xds: update envoy and udpa to later versions to get agentless changes (#7122)

sanjaypujare 2020-06-12 09:44:40 -07:00 committed by GitHub
parent 7f3a602255
commit 4077414e23
105 changed files with 2284 additions and 1294 deletions


@ -18,7 +18,7 @@
set -e
BRANCH=master
# import VERSION from one of the google internal CLs
VERSION=b16ce6d5ea0d2da73e764d145623e7367dc59ed3
VERSION=440899714143b6a143917cbd8e3f0ccba0847cd4
GIT_REPO="https://github.com/envoyproxy/envoy.git"
GIT_BASE_DIR=envoy
SOURCE_PROTO_BASE_DIR=envoy/api
@ -27,6 +27,9 @@ FILES=(
envoy/annotations/deprecation.proto
envoy/annotations/resource.proto
envoy/api/v2/auth/cert.proto
envoy/api/v2/auth/common.proto
envoy/api/v2/auth/secret.proto
envoy/api/v2/auth/tls.proto
envoy/api/v2/cds.proto
envoy/api/v2/cluster.proto
envoy/api/v2/cluster/circuit_breaker.proto
@ -36,6 +39,7 @@ envoy/api/v2/core/address.proto
envoy/api/v2/core/backoff.proto
envoy/api/v2/core/base.proto
envoy/api/v2/core/config_source.proto
envoy/api/v2/core/event_service_config.proto
envoy/api/v2/core/grpc_service.proto
envoy/api/v2/core/health_check.proto
envoy/api/v2/core/http_uri.proto
@ -67,10 +71,13 @@ envoy/config/core/v3/address.proto
envoy/config/core/v3/backoff.proto
envoy/config/core/v3/base.proto
envoy/config/core/v3/config_source.proto
envoy/config/core/v3/event_service_config.proto
envoy/config/core/v3/extension.proto
envoy/config/core/v3/grpc_service.proto
envoy/config/core/v3/health_check.proto
envoy/config/core/v3/http_uri.proto
envoy/config/core/v3/protocol.proto
envoy/config/core/v3/proxy_protocol.proto
envoy/config/core/v3/socket_option.proto
envoy/config/endpoint/v3/endpoint.proto
envoy/config/endpoint/v3/endpoint_components.proto
@ -84,9 +91,19 @@ envoy/config/listener/v3/listener.proto
envoy/config/listener/v3/listener_components.proto
envoy/config/listener/v3/udp_listener_config.proto
envoy/config/route/v3/route_components.proto
envoy/config/trace/v2/http_tracer.proto
envoy/config/trace/v2/trace.proto
envoy/config/trace/v2/datadog.proto
envoy/config/trace/v2/dynamic_ot.proto
envoy/config/trace/v2/lightstep.proto
envoy/config/trace/v2/opencensus.proto
envoy/config/trace/v2/service.proto
envoy/config/trace/v2/zipkin.proto
envoy/config/rbac/v2/rbac.proto
envoy/extensions/transport_sockets/tls/v3/cert.proto
envoy/extensions/transport_sockets/tls/v3/common.proto
envoy/extensions/transport_sockets/tls/v3/secret.proto
envoy/extensions/transport_sockets/tls/v3/tls.proto
envoy/service/discovery/v2/ads.proto
envoy/service/discovery/v2/sds.proto
envoy/service/load_stats/v2/lrs.proto
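Review bot: The new pin `VERSION=440899714143b6a143917cbd8e3f0ccba0847cd4` carries no comment saying which upstream change it was bumped for, and the comment above it still tells the reader to import VERSION from an internal CL, so the reason for the bump is only recoverable from the commit title. Pinning a full commit SHA rather than the `BRANCH=master` ref is what keeps this sync reproducible, so the pin itself is right; I would add one line above it such as `# envoy commit that splits envoy/api/v2/auth/cert.proto into common.proto, secret.proto and tls.proto` to tie it to the three FILES entries added directly after `envoy/api/v2/auth/cert.proto` in the second hunk, which presumably is the split visible in the cert.proto and common.proto sections of this commit. The FILES array starts before the second hunk and ends after the last one, so later entries (the trace and rbac protos) are outside my view of the array's head.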


@ -2,475 +2,15 @@ syntax = "proto3";
package envoy.api.v2.auth;
import "envoy/api/v2/core/base.proto";
import "envoy/api/v2/core/config_source.proto";
import "envoy/type/matcher/string.proto";
import "google/protobuf/any.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/sensitive.proto";
import "udpa/annotations/migrate.proto";
import "validate/validate.proto";
import "udpa/annotations/status.proto";
import public "envoy/api/v2/auth/common.proto";
import public "envoy/api/v2/auth/secret.proto";
import public "envoy/api/v2/auth/tls.proto";
option java_package = "io.envoyproxy.envoy.api.v2.auth";
option java_outer_classname = "CertProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package =
"envoy.extensions.transport_sockets.tls.v3";
// [#protodoc-title: Common TLS configuration]
message TlsParameters {
enum TlsProtocol {
// Envoy will choose the optimal TLS version.
TLS_AUTO = 0;
// TLS 1.0
TLSv1_0 = 1;
// TLS 1.1
TLSv1_1 = 2;
// TLS 1.2
TLSv1_2 = 3;
// TLS 1.3
TLSv1_3 = 4;
}
// Minimum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_0`` for
// servers.
TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum = {defined_only: true}];
// Maximum TLS protocol version. By default, it's ``TLSv1_3`` for servers in non-FIPS builds, and
// ``TLSv1_2`` for clients and for servers using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`.
TlsProtocol tls_maximum_protocol_version = 2 [(validate.rules).enum = {defined_only: true}];
// If specified, the TLS listener will only support the specified `cipher list
// <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_
// when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not
// specified, the default list will be used.
//
// In non-FIPS builds, the default cipher list is:
//
// .. code-block:: none
//
// [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
// [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
// ECDHE-ECDSA-AES128-SHA
// ECDHE-RSA-AES128-SHA
// AES128-GCM-SHA256
// AES128-SHA
// ECDHE-ECDSA-AES256-GCM-SHA384
// ECDHE-RSA-AES256-GCM-SHA384
// ECDHE-ECDSA-AES256-SHA
// ECDHE-RSA-AES256-SHA
// AES256-GCM-SHA384
// AES256-SHA
//
// In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default cipher list is:
//
// .. code-block:: none
//
// ECDHE-ECDSA-AES128-GCM-SHA256
// ECDHE-RSA-AES128-GCM-SHA256
// ECDHE-ECDSA-AES128-SHA
// ECDHE-RSA-AES128-SHA
// AES128-GCM-SHA256
// AES128-SHA
// ECDHE-ECDSA-AES256-GCM-SHA384
// ECDHE-RSA-AES256-GCM-SHA384
// ECDHE-ECDSA-AES256-SHA
// ECDHE-RSA-AES256-SHA
// AES256-GCM-SHA384
// AES256-SHA
repeated string cipher_suites = 3;
// If specified, the TLS connection will only support the specified ECDH
// curves. If not specified, the default curves will be used.
//
// In non-FIPS builds, the default curves are:
//
// .. code-block:: none
//
// X25519
// P-256
//
// In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default curve is:
//
// .. code-block:: none
//
// P-256
repeated string ecdh_curves = 4;
}
// BoringSSL private key method configuration. The private key methods are used for external
// (potentially asynchronous) signing and decryption operations. Some use cases for private key
// methods would be TPM support and TLS acceleration.
message PrivateKeyProvider {
// Private key method provider name. The name must match a
// supported private key method provider type.
string provider_name = 1 [(validate.rules).string = {min_bytes: 1}];
// Private key method provider specific configuration.
oneof config_type {
google.protobuf.Struct config = 2 [deprecated = true, (udpa.annotations.sensitive) = true];
google.protobuf.Any typed_config = 3 [(udpa.annotations.sensitive) = true];
}
}
// [#next-free-field: 7]
message TlsCertificate {
// The TLS certificate chain.
core.DataSource certificate_chain = 1;
// The TLS private key.
core.DataSource private_key = 2 [(udpa.annotations.sensitive) = true];
// BoringSSL private key method provider. This is an alternative to :ref:`private_key
// <envoy_api_field_auth.TlsCertificate.private_key>` field. This can't be
// marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key
// <envoy_api_field_auth.TlsCertificate.private_key>` and
// :ref:`private_key_provider
// <envoy_api_field_auth.TlsCertificate.private_key_provider>` fields will result in an
// error.
PrivateKeyProvider private_key_provider = 6;
// The password to decrypt the TLS private key. If this field is not set, it is assumed that the
// TLS private key is not password encrypted.
core.DataSource password = 3 [(udpa.annotations.sensitive) = true];
// [#not-implemented-hide:]
core.DataSource ocsp_staple = 4;
// [#not-implemented-hide:]
repeated core.DataSource signed_certificate_timestamp = 5;
}
message TlsSessionTicketKeys {
// Keys for encrypting and decrypting TLS session tickets. The
// first key in the array contains the key to encrypt all new sessions created by this context.
// All keys are candidates for decrypting received tickets. This allows for easy rotation of keys
// by, for example, putting the new key first, and the previous key second.
//
// If :ref:`session_ticket_keys <envoy_api_field_auth.DownstreamTlsContext.session_ticket_keys>`
// is not specified, the TLS library will still support resuming sessions via tickets, but it will
// use an internally-generated and managed key, so sessions cannot be resumed across hot restarts
// or on different hosts.
//
// Each key must contain exactly 80 bytes of cryptographically-secure random data. For
// example, the output of ``openssl rand 80``.
//
// .. attention::
//
// Using this feature has serious security considerations and risks. Improper handling of keys
// may result in loss of secrecy in connections, even if ciphers supporting perfect forward
// secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some
// discussion. To minimize the risk, you must:
//
// * Keep the session ticket keys at least as secure as your TLS certificate private keys
// * Rotate session ticket keys at least daily, and preferably hourly
// * Always generate keys using a cryptographically-secure random data source
repeated core.DataSource keys = 1
[(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true];
}
// [#next-free-field: 11]
message CertificateValidationContext {
// Peer certificate verification mode.
enum TrustChainVerification {
// Perform default certificate verification (e.g., against CA / verification lists)
VERIFY_TRUST_CHAIN = 0;
// Connections where the certificate fails verification will be permitted.
// For HTTP connections, the result of certificate verification can be used in route matching. (
// see :ref:`validated <envoy_api_field_route.RouteMatch.TlsContextMatchOptions.validated>` ).
ACCEPT_UNTRUSTED = 1;
}
// TLS certificate data containing certificate authority certificates to use in verifying
// a presented peer certificate (e.g. server certificate for clusters or client certificate
// for listeners). If not specified and a peer certificate is presented it will not be
// verified. By default, a client certificate is optional, unless one of the additional
// options (:ref:`require_client_certificate
// <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
// :ref:`verify_certificate_spki
// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
// :ref:`verify_certificate_hash
// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
// :ref:`match_subject_alt_names
// <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
// specified.
//
// It can optionally contain certificate revocation lists, in which case Envoy will verify
// that the presented peer certificate has not been revoked by one of the included CRLs.
//
// See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
// system CA locations.
core.DataSource trusted_ca = 1;
// An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
// SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
// matches one of the specified values.
//
// A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
// can be generated with the following command:
//
// .. code-block:: bash
//
// $ openssl x509 -in path/to/client.crt -noout -pubkey
// | openssl pkey -pubin -outform DER
// | openssl dgst -sha256 -binary
// | openssl enc -base64
// NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
//
// This is the format used in HTTP Public Key Pinning.
//
// When both:
// :ref:`verify_certificate_hash
// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
// :ref:`verify_certificate_spki
// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
// a hash matching value from either of the lists will result in the certificate being accepted.
//
// .. attention::
//
// This option is preferred over :ref:`verify_certificate_hash
// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
// because SPKI is tied to a private key, so it doesn't change when the certificate
// is renewed using the same private key.
repeated string verify_certificate_spki = 3
[(validate.rules).repeated = {items {string {min_bytes: 44 max_bytes: 44}}}];
// An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
// the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
//
// A hex-encoded SHA-256 of the certificate can be generated with the following command:
//
// .. code-block:: bash
//
// $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
// df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
//
// A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
// can be generated with the following command:
//
// .. code-block:: bash
//
// $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
// DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
//
// Both of those formats are acceptable.
//
// When both:
// :ref:`verify_certificate_hash
// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
// :ref:`verify_certificate_spki
// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
// a hash matching value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2
[(validate.rules).repeated = {items {string {min_bytes: 64 max_bytes: 95}}}];
// An optional list of Subject Alternative Names. If specified, Envoy will verify that the
// Subject Alternative Name of the presented certificate matches one of the specified values.
//
// .. attention::
//
// Subject Alternative Names are easily spoofable and verifying only them is insecure,
// therefore this option must be used together with :ref:`trusted_ca
// <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
repeated string verify_subject_alt_name = 4 [deprecated = true];
// An optional list of Subject Alternative name matchers. Envoy will verify that the
// Subject Alternative Name of the presented certificate matches one of the specified matches.
//
// When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
// configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
// For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
// it should be configured as shown below.
//
// .. code-block:: yaml
//
// match_subject_alt_names:
// exact: "api.example.com"
//
// .. attention::
//
// Subject Alternative Names are easily spoofable and verifying only them is insecure,
// therefore this option must be used together with :ref:`trusted_ca
// <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
repeated type.matcher.StringMatcher match_subject_alt_names = 9;
// [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
google.protobuf.BoolValue require_ocsp_staple = 5;
// [#not-implemented-hide:] Must present signed certificate time-stamp.
google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
// An optional `certificate revocation list
// <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
// (in PEM format). If specified, Envoy will verify that the presented peer
// certificate has not been revoked by this CRL. If this DataSource contains
// multiple CRLs, all of them will be used.
core.DataSource crl = 7;
// If specified, Envoy will not reject expired certificates.
bool allow_expired_certificate = 8;
// Certificate trust chain verification mode.
TrustChainVerification trust_chain_verification = 10
[(validate.rules).enum = {defined_only: true}];
}
// TLS context shared by both client and server TLS contexts.
// [#next-free-field: 9]
message CommonTlsContext {
message CombinedCertificateValidationContext {
// How to validate peer certificates.
CertificateValidationContext default_validation_context = 1
[(validate.rules).message = {required: true}];
// Config for fetching validation context via SDS API.
SdsSecretConfig validation_context_sds_secret_config = 2
[(validate.rules).message = {required: true}];
}
reserved 5;
// TLS protocol versions, cipher suites etc.
TlsParameters tls_params = 1;
// :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>` can be associated with the
// same context to allow both RSA and ECDSA certificates.
//
// Only a single TLS certificate is supported in client contexts. In server contexts, the first
// RSA certificate is used for clients that only support RSA and the first ECDSA certificate is
// used for clients that support ECDSA.
repeated TlsCertificate tls_certificates = 2;
// Configs for fetching TLS certificates via SDS API.
repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6
[(validate.rules).repeated = {max_items: 1}];
oneof validation_context_type {
// How to validate peer certificates.
CertificateValidationContext validation_context = 3;
// Config for fetching validation context via SDS API.
SdsSecretConfig validation_context_sds_secret_config = 7;
// Combined certificate validation context holds a default CertificateValidationContext
// and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic
// and default CertificateValidationContext are merged into a new CertificateValidationContext
// for validation. This merge is done by Message::MergeFrom(), so dynamic
// CertificateValidationContext overwrites singular fields in default
// CertificateValidationContext, and concatenates repeated fields to default
// CertificateValidationContext, and logical OR is applied to boolean fields.
CombinedCertificateValidationContext combined_validation_context = 8;
}
// Supplies the list of ALPN protocols that the listener should expose. In
// practice this is likely to be set to one of two values (see the
// :ref:`codec_type
// <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.codec_type>`
// parameter in the HTTP connection manager for more information):
//
// * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1.
// * "http/1.1" If the listener is only going to support HTTP/1.1.
//
// There is no default for this parameter. If empty, Envoy will not expose ALPN.
repeated string alpn_protocols = 4;
}
message UpstreamTlsContext {
// Common TLS context settings.
//
// .. attention::
//
// Server certificate verification is not enabled by default. Configure
// :ref:`trusted_ca<envoy_api_field_auth.CertificateValidationContext.trusted_ca>` to enable
// verification.
CommonTlsContext common_tls_context = 1;
// SNI string to use when creating TLS backend connections.
string sni = 2 [(validate.rules).string = {max_bytes: 255}];
// If true, server-initiated TLS renegotiation will be allowed.
//
// .. attention::
//
// TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary.
bool allow_renegotiation = 3;
// Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets
// for TLSv1.2 and older) to store for the purpose of session resumption.
//
// Defaults to 1, setting this to 0 disables session resumption.
google.protobuf.UInt32Value max_session_keys = 4;
}
// [#next-free-field: 7]
message DownstreamTlsContext {
// Common TLS context settings.
CommonTlsContext common_tls_context = 1;
// If specified, Envoy will reject connections without a valid client
// certificate.
google.protobuf.BoolValue require_client_certificate = 2;
// If specified, Envoy will reject connections without a valid and matching SNI.
// [#not-implemented-hide:]
google.protobuf.BoolValue require_sni = 3;
oneof session_ticket_keys_type {
// TLS session ticket key settings.
TlsSessionTicketKeys session_ticket_keys = 4;
// Config for fetching TLS session ticket keys via SDS API.
SdsSecretConfig session_ticket_keys_sds_secret_config = 5;
}
// If specified, session_timeout will change maximum lifetime (in seconds) of TLS session
// Currently this value is used as a hint to `TLS session ticket lifetime (for TLSv1.2)
// <https://tools.ietf.org/html/rfc5077#section-5.6>`
// only seconds could be specified (fractional seconds are going to be ignored).
google.protobuf.Duration session_timeout = 6 [(validate.rules).duration = {
lt {seconds: 4294967296}
gte {}
}];
}
message GenericSecret {
// Secret of generic type and is available to filters.
core.DataSource secret = 1 [(udpa.annotations.sensitive) = true];
}
message SdsSecretConfig {
// Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
// When both name and config are specified, then secret can be fetched and/or reloaded via
// SDS. When only name is specified, then secret will be loaded from static resources.
string name = 1;
core.ConfigSource sds_config = 2;
}
// [#next-free-field: 6]
message Secret {
// Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
string name = 1;
oneof type {
TlsCertificate tls_certificate = 2;
TlsSessionTicketKeys session_ticket_keys = 3;
CertificateValidationContext validation_context = 4;
GenericSecret generic_secret = 5;
}
}
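Review bot: The three `import public` lines keep existing importers of cert.proto compiling, but with `option java_multiple_files = true;` the file-level outer class for every moved message changes from `CertProto` to the new files' outer classes (the common.proto section declares `CommonProto`), so any Java code in this tree that references `CertProto.getDescriptor()` or registers extensions through it would need to point at the new outer classes; per-message classes such as `TlsParameters` keep their package and name, so ordinary uses should be unaffected. The `import "udpa/annotations/status.proto";` line appears to remain on the new side while no `(udpa.annotations.file_status)` option is visible in this section, unlike common.proto which sets `package_version_status = FROZEN`; if the new cert.proto really does not use it, protoc will emit an unused-import warning. The old/new side of several import lines is not recoverable from this rendering, so both points are inferred from the surviving lines rather than certain.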


@ -0,0 +1,327 @@
syntax = "proto3";
package envoy.api.v2.auth;
import "envoy/api/v2/core/base.proto";
import "envoy/type/matcher/string.proto";
import "google/protobuf/any.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/sensitive.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.api.v2.auth";
option java_outer_classname = "CommonProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package =
"envoy.extensions.transport_sockets.tls.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Common TLS configuration]
message TlsParameters {
enum TlsProtocol {
// Envoy will choose the optimal TLS version.
TLS_AUTO = 0;
// TLS 1.0
TLSv1_0 = 1;
// TLS 1.1
TLSv1_1 = 2;
// TLS 1.2
TLSv1_2 = 3;
// TLS 1.3
TLSv1_3 = 4;
}
// Minimum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_0`` for
// servers.
TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum = {defined_only: true}];
// Maximum TLS protocol version. By default, it's ``TLSv1_3`` for servers in non-FIPS builds, and
// ``TLSv1_2`` for clients and for servers using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`.
TlsProtocol tls_maximum_protocol_version = 2 [(validate.rules).enum = {defined_only: true}];
// If specified, the TLS listener will only support the specified `cipher list
// <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_
// when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not
// specified, the default list will be used.
//
// In non-FIPS builds, the default cipher list is:
//
// .. code-block:: none
//
// [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
// [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
// ECDHE-ECDSA-AES128-SHA
// ECDHE-RSA-AES128-SHA
// AES128-GCM-SHA256
// AES128-SHA
// ECDHE-ECDSA-AES256-GCM-SHA384
// ECDHE-RSA-AES256-GCM-SHA384
// ECDHE-ECDSA-AES256-SHA
// ECDHE-RSA-AES256-SHA
// AES256-GCM-SHA384
// AES256-SHA
//
// In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default cipher list is:
//
// .. code-block:: none
//
// ECDHE-ECDSA-AES128-GCM-SHA256
// ECDHE-RSA-AES128-GCM-SHA256
// ECDHE-ECDSA-AES128-SHA
// ECDHE-RSA-AES128-SHA
// AES128-GCM-SHA256
// AES128-SHA
// ECDHE-ECDSA-AES256-GCM-SHA384
// ECDHE-RSA-AES256-GCM-SHA384
// ECDHE-ECDSA-AES256-SHA
// ECDHE-RSA-AES256-SHA
// AES256-GCM-SHA384
// AES256-SHA
repeated string cipher_suites = 3;
// If specified, the TLS connection will only support the specified ECDH
// curves. If not specified, the default curves will be used.
//
// In non-FIPS builds, the default curves are:
//
// .. code-block:: none
//
// X25519
// P-256
//
// In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default curve is:
//
// .. code-block:: none
//
// P-256
repeated string ecdh_curves = 4;
}
// BoringSSL private key method configuration. The private key methods are used for external
// (potentially asynchronous) signing and decryption operations. Some use cases for private key
// methods would be TPM support and TLS acceleration.
message PrivateKeyProvider {
// Private key method provider name. The name must match a
// supported private key method provider type.
string provider_name = 1 [(validate.rules).string = {min_bytes: 1}];
// Private key method provider specific configuration.
oneof config_type {
google.protobuf.Struct config = 2 [deprecated = true, (udpa.annotations.sensitive) = true];
google.protobuf.Any typed_config = 3 [(udpa.annotations.sensitive) = true];
}
}
// [#next-free-field: 7]
message TlsCertificate {
// The TLS certificate chain.
core.DataSource certificate_chain = 1;
// The TLS private key.
core.DataSource private_key = 2 [(udpa.annotations.sensitive) = true];
// BoringSSL private key method provider. This is an alternative to :ref:`private_key
// <envoy_api_field_auth.TlsCertificate.private_key>` field. This can't be
// marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key
// <envoy_api_field_auth.TlsCertificate.private_key>` and
// :ref:`private_key_provider
// <envoy_api_field_auth.TlsCertificate.private_key_provider>` fields will result in an
// error.
PrivateKeyProvider private_key_provider = 6;
// The password to decrypt the TLS private key. If this field is not set, it is assumed that the
// TLS private key is not password encrypted.
core.DataSource password = 3 [(udpa.annotations.sensitive) = true];
// [#not-implemented-hide:]
core.DataSource ocsp_staple = 4;
// [#not-implemented-hide:]
repeated core.DataSource signed_certificate_timestamp = 5;
}
message TlsSessionTicketKeys {
// Keys for encrypting and decrypting TLS session tickets. The
// first key in the array contains the key to encrypt all new sessions created by this context.
// All keys are candidates for decrypting received tickets. This allows for easy rotation of keys
// by, for example, putting the new key first, and the previous key second.
//
// If :ref:`session_ticket_keys <envoy_api_field_auth.DownstreamTlsContext.session_ticket_keys>`
// is not specified, the TLS library will still support resuming sessions via tickets, but it will
// use an internally-generated and managed key, so sessions cannot be resumed across hot restarts
// or on different hosts.
//
// Each key must contain exactly 80 bytes of cryptographically-secure random data. For
// example, the output of ``openssl rand 80``.
//
// .. attention::
//
// Using this feature has serious security considerations and risks. Improper handling of keys
// may result in loss of secrecy in connections, even if ciphers supporting perfect forward
// secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some
// discussion. To minimize the risk, you must:
//
// * Keep the session ticket keys at least as secure as your TLS certificate private keys
// * Rotate session ticket keys at least daily, and preferably hourly
// * Always generate keys using a cryptographically-secure random data source
repeated core.DataSource keys = 1
[(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true];
}
// [#next-free-field: 11]
message CertificateValidationContext {
// Peer certificate verification mode.
enum TrustChainVerification {
// Perform default certificate verification (e.g., against CA / verification lists)
VERIFY_TRUST_CHAIN = 0;
// Connections where the certificate fails verification will be permitted.
// For HTTP connections, the result of certificate verification can be used in route matching. (
// see :ref:`validated <envoy_api_field_route.RouteMatch.TlsContextMatchOptions.validated>` ).
ACCEPT_UNTRUSTED = 1;
}
// TLS certificate data containing certificate authority certificates to use in verifying
// a presented peer certificate (e.g. server certificate for clusters or client certificate
// for listeners). If not specified and a peer certificate is presented it will not be
// verified. By default, a client certificate is optional, unless one of the additional
// options (:ref:`require_client_certificate
// <envoy_api_field_auth.DownstreamTlsContext.require_client_certificate>`,
// :ref:`verify_certificate_spki
// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>`,
// :ref:`verify_certificate_hash
// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`, or
// :ref:`match_subject_alt_names
// <envoy_api_field_auth.CertificateValidationContext.match_subject_alt_names>`) is also
// specified.
//
// It can optionally contain certificate revocation lists, in which case Envoy will verify
// that the presented peer certificate has not been revoked by one of the included CRLs.
//
// See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
// system CA locations.
core.DataSource trusted_ca = 1;
// An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
// SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
// matches one of the specified values.
//
// A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
// can be generated with the following command:
//
// .. code-block:: bash
//
// $ openssl x509 -in path/to/client.crt -noout -pubkey
// | openssl pkey -pubin -outform DER
// | openssl dgst -sha256 -binary
// | openssl enc -base64
// NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
//
// This is the format used in HTTP Public Key Pinning.
//
// When both:
// :ref:`verify_certificate_hash
// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
// :ref:`verify_certificate_spki
// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
// a hash matching value from either of the lists will result in the certificate being accepted.
//
// .. attention::
//
// This option is preferred over :ref:`verify_certificate_hash
// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>`,
// because SPKI is tied to a private key, so it doesn't change when the certificate
// is renewed using the same private key.
repeated string verify_certificate_spki = 3
[(validate.rules).repeated = {items {string {min_bytes: 44 max_bytes: 44}}}];
// An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
// the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
//
// A hex-encoded SHA-256 of the certificate can be generated with the following command:
//
// .. code-block:: bash
//
// $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
// df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
//
// A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
// can be generated with the following command:
//
// .. code-block:: bash
//
// $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
// DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
//
// Both of those formats are acceptable.
//
// When both:
// :ref:`verify_certificate_hash
// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_hash>` and
// :ref:`verify_certificate_spki
// <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
// a hash matching value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2
[(validate.rules).repeated = {items {string {min_bytes: 64 max_bytes: 95}}}];
// An optional list of Subject Alternative Names. If specified, Envoy will verify that the
// Subject Alternative Name of the presented certificate matches one of the specified values.
//
// .. attention::
//
// Subject Alternative Names are easily spoofable and verifying only them is insecure,
// therefore this option must be used together with :ref:`trusted_ca
// <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
repeated string verify_subject_alt_name = 4 [deprecated = true];
// An optional list of Subject Alternative name matchers. Envoy will verify that the
// Subject Alternative Name of the presented certificate matches one of the specified matches.
//
// When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
// configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.StringMatcher>`.
// For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
// it should be configured as shown below.
//
// .. code-block:: yaml
//
// match_subject_alt_names:
// exact: "api.example.com"
//
// .. attention::
//
// Subject Alternative Names are easily spoofable and verifying only them is insecure,
// therefore this option must be used together with :ref:`trusted_ca
// <envoy_api_field_auth.CertificateValidationContext.trusted_ca>`.
repeated type.matcher.StringMatcher match_subject_alt_names = 9;
// [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
google.protobuf.BoolValue require_ocsp_staple = 5;
// [#not-implemented-hide:] Must present signed certificate time-stamp.
google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
// An optional `certificate revocation list
// <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
// (in PEM format). If specified, Envoy will verify that the presented peer
// certificate has not been revoked by this CRL. If this DataSource contains
// multiple CRLs, all of them will be used.
core.DataSource crl = 7;
// If specified, Envoy will not reject expired certificates.
bool allow_expired_certificate = 8;
// Certificate trust chain verification mode.
TrustChainVerification trust_chain_verification = 10
[(validate.rules).enum = {defined_only: true}];
}


@ -0,0 +1,50 @@
syntax = "proto3";
package envoy.api.v2.auth;
import "envoy/api/v2/auth/common.proto";
import "envoy/api/v2/core/base.proto";
import "envoy/api/v2/core/config_source.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/sensitive.proto";
import "udpa/annotations/status.proto";
option java_package = "io.envoyproxy.envoy.api.v2.auth";
option java_outer_classname = "SecretProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package =
"envoy.extensions.transport_sockets.tls.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Secrets configuration]
message GenericSecret {
// Secret of generic type and is available to filters.
core.DataSource secret = 1 [(udpa.annotations.sensitive) = true];
}
message SdsSecretConfig {
// Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
// When both name and config are specified, then secret can be fetched and/or reloaded via
// SDS. When only name is specified, then secret will be loaded from static resources.
string name = 1;
core.ConfigSource sds_config = 2;
}
// [#next-free-field: 6]
message Secret {
// Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
string name = 1;
oneof type {
TlsCertificate tls_certificate = 2;
TlsSessionTicketKeys session_ticket_keys = 3;
CertificateValidationContext validation_context = 4;
GenericSecret generic_secret = 5;
}
}


@ -0,0 +1,152 @@
syntax = "proto3";
package envoy.api.v2.auth;
import "envoy/api/v2/auth/common.proto";
import "envoy/api/v2/auth/secret.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.api.v2.auth";
option java_outer_classname = "TlsProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package =
"envoy.extensions.transport_sockets.tls.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: TLS transport socket]
// [#extension: envoy.transport_sockets.tls]
// The TLS contexts below provide the transport socket configuration for upstream/downstream TLS.
message UpstreamTlsContext {
// Common TLS context settings.
//
// .. attention::
//
// Server certificate verification is not enabled by default. Configure
// :ref:`trusted_ca<envoy_api_field_auth.CertificateValidationContext.trusted_ca>` to enable
// verification.
CommonTlsContext common_tls_context = 1;
// SNI string to use when creating TLS backend connections.
string sni = 2 [(validate.rules).string = {max_bytes: 255}];
// If true, server-initiated TLS renegotiation will be allowed.
//
// .. attention::
//
// TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary.
bool allow_renegotiation = 3;
// Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets
// for TLSv1.2 and older) to store for the purpose of session resumption.
//
// Defaults to 1, setting this to 0 disables session resumption.
google.protobuf.UInt32Value max_session_keys = 4;
}
// [#next-free-field: 8]
message DownstreamTlsContext {
// Common TLS context settings.
CommonTlsContext common_tls_context = 1;
// If specified, Envoy will reject connections without a valid client
// certificate.
google.protobuf.BoolValue require_client_certificate = 2;
// If specified, Envoy will reject connections without a valid and matching SNI.
// [#not-implemented-hide:]
google.protobuf.BoolValue require_sni = 3;
oneof session_ticket_keys_type {
// TLS session ticket key settings.
TlsSessionTicketKeys session_ticket_keys = 4;
// Config for fetching TLS session ticket keys via SDS API.
SdsSecretConfig session_ticket_keys_sds_secret_config = 5;
// Config for controlling stateless TLS session resumption: setting this to true will cause the TLS
// server to not issue TLS session tickets for the purposes of stateless TLS session resumption.
// If set to false, the TLS server will issue TLS session tickets and encrypt/decrypt them using
// the keys specified through either :ref:`session_ticket_keys <envoy_api_field_auth.DownstreamTlsContext.session_ticket_keys>`
// or :ref:`session_ticket_keys_sds_secret_config <envoy_api_field_auth.DownstreamTlsContext.session_ticket_keys_sds_secret_config>`.
// If this config is set to false and no keys are explicitly configured, the TLS server will issue
// TLS session tickets and encrypt/decrypt them using an internally-generated and managed key, with the
// implication that sessions cannot be resumed across hot restarts or on different hosts.
bool disable_stateless_session_resumption = 7;
}
// If specified, session_timeout will change maximum lifetime (in seconds) of TLS session
// Currently this value is used as a hint to `TLS session ticket lifetime (for TLSv1.2)
// <https://tools.ietf.org/html/rfc5077#section-5.6>`
// only seconds could be specified (fractional seconds are going to be ignored).
google.protobuf.Duration session_timeout = 6 [(validate.rules).duration = {
lt {seconds: 4294967296}
gte {}
}];
}
// TLS context shared by both client and server TLS contexts.
// [#next-free-field: 9]
message CommonTlsContext {
message CombinedCertificateValidationContext {
// How to validate peer certificates.
CertificateValidationContext default_validation_context = 1
[(validate.rules).message = {required: true}];
// Config for fetching validation context via SDS API.
SdsSecretConfig validation_context_sds_secret_config = 2
[(validate.rules).message = {required: true}];
}
reserved 5;
// TLS protocol versions, cipher suites etc.
TlsParameters tls_params = 1;
// :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>` can be associated with the
// same context to allow both RSA and ECDSA certificates.
//
// Only a single TLS certificate is supported in client contexts. In server contexts, the first
// RSA certificate is used for clients that only support RSA and the first ECDSA certificate is
// used for clients that support ECDSA.
repeated TlsCertificate tls_certificates = 2;
// Configs for fetching TLS certificates via SDS API.
repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6
[(validate.rules).repeated = {max_items: 1}];
oneof validation_context_type {
// How to validate peer certificates.
CertificateValidationContext validation_context = 3;
// Config for fetching validation context via SDS API.
SdsSecretConfig validation_context_sds_secret_config = 7;
// Combined certificate validation context holds a default CertificateValidationContext
// and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic
// and default CertificateValidationContext are merged into a new CertificateValidationContext
// for validation. This merge is done by Message::MergeFrom(), so dynamic
// CertificateValidationContext overwrites singular fields in default
// CertificateValidationContext, and concatenates repeated fields to default
// CertificateValidationContext, and logical OR is applied to boolean fields.
CombinedCertificateValidationContext combined_validation_context = 8;
}
// Supplies the list of ALPN protocols that the listener should expose. In
// practice this is likely to be set to one of two values (see the
// :ref:`codec_type
// <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.codec_type>`
// parameter in the HTTP connection manager for more information):
//
// * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1.
// * "http/1.1" If the listener is only going to support HTTP/1.1.
//
// There is no default for this parameter. If empty, Envoy will not expose ALPN.
repeated string alpn_protocols = 4;
}


@ -8,6 +8,7 @@ import "google/api/annotations.proto";
import "envoy/annotations/resource.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import public "envoy/api/v2/cluster.proto";
@ -16,6 +17,7 @@ option java_outer_classname = "CdsProto";
option java_multiple_files = true;
option java_generic_services = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.service.cluster.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: CDS]


@ -2,7 +2,7 @@ syntax = "proto3";
package envoy.api.v2;
import "envoy/api/v2/auth/cert.proto";
import "envoy/api/v2/auth/tls.proto";
import "envoy/api/v2/cluster/circuit_breaker.proto";
import "envoy/api/v2/cluster/filter.proto";
import "envoy/api/v2/cluster/outlier_detection.proto";
@ -21,12 +21,14 @@ import "google/protobuf/wrappers.proto";
import "envoy/annotations/deprecation.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.api.v2";
option java_outer_classname = "ClusterProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.config.cluster.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Cluster configuration]
@ -354,7 +356,7 @@ message Cluster {
}
// Common configuration for all load balancer implementations.
// [#next-free-field: 7]
// [#next-free-field: 8]
message CommonLbConfig {
// Configuration for :ref:`zone aware routing
// <arch_overview_load_balancing_zone_aware_routing>`.
@ -384,6 +386,13 @@ message Cluster {
message LocalityWeightedLbConfig {
}
// Common Configuration for all consistent hashing load balancers (MaglevLb, RingHashLb, etc.)
message ConsistentHashingLbConfig {
// If set to `true`, the cluster will use hostname instead of the resolved
// address as the key to consistently hash to an upstream host. Only valid for StrictDNS clusters with hostnames which resolve to a single IP address.
bool use_hostname_for_hashing = 1;
}
// Configures the :ref:`healthy panic threshold <arch_overview_load_balancing_panic_threshold>`.
// If not specified, the default is 50%.
// To disable panic mode, set to 0%.
@ -438,6 +447,9 @@ message Cluster {
// If set to `true`, the cluster manager will drain all existing
// connections to upstream hosts whenever hosts are added or removed from the cluster.
bool close_connections_on_host_set_change = 6;
//Common Configuration for all consistent hashing load balancers (MaglevLb, RingHashLb, etc.)
ConsistentHashingLbConfig consistent_hashing_lb_config = 7;
}
message RefreshRate {
@ -459,7 +471,7 @@ message Cluster {
reserved 12, 15;
// Configuration to use different transport sockets for different endpoints.
// The entry of *envoy.transport_socket* in the
// The entry of *envoy.transport_socket_match* in the
// :ref:`LbEndpoint.Metadata <envoy_api_field_endpoint.LbEndpoint.metadata>`
// is used to match against the transport sockets as they appear in the list. The first
// :ref:`match <envoy_api_msg_Cluster.TransportSocketMatch>` is used.
@ -479,14 +491,14 @@ message Cluster {
// transport_socket:
// name: envoy.transport_sockets.raw_buffer
//
// Connections to the endpoints whose metadata value under *envoy.transport_socket*
// Connections to the endpoints whose metadata value under *envoy.transport_socket_match*
// having "acceptMTLS"/"true" key/value pair use the "enableMTLS" socket configuration.
//
// If a :ref:`socket match <envoy_api_msg_Cluster.TransportSocketMatch>` with empty match
// criteria is provided, that always match any endpoint. For example, the "defaultToPlaintext"
// socket match in case above.
//
// If an endpoint metadata's value under *envoy.transport_socket* does not match any
// If an endpoint metadata's value under *envoy.transport_socket_match* does not match any
// *TransportSocketMatch*, socket configuration fallbacks to use the *tls_context* or
// *transport_socket* specified in this cluster.
//


@ -8,6 +8,7 @@ import "envoy/type/percent.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.api.v2.cluster";
@ -16,6 +17,7 @@ option java_multiple_files = true;
option csharp_namespace = "Envoy.Api.V2.ClusterNS";
option ruby_package = "Envoy.Api.V2.ClusterNS";
option (udpa.annotations.file_migrate).move_to_package = "envoy.config.cluster.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Circuit breakers]


@ -5,6 +5,7 @@ package envoy.api.v2.cluster;
import "google/protobuf/any.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.api.v2.cluster";
@ -13,6 +14,7 @@ option java_multiple_files = true;
option csharp_namespace = "Envoy.Api.V2.ClusterNS";
option ruby_package = "Envoy.Api.V2.ClusterNS";
option (udpa.annotations.file_migrate).move_to_package = "envoy.config.cluster.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Upstream filters]
// Upstream filters apply to the connections to the upstream cluster hosts.


@ -6,6 +6,7 @@ import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.api.v2.cluster";
@ -14,6 +15,7 @@ option java_multiple_files = true;
option csharp_namespace = "Envoy.Api.V2.ClusterNS";
option ruby_package = "Envoy.Api.V2.ClusterNS";
option (udpa.annotations.file_migrate).move_to_package = "envoy.config.cluster.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Outlier detection]


@ -7,12 +7,14 @@ import "envoy/api/v2/core/socket_option.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.api.v2.core";
option java_outer_classname = "AddressProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Network addresses]


@ -5,12 +5,14 @@ package envoy.api.v2.core;
import "google/protobuf/duration.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.api.v2.core";
option java_outer_classname = "BackoffProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Backoff Strategy]


@ -14,6 +14,7 @@ import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
import public "envoy/api/v2/core/socket_option.proto";
@ -22,6 +23,7 @@ option java_package = "io.envoyproxy.envoy.api.v2.core";
option java_outer_classname = "BaseProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Common types]
@ -230,6 +232,15 @@ message RuntimeUInt32 {
string runtime_key = 3 [(validate.rules).string = {min_bytes: 1}];
}
// Runtime derived double with a default when not specified.
message RuntimeDouble {
// Default value if runtime value is not available.
double default_value = 1;
// Runtime key to get value for comparison. This value is used if defined.
string runtime_key = 2 [(validate.rules).string = {min_bytes: 1}];
}
// Runtime derived bool with a default when not specified.
message RuntimeFeatureFlag {
// Default value if runtime value is not available.


@ -9,12 +9,14 @@ import "google/protobuf/wrappers.proto";
import "envoy/annotations/deprecation.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.api.v2.core";
option java_outer_classname = "ConfigSourceProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Configuration sources]
@ -55,10 +57,6 @@ message ApiConfigSource {
// Using the delta xDS gRPC service, i.e. DeltaDiscovery{Request,Response}
// rather than Discovery{Request,Response}. Rather than sending Envoy the entire state
// with every update, the xDS server only sends what has changed since the last update.
//
// DELTA_GRPC is not yet entirely implemented! Initially, only CDS is available.
// Do not use for other xDSes.
// [#comment:TODO(fredlas) update/remove this warning when appropriate.]
DELTA_GRPC = 3;
}
@ -133,6 +131,8 @@ message ConfigSource {
option (validate.required) = true;
// Path on the filesystem to source and watch for configuration updates.
// When sourcing configuration for :ref:`secret <envoy_api_msg_auth.Secret>`,
// the certificate and key files are also watched for updates.
//
// .. note::
//


@ -0,0 +1,26 @@
syntax = "proto3";
package envoy.api.v2.core;
import "envoy/api/v2/core/grpc_service.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.api.v2.core";
option java_outer_classname = "EventServiceConfigProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#not-implemented-hide:]
// Configuration of the event reporting service endpoint.
message EventServiceConfig {
oneof config_source_specifier {
option (validate.required) = true;
// Specifies the gRPC service that hosts the event reporting service.
GrpcService grpc_service = 1;
}
}


@ -9,15 +9,16 @@ import "google/protobuf/duration.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/struct.proto";
import "udpa/annotations/sensitive.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/sensitive.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.api.v2.core";
option java_outer_classname = "GrpcServiceProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: gRPC services]


@ -3,6 +3,7 @@ syntax = "proto3";
package envoy.api.v2.core;
import "envoy/api/v2/core/base.proto";
import "envoy/api/v2/core/event_service_config.proto";
import "envoy/type/http.proto";
import "envoy/type/matcher/string.proto";
import "envoy/type/range.proto";
@ -14,12 +15,14 @@ import "google/protobuf/wrappers.proto";
import "envoy/annotations/deprecation.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.api.v2.core";
option java_outer_classname = "HealthCheckProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Health check]
// * Health checking :ref:`architecture overview <arch_overview_health_checking>`.
@ -52,7 +55,7 @@ enum HealthStatus {
DEGRADED = 5;
}
// [#next-free-field: 22]
// [#next-free-field: 23]
message HealthCheck {
// Describes the encoding of the payload bytes in the payload.
message Payload {
@ -71,7 +74,8 @@ message HealthCheck {
message HttpHealthCheck {
// The value of the host header in the HTTP health check request. If
// left empty (default value), the name of the cluster this health check is associated
// with will be used.
// with will be used. The host header can be customized for a specific endpoint by setting the
// :ref:`hostname <envoy_api_field_endpoint.Endpoint.HealthCheckConfig.hostname>` field.
string host = 1;
// Specifies the HTTP path that will be requested during health checking. For example
@ -158,7 +162,8 @@ message HealthCheck {
// The value of the :authority header in the gRPC health check request. If
// left empty (default value), the name of the cluster this health check is associated
// with will be used.
// with will be used. The authority header can be customized for a specific endpoint by setting
// the :ref:`hostname <envoy_api_field_endpoint.Endpoint.HealthCheckConfig.hostname>` field.
string authority = 2;
}
@ -288,6 +293,11 @@ message HealthCheck {
// If empty, no event log will be written.
string event_log_path = 17;
// [#not-implemented-hide:]
// The gRPC service for the health check event service.
// If empty, health check events won't be sent to a remote endpoint.
EventServiceConfig event_service = 22;
// If set to true, health check failure events will always be logged. If set to false, only the
// initial health check failure event will be logged.
// The default value is false.


@ -5,12 +5,14 @@ package envoy.api.v2.core;
import "google/protobuf/duration.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.api.v2.core";
option java_outer_classname = "HttpUriProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: HTTP Service URI ]


@ -6,12 +6,14 @@ import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.api.v2.core";
option java_outer_classname = "ProtocolProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Protocol options]
@ -32,9 +34,30 @@ message UpstreamHttpProtocolOptions {
bool auto_san_validation = 2;
}
// [#next-free-field: 6]
message HttpProtocolOptions {
// Action to take when Envoy receives client request with header names containing underscore
// characters.
// Underscore character is allowed in header names by the RFC-7230 and this behavior is implemented
// as a security measure due to systems that treat '_' and '-' as interchangeable. Envoy by default allows client request headers with underscore
// characters.
enum HeadersWithUnderscoresAction {
// Allow headers with underscores. This is the default behavior.
ALLOW = 0;
// Reject client request. HTTP/1 requests are rejected with the 400 status. HTTP/2 requests
// end with the stream reset. The "httpN.requests_rejected_with_underscores_in_headers" counter
// is incremented for each rejected request.
REJECT_REQUEST = 1;
// Drop the header with name containing underscores. The header is dropped before the filter chain is
// invoked and as such filters will not see dropped headers. The
// "httpN.dropped_headers_with_underscores" is incremented for each dropped header.
DROP_HEADER = 2;
}
// The idle timeout for connections. The idle timeout is defined as the
// period in which there are no active requests. If not set, there is no idle timeout. When the
// period in which there are no active requests. When the
// idle timeout is reached the connection will be closed. If the connection is an HTTP/2
// downstream connection a drain sequence will occur prior to closing the connection, see
// :ref:`drain_timeout
@ -62,9 +85,12 @@ message HttpProtocolOptions {
// Total duration to keep alive an HTTP request/response stream. If the time limit is reached the stream will be
// reset independent of any other timeouts. If not specified, this value is not set.
// The current implementation implements this timeout on downstream connections only.
// [#comment:TODO(shikugawa): add this functionality to upstream.]
google.protobuf.Duration max_stream_duration = 4;
// Action to take when a client request with a header name containing underscore characters is received.
// If this setting is not specified, the value defaults to ALLOW.
// Note: upstream responses are not affected by this setting.
HeadersWithUnderscoresAction headers_with_underscores_action = 5;
}
// [#next-free-field: 6]


@ -3,12 +3,14 @@ syntax = "proto3";
package envoy.api.v2.core;
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.api.v2.core";
option java_outer_classname = "SocketOptionProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Socket Option ]


@ -8,11 +8,13 @@ import "google/protobuf/any.proto";
import "google/rpc/status.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
option java_package = "io.envoyproxy.envoy.api.v2";
option java_outer_classname = "DiscoveryProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.service.discovery.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Common discovery API components]


@ -10,6 +10,7 @@ import "google/protobuf/wrappers.proto";
import "envoy/annotations/resource.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
import public "envoy/api/v2/endpoint.proto";
@ -19,6 +20,7 @@ option java_outer_classname = "EdsProto";
option java_multiple_files = true;
option java_generic_services = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.service.endpoint.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: EDS]
// Endpoint discovery :ref:`architecture overview <arch_overview_service_discovery_types_eds>`


@ -10,12 +10,14 @@ import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.api.v2";
option java_outer_classname = "EndpointProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.config.endpoint.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Endpoint configuration]
// Endpoint discovery :ref:`architecture overview <arch_overview_service_discovery_types_eds>`
@ -34,6 +36,7 @@ message ClusterLoadAssignment {
// Load balancing policy settings.
// [#next-free-field: 6]
message Policy {
// [#not-implemented-hide:]
message DropOverload {
// Identifier for the policy specifying the drop.
string category = 1 [(validate.rules).string = {min_bytes: 1}];
@ -63,6 +66,7 @@ message ClusterLoadAssignment {
// "throttle"_drop = 60%
// "lb"_drop = 20% // 50% of the remaining 'actual' load, which is 40%.
// actual_outgoing_load = 20% // remaining after applying all categories.
// [#not-implemented-hide:]
repeated DropOverload drop_overloads = 2;
// Priority levels and localities are considered overprovisioned with this


@ -2,6 +2,8 @@ syntax = "proto3";
package envoy.api.v2.endpoint;
import "udpa/annotations/status.proto";
import public "envoy/api/v2/endpoint/endpoint_components.proto";
option java_package = "io.envoyproxy.envoy.api.v2.endpoint";


@ -9,12 +9,14 @@ import "envoy/api/v2/core/health_check.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.api.v2.endpoint";
option java_outer_classname = "EndpointComponentsProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.config.endpoint.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Endpoints]
@ -29,6 +31,13 @@ message Endpoint {
// check port. Setting this with a non-zero value allows an upstream host
// to have different health check address port.
uint32 port_value = 1 [(validate.rules).uint32 = {lte: 65535}];
// By default, the host header for L7 health checks is controlled by cluster level configuration
// (see: :ref:`host <envoy_api_field_core.HealthCheck.HttpHealthCheck.host>` and
// :ref:`authority <envoy_api_field_core.HealthCheck.GrpcHealthCheck.authority>`). Setting this
// to a non-empty value allows overriding the cluster level configuration for a specific
// endpoint.
string hostname = 2;
}
// The upstream host address.
@ -50,6 +59,12 @@ message Endpoint {
// This takes into effect only for upstream clusters with
// :ref:`active health checking <arch_overview_health_checking>` enabled.
HealthCheckConfig health_check_config = 2;
// The hostname associated with this endpoint. This hostname is not used for routing or address
// resolution. If provided, it will be associated with the endpoint, and can be used for features
// that require a hostname, like
// :ref:`auto_host_rewrite <envoy_api_field_route.RouteAction.auto_host_rewrite>`.
string hostname = 3;
}
// An Endpoint that Envoy can route traffic to.
@ -82,7 +97,8 @@ message LbEndpoint {
// percentage of traffic for the endpoint. This percentage is then further
// weighted by the endpoint's locality's load balancing weight from
// LocalityLbEndpoints. If unspecified, each host is presumed to have equal
// weight in a locality.
// weight in a locality. The sum of the weights of all endpoints in the
// endpoint's locality must not exceed uint32_t maximal value (4294967295).
google.protobuf.UInt32Value load_balancing_weight = 4 [(validate.rules).uint32 = {gte: 1}];
}
@ -101,7 +117,8 @@ message LocalityLbEndpoints {
// Optional: Per priority/region/zone/sub_zone weight; at least 1. The load
// balancing weight for a locality is divided by the sum of the weights of all
// localities at the same priority level to produce the effective percentage
// of traffic for the locality.
// of traffic for the locality. The sum of the weights of all localities at
// the same priority level must not exceed uint32_t maximal value (4294967295).
//
// Locality weights are only considered when :ref:`locality weighted load
// balancing <arch_overview_load_balancing_locality_weighted_lb>` is
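Review bot: The new `string hostname = 2;` in `HealthCheckConfig` (and `hostname = 3` on `Endpoint`) lets one endpoint override the Host/:authority header used for L7 health checks, but it carries no `validate.rules`, whereas this same commit constrains the cluster-level `host` and `authority` fields in v3 `health_check.proto` with `well_known_regex: HTTP_HEADER_VALUE`. A per-endpoint value containing control characters would therefore sidestep the header-value check that the cluster-level field now gets. Holding the override to the same rule, `string hostname = 2 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];`, would close that gap; since this v2 file is marked FROZEN in the same commit, the rule may only be landable in the v3 counterpart, which is outside this section.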

@ -9,12 +9,14 @@ import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.api.v2.endpoint";
option java_outer_classname = "LoadReportProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.config.endpoint.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// These are stats Envoy reports to GLB every so often. Report frequency is
// defined by

@ -10,6 +10,7 @@ import "google/protobuf/wrappers.proto";
import "envoy/annotations/resource.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
import public "envoy/api/v2/listener.proto";
@ -19,6 +20,7 @@ option java_outer_classname = "LdsProto";
option java_multiple_files = true;
option java_generic_services = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.service.listener.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Listener]
// Listener :ref:`configuration overview <config_listeners>`

@ -7,6 +7,7 @@ import "envoy/api/v2/core/base.proto";
import "envoy/api/v2/core/socket_option.proto";
import "envoy/api/v2/listener/listener_components.proto";
import "envoy/api/v2/listener/udp_listener_config.proto";
import "envoy/config/filter/accesslog/v2/accesslog.proto";
import "envoy/config/listener/v2/api_listener.proto";
import "google/api/annotations.proto";
@ -14,17 +15,19 @@ import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.api.v2";
option java_outer_classname = "ListenerProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.config.listener.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Listener configuration]
// Listener :ref:`configuration overview <config_listeners>`
// [#next-free-field: 22]
// [#next-free-field: 23]
message Listener {
enum DrainType {
// Drain in response to calling /healthcheck/fail admin endpoint (along with the health check
@ -237,4 +240,8 @@ message Listener {
// This issue was fixed by `tcp: Avoid TCP syncookie rejected by SO_REUSEPORT socket
// <https://github.com/torvalds/linux/commit/40a1227ea845a37ab197dd1caffb60b047fa36b1>`_.
bool reuse_port = 21;
// Configuration for :ref:`access logs <arch_overview_access_logs>`
// emitted by this listener.
repeated config.filter.accesslog.v2.AccessLog access_log = 22;
}

@ -2,6 +2,8 @@ syntax = "proto3";
package envoy.api.v2.listener;
import "udpa/annotations/status.proto";
import public "envoy/api/v2/listener/listener_components.proto";
option java_package = "io.envoyproxy.envoy.api.v2.listener";

@ -2,7 +2,7 @@ syntax = "proto3";
package envoy.api.v2.listener;
import "envoy/api/v2/auth/cert.proto";
import "envoy/api/v2/auth/tls.proto";
import "envoy/api/v2/core/address.proto";
import "envoy/api/v2/core/base.proto";
import "envoy/type/range.proto";
@ -12,6 +12,7 @@ import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.api.v2.listener";
@ -20,6 +21,7 @@ option java_multiple_files = true;
option csharp_namespace = "Envoy.Api.V2.ListenerNS";
option ruby_package = "Envoy.Api.V2.ListenerNS";
option (udpa.annotations.file_migrate).move_to_package = "envoy.config.listener.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Listener components]
// Listener :ref:`configuration overview <config_listeners>`
@ -207,9 +209,32 @@ message FilterChain {
string name = 7;
}
// [#not-implemented-hide:]
// Listener filter chain match configuration. This is a recursive structure which allows complex
// nested match configurations to be built using various logical operators.
//
// Examples:
//
// * Matches if the destination port is 3306.
//
// .. code-block:: yaml
//
// destination_port_range:
// start: 3306
// end: 3307
//
// * Matches if the destination port is 3306 or 15000.
//
// .. code-block:: yaml
//
// or_match:
// rules:
// - destination_port_range:
// start: 3306
// end: 3306
// - destination_port_range:
// start: 15000
// end: 15001
//
// [#next-free-field: 6]
message ListenerFilterChainMatchPredicate {
// A set of match configurations used for logical operations.
@ -255,17 +280,8 @@ message ListenerFilter {
google.protobuf.Any typed_config = 3;
}
// [#not-implemented-hide:]
// Decide when to disable this listener filter on incoming traffic.
// Example:
// 0. always enable filter
// don't set `filter_disabled`
// 1. disable when the destination port is 3306
// rule.destination_port_range = Int32Range {start = 3306, end = 3307}
// 2. disable when the destination port is 3306 or 15000
// rule.or_match = MatchSet.rules [
// rule.destination_port_range = Int32Range {start = 3306, end = 3307},
// rule.destination_port_range = Int32Range {start = 15000, end = 15001},
// ]
// Optional match predicate used to disable the filter. The filter is enabled when this field is empty.
// See :ref:`ListenerFilterChainMatchPredicate <envoy_api_msg_listener.ListenerFilterChainMatchPredicate>`
// for further examples.
ListenerFilterChainMatchPredicate filter_disabled = 4;
}
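Review bot: The two YAML examples in the new `ListenerFilterChainMatchPredicate` comment disagree on range semantics: the first matches port 3306 with `start: 3306` / `end: 3307` (a half-open range), while the second, meant to match 3306 or 15000, uses `start: 3306` / `end: 3306`, which under the same convention is an empty range and would never match. It presumably should read `end: 3307`, as the old inline example being removed from `ListenerFilter` did. The comment also describes the predicate as a recursive structure; a sentence stating the nesting depth a consumer is expected to accept would help implementers bound parsing of untrusted configuration. The `ListenerFilterChainMatchPredicate` message body itself lies outside this hunk.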

@ -6,6 +6,7 @@ import "google/protobuf/any.proto";
import "google/protobuf/struct.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
option java_package = "io.envoyproxy.envoy.api.v2.listener";
option java_outer_classname = "UdpListenerConfigProto";
@ -13,6 +14,7 @@ option java_multiple_files = true;
option csharp_namespace = "Envoy.Api.V2.ListenerNS";
option ruby_package = "Envoy.Api.V2.ListenerNS";
option (udpa.annotations.file_migrate).move_to_package = "envoy.config.listener.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: UDP Listener Config]
// Listener :ref:`configuration overview <config_listeners>`

@ -9,6 +9,7 @@ import "google/protobuf/wrappers.proto";
import "envoy/annotations/resource.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
import public "envoy/api/v2/route.proto";
@ -18,6 +19,7 @@ option java_outer_classname = "RdsProto";
option java_multiple_files = true;
option java_generic_services = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.service.route.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: RDS]

@ -9,12 +9,14 @@ import "envoy/api/v2/route/route_components.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.api.v2";
option java_outer_classname = "RouteProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.config.route.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: HTTP route configuration]
// * Routing :ref:`architecture overview <arch_overview_http_routing>`

@ -2,6 +2,8 @@ syntax = "proto3";
package envoy.api.v2.route;
import "udpa/annotations/status.proto";
import public "envoy/api/v2/route/route_components.proto";
option java_package = "io.envoyproxy.envoy.api.v2.route";

@ -16,12 +16,14 @@ import "google/protobuf/wrappers.proto";
import "envoy/annotations/deprecation.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.api.v2.route";
option java_outer_classname = "RouteComponentsProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.config.route.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: HTTP route components]
// * Routing :ref:`architecture overview <arch_overview_http_routing>`
@ -1274,7 +1276,7 @@ message Tracing {
// statistics are perfect in the sense that they are emitted on the downstream
// side such that they include network level failures.
//
// Documentation for :ref:`virtual cluster statistics <config_http_filters_router_stats>`.
// Documentation for :ref:`virtual cluster statistics <config_http_filters_router_vcluster_stats>`.
//
// .. note::
//

@ -3,12 +3,14 @@ syntax = "proto3";
package envoy.api.v2;
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.api.v2";
option java_outer_classname = "ScopedRouteProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.config.route.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: HTTP scoped routing configuration]
// * Routing :ref:`architecture overview <arch_overview_http_routing>`

@ -8,6 +8,7 @@ import "google/api/annotations.proto";
import "envoy/annotations/resource.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import public "envoy/api/v2/scoped_route.proto";
@ -16,6 +17,7 @@ option java_outer_classname = "SrdsProto";
option java_multiple_files = true;
option java_generic_services = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.service.route.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: SRDS]
// * Routing :ref:`architecture overview <arch_overview_http_routing>`

@ -9,13 +9,14 @@ import "envoy/type/v3/percent.proto";
import "google/protobuf/any.proto";
import "google/protobuf/struct.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.accesslog.v3";
option java_outer_classname = "AccesslogProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Common access log types]
@ -239,6 +240,8 @@ message ResponseFlagFilter {
in: "SI"
in: "IH"
in: "DPE"
in: "UMSDR"
in: "RFCF"
}
}
}];

@ -7,13 +7,14 @@ import "envoy/type/v3/percent.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.cluster.v3";
option java_outer_classname = "CircuitBreakerProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Circuit breakers]

@ -18,14 +18,15 @@ import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/versioning.proto";
import "envoy/annotations/deprecation.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.cluster.v3";
option java_outer_classname = "ClusterProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Cluster configuration]
@ -373,7 +374,7 @@ message Cluster {
}
// Common configuration for all load balancer implementations.
// [#next-free-field: 7]
// [#next-free-field: 8]
message CommonLbConfig {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.Cluster.CommonLbConfig";
@ -411,6 +412,16 @@ message Cluster {
"envoy.api.v2.Cluster.CommonLbConfig.LocalityWeightedLbConfig";
}
// Common Configuration for all consistent hashing load balancers (MaglevLb, RingHashLb, etc.)
message ConsistentHashingLbConfig {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.Cluster.CommonLbConfig.ConsistentHashingLbConfig";
// If set to `true`, the cluster will use hostname instead of the resolved
// address as the key to consistently hash to an upstream host. Only valid for StrictDNS clusters with hostnames which resolve to a single IP address.
bool use_hostname_for_hashing = 1;
}
// Configures the :ref:`healthy panic threshold <arch_overview_load_balancing_panic_threshold>`.
// If not specified, the default is 50%.
// To disable panic mode, set to 0%.
@ -465,6 +476,9 @@ message Cluster {
// If set to `true`, the cluster manager will drain all existing
// connections to upstream hosts whenever hosts are added or removed from the cluster.
bool close_connections_on_host_set_change = 6;
//Common Configuration for all consistent hashing load balancers (MaglevLb, RingHashLb, etc.)
ConsistentHashingLbConfig consistent_hashing_lb_config = 7;
}
message RefreshRate {
@ -490,7 +504,7 @@ message Cluster {
reserved "hosts", "tls_context", "extension_protocol_options";
// Configuration to use different transport sockets for different endpoints.
// The entry of *envoy.transport_socket* in the
// The entry of *envoy.transport_socket_match* in the
// :ref:`LbEndpoint.Metadata <envoy_api_field_config.endpoint.v3.LbEndpoint.metadata>`
// is used to match against the transport sockets as they appear in the list. The first
// :ref:`match <envoy_api_msg_config.cluster.v3.Cluster.TransportSocketMatch>` is used.
@ -510,14 +524,14 @@ message Cluster {
// transport_socket:
// name: envoy.transport_sockets.raw_buffer
//
// Connections to the endpoints whose metadata value under *envoy.transport_socket*
// Connections to the endpoints whose metadata value under *envoy.transport_socket_match*
// having "acceptMTLS"/"true" key/value pair use the "enableMTLS" socket configuration.
//
// If a :ref:`socket match <envoy_api_msg_config.cluster.v3.Cluster.TransportSocketMatch>` with empty match
// criteria is provided, that always match any endpoint. For example, the "defaultToPlaintext"
// socket match in case above.
//
// If an endpoint metadata's value under *envoy.transport_socket* does not match any
// If an endpoint metadata's value under *envoy.transport_socket_match* does not match any
// *TransportSocketMatch*, socket configuration fallbacks to use the *tls_context* or
// *transport_socket* specified in this cluster.
//
@ -533,6 +547,10 @@ message Cluster {
// *TransportSocketMatch* in this field. Other client Envoys receive CDS without
// *transport_socket_match* set, and still send plain text traffic to the same cluster.
//
// This field can be used to specify custom transport socket configurations for health
// checks by adding matching key/value pairs in a health check's
// :ref:`transport socket match criteria <envoy_api_field_config.core.v3.HealthCheck.transport_socket_match_criteria>` field.
//
// [#comment:TODO(incfly): add a detailed architecture doc on intended usage.]
repeated TransportSocketMatch transport_socket_matches = 43;
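Review bot: The leading comment on the new `consistent_hashing_lb_config = 7` field is written `//Common Configuration ...` without the space after `//` that every other comment in this file uses, and the `use_hostname_for_hashing` comment line above it runs far past the file's wrapping width; `// Common Configuration for all consistent hashing load balancers (MaglevLb, RingHashLb, etc.)` plus a rewrap would match the surrounding style. The `use_hostname_for_hashing` comment says the option is only valid for StrictDNS clusters whose hostnames resolve to a single IP, which the schema cannot enforce, so stating whether that condition is rejected or silently ignored at config-load time would tell consumers what to expect. The `Cluster` message starts and ends outside this hunk.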

@ -4,13 +4,14 @@ package envoy.config.cluster.v3;
import "google/protobuf/any.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.cluster.v3";
option java_outer_classname = "FilterProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Upstream filters]
// Upstream filters apply to the connections to the upstream cluster hosts.

@ -5,13 +5,14 @@ package envoy.config.cluster.v3;
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.cluster.v3";
option java_outer_classname = "OutlierDetectionProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Outlier detection]

@ -6,13 +6,14 @@ import "envoy/config/core/v3/socket_option.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.core.v3";
option java_outer_classname = "AddressProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Network addresses]

@ -4,13 +4,14 @@ package envoy.config.core.v3;
import "google/protobuf/duration.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.core.v3";
option java_outer_classname = "BackoffProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Backoff Strategy]

@ -13,13 +13,14 @@ import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.core.v3";
option java_outer_classname = "BaseProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Common types]
@ -238,6 +239,17 @@ message RuntimeUInt32 {
string runtime_key = 3 [(validate.rules).string = {min_bytes: 1}];
}
// Runtime derived double with a default when not specified.
message RuntimeDouble {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.RuntimeDouble";
// Default value if runtime value is not available.
double default_value = 1;
// Runtime key to get value for comparison. This value is used if defined.
string runtime_key = 2 [(validate.rules).string = {min_bytes: 1}];
}
// Runtime derived bool with a default when not specified.
message RuntimeFeatureFlag {
option (udpa.annotations.versioning).previous_message_type =

@ -7,14 +7,15 @@ import "envoy/config/core/v3/grpc_service.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/versioning.proto";
import "envoy/annotations/deprecation.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.core.v3";
option java_outer_classname = "ConfigSourceProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Configuration sources]
@ -57,10 +58,6 @@ message ApiConfigSource {
// Using the delta xDS gRPC service, i.e. DeltaDiscovery{Request,Response}
// rather than Discovery{Request,Response}. Rather than sending Envoy the entire state
// with every update, the xDS server only sends what has changed since the last update.
//
// DELTA_GRPC is not yet entirely implemented! Initially, only CDS is available.
// Do not use for other xDSes.
// [#comment:TODO(fredlas) update/remove this warning when appropriate.]
DELTA_GRPC = 3;
}
@ -143,6 +140,8 @@ message ConfigSource {
option (validate.required) = true;
// Path on the filesystem to source and watch for configuration updates.
// When sourcing configuration for :ref:`secret <envoy_api_msg_extensions.transport_sockets.tls.v3.Secret>`,
// the certificate and key files are also watched for updates.
//
// .. note::
//

@ -0,0 +1,28 @@
syntax = "proto3";
package envoy.config.core.v3;
import "envoy/config/core/v3/grpc_service.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.core.v3";
option java_outer_classname = "EventServiceConfigProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#not-implemented-hide:]
// Configuration of the event reporting service endpoint.
message EventServiceConfig {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.core.EventServiceConfig";
oneof config_source_specifier {
option (validate.required) = true;
// Specifies the gRPC service that hosts the event reporting service.
GrpcService grpc_service = 1;
}
}

@ -0,0 +1,30 @@
syntax = "proto3";
package envoy.config.core.v3;
import "google/protobuf/any.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.core.v3";
option java_outer_classname = "ExtensionProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Extension configuration]
// Message type for extension configuration.
// [#next-major-version: revisit all existing typed_config that doesn't use this wrapper.].
message TypedExtensionConfig {
// The name of an extension. This is not used to select the extension, instead
// it serves the role of an opaque identifier.
string name = 1 [(validate.rules).string = {min_len: 1}];
// The typed config for the extension. The type URL will be used to identify
// the extension. In the case that the type URL is *udpa.type.v1.TypedStruct*,
// the inner type URL of *TypedStruct* will be utilized. See the
// :ref:`extension configuration overview
// <config_overview_extension_configuration>` for further details.
google.protobuf.Any typed_config = 2 [(validate.rules).any = {required: true}];
}
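Review bot: The `typed_config` comment on the new `TypedExtensionConfig` says the `Any` type URL "will be used to identify the extension" and that a `udpa.type.v1.TypedStruct` inner URL is honoured too, but it does not say what a consumer should do with a URL it does not recognise. Since this message is the generic carrier for extension configuration, a sentence such as `// Consumers resolve the type URL only against their registered extension types; an unknown URL is a configuration error and must not be unpacked as an arbitrary message.` would make the intended handling explicit for implementers.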

@ -8,15 +8,17 @@ import "google/protobuf/any.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/sensitive.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.core.v3";
option java_outer_classname = "GrpcServiceProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: gRPC services]
@ -36,7 +38,7 @@ message GrpcService {
string cluster_name = 1 [(validate.rules).string = {min_bytes: 1}];
}
// [#next-free-field: 7]
// [#next-free-field: 8]
message GoogleGrpc {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.core.GrpcService.GoogleGrpc";
@ -231,6 +233,10 @@ message GrpcService {
// Additional configuration for site-specific customizations of the Google
// gRPC library.
google.protobuf.Struct config = 6;
// How many bytes each stream can buffer internally.
// If not set an implementation defined default is applied (1MiB).
google.protobuf.UInt32Value per_stream_buffer_limit_bytes = 7;
}
reserved 4;

@ -3,6 +3,7 @@ syntax = "proto3";
package envoy.config.core.v3;
import "envoy/config/core/v3/base.proto";
import "envoy/config/core/v3/event_service_config.proto";
import "envoy/type/matcher/v3/string.proto";
import "envoy/type/v3/http.proto";
import "envoy/type/v3/range.proto";
@ -12,14 +13,15 @@ import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/versioning.proto";
import "envoy/annotations/deprecation.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.core.v3";
option java_outer_classname = "HealthCheckProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Health check]
// * Health checking :ref:`architecture overview <arch_overview_health_checking>`.
@ -52,7 +54,7 @@ enum HealthStatus {
DEGRADED = 5;
}
// [#next-free-field: 22]
// [#next-free-field: 24]
message HealthCheck {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HealthCheck";
@ -83,12 +85,15 @@ message HealthCheck {
// The value of the host header in the HTTP health check request. If
// left empty (default value), the name of the cluster this health check is associated
// with will be used.
string host = 1;
// with will be used. The host header can be customized for a specific endpoint by setting the
// :ref:`hostname <envoy_api_field_config.endpoint.v3.Endpoint.HealthCheckConfig.hostname>` field.
string host = 1 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
// Specifies the HTTP path that will be requested during health checking. For example
// */healthcheck*.
string path = 2 [(validate.rules).string = {min_bytes: 1}];
string path = 2 [
(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}
];
// [#not-implemented-hide:] HTTP specific payload.
Payload send = 3;
@ -105,7 +110,9 @@ message HealthCheck {
// Specifies a list of HTTP headers that should be removed from each request that is sent to the
// health checked cluster.
repeated string request_headers_to_remove = 8;
repeated string request_headers_to_remove = 8 [(validate.rules).repeated = {
items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}
}];
// Specifies a list of HTTP response statuses considered healthy. If provided, replaces default
// 200-only policy - 200 must be included explicitly as needed. Ranges follow half-open
@ -164,8 +171,10 @@ message HealthCheck {
// The value of the :authority header in the gRPC health check request. If
// left empty (default value), the name of the cluster this health check is associated
// with will be used.
string authority = 2;
// with will be used. The authority header can be customized for a specific endpoint by setting
// the :ref:`hostname <envoy_api_field_config.endpoint.v3.Endpoint.HealthCheckConfig.hostname>` field.
string authority = 2
[(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
}
// Custom health check.
@ -302,6 +311,11 @@ message HealthCheck {
// If empty, no event log will be written.
string event_log_path = 17;
// [#not-implemented-hide:]
// The gRPC service for the health check event service.
// If empty, health check events won't be sent to a remote endpoint.
EventServiceConfig event_service = 22;
// If set to true, health check failure events will always be logged. If set to false, only the
// initial health check failure event will be logged.
// The default value is false.
@ -309,4 +323,36 @@ message HealthCheck {
// This allows overriding the cluster TLS settings, just for health check connections.
TlsOptions tls_options = 21;
// Optional key/value pairs that will be used to match a transport socket from those specified in the cluster's
// :ref:`tranport socket matches <envoy_api_field_config.cluster.v3.Cluster.transport_socket_matches>`.
// For example, the following match criteria
//
// .. code-block:: yaml
//
// transport_socket_match_criteria:
// useMTLS: true
//
// Will match the following :ref:`cluster socket match <envoy_api_msg_config.cluster.v3.Cluster.TransportSocketMatch>`
//
// .. code-block:: yaml
//
// transport_socket_matches:
// - name: "useMTLS"
// match:
// useMTLS: true
// transport_socket:
// name: envoy.transport_sockets.tls
// config: { ... } # tls socket configuration
//
// If this field is set, then for health checks it will supersede an entry of *envoy.transport_socket* in the
// :ref:`LbEndpoint.Metadata <envoy_api_field_config.endpoint.v3.LbEndpoint.metadata>`.
// This allows using different transport socket capabilities for health checking versus proxying to the
// endpoint.
//
// If the key/values pairs specified do not match any
// :ref:`transport socket matches <envoy_api_field_config.cluster.v3.Cluster.transport_socket_matches>`,
// the cluster's :ref:`transport socket <envoy_api_field_config.cluster.v3.Cluster.transport_socket>`
// will be used for health check socket configuration.
google.protobuf.Struct transport_socket_match_criteria = 23;
}
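Review bot: The new `transport_socket_match_criteria` comment still refers to the endpoint metadata key `*envoy.transport_socket*`, while `cluster.proto` in this same commit renames that key to `*envoy.transport_socket_match*` in the `transport_socket_matches` documentation it cross-references, so the two sides of the link now name different keys. The same comment also has a typo, `tranport socket matches`, in the `:ref:` text. Separately, the new `host`, `path` and `authority` rules pair `well_known_regex: HTTP_HEADER_VALUE` with `strict: false`, which as I understand protoc-gen-validate relaxes the RFC check to rejecting only a few control characters; a short comment such as `// strict: false — permissive header check for compatibility with existing configs` would record that the relaxation is deliberate. The `HealthCheck` message starts outside this hunk.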

@ -4,13 +4,14 @@ package envoy.config.core.v3;
import "google/protobuf/duration.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.core.v3";
option java_outer_classname = "HttpUriProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: HTTP Service URI ]

@ -5,13 +5,14 @@ package envoy.config.core.v3;
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.core.v3";
option java_outer_classname = "ProtocolProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Protocol options]
@ -37,12 +38,33 @@ message UpstreamHttpProtocolOptions {
bool auto_san_validation = 2;
}
// [#next-free-field: 6]
message HttpProtocolOptions {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.core.HttpProtocolOptions";
// Action to take when Envoy receives client request with header names containing underscore
// characters.
// Underscore character is allowed in header names by the RFC-7230 and this behavior is implemented
// as a security measure due to systems that treat '_' and '-' as interchangeable. Envoy by default allows client request headers with underscore
// characters.
enum HeadersWithUnderscoresAction {
// Allow headers with underscores. This is the default behavior.
ALLOW = 0;
// Reject client request. HTTP/1 requests are rejected with the 400 status. HTTP/2 requests
// end with the stream reset. The "httpN.requests_rejected_with_underscores_in_headers" counter
// is incremented for each rejected request.
REJECT_REQUEST = 1;
// Drop the header with name containing underscores. The header is dropped before the filter chain is
// invoked and as such filters will not see dropped headers. The
// "httpN.dropped_headers_with_underscores" is incremented for each dropped header.
DROP_HEADER = 2;
}
// The idle timeout for connections. The idle timeout is defined as the
// period in which there are no active requests. If not set, there is no idle timeout. When the
// period in which there are no active requests. When the
// idle timeout is reached the connection will be closed. If the connection is an HTTP/2
// downstream connection a drain sequence will occur prior to closing the connection, see
// :ref:`drain_timeout
@ -70,9 +92,12 @@ message HttpProtocolOptions {
// Total duration to keep alive an HTTP request/response stream. If the time limit is reached the stream will be
// reset independent of any other timeouts. If not specified, this value is not set.
// The current implementation implements this timeout on downstream connections only.
// [#comment:TODO(shikugawa): add this functionality to upstream.]
google.protobuf.Duration max_stream_duration = 4;
// Action to take when a client request with a header name containing underscore characters is received.
// If this setting is not specified, the value defaults to ALLOW.
// Note: upstream responses are not affected by this setting.
HeadersWithUnderscoresAction headers_with_underscores_action = 5;
}
// [#next-free-field: 6]


@ -0,0 +1,26 @@
syntax = "proto3";
package envoy.config.core.v3;
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.core.v3";
option java_outer_classname = "ProxyProtocolProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Proxy Protocol]
message ProxyProtocolConfig {
enum Version {
// PROXY protocol version 1. Human readable format.
V1 = 0;
// PROXY protocol version 2. Binary format.
V2 = 1;
}
// The PROXY protocol version to use. See https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt for details
Version version = 1;
}
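Review bot: `Version` uses `V1 = 0` as its zero value, so an unset `version` is indistinguishable from an explicit choice of PROXY protocol v1 and the human-readable v1 format becomes the silent default; a `VERSION_UNSPECIFIED = 0` with `V1`/`V2` at 1 and 2 would make the selection explicit. The values are also unprefixed (`V1`, `V2`), which can collide under C++-style enum scoping if another enum in this package ever uses the same names. Since this file is vendored from upstream Envoy the schema fix belongs there; a consumer of this copy should at least document that the zero value means v1. The field comment also lacks a terminating period: `// The PROXY protocol version to use. See https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt for details.`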


@ -2,13 +2,14 @@ syntax = "proto3";
package envoy.config.core.v3;
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.core.v3";
option java_outer_classname = "SocketOptionProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Socket Option ]


@ -9,13 +9,14 @@ import "google/api/annotations.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.endpoint.v3";
option java_outer_classname = "EndpointProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Endpoint configuration]
// Endpoint discovery :ref:`architecture overview <arch_overview_service_discovery_types_eds>`
@ -39,6 +40,7 @@ message ClusterLoadAssignment {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.ClusterLoadAssignment.Policy";
// [#not-implemented-hide:]
message DropOverload {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.ClusterLoadAssignment.Policy.DropOverload";
@ -73,6 +75,7 @@ message ClusterLoadAssignment {
// "throttle"_drop = 60%
// "lb"_drop = 20% // 50% of the remaining 'actual' load, which is 40%.
// actual_outgoing_load = 20% // remaining after applying all categories.
// [#not-implemented-hide:]
repeated DropOverload drop_overloads = 2;
// Priority levels and localities are considered overprovisioned with this


@ -8,13 +8,14 @@ import "envoy/config/core/v3/health_check.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.endpoint.v3";
option java_outer_classname = "EndpointComponentsProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Endpoints]
@ -34,6 +35,13 @@ message Endpoint {
// check port. Setting this with a non-zero value allows an upstream host
// to have different health check address port.
uint32 port_value = 1 [(validate.rules).uint32 = {lte: 65535}];
// By default, the host header for L7 health checks is controlled by cluster level configuration
// (see: :ref:`host <envoy_api_field_config.core.v3.HealthCheck.HttpHealthCheck.host>` and
// :ref:`authority <envoy_api_field_config.core.v3.HealthCheck.GrpcHealthCheck.authority>`). Setting this
// to a non-empty value allows overriding the cluster level configuration for a specific
// endpoint.
string hostname = 2;
}
// The upstream host address.
@ -55,6 +63,12 @@ message Endpoint {
// This takes into effect only for upstream clusters with
// :ref:`active health checking <arch_overview_health_checking>` enabled.
HealthCheckConfig health_check_config = 2;
// The hostname associated with this endpoint. This hostname is not used for routing or address
// resolution. If provided, it will be associated with the endpoint, and can be used for features
// that require a hostname, like
// :ref:`auto_host_rewrite <envoy_api_field_config.route.v3.RouteAction.auto_host_rewrite>`.
string hostname = 3;
}
// An Endpoint that Envoy can route traffic to.
@ -89,7 +103,8 @@ message LbEndpoint {
// percentage of traffic for the endpoint. This percentage is then further
// weighted by the endpoint's locality's load balancing weight from
// LocalityLbEndpoints. If unspecified, each host is presumed to have equal
// weight in a locality.
// weight in a locality. The sum of the weights of all endpoints in the
// endpoint's locality must not exceed uint32_t maximal value (4294967295).
google.protobuf.UInt32Value load_balancing_weight = 4 [(validate.rules).uint32 = {gte: 1}];
}
@ -111,7 +126,8 @@ message LocalityLbEndpoints {
// Optional: Per priority/region/zone/sub_zone weight; at least 1. The load
// balancing weight for a locality is divided by the sum of the weights of all
// localities at the same priority level to produce the effective percentage
// of traffic for the locality.
// of traffic for the locality. The sum of the weights of all localities at
// the same priority level must not exceed uint32_t maximal value (4294967295).
//
// Locality weights are only considered when :ref:`locality weighted load
// balancing <arch_overview_load_balancing_locality_weighted_lb>` is


@ -10,12 +10,14 @@ import "google/protobuf/any.proto";
import "google/protobuf/struct.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.filter.accesslog.v2";
option java_outer_classname = "AccesslogProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.config.accesslog.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Common access log types]


@ -8,12 +8,14 @@ import "google/protobuf/duration.proto";
import "envoy/annotations/deprecation.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.filter.fault.v2";
option java_outer_classname = "FaultProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.extensions.filters.common.fault.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Common fault injection types]


@ -9,12 +9,14 @@ import "envoy/type/percent.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.filter.http.fault.v2";
option java_outer_classname = "FaultProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.extensions.filters.http.fault.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Fault Injection]
// Fault Injection :ref:`configuration overview <config_http_filters_fault_injection>`.


@ -7,7 +7,7 @@ import "envoy/api/v2/core/protocol.proto";
import "envoy/api/v2/route.proto";
import "envoy/api/v2/scoped_route.proto";
import "envoy/config/filter/accesslog/v2/accesslog.proto";
import "envoy/config/trace/v2/trace.proto";
import "envoy/config/trace/v2/http_tracer.proto";
import "envoy/type/percent.proto";
import "envoy/type/tracing/v2/custom_tag.proto";
@ -18,6 +18,7 @@ import "google/protobuf/wrappers.proto";
import "envoy/annotations/deprecation.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.filter.network.http_connection_manager.v2";
@ -25,12 +26,13 @@ option java_outer_classname = "HttpConnectionManagerProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package =
"envoy.extensions.filters.network.http_connection_manager.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: HTTP connection manager]
// HTTP connection manager :ref:`configuration overview <config_http_conn_man>`.
// [#extension: envoy.filters.network.http_connection_manager]
// [#next-free-field: 36]
// [#next-free-field: 37]
message HttpConnectionManager {
enum CodecType {
// For every new connection, the connection manager will determine which
@ -159,9 +161,15 @@ message HttpConnectionManager {
repeated type.tracing.v2.CustomTag custom_tags = 8;
// Configuration for an external tracing provider.
// If not specified, Envoy will fall back to using tracing provider configuration
// from the bootstrap config.
// [#not-implemented-hide:]
// If not specified, no tracing will be performed.
//
// .. attention::
// Please be aware that *envoy.tracers.opencensus* provider can only be configured once
// in Envoy lifetime.
// Any attempts to reconfigure it or to use different configurations for different HCM filters
// will be rejected.
// Such a constraint is inherent to OpenCensus itself. It cannot be overcome without changes
// on OpenCensus side.
trace.v2.Tracing.Http provider = 9;
}
@ -224,7 +232,7 @@ message HttpConnectionManager {
// Determines if upgrades are enabled or disabled by default. Defaults to true.
// This can be overridden on a per-route basis with :ref:`cluster
// <envoy_api_field_route.RouteAction.upgrade_configs>` as documented in the
// :ref:`upgrade documentation <arch_overview_websocket>`.
// :ref:`upgrade documentation <arch_overview_upgrades>`.
google.protobuf.BoolValue enabled = 3;
}
@ -254,8 +262,8 @@ message HttpConnectionManager {
}
// A list of individual HTTP filters that make up the filter chain for
// requests made to the connection manager. Order matters as the filters are
// processed sequentially as request events happen.
// requests made to the connection manager. :ref:`Order matters <arch_overview_http_filters_ordering>`
// as the filters are processed sequentially as request events happen.
repeated HttpFilter http_filters = 5;
// Whether the connection manager manipulates the :ref:`config_http_conn_man_headers_user-agent`
@ -334,7 +342,7 @@ message HttpConnectionManager {
// timeout, although per-route idle timeout overrides will continue to apply.
google.protobuf.Duration stream_idle_timeout = 24;
// A timeout for idle requests managed by the connection manager.
// The amount of time that Envoy will wait for the entire request to be received.
// The timer is activated when the request is initiated, and is disarmed when the last byte of the
// request is sent upstream (i.e. all decoding filters have processed the request), OR when the
// response is initiated. If not specified or set to 0, this timeout is disabled.
@ -491,6 +499,18 @@ message HttpConnectionManager {
// with `prefix` match set to `/dir`. Defaults to `false`. Note that slash merging is not part of
// `HTTP spec <https://tools.ietf.org/html/rfc3986>` and is provided for convenience.
bool merge_slashes = 33;
// The configuration of the request ID extension. This includes operations such as
// generation, validation, and associated tracing operations.
//
// If not set, Envoy uses the default UUID-based behavior:
//
// 1. Request ID is propagated using *x-request-id* header.
//
// 2. Request ID is a universally unique identifier (UUID).
//
// 3. Tracing decision (sampled, forced, etc) is set in 14th byte of the UUID.
RequestIDExtension request_id_extension = 36;
}
message Rds {
@ -640,3 +660,8 @@ message HttpFilter {
google.protobuf.Any typed_config = 4;
}
}
message RequestIDExtension {
// Request ID extension specific configuration.
google.protobuf.Any typed_config = 1;
}
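Review bot: The documented meaning of `provider` (field 9 of `HttpConnectionManager.Tracing`) changes from "fall back to the bootstrap tracing provider" to "no tracing will be performed" while the package is marked `FROZEN`; keeping the field number but changing its semantics is the kind of change the freeze is meant to prevent, so a consumer of this copy that relied on the old fallback should be checked. The new `RequestIDExtension` carries only a `google.protobuf.Any typed_config`, so the extension is selected purely by the Any's type URL; an implementation that unpacks it should accept only known request-ID extension types rather than whatever type URL arrives. I would add to `typed_config`: `// The extension is selected by the type URL of this Any; implementations must only accept known request ID extension types.` The `HttpConnectionManager` and `HttpFilter` messages these hunks touch start and end outside the hunks.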


@ -5,11 +5,13 @@ package envoy.config.listener.v2;
import "google/protobuf/any.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
option java_package = "io.envoyproxy.envoy.config.listener.v2";
option java_outer_classname = "ApiListenerProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.config.listener.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: API listener]


@ -4,11 +4,13 @@ package envoy.config.listener.v3;
import "google/protobuf/any.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
option java_package = "io.envoyproxy.envoy.config.listener.v3";
option java_outer_classname = "ApiListenerProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: API listener]


@ -2,6 +2,7 @@ syntax = "proto3";
package envoy.config.listener.v3;
import "envoy/config/accesslog/v3/accesslog.proto";
import "envoy/config/core/v3/address.proto";
import "envoy/config/core/v3/base.proto";
import "envoy/config/core/v3/socket_option.proto";
@ -13,18 +14,20 @@ import "google/api/annotations.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/security.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.listener.v3";
option java_outer_classname = "ListenerProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Listener configuration]
// Listener :ref:`configuration overview <config_listeners>`
// [#next-free-field: 22]
// [#next-free-field: 23]
message Listener {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Listener";
@ -106,7 +109,8 @@ message Listener {
// Soft limit on size of the listeners new connection read and write buffers.
// If unspecified, an implementation defined default is applied (1MiB).
google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5;
google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5
[(udpa.annotations.security).configure_for_untrusted_downstream = true];
// Listener metadata.
core.v3.Metadata metadata = 6;
@ -232,4 +236,8 @@ message Listener {
// This issue was fixed by `tcp: Avoid TCP syncookie rejected by SO_REUSEPORT socket
// <https://github.com/torvalds/linux/commit/40a1227ea845a37ab197dd1caffb60b047fa36b1>`_.
bool reuse_port = 21;
// Configuration for :ref:`access logs <arch_overview_access_logs>`
// emitted by this listener.
repeated accesslog.v3.AccessLog access_log = 22;
}


@ -10,13 +10,14 @@ import "google/protobuf/any.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.listener.v3";
option java_outer_classname = "ListenerComponentsProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Listener components]
// Listener :ref:`configuration overview <config_listeners>`
@ -207,9 +208,32 @@ message FilterChain {
string name = 7;
}
// [#not-implemented-hide:]
// Listener filter chain match configuration. This is a recursive structure which allows complex
// nested match configurations to be built using various logical operators.
//
// Examples:
//
// * Matches if the destination port is 3306.
//
// .. code-block:: yaml
//
// destination_port_range:
// start: 3306
// end: 3307
//
// * Matches if the destination port is 3306 or 15000.
//
// .. code-block:: yaml
//
// or_match:
// rules:
// - destination_port_range:
// start: 3306
// end: 3306
// - destination_port_range:
// start: 15000
// end: 15001
//
// [#next-free-field: 6]
message ListenerFilterChainMatchPredicate {
option (udpa.annotations.versioning).previous_message_type =
@ -266,17 +290,8 @@ message ListenerFilter {
google.protobuf.Any typed_config = 3;
}
// [#not-implemented-hide:]
// Decide when to disable this listener filter on incoming traffic.
// Example:
// 0. always enable filter
// don't set `filter_disabled`
// 1. disable when the destination port is 3306
// rule.destination_port_range = Int32Range {start = 3306, end = 3307}
// 2. disable when the destination port is 3306 or 15000
// rule.or_match = MatchSet.rules [
// rule.destination_port_range = Int32Range {start = 3306, end = 3307},
// rule.destination_port_range = Int32Range {start = 15000, end = 15001},
// ]
// Optional match predicate used to disable the filter. The filter is enabled when this field is empty.
// See :ref:`ListenerFilterChainMatchPredicate <envoy_api_msg_config.listener.v3.ListenerFilterChainMatchPredicate>`
// for further examples.
ListenerFilterChainMatchPredicate filter_disabled = 4;
}
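Review bot: `ListenerFilterChainMatchPredicate` is now exposed (the `[#not-implemented-hide:]` marker is dropped) and its own comment describes it as a recursive structure built from nested `or_match`/`rules`, but nothing states a bound on nesting depth; the protobuf parser only stops at its recursion limit, and evaluating a deeply nested tree supplied by the control plane is otherwise unbounded. I would add to the message comment: `// Implementations should reject predicates nested deeper than an implementation-defined limit.` The message body itself continues outside the hunk, so whether any depth-related validation rule exists on its fields is not visible here.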


@ -5,11 +5,13 @@ package envoy.config.listener.v3;
import "google/protobuf/any.proto";
import "google/protobuf/struct.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
option java_package = "io.envoyproxy.envoy.config.listener.v3";
option java_outer_classname = "UdpListenerConfigProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: UDP Listener Config]
// Listener :ref:`configuration overview <config_listeners>`


@ -10,11 +10,13 @@ import "envoy/type/matcher/string.proto";
import "google/api/expr/v1alpha1/syntax.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.rbac.v2";
option java_outer_classname = "RbacProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Role Based Access Control (RBAC)]
@ -168,7 +170,7 @@ message Permission {
}
// Principal defines an identity or a group of identities for a downstream subject.
// [#next-free-field: 10]
// [#next-free-field: 12]
message Principal {
// Used in the `and_ids` and `or_ids` fields in the `identifier` oneof. Depending on the context,
// each are applied with the associated behavior.
@ -202,7 +204,21 @@ message Principal {
Authenticated authenticated = 4;
// A CIDR block that describes the downstream IP.
api.v2.core.CidrRange source_ip = 5;
// This address will honor proxy protocol, but will not honor XFF.
api.v2.core.CidrRange source_ip = 5 [deprecated = true];
// A CIDR block that describes the downstream remote/origin address.
// Note: This is always the physical peer even if the
// :ref:`remote_ip <envoy_api_field_config.rbac.v2.Principal.remote_ip>` is inferred
// from for example the x-forwarder-for header, proxy protocol, etc.
api.v2.core.CidrRange direct_remote_ip = 10;
// A CIDR block that describes the downstream remote/origin address.
// Note: This may not be the physical peer and could be different from the
// :ref:`direct_remote_ip <envoy_api_field_config.rbac.v2.Principal.direct_remote_ip>`.
// E.g, if the remote ip is inferred from for example the x-forwarder-for header,
// proxy protocol, etc.
api.v2.core.CidrRange remote_ip = 11;
// A header (or pseudo-header such as :path or :method) on the incoming HTTP request. Only
// available for HTTP request.
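Review bot: The new comments on `direct_remote_ip` and `remote_ip` both spell the header as `x-forwarder-for`; the header is `x-forwarded-for`, and `E.g,` should be `E.g.,`. More importantly, `remote_ip` is by its own description an address that may be inferred from a client-supplied header or proxy protocol, so a policy matching on it trusts whatever the configured upstream proxies assert; the doc should say so and steer authors to `direct_remote_ip` when the physical peer is what must be authorized, e.g. `// Only match on remote_ip when the proxies that set x-forwarded-for are trusted; otherwise use direct_remote_ip.` The deprecated `source_ip` should likewise point at its replacement, and adding fields 10 and 11 to a package marked `FROZEN` is presumably an upstream decision worth confirming. `Principal` starts and ends outside the hunk.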


@ -3,6 +3,8 @@ syntax = "proto3";
package envoy.config.route.v3;
import "envoy/config/core/v3/base.proto";
import "envoy/config/core/v3/extension.proto";
import "envoy/config/core/v3/proxy_protocol.proto";
import "envoy/type/matcher/v3/regex.proto";
import "envoy/type/matcher/v3/string.proto";
import "envoy/type/tracing/v3/custom_tag.proto";
@ -14,14 +16,15 @@ import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/versioning.proto";
import "envoy/annotations/deprecation.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.route.v3";
option java_outer_classname = "RouteComponentsProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: HTTP route components]
// * Routing :ref:`architecture overview <arch_overview_http_routing>`
@ -107,7 +110,9 @@ message VirtualHost {
// Specifies a list of HTTP headers that should be removed from each request
// handled by this virtual host.
repeated string request_headers_to_remove = 13;
repeated string request_headers_to_remove = 13 [(validate.rules).repeated = {
items {string {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
}];
// Specifies a list of HTTP headers that should be added to each response
// handled by this virtual host. Headers specified at this level are applied
@ -251,7 +256,9 @@ message Route {
// Specifies a list of HTTP headers that should be removed from each request
// matching this route.
repeated string request_headers_to_remove = 12;
repeated string request_headers_to_remove = 12 [(validate.rules).repeated = {
items {string {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
}];
// Specifies a set of headers that will be added to responses to requests
// matching this route. Headers specified at this level are applied before
@ -365,7 +372,7 @@ message WeightedCluster {
string runtime_key_prefix = 2;
}
// [#next-free-field: 12]
// [#next-free-field: 13]
message RouteMatch {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RouteMatch";
@ -387,6 +394,10 @@ message RouteMatch {
google.protobuf.BoolValue validated = 2;
}
// An extensible message for matching CONNECT requests.
message ConnectMatcher {
}
reserved 5, 3;
reserved "regex";
@ -415,6 +426,17 @@ message RouteMatch {
// on :path, etc. The issue with that is it is unclear how to generically deal with query string
// stripping. This needs more thought.]
type.matcher.v3.RegexMatcher safe_regex = 10 [(validate.rules).message = {required: true}];
// If this is used as the matcher, the matcher will only match CONNECT requests.
// Note that this will not match HTTP/2 upgrade-style CONNECT requests
// (WebSocket and the like) as they are normalized in Envoy as HTTP/1.1 style
// upgrades.
// This is the only way to match CONNECT requests for HTTP/1.1. For HTTP/2,
// where CONNECT requests may have a path, the path matchers will work if
// there is a path present.
// Note that CONNECT support is currently considered alpha in Envoy.
// [#comment:TODO(htuch): Replace the above comment with an alpha tag.
ConnectMatcher connect_matcher = 12;
}
// Indicates that prefix/path matching should be case insensitive. The default
@ -515,7 +537,7 @@ message CorsPolicy {
core.v3.RuntimeFractionalPercent shadow_enabled = 10;
}
// [#next-free-field: 34]
// [#next-free-field: 35]
message RouteAction {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RouteAction";
@ -528,7 +550,10 @@ message RouteAction {
}
// Configures :ref:`internal redirect <arch_overview_internal_redirects>` behavior.
// [#next-major-version: remove this definition - it's defined in the InternalRedirectPolicy message.]
enum InternalRedirectAction {
option deprecated = true;
PASS_THROUGH_INTERNAL_REDIRECT = 0;
HANDLE_INTERNAL_REDIRECT = 1;
}
@ -700,6 +725,13 @@ message RouteAction {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.route.RouteAction.UpgradeConfig";
// Configuration for sending data upstream as a raw data payload. This is used for
// CONNECT requests, when forwarding CONNECT payload as raw TCP.
message ConnectConfig {
// If present, the proxy protocol header will be prepended to the CONNECT payload sent upstream.
core.v3.ProxyProtocolConfig proxy_protocol_config = 1;
}
// The case-insensitive name of this upgrade, e.g. "websocket".
// For each upgrade type present in upgrade_configs, requests with
// Upgrade: [upgrade_type] will be proxied upstream.
@ -708,6 +740,12 @@ message RouteAction {
// Determines if upgrades are available on this route. Defaults to true.
google.protobuf.BoolValue enabled = 2;
// Configuration for sending data upstream as a raw data payload. This is used for
// CONNECT requests, when forwarding CONNECT payload as raw TCP.
// Note that CONNECT support is currently considered alpha in Envoy.
// [#comment:TODO(htuch): Replace the above comment with an alpha tag.
ConnectConfig connect_config = 3;
}
reserved 12, 18, 19, 16, 22, 21, 10;
@ -952,7 +990,13 @@ message RouteAction {
repeated UpgradeConfig upgrade_configs = 25;
InternalRedirectAction internal_redirect_action = 26;
// If present, Envoy will try to follow an upstream redirect response instead of proxying the
// response back to the downstream. An upstream redirect response is defined
// by :ref:`redirect_response_codes
// <envoy_api_field_config.route.v3.InternalRedirectPolicy.redirect_response_codes>`.
InternalRedirectPolicy internal_redirect_policy = 34;
InternalRedirectAction internal_redirect_action = 26 [deprecated = true];
// An internal redirect is handled, iff the number of previous internal redirects that a
// downstream request has encountered is lower than this value, and
@ -968,7 +1012,7 @@ message RouteAction {
// will pass the redirect back to downstream.
//
// If not specified, at most one redirect will be followed.
google.protobuf.UInt32Value max_internal_redirects = 31;
google.protobuf.UInt32Value max_internal_redirects = 31 [deprecated = true];
// Indicates that the route has a hedge policy. Note that if this is set,
// it'll take precedence over the virtual host level hedge policy entirely
@ -1265,7 +1309,7 @@ message Tracing {
// statistics are perfect in the sense that they are emitted on the downstream
// side such that they include network level failures.
//
// Documentation for :ref:`virtual cluster statistics <config_http_filters_router_stats>`.
// Documentation for :ref:`virtual cluster statistics <config_http_filters_router_vcluster_stats>`.
//
// .. note::
//
@ -1351,6 +1395,11 @@ message RateLimit {
// The key to use in the descriptor entry.
string descriptor_key = 2 [(validate.rules).string = {min_bytes: 1}];
// If set to true, Envoy skips the descriptor while calling rate limiting service
// when header is not present in the request. By default it skips calling the
// rate limiting service if this header is not present in the request.
bool skip_if_absent = 3;
}
// The following descriptor entry is appended to the descriptor and is populated using the
@ -1559,3 +1608,30 @@ message QueryParameterMatcher {
bool present_match = 6;
}
}
// HTTP Internal Redirect :ref:`architecture overview <arch_overview_internal_redirects>`.
message InternalRedirectPolicy {
// An internal redirect is not handled, unless the number of previous internal redirects that a
// downstream request has encountered is lower than this value.
// In the case where a downstream request is bounced among multiple routes by internal redirect,
// the first route that hits this threshold, or does not set :ref:`internal_redirect_policy
// <envoy_api_field_config.route.v3.RouteAction.internal_redirect_policy>`
// will pass the redirect back to downstream.
//
// If not specified, at most one redirect will be followed.
google.protobuf.UInt32Value max_internal_redirects = 1;
// Defines what upstream response codes are allowed to trigger internal redirect. If unspecified,
// only 302 will be treated as internal redirect.
// Only 301, 302, 303, 307 and 308 are valid values. Any other codes will be ignored.
repeated uint32 redirect_response_codes = 2 [(validate.rules).repeated = {max_items: 5}];
// Specifies a list of predicates that are queried when an upstream response is deemed
// to trigger an internal redirect by all other criteria. Any predicate in the list can reject
// the redirect, causing the response to be proxied to downstream.
repeated core.v3.TypedExtensionConfig predicates = 3;
// Allow internal redirect to follow a target URI with a different scheme than the value of
// x-forwarded-proto. The default is false.
bool allow_cross_scheme_redirect = 4;
}
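Review bot: `InternalRedirectPolicy.redirect_response_codes` documents that only 301, 302, 303, 307 and 308 are valid and that other codes are ignored, yet the only validation is `max_items: 5`, so a mistyped code is silently dropped instead of rejected at config validation; an item constraint would surface it: `repeated uint32 redirect_response_codes = 2 [(validate.rules).repeated = {max_items: 5 items {uint32 {in: [301, 302, 303, 307, 308]}}}];`. `allow_cross_scheme_redirect` should state the consequence plainly, e.g. `// When true, a redirect from an https request may be followed to an http target, sending the request in cleartext.` The deprecated `internal_redirect_action` and `max_internal_redirects` in `RouteAction` carry `[deprecated = true]` but no pointer to `internal_redirect_policy`; `RouteAction` starts and ends outside the hunks.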


@ -0,0 +1,23 @@
syntax = "proto3";
package envoy.config.trace.v2;
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.trace.v2";
option java_outer_classname = "DatadogProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Datadog tracer]
// Configuration for the Datadog tracer.
// [#extension: envoy.tracers.datadog]
message DatadogConfig {
// The cluster to use for submitting traces to the Datadog agent.
string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}];
// The name used for the service when traces are generated by envoy.
string service_name = 2 [(validate.rules).string = {min_bytes: 1}];
}


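--- a/envoy/config/trace/v2/dynamic_ot.proto
+++ b/envoy/config/trace/v2/dynamic_ot.proto
@@ -0,0 +1,29 @@
+syntax = "proto3";
+package envoy.config.trace.v2;
+import "google/protobuf/struct.proto";
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+option java_package = "io.envoyproxy.envoy.config.trace.v2";
+option java_outer_classname = "DynamicOtProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = FROZEN;
+// [#protodoc-title: Dynamically loadable OpenTracing tracer]
+// DynamicOtConfig is used to dynamically load a tracer from a shared library
+// that implements the `OpenTracing dynamic loading API
+// <https://github.com/opentracing/opentracing-cpp>`_.
+// [#extension: envoy.tracers.dynamic_ot]
+message DynamicOtConfig {
+// Dynamic library implementing the `OpenTracing API
+// <https://github.com/opentracing/opentracing-cpp>`_.
+string library = 1 [(validate.rules).string = {min_bytes: 1}];
+// The configuration to use when creating a tracer from the given dynamic
+// library.
+google.protobuf.Struct config = 2;
+}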


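--- a/envoy/config/trace/v2/http_tracer.proto
+++ b/envoy/config/trace/v2/http_tracer.proto
@@ -0,0 +1,65 @@
+syntax = "proto3";
+package envoy.config.trace.v2;
+import "google/protobuf/any.proto";
+import "google/protobuf/struct.proto";
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+option java_package = "io.envoyproxy.envoy.config.trace.v2";
+option java_outer_classname = "HttpTracerProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = FROZEN;
+// [#protodoc-title: Tracing]
+// Tracing :ref:`architecture overview <arch_overview_tracing>`.
+// The tracing configuration specifies settings for an HTTP tracer provider used by Envoy.
+//
+// Envoy may support other tracers in the future, but right now the HTTP tracer is the only one
+// supported.
+//
+// .. attention::
+//
+// Use of this message type has been deprecated in favor of direct use of
+// :ref:`Tracing.Http <envoy_api_msg_config.trace.v2.Tracing.Http>`.
+message Tracing {
+// Configuration for an HTTP tracer provider used by Envoy.
+//
+// The configuration is defined by the
+// :ref:`HttpConnectionManager.Tracing <envoy_api_msg_config.filter.network.http_connection_manager.v2.HttpConnectionManager.Tracing>`
+// :ref:`provider <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.Tracing.provider>`
+// field.
+message Http {
+// The name of the HTTP trace driver to instantiate. The name must match a
+// supported HTTP trace driver. Built-in trace drivers:
+//
+// - *envoy.tracers.lightstep*
+// - *envoy.tracers.zipkin*
+// - *envoy.tracers.dynamic_ot*
+// - *envoy.tracers.datadog*
+// - *envoy.tracers.opencensus*
+// - *envoy.tracers.xray*
+string name = 1 [(validate.rules).string = {min_bytes: 1}];
+// Trace driver specific configuration which depends on the driver being instantiated.
+// See the trace drivers for examples:
+//
+// - :ref:`LightstepConfig <envoy_api_msg_config.trace.v2.LightstepConfig>`
+// - :ref:`ZipkinConfig <envoy_api_msg_config.trace.v2.ZipkinConfig>`
+// - :ref:`DynamicOtConfig <envoy_api_msg_config.trace.v2.DynamicOtConfig>`
+// - :ref:`DatadogConfig <envoy_api_msg_config.trace.v2.DatadogConfig>`
+// - :ref:`OpenCensusConfig <envoy_api_msg_config.trace.v2.OpenCensusConfig>`
+// - :ref:`AWS X-Ray <envoy_api_msg_config.trace.v2alpha.XRayConfig>`
+oneof config_type {
+google.protobuf.Struct config = 2 [deprecated = true];
+google.protobuf.Any typed_config = 3;
+}
+}
+// Provides configuration for the HTTP tracer.
+Http http = 1;
+}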


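--- a/envoy/config/trace/v2/lightstep.proto
+++ b/envoy/config/trace/v2/lightstep.proto
@@ -0,0 +1,43 @@
+syntax = "proto3";
+package envoy.config.trace.v2;
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+option java_package = "io.envoyproxy.envoy.config.trace.v2";
+option java_outer_classname = "LightstepProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = FROZEN;
+// [#protodoc-title: LightStep tracer]
+// Configuration for the LightStep tracer.
+// [#extension: envoy.tracers.lightstep]
+message LightstepConfig {
+// Available propagation modes
+enum PropagationMode {
+// Propagate trace context in the single header x-ot-span-context.
+ENVOY = 0;
+// Propagate trace context using LightStep's native format.
+LIGHTSTEP = 1;
+// Propagate trace context using the b3 format.
+B3 = 2;
+// Propagation trace context using the w3 trace-context standard.
+TRACE_CONTEXT = 3;
+}
+// The cluster manager cluster that hosts the LightStep collectors.
+string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}];
+// File containing the access token to the `LightStep
+// <https://lightstep.com/>`_ API.
+string access_token_file = 2 [(validate.rules).string = {min_bytes: 1}];
+// Propagation modes to use by LightStep's tracer.
+repeated PropagationMode propagation_modes = 3
+[(validate.rules).repeated = {items {enum {defined_only: true}}}];
+}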


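--- a/envoy/config/trace/v2/opencensus.proto
+++ b/envoy/config/trace/v2/opencensus.proto
@@ -0,0 +1,93 @@
+syntax = "proto3";
+package envoy.config.trace.v2;
+import "envoy/api/v2/core/grpc_service.proto";
+import "opencensus/proto/trace/v1/trace_config.proto";
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+option java_package = "io.envoyproxy.envoy.config.trace.v2";
+option java_outer_classname = "OpencensusProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = FROZEN;
+// [#protodoc-title: OpenCensus tracer]
+// Configuration for the OpenCensus tracer.
+// [#next-free-field: 15]
+// [#extension: envoy.tracers.opencensus]
+message OpenCensusConfig {
+enum TraceContext {
+// No-op default, no trace context is utilized.
+NONE = 0;
+// W3C Trace-Context format "traceparent:" header.
+TRACE_CONTEXT = 1;
+// Binary "grpc-trace-bin:" header.
+GRPC_TRACE_BIN = 2;
+// "X-Cloud-Trace-Context:" header.
+CLOUD_TRACE_CONTEXT = 3;
+// X-B3-* headers.
+B3 = 4;
+}
+reserved 7;
+// Configures tracing, e.g. the sampler, max number of annotations, etc.
+opencensus.proto.trace.v1.TraceConfig trace_config = 1;
+// Enables the stdout exporter if set to true. This is intended for debugging
+// purposes.
+bool stdout_exporter_enabled = 2;
+// Enables the Stackdriver exporter if set to true. The project_id must also
+// be set.
+bool stackdriver_exporter_enabled = 3;
+// The Cloud project_id to use for Stackdriver tracing.
+string stackdriver_project_id = 4;
+// (optional) By default, the Stackdriver exporter will connect to production
+// Stackdriver. If stackdriver_address is non-empty, it will instead connect
+// to this address, which is in the gRPC format:
+// https://github.com/grpc/grpc/blob/master/doc/naming.md
+string stackdriver_address = 10;
+// (optional) The gRPC server that hosts Stackdriver tracing service. Only
+// Google gRPC is supported. If :ref:`target_uri <envoy_v3_api_field_config.core.v3.GrpcService.GoogleGrpc.target_uri>`
+// is not provided, the default production Stackdriver address will be used.
+api.v2.core.GrpcService stackdriver_grpc_service = 13;
+// Enables the Zipkin exporter if set to true. The url and service name must
+// also be set.
+bool zipkin_exporter_enabled = 5;
+// The URL to Zipkin, e.g. "http://127.0.0.1:9411/api/v2/spans"
+string zipkin_url = 6;
+// Enables the OpenCensus Agent exporter if set to true. The ocagent_address or
+// ocagent_grpc_service must also be set.
+bool ocagent_exporter_enabled = 11;
+// The address of the OpenCensus Agent, if its exporter is enabled, in gRPC
+// format: https://github.com/grpc/grpc/blob/master/doc/naming.md
+// [#comment:TODO: deprecate this field]
+string ocagent_address = 12;
+// (optional) The gRPC server hosted by the OpenCensus Agent. Only Google gRPC is supported.
+// This is only used if the ocagent_address is left empty.
+api.v2.core.GrpcService ocagent_grpc_service = 14;
+// List of incoming trace context headers we will accept. First one found
+// wins.
+repeated TraceContext incoming_trace_context = 8;
+// List of outgoing trace context headers we will produce.
+repeated TraceContext outgoing_trace_context = 9;
+}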


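--- a/envoy/config/trace/v2/service.proto
+++ b/envoy/config/trace/v2/service.proto
@@ -0,0 +1,21 @@
+syntax = "proto3";
+package envoy.config.trace.v2;
+import "envoy/api/v2/core/grpc_service.proto";
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+option java_package = "io.envoyproxy.envoy.config.trace.v2";
+option java_outer_classname = "ServiceProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = FROZEN;
+// [#protodoc-title: Trace Service]
+// Configuration structure.
+message TraceServiceConfig {
+// The upstream gRPC cluster that hosts the metrics service.
+api.v2.core.GrpcService grpc_service = 1 [(validate.rules).message = {required: true}];
+}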


@ -2,223 +2,16 @@ syntax = "proto3";
package envoy.config.trace.v2;
import "envoy/api/v2/core/grpc_service.proto";
import "udpa/annotations/status.proto";
import "google/protobuf/any.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto";
import "opencensus/proto/trace/v1/trace_config.proto";
import "envoy/annotations/deprecation.proto";
import "validate/validate.proto";
import public "envoy/config/trace/v2/datadog.proto";
import public "envoy/config/trace/v2/dynamic_ot.proto";
import public "envoy/config/trace/v2/http_tracer.proto";
import public "envoy/config/trace/v2/lightstep.proto";
import public "envoy/config/trace/v2/opencensus.proto";
import public "envoy/config/trace/v2/service.proto";
import public "envoy/config/trace/v2/zipkin.proto";
option java_package = "io.envoyproxy.envoy.config.trace.v2";
option java_outer_classname = "TraceProto";
option java_multiple_files = true;
// [#protodoc-title: Tracing]
// Tracing :ref:`architecture overview <arch_overview_tracing>`.
// The tracing configuration specifies global
// settings for the HTTP tracer used by Envoy. The configuration is defined by
// the :ref:`Bootstrap <envoy_api_msg_config.bootstrap.v2.Bootstrap>` :ref:`tracing
// <envoy_api_field_config.bootstrap.v2.Bootstrap.tracing>` field. Envoy may support other tracers
// in the future, but right now the HTTP tracer is the only one supported.
message Tracing {
message Http {
// The name of the HTTP trace driver to instantiate. The name must match a
// supported HTTP trace driver. Built-in trace drivers:
//
// - *envoy.tracers.lightstep*
// - *envoy.tracers.zipkin*
// - *envoy.tracers.dynamic_ot*
// - *envoy.tracers.datadog*
// - *envoy.tracers.opencensus*
// - *envoy.tracers.xray*
string name = 1 [(validate.rules).string = {min_bytes: 1}];
// Trace driver specific configuration which depends on the driver being instantiated.
// See the trace drivers for examples:
//
// - :ref:`LightstepConfig <envoy_api_msg_config.trace.v2.LightstepConfig>`
// - :ref:`ZipkinConfig <envoy_api_msg_config.trace.v2.ZipkinConfig>`
// - :ref:`DynamicOtConfig <envoy_api_msg_config.trace.v2.DynamicOtConfig>`
// - :ref:`DatadogConfig <envoy_api_msg_config.trace.v2.DatadogConfig>`
// - :ref:`OpenCensusConfig <envoy_api_msg_config.trace.v2.OpenCensusConfig>`
// - :ref:`AWS X-Ray <envoy_api_msg_config.trace.v2alpha.XRayConfig>`
oneof config_type {
google.protobuf.Struct config = 2 [deprecated = true];
google.protobuf.Any typed_config = 3;
}
}
// Provides configuration for the HTTP tracer.
Http http = 1;
}
// Configuration for the LightStep tracer.
// [#extension: envoy.tracers.lightstep]
message LightstepConfig {
// The cluster manager cluster that hosts the LightStep collectors.
string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}];
// File containing the access token to the `LightStep
// <https://lightstep.com/>`_ API.
string access_token_file = 2 [(validate.rules).string = {min_bytes: 1}];
}
// Configuration for the Zipkin tracer.
// [#extension: envoy.tracers.zipkin]
// [#next-free-field: 6]
message ZipkinConfig {
// Available Zipkin collector endpoint versions.
enum CollectorEndpointVersion {
// Zipkin API v1, JSON over HTTP.
// [#comment: The default implementation of Zipkin client before this field is added was only v1
// and the way user configure this was by not explicitly specifying the version. Consequently,
// before this is added, the corresponding Zipkin collector expected to receive v1 payload.
// Hence the motivation of adding HTTP_JSON_V1 as the default is to avoid a breaking change when
// user upgrading Envoy with this change. Furthermore, we also immediately deprecate this field,
// since in Zipkin realm this v1 version is considered to be not preferable anymore.]
HTTP_JSON_V1 = 0 [deprecated = true, (envoy.annotations.disallowed_by_default_enum) = true];
// Zipkin API v2, JSON over HTTP.
HTTP_JSON = 1;
// Zipkin API v2, protobuf over HTTP.
HTTP_PROTO = 2;
// [#not-implemented-hide:]
GRPC = 3;
}
// The cluster manager cluster that hosts the Zipkin collectors. Note that the
// Zipkin cluster must be defined in the :ref:`Bootstrap static cluster
// resources <envoy_api_field_config.bootstrap.v2.Bootstrap.StaticResources.clusters>`.
string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}];
// The API endpoint of the Zipkin service where the spans will be sent. When
// using a standard Zipkin installation, the API endpoint is typically
// /api/v1/spans, which is the default value.
string collector_endpoint = 2 [(validate.rules).string = {min_bytes: 1}];
// Determines whether a 128bit trace id will be used when creating a new
// trace instance. The default value is false, which will result in a 64 bit trace id being used.
bool trace_id_128bit = 3;
// Determines whether client and server spans will share the same span context.
// The default value is true.
google.protobuf.BoolValue shared_span_context = 4;
// Determines the selected collector endpoint version. By default, the ``HTTP_JSON_V1`` will be
// used.
CollectorEndpointVersion collector_endpoint_version = 5;
}
// DynamicOtConfig is used to dynamically load a tracer from a shared library
// that implements the `OpenTracing dynamic loading API
// <https://github.com/opentracing/opentracing-cpp>`_.
// [#extension: envoy.tracers.dynamic_ot]
message DynamicOtConfig {
// Dynamic library implementing the `OpenTracing API
// <https://github.com/opentracing/opentracing-cpp>`_.
string library = 1 [(validate.rules).string = {min_bytes: 1}];
// The configuration to use when creating a tracer from the given dynamic
// library.
google.protobuf.Struct config = 2;
}
// Configuration for the Datadog tracer.
// [#extension: envoy.tracers.datadog]
message DatadogConfig {
// The cluster to use for submitting traces to the Datadog agent.
string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}];
// The name used for the service when traces are generated by envoy.
string service_name = 2 [(validate.rules).string = {min_bytes: 1}];
}
// Configuration for the OpenCensus tracer.
// [#next-free-field: 15]
// [#extension: envoy.tracers.opencensus]
message OpenCensusConfig {
enum TraceContext {
// No-op default, no trace context is utilized.
NONE = 0;
// W3C Trace-Context format "traceparent:" header.
TRACE_CONTEXT = 1;
// Binary "grpc-trace-bin:" header.
GRPC_TRACE_BIN = 2;
// "X-Cloud-Trace-Context:" header.
CLOUD_TRACE_CONTEXT = 3;
// X-B3-* headers.
B3 = 4;
}
reserved 7;
// Configures tracing, e.g. the sampler, max number of annotations, etc.
opencensus.proto.trace.v1.TraceConfig trace_config = 1;
// Enables the stdout exporter if set to true. This is intended for debugging
// purposes.
bool stdout_exporter_enabled = 2;
// Enables the Stackdriver exporter if set to true. The project_id must also
// be set.
bool stackdriver_exporter_enabled = 3;
// The Cloud project_id to use for Stackdriver tracing.
string stackdriver_project_id = 4;
// (optional) By default, the Stackdriver exporter will connect to production
// Stackdriver. If stackdriver_address is non-empty, it will instead connect
// to this address, which is in the gRPC format:
// https://github.com/grpc/grpc/blob/master/doc/naming.md
string stackdriver_address = 10;
// (optional) The gRPC server that hosts Stackdriver tracing service. Only
// Google gRPC is supported. If :ref:`target_uri <envoy_v3_api_field_config.core.v3.GrpcService.GoogleGrpc.target_uri>`
// is not provided, the default production Stackdriver address will be used.
api.v2.core.GrpcService stackdriver_grpc_service = 13;
// Enables the Zipkin exporter if set to true. The url and service name must
// also be set.
bool zipkin_exporter_enabled = 5;
// The URL to Zipkin, e.g. "http://127.0.0.1:9411/api/v2/spans"
string zipkin_url = 6;
// Enables the OpenCensus Agent exporter if set to true. The ocagent_address or
// ocagent_grpc_service must also be set.
bool ocagent_exporter_enabled = 11;
// The address of the OpenCensus Agent, if its exporter is enabled, in gRPC
// format: https://github.com/grpc/grpc/blob/master/doc/naming.md
// [#comment:TODO: deprecate this field]
string ocagent_address = 12;
// (optional) The gRPC server hosted by the OpenCensus Agent. Only Google gRPC is supported.
// This is only used if the ocagent_address is left empty.
api.v2.core.GrpcService ocagent_grpc_service = 14;
// List of incoming trace context headers we will accept. First one found
// wins.
repeated TraceContext incoming_trace_context = 8;
// List of outgoing trace context headers we will produce.
repeated TraceContext outgoing_trace_context = 9;
}
// Configuration structure.
message TraceServiceConfig {
// The upstream gRPC cluster that hosts the metrics service.
api.v2.core.GrpcService grpc_service = 1 [(validate.rules).message = {required: true}];
}


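--- a/envoy/config/trace/v2/zipkin.proto
+++ b/envoy/config/trace/v2/zipkin.proto
@@ -0,0 +1,64 @@
+syntax = "proto3";
+package envoy.config.trace.v2;
+import "google/protobuf/wrappers.proto";
+import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+option java_package = "io.envoyproxy.envoy.config.trace.v2";
+option java_outer_classname = "ZipkinProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = FROZEN;
+// [#protodoc-title: Zipkin tracer]
+// Configuration for the Zipkin tracer.
+// [#extension: envoy.tracers.zipkin]
+// [#next-free-field: 6]
+message ZipkinConfig {
+// Available Zipkin collector endpoint versions.
+enum CollectorEndpointVersion {
+// Zipkin API v1, JSON over HTTP.
+// [#comment: The default implementation of Zipkin client before this field is added was only v1
+// and the way user configure this was by not explicitly specifying the version. Consequently,
+// before this is added, the corresponding Zipkin collector expected to receive v1 payload.
+// Hence the motivation of adding HTTP_JSON_V1 as the default is to avoid a breaking change when
+// user upgrading Envoy with this change. Furthermore, we also immediately deprecate this field,
+// since in Zipkin realm this v1 version is considered to be not preferable anymore.]
+HTTP_JSON_V1 = 0 [deprecated = true, (envoy.annotations.disallowed_by_default_enum) = true];
+// Zipkin API v2, JSON over HTTP.
+HTTP_JSON = 1;
+// Zipkin API v2, protobuf over HTTP.
+HTTP_PROTO = 2;
+// [#not-implemented-hide:]
+GRPC = 3;
+}
+// The cluster manager cluster that hosts the Zipkin collectors. Note that the
+// Zipkin cluster must be defined in the :ref:`Bootstrap static cluster
+// resources <envoy_api_field_config.bootstrap.v2.Bootstrap.StaticResources.clusters>`.
+string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}];
+// The API endpoint of the Zipkin service where the spans will be sent. When
+// using a standard Zipkin installation, the API endpoint is typically
+// /api/v1/spans, which is the default value.
+string collector_endpoint = 2 [(validate.rules).string = {min_bytes: 1}];
+// Determines whether a 128bit trace id will be used when creating a new
+// trace instance. The default value is false, which will result in a 64 bit trace id being used.
+bool trace_id_128bit = 3;
+// Determines whether client and server spans will share the same span context.
+// The default value is true.
+google.protobuf.BoolValue shared_span_context = 4;
+// Determines the selected collector endpoint version. By default, the ``HTTP_JSON_V1`` will be
+// used.
+CollectorEndpointVersion collector_endpoint_version = 5;
+}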


@ -2,499 +2,12 @@ syntax = "proto3";
package envoy.extensions.transport_sockets.tls.v3;
import "envoy/config/core/v3/base.proto";
import "envoy/config/core/v3/config_source.proto";
import "envoy/type/matcher/v3/string.proto";
import "udpa/annotations/status.proto";
import "google/protobuf/any.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/sensitive.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
import public "envoy/extensions/transport_sockets/tls/v3/common.proto";
import public "envoy/extensions/transport_sockets/tls/v3/secret.proto";
import public "envoy/extensions/transport_sockets/tls/v3/tls.proto";
option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3";
option java_outer_classname = "CertProto";
option java_multiple_files = true;
// [#protodoc-title: Common TLS configuration]
message TlsParameters {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.TlsParameters";
enum TlsProtocol {
// Envoy will choose the optimal TLS version.
TLS_AUTO = 0;
// TLS 1.0
TLSv1_0 = 1;
// TLS 1.1
TLSv1_1 = 2;
// TLS 1.2
TLSv1_2 = 3;
// TLS 1.3
TLSv1_3 = 4;
}
// Minimum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_0`` for
// servers.
TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum = {defined_only: true}];
// Maximum TLS protocol version. By default, it's ``TLSv1_3`` for servers in non-FIPS builds, and
// ``TLSv1_2`` for clients and for servers using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`.
TlsProtocol tls_maximum_protocol_version = 2 [(validate.rules).enum = {defined_only: true}];
// If specified, the TLS listener will only support the specified `cipher list
// <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_
// when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not
// specified, the default list will be used.
//
// In non-FIPS builds, the default cipher list is:
//
// .. code-block:: none
//
// [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
// [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
// ECDHE-ECDSA-AES128-SHA
// ECDHE-RSA-AES128-SHA
// AES128-GCM-SHA256
// AES128-SHA
// ECDHE-ECDSA-AES256-GCM-SHA384
// ECDHE-RSA-AES256-GCM-SHA384
// ECDHE-ECDSA-AES256-SHA
// ECDHE-RSA-AES256-SHA
// AES256-GCM-SHA384
// AES256-SHA
//
// In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default cipher list is:
//
// .. code-block:: none
//
// ECDHE-ECDSA-AES128-GCM-SHA256
// ECDHE-RSA-AES128-GCM-SHA256
// ECDHE-ECDSA-AES128-SHA
// ECDHE-RSA-AES128-SHA
// AES128-GCM-SHA256
// AES128-SHA
// ECDHE-ECDSA-AES256-GCM-SHA384
// ECDHE-RSA-AES256-GCM-SHA384
// ECDHE-ECDSA-AES256-SHA
// ECDHE-RSA-AES256-SHA
// AES256-GCM-SHA384
// AES256-SHA
repeated string cipher_suites = 3;
// If specified, the TLS connection will only support the specified ECDH
// curves. If not specified, the default curves will be used.
//
// In non-FIPS builds, the default curves are:
//
// .. code-block:: none
//
// X25519
// P-256
//
// In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default curve is:
//
// .. code-block:: none
//
// P-256
repeated string ecdh_curves = 4;
}
// BoringSSL private key method configuration. The private key methods are used for external
// (potentially asynchronous) signing and decryption operations. Some use cases for private key
// methods would be TPM support and TLS acceleration.
message PrivateKeyProvider {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.auth.PrivateKeyProvider";
reserved 2;
reserved "config";
// Private key method provider name. The name must match a
// supported private key method provider type.
string provider_name = 1 [(validate.rules).string = {min_bytes: 1}];
// Private key method provider specific configuration.
oneof config_type {
google.protobuf.Any typed_config = 3 [(udpa.annotations.sensitive) = true];
}
}
// [#next-free-field: 7]
message TlsCertificate {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.TlsCertificate";
// The TLS certificate chain.
config.core.v3.DataSource certificate_chain = 1;
// The TLS private key.
config.core.v3.DataSource private_key = 2 [(udpa.annotations.sensitive) = true];
// BoringSSL private key method provider. This is an alternative to :ref:`private_key
// <envoy_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` field. This can't be
// marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key
// <envoy_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` and
// :ref:`private_key_provider
// <envoy_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key_provider>` fields will result in an
// error.
PrivateKeyProvider private_key_provider = 6;
// The password to decrypt the TLS private key. If this field is not set, it is assumed that the
// TLS private key is not password encrypted.
config.core.v3.DataSource password = 3 [(udpa.annotations.sensitive) = true];
// [#not-implemented-hide:]
config.core.v3.DataSource ocsp_staple = 4;
// [#not-implemented-hide:]
repeated config.core.v3.DataSource signed_certificate_timestamp = 5;
}
message TlsSessionTicketKeys {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.auth.TlsSessionTicketKeys";
// Keys for encrypting and decrypting TLS session tickets. The
// first key in the array contains the key to encrypt all new sessions created by this context.
// All keys are candidates for decrypting received tickets. This allows for easy rotation of keys
// by, for example, putting the new key first, and the previous key second.
//
// If :ref:`session_ticket_keys <envoy_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.session_ticket_keys>`
// is not specified, the TLS library will still support resuming sessions via tickets, but it will
// use an internally-generated and managed key, so sessions cannot be resumed across hot restarts
// or on different hosts.
//
// Each key must contain exactly 80 bytes of cryptographically-secure random data. For
// example, the output of ``openssl rand 80``.
//
// .. attention::
//
// Using this feature has serious security considerations and risks. Improper handling of keys
// may result in loss of secrecy in connections, even if ciphers supporting perfect forward
// secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some
// discussion. To minimize the risk, you must:
//
// * Keep the session ticket keys at least as secure as your TLS certificate private keys
// * Rotate session ticket keys at least daily, and preferably hourly
// * Always generate keys using a cryptographically-secure random data source
repeated config.core.v3.DataSource keys = 1
[(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true];
}
// [#next-free-field: 11]
message CertificateValidationContext {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.auth.CertificateValidationContext";
// Peer certificate verification mode.
enum TrustChainVerification {
// Perform default certificate verification (e.g., against CA / verification lists)
VERIFY_TRUST_CHAIN = 0;
// Connections where the certificate fails verification will be permitted.
// For HTTP connections, the result of certificate verification can be used in route matching. (
// see :ref:`validated <envoy_api_field_config.route.v3.RouteMatch.TlsContextMatchOptions.validated>` ).
ACCEPT_UNTRUSTED = 1;
}
reserved 4;
reserved "verify_subject_alt_name";
// TLS certificate data containing certificate authority certificates to use in verifying
// a presented peer certificate (e.g. server certificate for clusters or client certificate
// for listeners). If not specified and a peer certificate is presented it will not be
// verified. By default, a client certificate is optional, unless one of the additional
// options (:ref:`require_client_certificate
// <envoy_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`,
// :ref:`verify_certificate_spki
// <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`,
// :ref:`verify_certificate_hash
// <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or
// :ref:`match_subject_alt_names
// <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_subject_alt_names>`) is also
// specified.
//
// It can optionally contain certificate revocation lists, in which case Envoy will verify
// that the presented peer certificate has not been revoked by one of the included CRLs.
//
// See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
// system CA locations.
config.core.v3.DataSource trusted_ca = 1;
// An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
// SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
// matches one of the specified values.
//
// A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
// can be generated with the following command:
//
// .. code-block:: bash
//
// $ openssl x509 -in path/to/client.crt -noout -pubkey
// | openssl pkey -pubin -outform DER
// | openssl dgst -sha256 -binary
// | openssl enc -base64
// NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
//
// This is the format used in HTTP Public Key Pinning.
//
// When both:
// :ref:`verify_certificate_hash
// <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
// :ref:`verify_certificate_spki
// <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
// a hash matching value from either of the lists will result in the certificate being accepted.
//
// .. attention::
//
// This option is preferred over :ref:`verify_certificate_hash
// <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`,
// because SPKI is tied to a private key, so it doesn't change when the certificate
// is renewed using the same private key.
repeated string verify_certificate_spki = 3
[(validate.rules).repeated = {items {string {min_bytes: 44 max_bytes: 44}}}];
// An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
// the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
//
// A hex-encoded SHA-256 of the certificate can be generated with the following command:
//
// .. code-block:: bash
//
// $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
// df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
//
// A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
// can be generated with the following command:
//
// .. code-block:: bash
//
// $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
// DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
//
// Both of those formats are acceptable.
//
// When both:
// :ref:`verify_certificate_hash
// <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
// :ref:`verify_certificate_spki
// <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
// a hash matching value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2
[(validate.rules).repeated = {items {string {min_bytes: 64 max_bytes: 95}}}];
// An optional list of Subject Alternative name matchers. Envoy will verify that the
// Subject Alternative Name of the presented certificate matches one of the specified matches.
//
// When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
// configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.v3.StringMatcher>`.
// For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
// it should be configured as shown below.
//
// .. code-block:: yaml
//
// match_subject_alt_names:
// exact: "api.example.com"
//
// .. attention::
//
// Subject Alternative Names are easily spoofable and verifying only them is insecure,
// therefore this option must be used together with :ref:`trusted_ca
// <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated type.matcher.v3.StringMatcher match_subject_alt_names = 9;
// [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
google.protobuf.BoolValue require_ocsp_staple = 5;
// [#not-implemented-hide:] Must present signed certificate time-stamp.
google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
// An optional `certificate revocation list
// <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
// (in PEM format). If specified, Envoy will verify that the presented peer
// certificate has not been revoked by this CRL. If this DataSource contains
// multiple CRLs, all of them will be used.
config.core.v3.DataSource crl = 7;
// If specified, Envoy will not reject expired certificates.
bool allow_expired_certificate = 8;
// Certificate trust chain verification mode.
TrustChainVerification trust_chain_verification = 10
[(validate.rules).enum = {defined_only: true}];
}
// TLS context shared by both client and server TLS contexts.
// [#next-free-field: 9]
message CommonTlsContext {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CommonTlsContext";
message CombinedCertificateValidationContext {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext";
// How to validate peer certificates.
CertificateValidationContext default_validation_context = 1
[(validate.rules).message = {required: true}];
// Config for fetching validation context via SDS API.
SdsSecretConfig validation_context_sds_secret_config = 2
[(validate.rules).message = {required: true}];
}
reserved 5;
// TLS protocol versions, cipher suites etc.
TlsParameters tls_params = 1;
// :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>` can be associated with the
// same context to allow both RSA and ECDSA certificates.
//
// Only a single TLS certificate is supported in client contexts. In server contexts, the first
// RSA certificate is used for clients that only support RSA and the first ECDSA certificate is
// used for clients that support ECDSA.
repeated TlsCertificate tls_certificates = 2;
// Configs for fetching TLS certificates via SDS API.
repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6
[(validate.rules).repeated = {max_items: 1}];
oneof validation_context_type {
// How to validate peer certificates.
CertificateValidationContext validation_context = 3;
// Config for fetching validation context via SDS API.
SdsSecretConfig validation_context_sds_secret_config = 7;
// Combined certificate validation context holds a default CertificateValidationContext
// and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic
// and default CertificateValidationContext are merged into a new CertificateValidationContext
// for validation. This merge is done by Message::MergeFrom(), so dynamic
// CertificateValidationContext overwrites singular fields in default
// CertificateValidationContext, and concatenates repeated fields to default
// CertificateValidationContext, and logical OR is applied to boolean fields.
CombinedCertificateValidationContext combined_validation_context = 8;
}
// Supplies the list of ALPN protocols that the listener should expose. In
// practice this is likely to be set to one of two values (see the
// :ref:`codec_type
// <envoy_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.codec_type>`
// parameter in the HTTP connection manager for more information):
//
// * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1.
// * "http/1.1" If the listener is only going to support HTTP/1.1.
//
// There is no default for this parameter. If empty, Envoy will not expose ALPN.
repeated string alpn_protocols = 4;
}
message UpstreamTlsContext {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.auth.UpstreamTlsContext";
// Common TLS context settings.
//
// .. attention::
//
// Server certificate verification is not enabled by default. Configure
// :ref:`trusted_ca<envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>` to enable
// verification.
CommonTlsContext common_tls_context = 1;
// SNI string to use when creating TLS backend connections.
string sni = 2 [(validate.rules).string = {max_bytes: 255}];
// If true, server-initiated TLS renegotiation will be allowed.
//
// .. attention::
//
// TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary.
bool allow_renegotiation = 3;
// Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets
// for TLSv1.2 and older) to store for the purpose of session resumption.
//
// Defaults to 1, setting this to 0 disables session resumption.
google.protobuf.UInt32Value max_session_keys = 4;
}
// [#next-free-field: 7]
message DownstreamTlsContext {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.auth.DownstreamTlsContext";
// Common TLS context settings.
CommonTlsContext common_tls_context = 1;
// If specified, Envoy will reject connections without a valid client
// certificate.
google.protobuf.BoolValue require_client_certificate = 2;
// If specified, Envoy will reject connections without a valid and matching SNI.
// [#not-implemented-hide:]
google.protobuf.BoolValue require_sni = 3;
oneof session_ticket_keys_type {
// TLS session ticket key settings.
TlsSessionTicketKeys session_ticket_keys = 4;
// Config for fetching TLS session ticket keys via SDS API.
SdsSecretConfig session_ticket_keys_sds_secret_config = 5;
}
// If specified, session_timeout will change maximum lifetime (in seconds) of TLS session
// Currently this value is used as a hint to `TLS session ticket lifetime (for TLSv1.2)
// <https://tools.ietf.org/html/rfc5077#section-5.6>`
// only seconds could be specified (fractional seconds are going to be ignored).
google.protobuf.Duration session_timeout = 6 [(validate.rules).duration = {
lt {seconds: 4294967296}
gte {}
}];
}
message GenericSecret {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.GenericSecret";
// Secret of generic type and is available to filters.
config.core.v3.DataSource secret = 1 [(udpa.annotations.sensitive) = true];
}
message SdsSecretConfig {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.SdsSecretConfig";
// Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
// When both name and config are specified, then secret can be fetched and/or reloaded via
// SDS. When only name is specified, then secret will be loaded from static resources.
string name = 1;
config.core.v3.ConfigSource sds_config = 2;
}
// [#next-free-field: 6]
message Secret {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.Secret";
// Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
string name = 1;
oneof type {
TlsCertificate tls_certificate = 2;
TlsSessionTicketKeys session_ticket_keys = 3;
CertificateValidationContext validation_context = 4;
GenericSecret generic_secret = 5;
}
}


@ -0,0 +1,334 @@
syntax = "proto3";
package envoy.extensions.transport_sockets.tls.v3;
import "envoy/config/core/v3/base.proto";
import "envoy/type/matcher/v3/string.proto";
import "google/protobuf/any.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/sensitive.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3";
option java_outer_classname = "CommonProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Common TLS configuration]
message TlsParameters {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.TlsParameters";
enum TlsProtocol {
// Envoy will choose the optimal TLS version.
TLS_AUTO = 0;
// TLS 1.0
TLSv1_0 = 1;
// TLS 1.1
TLSv1_1 = 2;
// TLS 1.2
TLSv1_2 = 3;
// TLS 1.3
TLSv1_3 = 4;
}
// Minimum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_0`` for
// servers.
TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum = {defined_only: true}];
// Maximum TLS protocol version. By default, it's ``TLSv1_3`` for servers in non-FIPS builds, and
// ``TLSv1_2`` for clients and for servers using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`.
TlsProtocol tls_maximum_protocol_version = 2 [(validate.rules).enum = {defined_only: true}];
// If specified, the TLS listener will only support the specified `cipher list
// <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_
// when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not
// specified, the default list will be used.
//
// In non-FIPS builds, the default cipher list is:
//
// .. code-block:: none
//
// [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
// [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
// ECDHE-ECDSA-AES128-SHA
// ECDHE-RSA-AES128-SHA
// AES128-GCM-SHA256
// AES128-SHA
// ECDHE-ECDSA-AES256-GCM-SHA384
// ECDHE-RSA-AES256-GCM-SHA384
// ECDHE-ECDSA-AES256-SHA
// ECDHE-RSA-AES256-SHA
// AES256-GCM-SHA384
// AES256-SHA
//
// In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default cipher list is:
//
// .. code-block:: none
//
// ECDHE-ECDSA-AES128-GCM-SHA256
// ECDHE-RSA-AES128-GCM-SHA256
// ECDHE-ECDSA-AES128-SHA
// ECDHE-RSA-AES128-SHA
// AES128-GCM-SHA256
// AES128-SHA
// ECDHE-ECDSA-AES256-GCM-SHA384
// ECDHE-RSA-AES256-GCM-SHA384
// ECDHE-ECDSA-AES256-SHA
// ECDHE-RSA-AES256-SHA
// AES256-GCM-SHA384
// AES256-SHA
repeated string cipher_suites = 3;
// If specified, the TLS connection will only support the specified ECDH
// curves. If not specified, the default curves will be used.
//
// In non-FIPS builds, the default curves are:
//
// .. code-block:: none
//
// X25519
// P-256
//
// In builds using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`, the default curve is:
//
// .. code-block:: none
//
// P-256
repeated string ecdh_curves = 4;
}
// BoringSSL private key method configuration. The private key methods are used for external
// (potentially asynchronous) signing and decryption operations. Some use cases for private key
// methods would be TPM support and TLS acceleration.
message PrivateKeyProvider {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.auth.PrivateKeyProvider";
reserved 2;
reserved "config";
// Private key method provider name. The name must match a
// supported private key method provider type.
string provider_name = 1 [(validate.rules).string = {min_bytes: 1}];
// Private key method provider specific configuration.
oneof config_type {
google.protobuf.Any typed_config = 3 [(udpa.annotations.sensitive) = true];
}
}
// [#next-free-field: 7]
message TlsCertificate {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.TlsCertificate";
// The TLS certificate chain.
config.core.v3.DataSource certificate_chain = 1;
// The TLS private key.
config.core.v3.DataSource private_key = 2 [(udpa.annotations.sensitive) = true];
// BoringSSL private key method provider. This is an alternative to :ref:`private_key
// <envoy_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` field. This can't be
// marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key
// <envoy_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` and
// :ref:`private_key_provider
// <envoy_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key_provider>` fields will result in an
// error.
PrivateKeyProvider private_key_provider = 6;
// The password to decrypt the TLS private key. If this field is not set, it is assumed that the
// TLS private key is not password encrypted.
config.core.v3.DataSource password = 3 [(udpa.annotations.sensitive) = true];
// [#not-implemented-hide:]
config.core.v3.DataSource ocsp_staple = 4;
// [#not-implemented-hide:]
repeated config.core.v3.DataSource signed_certificate_timestamp = 5;
}
message TlsSessionTicketKeys {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.auth.TlsSessionTicketKeys";
// Keys for encrypting and decrypting TLS session tickets. The
// first key in the array contains the key to encrypt all new sessions created by this context.
// All keys are candidates for decrypting received tickets. This allows for easy rotation of keys
// by, for example, putting the new key first, and the previous key second.
//
// If :ref:`session_ticket_keys <envoy_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.session_ticket_keys>`
// is not specified, the TLS library will still support resuming sessions via tickets, but it will
// use an internally-generated and managed key, so sessions cannot be resumed across hot restarts
// or on different hosts.
//
// Each key must contain exactly 80 bytes of cryptographically-secure random data. For
// example, the output of ``openssl rand 80``.
//
// .. attention::
//
// Using this feature has serious security considerations and risks. Improper handling of keys
// may result in loss of secrecy in connections, even if ciphers supporting perfect forward
// secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some
// discussion. To minimize the risk, you must:
//
// * Keep the session ticket keys at least as secure as your TLS certificate private keys
// * Rotate session ticket keys at least daily, and preferably hourly
// * Always generate keys using a cryptographically-secure random data source
repeated config.core.v3.DataSource keys = 1
[(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true];
}
// [#next-free-field: 11]
message CertificateValidationContext {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.auth.CertificateValidationContext";
// Peer certificate verification mode.
enum TrustChainVerification {
// Perform default certificate verification (e.g., against CA / verification lists)
VERIFY_TRUST_CHAIN = 0;
// Connections where the certificate fails verification will be permitted.
// For HTTP connections, the result of certificate verification can be used in route matching. (
// see :ref:`validated <envoy_api_field_config.route.v3.RouteMatch.TlsContextMatchOptions.validated>` ).
ACCEPT_UNTRUSTED = 1;
}
reserved 4;
reserved "verify_subject_alt_name";
// TLS certificate data containing certificate authority certificates to use in verifying
// a presented peer certificate (e.g. server certificate for clusters or client certificate
// for listeners). If not specified and a peer certificate is presented it will not be
// verified. By default, a client certificate is optional, unless one of the additional
// options (:ref:`require_client_certificate
// <envoy_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`,
// :ref:`verify_certificate_spki
// <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`,
// :ref:`verify_certificate_hash
// <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or
// :ref:`match_subject_alt_names
// <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_subject_alt_names>`) is also
// specified.
//
// It can optionally contain certificate revocation lists, in which case Envoy will verify
// that the presented peer certificate has not been revoked by one of the included CRLs.
//
// See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
// system CA locations.
config.core.v3.DataSource trusted_ca = 1;
// An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the
// SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate
// matches one of the specified values.
//
// A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate
// can be generated with the following command:
//
// .. code-block:: bash
//
// $ openssl x509 -in path/to/client.crt -noout -pubkey
// | openssl pkey -pubin -outform DER
// | openssl dgst -sha256 -binary
// | openssl enc -base64
// NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
//
// This is the format used in HTTP Public Key Pinning.
//
// When both:
// :ref:`verify_certificate_hash
// <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
// :ref:`verify_certificate_spki
// <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
// a hash matching value from either of the lists will result in the certificate being accepted.
//
// .. attention::
//
// This option is preferred over :ref:`verify_certificate_hash
// <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`,
// because SPKI is tied to a private key, so it doesn't change when the certificate
// is renewed using the same private key.
repeated string verify_certificate_spki = 3
[(validate.rules).repeated = {items {string {min_bytes: 44 max_bytes: 44}}}];
// An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
// the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
//
// A hex-encoded SHA-256 of the certificate can be generated with the following command:
//
// .. code-block:: bash
//
// $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2
// df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a
//
// A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate
// can be generated with the following command:
//
// .. code-block:: bash
//
// $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2
// DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A
//
// Both of those formats are acceptable.
//
// When both:
// :ref:`verify_certificate_hash
// <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and
// :ref:`verify_certificate_spki
// <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,
// a hash matching value from either of the lists will result in the certificate being accepted.
repeated string verify_certificate_hash = 2
[(validate.rules).repeated = {items {string {min_bytes: 64 max_bytes: 95}}}];
// An optional list of Subject Alternative name matchers. Envoy will verify that the
// Subject Alternative Name of the presented certificate matches one of the specified matches.
//
// When a certificate has wildcard DNS SAN entries, to match a specific client, it should be
// configured with exact match type in the :ref:`string matcher <envoy_api_msg_type.matcher.v3.StringMatcher>`.
// For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com",
// it should be configured as shown below.
//
// .. code-block:: yaml
//
// match_subject_alt_names:
// exact: "api.example.com"
//
// .. attention::
//
// Subject Alternative Names are easily spoofable and verifying only them is insecure,
// therefore this option must be used together with :ref:`trusted_ca
// <envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
repeated type.matcher.v3.StringMatcher match_subject_alt_names = 9;
// [#not-implemented-hide:] Must present a signed time-stamped OCSP response.
google.protobuf.BoolValue require_ocsp_staple = 5;
// [#not-implemented-hide:] Must present signed certificate time-stamp.
google.protobuf.BoolValue require_signed_certificate_timestamp = 6;
// An optional `certificate revocation list
// <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_
// (in PEM format). If specified, Envoy will verify that the presented peer
// certificate has not been revoked by this CRL. If this DataSource contains
// multiple CRLs, all of them will be used.
config.core.v3.DataSource crl = 7;
// If specified, Envoy will not reject expired certificates.
bool allow_expired_certificate = 8;
// Certificate trust chain verification mode.
TrustChainVerification trust_chain_verification = 10
[(validate.rules).enum = {defined_only: true}];
}
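Review bot: `allow_expired_certificate` (`bool allow_expired_certificate = 8;`) and the `ACCEPT_UNTRUSTED` value of `TrustChainVerification` carry no warning, while comparable knobs in this change do (`match_subject_alt_names` here has an `.. attention::` block, and `allow_renegotiation` in the sibling tls.proto has one), so an operator reading the generated docs gets no hint that either one bypasses the checks `trusted_ca` is meant to provide. I would add above field 8: `// .. attention::` / `//   Accepting expired certificates weakens chain validation and should only be enabled` / `//   for a controlled migration window.` and a similar sentence under `ACCEPT_UNTRUSTED` stating that the peer is then authenticated only by whatever the route layer does with `validated`. Separately, the documented server default of `TLSv1_0` for `tls_minimum_protocol_version` deserves a caveat recommending an explicit `TLSv1_2` floor, since TLS 1.0/1.1 are deprecated; whether Envoy still defaults that way cannot be verified from this diff. These are vendored upstream protos, so the wording change would presumably go to envoyproxy/envoy rather than be patched in this copy.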


@ -0,0 +1,54 @@
syntax = "proto3";
package envoy.extensions.transport_sockets.tls.v3;
import "envoy/config/core/v3/base.proto";
import "envoy/config/core/v3/config_source.proto";
import "envoy/extensions/transport_sockets/tls/v3/common.proto";
import "udpa/annotations/sensitive.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3";
option java_outer_classname = "SecretProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Secrets configuration]
message GenericSecret {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.GenericSecret";
// Secret of generic type and is available to filters.
config.core.v3.DataSource secret = 1 [(udpa.annotations.sensitive) = true];
}
message SdsSecretConfig {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.SdsSecretConfig";
// Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
// When both name and config are specified, then secret can be fetched and/or reloaded via
// SDS. When only name is specified, then secret will be loaded from static resources.
string name = 1;
config.core.v3.ConfigSource sds_config = 2;
}
// [#next-free-field: 6]
message Secret {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.Secret";
// Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
string name = 1;
oneof type {
TlsCertificate tls_certificate = 2;
TlsSessionTicketKeys session_ticket_keys = 3;
CertificateValidationContext validation_context = 4;
GenericSecret generic_secret = 5;
}
}
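Review bot: `SdsSecretConfig.name` and `Secret.name` are documented as the key by which a secret is uniquely referred to, yet neither carries a validate rule, so an empty name passes validation and the lookup the comment describes ("when only name is specified, then secret will be loaded from static resources") has nothing to match; `string name = 1 [(validate.rules).string = {min_bytes: 1}];` would reject that at config-load time instead of surfacing as a missing certificate at handshake time. Whether Envoy's loader already rejects an empty name elsewhere is not visible from this diff, so treat this as a hardening suggestion rather than a confirmed defect. As this is a vendored upstream proto, the change belongs in envoyproxy/envoy rather than in this copy.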


@ -0,0 +1,204 @@
syntax = "proto3";
package envoy.extensions.transport_sockets.tls.v3;
import "envoy/config/core/v3/extension.proto";
import "envoy/extensions/transport_sockets/tls/v3/common.proto";
import "envoy/extensions/transport_sockets/tls/v3/secret.proto";
import "google/protobuf/any.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3";
option java_outer_classname = "TlsProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: TLS transport socket]
// [#extension: envoy.transport_sockets.tls]
// The TLS contexts below provide the transport socket configuration for upstream/downstream TLS.
message UpstreamTlsContext {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.auth.UpstreamTlsContext";
// Common TLS context settings.
//
// .. attention::
//
// Server certificate verification is not enabled by default. Configure
// :ref:`trusted_ca<envoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>` to enable
// verification.
CommonTlsContext common_tls_context = 1;
// SNI string to use when creating TLS backend connections.
string sni = 2 [(validate.rules).string = {max_bytes: 255}];
// If true, server-initiated TLS renegotiation will be allowed.
//
// .. attention::
//
// TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary.
bool allow_renegotiation = 3;
// Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets
// for TLSv1.2 and older) to store for the purpose of session resumption.
//
// Defaults to 1, setting this to 0 disables session resumption.
google.protobuf.UInt32Value max_session_keys = 4;
}
// [#next-free-field: 8]
message DownstreamTlsContext {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.auth.DownstreamTlsContext";
// Common TLS context settings.
CommonTlsContext common_tls_context = 1;
// If specified, Envoy will reject connections without a valid client
// certificate.
google.protobuf.BoolValue require_client_certificate = 2;
// If specified, Envoy will reject connections without a valid and matching SNI.
// [#not-implemented-hide:]
google.protobuf.BoolValue require_sni = 3;
oneof session_ticket_keys_type {
// TLS session ticket key settings.
TlsSessionTicketKeys session_ticket_keys = 4;
// Config for fetching TLS session ticket keys via SDS API.
SdsSecretConfig session_ticket_keys_sds_secret_config = 5;
// Config for controlling stateless TLS session resumption: setting this to true will cause the TLS
// server to not issue TLS session tickets for the purposes of stateless TLS session resumption.
// If set to false, the TLS server will issue TLS session tickets and encrypt/decrypt them using
// the keys specified through either :ref:`session_ticket_keys <envoy_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.session_ticket_keys>`
// or :ref:`session_ticket_keys_sds_secret_config <envoy_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.session_ticket_keys_sds_secret_config>`.
// If this config is set to false and no keys are explicitly configured, the TLS server will issue
// TLS session tickets and encrypt/decrypt them using an internally-generated and managed key, with the
// implication that sessions cannot be resumed across hot restarts or on different hosts.
bool disable_stateless_session_resumption = 7;
}
// If specified, session_timeout will change maximum lifetime (in seconds) of TLS session
// Currently this value is used as a hint to `TLS session ticket lifetime (for TLSv1.2)
// <https://tools.ietf.org/html/rfc5077#section-5.6>`
// only seconds could be specified (fractional seconds are going to be ignored).
google.protobuf.Duration session_timeout = 6 [(validate.rules).duration = {
lt {seconds: 4294967296}
gte {}
}];
}
// TLS context shared by both client and server TLS contexts.
// [#next-free-field: 11]
message CommonTlsContext {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CommonTlsContext";
// Config for Certificate provider to get certificates. This provider should allow certificates to be
// fetched/refreshed over the network asynchronously with respect to the TLS handshake.
message CertificateProvider {
// opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify
// a root-certificate (validation context) or "TLS" to specify a new tls-certificate.
string name = 1 [(validate.rules).string = {min_bytes: 1}];
// Provider specific config.
// Note: an implementation is expected to dedup multiple instances of the same config
// to maintain a single certificate-provider instance. The sharing can happen, for
// example, among multiple clusters or between the tls_certificate and validation_context
// certificate providers of a cluster.
// This config could be supplied inline or (in future) a named xDS resource.
oneof config {
option (validate.required) = true;
config.core.v3.TypedExtensionConfig typed_config = 2;
}
}
message CombinedCertificateValidationContext {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext";
// How to validate peer certificates.
CertificateValidationContext default_validation_context = 1
[(validate.rules).message = {required: true}];
// Config for fetching validation context via SDS API. Note SDS API allows certificates to be
// fetched/refreshed over the network asynchronously with respect to the TLS handshake.
// Only to be used when validation_context_certificate_provider is not used.
SdsSecretConfig validation_context_sds_secret_config = 2 [
(validate.rules).message = {required: true},
(udpa.annotations.field_migrate).oneof_promotion = "dynamic_validation_context"
];
// Certificate provider for fetching validation context - only to be used when
// validation_context_sds_secret_config is not used.
// [#not-implemented-hide:]
CertificateProvider validation_context_certificate_provider = 3
[(udpa.annotations.field_migrate).oneof_promotion = "dynamic_validation_context"];
}
reserved 5;
// TLS protocol versions, cipher suites etc.
TlsParameters tls_params = 1;
// :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>` can be associated with the
// same context to allow both RSA and ECDSA certificates.
//
// Only a single TLS certificate is supported in client contexts. In server contexts, the first
// RSA certificate is used for clients that only support RSA and the first ECDSA certificate is
// used for clients that support ECDSA.
repeated TlsCertificate tls_certificates = 2;
// Configs for fetching TLS certificates via SDS API. Note SDS API allows certificates to be
// fetched/refreshed over the network asynchronously with respect to the TLS handshake.
repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6
[(validate.rules).repeated = {max_items: 1}];
// Certificate provider for fetching TLS certificates.
// [#not-implemented-hide:]
CertificateProvider tls_certificate_certificate_provider = 9;
oneof validation_context_type {
// How to validate peer certificates.
CertificateValidationContext validation_context = 3;
// Config for fetching validation context via SDS API. Note SDS API allows certificates to be
// fetched/refreshed over the network asynchronously with respect to the TLS handshake.
SdsSecretConfig validation_context_sds_secret_config = 7;
// Combined certificate validation context holds a default CertificateValidationContext
// and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic
// and default CertificateValidationContext are merged into a new CertificateValidationContext
// for validation. This merge is done by Message::MergeFrom(), so dynamic
// CertificateValidationContext overwrites singular fields in default
// CertificateValidationContext, and concatenates repeated fields to default
// CertificateValidationContext, and logical OR is applied to boolean fields.
CombinedCertificateValidationContext combined_validation_context = 8;
// Certificate provider for fetching validation context.
// [#not-implemented-hide:]
CertificateProvider validation_context_certificate_provider = 10;
}
// Supplies the list of ALPN protocols that the listener should expose. In
// practice this is likely to be set to one of two values (see the
// :ref:`codec_type
// <envoy_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.codec_type>`
// parameter in the HTTP connection manager for more information):
//
// * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1.
// * "http/1.1" If the listener is only going to support HTTP/1.1.
//
// There is no default for this parameter. If empty, Envoy will not expose ALPN.
repeated string alpn_protocols = 4;
}
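Review bot: `disable_stateless_session_resumption` is a `bool` member of the `session_ticket_keys_type` oneof, so setting it to either value clears `session_ticket_keys` and `session_ticket_keys_sds_secret_config`; the middle sentence of its comment, which says that when set to false tickets are encrypted with the keys from those two fields, describes a combination the schema cannot express. I would trim the comment to the two reachable cases, e.g. `// Setting this to true disables stateless resumption; setting it to false (or leaving the oneof unset) issues tickets` / `// encrypted with an internally-generated key, since explicit keys cannot be configured alongside this field.` A related inconsistency sits in `CombinedCertificateValidationContext`: `validation_context_sds_secret_config` is `required: true` while `validation_context_certificate_provider` is documented as its alternative, so the provider cannot be used without also supplying an SDS config until the `oneof_promotion` migration lands. The provider fields are marked `[#not-implemented-hide:]`, so this is a documentation point for now, and the protos are vendored from upstream.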


@ -4,10 +4,13 @@ package envoy.service.discovery.v2;
import "envoy/api/v2/discovery.proto";
import "udpa/annotations/status.proto";
option java_package = "io.envoyproxy.envoy.service.discovery.v2";
option java_outer_classname = "AdsProto";
option java_multiple_files = true;
option java_generic_services = true;
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Aggregated Discovery Service (ADS)]


@ -8,12 +8,14 @@ import "google/api/annotations.proto";
import "envoy/annotations/resource.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
option java_package = "io.envoyproxy.envoy.service.discovery.v2";
option java_outer_classname = "SdsProto";
option java_multiple_files = true;
option java_generic_services = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.service.secret.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Secret Discovery Service (SDS)]


@ -7,12 +7,14 @@ import "envoy/api/v2/endpoint/load_report.proto";
import "google/protobuf/duration.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.service.load_stats.v2";
option java_outer_classname = "LrsProto";
option java_multiple_files = true;
option java_generic_services = true;
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Load reporting service]
@ -64,7 +66,13 @@ message LoadStatsRequest {
// [#not-implemented-hide:] Not configuration. TBD how to doc proto APIs.
message LoadStatsResponse {
// Clusters to report stats for.
repeated string clusters = 1 [(validate.rules).repeated = {min_items: 1}];
// Not populated if *send_all_clusters* is true.
repeated string clusters = 1;
// If true, the client should send all clusters it knows about.
// Only clients that advertise the "envoy.lrs.supports_send_all_clusters" capability in their
// :ref:`client_features<envoy_api_field_core.Node.client_features>` field will honor this field.
bool send_all_clusters = 4;
// The minimum interval of time to collect stats over. This is only a minimum for two reasons:
// 1. There may be some delay from when the timer fires until stats sampling occurs.


@ -2,9 +2,12 @@ syntax = "proto3";
package envoy.type;
import "udpa/annotations/status.proto";
option java_package = "io.envoyproxy.envoy.type";
option java_outer_classname = "HttpProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: HTTP]


@ -4,11 +4,13 @@ package envoy.type.matcher;
import "envoy/type/matcher/value.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.type.matcher";
option java_outer_classname = "MetadataProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Metadata matcher]


@ -4,11 +4,13 @@ package envoy.type.matcher;
import "envoy/type/range.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.type.matcher";
option java_outer_classname = "NumberProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Number matcher]


@ -4,11 +4,13 @@ package envoy.type.matcher;
import "envoy/type/matcher/string.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.type.matcher";
option java_outer_classname = "PathProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Path matcher]


@ -4,11 +4,13 @@ package envoy.type.matcher;
import "google/protobuf/wrappers.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.type.matcher";
option java_outer_classname = "RegexProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Regex matcher]
@ -22,7 +24,10 @@ message RegexMatcher {
// compiled regex is to evaluate. A regex that has a program size greater than the configured
// value will fail to compile. In this case, the configured max program size can be increased
// or the regex can be simplified. If not specified, the default is 100.
google.protobuf.UInt32Value max_program_size = 1;
//
// This field is deprecated; regexp validation should be performed on the management server
// instead of being done by each individual client.
google.protobuf.UInt32Value max_program_size = 1 [deprecated = true];
}
oneof engine_type {


@ -5,11 +5,13 @@ package envoy.type.matcher;
import "envoy/type/matcher/regex.proto";
import "envoy/annotations/deprecation.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.type.matcher";
option java_outer_classname = "StringProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: String matcher]


@ -4,13 +4,14 @@ package envoy.type.matcher.v3;
import "google/protobuf/wrappers.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.type.matcher.v3";
option java_outer_classname = "RegexProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Regex matcher]
@ -29,7 +30,10 @@ message RegexMatcher {
// compiled regex is to evaluate. A regex that has a program size greater than the configured
// value will fail to compile. In this case, the configured max program size can be increased
// or the regex can be simplified. If not specified, the default is 100.
google.protobuf.UInt32Value max_program_size = 1;
//
// This field is deprecated; regexp validation should be performed on the management server
// instead of being done by each individual client.
google.protobuf.UInt32Value max_program_size = 1 [deprecated = true];
}
oneof engine_type {


@ -4,14 +4,15 @@ package envoy.type.matcher.v3;
import "envoy/type/matcher/v3/regex.proto";
import "udpa/annotations/versioning.proto";
import "envoy/annotations/deprecation.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.type.matcher.v3";
option java_outer_classname = "StringProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: String matcher]


@ -5,11 +5,13 @@ package envoy.type.matcher;
import "envoy/type/matcher/number.proto";
import "envoy/type/matcher/string.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.type.matcher";
option java_outer_classname = "ValueProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Value matcher]


@ -3,12 +3,14 @@ syntax = "proto3";
package envoy.type.metadata.v2;
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.type.metadata.v2";
option java_outer_classname = "MetadataProto";
option java_multiple_files = true;
option (udpa.annotations.file_migrate).move_to_package = "envoy.type.metadata.v3";
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Metadata]


@ -2,13 +2,14 @@ syntax = "proto3";
package envoy.type.metadata.v3;
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.type.metadata.v3";
option java_outer_classname = "MetadataProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Metadata]


@ -2,11 +2,13 @@ syntax = "proto3";
package envoy.type;
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.type";
option java_outer_classname = "PercentProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Percent]


@ -2,9 +2,12 @@ syntax = "proto3";
package envoy.type;
import "udpa/annotations/status.proto";
option java_package = "io.envoyproxy.envoy.type";
option java_outer_classname = "RangeProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Range]


@ -2,9 +2,12 @@ syntax = "proto3";
package envoy.type;
import "udpa/annotations/status.proto";
option java_package = "io.envoyproxy.envoy.type";
option java_outer_classname = "SemanticVersionProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Semantic Version]


@ -4,11 +4,13 @@ package envoy.type.tracing.v2;
import "envoy/type/metadata/v2/metadata.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.type.tracing.v2";
option java_outer_classname = "CustomTagProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Custom Tag]


@ -4,13 +4,14 @@ package envoy.type.tracing.v3;
import "envoy/type/metadata/v3/metadata.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.type.tracing.v3";
option java_outer_classname = "CustomTagProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Custom Tag]


@ -2,9 +2,12 @@ syntax = "proto3";
package envoy.type.v3;
import "udpa/annotations/status.proto";
option java_package = "io.envoyproxy.envoy.type.v3";
option java_outer_classname = "HttpProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: HTTP]


@ -2,13 +2,14 @@ syntax = "proto3";
package envoy.type.v3;
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.type.v3";
option java_outer_classname = "PercentProto";
option java_multiple_files = true;
option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Percent]
