diff --git a/xds/third_party/envoy/import.sh b/xds/third_party/envoy/import.sh index e078327c16..188645eb9c 100755 --- a/xds/third_party/envoy/import.sh +++ b/xds/third_party/envoy/import.sh @@ -18,7 +18,7 @@ set -e BRANCH=master # import VERSION from one of the google internal CLs -VERSION=b16ce6d5ea0d2da73e764d145623e7367dc59ed3 +VERSION=440899714143b6a143917cbd8e3f0ccba0847cd4 GIT_REPO="https://github.com/envoyproxy/envoy.git" GIT_BASE_DIR=envoy SOURCE_PROTO_BASE_DIR=envoy/api @@ -27,6 +27,9 @@ FILES=( envoy/annotations/deprecation.proto envoy/annotations/resource.proto envoy/api/v2/auth/cert.proto +envoy/api/v2/auth/common.proto +envoy/api/v2/auth/secret.proto +envoy/api/v2/auth/tls.proto envoy/api/v2/cds.proto envoy/api/v2/cluster.proto envoy/api/v2/cluster/circuit_breaker.proto @@ -36,6 +39,7 @@ envoy/api/v2/core/address.proto envoy/api/v2/core/backoff.proto envoy/api/v2/core/base.proto envoy/api/v2/core/config_source.proto +envoy/api/v2/core/event_service_config.proto envoy/api/v2/core/grpc_service.proto envoy/api/v2/core/health_check.proto envoy/api/v2/core/http_uri.proto @@ -67,10 +71,13 @@ envoy/config/core/v3/address.proto envoy/config/core/v3/backoff.proto envoy/config/core/v3/base.proto envoy/config/core/v3/config_source.proto +envoy/config/core/v3/event_service_config.proto +envoy/config/core/v3/extension.proto envoy/config/core/v3/grpc_service.proto envoy/config/core/v3/health_check.proto envoy/config/core/v3/http_uri.proto envoy/config/core/v3/protocol.proto +envoy/config/core/v3/proxy_protocol.proto envoy/config/core/v3/socket_option.proto envoy/config/endpoint/v3/endpoint.proto envoy/config/endpoint/v3/endpoint_components.proto @@ -84,9 +91,19 @@ envoy/config/listener/v3/listener.proto envoy/config/listener/v3/listener_components.proto envoy/config/listener/v3/udp_listener_config.proto envoy/config/route/v3/route_components.proto +envoy/config/trace/v2/http_tracer.proto envoy/config/trace/v2/trace.proto +envoy/config/trace/v2/datadog.proto +envoy/config/trace/v2/dynamic_ot.proto +envoy/config/trace/v2/lightstep.proto +envoy/config/trace/v2/opencensus.proto +envoy/config/trace/v2/service.proto +envoy/config/trace/v2/zipkin.proto envoy/config/rbac/v2/rbac.proto envoy/extensions/transport_sockets/tls/v3/cert.proto +envoy/extensions/transport_sockets/tls/v3/common.proto +envoy/extensions/transport_sockets/tls/v3/secret.proto +envoy/extensions/transport_sockets/tls/v3/tls.proto envoy/service/discovery/v2/ads.proto envoy/service/discovery/v2/sds.proto envoy/service/load_stats/v2/lrs.proto diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/auth/cert.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/auth/cert.proto index cdb6a3d168..49e8b8c70f 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/auth/cert.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/auth/cert.proto @@ -2,475 +2,15 @@ syntax = "proto3"; package envoy.api.v2.auth; -import "envoy/api/v2/core/base.proto"; -import "envoy/api/v2/core/config_source.proto"; -import "envoy/type/matcher/string.proto"; - -import "google/protobuf/any.proto"; -import "google/protobuf/duration.proto"; -import "google/protobuf/struct.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/sensitive.proto"; - import "udpa/annotations/migrate.proto"; -import "validate/validate.proto"; +import "udpa/annotations/status.proto"; + +import public "envoy/api/v2/auth/common.proto"; +import public "envoy/api/v2/auth/secret.proto"; +import public "envoy/api/v2/auth/tls.proto"; option java_package = "io.envoyproxy.envoy.api.v2.auth"; option java_outer_classname = "CertProto"; option java_multiple_files = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.extensions.transport_sockets.tls.v3"; - -// [#protodoc-title: Common TLS configuration] - -message TlsParameters { - enum TlsProtocol { - // Envoy will choose the optimal TLS version. - TLS_AUTO = 0; - - // TLS 1.0 - TLSv1_0 = 1; - - // TLS 1.1 - TLSv1_1 = 2; - - // TLS 1.2 - TLSv1_2 = 3; - - // TLS 1.3 - TLSv1_3 = 4; - } - - // Minimum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_0`` for - // servers. - TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum = {defined_only: true}]; - - // Maximum TLS protocol version. By default, it's ``TLSv1_3`` for servers in non-FIPS builds, and - // ``TLSv1_2`` for clients and for servers using :ref:`BoringSSL FIPS `. - TlsProtocol tls_maximum_protocol_version = 2 [(validate.rules).enum = {defined_only: true}]; - - // If specified, the TLS listener will only support the specified `cipher list - // `_ - // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not - // specified, the default list will be used. - // - // In non-FIPS builds, the default cipher list is: - // - // .. code-block:: none - // - // [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] - // [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] - // ECDHE-ECDSA-AES128-SHA - // ECDHE-RSA-AES128-SHA - // AES128-GCM-SHA256 - // AES128-SHA - // ECDHE-ECDSA-AES256-GCM-SHA384 - // ECDHE-RSA-AES256-GCM-SHA384 - // ECDHE-ECDSA-AES256-SHA - // ECDHE-RSA-AES256-SHA - // AES256-GCM-SHA384 - // AES256-SHA - // - // In builds using :ref:`BoringSSL FIPS `, the default cipher list is: - // - // .. code-block:: none - // - // ECDHE-ECDSA-AES128-GCM-SHA256 - // ECDHE-RSA-AES128-GCM-SHA256 - // ECDHE-ECDSA-AES128-SHA - // ECDHE-RSA-AES128-SHA - // AES128-GCM-SHA256 - // AES128-SHA - // ECDHE-ECDSA-AES256-GCM-SHA384 - // ECDHE-RSA-AES256-GCM-SHA384 - // ECDHE-ECDSA-AES256-SHA - // ECDHE-RSA-AES256-SHA - // AES256-GCM-SHA384 - // AES256-SHA - repeated string cipher_suites = 3; - - // If specified, the TLS connection will only support the specified ECDH - // curves. If not specified, the default curves will be used. - // - // In non-FIPS builds, the default curves are: - // - // .. code-block:: none - // - // X25519 - // P-256 - // - // In builds using :ref:`BoringSSL FIPS `, the default curve is: - // - // .. code-block:: none - // - // P-256 - repeated string ecdh_curves = 4; -} - -// BoringSSL private key method configuration. The private key methods are used for external -// (potentially asynchronous) signing and decryption operations. Some use cases for private key -// methods would be TPM support and TLS acceleration. -message PrivateKeyProvider { - // Private key method provider name. The name must match a - // supported private key method provider type. - string provider_name = 1 [(validate.rules).string = {min_bytes: 1}]; - - // Private key method provider specific configuration. - oneof config_type { - google.protobuf.Struct config = 2 [deprecated = true, (udpa.annotations.sensitive) = true]; - - google.protobuf.Any typed_config = 3 [(udpa.annotations.sensitive) = true]; - } -} - -// [#next-free-field: 7] -message TlsCertificate { - // The TLS certificate chain. - core.DataSource certificate_chain = 1; - - // The TLS private key. - core.DataSource private_key = 2 [(udpa.annotations.sensitive) = true]; - - // BoringSSL private key method provider. This is an alternative to :ref:`private_key - // ` field. This can't be - // marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key - // ` and - // :ref:`private_key_provider - // ` fields will result in an - // error. - PrivateKeyProvider private_key_provider = 6; - - // The password to decrypt the TLS private key. If this field is not set, it is assumed that the - // TLS private key is not password encrypted. - core.DataSource password = 3 [(udpa.annotations.sensitive) = true]; - - // [#not-implemented-hide:] - core.DataSource ocsp_staple = 4; - - // [#not-implemented-hide:] - repeated core.DataSource signed_certificate_timestamp = 5; -} - -message TlsSessionTicketKeys { - // Keys for encrypting and decrypting TLS session tickets. The - // first key in the array contains the key to encrypt all new sessions created by this context. - // All keys are candidates for decrypting received tickets. This allows for easy rotation of keys - // by, for example, putting the new key first, and the previous key second. - // - // If :ref:`session_ticket_keys ` - // is not specified, the TLS library will still support resuming sessions via tickets, but it will - // use an internally-generated and managed key, so sessions cannot be resumed across hot restarts - // or on different hosts. - // - // Each key must contain exactly 80 bytes of cryptographically-secure random data. For - // example, the output of ``openssl rand 80``. - // - // .. attention:: - // - // Using this feature has serious security considerations and risks. Improper handling of keys - // may result in loss of secrecy in connections, even if ciphers supporting perfect forward - // secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some - // discussion. To minimize the risk, you must: - // - // * Keep the session ticket keys at least as secure as your TLS certificate private keys - // * Rotate session ticket keys at least daily, and preferably hourly - // * Always generate keys using a cryptographically-secure random data source - repeated core.DataSource keys = 1 - [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true]; -} - -// [#next-free-field: 11] -message CertificateValidationContext { - // Peer certificate verification mode. - enum TrustChainVerification { - // Perform default certificate verification (e.g., against CA / verification lists) - VERIFY_TRUST_CHAIN = 0; - - // Connections where the certificate fails verification will be permitted. - // For HTTP connections, the result of certificate verification can be used in route matching. ( - // see :ref:`validated ` ). - ACCEPT_UNTRUSTED = 1; - } - - // TLS certificate data containing certificate authority certificates to use in verifying - // a presented peer certificate (e.g. server certificate for clusters or client certificate - // for listeners). If not specified and a peer certificate is presented it will not be - // verified. By default, a client certificate is optional, unless one of the additional - // options (:ref:`require_client_certificate - // `, - // :ref:`verify_certificate_spki - // `, - // :ref:`verify_certificate_hash - // `, or - // :ref:`match_subject_alt_names - // `) is also - // specified. - // - // It can optionally contain certificate revocation lists, in which case Envoy will verify - // that the presented peer certificate has not been revoked by one of the included CRLs. - // - // See :ref:`the TLS overview ` for a list of common - // system CA locations. - core.DataSource trusted_ca = 1; - - // An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the - // SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate - // matches one of the specified values. - // - // A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate - // can be generated with the following command: - // - // .. code-block:: bash - // - // $ openssl x509 -in path/to/client.crt -noout -pubkey - // | openssl pkey -pubin -outform DER - // | openssl dgst -sha256 -binary - // | openssl enc -base64 - // NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= - // - // This is the format used in HTTP Public Key Pinning. - // - // When both: - // :ref:`verify_certificate_hash - // ` and - // :ref:`verify_certificate_spki - // ` are specified, - // a hash matching value from either of the lists will result in the certificate being accepted. - // - // .. attention:: - // - // This option is preferred over :ref:`verify_certificate_hash - // `, - // because SPKI is tied to a private key, so it doesn't change when the certificate - // is renewed using the same private key. - repeated string verify_certificate_spki = 3 - [(validate.rules).repeated = {items {string {min_bytes: 44 max_bytes: 44}}}]; - - // An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that - // the SHA-256 of the DER-encoded presented certificate matches one of the specified values. - // - // A hex-encoded SHA-256 of the certificate can be generated with the following command: - // - // .. code-block:: bash - // - // $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 - // df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a - // - // A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate - // can be generated with the following command: - // - // .. code-block:: bash - // - // $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 - // DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A - // - // Both of those formats are acceptable. - // - // When both: - // :ref:`verify_certificate_hash - // ` and - // :ref:`verify_certificate_spki - // ` are specified, - // a hash matching value from either of the lists will result in the certificate being accepted. - repeated string verify_certificate_hash = 2 - [(validate.rules).repeated = {items {string {min_bytes: 64 max_bytes: 95}}}]; - - // An optional list of Subject Alternative Names. If specified, Envoy will verify that the - // Subject Alternative Name of the presented certificate matches one of the specified values. - // - // .. attention:: - // - // Subject Alternative Names are easily spoofable and verifying only them is insecure, - // therefore this option must be used together with :ref:`trusted_ca - // `. - repeated string verify_subject_alt_name = 4 [deprecated = true]; - - // An optional list of Subject Alternative name matchers. Envoy will verify that the - // Subject Alternative Name of the presented certificate matches one of the specified matches. - // - // When a certificate has wildcard DNS SAN entries, to match a specific client, it should be - // configured with exact match type in the :ref:`string matcher `. - // For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", - // it should be configured as shown below. - // - // .. code-block:: yaml - // - // match_subject_alt_names: - // exact: "api.example.com" - // - // .. attention:: - // - // Subject Alternative Names are easily spoofable and verifying only them is insecure, - // therefore this option must be used together with :ref:`trusted_ca - // `. - repeated type.matcher.StringMatcher match_subject_alt_names = 9; - - // [#not-implemented-hide:] Must present a signed time-stamped OCSP response. - google.protobuf.BoolValue require_ocsp_staple = 5; - - // [#not-implemented-hide:] Must present signed certificate time-stamp. - google.protobuf.BoolValue require_signed_certificate_timestamp = 6; - - // An optional `certificate revocation list - // `_ - // (in PEM format). If specified, Envoy will verify that the presented peer - // certificate has not been revoked by this CRL. If this DataSource contains - // multiple CRLs, all of them will be used. - core.DataSource crl = 7; - - // If specified, Envoy will not reject expired certificates. - bool allow_expired_certificate = 8; - - // Certificate trust chain verification mode. - TrustChainVerification trust_chain_verification = 10 - [(validate.rules).enum = {defined_only: true}]; -} - -// TLS context shared by both client and server TLS contexts. -// [#next-free-field: 9] -message CommonTlsContext { - message CombinedCertificateValidationContext { - // How to validate peer certificates. - CertificateValidationContext default_validation_context = 1 - [(validate.rules).message = {required: true}]; - - // Config for fetching validation context via SDS API. - SdsSecretConfig validation_context_sds_secret_config = 2 - [(validate.rules).message = {required: true}]; - } - - reserved 5; - - // TLS protocol versions, cipher suites etc. - TlsParameters tls_params = 1; - - // :ref:`Multiple TLS certificates ` can be associated with the - // same context to allow both RSA and ECDSA certificates. - // - // Only a single TLS certificate is supported in client contexts. In server contexts, the first - // RSA certificate is used for clients that only support RSA and the first ECDSA certificate is - // used for clients that support ECDSA. - repeated TlsCertificate tls_certificates = 2; - - // Configs for fetching TLS certificates via SDS API. - repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6 - [(validate.rules).repeated = {max_items: 1}]; - - oneof validation_context_type { - // How to validate peer certificates. - CertificateValidationContext validation_context = 3; - - // Config for fetching validation context via SDS API. - SdsSecretConfig validation_context_sds_secret_config = 7; - - // Combined certificate validation context holds a default CertificateValidationContext - // and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic - // and default CertificateValidationContext are merged into a new CertificateValidationContext - // for validation. This merge is done by Message::MergeFrom(), so dynamic - // CertificateValidationContext overwrites singular fields in default - // CertificateValidationContext, and concatenates repeated fields to default - // CertificateValidationContext, and logical OR is applied to boolean fields. - CombinedCertificateValidationContext combined_validation_context = 8; - } - - // Supplies the list of ALPN protocols that the listener should expose. In - // practice this is likely to be set to one of two values (see the - // :ref:`codec_type - // ` - // parameter in the HTTP connection manager for more information): - // - // * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1. - // * "http/1.1" If the listener is only going to support HTTP/1.1. - // - // There is no default for this parameter. If empty, Envoy will not expose ALPN. - repeated string alpn_protocols = 4; -} - -message UpstreamTlsContext { - // Common TLS context settings. - // - // .. attention:: - // - // Server certificate verification is not enabled by default. Configure - // :ref:`trusted_ca` to enable - // verification. - CommonTlsContext common_tls_context = 1; - - // SNI string to use when creating TLS backend connections. - string sni = 2 [(validate.rules).string = {max_bytes: 255}]; - - // If true, server-initiated TLS renegotiation will be allowed. - // - // .. attention:: - // - // TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary. - bool allow_renegotiation = 3; - - // Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets - // for TLSv1.2 and older) to store for the purpose of session resumption. - // - // Defaults to 1, setting this to 0 disables session resumption. - google.protobuf.UInt32Value max_session_keys = 4; -} - -// [#next-free-field: 7] -message DownstreamTlsContext { - // Common TLS context settings. - CommonTlsContext common_tls_context = 1; - - // If specified, Envoy will reject connections without a valid client - // certificate. - google.protobuf.BoolValue require_client_certificate = 2; - - // If specified, Envoy will reject connections without a valid and matching SNI. - // [#not-implemented-hide:] - google.protobuf.BoolValue require_sni = 3; - - oneof session_ticket_keys_type { - // TLS session ticket key settings. - TlsSessionTicketKeys session_ticket_keys = 4; - - // Config for fetching TLS session ticket keys via SDS API. - SdsSecretConfig session_ticket_keys_sds_secret_config = 5; - } - - // If specified, session_timeout will change maximum lifetime (in seconds) of TLS session - // Currently this value is used as a hint to `TLS session ticket lifetime (for TLSv1.2) - // ` - // only seconds could be specified (fractional seconds are going to be ignored). - google.protobuf.Duration session_timeout = 6 [(validate.rules).duration = { - lt {seconds: 4294967296} - gte {} - }]; -} - -message GenericSecret { - // Secret of generic type and is available to filters. - core.DataSource secret = 1 [(udpa.annotations.sensitive) = true]; -} - -message SdsSecretConfig { - // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to. - // When both name and config are specified, then secret can be fetched and/or reloaded via - // SDS. When only name is specified, then secret will be loaded from static resources. - string name = 1; - - core.ConfigSource sds_config = 2; -} - -// [#next-free-field: 6] -message Secret { - // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to. - string name = 1; - - oneof type { - TlsCertificate tls_certificate = 2; - - TlsSessionTicketKeys session_ticket_keys = 3; - - CertificateValidationContext validation_context = 4; - - GenericSecret generic_secret = 5; - } -} diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/auth/common.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/auth/common.proto new file mode 100644 index 0000000000..ab4b9c1349 --- /dev/null +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/auth/common.proto @@ -0,0 +1,327 @@ +syntax = "proto3"; + +package envoy.api.v2.auth; + +import "envoy/api/v2/core/base.proto"; +import "envoy/type/matcher/string.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/sensitive.proto"; +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.api.v2.auth"; +option java_outer_classname = "CommonProto"; +option java_multiple_files = true; +option (udpa.annotations.file_migrate).move_to_package = + "envoy.extensions.transport_sockets.tls.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; + +// [#protodoc-title: Common TLS configuration] + +message TlsParameters { + enum TlsProtocol { + // Envoy will choose the optimal TLS version. + TLS_AUTO = 0; + + // TLS 1.0 + TLSv1_0 = 1; + + // TLS 1.1 + TLSv1_1 = 2; + + // TLS 1.2 + TLSv1_2 = 3; + + // TLS 1.3 + TLSv1_3 = 4; + } + + // Minimum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_0`` for + // servers. + TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum = {defined_only: true}]; + + // Maximum TLS protocol version. By default, it's ``TLSv1_3`` for servers in non-FIPS builds, and + // ``TLSv1_2`` for clients and for servers using :ref:`BoringSSL FIPS `. + TlsProtocol tls_maximum_protocol_version = 2 [(validate.rules).enum = {defined_only: true}]; + + // If specified, the TLS listener will only support the specified `cipher list + // `_ + // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not + // specified, the default list will be used. + // + // In non-FIPS builds, the default cipher list is: + // + // .. code-block:: none + // + // [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] + // [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] + // ECDHE-ECDSA-AES128-SHA + // ECDHE-RSA-AES128-SHA + // AES128-GCM-SHA256 + // AES128-SHA + // ECDHE-ECDSA-AES256-GCM-SHA384 + // ECDHE-RSA-AES256-GCM-SHA384 + // ECDHE-ECDSA-AES256-SHA + // ECDHE-RSA-AES256-SHA + // AES256-GCM-SHA384 + // AES256-SHA + // + // In builds using :ref:`BoringSSL FIPS `, the default cipher list is: + // + // .. code-block:: none + // + // ECDHE-ECDSA-AES128-GCM-SHA256 + // ECDHE-RSA-AES128-GCM-SHA256 + // ECDHE-ECDSA-AES128-SHA + // ECDHE-RSA-AES128-SHA + // AES128-GCM-SHA256 + // AES128-SHA + // ECDHE-ECDSA-AES256-GCM-SHA384 + // ECDHE-RSA-AES256-GCM-SHA384 + // ECDHE-ECDSA-AES256-SHA + // ECDHE-RSA-AES256-SHA + // AES256-GCM-SHA384 + // AES256-SHA + repeated string cipher_suites = 3; + + // If specified, the TLS connection will only support the specified ECDH + // curves. If not specified, the default curves will be used. + // + // In non-FIPS builds, the default curves are: + // + // .. code-block:: none + // + // X25519 + // P-256 + // + // In builds using :ref:`BoringSSL FIPS `, the default curve is: + // + // .. code-block:: none + // + // P-256 + repeated string ecdh_curves = 4; +} + +// BoringSSL private key method configuration. The private key methods are used for external +// (potentially asynchronous) signing and decryption operations. Some use cases for private key +// methods would be TPM support and TLS acceleration. +message PrivateKeyProvider { + // Private key method provider name. The name must match a + // supported private key method provider type. + string provider_name = 1 [(validate.rules).string = {min_bytes: 1}]; + + // Private key method provider specific configuration. + oneof config_type { + google.protobuf.Struct config = 2 [deprecated = true, (udpa.annotations.sensitive) = true]; + + google.protobuf.Any typed_config = 3 [(udpa.annotations.sensitive) = true]; + } +} + +// [#next-free-field: 7] +message TlsCertificate { + // The TLS certificate chain. + core.DataSource certificate_chain = 1; + + // The TLS private key. + core.DataSource private_key = 2 [(udpa.annotations.sensitive) = true]; + + // BoringSSL private key method provider. This is an alternative to :ref:`private_key + // ` field. This can't be + // marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key + // ` and + // :ref:`private_key_provider + // ` fields will result in an + // error. + PrivateKeyProvider private_key_provider = 6; + + // The password to decrypt the TLS private key. If this field is not set, it is assumed that the + // TLS private key is not password encrypted. + core.DataSource password = 3 [(udpa.annotations.sensitive) = true]; + + // [#not-implemented-hide:] + core.DataSource ocsp_staple = 4; + + // [#not-implemented-hide:] + repeated core.DataSource signed_certificate_timestamp = 5; +} + +message TlsSessionTicketKeys { + // Keys for encrypting and decrypting TLS session tickets. The + // first key in the array contains the key to encrypt all new sessions created by this context. + // All keys are candidates for decrypting received tickets. This allows for easy rotation of keys + // by, for example, putting the new key first, and the previous key second. + // + // If :ref:`session_ticket_keys ` + // is not specified, the TLS library will still support resuming sessions via tickets, but it will + // use an internally-generated and managed key, so sessions cannot be resumed across hot restarts + // or on different hosts. + // + // Each key must contain exactly 80 bytes of cryptographically-secure random data. For + // example, the output of ``openssl rand 80``. + // + // .. attention:: + // + // Using this feature has serious security considerations and risks. Improper handling of keys + // may result in loss of secrecy in connections, even if ciphers supporting perfect forward + // secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some + // discussion. To minimize the risk, you must: + // + // * Keep the session ticket keys at least as secure as your TLS certificate private keys + // * Rotate session ticket keys at least daily, and preferably hourly + // * Always generate keys using a cryptographically-secure random data source + repeated core.DataSource keys = 1 + [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true]; +} + +// [#next-free-field: 11] +message CertificateValidationContext { + // Peer certificate verification mode. + enum TrustChainVerification { + // Perform default certificate verification (e.g., against CA / verification lists) + VERIFY_TRUST_CHAIN = 0; + + // Connections where the certificate fails verification will be permitted. + // For HTTP connections, the result of certificate verification can be used in route matching. ( + // see :ref:`validated ` ). + ACCEPT_UNTRUSTED = 1; + } + + // TLS certificate data containing certificate authority certificates to use in verifying + // a presented peer certificate (e.g. server certificate for clusters or client certificate + // for listeners). If not specified and a peer certificate is presented it will not be + // verified. By default, a client certificate is optional, unless one of the additional + // options (:ref:`require_client_certificate + // `, + // :ref:`verify_certificate_spki + // `, + // :ref:`verify_certificate_hash + // `, or + // :ref:`match_subject_alt_names + // `) is also + // specified. + // + // It can optionally contain certificate revocation lists, in which case Envoy will verify + // that the presented peer certificate has not been revoked by one of the included CRLs. + // + // See :ref:`the TLS overview ` for a list of common + // system CA locations. + core.DataSource trusted_ca = 1; + + // An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the + // SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate + // matches one of the specified values. + // + // A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate + // can be generated with the following command: + // + // .. code-block:: bash + // + // $ openssl x509 -in path/to/client.crt -noout -pubkey + // | openssl pkey -pubin -outform DER + // | openssl dgst -sha256 -binary + // | openssl enc -base64 + // NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= + // + // This is the format used in HTTP Public Key Pinning. + // + // When both: + // :ref:`verify_certificate_hash + // ` and + // :ref:`verify_certificate_spki + // ` are specified, + // a hash matching value from either of the lists will result in the certificate being accepted. + // + // .. attention:: + // + // This option is preferred over :ref:`verify_certificate_hash + // `, + // because SPKI is tied to a private key, so it doesn't change when the certificate + // is renewed using the same private key. + repeated string verify_certificate_spki = 3 + [(validate.rules).repeated = {items {string {min_bytes: 44 max_bytes: 44}}}]; + + // An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that + // the SHA-256 of the DER-encoded presented certificate matches one of the specified values. + // + // A hex-encoded SHA-256 of the certificate can be generated with the following command: + // + // .. code-block:: bash + // + // $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 + // df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a + // + // A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate + // can be generated with the following command: + // + // .. code-block:: bash + // + // $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 + // DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A + // + // Both of those formats are acceptable. + // + // When both: + // :ref:`verify_certificate_hash + // ` and + // :ref:`verify_certificate_spki + // ` are specified, + // a hash matching value from either of the lists will result in the certificate being accepted. + repeated string verify_certificate_hash = 2 + [(validate.rules).repeated = {items {string {min_bytes: 64 max_bytes: 95}}}]; + + // An optional list of Subject Alternative Names. If specified, Envoy will verify that the + // Subject Alternative Name of the presented certificate matches one of the specified values. + // + // .. attention:: + // + // Subject Alternative Names are easily spoofable and verifying only them is insecure, + // therefore this option must be used together with :ref:`trusted_ca + // `. + repeated string verify_subject_alt_name = 4 [deprecated = true]; + + // An optional list of Subject Alternative name matchers. Envoy will verify that the + // Subject Alternative Name of the presented certificate matches one of the specified matches. + // + // When a certificate has wildcard DNS SAN entries, to match a specific client, it should be + // configured with exact match type in the :ref:`string matcher `. + // For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", + // it should be configured as shown below. + // + // .. code-block:: yaml + // + // match_subject_alt_names: + // exact: "api.example.com" + // + // .. attention:: + // + // Subject Alternative Names are easily spoofable and verifying only them is insecure, + // therefore this option must be used together with :ref:`trusted_ca + // `. + repeated type.matcher.StringMatcher match_subject_alt_names = 9; + + // [#not-implemented-hide:] Must present a signed time-stamped OCSP response. + google.protobuf.BoolValue require_ocsp_staple = 5; + + // [#not-implemented-hide:] Must present signed certificate time-stamp. + google.protobuf.BoolValue require_signed_certificate_timestamp = 6; + + // An optional `certificate revocation list + // `_ + // (in PEM format). If specified, Envoy will verify that the presented peer + // certificate has not been revoked by this CRL. If this DataSource contains + // multiple CRLs, all of them will be used. + core.DataSource crl = 7; + + // If specified, Envoy will not reject expired certificates. + bool allow_expired_certificate = 8; + + // Certificate trust chain verification mode. + TrustChainVerification trust_chain_verification = 10 + [(validate.rules).enum = {defined_only: true}]; +} diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/auth/secret.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/auth/secret.proto new file mode 100644 index 0000000000..3a6d8cf7dc --- /dev/null +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/auth/secret.proto @@ -0,0 +1,50 @@ +syntax = "proto3"; + +package envoy.api.v2.auth; + +import "envoy/api/v2/auth/common.proto"; +import "envoy/api/v2/core/base.proto"; +import "envoy/api/v2/core/config_source.proto"; + +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/sensitive.proto"; +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.api.v2.auth"; +option java_outer_classname = "SecretProto"; +option java_multiple_files = true; +option (udpa.annotations.file_migrate).move_to_package = + "envoy.extensions.transport_sockets.tls.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; + +// [#protodoc-title: Secrets configuration] + +message GenericSecret { + // Secret of generic type and is available to filters. + core.DataSource secret = 1 [(udpa.annotations.sensitive) = true]; +} + +message SdsSecretConfig { + // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to. + // When both name and config are specified, then secret can be fetched and/or reloaded via + // SDS. When only name is specified, then secret will be loaded from static resources. + string name = 1; + + core.ConfigSource sds_config = 2; +} + +// [#next-free-field: 6] +message Secret { + // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to. + string name = 1; + + oneof type { + TlsCertificate tls_certificate = 2; + + TlsSessionTicketKeys session_ticket_keys = 3; + + CertificateValidationContext validation_context = 4; + + GenericSecret generic_secret = 5; + } +} diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/auth/tls.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/auth/tls.proto new file mode 100644 index 0000000000..201973a2b9 --- /dev/null +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/auth/tls.proto @@ -0,0 +1,152 @@ +syntax = "proto3"; + +package envoy.api.v2.auth; + +import "envoy/api/v2/auth/common.proto"; +import "envoy/api/v2/auth/secret.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.api.v2.auth"; +option java_outer_classname = "TlsProto"; +option java_multiple_files = true; +option (udpa.annotations.file_migrate).move_to_package = + "envoy.extensions.transport_sockets.tls.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; + +// [#protodoc-title: TLS transport socket] +// [#extension: envoy.transport_sockets.tls] +// The TLS contexts below provide the transport socket configuration for upstream/downstream TLS. + +message UpstreamTlsContext { + // Common TLS context settings. + // + // .. attention:: + // + // Server certificate verification is not enabled by default. Configure + // :ref:`trusted_ca` to enable + // verification. + CommonTlsContext common_tls_context = 1; + + // SNI string to use when creating TLS backend connections. + string sni = 2 [(validate.rules).string = {max_bytes: 255}]; + + // If true, server-initiated TLS renegotiation will be allowed. + // + // .. attention:: + // + // TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary. + bool allow_renegotiation = 3; + + // Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets + // for TLSv1.2 and older) to store for the purpose of session resumption. + // + // Defaults to 1, setting this to 0 disables session resumption. + google.protobuf.UInt32Value max_session_keys = 4; +} + +// [#next-free-field: 8] +message DownstreamTlsContext { + // Common TLS context settings. + CommonTlsContext common_tls_context = 1; + + // If specified, Envoy will reject connections without a valid client + // certificate. + google.protobuf.BoolValue require_client_certificate = 2; + + // If specified, Envoy will reject connections without a valid and matching SNI. + // [#not-implemented-hide:] + google.protobuf.BoolValue require_sni = 3; + + oneof session_ticket_keys_type { + // TLS session ticket key settings. + TlsSessionTicketKeys session_ticket_keys = 4; + + // Config for fetching TLS session ticket keys via SDS API. + SdsSecretConfig session_ticket_keys_sds_secret_config = 5; + + // Config for controlling stateless TLS session resumption: setting this to true will cause the TLS + // server to not issue TLS session tickets for the purposes of stateless TLS session resumption. + // If set to false, the TLS server will issue TLS session tickets and encrypt/decrypt them using + // the keys specified through either :ref:`session_ticket_keys ` + // or :ref:`session_ticket_keys_sds_secret_config `. + // If this config is set to false and no keys are explicitly configured, the TLS server will issue + // TLS session tickets and encrypt/decrypt them using an internally-generated and managed key, with the + // implication that sessions cannot be resumed across hot restarts or on different hosts. + bool disable_stateless_session_resumption = 7; + } + + // If specified, session_timeout will change maximum lifetime (in seconds) of TLS session + // Currently this value is used as a hint to `TLS session ticket lifetime (for TLSv1.2) + // ` + // only seconds could be specified (fractional seconds are going to be ignored). + google.protobuf.Duration session_timeout = 6 [(validate.rules).duration = { + lt {seconds: 4294967296} + gte {} + }]; +} + +// TLS context shared by both client and server TLS contexts. +// [#next-free-field: 9] +message CommonTlsContext { + message CombinedCertificateValidationContext { + // How to validate peer certificates. + CertificateValidationContext default_validation_context = 1 + [(validate.rules).message = {required: true}]; + + // Config for fetching validation context via SDS API. + SdsSecretConfig validation_context_sds_secret_config = 2 + [(validate.rules).message = {required: true}]; + } + + reserved 5; + + // TLS protocol versions, cipher suites etc. + TlsParameters tls_params = 1; + + // :ref:`Multiple TLS certificates ` can be associated with the + // same context to allow both RSA and ECDSA certificates. + // + // Only a single TLS certificate is supported in client contexts. In server contexts, the first + // RSA certificate is used for clients that only support RSA and the first ECDSA certificate is + // used for clients that support ECDSA. + repeated TlsCertificate tls_certificates = 2; + + // Configs for fetching TLS certificates via SDS API. + repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6 + [(validate.rules).repeated = {max_items: 1}]; + + oneof validation_context_type { + // How to validate peer certificates. + CertificateValidationContext validation_context = 3; + + // Config for fetching validation context via SDS API. + SdsSecretConfig validation_context_sds_secret_config = 7; + + // Combined certificate validation context holds a default CertificateValidationContext + // and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic + // and default CertificateValidationContext are merged into a new CertificateValidationContext + // for validation. This merge is done by Message::MergeFrom(), so dynamic + // CertificateValidationContext overwrites singular fields in default + // CertificateValidationContext, and concatenates repeated fields to default + // CertificateValidationContext, and logical OR is applied to boolean fields. + CombinedCertificateValidationContext combined_validation_context = 8; + } + + // Supplies the list of ALPN protocols that the listener should expose. In + // practice this is likely to be set to one of two values (see the + // :ref:`codec_type + // ` + // parameter in the HTTP connection manager for more information): + // + // * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1. + // * "http/1.1" If the listener is only going to support HTTP/1.1. + // + // There is no default for this parameter. If empty, Envoy will not expose ALPN. + repeated string alpn_protocols = 4; +} diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/cds.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/cds.proto index dcd5c3fd0f..0b657a0fa4 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/cds.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/cds.proto @@ -8,6 +8,7 @@ import "google/api/annotations.proto"; import "envoy/annotations/resource.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import public "envoy/api/v2/cluster.proto"; @@ -16,6 +17,7 @@ option java_outer_classname = "CdsProto"; option java_multiple_files = true; option java_generic_services = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.service.cluster.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: CDS] diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster.proto index 55324ff600..c95de62c12 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster.proto @@ -2,7 +2,7 @@ syntax = "proto3"; package envoy.api.v2; -import "envoy/api/v2/auth/cert.proto"; +import "envoy/api/v2/auth/tls.proto"; import "envoy/api/v2/cluster/circuit_breaker.proto"; import "envoy/api/v2/cluster/filter.proto"; import "envoy/api/v2/cluster/outlier_detection.proto"; @@ -21,12 +21,14 @@ import "google/protobuf/wrappers.proto"; import "envoy/annotations/deprecation.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.api.v2"; option java_outer_classname = "ClusterProto"; option java_multiple_files = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.config.cluster.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Cluster configuration] @@ -354,7 +356,7 @@ message Cluster { } // Common configuration for all load balancer implementations. - // [#next-free-field: 7] + // [#next-free-field: 8] message CommonLbConfig { // Configuration for :ref:`zone aware routing // `. @@ -384,6 +386,13 @@ message Cluster { message LocalityWeightedLbConfig { } + // Common Configuration for all consistent hashing load balancers (MaglevLb, RingHashLb, etc.) + message ConsistentHashingLbConfig { + // If set to `true`, the cluster will use hostname instead of the resolved + // address as the key to consistently hash to an upstream host. Only valid for StrictDNS clusters with hostnames which resolve to a single IP address. + bool use_hostname_for_hashing = 1; + } + // Configures the :ref:`healthy panic threshold `. // If not specified, the default is 50%. // To disable panic mode, set to 0%. @@ -438,6 +447,9 @@ message Cluster { // If set to `true`, the cluster manager will drain all existing // connections to upstream hosts whenever hosts are added or removed from the cluster. bool close_connections_on_host_set_change = 6; + + //Common Configuration for all consistent hashing load balancers (MaglevLb, RingHashLb, etc.) + ConsistentHashingLbConfig consistent_hashing_lb_config = 7; } message RefreshRate { @@ -459,7 +471,7 @@ message Cluster { reserved 12, 15; // Configuration to use different transport sockets for different endpoints. - // The entry of *envoy.transport_socket* in the + // The entry of *envoy.transport_socket_match* in the // :ref:`LbEndpoint.Metadata ` // is used to match against the transport sockets as they appear in the list. The first // :ref:`match ` is used. @@ -479,14 +491,14 @@ message Cluster { // transport_socket: // name: envoy.transport_sockets.raw_buffer // - // Connections to the endpoints whose metadata value under *envoy.transport_socket* + // Connections to the endpoints whose metadata value under *envoy.transport_socket_match* // having "acceptMTLS"/"true" key/value pair use the "enableMTLS" socket configuration. // // If a :ref:`socket match ` with empty match // criteria is provided, that always match any endpoint. For example, the "defaultToPlaintext" // socket match in case above. // - // If an endpoint metadata's value under *envoy.transport_socket* does not match any + // If an endpoint metadata's value under *envoy.transport_socket_match* does not match any // *TransportSocketMatch*, socket configuration fallbacks to use the *tls_context* or // *transport_socket* specified in this cluster. // diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/circuit_breaker.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/circuit_breaker.proto index 893d1f1aa1..510619b264 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/circuit_breaker.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/circuit_breaker.proto @@ -8,6 +8,7 @@ import "envoy/type/percent.proto"; import "google/protobuf/wrappers.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.api.v2.cluster"; @@ -16,6 +17,7 @@ option java_multiple_files = true; option csharp_namespace = "Envoy.Api.V2.ClusterNS"; option ruby_package = "Envoy.Api.V2.ClusterNS"; option (udpa.annotations.file_migrate).move_to_package = "envoy.config.cluster.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Circuit breakers] diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/filter.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/filter.proto index 67f3c3ba5e..b87ad79d8f 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/filter.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/filter.proto @@ -5,6 +5,7 @@ package envoy.api.v2.cluster; import "google/protobuf/any.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.api.v2.cluster"; @@ -13,6 +14,7 @@ option java_multiple_files = true; option csharp_namespace = "Envoy.Api.V2.ClusterNS"; option ruby_package = "Envoy.Api.V2.ClusterNS"; option (udpa.annotations.file_migrate).move_to_package = "envoy.config.cluster.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Upstream filters] // Upstream filters apply to the connections to the upstream cluster hosts. diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/outlier_detection.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/outlier_detection.proto index 0cc638ceb4..6cf35e41ff 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/outlier_detection.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster/outlier_detection.proto @@ -6,6 +6,7 @@ import "google/protobuf/duration.proto"; import "google/protobuf/wrappers.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.api.v2.cluster"; @@ -14,6 +15,7 @@ option java_multiple_files = true; option csharp_namespace = "Envoy.Api.V2.ClusterNS"; option ruby_package = "Envoy.Api.V2.ClusterNS"; option (udpa.annotations.file_migrate).move_to_package = "envoy.config.cluster.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Outlier detection] diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/address.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/address.proto index e5c1f1c9d4..804da53958 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/address.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/address.proto @@ -7,12 +7,14 @@ import "envoy/api/v2/core/socket_option.proto"; import "google/protobuf/wrappers.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.api.v2.core"; option java_outer_classname = "AddressProto"; option java_multiple_files = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Network addresses] diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/backoff.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/backoff.proto index b467915002..e45c71e39b 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/backoff.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/backoff.proto @@ -5,12 +5,14 @@ package envoy.api.v2.core; import "google/protobuf/duration.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.api.v2.core"; option java_outer_classname = "BackoffProto"; option java_multiple_files = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Backoff Strategy] diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/base.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/base.proto index d10163b3bd..b7145d77ef 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/base.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/base.proto @@ -14,6 +14,7 @@ import "google/protobuf/struct.proto"; import "google/protobuf/wrappers.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; import public "envoy/api/v2/core/socket_option.proto"; @@ -22,6 +23,7 @@ option java_package = "io.envoyproxy.envoy.api.v2.core"; option java_outer_classname = "BaseProto"; option java_multiple_files = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Common types] @@ -230,6 +232,15 @@ message RuntimeUInt32 { string runtime_key = 3 [(validate.rules).string = {min_bytes: 1}]; } +// Runtime derived double with a default when not specified. +message RuntimeDouble { + // Default value if runtime value is not available. + double default_value = 1; + + // Runtime key to get value for comparison. This value is used if defined. + string runtime_key = 2 [(validate.rules).string = {min_bytes: 1}]; +} + // Runtime derived bool with a default when not specified. message RuntimeFeatureFlag { // Default value if runtime value is not available. diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/config_source.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/config_source.proto index 60949ca1c8..8bbb961c1a 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/config_source.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/config_source.proto @@ -9,12 +9,14 @@ import "google/protobuf/wrappers.proto"; import "envoy/annotations/deprecation.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.api.v2.core"; option java_outer_classname = "ConfigSourceProto"; option java_multiple_files = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Configuration sources] @@ -55,10 +57,6 @@ message ApiConfigSource { // Using the delta xDS gRPC service, i.e. DeltaDiscovery{Request,Response} // rather than Discovery{Request,Response}. Rather than sending Envoy the entire state // with every update, the xDS server only sends what has changed since the last update. - // - // DELTA_GRPC is not yet entirely implemented! Initially, only CDS is available. - // Do not use for other xDSes. - // [#comment:TODO(fredlas) update/remove this warning when appropriate.] DELTA_GRPC = 3; } @@ -133,6 +131,8 @@ message ConfigSource { option (validate.required) = true; // Path on the filesystem to source and watch for configuration updates. + // When sourcing configuration for :ref:`secret `, + // the certificate and key files are also watched for updates. // // .. note:: // diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/event_service_config.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/event_service_config.proto new file mode 100644 index 0000000000..f822f8c6b6 --- /dev/null +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/event_service_config.proto @@ -0,0 +1,26 @@ +syntax = "proto3"; + +package envoy.api.v2.core; + +import "envoy/api/v2/core/grpc_service.proto"; + +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.api.v2.core"; +option java_outer_classname = "EventServiceConfigProto"; +option java_multiple_files = true; +option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; + +// [#not-implemented-hide:] +// Configuration of the event reporting service endpoint. +message EventServiceConfig { + oneof config_source_specifier { + option (validate.required) = true; + + // Specifies the gRPC service that hosts the event reporting service. + GrpcService grpc_service = 1; + } +} diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/grpc_service.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/grpc_service.proto index 6fda81e3a2..dd789644e1 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/grpc_service.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/grpc_service.proto @@ -9,15 +9,16 @@ import "google/protobuf/duration.proto"; import "google/protobuf/empty.proto"; import "google/protobuf/struct.proto"; -import "udpa/annotations/sensitive.proto"; - import "udpa/annotations/migrate.proto"; +import "udpa/annotations/sensitive.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.api.v2.core"; option java_outer_classname = "GrpcServiceProto"; option java_multiple_files = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: gRPC services] diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/health_check.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/health_check.proto index 91aeb76b8b..bc4ae3e5c8 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/health_check.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/health_check.proto @@ -3,6 +3,7 @@ syntax = "proto3"; package envoy.api.v2.core; import "envoy/api/v2/core/base.proto"; +import "envoy/api/v2/core/event_service_config.proto"; import "envoy/type/http.proto"; import "envoy/type/matcher/string.proto"; import "envoy/type/range.proto"; @@ -14,12 +15,14 @@ import "google/protobuf/wrappers.proto"; import "envoy/annotations/deprecation.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.api.v2.core"; option java_outer_classname = "HealthCheckProto"; option java_multiple_files = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Health check] // * Health checking :ref:`architecture overview `. @@ -52,7 +55,7 @@ enum HealthStatus { DEGRADED = 5; } -// [#next-free-field: 22] +// [#next-free-field: 23] message HealthCheck { // Describes the encoding of the payload bytes in the payload. message Payload { @@ -71,7 +74,8 @@ message HealthCheck { message HttpHealthCheck { // The value of the host header in the HTTP health check request. If // left empty (default value), the name of the cluster this health check is associated - // with will be used. + // with will be used. The host header can be customized for a specific endpoint by setting the + // :ref:`hostname ` field. string host = 1; // Specifies the HTTP path that will be requested during health checking. For example @@ -158,7 +162,8 @@ message HealthCheck { // The value of the :authority header in the gRPC health check request. If // left empty (default value), the name of the cluster this health check is associated - // with will be used. + // with will be used. The authority header can be customized for a specific endpoint by setting + // the :ref:`hostname ` field. string authority = 2; } @@ -288,6 +293,11 @@ message HealthCheck { // If empty, no event log will be written. string event_log_path = 17; + // [#not-implemented-hide:] + // The gRPC service for the health check event service. + // If empty, health check events won't be sent to a remote endpoint. + EventServiceConfig event_service = 22; + // If set to true, health check failure events will always be logged. If set to false, only the // initial health check failure event will be logged. // The default value is false. diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/http_uri.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/http_uri.proto index 5f740695dd..cd1a0660e3 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/http_uri.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/http_uri.proto @@ -5,12 +5,14 @@ package envoy.api.v2.core; import "google/protobuf/duration.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.api.v2.core"; option java_outer_classname = "HttpUriProto"; option java_multiple_files = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: HTTP Service URI ] diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/protocol.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/protocol.proto index c8cfcf8260..9c47e388ee 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/protocol.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/protocol.proto @@ -6,12 +6,14 @@ import "google/protobuf/duration.proto"; import "google/protobuf/wrappers.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.api.v2.core"; option java_outer_classname = "ProtocolProto"; option java_multiple_files = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Protocol options] @@ -32,9 +34,30 @@ message UpstreamHttpProtocolOptions { bool auto_san_validation = 2; } +// [#next-free-field: 6] message HttpProtocolOptions { + // Action to take when Envoy receives client request with header names containing underscore + // characters. + // Underscore character is allowed in header names by the RFC-7230 and this behavior is implemented + // as a security measure due to systems that treat '_' and '-' as interchangeable. Envoy by default allows client request headers with underscore + // characters. + enum HeadersWithUnderscoresAction { + // Allow headers with underscores. This is the default behavior. + ALLOW = 0; + + // Reject client request. HTTP/1 requests are rejected with the 400 status. HTTP/2 requests + // end with the stream reset. The "httpN.requests_rejected_with_underscores_in_headers" counter + // is incremented for each rejected request. + REJECT_REQUEST = 1; + + // Drop the header with name containing underscores. The header is dropped before the filter chain is + // invoked and as such filters will not see dropped headers. The + // "httpN.dropped_headers_with_underscores" is incremented for each dropped header. + DROP_HEADER = 2; + } + // The idle timeout for connections. The idle timeout is defined as the - // period in which there are no active requests. If not set, there is no idle timeout. When the + // period in which there are no active requests. When the // idle timeout is reached the connection will be closed. If the connection is an HTTP/2 // downstream connection a drain sequence will occur prior to closing the connection, see // :ref:`drain_timeout @@ -62,9 +85,12 @@ message HttpProtocolOptions { // Total duration to keep alive an HTTP request/response stream. If the time limit is reached the stream will be // reset independent of any other timeouts. If not specified, this value is not set. - // The current implementation implements this timeout on downstream connections only. - // [#comment:TODO(shikugawa): add this functionality to upstream.] google.protobuf.Duration max_stream_duration = 4; + + // Action to take when a client request with a header name containing underscore characters is received. + // If this setting is not specified, the value defaults to ALLOW. + // Note: upstream responses are not affected by this setting. + HeadersWithUnderscoresAction headers_with_underscores_action = 5; } // [#next-free-field: 6] diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/socket_option.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/socket_option.proto index 9a044d1a9e..39678ad1b8 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/socket_option.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/core/socket_option.proto @@ -3,12 +3,14 @@ syntax = "proto3"; package envoy.api.v2.core; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.api.v2.core"; option java_outer_classname = "SocketOptionProto"; option java_multiple_files = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Socket Option ] diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/discovery.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/discovery.proto index 0794f82aa9..da2690f867 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/discovery.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/discovery.proto @@ -8,11 +8,13 @@ import "google/protobuf/any.proto"; import "google/rpc/status.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; option java_package = "io.envoyproxy.envoy.api.v2"; option java_outer_classname = "DiscoveryProto"; option java_multiple_files = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.service.discovery.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Common discovery API components] diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/eds.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/eds.proto index 0917940aee..b0d5c7c473 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/eds.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/eds.proto @@ -10,6 +10,7 @@ import "google/protobuf/wrappers.proto"; import "envoy/annotations/resource.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; import public "envoy/api/v2/endpoint.proto"; @@ -19,6 +20,7 @@ option java_outer_classname = "EdsProto"; option java_multiple_files = true; option java_generic_services = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.service.endpoint.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: EDS] // Endpoint discovery :ref:`architecture overview ` diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint.proto index 87d8713e8e..92a2b13a89 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint.proto @@ -10,12 +10,14 @@ import "google/protobuf/duration.proto"; import "google/protobuf/wrappers.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.api.v2"; option java_outer_classname = "EndpointProto"; option java_multiple_files = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.config.endpoint.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Endpoint configuration] // Endpoint discovery :ref:`architecture overview ` @@ -34,6 +36,7 @@ message ClusterLoadAssignment { // Load balancing policy settings. // [#next-free-field: 6] message Policy { + // [#not-implemented-hide:] message DropOverload { // Identifier for the policy specifying the drop. string category = 1 [(validate.rules).string = {min_bytes: 1}]; @@ -63,6 +66,7 @@ message ClusterLoadAssignment { // "throttle"_drop = 60% // "lb"_drop = 20% // 50% of the remaining 'actual' load, which is 40%. // actual_outgoing_load = 20% // remaining after applying all categories. + // [#not-implemented-hide:] repeated DropOverload drop_overloads = 2; // Priority levels and localities are considered overprovisioned with this diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/endpoint.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/endpoint.proto index 247c9ae265..9724fd7281 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/endpoint.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/endpoint.proto @@ -2,6 +2,8 @@ syntax = "proto3"; package envoy.api.v2.endpoint; +import "udpa/annotations/status.proto"; + import public "envoy/api/v2/endpoint/endpoint_components.proto"; option java_package = "io.envoyproxy.envoy.api.v2.endpoint"; diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/endpoint_components.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/endpoint_components.proto index 5d2fe52758..78d45e2e08 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/endpoint_components.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/endpoint_components.proto @@ -9,12 +9,14 @@ import "envoy/api/v2/core/health_check.proto"; import "google/protobuf/wrappers.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.api.v2.endpoint"; option java_outer_classname = "EndpointComponentsProto"; option java_multiple_files = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.config.endpoint.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Endpoints] @@ -29,6 +31,13 @@ message Endpoint { // check port. Setting this with a non-zero value allows an upstream host // to have different health check address port. uint32 port_value = 1 [(validate.rules).uint32 = {lte: 65535}]; + + // By default, the host header for L7 health checks is controlled by cluster level configuration + // (see: :ref:`host ` and + // :ref:`authority `). Setting this + // to a non-empty value allows overriding the cluster level configuration for a specific + // endpoint. + string hostname = 2; } // The upstream host address. @@ -50,6 +59,12 @@ message Endpoint { // This takes into effect only for upstream clusters with // :ref:`active health checking ` enabled. HealthCheckConfig health_check_config = 2; + + // The hostname associated with this endpoint. This hostname is not used for routing or address + // resolution. If provided, it will be associated with the endpoint, and can be used for features + // that require a hostname, like + // :ref:`auto_host_rewrite `. + string hostname = 3; } // An Endpoint that Envoy can route traffic to. @@ -82,7 +97,8 @@ message LbEndpoint { // percentage of traffic for the endpoint. This percentage is then further // weighted by the endpoint's locality's load balancing weight from // LocalityLbEndpoints. If unspecified, each host is presumed to have equal - // weight in a locality. + // weight in a locality. The sum of the weights of all endpoints in the + // endpoint's locality must not exceed uint32_t maximal value (4294967295). google.protobuf.UInt32Value load_balancing_weight = 4 [(validate.rules).uint32 = {gte: 1}]; } @@ -101,7 +117,8 @@ message LocalityLbEndpoints { // Optional: Per priority/region/zone/sub_zone weight; at least 1. The load // balancing weight for a locality is divided by the sum of the weights of all // localities at the same priority level to produce the effective percentage - // of traffic for the locality. + // of traffic for the locality. The sum of the weights of all localities at + // the same priority level must not exceed uint32_t maximal value (4294967295). // // Locality weights are only considered when :ref:`locality weighted load // balancing ` is diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/load_report.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/load_report.proto index a80d5b77d9..928aed6102 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/load_report.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/endpoint/load_report.proto @@ -9,12 +9,14 @@ import "google/protobuf/duration.proto"; import "google/protobuf/struct.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.api.v2.endpoint"; option java_outer_classname = "LoadReportProto"; option java_multiple_files = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.config.endpoint.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // These are stats Envoy reports to GLB every so often. Report frequency is // defined by diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/lds.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/lds.proto index aa13453ebc..d1e528f247 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/lds.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/lds.proto @@ -10,6 +10,7 @@ import "google/protobuf/wrappers.proto"; import "envoy/annotations/resource.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; import public "envoy/api/v2/listener.proto"; @@ -19,6 +20,7 @@ option java_outer_classname = "LdsProto"; option java_multiple_files = true; option java_generic_services = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.service.listener.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Listener] // Listener :ref:`configuration overview ` diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener.proto index 5873380db8..a93df10c31 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener.proto @@ -7,6 +7,7 @@ import "envoy/api/v2/core/base.proto"; import "envoy/api/v2/core/socket_option.proto"; import "envoy/api/v2/listener/listener_components.proto"; import "envoy/api/v2/listener/udp_listener_config.proto"; +import "envoy/config/filter/accesslog/v2/accesslog.proto"; import "envoy/config/listener/v2/api_listener.proto"; import "google/api/annotations.proto"; @@ -14,17 +15,19 @@ import "google/protobuf/duration.proto"; import "google/protobuf/wrappers.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.api.v2"; option java_outer_classname = "ListenerProto"; option java_multiple_files = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.config.listener.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Listener configuration] // Listener :ref:`configuration overview ` -// [#next-free-field: 22] +// [#next-free-field: 23] message Listener { enum DrainType { // Drain in response to calling /healthcheck/fail admin endpoint (along with the health check @@ -237,4 +240,8 @@ message Listener { // This issue was fixed by `tcp: Avoid TCP syncookie rejected by SO_REUSEPORT socket // `_. bool reuse_port = 21; + + // Configuration for :ref:`access logs ` + // emitted by this listener. + repeated config.filter.accesslog.v2.AccessLog access_log = 22; } diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/listener.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/listener.proto index 273b29cb5d..671da24b04 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/listener.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/listener.proto @@ -2,6 +2,8 @@ syntax = "proto3"; package envoy.api.v2.listener; +import "udpa/annotations/status.proto"; + import public "envoy/api/v2/listener/listener_components.proto"; option java_package = "io.envoyproxy.envoy.api.v2.listener"; diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/listener_components.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/listener_components.proto index ec889d7f4f..a6791c86cd 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/listener_components.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/listener_components.proto @@ -2,7 +2,7 @@ syntax = "proto3"; package envoy.api.v2.listener; -import "envoy/api/v2/auth/cert.proto"; +import "envoy/api/v2/auth/tls.proto"; import "envoy/api/v2/core/address.proto"; import "envoy/api/v2/core/base.proto"; import "envoy/type/range.proto"; @@ -12,6 +12,7 @@ import "google/protobuf/struct.proto"; import "google/protobuf/wrappers.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.api.v2.listener"; @@ -20,6 +21,7 @@ option java_multiple_files = true; option csharp_namespace = "Envoy.Api.V2.ListenerNS"; option ruby_package = "Envoy.Api.V2.ListenerNS"; option (udpa.annotations.file_migrate).move_to_package = "envoy.config.listener.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Listener components] // Listener :ref:`configuration overview ` @@ -207,9 +209,32 @@ message FilterChain { string name = 7; } -// [#not-implemented-hide:] // Listener filter chain match configuration. This is a recursive structure which allows complex // nested match configurations to be built using various logical operators. +// +// Examples: +// +// * Matches if the destination port is 3306. +// +// .. code-block:: yaml +// +// destination_port_range: +// start: 3306 +// end: 3307 +// +// * Matches if the destination port is 3306 or 15000. +// +// .. code-block:: yaml +// +// or_match: +// rules: +// - destination_port_range: +// start: 3306 +// end: 3306 +// - destination_port_range: +// start: 15000 +// end: 15001 +// // [#next-free-field: 6] message ListenerFilterChainMatchPredicate { // A set of match configurations used for logical operations. @@ -255,17 +280,8 @@ message ListenerFilter { google.protobuf.Any typed_config = 3; } - // [#not-implemented-hide:] - // Decide when to disable this listener filter on incoming traffic. - // Example: - // 0. always enable filter - // don't set `filter_disabled` - // 1. disable when the destination port is 3306 - // rule.destination_port_range = Int32Range {start = 3306, end = 3307} - // 2. disable when the destination port is 3306 or 15000 - // rule.or_match = MatchSet.rules [ - // rule.destination_port_range = Int32Range {start = 3306, end = 3307}, - // rule.destination_port_range = Int32Range {start = 15000, end = 15001}, - // ] + // Optional match predicate used to disable the filter. The filter is enabled when this field is empty. + // See :ref:`ListenerFilterChainMatchPredicate ` + // for further examples. ListenerFilterChainMatchPredicate filter_disabled = 4; } diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/udp_listener_config.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/udp_listener_config.proto index 31404b41d5..d4d29531f3 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/udp_listener_config.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/listener/udp_listener_config.proto @@ -6,6 +6,7 @@ import "google/protobuf/any.proto"; import "google/protobuf/struct.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; option java_package = "io.envoyproxy.envoy.api.v2.listener"; option java_outer_classname = "UdpListenerConfigProto"; @@ -13,6 +14,7 @@ option java_multiple_files = true; option csharp_namespace = "Envoy.Api.V2.ListenerNS"; option ruby_package = "Envoy.Api.V2.ListenerNS"; option (udpa.annotations.file_migrate).move_to_package = "envoy.config.listener.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: UDP Listener Config] // Listener :ref:`configuration overview ` diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/rds.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/rds.proto index f54308aafb..fad73f1758 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/rds.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/rds.proto @@ -9,6 +9,7 @@ import "google/protobuf/wrappers.proto"; import "envoy/annotations/resource.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; import public "envoy/api/v2/route.proto"; @@ -18,6 +19,7 @@ option java_outer_classname = "RdsProto"; option java_multiple_files = true; option java_generic_services = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.service.route.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: RDS] diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/route.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/route.proto index 87374611d8..549f134a7f 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/route.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/route.proto @@ -9,12 +9,14 @@ import "envoy/api/v2/route/route_components.proto"; import "google/protobuf/wrappers.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.api.v2"; option java_outer_classname = "RouteProto"; option java_multiple_files = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.config.route.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: HTTP route configuration] // * Routing :ref:`architecture overview ` diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/route/route.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/route/route.proto index ec13e9e5c8..92e44f1e19 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/route/route.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/route/route.proto @@ -2,6 +2,8 @@ syntax = "proto3"; package envoy.api.v2.route; +import "udpa/annotations/status.proto"; + import public "envoy/api/v2/route/route_components.proto"; option java_package = "io.envoyproxy.envoy.api.v2.route"; diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/route/route_components.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/route/route_components.proto index 2ae4ee75ef..c890134414 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/route/route_components.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/route/route_components.proto @@ -16,12 +16,14 @@ import "google/protobuf/wrappers.proto"; import "envoy/annotations/deprecation.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.api.v2.route"; option java_outer_classname = "RouteComponentsProto"; option java_multiple_files = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.config.route.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: HTTP route components] // * Routing :ref:`architecture overview ` @@ -1274,7 +1276,7 @@ message Tracing { // statistics are perfect in the sense that they are emitted on the downstream // side such that they include network level failures. // -// Documentation for :ref:`virtual cluster statistics `. +// Documentation for :ref:`virtual cluster statistics `. // // .. note:: // diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/scoped_route.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/scoped_route.proto index 43f81cf920..0841bd0872 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/scoped_route.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/scoped_route.proto @@ -3,12 +3,14 @@ syntax = "proto3"; package envoy.api.v2; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.api.v2"; option java_outer_classname = "ScopedRouteProto"; option java_multiple_files = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.config.route.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: HTTP scoped routing configuration] // * Routing :ref:`architecture overview ` diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/srds.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/srds.proto index f874307d7e..0edb99a1ec 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/srds.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/srds.proto @@ -8,6 +8,7 @@ import "google/api/annotations.proto"; import "envoy/annotations/resource.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import public "envoy/api/v2/scoped_route.proto"; @@ -16,6 +17,7 @@ option java_outer_classname = "SrdsProto"; option java_multiple_files = true; option java_generic_services = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.service.route.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: SRDS] // * Routing :ref:`architecture overview ` diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/accesslog/v3/accesslog.proto b/xds/third_party/envoy/src/main/proto/envoy/config/accesslog/v3/accesslog.proto index 8bfc999f08..9a2f276b34 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/accesslog/v3/accesslog.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/accesslog/v3/accesslog.proto @@ -9,13 +9,14 @@ import "envoy/type/v3/percent.proto"; import "google/protobuf/any.proto"; import "google/protobuf/struct.proto"; +import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; - import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.config.accesslog.v3"; option java_outer_classname = "AccesslogProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Common access log types] @@ -239,6 +240,8 @@ message ResponseFlagFilter { in: "SI" in: "IH" in: "DPE" + in: "UMSDR" + in: "RFCF" } } }]; diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/circuit_breaker.proto b/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/circuit_breaker.proto index 42de29b01e..96e69701cd 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/circuit_breaker.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/circuit_breaker.proto @@ -7,13 +7,14 @@ import "envoy/type/v3/percent.proto"; import "google/protobuf/wrappers.proto"; +import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; - import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.config.cluster.v3"; option java_outer_classname = "CircuitBreakerProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Circuit breakers] diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/cluster.proto b/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/cluster.proto index 5e7edd5682..be7710815b 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/cluster.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/cluster.proto @@ -18,14 +18,15 @@ import "google/protobuf/duration.proto"; import "google/protobuf/struct.proto"; import "google/protobuf/wrappers.proto"; -import "udpa/annotations/versioning.proto"; - import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.config.cluster.v3"; option java_outer_classname = "ClusterProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Cluster configuration] @@ -373,7 +374,7 @@ message Cluster { } // Common configuration for all load balancer implementations. - // [#next-free-field: 7] + // [#next-free-field: 8] message CommonLbConfig { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Cluster.CommonLbConfig"; @@ -411,6 +412,16 @@ message Cluster { "envoy.api.v2.Cluster.CommonLbConfig.LocalityWeightedLbConfig"; } + // Common Configuration for all consistent hashing load balancers (MaglevLb, RingHashLb, etc.) + message ConsistentHashingLbConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.Cluster.CommonLbConfig.ConsistentHashingLbConfig"; + + // If set to `true`, the cluster will use hostname instead of the resolved + // address as the key to consistently hash to an upstream host. Only valid for StrictDNS clusters with hostnames which resolve to a single IP address. + bool use_hostname_for_hashing = 1; + } + // Configures the :ref:`healthy panic threshold `. // If not specified, the default is 50%. // To disable panic mode, set to 0%. @@ -465,6 +476,9 @@ message Cluster { // If set to `true`, the cluster manager will drain all existing // connections to upstream hosts whenever hosts are added or removed from the cluster. bool close_connections_on_host_set_change = 6; + + //Common Configuration for all consistent hashing load balancers (MaglevLb, RingHashLb, etc.) + ConsistentHashingLbConfig consistent_hashing_lb_config = 7; } message RefreshRate { @@ -490,7 +504,7 @@ message Cluster { reserved "hosts", "tls_context", "extension_protocol_options"; // Configuration to use different transport sockets for different endpoints. - // The entry of *envoy.transport_socket* in the + // The entry of *envoy.transport_socket_match* in the // :ref:`LbEndpoint.Metadata ` // is used to match against the transport sockets as they appear in the list. The first // :ref:`match ` is used. @@ -510,14 +524,14 @@ message Cluster { // transport_socket: // name: envoy.transport_sockets.raw_buffer // - // Connections to the endpoints whose metadata value under *envoy.transport_socket* + // Connections to the endpoints whose metadata value under *envoy.transport_socket_match* // having "acceptMTLS"/"true" key/value pair use the "enableMTLS" socket configuration. // // If a :ref:`socket match ` with empty match // criteria is provided, that always match any endpoint. For example, the "defaultToPlaintext" // socket match in case above. // - // If an endpoint metadata's value under *envoy.transport_socket* does not match any + // If an endpoint metadata's value under *envoy.transport_socket_match* does not match any // *TransportSocketMatch*, socket configuration fallbacks to use the *tls_context* or // *transport_socket* specified in this cluster. // @@ -533,6 +547,10 @@ message Cluster { // *TransportSocketMatch* in this field. Other client Envoys receive CDS without // *transport_socket_match* set, and still send plain text traffic to the same cluster. // + // This field can be used to specify custom transport socket configurations for health + // checks by adding matching key/value pairs in a health check's + // :ref:`transport socket match criteria ` field. + // // [#comment:TODO(incfly): add a detailed architecture doc on intended usage.] repeated TransportSocketMatch transport_socket_matches = 43; diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/filter.proto b/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/filter.proto index 9ded0fbbb1..af3116ec26 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/filter.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/filter.proto @@ -4,13 +4,14 @@ package envoy.config.cluster.v3; import "google/protobuf/any.proto"; +import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; - import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.config.cluster.v3"; option java_outer_classname = "FilterProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Upstream filters] // Upstream filters apply to the connections to the upstream cluster hosts. diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/outlier_detection.proto b/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/outlier_detection.proto index 1364b197f5..c0b4d5732d 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/outlier_detection.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/outlier_detection.proto @@ -5,13 +5,14 @@ package envoy.config.cluster.v3; import "google/protobuf/duration.proto"; import "google/protobuf/wrappers.proto"; +import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; - import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.config.cluster.v3"; option java_outer_classname = "OutlierDetectionProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Outlier detection] diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/address.proto b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/address.proto index 92649ff6ae..5102c2d575 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/address.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/address.proto @@ -6,13 +6,14 @@ import "envoy/config/core/v3/socket_option.proto"; import "google/protobuf/wrappers.proto"; +import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; - import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.config.core.v3"; option java_outer_classname = "AddressProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Network addresses] diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/backoff.proto b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/backoff.proto index 63fc868435..55b504e716 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/backoff.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/backoff.proto @@ -4,13 +4,14 @@ package envoy.config.core.v3; import "google/protobuf/duration.proto"; +import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; - import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.config.core.v3"; option java_outer_classname = "BackoffProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Backoff Strategy] diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/base.proto b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/base.proto index ba1b5ded43..b8ce5bff4b 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/base.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/base.proto @@ -13,13 +13,14 @@ import "google/protobuf/duration.proto"; import "google/protobuf/struct.proto"; import "google/protobuf/wrappers.proto"; +import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; - import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.config.core.v3"; option java_outer_classname = "BaseProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Common types] @@ -238,6 +239,17 @@ message RuntimeUInt32 { string runtime_key = 3 [(validate.rules).string = {min_bytes: 1}]; } +// Runtime derived double with a default when not specified. +message RuntimeDouble { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.RuntimeDouble"; + + // Default value if runtime value is not available. + double default_value = 1; + + // Runtime key to get value for comparison. This value is used if defined. + string runtime_key = 2 [(validate.rules).string = {min_bytes: 1}]; +} + // Runtime derived bool with a default when not specified. message RuntimeFeatureFlag { option (udpa.annotations.versioning).previous_message_type = diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/config_source.proto b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/config_source.proto index 73dfe15982..7337403bc8 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/config_source.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/config_source.proto @@ -7,14 +7,15 @@ import "envoy/config/core/v3/grpc_service.proto"; import "google/protobuf/duration.proto"; import "google/protobuf/wrappers.proto"; -import "udpa/annotations/versioning.proto"; - import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.config.core.v3"; option java_outer_classname = "ConfigSourceProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Configuration sources] @@ -57,10 +58,6 @@ message ApiConfigSource { // Using the delta xDS gRPC service, i.e. DeltaDiscovery{Request,Response} // rather than Discovery{Request,Response}. Rather than sending Envoy the entire state // with every update, the xDS server only sends what has changed since the last update. - // - // DELTA_GRPC is not yet entirely implemented! Initially, only CDS is available. - // Do not use for other xDSes. - // [#comment:TODO(fredlas) update/remove this warning when appropriate.] DELTA_GRPC = 3; } @@ -143,6 +140,8 @@ message ConfigSource { option (validate.required) = true; // Path on the filesystem to source and watch for configuration updates. + // When sourcing configuration for :ref:`secret `, + // the certificate and key files are also watched for updates. // // .. note:: // diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/event_service_config.proto b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/event_service_config.proto new file mode 100644 index 0000000000..b3552e3975 --- /dev/null +++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/event_service_config.proto @@ -0,0 +1,28 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "envoy/config/core/v3/grpc_service.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "EventServiceConfigProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#not-implemented-hide:] +// Configuration of the event reporting service endpoint. +message EventServiceConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.EventServiceConfig"; + + oneof config_source_specifier { + option (validate.required) = true; + + // Specifies the gRPC service that hosts the event reporting service. + GrpcService grpc_service = 1; + } +} diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/extension.proto b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/extension.proto new file mode 100644 index 0000000000..6363987607 --- /dev/null +++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/extension.proto @@ -0,0 +1,30 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "google/protobuf/any.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "ExtensionProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Extension configuration] + +// Message type for extension configuration. +// [#next-major-version: revisit all existing typed_config that doesn't use this wrapper.]. +message TypedExtensionConfig { + // The name of an extension. This is not used to select the extension, instead + // it serves the role of an opaque identifier. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // The typed config for the extension. The type URL will be used to identify + // the extension. In the case that the type URL is *udpa.type.v1.TypedStruct*, + // the inner type URL of *TypedStruct* will be utilized. See the + // :ref:`extension configuration overview + // ` for further details. + google.protobuf.Any typed_config = 2 [(validate.rules).any = {required: true}]; +} diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/grpc_service.proto b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/grpc_service.proto index a2d41a7232..3acd3c1c9b 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/grpc_service.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/grpc_service.proto @@ -8,15 +8,17 @@ import "google/protobuf/any.proto"; import "google/protobuf/duration.proto"; import "google/protobuf/empty.proto"; import "google/protobuf/struct.proto"; +import "google/protobuf/wrappers.proto"; import "udpa/annotations/sensitive.proto"; +import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; - import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.config.core.v3"; option java_outer_classname = "GrpcServiceProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: gRPC services] @@ -36,7 +38,7 @@ message GrpcService { string cluster_name = 1 [(validate.rules).string = {min_bytes: 1}]; } - // [#next-free-field: 7] + // [#next-free-field: 8] message GoogleGrpc { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.GrpcService.GoogleGrpc"; @@ -231,6 +233,10 @@ message GrpcService { // Additional configuration for site-specific customizations of the Google // gRPC library. google.protobuf.Struct config = 6; + + // How many bytes each stream can buffer internally. + // If not set an implementation defined default is applied (1MiB). + google.protobuf.UInt32Value per_stream_buffer_limit_bytes = 7; } reserved 4; diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/health_check.proto b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/health_check.proto index 624b7f6e5b..c6b4acfa93 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/health_check.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/health_check.proto @@ -3,6 +3,7 @@ syntax = "proto3"; package envoy.config.core.v3; import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/event_service_config.proto"; import "envoy/type/matcher/v3/string.proto"; import "envoy/type/v3/http.proto"; import "envoy/type/v3/range.proto"; @@ -12,14 +13,15 @@ import "google/protobuf/duration.proto"; import "google/protobuf/struct.proto"; import "google/protobuf/wrappers.proto"; -import "udpa/annotations/versioning.proto"; - import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.config.core.v3"; option java_outer_classname = "HealthCheckProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Health check] // * Health checking :ref:`architecture overview `. @@ -52,7 +54,7 @@ enum HealthStatus { DEGRADED = 5; } -// [#next-free-field: 22] +// [#next-free-field: 24] message HealthCheck { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HealthCheck"; @@ -83,12 +85,15 @@ message HealthCheck { // The value of the host header in the HTTP health check request. If // left empty (default value), the name of the cluster this health check is associated - // with will be used. - string host = 1; + // with will be used. The host header can be customized for a specific endpoint by setting the + // :ref:`hostname ` field. + string host = 1 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; // Specifies the HTTP path that will be requested during health checking. For example // */healthcheck*. - string path = 2 [(validate.rules).string = {min_bytes: 1}]; + string path = 2 [ + (validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_VALUE strict: false} + ]; // [#not-implemented-hide:] HTTP specific payload. Payload send = 3; @@ -105,7 +110,9 @@ message HealthCheck { // Specifies a list of HTTP headers that should be removed from each request that is sent to the // health checked cluster. - repeated string request_headers_to_remove = 8; + repeated string request_headers_to_remove = 8 [(validate.rules).repeated = { + items {string {well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; // Specifies a list of HTTP response statuses considered healthy. If provided, replaces default // 200-only policy - 200 must be included explicitly as needed. Ranges follow half-open @@ -164,8 +171,10 @@ message HealthCheck { // The value of the :authority header in the gRPC health check request. If // left empty (default value), the name of the cluster this health check is associated - // with will be used. - string authority = 2; + // with will be used. The authority header can be customized for a specific endpoint by setting + // the :ref:`hostname ` field. + string authority = 2 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; } // Custom health check. @@ -302,6 +311,11 @@ message HealthCheck { // If empty, no event log will be written. string event_log_path = 17; + // [#not-implemented-hide:] + // The gRPC service for the health check event service. + // If empty, health check events won't be sent to a remote endpoint. + EventServiceConfig event_service = 22; + // If set to true, health check failure events will always be logged. If set to false, only the // initial health check failure event will be logged. // The default value is false. @@ -309,4 +323,36 @@ message HealthCheck { // This allows overriding the cluster TLS settings, just for health check connections. TlsOptions tls_options = 21; + + // Optional key/value pairs that will be used to match a transport socket from those specified in the cluster's + // :ref:`tranport socket matches `. + // For example, the following match criteria + // + // .. code-block:: yaml + // + // transport_socket_match_criteria: + // useMTLS: true + // + // Will match the following :ref:`cluster socket match ` + // + // .. code-block:: yaml + // + // transport_socket_matches: + // - name: "useMTLS" + // match: + // useMTLS: true + // transport_socket: + // name: envoy.transport_sockets.tls + // config: { ... } # tls socket configuration + // + // If this field is set, then for health checks it will supersede an entry of *envoy.transport_socket* in the + // :ref:`LbEndpoint.Metadata `. + // This allows using different transport socket capabilities for health checking versus proxying to the + // endpoint. + // + // If the key/values pairs specified do not match any + // :ref:`transport socket matches `, + // the cluster's :ref:`transport socket ` + // will be used for health check socket configuration. + google.protobuf.Struct transport_socket_match_criteria = 23; } diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/http_uri.proto b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/http_uri.proto index 481ba93785..42bcd4f615 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/http_uri.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/http_uri.proto @@ -4,13 +4,14 @@ package envoy.config.core.v3; import "google/protobuf/duration.proto"; +import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; - import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.config.core.v3"; option java_outer_classname = "HttpUriProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: HTTP Service URI ] diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/protocol.proto b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/protocol.proto index 8d23ba229e..7866b87999 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/protocol.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/protocol.proto @@ -5,13 +5,14 @@ package envoy.config.core.v3; import "google/protobuf/duration.proto"; import "google/protobuf/wrappers.proto"; +import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; - import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.config.core.v3"; option java_outer_classname = "ProtocolProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Protocol options] @@ -37,12 +38,33 @@ message UpstreamHttpProtocolOptions { bool auto_san_validation = 2; } +// [#next-free-field: 6] message HttpProtocolOptions { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HttpProtocolOptions"; + // Action to take when Envoy receives client request with header names containing underscore + // characters. + // Underscore character is allowed in header names by the RFC-7230 and this behavior is implemented + // as a security measure due to systems that treat '_' and '-' as interchangeable. Envoy by default allows client request headers with underscore + // characters. + enum HeadersWithUnderscoresAction { + // Allow headers with underscores. This is the default behavior. + ALLOW = 0; + + // Reject client request. HTTP/1 requests are rejected with the 400 status. HTTP/2 requests + // end with the stream reset. The "httpN.requests_rejected_with_underscores_in_headers" counter + // is incremented for each rejected request. + REJECT_REQUEST = 1; + + // Drop the header with name containing underscores. The header is dropped before the filter chain is + // invoked and as such filters will not see dropped headers. The + // "httpN.dropped_headers_with_underscores" is incremented for each dropped header. + DROP_HEADER = 2; + } + // The idle timeout for connections. The idle timeout is defined as the - // period in which there are no active requests. If not set, there is no idle timeout. When the + // period in which there are no active requests. When the // idle timeout is reached the connection will be closed. If the connection is an HTTP/2 // downstream connection a drain sequence will occur prior to closing the connection, see // :ref:`drain_timeout @@ -70,9 +92,12 @@ message HttpProtocolOptions { // Total duration to keep alive an HTTP request/response stream. If the time limit is reached the stream will be // reset independent of any other timeouts. If not specified, this value is not set. - // The current implementation implements this timeout on downstream connections only. - // [#comment:TODO(shikugawa): add this functionality to upstream.] google.protobuf.Duration max_stream_duration = 4; + + // Action to take when a client request with a header name containing underscore characters is received. + // If this setting is not specified, the value defaults to ALLOW. + // Note: upstream responses are not affected by this setting. + HeadersWithUnderscoresAction headers_with_underscores_action = 5; } // [#next-free-field: 6] diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/proxy_protocol.proto b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/proxy_protocol.proto new file mode 100644 index 0000000000..225a8971f2 --- /dev/null +++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/proxy_protocol.proto @@ -0,0 +1,26 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "ProxyProtocolProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Proxy Protocol] + +message ProxyProtocolConfig { + enum Version { + // PROXY protocol version 1. Human readable format. + V1 = 0; + + // PROXY protocol version 2. Binary format. + V2 = 1; + } + + // The PROXY protocol version to use. See https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt for details + Version version = 1; +} diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/socket_option.proto b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/socket_option.proto index 0de7848aea..b22169b86a 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/socket_option.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/socket_option.proto @@ -2,13 +2,14 @@ syntax = "proto3"; package envoy.config.core.v3; +import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; - import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.config.core.v3"; option java_outer_classname = "SocketOptionProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Socket Option ] diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/endpoint/v3/endpoint.proto b/xds/third_party/envoy/src/main/proto/envoy/config/endpoint/v3/endpoint.proto index 3b521e37ae..63869fafcb 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/endpoint/v3/endpoint.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/endpoint/v3/endpoint.proto @@ -9,13 +9,14 @@ import "google/api/annotations.proto"; import "google/protobuf/duration.proto"; import "google/protobuf/wrappers.proto"; +import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; - import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.config.endpoint.v3"; option java_outer_classname = "EndpointProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Endpoint configuration] // Endpoint discovery :ref:`architecture overview ` @@ -39,6 +40,7 @@ message ClusterLoadAssignment { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.ClusterLoadAssignment.Policy"; + // [#not-implemented-hide:] message DropOverload { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.ClusterLoadAssignment.Policy.DropOverload"; @@ -73,6 +75,7 @@ message ClusterLoadAssignment { // "throttle"_drop = 60% // "lb"_drop = 20% // 50% of the remaining 'actual' load, which is 40%. // actual_outgoing_load = 20% // remaining after applying all categories. + // [#not-implemented-hide:] repeated DropOverload drop_overloads = 2; // Priority levels and localities are considered overprovisioned with this diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/endpoint/v3/endpoint_components.proto b/xds/third_party/envoy/src/main/proto/envoy/config/endpoint/v3/endpoint_components.proto index 2bb219151e..b880a38d1a 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/endpoint/v3/endpoint_components.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/endpoint/v3/endpoint_components.proto @@ -8,13 +8,14 @@ import "envoy/config/core/v3/health_check.proto"; import "google/protobuf/wrappers.proto"; +import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; - import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.config.endpoint.v3"; option java_outer_classname = "EndpointComponentsProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Endpoints] @@ -34,6 +35,13 @@ message Endpoint { // check port. Setting this with a non-zero value allows an upstream host // to have different health check address port. uint32 port_value = 1 [(validate.rules).uint32 = {lte: 65535}]; + + // By default, the host header for L7 health checks is controlled by cluster level configuration + // (see: :ref:`host ` and + // :ref:`authority `). Setting this + // to a non-empty value allows overriding the cluster level configuration for a specific + // endpoint. + string hostname = 2; } // The upstream host address. @@ -55,6 +63,12 @@ message Endpoint { // This takes into effect only for upstream clusters with // :ref:`active health checking ` enabled. HealthCheckConfig health_check_config = 2; + + // The hostname associated with this endpoint. This hostname is not used for routing or address + // resolution. If provided, it will be associated with the endpoint, and can be used for features + // that require a hostname, like + // :ref:`auto_host_rewrite `. + string hostname = 3; } // An Endpoint that Envoy can route traffic to. @@ -89,7 +103,8 @@ message LbEndpoint { // percentage of traffic for the endpoint. This percentage is then further // weighted by the endpoint's locality's load balancing weight from // LocalityLbEndpoints. If unspecified, each host is presumed to have equal - // weight in a locality. + // weight in a locality. The sum of the weights of all endpoints in the + // endpoint's locality must not exceed uint32_t maximal value (4294967295). google.protobuf.UInt32Value load_balancing_weight = 4 [(validate.rules).uint32 = {gte: 1}]; } @@ -111,7 +126,8 @@ message LocalityLbEndpoints { // Optional: Per priority/region/zone/sub_zone weight; at least 1. The load // balancing weight for a locality is divided by the sum of the weights of all // localities at the same priority level to produce the effective percentage - // of traffic for the locality. + // of traffic for the locality. The sum of the weights of all localities at + // the same priority level must not exceed uint32_t maximal value (4294967295). // // Locality weights are only considered when :ref:`locality weighted load // balancing ` is diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/filter/accesslog/v2/accesslog.proto b/xds/third_party/envoy/src/main/proto/envoy/config/filter/accesslog/v2/accesslog.proto index 8a525dee91..25d27bfbd1 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/filter/accesslog/v2/accesslog.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/filter/accesslog/v2/accesslog.proto @@ -10,12 +10,14 @@ import "google/protobuf/any.proto"; import "google/protobuf/struct.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.config.filter.accesslog.v2"; option java_outer_classname = "AccesslogProto"; option java_multiple_files = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.config.accesslog.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Common access log types] diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/filter/fault/v2/fault.proto b/xds/third_party/envoy/src/main/proto/envoy/config/filter/fault/v2/fault.proto index d0d12c07a6..016140d10f 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/filter/fault/v2/fault.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/filter/fault/v2/fault.proto @@ -8,12 +8,14 @@ import "google/protobuf/duration.proto"; import "envoy/annotations/deprecation.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.config.filter.fault.v2"; option java_outer_classname = "FaultProto"; option java_multiple_files = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.extensions.filters.common.fault.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Common fault injection types] diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/filter/http/fault/v2/fault.proto b/xds/third_party/envoy/src/main/proto/envoy/config/filter/http/fault/v2/fault.proto index 9ce4928807..cb99b0d71b 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/filter/http/fault/v2/fault.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/filter/http/fault/v2/fault.proto @@ -9,12 +9,14 @@ import "envoy/type/percent.proto"; import "google/protobuf/wrappers.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.config.filter.http.fault.v2"; option java_outer_classname = "FaultProto"; option java_multiple_files = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.extensions.filters.http.fault.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Fault Injection] // Fault Injection :ref:`configuration overview `. diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto b/xds/third_party/envoy/src/main/proto/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto index 35fd122c06..742e5584be 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto @@ -7,7 +7,7 @@ import "envoy/api/v2/core/protocol.proto"; import "envoy/api/v2/route.proto"; import "envoy/api/v2/scoped_route.proto"; import "envoy/config/filter/accesslog/v2/accesslog.proto"; -import "envoy/config/trace/v2/trace.proto"; +import "envoy/config/trace/v2/http_tracer.proto"; import "envoy/type/percent.proto"; import "envoy/type/tracing/v2/custom_tag.proto"; @@ -18,6 +18,7 @@ import "google/protobuf/wrappers.proto"; import "envoy/annotations/deprecation.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.config.filter.network.http_connection_manager.v2"; @@ -25,12 +26,13 @@ option java_outer_classname = "HttpConnectionManagerProto"; option java_multiple_files = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.extensions.filters.network.http_connection_manager.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: HTTP connection manager] // HTTP connection manager :ref:`configuration overview `. // [#extension: envoy.filters.network.http_connection_manager] -// [#next-free-field: 36] +// [#next-free-field: 37] message HttpConnectionManager { enum CodecType { // For every new connection, the connection manager will determine which @@ -159,9 +161,15 @@ message HttpConnectionManager { repeated type.tracing.v2.CustomTag custom_tags = 8; // Configuration for an external tracing provider. - // If not specified, Envoy will fall back to using tracing provider configuration - // from the bootstrap config. - // [#not-implemented-hide:] + // If not specified, no tracing will be performed. + // + // .. attention:: + // Please be aware that *envoy.tracers.opencensus* provider can only be configured once + // in Envoy lifetime. + // Any attempts to reconfigure it or to use different configurations for different HCM filters + // will be rejected. + // Such a constraint is inherent to OpenCensus itself. It cannot be overcome without changes + // on OpenCensus side. trace.v2.Tracing.Http provider = 9; } @@ -224,7 +232,7 @@ message HttpConnectionManager { // Determines if upgrades are enabled or disabled by default. Defaults to true. // This can be overridden on a per-route basis with :ref:`cluster // ` as documented in the - // :ref:`upgrade documentation `. + // :ref:`upgrade documentation `. google.protobuf.BoolValue enabled = 3; } @@ -254,8 +262,8 @@ message HttpConnectionManager { } // A list of individual HTTP filters that make up the filter chain for - // requests made to the connection manager. Order matters as the filters are - // processed sequentially as request events happen. + // requests made to the connection manager. :ref:`Order matters ` + // as the filters are processed sequentially as request events happen. repeated HttpFilter http_filters = 5; // Whether the connection manager manipulates the :ref:`config_http_conn_man_headers_user-agent` @@ -334,7 +342,7 @@ message HttpConnectionManager { // timeout, although per-route idle timeout overrides will continue to apply. google.protobuf.Duration stream_idle_timeout = 24; - // A timeout for idle requests managed by the connection manager. + // The amount of time that Envoy will wait for the entire request to be received. // The timer is activated when the request is initiated, and is disarmed when the last byte of the // request is sent upstream (i.e. all decoding filters have processed the request), OR when the // response is initiated. If not specified or set to 0, this timeout is disabled. @@ -491,6 +499,18 @@ message HttpConnectionManager { // with `prefix` match set to `/dir`. Defaults to `false`. Note that slash merging is not part of // `HTTP spec ` and is provided for convenience. bool merge_slashes = 33; + + // The configuration of the request ID extension. This includes operations such as + // generation, validation, and associated tracing operations. + // + // If not set, Envoy uses the default UUID-based behavior: + // + // 1. Request ID is propagated using *x-request-id* header. + // + // 2. Request ID is a universally unique identifier (UUID). + // + // 3. Tracing decision (sampled, forced, etc) is set in 14th byte of the UUID. + RequestIDExtension request_id_extension = 36; } message Rds { @@ -640,3 +660,8 @@ message HttpFilter { google.protobuf.Any typed_config = 4; } } + +message RequestIDExtension { + // Request ID extension specific configuration. + google.protobuf.Any typed_config = 1; +} diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/listener/v2/api_listener.proto b/xds/third_party/envoy/src/main/proto/envoy/config/listener/v2/api_listener.proto index 3f974cad9e..6709d5fe0b 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/listener/v2/api_listener.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/listener/v2/api_listener.proto @@ -5,11 +5,13 @@ package envoy.config.listener.v2; import "google/protobuf/any.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; option java_package = "io.envoyproxy.envoy.config.listener.v2"; option java_outer_classname = "ApiListenerProto"; option java_multiple_files = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.config.listener.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: API listener] diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/api_listener.proto b/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/api_listener.proto index c8c3ea1159..4d3879a22b 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/api_listener.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/api_listener.proto @@ -4,11 +4,13 @@ package envoy.config.listener.v3; import "google/protobuf/any.proto"; +import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; option java_package = "io.envoyproxy.envoy.config.listener.v3"; option java_outer_classname = "ApiListenerProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: API listener] diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/listener.proto b/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/listener.proto index 3564020194..03214150e7 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/listener.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/listener.proto @@ -2,6 +2,7 @@ syntax = "proto3"; package envoy.config.listener.v3; +import "envoy/config/accesslog/v3/accesslog.proto"; import "envoy/config/core/v3/address.proto"; import "envoy/config/core/v3/base.proto"; import "envoy/config/core/v3/socket_option.proto"; @@ -13,18 +14,20 @@ import "google/api/annotations.proto"; import "google/protobuf/duration.proto"; import "google/protobuf/wrappers.proto"; +import "udpa/annotations/security.proto"; +import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; - import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.config.listener.v3"; option java_outer_classname = "ListenerProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Listener configuration] // Listener :ref:`configuration overview ` -// [#next-free-field: 22] +// [#next-free-field: 23] message Listener { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Listener"; @@ -106,7 +109,8 @@ message Listener { // Soft limit on size of the listener’s new connection read and write buffers. // If unspecified, an implementation defined default is applied (1MiB). - google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5; + google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5 + [(udpa.annotations.security).configure_for_untrusted_downstream = true]; // Listener metadata. core.v3.Metadata metadata = 6; @@ -232,4 +236,8 @@ message Listener { // This issue was fixed by `tcp: Avoid TCP syncookie rejected by SO_REUSEPORT socket // `_. bool reuse_port = 21; + + // Configuration for :ref:`access logs ` + // emitted by this listener. + repeated accesslog.v3.AccessLog access_log = 22; } diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/listener_components.proto b/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/listener_components.proto index 6ba993b651..88e75e65b5 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/listener_components.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/listener_components.proto @@ -10,13 +10,14 @@ import "google/protobuf/any.proto"; import "google/protobuf/struct.proto"; import "google/protobuf/wrappers.proto"; +import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; - import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.config.listener.v3"; option java_outer_classname = "ListenerComponentsProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Listener components] // Listener :ref:`configuration overview ` @@ -207,9 +208,32 @@ message FilterChain { string name = 7; } -// [#not-implemented-hide:] // Listener filter chain match configuration. This is a recursive structure which allows complex // nested match configurations to be built using various logical operators. +// +// Examples: +// +// * Matches if the destination port is 3306. +// +// .. code-block:: yaml +// +// destination_port_range: +// start: 3306 +// end: 3307 +// +// * Matches if the destination port is 3306 or 15000. +// +// .. code-block:: yaml +// +// or_match: +// rules: +// - destination_port_range: +// start: 3306 +// end: 3306 +// - destination_port_range: +// start: 15000 +// end: 15001 +// // [#next-free-field: 6] message ListenerFilterChainMatchPredicate { option (udpa.annotations.versioning).previous_message_type = @@ -266,17 +290,8 @@ message ListenerFilter { google.protobuf.Any typed_config = 3; } - // [#not-implemented-hide:] - // Decide when to disable this listener filter on incoming traffic. - // Example: - // 0. always enable filter - // don't set `filter_disabled` - // 1. disable when the destination port is 3306 - // rule.destination_port_range = Int32Range {start = 3306, end = 3307} - // 2. disable when the destination port is 3306 or 15000 - // rule.or_match = MatchSet.rules [ - // rule.destination_port_range = Int32Range {start = 3306, end = 3307}, - // rule.destination_port_range = Int32Range {start = 15000, end = 15001}, - // ] + // Optional match predicate used to disable the filter. The filter is enabled when this field is empty. + // See :ref:`ListenerFilterChainMatchPredicate ` + // for further examples. ListenerFilterChainMatchPredicate filter_disabled = 4; } diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/udp_listener_config.proto b/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/udp_listener_config.proto index 701a8bbe71..9edbe59548 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/udp_listener_config.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/udp_listener_config.proto @@ -5,11 +5,13 @@ package envoy.config.listener.v3; import "google/protobuf/any.proto"; import "google/protobuf/struct.proto"; +import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; option java_package = "io.envoyproxy.envoy.config.listener.v3"; option java_outer_classname = "UdpListenerConfigProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: UDP Listener Config] // Listener :ref:`configuration overview ` diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/rbac/v2/rbac.proto b/xds/third_party/envoy/src/main/proto/envoy/config/rbac/v2/rbac.proto index fa5d27fdf6..943ac33e08 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/rbac/v2/rbac.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/rbac/v2/rbac.proto @@ -10,11 +10,13 @@ import "envoy/type/matcher/string.proto"; import "google/api/expr/v1alpha1/syntax.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.config.rbac.v2"; option java_outer_classname = "RbacProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Role Based Access Control (RBAC)] @@ -168,7 +170,7 @@ message Permission { } // Principal defines an identity or a group of identities for a downstream subject. -// [#next-free-field: 10] +// [#next-free-field: 12] message Principal { // Used in the `and_ids` and `or_ids` fields in the `identifier` oneof. Depending on the context, // each are applied with the associated behavior. @@ -202,7 +204,21 @@ message Principal { Authenticated authenticated = 4; // A CIDR block that describes the downstream IP. - api.v2.core.CidrRange source_ip = 5; + // This address will honor proxy protocol, but will not honor XFF. + api.v2.core.CidrRange source_ip = 5 [deprecated = true]; + + // A CIDR block that describes the downstream remote/origin address. + // Note: This is always the physical peer even if the + // :ref:`remote_ip ` is inferred + // from for example the x-forwarder-for header, proxy protocol, etc. + api.v2.core.CidrRange direct_remote_ip = 10; + + // A CIDR block that describes the downstream remote/origin address. + // Note: This may not be the physical peer and could be different from the + // :ref:`direct_remote_ip `. + // E.g, if the remote ip is inferred from for example the x-forwarder-for header, + // proxy protocol, etc. + api.v2.core.CidrRange remote_ip = 11; // A header (or pseudo-header such as :path or :method) on the incoming HTTP request. Only // available for HTTP request. diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/route/v3/route_components.proto b/xds/third_party/envoy/src/main/proto/envoy/config/route/v3/route_components.proto index f1a91fe580..f927f582bd 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/route/v3/route_components.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/route/v3/route_components.proto @@ -3,6 +3,8 @@ syntax = "proto3"; package envoy.config.route.v3; import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/proxy_protocol.proto"; import "envoy/type/matcher/v3/regex.proto"; import "envoy/type/matcher/v3/string.proto"; import "envoy/type/tracing/v3/custom_tag.proto"; @@ -14,14 +16,15 @@ import "google/protobuf/duration.proto"; import "google/protobuf/struct.proto"; import "google/protobuf/wrappers.proto"; -import "udpa/annotations/versioning.proto"; - import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.config.route.v3"; option java_outer_classname = "RouteComponentsProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: HTTP route components] // * Routing :ref:`architecture overview ` @@ -107,7 +110,9 @@ message VirtualHost { // Specifies a list of HTTP headers that should be removed from each request // handled by this virtual host. - repeated string request_headers_to_remove = 13; + repeated string request_headers_to_remove = 13 [(validate.rules).repeated = { + items {string {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; // Specifies a list of HTTP headers that should be added to each response // handled by this virtual host. Headers specified at this level are applied @@ -251,7 +256,9 @@ message Route { // Specifies a list of HTTP headers that should be removed from each request // matching this route. - repeated string request_headers_to_remove = 12; + repeated string request_headers_to_remove = 12 [(validate.rules).repeated = { + items {string {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; // Specifies a set of headers that will be added to responses to requests // matching this route. Headers specified at this level are applied before @@ -365,7 +372,7 @@ message WeightedCluster { string runtime_key_prefix = 2; } -// [#next-free-field: 12] +// [#next-free-field: 13] message RouteMatch { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RouteMatch"; @@ -387,6 +394,10 @@ message RouteMatch { google.protobuf.BoolValue validated = 2; } + // An extensible message for matching CONNECT requests. + message ConnectMatcher { + } + reserved 5, 3; reserved "regex"; @@ -415,6 +426,17 @@ message RouteMatch { // on :path, etc. The issue with that is it is unclear how to generically deal with query string // stripping. This needs more thought.] type.matcher.v3.RegexMatcher safe_regex = 10 [(validate.rules).message = {required: true}]; + + // If this is used as the matcher, the matcher will only match CONNECT requests. + // Note that this will not match HTTP/2 upgrade-style CONNECT requests + // (WebSocket and the like) as they are normalized in Envoy as HTTP/1.1 style + // upgrades. + // This is the only way to match CONNECT requests for HTTP/1.1. For HTTP/2, + // where CONNECT requests may have a path, the path matchers will work if + // there is a path present. + // Note that CONNECT support is currently considered alpha in Envoy. + // [#comment:TODO(htuch): Replace the above comment with an alpha tag. + ConnectMatcher connect_matcher = 12; } // Indicates that prefix/path matching should be case insensitive. The default @@ -515,7 +537,7 @@ message CorsPolicy { core.v3.RuntimeFractionalPercent shadow_enabled = 10; } -// [#next-free-field: 34] +// [#next-free-field: 35] message RouteAction { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RouteAction"; @@ -528,7 +550,10 @@ message RouteAction { } // Configures :ref:`internal redirect ` behavior. + // [#next-major-version: remove this definition - it's defined in the InternalRedirectPolicy message.] enum InternalRedirectAction { + option deprecated = true; + PASS_THROUGH_INTERNAL_REDIRECT = 0; HANDLE_INTERNAL_REDIRECT = 1; } @@ -700,6 +725,13 @@ message RouteAction { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RouteAction.UpgradeConfig"; + // Configuration for sending data upstream as a raw data payload. This is used for + // CONNECT requests, when forwarding CONNECT payload as raw TCP. + message ConnectConfig { + // If present, the proxy protocol header will be prepended to the CONNECT payload sent upstream. + core.v3.ProxyProtocolConfig proxy_protocol_config = 1; + } + // The case-insensitive name of this upgrade, e.g. "websocket". // For each upgrade type present in upgrade_configs, requests with // Upgrade: [upgrade_type] will be proxied upstream. @@ -708,6 +740,12 @@ message RouteAction { // Determines if upgrades are available on this route. Defaults to true. google.protobuf.BoolValue enabled = 2; + + // Configuration for sending data upstream as a raw data payload. This is used for + // CONNECT requests, when forwarding CONNECT payload as raw TCP. + // Note that CONNECT support is currently considered alpha in Envoy. + // [#comment:TODO(htuch): Replace the above comment with an alpha tag. + ConnectConfig connect_config = 3; } reserved 12, 18, 19, 16, 22, 21, 10; @@ -952,7 +990,13 @@ message RouteAction { repeated UpgradeConfig upgrade_configs = 25; - InternalRedirectAction internal_redirect_action = 26; + // If present, Envoy will try to follow an upstream redirect response instead of proxying the + // response back to the downstream. An upstream redirect response is defined + // by :ref:`redirect_response_codes + // `. + InternalRedirectPolicy internal_redirect_policy = 34; + + InternalRedirectAction internal_redirect_action = 26 [deprecated = true]; // An internal redirect is handled, iff the number of previous internal redirects that a // downstream request has encountered is lower than this value, and @@ -968,7 +1012,7 @@ message RouteAction { // will pass the redirect back to downstream. // // If not specified, at most one redirect will be followed. - google.protobuf.UInt32Value max_internal_redirects = 31; + google.protobuf.UInt32Value max_internal_redirects = 31 [deprecated = true]; // Indicates that the route has a hedge policy. Note that if this is set, // it'll take precedence over the virtual host level hedge policy entirely @@ -1265,7 +1309,7 @@ message Tracing { // statistics are perfect in the sense that they are emitted on the downstream // side such that they include network level failures. // -// Documentation for :ref:`virtual cluster statistics `. +// Documentation for :ref:`virtual cluster statistics `. // // .. note:: // @@ -1351,6 +1395,11 @@ message RateLimit { // The key to use in the descriptor entry. string descriptor_key = 2 [(validate.rules).string = {min_bytes: 1}]; + + // If set to true, Envoy skips the descriptor while calling rate limiting service + // when header is not present in the request. By default it skips calling the + // rate limiting service if this header is not present in the request. + bool skip_if_absent = 3; } // The following descriptor entry is appended to the descriptor and is populated using the @@ -1559,3 +1608,30 @@ message QueryParameterMatcher { bool present_match = 6; } } + +// HTTP Internal Redirect :ref:`architecture overview `. +message InternalRedirectPolicy { + // An internal redirect is not handled, unless the number of previous internal redirects that a + // downstream request has encountered is lower than this value. + // In the case where a downstream request is bounced among multiple routes by internal redirect, + // the first route that hits this threshold, or does not set :ref:`internal_redirect_policy + // ` + // will pass the redirect back to downstream. + // + // If not specified, at most one redirect will be followed. + google.protobuf.UInt32Value max_internal_redirects = 1; + + // Defines what upstream response codes are allowed to trigger internal redirect. If unspecified, + // only 302 will be treated as internal redirect. + // Only 301, 302, 303, 307 and 308 are valid values. Any other codes will be ignored. + repeated uint32 redirect_response_codes = 2 [(validate.rules).repeated = {max_items: 5}]; + + // Specifies a list of predicates that are queried when an upstream response is deemed + // to trigger an internal redirect by all other criteria. Any predicate in the list can reject + // the redirect, causing the response to be proxied to downstream. + repeated core.v3.TypedExtensionConfig predicates = 3; + + // Allow internal redirect to follow a target URI with a different scheme than the value of + // x-forwarded-proto. The default is false. + bool allow_cross_scheme_redirect = 4; +} diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/datadog.proto b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/datadog.proto new file mode 100644 index 0000000000..0992601a8a --- /dev/null +++ b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/datadog.proto @@ -0,0 +1,23 @@ +syntax = "proto3"; + +package envoy.config.trace.v2; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.trace.v2"; +option java_outer_classname = "DatadogProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = FROZEN; + +// [#protodoc-title: Datadog tracer] + +// Configuration for the Datadog tracer. +// [#extension: envoy.tracers.datadog] +message DatadogConfig { + // The cluster to use for submitting traces to the Datadog agent. + string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}]; + + // The name used for the service when traces are generated by envoy. + string service_name = 2 [(validate.rules).string = {min_bytes: 1}]; +} diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/dynamic_ot.proto b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/dynamic_ot.proto new file mode 100644 index 0000000000..55c6d401b3 --- /dev/null +++ b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/dynamic_ot.proto @@ -0,0 +1,29 @@ +syntax = "proto3"; + +package envoy.config.trace.v2; + +import "google/protobuf/struct.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.trace.v2"; +option java_outer_classname = "DynamicOtProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = FROZEN; + +// [#protodoc-title: Dynamically loadable OpenTracing tracer] + +// DynamicOtConfig is used to dynamically load a tracer from a shared library +// that implements the `OpenTracing dynamic loading API +// `_. +// [#extension: envoy.tracers.dynamic_ot] +message DynamicOtConfig { + // Dynamic library implementing the `OpenTracing API + // `_. + string library = 1 [(validate.rules).string = {min_bytes: 1}]; + + // The configuration to use when creating a tracer from the given dynamic + // library. + google.protobuf.Struct config = 2; +} diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/http_tracer.proto b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/http_tracer.proto new file mode 100644 index 0000000000..fba830b987 --- /dev/null +++ b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/http_tracer.proto @@ -0,0 +1,65 @@ +syntax = "proto3"; + +package envoy.config.trace.v2; + +import "google/protobuf/any.proto"; +import "google/protobuf/struct.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.trace.v2"; +option java_outer_classname = "HttpTracerProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = FROZEN; + +// [#protodoc-title: Tracing] +// Tracing :ref:`architecture overview `. + +// The tracing configuration specifies settings for an HTTP tracer provider used by Envoy. +// +// Envoy may support other tracers in the future, but right now the HTTP tracer is the only one +// supported. +// +// .. attention:: +// +// Use of this message type has been deprecated in favor of direct use of +// :ref:`Tracing.Http `. +message Tracing { + // Configuration for an HTTP tracer provider used by Envoy. + // + // The configuration is defined by the + // :ref:`HttpConnectionManager.Tracing ` + // :ref:`provider ` + // field. + message Http { + // The name of the HTTP trace driver to instantiate. The name must match a + // supported HTTP trace driver. Built-in trace drivers: + // + // - *envoy.tracers.lightstep* + // - *envoy.tracers.zipkin* + // - *envoy.tracers.dynamic_ot* + // - *envoy.tracers.datadog* + // - *envoy.tracers.opencensus* + // - *envoy.tracers.xray* + string name = 1 [(validate.rules).string = {min_bytes: 1}]; + + // Trace driver specific configuration which depends on the driver being instantiated. + // See the trace drivers for examples: + // + // - :ref:`LightstepConfig ` + // - :ref:`ZipkinConfig ` + // - :ref:`DynamicOtConfig ` + // - :ref:`DatadogConfig ` + // - :ref:`OpenCensusConfig ` + // - :ref:`AWS X-Ray ` + oneof config_type { + google.protobuf.Struct config = 2 [deprecated = true]; + + google.protobuf.Any typed_config = 3; + } + } + + // Provides configuration for the HTTP tracer. + Http http = 1; +} diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/lightstep.proto b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/lightstep.proto new file mode 100644 index 0000000000..849749baaa --- /dev/null +++ b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/lightstep.proto @@ -0,0 +1,43 @@ +syntax = "proto3"; + +package envoy.config.trace.v2; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.trace.v2"; +option java_outer_classname = "LightstepProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = FROZEN; + +// [#protodoc-title: LightStep tracer] + +// Configuration for the LightStep tracer. +// [#extension: envoy.tracers.lightstep] +message LightstepConfig { + // Available propagation modes + enum PropagationMode { + // Propagate trace context in the single header x-ot-span-context. + ENVOY = 0; + + // Propagate trace context using LightStep's native format. + LIGHTSTEP = 1; + + // Propagate trace context using the b3 format. + B3 = 2; + + // Propagation trace context using the w3 trace-context standard. + TRACE_CONTEXT = 3; + } + + // The cluster manager cluster that hosts the LightStep collectors. + string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}]; + + // File containing the access token to the `LightStep + // `_ API. + string access_token_file = 2 [(validate.rules).string = {min_bytes: 1}]; + + // Propagation modes to use by LightStep's tracer. + repeated PropagationMode propagation_modes = 3 + [(validate.rules).repeated = {items {enum {defined_only: true}}}]; +} diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/opencensus.proto b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/opencensus.proto new file mode 100644 index 0000000000..8c8dab94a8 --- /dev/null +++ b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/opencensus.proto @@ -0,0 +1,93 @@ +syntax = "proto3"; + +package envoy.config.trace.v2; + +import "envoy/api/v2/core/grpc_service.proto"; + +import "opencensus/proto/trace/v1/trace_config.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.trace.v2"; +option java_outer_classname = "OpencensusProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = FROZEN; + +// [#protodoc-title: OpenCensus tracer] + +// Configuration for the OpenCensus tracer. +// [#next-free-field: 15] +// [#extension: envoy.tracers.opencensus] +message OpenCensusConfig { + enum TraceContext { + // No-op default, no trace context is utilized. + NONE = 0; + + // W3C Trace-Context format "traceparent:" header. + TRACE_CONTEXT = 1; + + // Binary "grpc-trace-bin:" header. + GRPC_TRACE_BIN = 2; + + // "X-Cloud-Trace-Context:" header. + CLOUD_TRACE_CONTEXT = 3; + + // X-B3-* headers. + B3 = 4; + } + + reserved 7; + + // Configures tracing, e.g. the sampler, max number of annotations, etc. + opencensus.proto.trace.v1.TraceConfig trace_config = 1; + + // Enables the stdout exporter if set to true. This is intended for debugging + // purposes. + bool stdout_exporter_enabled = 2; + + // Enables the Stackdriver exporter if set to true. The project_id must also + // be set. + bool stackdriver_exporter_enabled = 3; + + // The Cloud project_id to use for Stackdriver tracing. + string stackdriver_project_id = 4; + + // (optional) By default, the Stackdriver exporter will connect to production + // Stackdriver. If stackdriver_address is non-empty, it will instead connect + // to this address, which is in the gRPC format: + // https://github.com/grpc/grpc/blob/master/doc/naming.md + string stackdriver_address = 10; + + // (optional) The gRPC server that hosts Stackdriver tracing service. Only + // Google gRPC is supported. If :ref:`target_uri ` + // is not provided, the default production Stackdriver address will be used. + api.v2.core.GrpcService stackdriver_grpc_service = 13; + + // Enables the Zipkin exporter if set to true. The url and service name must + // also be set. + bool zipkin_exporter_enabled = 5; + + // The URL to Zipkin, e.g. "http://127.0.0.1:9411/api/v2/spans" + string zipkin_url = 6; + + // Enables the OpenCensus Agent exporter if set to true. The ocagent_address or + // ocagent_grpc_service must also be set. + bool ocagent_exporter_enabled = 11; + + // The address of the OpenCensus Agent, if its exporter is enabled, in gRPC + // format: https://github.com/grpc/grpc/blob/master/doc/naming.md + // [#comment:TODO: deprecate this field] + string ocagent_address = 12; + + // (optional) The gRPC server hosted by the OpenCensus Agent. Only Google gRPC is supported. + // This is only used if the ocagent_address is left empty. + api.v2.core.GrpcService ocagent_grpc_service = 14; + + // List of incoming trace context headers we will accept. First one found + // wins. + repeated TraceContext incoming_trace_context = 8; + + // List of outgoing trace context headers we will produce. + repeated TraceContext outgoing_trace_context = 9; +} diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/service.proto b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/service.proto new file mode 100644 index 0000000000..d102499b62 --- /dev/null +++ b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/service.proto @@ -0,0 +1,21 @@ +syntax = "proto3"; + +package envoy.config.trace.v2; + +import "envoy/api/v2/core/grpc_service.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.trace.v2"; +option java_outer_classname = "ServiceProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = FROZEN; + +// [#protodoc-title: Trace Service] + +// Configuration structure. +message TraceServiceConfig { + // The upstream gRPC cluster that hosts the metrics service. + api.v2.core.GrpcService grpc_service = 1 [(validate.rules).message = {required: true}]; +} diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/trace.proto b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/trace.proto index 420e4aa28f..9f0670b28f 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/trace.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/trace.proto @@ -2,223 +2,16 @@ syntax = "proto3"; package envoy.config.trace.v2; -import "envoy/api/v2/core/grpc_service.proto"; +import "udpa/annotations/status.proto"; -import "google/protobuf/any.proto"; -import "google/protobuf/struct.proto"; -import "google/protobuf/wrappers.proto"; - -import "opencensus/proto/trace/v1/trace_config.proto"; - -import "envoy/annotations/deprecation.proto"; -import "validate/validate.proto"; +import public "envoy/config/trace/v2/datadog.proto"; +import public "envoy/config/trace/v2/dynamic_ot.proto"; +import public "envoy/config/trace/v2/http_tracer.proto"; +import public "envoy/config/trace/v2/lightstep.proto"; +import public "envoy/config/trace/v2/opencensus.proto"; +import public "envoy/config/trace/v2/service.proto"; +import public "envoy/config/trace/v2/zipkin.proto"; option java_package = "io.envoyproxy.envoy.config.trace.v2"; option java_outer_classname = "TraceProto"; option java_multiple_files = true; - -// [#protodoc-title: Tracing] -// Tracing :ref:`architecture overview `. - -// The tracing configuration specifies global -// settings for the HTTP tracer used by Envoy. The configuration is defined by -// the :ref:`Bootstrap ` :ref:`tracing -// ` field. Envoy may support other tracers -// in the future, but right now the HTTP tracer is the only one supported. -message Tracing { - message Http { - // The name of the HTTP trace driver to instantiate. The name must match a - // supported HTTP trace driver. Built-in trace drivers: - // - // - *envoy.tracers.lightstep* - // - *envoy.tracers.zipkin* - // - *envoy.tracers.dynamic_ot* - // - *envoy.tracers.datadog* - // - *envoy.tracers.opencensus* - // - *envoy.tracers.xray* - string name = 1 [(validate.rules).string = {min_bytes: 1}]; - - // Trace driver specific configuration which depends on the driver being instantiated. - // See the trace drivers for examples: - // - // - :ref:`LightstepConfig ` - // - :ref:`ZipkinConfig ` - // - :ref:`DynamicOtConfig ` - // - :ref:`DatadogConfig ` - // - :ref:`OpenCensusConfig ` - // - :ref:`AWS X-Ray ` - oneof config_type { - google.protobuf.Struct config = 2 [deprecated = true]; - - google.protobuf.Any typed_config = 3; - } - } - - // Provides configuration for the HTTP tracer. - Http http = 1; -} - -// Configuration for the LightStep tracer. -// [#extension: envoy.tracers.lightstep] -message LightstepConfig { - // The cluster manager cluster that hosts the LightStep collectors. - string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}]; - - // File containing the access token to the `LightStep - // `_ API. - string access_token_file = 2 [(validate.rules).string = {min_bytes: 1}]; -} - -// Configuration for the Zipkin tracer. -// [#extension: envoy.tracers.zipkin] -// [#next-free-field: 6] -message ZipkinConfig { - // Available Zipkin collector endpoint versions. - enum CollectorEndpointVersion { - // Zipkin API v1, JSON over HTTP. - // [#comment: The default implementation of Zipkin client before this field is added was only v1 - // and the way user configure this was by not explicitly specifying the version. Consequently, - // before this is added, the corresponding Zipkin collector expected to receive v1 payload. - // Hence the motivation of adding HTTP_JSON_V1 as the default is to avoid a breaking change when - // user upgrading Envoy with this change. Furthermore, we also immediately deprecate this field, - // since in Zipkin realm this v1 version is considered to be not preferable anymore.] - HTTP_JSON_V1 = 0 [deprecated = true, (envoy.annotations.disallowed_by_default_enum) = true]; - - // Zipkin API v2, JSON over HTTP. - HTTP_JSON = 1; - - // Zipkin API v2, protobuf over HTTP. - HTTP_PROTO = 2; - - // [#not-implemented-hide:] - GRPC = 3; - } - - // The cluster manager cluster that hosts the Zipkin collectors. Note that the - // Zipkin cluster must be defined in the :ref:`Bootstrap static cluster - // resources `. - string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}]; - - // The API endpoint of the Zipkin service where the spans will be sent. When - // using a standard Zipkin installation, the API endpoint is typically - // /api/v1/spans, which is the default value. - string collector_endpoint = 2 [(validate.rules).string = {min_bytes: 1}]; - - // Determines whether a 128bit trace id will be used when creating a new - // trace instance. The default value is false, which will result in a 64 bit trace id being used. - bool trace_id_128bit = 3; - - // Determines whether client and server spans will share the same span context. - // The default value is true. - google.protobuf.BoolValue shared_span_context = 4; - - // Determines the selected collector endpoint version. By default, the ``HTTP_JSON_V1`` will be - // used. - CollectorEndpointVersion collector_endpoint_version = 5; -} - -// DynamicOtConfig is used to dynamically load a tracer from a shared library -// that implements the `OpenTracing dynamic loading API -// `_. -// [#extension: envoy.tracers.dynamic_ot] -message DynamicOtConfig { - // Dynamic library implementing the `OpenTracing API - // `_. - string library = 1 [(validate.rules).string = {min_bytes: 1}]; - - // The configuration to use when creating a tracer from the given dynamic - // library. - google.protobuf.Struct config = 2; -} - -// Configuration for the Datadog tracer. -// [#extension: envoy.tracers.datadog] -message DatadogConfig { - // The cluster to use for submitting traces to the Datadog agent. - string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}]; - - // The name used for the service when traces are generated by envoy. - string service_name = 2 [(validate.rules).string = {min_bytes: 1}]; -} - -// Configuration for the OpenCensus tracer. -// [#next-free-field: 15] -// [#extension: envoy.tracers.opencensus] -message OpenCensusConfig { - enum TraceContext { - // No-op default, no trace context is utilized. - NONE = 0; - - // W3C Trace-Context format "traceparent:" header. - TRACE_CONTEXT = 1; - - // Binary "grpc-trace-bin:" header. - GRPC_TRACE_BIN = 2; - - // "X-Cloud-Trace-Context:" header. - CLOUD_TRACE_CONTEXT = 3; - - // X-B3-* headers. - B3 = 4; - } - - reserved 7; - - // Configures tracing, e.g. the sampler, max number of annotations, etc. - opencensus.proto.trace.v1.TraceConfig trace_config = 1; - - // Enables the stdout exporter if set to true. This is intended for debugging - // purposes. - bool stdout_exporter_enabled = 2; - - // Enables the Stackdriver exporter if set to true. The project_id must also - // be set. - bool stackdriver_exporter_enabled = 3; - - // The Cloud project_id to use for Stackdriver tracing. - string stackdriver_project_id = 4; - - // (optional) By default, the Stackdriver exporter will connect to production - // Stackdriver. If stackdriver_address is non-empty, it will instead connect - // to this address, which is in the gRPC format: - // https://github.com/grpc/grpc/blob/master/doc/naming.md - string stackdriver_address = 10; - - // (optional) The gRPC server that hosts Stackdriver tracing service. Only - // Google gRPC is supported. If :ref:`target_uri ` - // is not provided, the default production Stackdriver address will be used. - api.v2.core.GrpcService stackdriver_grpc_service = 13; - - // Enables the Zipkin exporter if set to true. The url and service name must - // also be set. - bool zipkin_exporter_enabled = 5; - - // The URL to Zipkin, e.g. "http://127.0.0.1:9411/api/v2/spans" - string zipkin_url = 6; - - // Enables the OpenCensus Agent exporter if set to true. The ocagent_address or - // ocagent_grpc_service must also be set. - bool ocagent_exporter_enabled = 11; - - // The address of the OpenCensus Agent, if its exporter is enabled, in gRPC - // format: https://github.com/grpc/grpc/blob/master/doc/naming.md - // [#comment:TODO: deprecate this field] - string ocagent_address = 12; - - // (optional) The gRPC server hosted by the OpenCensus Agent. Only Google gRPC is supported. - // This is only used if the ocagent_address is left empty. - api.v2.core.GrpcService ocagent_grpc_service = 14; - - // List of incoming trace context headers we will accept. First one found - // wins. - repeated TraceContext incoming_trace_context = 8; - - // List of outgoing trace context headers we will produce. - repeated TraceContext outgoing_trace_context = 9; -} - -// Configuration structure. -message TraceServiceConfig { - // The upstream gRPC cluster that hosts the metrics service. - api.v2.core.GrpcService grpc_service = 1 [(validate.rules).message = {required: true}]; -} diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/zipkin.proto b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/zipkin.proto new file mode 100644 index 0000000000..a825d85bb7 --- /dev/null +++ b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v2/zipkin.proto @@ -0,0 +1,64 @@ +syntax = "proto3"; + +package envoy.config.trace.v2; + +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.trace.v2"; +option java_outer_classname = "ZipkinProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = FROZEN; + +// [#protodoc-title: Zipkin tracer] + +// Configuration for the Zipkin tracer. +// [#extension: envoy.tracers.zipkin] +// [#next-free-field: 6] +message ZipkinConfig { + // Available Zipkin collector endpoint versions. + enum CollectorEndpointVersion { + // Zipkin API v1, JSON over HTTP. + // [#comment: The default implementation of Zipkin client before this field is added was only v1 + // and the way user configure this was by not explicitly specifying the version. Consequently, + // before this is added, the corresponding Zipkin collector expected to receive v1 payload. + // Hence the motivation of adding HTTP_JSON_V1 as the default is to avoid a breaking change when + // user upgrading Envoy with this change. Furthermore, we also immediately deprecate this field, + // since in Zipkin realm this v1 version is considered to be not preferable anymore.] + HTTP_JSON_V1 = 0 [deprecated = true, (envoy.annotations.disallowed_by_default_enum) = true]; + + // Zipkin API v2, JSON over HTTP. + HTTP_JSON = 1; + + // Zipkin API v2, protobuf over HTTP. + HTTP_PROTO = 2; + + // [#not-implemented-hide:] + GRPC = 3; + } + + // The cluster manager cluster that hosts the Zipkin collectors. Note that the + // Zipkin cluster must be defined in the :ref:`Bootstrap static cluster + // resources `. + string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}]; + + // The API endpoint of the Zipkin service where the spans will be sent. When + // using a standard Zipkin installation, the API endpoint is typically + // /api/v1/spans, which is the default value. + string collector_endpoint = 2 [(validate.rules).string = {min_bytes: 1}]; + + // Determines whether a 128bit trace id will be used when creating a new + // trace instance. The default value is false, which will result in a 64 bit trace id being used. + bool trace_id_128bit = 3; + + // Determines whether client and server spans will share the same span context. + // The default value is true. + google.protobuf.BoolValue shared_span_context = 4; + + // Determines the selected collector endpoint version. By default, the ``HTTP_JSON_V1`` will be + // used. + CollectorEndpointVersion collector_endpoint_version = 5; +} diff --git a/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/cert.proto b/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/cert.proto index 4d43b0ac99..cf5dc597aa 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/cert.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/cert.proto @@ -2,499 +2,12 @@ syntax = "proto3"; package envoy.extensions.transport_sockets.tls.v3; -import "envoy/config/core/v3/base.proto"; -import "envoy/config/core/v3/config_source.proto"; -import "envoy/type/matcher/v3/string.proto"; +import "udpa/annotations/status.proto"; -import "google/protobuf/any.proto"; -import "google/protobuf/duration.proto"; -import "google/protobuf/struct.proto"; -import "google/protobuf/wrappers.proto"; - -import "udpa/annotations/sensitive.proto"; -import "udpa/annotations/versioning.proto"; - -import "validate/validate.proto"; +import public "envoy/extensions/transport_sockets/tls/v3/common.proto"; +import public "envoy/extensions/transport_sockets/tls/v3/secret.proto"; +import public "envoy/extensions/transport_sockets/tls/v3/tls.proto"; option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3"; option java_outer_classname = "CertProto"; option java_multiple_files = true; - -// [#protodoc-title: Common TLS configuration] - -message TlsParameters { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.TlsParameters"; - - enum TlsProtocol { - // Envoy will choose the optimal TLS version. - TLS_AUTO = 0; - - // TLS 1.0 - TLSv1_0 = 1; - - // TLS 1.1 - TLSv1_1 = 2; - - // TLS 1.2 - TLSv1_2 = 3; - - // TLS 1.3 - TLSv1_3 = 4; - } - - // Minimum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_0`` for - // servers. - TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum = {defined_only: true}]; - - // Maximum TLS protocol version. By default, it's ``TLSv1_3`` for servers in non-FIPS builds, and - // ``TLSv1_2`` for clients and for servers using :ref:`BoringSSL FIPS `. - TlsProtocol tls_maximum_protocol_version = 2 [(validate.rules).enum = {defined_only: true}]; - - // If specified, the TLS listener will only support the specified `cipher list - // `_ - // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not - // specified, the default list will be used. - // - // In non-FIPS builds, the default cipher list is: - // - // .. code-block:: none - // - // [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] - // [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] - // ECDHE-ECDSA-AES128-SHA - // ECDHE-RSA-AES128-SHA - // AES128-GCM-SHA256 - // AES128-SHA - // ECDHE-ECDSA-AES256-GCM-SHA384 - // ECDHE-RSA-AES256-GCM-SHA384 - // ECDHE-ECDSA-AES256-SHA - // ECDHE-RSA-AES256-SHA - // AES256-GCM-SHA384 - // AES256-SHA - // - // In builds using :ref:`BoringSSL FIPS `, the default cipher list is: - // - // .. code-block:: none - // - // ECDHE-ECDSA-AES128-GCM-SHA256 - // ECDHE-RSA-AES128-GCM-SHA256 - // ECDHE-ECDSA-AES128-SHA - // ECDHE-RSA-AES128-SHA - // AES128-GCM-SHA256 - // AES128-SHA - // ECDHE-ECDSA-AES256-GCM-SHA384 - // ECDHE-RSA-AES256-GCM-SHA384 - // ECDHE-ECDSA-AES256-SHA - // ECDHE-RSA-AES256-SHA - // AES256-GCM-SHA384 - // AES256-SHA - repeated string cipher_suites = 3; - - // If specified, the TLS connection will only support the specified ECDH - // curves. If not specified, the default curves will be used. - // - // In non-FIPS builds, the default curves are: - // - // .. code-block:: none - // - // X25519 - // P-256 - // - // In builds using :ref:`BoringSSL FIPS `, the default curve is: - // - // .. code-block:: none - // - // P-256 - repeated string ecdh_curves = 4; -} - -// BoringSSL private key method configuration. The private key methods are used for external -// (potentially asynchronous) signing and decryption operations. Some use cases for private key -// methods would be TPM support and TLS acceleration. -message PrivateKeyProvider { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.auth.PrivateKeyProvider"; - - reserved 2; - - reserved "config"; - - // Private key method provider name. The name must match a - // supported private key method provider type. - string provider_name = 1 [(validate.rules).string = {min_bytes: 1}]; - - // Private key method provider specific configuration. - oneof config_type { - google.protobuf.Any typed_config = 3 [(udpa.annotations.sensitive) = true]; - } -} - -// [#next-free-field: 7] -message TlsCertificate { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.TlsCertificate"; - - // The TLS certificate chain. - config.core.v3.DataSource certificate_chain = 1; - - // The TLS private key. - config.core.v3.DataSource private_key = 2 [(udpa.annotations.sensitive) = true]; - - // BoringSSL private key method provider. This is an alternative to :ref:`private_key - // ` field. This can't be - // marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key - // ` and - // :ref:`private_key_provider - // ` fields will result in an - // error. - PrivateKeyProvider private_key_provider = 6; - - // The password to decrypt the TLS private key. If this field is not set, it is assumed that the - // TLS private key is not password encrypted. - config.core.v3.DataSource password = 3 [(udpa.annotations.sensitive) = true]; - - // [#not-implemented-hide:] - config.core.v3.DataSource ocsp_staple = 4; - - // [#not-implemented-hide:] - repeated config.core.v3.DataSource signed_certificate_timestamp = 5; -} - -message TlsSessionTicketKeys { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.auth.TlsSessionTicketKeys"; - - // Keys for encrypting and decrypting TLS session tickets. The - // first key in the array contains the key to encrypt all new sessions created by this context. - // All keys are candidates for decrypting received tickets. This allows for easy rotation of keys - // by, for example, putting the new key first, and the previous key second. - // - // If :ref:`session_ticket_keys ` - // is not specified, the TLS library will still support resuming sessions via tickets, but it will - // use an internally-generated and managed key, so sessions cannot be resumed across hot restarts - // or on different hosts. - // - // Each key must contain exactly 80 bytes of cryptographically-secure random data. For - // example, the output of ``openssl rand 80``. - // - // .. attention:: - // - // Using this feature has serious security considerations and risks. Improper handling of keys - // may result in loss of secrecy in connections, even if ciphers supporting perfect forward - // secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some - // discussion. To minimize the risk, you must: - // - // * Keep the session ticket keys at least as secure as your TLS certificate private keys - // * Rotate session ticket keys at least daily, and preferably hourly - // * Always generate keys using a cryptographically-secure random data source - repeated config.core.v3.DataSource keys = 1 - [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true]; -} - -// [#next-free-field: 11] -message CertificateValidationContext { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.auth.CertificateValidationContext"; - - // Peer certificate verification mode. - enum TrustChainVerification { - // Perform default certificate verification (e.g., against CA / verification lists) - VERIFY_TRUST_CHAIN = 0; - - // Connections where the certificate fails verification will be permitted. - // For HTTP connections, the result of certificate verification can be used in route matching. ( - // see :ref:`validated ` ). - ACCEPT_UNTRUSTED = 1; - } - - reserved 4; - - reserved "verify_subject_alt_name"; - - // TLS certificate data containing certificate authority certificates to use in verifying - // a presented peer certificate (e.g. server certificate for clusters or client certificate - // for listeners). If not specified and a peer certificate is presented it will not be - // verified. By default, a client certificate is optional, unless one of the additional - // options (:ref:`require_client_certificate - // `, - // :ref:`verify_certificate_spki - // `, - // :ref:`verify_certificate_hash - // `, or - // :ref:`match_subject_alt_names - // `) is also - // specified. - // - // It can optionally contain certificate revocation lists, in which case Envoy will verify - // that the presented peer certificate has not been revoked by one of the included CRLs. - // - // See :ref:`the TLS overview ` for a list of common - // system CA locations. - config.core.v3.DataSource trusted_ca = 1; - - // An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the - // SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate - // matches one of the specified values. - // - // A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate - // can be generated with the following command: - // - // .. code-block:: bash - // - // $ openssl x509 -in path/to/client.crt -noout -pubkey - // | openssl pkey -pubin -outform DER - // | openssl dgst -sha256 -binary - // | openssl enc -base64 - // NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= - // - // This is the format used in HTTP Public Key Pinning. - // - // When both: - // :ref:`verify_certificate_hash - // ` and - // :ref:`verify_certificate_spki - // ` are specified, - // a hash matching value from either of the lists will result in the certificate being accepted. - // - // .. attention:: - // - // This option is preferred over :ref:`verify_certificate_hash - // `, - // because SPKI is tied to a private key, so it doesn't change when the certificate - // is renewed using the same private key. - repeated string verify_certificate_spki = 3 - [(validate.rules).repeated = {items {string {min_bytes: 44 max_bytes: 44}}}]; - - // An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that - // the SHA-256 of the DER-encoded presented certificate matches one of the specified values. - // - // A hex-encoded SHA-256 of the certificate can be generated with the following command: - // - // .. code-block:: bash - // - // $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 - // df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a - // - // A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate - // can be generated with the following command: - // - // .. code-block:: bash - // - // $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 - // DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A - // - // Both of those formats are acceptable. - // - // When both: - // :ref:`verify_certificate_hash - // ` and - // :ref:`verify_certificate_spki - // ` are specified, - // a hash matching value from either of the lists will result in the certificate being accepted. - repeated string verify_certificate_hash = 2 - [(validate.rules).repeated = {items {string {min_bytes: 64 max_bytes: 95}}}]; - - // An optional list of Subject Alternative name matchers. Envoy will verify that the - // Subject Alternative Name of the presented certificate matches one of the specified matches. - // - // When a certificate has wildcard DNS SAN entries, to match a specific client, it should be - // configured with exact match type in the :ref:`string matcher `. - // For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", - // it should be configured as shown below. - // - // .. code-block:: yaml - // - // match_subject_alt_names: - // exact: "api.example.com" - // - // .. attention:: - // - // Subject Alternative Names are easily spoofable and verifying only them is insecure, - // therefore this option must be used together with :ref:`trusted_ca - // `. - repeated type.matcher.v3.StringMatcher match_subject_alt_names = 9; - - // [#not-implemented-hide:] Must present a signed time-stamped OCSP response. - google.protobuf.BoolValue require_ocsp_staple = 5; - - // [#not-implemented-hide:] Must present signed certificate time-stamp. - google.protobuf.BoolValue require_signed_certificate_timestamp = 6; - - // An optional `certificate revocation list - // `_ - // (in PEM format). If specified, Envoy will verify that the presented peer - // certificate has not been revoked by this CRL. If this DataSource contains - // multiple CRLs, all of them will be used. - config.core.v3.DataSource crl = 7; - - // If specified, Envoy will not reject expired certificates. - bool allow_expired_certificate = 8; - - // Certificate trust chain verification mode. - TrustChainVerification trust_chain_verification = 10 - [(validate.rules).enum = {defined_only: true}]; -} - -// TLS context shared by both client and server TLS contexts. -// [#next-free-field: 9] -message CommonTlsContext { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CommonTlsContext"; - - message CombinedCertificateValidationContext { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext"; - - // How to validate peer certificates. - CertificateValidationContext default_validation_context = 1 - [(validate.rules).message = {required: true}]; - - // Config for fetching validation context via SDS API. - SdsSecretConfig validation_context_sds_secret_config = 2 - [(validate.rules).message = {required: true}]; - } - - reserved 5; - - // TLS protocol versions, cipher suites etc. - TlsParameters tls_params = 1; - - // :ref:`Multiple TLS certificates ` can be associated with the - // same context to allow both RSA and ECDSA certificates. - // - // Only a single TLS certificate is supported in client contexts. In server contexts, the first - // RSA certificate is used for clients that only support RSA and the first ECDSA certificate is - // used for clients that support ECDSA. - repeated TlsCertificate tls_certificates = 2; - - // Configs for fetching TLS certificates via SDS API. - repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6 - [(validate.rules).repeated = {max_items: 1}]; - - oneof validation_context_type { - // How to validate peer certificates. - CertificateValidationContext validation_context = 3; - - // Config for fetching validation context via SDS API. - SdsSecretConfig validation_context_sds_secret_config = 7; - - // Combined certificate validation context holds a default CertificateValidationContext - // and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic - // and default CertificateValidationContext are merged into a new CertificateValidationContext - // for validation. This merge is done by Message::MergeFrom(), so dynamic - // CertificateValidationContext overwrites singular fields in default - // CertificateValidationContext, and concatenates repeated fields to default - // CertificateValidationContext, and logical OR is applied to boolean fields. - CombinedCertificateValidationContext combined_validation_context = 8; - } - - // Supplies the list of ALPN protocols that the listener should expose. In - // practice this is likely to be set to one of two values (see the - // :ref:`codec_type - // ` - // parameter in the HTTP connection manager for more information): - // - // * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1. - // * "http/1.1" If the listener is only going to support HTTP/1.1. - // - // There is no default for this parameter. If empty, Envoy will not expose ALPN. - repeated string alpn_protocols = 4; -} - -message UpstreamTlsContext { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.auth.UpstreamTlsContext"; - - // Common TLS context settings. - // - // .. attention:: - // - // Server certificate verification is not enabled by default. Configure - // :ref:`trusted_ca` to enable - // verification. - CommonTlsContext common_tls_context = 1; - - // SNI string to use when creating TLS backend connections. - string sni = 2 [(validate.rules).string = {max_bytes: 255}]; - - // If true, server-initiated TLS renegotiation will be allowed. - // - // .. attention:: - // - // TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary. - bool allow_renegotiation = 3; - - // Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets - // for TLSv1.2 and older) to store for the purpose of session resumption. - // - // Defaults to 1, setting this to 0 disables session resumption. - google.protobuf.UInt32Value max_session_keys = 4; -} - -// [#next-free-field: 7] -message DownstreamTlsContext { - option (udpa.annotations.versioning).previous_message_type = - "envoy.api.v2.auth.DownstreamTlsContext"; - - // Common TLS context settings. - CommonTlsContext common_tls_context = 1; - - // If specified, Envoy will reject connections without a valid client - // certificate. - google.protobuf.BoolValue require_client_certificate = 2; - - // If specified, Envoy will reject connections without a valid and matching SNI. - // [#not-implemented-hide:] - google.protobuf.BoolValue require_sni = 3; - - oneof session_ticket_keys_type { - // TLS session ticket key settings. - TlsSessionTicketKeys session_ticket_keys = 4; - - // Config for fetching TLS session ticket keys via SDS API. - SdsSecretConfig session_ticket_keys_sds_secret_config = 5; - } - - // If specified, session_timeout will change maximum lifetime (in seconds) of TLS session - // Currently this value is used as a hint to `TLS session ticket lifetime (for TLSv1.2) - // ` - // only seconds could be specified (fractional seconds are going to be ignored). - google.protobuf.Duration session_timeout = 6 [(validate.rules).duration = { - lt {seconds: 4294967296} - gte {} - }]; -} - -message GenericSecret { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.GenericSecret"; - - // Secret of generic type and is available to filters. - config.core.v3.DataSource secret = 1 [(udpa.annotations.sensitive) = true]; -} - -message SdsSecretConfig { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.SdsSecretConfig"; - - // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to. - // When both name and config are specified, then secret can be fetched and/or reloaded via - // SDS. When only name is specified, then secret will be loaded from static resources. - string name = 1; - - config.core.v3.ConfigSource sds_config = 2; -} - -// [#next-free-field: 6] -message Secret { - option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.Secret"; - - // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to. - string name = 1; - - oneof type { - TlsCertificate tls_certificate = 2; - - TlsSessionTicketKeys session_ticket_keys = 3; - - CertificateValidationContext validation_context = 4; - - GenericSecret generic_secret = 5; - } -} diff --git a/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/common.proto b/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/common.proto new file mode 100644 index 0000000000..b468f5b7e4 --- /dev/null +++ b/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/common.proto @@ -0,0 +1,334 @@ +syntax = "proto3"; + +package envoy.extensions.transport_sockets.tls.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/type/matcher/v3/string.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/sensitive.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3"; +option java_outer_classname = "CommonProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Common TLS configuration] + +message TlsParameters { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.TlsParameters"; + + enum TlsProtocol { + // Envoy will choose the optimal TLS version. + TLS_AUTO = 0; + + // TLS 1.0 + TLSv1_0 = 1; + + // TLS 1.1 + TLSv1_1 = 2; + + // TLS 1.2 + TLSv1_2 = 3; + + // TLS 1.3 + TLSv1_3 = 4; + } + + // Minimum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_0`` for + // servers. + TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum = {defined_only: true}]; + + // Maximum TLS protocol version. By default, it's ``TLSv1_3`` for servers in non-FIPS builds, and + // ``TLSv1_2`` for clients and for servers using :ref:`BoringSSL FIPS `. + TlsProtocol tls_maximum_protocol_version = 2 [(validate.rules).enum = {defined_only: true}]; + + // If specified, the TLS listener will only support the specified `cipher list + // `_ + // when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). If not + // specified, the default list will be used. + // + // In non-FIPS builds, the default cipher list is: + // + // .. code-block:: none + // + // [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] + // [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] + // ECDHE-ECDSA-AES128-SHA + // ECDHE-RSA-AES128-SHA + // AES128-GCM-SHA256 + // AES128-SHA + // ECDHE-ECDSA-AES256-GCM-SHA384 + // ECDHE-RSA-AES256-GCM-SHA384 + // ECDHE-ECDSA-AES256-SHA + // ECDHE-RSA-AES256-SHA + // AES256-GCM-SHA384 + // AES256-SHA + // + // In builds using :ref:`BoringSSL FIPS `, the default cipher list is: + // + // .. code-block:: none + // + // ECDHE-ECDSA-AES128-GCM-SHA256 + // ECDHE-RSA-AES128-GCM-SHA256 + // ECDHE-ECDSA-AES128-SHA + // ECDHE-RSA-AES128-SHA + // AES128-GCM-SHA256 + // AES128-SHA + // ECDHE-ECDSA-AES256-GCM-SHA384 + // ECDHE-RSA-AES256-GCM-SHA384 + // ECDHE-ECDSA-AES256-SHA + // ECDHE-RSA-AES256-SHA + // AES256-GCM-SHA384 + // AES256-SHA + repeated string cipher_suites = 3; + + // If specified, the TLS connection will only support the specified ECDH + // curves. If not specified, the default curves will be used. + // + // In non-FIPS builds, the default curves are: + // + // .. code-block:: none + // + // X25519 + // P-256 + // + // In builds using :ref:`BoringSSL FIPS `, the default curve is: + // + // .. code-block:: none + // + // P-256 + repeated string ecdh_curves = 4; +} + +// BoringSSL private key method configuration. The private key methods are used for external +// (potentially asynchronous) signing and decryption operations. Some use cases for private key +// methods would be TPM support and TLS acceleration. +message PrivateKeyProvider { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.auth.PrivateKeyProvider"; + + reserved 2; + + reserved "config"; + + // Private key method provider name. The name must match a + // supported private key method provider type. + string provider_name = 1 [(validate.rules).string = {min_bytes: 1}]; + + // Private key method provider specific configuration. + oneof config_type { + google.protobuf.Any typed_config = 3 [(udpa.annotations.sensitive) = true]; + } +} + +// [#next-free-field: 7] +message TlsCertificate { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.TlsCertificate"; + + // The TLS certificate chain. + config.core.v3.DataSource certificate_chain = 1; + + // The TLS private key. + config.core.v3.DataSource private_key = 2 [(udpa.annotations.sensitive) = true]; + + // BoringSSL private key method provider. This is an alternative to :ref:`private_key + // ` field. This can't be + // marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key + // ` and + // :ref:`private_key_provider + // ` fields will result in an + // error. + PrivateKeyProvider private_key_provider = 6; + + // The password to decrypt the TLS private key. If this field is not set, it is assumed that the + // TLS private key is not password encrypted. + config.core.v3.DataSource password = 3 [(udpa.annotations.sensitive) = true]; + + // [#not-implemented-hide:] + config.core.v3.DataSource ocsp_staple = 4; + + // [#not-implemented-hide:] + repeated config.core.v3.DataSource signed_certificate_timestamp = 5; +} + +message TlsSessionTicketKeys { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.auth.TlsSessionTicketKeys"; + + // Keys for encrypting and decrypting TLS session tickets. The + // first key in the array contains the key to encrypt all new sessions created by this context. + // All keys are candidates for decrypting received tickets. This allows for easy rotation of keys + // by, for example, putting the new key first, and the previous key second. + // + // If :ref:`session_ticket_keys ` + // is not specified, the TLS library will still support resuming sessions via tickets, but it will + // use an internally-generated and managed key, so sessions cannot be resumed across hot restarts + // or on different hosts. + // + // Each key must contain exactly 80 bytes of cryptographically-secure random data. For + // example, the output of ``openssl rand 80``. + // + // .. attention:: + // + // Using this feature has serious security considerations and risks. Improper handling of keys + // may result in loss of secrecy in connections, even if ciphers supporting perfect forward + // secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some + // discussion. To minimize the risk, you must: + // + // * Keep the session ticket keys at least as secure as your TLS certificate private keys + // * Rotate session ticket keys at least daily, and preferably hourly + // * Always generate keys using a cryptographically-secure random data source + repeated config.core.v3.DataSource keys = 1 + [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true]; +} + +// [#next-free-field: 11] +message CertificateValidationContext { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.auth.CertificateValidationContext"; + + // Peer certificate verification mode. + enum TrustChainVerification { + // Perform default certificate verification (e.g., against CA / verification lists) + VERIFY_TRUST_CHAIN = 0; + + // Connections where the certificate fails verification will be permitted. + // For HTTP connections, the result of certificate verification can be used in route matching. ( + // see :ref:`validated ` ). + ACCEPT_UNTRUSTED = 1; + } + + reserved 4; + + reserved "verify_subject_alt_name"; + + // TLS certificate data containing certificate authority certificates to use in verifying + // a presented peer certificate (e.g. server certificate for clusters or client certificate + // for listeners). If not specified and a peer certificate is presented it will not be + // verified. By default, a client certificate is optional, unless one of the additional + // options (:ref:`require_client_certificate + // `, + // :ref:`verify_certificate_spki + // `, + // :ref:`verify_certificate_hash + // `, or + // :ref:`match_subject_alt_names + // `) is also + // specified. + // + // It can optionally contain certificate revocation lists, in which case Envoy will verify + // that the presented peer certificate has not been revoked by one of the included CRLs. + // + // See :ref:`the TLS overview ` for a list of common + // system CA locations. + config.core.v3.DataSource trusted_ca = 1; + + // An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the + // SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate + // matches one of the specified values. + // + // A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate + // can be generated with the following command: + // + // .. code-block:: bash + // + // $ openssl x509 -in path/to/client.crt -noout -pubkey + // | openssl pkey -pubin -outform DER + // | openssl dgst -sha256 -binary + // | openssl enc -base64 + // NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= + // + // This is the format used in HTTP Public Key Pinning. + // + // When both: + // :ref:`verify_certificate_hash + // ` and + // :ref:`verify_certificate_spki + // ` are specified, + // a hash matching value from either of the lists will result in the certificate being accepted. + // + // .. attention:: + // + // This option is preferred over :ref:`verify_certificate_hash + // `, + // because SPKI is tied to a private key, so it doesn't change when the certificate + // is renewed using the same private key. + repeated string verify_certificate_spki = 3 + [(validate.rules).repeated = {items {string {min_bytes: 44 max_bytes: 44}}}]; + + // An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that + // the SHA-256 of the DER-encoded presented certificate matches one of the specified values. + // + // A hex-encoded SHA-256 of the certificate can be generated with the following command: + // + // .. code-block:: bash + // + // $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 + // df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a + // + // A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate + // can be generated with the following command: + // + // .. code-block:: bash + // + // $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 + // DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A + // + // Both of those formats are acceptable. + // + // When both: + // :ref:`verify_certificate_hash + // ` and + // :ref:`verify_certificate_spki + // ` are specified, + // a hash matching value from either of the lists will result in the certificate being accepted. + repeated string verify_certificate_hash = 2 + [(validate.rules).repeated = {items {string {min_bytes: 64 max_bytes: 95}}}]; + + // An optional list of Subject Alternative name matchers. Envoy will verify that the + // Subject Alternative Name of the presented certificate matches one of the specified matches. + // + // When a certificate has wildcard DNS SAN entries, to match a specific client, it should be + // configured with exact match type in the :ref:`string matcher `. + // For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", + // it should be configured as shown below. + // + // .. code-block:: yaml + // + // match_subject_alt_names: + // exact: "api.example.com" + // + // .. attention:: + // + // Subject Alternative Names are easily spoofable and verifying only them is insecure, + // therefore this option must be used together with :ref:`trusted_ca + // `. + repeated type.matcher.v3.StringMatcher match_subject_alt_names = 9; + + // [#not-implemented-hide:] Must present a signed time-stamped OCSP response. + google.protobuf.BoolValue require_ocsp_staple = 5; + + // [#not-implemented-hide:] Must present signed certificate time-stamp. + google.protobuf.BoolValue require_signed_certificate_timestamp = 6; + + // An optional `certificate revocation list + // `_ + // (in PEM format). If specified, Envoy will verify that the presented peer + // certificate has not been revoked by this CRL. If this DataSource contains + // multiple CRLs, all of them will be used. + config.core.v3.DataSource crl = 7; + + // If specified, Envoy will not reject expired certificates. + bool allow_expired_certificate = 8; + + // Certificate trust chain verification mode. + TrustChainVerification trust_chain_verification = 10 + [(validate.rules).enum = {defined_only: true}]; +} diff --git a/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/secret.proto b/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/secret.proto new file mode 100644 index 0000000000..2a77ec765c --- /dev/null +++ b/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/secret.proto @@ -0,0 +1,54 @@ +syntax = "proto3"; + +package envoy.extensions.transport_sockets.tls.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/config_source.proto"; +import "envoy/extensions/transport_sockets/tls/v3/common.proto"; + +import "udpa/annotations/sensitive.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3"; +option java_outer_classname = "SecretProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Secrets configuration] + +message GenericSecret { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.GenericSecret"; + + // Secret of generic type and is available to filters. + config.core.v3.DataSource secret = 1 [(udpa.annotations.sensitive) = true]; +} + +message SdsSecretConfig { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.SdsSecretConfig"; + + // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to. + // When both name and config are specified, then secret can be fetched and/or reloaded via + // SDS. When only name is specified, then secret will be loaded from static resources. + string name = 1; + + config.core.v3.ConfigSource sds_config = 2; +} + +// [#next-free-field: 6] +message Secret { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.Secret"; + + // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to. + string name = 1; + + oneof type { + TlsCertificate tls_certificate = 2; + + TlsSessionTicketKeys session_ticket_keys = 3; + + CertificateValidationContext validation_context = 4; + + GenericSecret generic_secret = 5; + } +} diff --git a/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/tls.proto b/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/tls.proto new file mode 100644 index 0000000000..1806a44666 --- /dev/null +++ b/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/tls.proto @@ -0,0 +1,204 @@ +syntax = "proto3"; + +package envoy.extensions.transport_sockets.tls.v3; + +import "envoy/config/core/v3/extension.proto"; +import "envoy/extensions/transport_sockets/tls/v3/common.proto"; +import "envoy/extensions/transport_sockets/tls/v3/secret.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3"; +option java_outer_classname = "TlsProto"; +option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: TLS transport socket] +// [#extension: envoy.transport_sockets.tls] +// The TLS contexts below provide the transport socket configuration for upstream/downstream TLS. + +message UpstreamTlsContext { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.auth.UpstreamTlsContext"; + + // Common TLS context settings. + // + // .. attention:: + // + // Server certificate verification is not enabled by default. Configure + // :ref:`trusted_ca` to enable + // verification. + CommonTlsContext common_tls_context = 1; + + // SNI string to use when creating TLS backend connections. + string sni = 2 [(validate.rules).string = {max_bytes: 255}]; + + // If true, server-initiated TLS renegotiation will be allowed. + // + // .. attention:: + // + // TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary. + bool allow_renegotiation = 3; + + // Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets + // for TLSv1.2 and older) to store for the purpose of session resumption. + // + // Defaults to 1, setting this to 0 disables session resumption. + google.protobuf.UInt32Value max_session_keys = 4; +} + +// [#next-free-field: 8] +message DownstreamTlsContext { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.auth.DownstreamTlsContext"; + + // Common TLS context settings. + CommonTlsContext common_tls_context = 1; + + // If specified, Envoy will reject connections without a valid client + // certificate. + google.protobuf.BoolValue require_client_certificate = 2; + + // If specified, Envoy will reject connections without a valid and matching SNI. + // [#not-implemented-hide:] + google.protobuf.BoolValue require_sni = 3; + + oneof session_ticket_keys_type { + // TLS session ticket key settings. + TlsSessionTicketKeys session_ticket_keys = 4; + + // Config for fetching TLS session ticket keys via SDS API. + SdsSecretConfig session_ticket_keys_sds_secret_config = 5; + + // Config for controlling stateless TLS session resumption: setting this to true will cause the TLS + // server to not issue TLS session tickets for the purposes of stateless TLS session resumption. + // If set to false, the TLS server will issue TLS session tickets and encrypt/decrypt them using + // the keys specified through either :ref:`session_ticket_keys ` + // or :ref:`session_ticket_keys_sds_secret_config `. + // If this config is set to false and no keys are explicitly configured, the TLS server will issue + // TLS session tickets and encrypt/decrypt them using an internally-generated and managed key, with the + // implication that sessions cannot be resumed across hot restarts or on different hosts. + bool disable_stateless_session_resumption = 7; + } + + // If specified, session_timeout will change maximum lifetime (in seconds) of TLS session + // Currently this value is used as a hint to `TLS session ticket lifetime (for TLSv1.2) + // ` + // only seconds could be specified (fractional seconds are going to be ignored). + google.protobuf.Duration session_timeout = 6 [(validate.rules).duration = { + lt {seconds: 4294967296} + gte {} + }]; +} + +// TLS context shared by both client and server TLS contexts. +// [#next-free-field: 11] +message CommonTlsContext { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CommonTlsContext"; + + // Config for Certificate provider to get certificates. This provider should allow certificates to be + // fetched/refreshed over the network asynchronously with respect to the TLS handshake. + message CertificateProvider { + // opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify + // a root-certificate (validation context) or "TLS" to specify a new tls-certificate. + string name = 1 [(validate.rules).string = {min_bytes: 1}]; + + // Provider specific config. + // Note: an implementation is expected to dedup multiple instances of the same config + // to maintain a single certificate-provider instance. The sharing can happen, for + // example, among multiple clusters or between the tls_certificate and validation_context + // certificate providers of a cluster. + // This config could be supplied inline or (in future) a named xDS resource. + oneof config { + option (validate.required) = true; + + config.core.v3.TypedExtensionConfig typed_config = 2; + } + } + + message CombinedCertificateValidationContext { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext"; + + // How to validate peer certificates. + CertificateValidationContext default_validation_context = 1 + [(validate.rules).message = {required: true}]; + + // Config for fetching validation context via SDS API. Note SDS API allows certificates to be + // fetched/refreshed over the network asynchronously with respect to the TLS handshake. + // Only to be used when validation_context_certificate_provider is not used. + SdsSecretConfig validation_context_sds_secret_config = 2 [ + (validate.rules).message = {required: true}, + (udpa.annotations.field_migrate).oneof_promotion = "dynamic_validation_context" + ]; + + // Certificate provider for fetching validation context - only to be used when + // validation_context_sds_secret_config is not used. + // [#not-implemented-hide:] + CertificateProvider validation_context_certificate_provider = 3 + [(udpa.annotations.field_migrate).oneof_promotion = "dynamic_validation_context"]; + } + + reserved 5; + + // TLS protocol versions, cipher suites etc. + TlsParameters tls_params = 1; + + // :ref:`Multiple TLS certificates ` can be associated with the + // same context to allow both RSA and ECDSA certificates. + // + // Only a single TLS certificate is supported in client contexts. In server contexts, the first + // RSA certificate is used for clients that only support RSA and the first ECDSA certificate is + // used for clients that support ECDSA. + repeated TlsCertificate tls_certificates = 2; + + // Configs for fetching TLS certificates via SDS API. Note SDS API allows certificates to be + // fetched/refreshed over the network asynchronously with respect to the TLS handshake. + repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6 + [(validate.rules).repeated = {max_items: 1}]; + + // Certificate provider for fetching TLS certificates. + // [#not-implemented-hide:] + CertificateProvider tls_certificate_certificate_provider = 9; + + oneof validation_context_type { + // How to validate peer certificates. + CertificateValidationContext validation_context = 3; + + // Config for fetching validation context via SDS API. Note SDS API allows certificates to be + // fetched/refreshed over the network asynchronously with respect to the TLS handshake. + SdsSecretConfig validation_context_sds_secret_config = 7; + + // Combined certificate validation context holds a default CertificateValidationContext + // and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic + // and default CertificateValidationContext are merged into a new CertificateValidationContext + // for validation. This merge is done by Message::MergeFrom(), so dynamic + // CertificateValidationContext overwrites singular fields in default + // CertificateValidationContext, and concatenates repeated fields to default + // CertificateValidationContext, and logical OR is applied to boolean fields. + CombinedCertificateValidationContext combined_validation_context = 8; + + // Certificate provider for fetching validation context. + // [#not-implemented-hide:] + CertificateProvider validation_context_certificate_provider = 10; + } + + // Supplies the list of ALPN protocols that the listener should expose. In + // practice this is likely to be set to one of two values (see the + // :ref:`codec_type + // ` + // parameter in the HTTP connection manager for more information): + // + // * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1. + // * "http/1.1" If the listener is only going to support HTTP/1.1. + // + // There is no default for this parameter. If empty, Envoy will not expose ALPN. + repeated string alpn_protocols = 4; +} diff --git a/xds/third_party/envoy/src/main/proto/envoy/service/discovery/v2/ads.proto b/xds/third_party/envoy/src/main/proto/envoy/service/discovery/v2/ads.proto index 01759e5f1b..d70e0cdc8e 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/service/discovery/v2/ads.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/service/discovery/v2/ads.proto @@ -4,10 +4,13 @@ package envoy.service.discovery.v2; import "envoy/api/v2/discovery.proto"; +import "udpa/annotations/status.proto"; + option java_package = "io.envoyproxy.envoy.service.discovery.v2"; option java_outer_classname = "AdsProto"; option java_multiple_files = true; option java_generic_services = true; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Aggregated Discovery Service (ADS)] diff --git a/xds/third_party/envoy/src/main/proto/envoy/service/discovery/v2/sds.proto b/xds/third_party/envoy/src/main/proto/envoy/service/discovery/v2/sds.proto index 6a131ad413..4d01d475c5 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/service/discovery/v2/sds.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/service/discovery/v2/sds.proto @@ -8,12 +8,14 @@ import "google/api/annotations.proto"; import "envoy/annotations/resource.proto"; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; option java_package = "io.envoyproxy.envoy.service.discovery.v2"; option java_outer_classname = "SdsProto"; option java_multiple_files = true; option java_generic_services = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.service.secret.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Secret Discovery Service (SDS)] diff --git a/xds/third_party/envoy/src/main/proto/envoy/service/load_stats/v2/lrs.proto b/xds/third_party/envoy/src/main/proto/envoy/service/load_stats/v2/lrs.proto index a82d703de8..d8707bd62c 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/service/load_stats/v2/lrs.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/service/load_stats/v2/lrs.proto @@ -7,12 +7,14 @@ import "envoy/api/v2/endpoint/load_report.proto"; import "google/protobuf/duration.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.service.load_stats.v2"; option java_outer_classname = "LrsProto"; option java_multiple_files = true; option java_generic_services = true; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Load reporting service] @@ -64,7 +66,13 @@ message LoadStatsRequest { // [#not-implemented-hide:] Not configuration. TBD how to doc proto APIs. message LoadStatsResponse { // Clusters to report stats for. - repeated string clusters = 1 [(validate.rules).repeated = {min_items: 1}]; + // Not populated if *send_all_clusters* is true. + repeated string clusters = 1; + + // If true, the client should send all clusters it knows about. + // Only clients that advertise the "envoy.lrs.supports_send_all_clusters" capability in their + // :ref:`client_features` field will honor this field. + bool send_all_clusters = 4; // The minimum interval of time to collect stats over. This is only a minimum for two reasons: // 1. There may be some delay from when the timer fires until stats sampling occurs. diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/http.proto b/xds/third_party/envoy/src/main/proto/envoy/type/http.proto index 12160c6354..c1c787411f 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/http.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/http.proto @@ -2,9 +2,12 @@ syntax = "proto3"; package envoy.type; +import "udpa/annotations/status.proto"; + option java_package = "io.envoyproxy.envoy.type"; option java_outer_classname = "HttpProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: HTTP] diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/metadata.proto b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/metadata.proto index 43dd5b7ad1..2cbc602564 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/metadata.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/metadata.proto @@ -4,11 +4,13 @@ package envoy.type.matcher; import "envoy/type/matcher/value.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.type.matcher"; option java_outer_classname = "MetadataProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Metadata matcher] diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/number.proto b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/number.proto index 52a6eb6e15..e488f16a4a 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/number.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/number.proto @@ -4,11 +4,13 @@ package envoy.type.matcher; import "envoy/type/range.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.type.matcher"; option java_outer_classname = "NumberProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Number matcher] diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/path.proto b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/path.proto index 779339a2d2..860a1c69f1 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/path.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/path.proto @@ -4,11 +4,13 @@ package envoy.type.matcher; import "envoy/type/matcher/string.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.type.matcher"; option java_outer_classname = "PathProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Path matcher] diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/regex.proto b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/regex.proto index 2be13845fc..9e41637ab7 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/regex.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/regex.proto @@ -4,11 +4,13 @@ package envoy.type.matcher; import "google/protobuf/wrappers.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.type.matcher"; option java_outer_classname = "RegexProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Regex matcher] @@ -22,7 +24,10 @@ message RegexMatcher { // compiled regex is to evaluate. A regex that has a program size greater than the configured // value will fail to compile. In this case, the configured max program size can be increased // or the regex can be simplified. If not specified, the default is 100. - google.protobuf.UInt32Value max_program_size = 1; + // + // This field is deprecated; regexp validation should be performed on the management server + // instead of being done by each individual client. + google.protobuf.UInt32Value max_program_size = 1 [deprecated = true]; } oneof engine_type { diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/string.proto b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/string.proto index 2cbfc24764..431043e00e 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/string.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/string.proto @@ -5,11 +5,13 @@ package envoy.type.matcher; import "envoy/type/matcher/regex.proto"; import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.type.matcher"; option java_outer_classname = "StringProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: String matcher] diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/v3/regex.proto b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/v3/regex.proto index acfb905ea0..e318cb5457 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/v3/regex.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/v3/regex.proto @@ -4,13 +4,14 @@ package envoy.type.matcher.v3; import "google/protobuf/wrappers.proto"; +import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; - import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.type.matcher.v3"; option java_outer_classname = "RegexProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Regex matcher] @@ -29,7 +30,10 @@ message RegexMatcher { // compiled regex is to evaluate. A regex that has a program size greater than the configured // value will fail to compile. In this case, the configured max program size can be increased // or the regex can be simplified. If not specified, the default is 100. - google.protobuf.UInt32Value max_program_size = 1; + // + // This field is deprecated; regexp validation should be performed on the management server + // instead of being done by each individual client. + google.protobuf.UInt32Value max_program_size = 1 [deprecated = true]; } oneof engine_type { diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/v3/string.proto b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/v3/string.proto index b67b6b22ac..77fe48ac74 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/v3/string.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/v3/string.proto @@ -4,14 +4,15 @@ package envoy.type.matcher.v3; import "envoy/type/matcher/v3/regex.proto"; -import "udpa/annotations/versioning.proto"; - import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.type.matcher.v3"; option java_outer_classname = "StringProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: String matcher] diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/value.proto b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/value.proto index dda4995890..aaecd14e8e 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/value.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/value.proto @@ -5,11 +5,13 @@ package envoy.type.matcher; import "envoy/type/matcher/number.proto"; import "envoy/type/matcher/string.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.type.matcher"; option java_outer_classname = "ValueProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Value matcher] diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/metadata/v2/metadata.proto b/xds/third_party/envoy/src/main/proto/envoy/type/metadata/v2/metadata.proto index 67653519ba..43a1a7ca92 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/metadata/v2/metadata.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/metadata/v2/metadata.proto @@ -3,12 +3,14 @@ syntax = "proto3"; package envoy.type.metadata.v2; import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.type.metadata.v2"; option java_outer_classname = "MetadataProto"; option java_multiple_files = true; option (udpa.annotations.file_migrate).move_to_package = "envoy.type.metadata.v3"; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Metadata] diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/metadata/v3/metadata.proto b/xds/third_party/envoy/src/main/proto/envoy/type/metadata/v3/metadata.proto index f8a98d0b58..ddcce68820 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/metadata/v3/metadata.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/metadata/v3/metadata.proto @@ -2,13 +2,14 @@ syntax = "proto3"; package envoy.type.metadata.v3; +import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; - import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.type.metadata.v3"; option java_outer_classname = "MetadataProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Metadata] diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/percent.proto b/xds/third_party/envoy/src/main/proto/envoy/type/percent.proto index 3420342dee..fc41a26662 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/percent.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/percent.proto @@ -2,11 +2,13 @@ syntax = "proto3"; package envoy.type; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.type"; option java_outer_classname = "PercentProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Percent] diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/range.proto b/xds/third_party/envoy/src/main/proto/envoy/type/range.proto index e550ca19bf..79aaa81975 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/range.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/range.proto @@ -2,9 +2,12 @@ syntax = "proto3"; package envoy.type; +import "udpa/annotations/status.proto"; + option java_package = "io.envoyproxy.envoy.type"; option java_outer_classname = "RangeProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Range] diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/semantic_version.proto b/xds/third_party/envoy/src/main/proto/envoy/type/semantic_version.proto index a7dbf7ebd6..80fe016bfa 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/semantic_version.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/semantic_version.proto @@ -2,9 +2,12 @@ syntax = "proto3"; package envoy.type; +import "udpa/annotations/status.proto"; + option java_package = "io.envoyproxy.envoy.type"; option java_outer_classname = "SemanticVersionProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Semantic Version] diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/tracing/v2/custom_tag.proto b/xds/third_party/envoy/src/main/proto/envoy/type/tracing/v2/custom_tag.proto index 750c07f799..7506ae8861 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/tracing/v2/custom_tag.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/tracing/v2/custom_tag.proto @@ -4,11 +4,13 @@ package envoy.type.tracing.v2; import "envoy/type/metadata/v2/metadata.proto"; +import "udpa/annotations/status.proto"; import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.type.tracing.v2"; option java_outer_classname = "CustomTagProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = FROZEN; // [#protodoc-title: Custom Tag] diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/tracing/v3/custom_tag.proto b/xds/third_party/envoy/src/main/proto/envoy/type/tracing/v3/custom_tag.proto index 9b8d6029e1..42518ead59 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/tracing/v3/custom_tag.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/tracing/v3/custom_tag.proto @@ -4,13 +4,14 @@ package envoy.type.tracing.v3; import "envoy/type/metadata/v3/metadata.proto"; +import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; - import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.type.tracing.v3"; option java_outer_classname = "CustomTagProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Custom Tag] diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/v3/http.proto b/xds/third_party/envoy/src/main/proto/envoy/type/v3/http.proto index 2018b8a1e7..fec15d11f8 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/v3/http.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/v3/http.proto @@ -2,9 +2,12 @@ syntax = "proto3"; package envoy.type.v3; +import "udpa/annotations/status.proto"; + option java_package = "io.envoyproxy.envoy.type.v3"; option java_outer_classname = "HttpProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: HTTP] diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/v3/percent.proto b/xds/third_party/envoy/src/main/proto/envoy/type/v3/percent.proto index 80439bc606..3a89a3f44f 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/v3/percent.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/v3/percent.proto @@ -2,13 +2,14 @@ syntax = "proto3"; package envoy.type.v3; +import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; - import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.type.v3"; option java_outer_classname = "PercentProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Percent] diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/v3/range.proto b/xds/third_party/envoy/src/main/proto/envoy/type/v3/range.proto index c0e8348768..de1d55b09a 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/v3/range.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/v3/range.proto @@ -2,11 +2,13 @@ syntax = "proto3"; package envoy.type.v3; +import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; option java_package = "io.envoyproxy.envoy.type.v3"; option java_outer_classname = "RangeProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Range] diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/v3/semantic_version.proto b/xds/third_party/envoy/src/main/proto/envoy/type/v3/semantic_version.proto index 38f3484ae5..a4126336f0 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/v3/semantic_version.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/v3/semantic_version.proto @@ -2,11 +2,13 @@ syntax = "proto3"; package envoy.type.v3; +import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; option java_package = "io.envoyproxy.envoy.type.v3"; option java_outer_classname = "SemanticVersionProto"; option java_multiple_files = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; // [#protodoc-title: Semantic Version] diff --git a/xds/third_party/udpa/import.sh b/xds/third_party/udpa/import.sh index 976372f469..a625579d29 100755 --- a/xds/third_party/udpa/import.sh +++ b/xds/third_party/udpa/import.sh @@ -18,14 +18,16 @@ set -e BRANCH=master # import VERSION from one of the google internal CLs -VERSION=edbea6a78f6d1ba34edc69c53a396b1d88d59651 +VERSION=3b31d022a144b334eb2224838e4d6952ab5253aa GIT_REPO="https://github.com/cncf/udpa.git" GIT_BASE_DIR=udpa SOURCE_PROTO_BASE_DIR=udpa TARGET_PROTO_BASE_DIR=src/main/proto FILES=( udpa/annotations/migrate.proto +udpa/annotations/security.proto udpa/annotations/sensitive.proto +udpa/annotations/status.proto udpa/annotations/versioning.proto udpa/data/orca/v1/orca_load_report.proto udpa/service/orca/v1/orca.proto diff --git a/xds/third_party/udpa/src/main/proto/udpa/annotations/security.proto b/xds/third_party/udpa/src/main/proto/udpa/annotations/security.proto new file mode 100644 index 0000000000..7191fe30c8 --- /dev/null +++ b/xds/third_party/udpa/src/main/proto/udpa/annotations/security.proto @@ -0,0 +1,31 @@ +syntax = "proto3"; + +package udpa.annotations; + +import "udpa/annotations/status.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/descriptor.proto"; + +import "validate/validate.proto"; + +// All annotations in this file are experimental and subject to change. Their +// only consumer today is the Envoy APIs and SecuritAnnotationValidator protoc +// plugin in this repository. +option (udpa.annotations.file_status).work_in_progress = true; + +extend google.protobuf.FieldOptions { + // Magic number is the 28 most significant bits in the sha256sum of + // "udpa.annotations.security". + FieldSecurityAnnotation security = 11122993; +} + +// These annotations indicate metadata for the purpose of understanding the +// security significance of fields. +message FieldSecurityAnnotation { + // Field should be set in the presence of untrusted downstreams. + bool configure_for_untrusted_downstream = 1; + + // Field should be set in the presence of untrusted upstreams. + bool configure_for_untrusted_upstream = 2; +} diff --git a/xds/third_party/udpa/src/main/proto/udpa/annotations/status.proto b/xds/third_party/udpa/src/main/proto/udpa/annotations/status.proto new file mode 100644 index 0000000000..9832ffd3a2 --- /dev/null +++ b/xds/third_party/udpa/src/main/proto/udpa/annotations/status.proto @@ -0,0 +1,34 @@ +syntax = "proto3"; + +package udpa.annotations; + +import "google/protobuf/descriptor.proto"; + +// Magic number in this file derived from top 28bit of SHA256 digest of +// "udpa.annotation.status". +extend google.protobuf.FileOptions { + StatusAnnotation file_status = 222707719; +} + +enum PackageVersionStatus { + // Unknown package version status. + UNKNOWN = 0; + + // This version of the package is frozen. + FROZEN = 1; + + // This version of the package is the active development version. + ACTIVE = 2; + + // This version of the package is the candidate for the next major version. It + // is typically machine generated from the active development version. + NEXT_MAJOR_VERSION_CANDIDATE = 3; +} + +message StatusAnnotation { + // The entity is work-in-progress and subject to breaking changes. + bool work_in_progress = 1; + + // The entity belongs to a package with the given version status. + PackageVersionStatus package_version_status = 2; +}