grpc
/
grpc-java
mirror of https://github.com/grpc/grpc-java.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

xds: Envoy proto sync to 2024-07-06 (#11401) 

`envoyproxy/envoy`: Sync protos to the latest imported version
ab911ac2ff
(commit 2024-07-06, cl/651956889).

Should be a noop, just a routine xDS proto update to make upcoming
RLQS-related imports simpler.
This commit is contained in:
Sergii Tkachenko 2024-07-29 12:18:18 -04:00 committed by GitHub
parent 9ba2f9dec5
commit 96a788a349
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
28 changed files with 419 additions and 130 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
buildscripts/data-plane-api-no-envoy.patch
View File

@ -1,50 +0,0 @@
From 786c93ccaae9891338f098a5aba60e9987d78bd3 Mon Sep 17 00:00:00 2001
From: "update-envoy[bot]"
<135279899+update-envoy[bot]@users.noreply.github.com>
Date: Mon, 17 Jun 2024 02:25:24 +0000
Subject: [PATCH] bazel: `@envoy_api` should not depend on `@envoy` (#34759)
The extra dependency was introduced in 65273b2a9b. pgv.patch is only
used by envoy_api, so just moving the file avoids the dependency.
Signed-off-by: Eric Anderson <ejona@google.com>
Mirrored from https://github.com/envoyproxy/envoy @ 9fde867399cc7fcf97815995f8466f62172b26f6
---
bazel/pgv.patch | 13 +++++++++++++
bazel/repositories.bzl | 2 +-
2 files changed, 14 insertions(+), 1 deletion(-)
create mode 100644 bazel/pgv.patch
diff --git a/bazel/pgv.patch b/bazel/pgv.patch
new file mode 100644
index 000000000..81e25abfe
--- /dev/null
+++ b/bazel/pgv.patch
@@ -0,0 +1,13 @@
+--- a/templates/cc/register.go 2023-06-22 14:25:05.776175085 +0000
++++ b/templates/cc/register.go 2023-06-22 14:26:33.008090583 +0000
+@@ -116,6 +116,10 @@
+ func (fns CCFuncs) methodName(name interface{}) string {
+ nameStr := fmt.Sprintf("%s", name)
+ switch nameStr {
++ case "concept":
++ return "concept_"
++ case "requires":
++ return "requires_"
+ case "const":
+ return "const_"
+ case "inline":
diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl
index 3e24566a9..7813b0abd 100644
--- a/bazel/repositories.bzl
+++ b/bazel/repositories.bzl
@@ -19,7 +19,7 @@ def api_dependencies():
external_http_archive(
name = "com_envoyproxy_protoc_gen_validate",
patch_args = ["-p1"],
- patches = ["@envoy//bazel:pgv.patch"],
+ patches = ["@envoy_api//bazel:pgv.patch"],
)
external_http_archive(
name = "com_google_googleapis",

9
repositories.bzl
View File

@ -130,14 +130,11 @@ def grpc_java_repositories(bzlmod = False):
if not native.existing_rule("envoy_api"):
http_archive(
name = "envoy_api",
sha256 = "c4c9c43903e413924b0cb08e9747f3c3a0727ad221a3c446a326db32def18c60",
strip_prefix = "data-plane-api-1611a7304794e13efe2d26f8480a2d2473a528c5",
sha256 = "cb7cd388eaa297320d392c872ceb82571dee71f4b6f1c4546b0c0a399636f523",
strip_prefix = "data-plane-api-874e3aa8c3aa5086b6bffa2166e0e0077bb32f71",
urls = [
"https://storage.googleapis.com/grpc-bazel-mirror/github.com/envoyproxy/data-plane-api/archive/1611a7304794e13efe2d26f8480a2d2473a528c5.tar.gz",
"https://github.com/envoyproxy/data-plane-api/archive/1611a7304794e13efe2d26f8480a2d2473a528c5.tar.gz",
"https://github.com/envoyproxy/data-plane-api/archive/874e3aa8c3aa5086b6bffa2166e0e0077bb32f71.tar.gz",
],
patch_args = ["-p1"],
patches = ["@io_grpc_grpc_java//:buildscripts/data-plane-api-no-envoy.patch"],
)
def com_google_protobuf():

2
xds/third_party/envoy/import.sh vendored
View File

@ -17,7 +17,7 @@
set -e
# import VERSION from the google internal copybara_version.txt for Envoy
VERSION=147e6b9523d8d2ae0d9d2205254d6e633644c6fe
VERSION=ab911ac2ff971f805ec822ad4d4ff6b42a61cc7c
DOWNLOAD_URL="https://github.com/envoyproxy/envoy/archive/${VERSION}.tar.gz"
DOWNLOAD_BASE_DIR="envoy-${VERSION}"
SOURCE_PROTO_BASE_DIR="${DOWNLOAD_BASE_DIR}/api"

1
xds/third_party/envoy/src/main/proto/envoy/config/accesslog/v3/accesslog.proto vendored
View File

@ -256,6 +256,7 @@ message ResponseFlagFilter {
in: "OM"
in: "DF"
in: "DO"
in: "DR"
}
}
}];

17
xds/third_party/envoy/src/main/proto/envoy/config/bootstrap/v3/bootstrap.proto vendored
View File

@ -41,7 +41,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// <config_overview_bootstrap>` for more detail.
// Bootstrap :ref:`configuration overview <config_overview_bootstrap>`.
// [#next-free-field: 41]
// [#next-free-field: 42]
message Bootstrap {
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.bootstrap.v2.Bootstrap";
@ -411,6 +411,10 @@ message Bootstrap {
// Optional gRPC async manager config.
GrpcAsyncClientManagerConfig grpc_async_client_manager_config = 40;
// Optional configuration for memory allocation manager.
// Memory releasing is only supported for `tcmalloc allocator <https://github.com/google/tcmalloc>`_.
MemoryAllocatorManager memory_allocator_manager = 41;
}
// Administration interface :ref:`operations documentation
@ -734,3 +738,14 @@ message CustomInlineHeader {
// The type of the header that is expected to be set as the inline header.
InlineHeaderType inline_header_type = 2 [(validate.rules).enum = {defined_only: true}];
}
message MemoryAllocatorManager {
// Configures tcmalloc to perform background release of free memory in amount of bytes per ``memory_release_interval`` interval.
// If equals to ``0``, no memory release will occur. Defaults to ``0``.
uint64 bytes_to_release = 1;
// Interval in milliseconds for memory releasing. If specified, during every
// interval Envoy will try to release ``bytes_to_release`` of free memory back to operating system for reuse.
// Defaults to 1000 milliseconds.
google.protobuf.Duration memory_release_interval = 2;
}

46
xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/cluster.proto vendored
View File

@ -168,7 +168,7 @@ message Cluster {
// The name of the match, used in stats generation.
string name = 1 [(validate.rules).string = {min_len: 1}];
// Optional endpoint metadata match criteria.
// Optional metadata match criteria.
// The connection to the endpoint with metadata matching what is set in this field
// will use the transport socket configuration specified here.
// The endpoint's metadata entry in ``envoy.transport_socket_match`` is used to match
@ -754,12 +754,14 @@ message Cluster {
reserved "hosts", "tls_context", "extension_protocol_options";
// Configuration to use different transport sockets for different endpoints.
// The entry of ``envoy.transport_socket_match`` in the
// :ref:`LbEndpoint.Metadata <envoy_v3_api_field_config.endpoint.v3.LbEndpoint.metadata>`
// is used to match against the transport sockets as they appear in the list. The first
// :ref:`match <envoy_v3_api_msg_config.cluster.v3.Cluster.TransportSocketMatch>` is used.
// For example, with the following match
// Configuration to use different transport sockets for different endpoints. The entry of
// ``envoy.transport_socket_match`` in the :ref:`LbEndpoint.Metadata
// <envoy_v3_api_field_config.endpoint.v3.LbEndpoint.metadata>` is used to match against the
// transport sockets as they appear in the list. If a match is not found, the search continues in
// :ref:`LocalityLbEndpoints.Metadata
// <envoy_v3_api_field_config.endpoint.v3.LocalityLbEndpoints.metadata>`. The first :ref:`match
// <envoy_v3_api_msg_config.cluster.v3.Cluster.TransportSocketMatch>` is used. For example, with
// the following match
//
// .. code-block:: yaml
//
@ -783,8 +785,9 @@ message Cluster {
// socket match in case above.
//
// If an endpoint metadata's value under ``envoy.transport_socket_match`` does not match any
// ``TransportSocketMatch``, socket configuration fallbacks to use the ``tls_context`` or
// ``transport_socket`` specified in this cluster.
// ``TransportSocketMatch``, the locality metadata is then checked for a match. Barring any
// matches in the endpoint or locality metadata, the socket configuration fallbacks to use the
// ``tls_context`` or ``transport_socket`` specified in this cluster.
//
// This field allows gradual and flexible transport socket configuration changes.
//
@ -1236,6 +1239,26 @@ message UpstreamConnectionOptions {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.UpstreamConnectionOptions";
enum FirstAddressFamilyVersion {
// respect the native ranking of destination ip addresses returned from dns
// resolution
DEFAULT = 0;
V4 = 1;
V6 = 2;
}
message HappyEyeballsConfig {
// Specify the IP address family to attempt connection first in happy
// eyeballs algorithm according to RFC8305#section-4.
FirstAddressFamilyVersion first_address_family_version = 1;
// Specify the number of addresses of the first_address_family_version being
// attempted for connection before the other address family.
google.protobuf.UInt32Value first_address_family_count = 2 [(validate.rules).uint32 = {gte: 1}];
}
// If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
core.v3.TcpKeepalive tcp_keepalive = 1;
@ -1243,6 +1266,11 @@ message UpstreamConnectionOptions {
// This can be used by extensions during processing of requests. The association mechanism is
// implementation specific. Defaults to false due to performance concerns.
bool set_local_interface_name_on_upstream_connections = 2;
// Configurations for happy eyeballs algorithm.
// Add configs for first_address_family_version and first_address_family_count
// when sorting destination ip addresses.
HappyEyeballsConfig happy_eyeballs_config = 3;
}
message TrackClusterStats {

16
xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/outlier_detection.proto vendored
View File

@ -2,6 +2,8 @@ syntax = "proto3";
package envoy.config.cluster.v3;
import "envoy/config/core/v3/extension.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
@ -19,7 +21,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// See the :ref:`architecture overview <arch_overview_outlier_detection>` for
// more information on outlier detection.
// [#next-free-field: 24]
// [#next-free-field: 26]
message OutlierDetection {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.cluster.OutlierDetection";
@ -40,8 +42,8 @@ message OutlierDetection {
// Defaults to 30000ms or 30s.
google.protobuf.Duration base_ejection_time = 3 [(validate.rules).duration = {gt {}}];
// The maximum % of an upstream cluster that can be ejected due to outlier
// detection. Defaults to 10% but will eject at least one host regardless of the value.
// The maximum % of an upstream cluster that can be ejected due to outlier detection. Defaults to 10% .
// Will eject at least one host regardless of the value if :ref:`always_eject_one_host<envoy_v3_api_field_config.cluster.v3.OutlierDetection.always_eject_one_host>` is enabled.
google.protobuf.UInt32Value max_ejection_percent = 4 [(validate.rules).uint32 = {lte: 100}];
// The % chance that a host will be actually ejected when an outlier status
@ -167,4 +169,12 @@ message OutlierDetection {
// To change this default behavior set this config to ``false`` where active health checking will not uneject the host.
// Defaults to true.
google.protobuf.BoolValue successful_active_health_check_uneject_host = 23;
// Set of host's passive monitors.
// [#not-implemented-hide:]
repeated core.v3.TypedExtensionConfig monitors = 24;
// If enabled, at least one host is ejected regardless of the value of :ref:`max_ejection_percent<envoy_v3_api_field_config.cluster.v3.OutlierDetection.max_ejection_percent>`.
// Defaults to false.
google.protobuf.BoolValue always_eject_one_host = 25;
}

107
xds/third_party/envoy/src/main/proto/envoy/config/core/v3/base.proto vendored
View File

@ -245,7 +245,8 @@ message Metadata {
// :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>`
// fields are present in the metadata with same keys,
// only ``typed_filter_metadata`` field will be parsed.
map<string, google.protobuf.Struct> filter_metadata = 1;
map<string, google.protobuf.Struct> filter_metadata = 1
[(validate.rules).map = {keys {string {min_len: 1}}}];
// Key is the reverse DNS filter name, e.g. com.acme.widget. The ``envoy.*``
// namespace is reserved for Envoy's built-in filters.
@ -253,7 +254,8 @@ message Metadata {
// If both :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>`
// and ``typed_filter_metadata`` fields are present in the metadata with same keys,
// only ``typed_filter_metadata`` field will be parsed.
map<string, google.protobuf.Any> typed_filter_metadata = 2;
map<string, google.protobuf.Any> typed_filter_metadata = 2
[(validate.rules).map = {keys {string {min_len: 1}}}];
}
// Runtime derived uint32 with a default when not specified.
@ -301,6 +303,59 @@ message RuntimeFeatureFlag {
string runtime_key = 2 [(validate.rules).string = {min_len: 1}];
}
message KeyValue {
// The key of the key/value pair.
string key = 1 [(validate.rules).string = {min_len: 1 max_bytes: 16384}];
// The value of the key/value pair.
bytes value = 2;
}
// Key/value pair plus option to control append behavior. This is used to specify
// key/value pairs that should be appended to a set of existing key/value pairs.
message KeyValueAppend {
// Describes the supported actions types for key/value pair append action.
enum KeyValueAppendAction {
// If the key already exists, this action will result in the following behavior:
//
// - Comma-concatenated value if multiple values are not allowed.
// - New value added to the list of values if multiple values are allowed.
//
// If the key doesn't exist then this will add pair with specified key and value.
APPEND_IF_EXISTS_OR_ADD = 0;
// This action will add the key/value pair if it doesn't already exist. If the
// key already exists then this will be a no-op.
ADD_IF_ABSENT = 1;
// This action will overwrite the specified value by discarding any existing
// values if the key already exists. If the key doesn't exist then this will add
// the pair with specified key and value.
OVERWRITE_IF_EXISTS_OR_ADD = 2;
// This action will overwrite the specified value by discarding any existing
// values if the key already exists. If the key doesn't exist then this will
// be no-op.
OVERWRITE_IF_EXISTS = 3;
}
// Key/value pair entry that this option to append or overwrite.
KeyValue entry = 1 [(validate.rules).message = {required: true}];
// Describes the action taken to append/overwrite the given value for an existing
// key or to only add this key if it's absent.
KeyValueAppendAction action = 2 [(validate.rules).enum = {defined_only: true}];
}
// Key/value pair to append or remove.
message KeyValueMutation {
// Key/value pair to append or overwrite. Only one of ``append`` or ``remove`` can be set.
KeyValueAppend append = 1;
// Key to remove. Only one of ``append`` or ``remove`` can be set.
string remove = 2 [(validate.rules).string = {max_bytes: 16384}];
}
// Query parameter name/value pair.
message QueryParameter {
// The key of the query parameter. Case sensitive.
@ -409,6 +464,7 @@ message WatchedDirectory {
}
// Data source consisting of a file, an inline value, or an environment variable.
// [#next-free-field: 6]
message DataSource {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.DataSource";
@ -427,12 +483,47 @@ message DataSource {
// Environment variable data source.
string environment_variable = 4 [(validate.rules).string = {min_len: 1}];
}
// Watched directory that is watched for file changes. If this is set explicitly, the file
// specified in the ``filename`` field will be reloaded when relevant file move events occur.
//
// .. note::
// This field only makes sense when the ``filename`` field is set.
//
// .. note::
// Envoy only updates when the file is replaced by a file move, and not when the file is
// edited in place.
//
// .. note::
// Not all use cases of ``DataSource`` support watching directories. It depends on the
// specific usage of the ``DataSource``. See the documentation of the parent message for
// details.
WatchedDirectory watched_directory = 5;
}
// The message specifies the retry policy of remote data source when fetching fails.
// [#next-free-field: 7]
message RetryPolicy {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.RetryPolicy";
// See :ref:`RetryPriority <envoy_v3_api_field_config.route.v3.RetryPolicy.retry_priority>`.
message RetryPriority {
string name = 1 [(validate.rules).string = {min_len: 1}];
oneof config_type {
google.protobuf.Any typed_config = 2;
}
}
// See :ref:`RetryHostPredicate <envoy_v3_api_field_config.route.v3.RetryPolicy.retry_host_predicate>`.
message RetryHostPredicate {
string name = 1 [(validate.rules).string = {min_len: 1}];
oneof config_type {
google.protobuf.Any typed_config = 2;
}
}
// Specifies parameters that control :ref:`retry backoff strategy <envoy_v3_api_msg_config.core.v3.BackoffStrategy>`.
// This parameter is optional, in which case the default base interval is 1000 milliseconds. The
// default maximum interval is 10 times the base interval.
@ -442,6 +533,18 @@ message RetryPolicy {
// defaults to 1.
google.protobuf.UInt32Value num_retries = 2
[(udpa.annotations.field_migrate).rename = "max_retries"];
// For details, see :ref:`retry_on <envoy_v3_api_field_config.route.v3.RetryPolicy.retry_on>`.
string retry_on = 3;
// For details, see :ref:`retry_priority <envoy_v3_api_field_config.route.v3.RetryPolicy.retry_priority>`.
RetryPriority retry_priority = 4;
// For details, see :ref:`RetryHostPredicate <envoy_v3_api_field_config.route.v3.RetryPolicy.retry_host_predicate>`.
repeated RetryHostPredicate retry_host_predicate = 5;
// For details, see :ref:`host_selection_retry_max_attempts <envoy_v3_api_field_config.route.v3.RetryPolicy.host_selection_retry_max_attempts>`.
int64 host_selection_retry_max_attempts = 6;
}
// The message specifies how to fetch data from remote and how to verify it.

8
xds/third_party/envoy/src/main/proto/envoy/config/core/v3/config_source.proto vendored
View File

@ -28,12 +28,10 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// xDS API and non-xDS services version. This is used to describe both resource and transport
// protocol versions (in distinct configuration fields).
enum ApiVersion {
// When not specified, we assume v2, to ease migration to Envoy's stable API
// versioning. If a client does not support v2 (e.g. due to deprecation), this
// is an invalid value.
AUTO = 0 [deprecated = true, (envoy.annotations.deprecated_at_minor_version_enum) = "3.0"];
// When not specified, we assume v3; it is the only supported version.
AUTO = 0;
// Use xDS v2 API.
// Use xDS v2 API. This is no longer supported.
V2 = 1 [deprecated = true, (envoy.annotations.deprecated_at_minor_version_enum) = "3.0"];
// Use xDS v3 API.

19
xds/third_party/envoy/src/main/proto/envoy/config/core/v3/grpc_service.proto vendored
View File

@ -25,10 +25,11 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// gRPC service configuration. This is used by :ref:`ApiConfigSource
// <envoy_v3_api_msg_config.core.v3.ApiConfigSource>` and filter configurations.
// [#next-free-field: 6]
// [#next-free-field: 7]
message GrpcService {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.GrpcService";
// [#next-free-field: 6]
message EnvoyGrpc {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.core.GrpcService.EnvoyGrpc";
@ -49,6 +50,18 @@ message GrpcService {
// Currently only supported for xDS gRPC streams.
// If not set, xDS gRPC streams default base interval:500ms, maximum interval:30s will be applied.
RetryPolicy retry_policy = 3;
// Maximum gRPC message size that is allowed to be received.
// If a message over this limit is received, the gRPC stream is terminated with the RESOURCE_EXHAUSTED error.
// This limit is applied to individual messages in the streaming response and not the total size of streaming response.
// Defaults to 0, which means unlimited.
google.protobuf.UInt32Value max_receive_message_length = 4;
// This provides gRPC client level control over envoy generated headers.
// If false, the header will be sent but it can be overridden by per stream option.
// If true, the header will be removed and can not be overridden by per stream option.
// Default to false.
bool skip_envoy_headers = 5;
}
// [#next-free-field: 9]
@ -300,4 +313,8 @@ message GrpcService {
// documentation on :ref:`custom request headers
// <config_http_conn_man_headers_custom_request_headers>`.
repeated HeaderValue initial_metadata = 5;
// Optional default retry policy for streams toward the service.
// If an async stream doesn't have retry policy configured in its stream options, this retry policy is used.
RetryPolicy retry_policy = 6;
}

20
xds/third_party/envoy/src/main/proto/envoy/config/core/v3/health_check.proto vendored
View File

@ -5,6 +5,7 @@ package envoy.config.core.v3;
import "envoy/config/core/v3/base.proto";
import "envoy/config/core/v3/event_service_config.proto";
import "envoy/config/core/v3/extension.proto";
import "envoy/config/core/v3/proxy_protocol.proto";
import "envoy/type/matcher/v3/string.proto";
import "envoy/type/v3/http.proto";
import "envoy/type/v3/range.proto";
@ -62,7 +63,7 @@ message HealthStatusSet {
[(validate.rules).repeated = {items {enum {defined_only: true}}}];
}
// [#next-free-field: 26]
// [#next-free-field: 27]
message HealthCheck {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HealthCheck";
@ -95,12 +96,11 @@ message HealthCheck {
// left empty (default value), the name of the cluster this health check is associated
// with will be used. The host header can be customized for a specific endpoint by setting the
// :ref:`hostname <envoy_v3_api_field_config.endpoint.v3.Endpoint.HealthCheckConfig.hostname>` field.
string host = 1 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
string host = 1 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE}];
// Specifies the HTTP path that will be requested during health checking. For example
// ``/healthcheck``.
string path = 2
[(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}];
string path = 2 [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE}];
// [#not-implemented-hide:] HTTP specific payload.
Payload send = 3;
@ -178,6 +178,13 @@ message HealthCheck {
// payload block must be found, and in the order specified, but not
// necessarily contiguous.
repeated Payload receive = 2;
// When setting this value, it tries to attempt health check request with ProxyProtocol.
// When ``send`` is presented, they are sent after preceding ProxyProtocol header.
// Only ProxyProtocol header is sent when ``send`` is not presented.
// It allows to use both ProxyProtocol V1 and V2. In V1, it presents L3/L4. In V2, it includes
// LOCAL command and doesn't include L3/L4.
ProxyProtocolConfig proxy_protocol_config = 3;
}
message RedisHealthCheck {
@ -392,6 +399,11 @@ message HealthCheck {
// The default value is false.
bool always_log_health_check_failures = 19;
// If set to true, health check success events will always be logged. If set to false, only host addition event will be logged
// if it is the first successful health check, or if the healthy threshold is reached.
// The default value is false.
bool always_log_health_check_success = 26;
// This allows overriding the cluster TLS settings, just for health check connections.
TlsOptions tls_options = 21;

38
xds/third_party/envoy/src/main/proto/envoy/config/core/v3/protocol.proto vendored
View File

@ -56,7 +56,7 @@ message QuicKeepAliveSettings {
}
// QUIC protocol options which apply to both downstream and upstream connections.
// [#next-free-field: 8]
// [#next-free-field: 9]
message QuicProtocolOptions {
// Maximum number of streams that the client can negotiate per connection. 100
// if not specified.
@ -64,7 +64,7 @@ message QuicProtocolOptions {
// `Initial stream-level flow-control receive window
// <https://tools.ietf.org/html/draft-ietf-quic-transport-34#section-4.1>`_ size. Valid values range from
// 1 to 16777216 (2^24, maximum supported by QUICHE) and defaults to 65536 (2^16).
// 1 to 16777216 (2^24, maximum supported by QUICHE) and defaults to 16777216 (16 * 1024 * 1024).
//
// NOTE: 16384 (2^14) is the minimum window size supported in Google QUIC. If configured smaller than it, we will use 16384 instead.
// QUICHE IETF Quic implementation supports 1 bytes window. We only support increasing the default window size now, so it's also the minimum.
@ -76,8 +76,8 @@ message QuicProtocolOptions {
[(validate.rules).uint32 = {lte: 16777216 gte: 1}];
// Similar to ``initial_stream_window_size``, but for connection-level
// flow-control. Valid values rage from 1 to 25165824 (24MB, maximum supported by QUICHE) and defaults to 65536 (2^16).
// window. Currently, this has the same minimum/default as ``initial_stream_window_size``.
// flow-control. Valid values rage from 1 to 25165824 (24MB, maximum supported by QUICHE) and defaults
// to 25165824 (24 * 1024 * 1024).
//
// NOTE: 16384 (2^14) is the minimum window size supported in Google QUIC. We only support increasing the default
// window size now, so it's also the minimum.
@ -102,6 +102,15 @@ message QuicProtocolOptions {
// A comma-separated list of strings representing QUIC client connection options defined in
// `QUICHE <https://github.com/google/quiche/blob/main/quiche/quic/core/crypto/crypto_protocol.h>`_ and to be sent by upstream connections.
string client_connection_options = 7;
// The duration that a QUIC connection stays idle before it closes itself. If this field is not present, QUICHE
// default 600s will be applied.
// For internal corporate network, a long timeout is often fine.
// But for client facing network, 30s is usually a good choice.
google.protobuf.Duration idle_network_timeout = 8 [(validate.rules).duration = {
lte {seconds: 600}
gte {seconds: 1}
}];
}
message UpstreamHttpProtocolOptions {
@ -477,10 +486,10 @@ message Http2ProtocolOptions {
// Allows proxying Websocket and other upgrades over H2 connect.
bool allow_connect = 5;
// [#not-implemented-hide:] Hiding until envoy has full metadata support.
// [#not-implemented-hide:] Hiding until Envoy has full metadata support.
// Still under implementation. DO NOT USE.
//
// Allows metadata. See [metadata
// Allows sending and receiving HTTP/2 METADATA frames. See [metadata
// docs](https://github.com/envoyproxy/envoy/blob/main/source/docs/h2_metadata.md) for more
// information.
bool allow_metadata = 6;
@ -609,7 +618,7 @@ message GrpcProtocolOptions {
}
// A message which allows using HTTP/3.
// [#next-free-field: 6]
// [#next-free-field: 7]
message Http3ProtocolOptions {
QuicProtocolOptions quic_protocol_options = 1;
@ -628,12 +637,27 @@ message Http3ProtocolOptions {
// <https://datatracker.ietf.org/doc/draft-ietf-httpbis-h3-websockets/>`_
// Note that HTTP/3 CONNECT is not yet an RFC.
bool allow_extended_connect = 5 [(xds.annotations.v3.field_status).work_in_progress = true];
// [#not-implemented-hide:] Hiding until Envoy has full metadata support.
// Still under implementation. DO NOT USE.
//
// Allows sending and receiving HTTP/3 METADATA frames. See [metadata
// docs](https://github.com/envoyproxy/envoy/blob/main/source/docs/h2_metadata.md) for more
// information.
bool allow_metadata = 6;
}
// A message to control transformations to the :scheme header
message SchemeHeaderTransformation {
oneof transformation {
// Overwrite any Scheme header with the contents of this string.
// If set, takes precedence over match_upstream.
string scheme_to_overwrite = 1 [(validate.rules).string = {in: "http" in: "https"}];
}
// Set the Scheme header to match the upstream transport protocol. For example, should a
// request be sent to the upstream over TLS, the scheme header will be set to "https". Should the
// request be sent over plaintext, the scheme header will be set to "http".
// If scheme_to_overwrite is set, this field is not used.
bool match_upstream = 2;
}

6
xds/third_party/envoy/src/main/proto/envoy/config/endpoint/v3/endpoint.proto vendored
View File

@ -77,6 +77,12 @@ message ClusterLoadAssignment {
//
// Envoy supports only one element and will NACK if more than one element is present.
// Other xDS-capable data planes will not necessarily have this limitation.
//
// In Envoy, this ``drop_overloads`` config can be overridden by a runtime key
// "load_balancing_policy.drop_overload_limit" setting. This runtime key can be set to
// any integer number between 0 and 100. 0 means drop 0%. 100 means drop 100%.
// When both ``drop_overloads`` config and "load_balancing_policy.drop_overload_limit"
// setting are in place, the min of these two wins.
repeated DropOverload drop_overloads = 2;
// Priority levels and localities are considered overprovisioned with this

5
xds/third_party/envoy/src/main/proto/envoy/config/endpoint/v3/endpoint_components.proto vendored
View File

@ -147,7 +147,7 @@ message LedsClusterLocalityConfig {
// A group of endpoints belonging to a Locality.
// One can have multiple LocalityLbEndpoints for a locality, but only if
// they have different priorities.
// [#next-free-field: 9]
// [#next-free-field: 10]
message LocalityLbEndpoints {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.endpoint.LocalityLbEndpoints";
@ -161,6 +161,9 @@ message LocalityLbEndpoints {
// Identifies location of where the upstream hosts run.
core.v3.Locality locality = 1;
// Metadata to provide additional information about the locality endpoints in aggregate.
core.v3.Metadata metadata = 9;
// The group of endpoints belonging to the locality specified.
// [#comment:TODO(adisuissa): Once LEDS is implemented this field needs to be
// deprecated and replaced by ``load_balancer_endpoints``.]

29
xds/third_party/envoy/src/main/proto/envoy/config/endpoint/v3/load_report.proto vendored
View File

@ -8,6 +8,8 @@ import "envoy/config/core/v3/base.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "xds/annotations/v3/status.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
@ -23,7 +25,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// These are stats Envoy reports to the management server at a frequency defined by
// :ref:`LoadStatsResponse.load_reporting_interval<envoy_v3_api_field_service.load_stats.v3.LoadStatsResponse.load_reporting_interval>`.
// Stats per upstream region/zone and optionally per subzone.
// [#next-free-field: 9]
// [#next-free-field: 12]
message UpstreamLocalityStats {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.endpoint.UpstreamLocalityStats";
@ -48,6 +50,31 @@ message UpstreamLocalityStats {
// upstream endpoints in the locality.
uint64 total_issued_requests = 8;
// The total number of connections in an established state at the time of the
// report. This field is aggregated over all the upstream endpoints in the
// locality.
// In Envoy, this information may be based on ``upstream_cx_active metric``.
// [#not-implemented-hide:]
uint64 total_active_connections = 9 [(xds.annotations.v3.field_status).work_in_progress = true];
// The total number of connections opened since the last report.
// This field is aggregated over all the upstream endpoints in the locality.
// In Envoy, this information may be based on ``upstream_cx_total`` metric
// compared to itself between start and end of an interval, i.e.
// ``upstream_cx_total``(now) - ``upstream_cx_total``(now -
// load_report_interval).
// [#not-implemented-hide:]
uint64 total_new_connections = 10 [(xds.annotations.v3.field_status).work_in_progress = true];
// The total number of connection failures since the last report.
// This field is aggregated over all the upstream endpoints in the locality.
// In Envoy, this information may be based on ``upstream_cx_connect_fail``
// metric compared to itself between start and end of an interval, i.e.
// ``upstream_cx_connect_fail``(now) - ``upstream_cx_connect_fail``(now -
// load_report_interval).
// [#not-implemented-hide:]
uint64 total_fail_connections = 11 [(xds.annotations.v3.field_status).work_in_progress = true];
// Stats for multi-dimensional load balancing.
repeated EndpointLoadMetricStats load_metric_stats = 5;

5
xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/listener.proto vendored
View File

@ -53,7 +53,7 @@ message ListenerCollection {
repeated xds.core.v3.CollectionEntry entries = 1;
}
// [#next-free-field: 35]
// [#next-free-field: 36]
message Listener {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Listener";
@ -387,6 +387,9 @@ message Listener {
// Whether the listener should limit connections based upon the value of
// :ref:`global_downstream_max_connections <config_overload_manager_limiting_connections>`.
bool ignore_global_conn_limit = 31;
// Whether the listener bypasses configured overload manager actions.
bool bypass_overload_manager = 35;
}
// A placeholder proto so that users can explicitly configure the standard

13
xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/quic_config.proto vendored
View File

@ -24,7 +24,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: QUIC listener config]
// Configuration specific to the UDP QUIC listener.
// [#next-free-field: 10]
// [#next-free-field: 12]
message QuicProtocolOptions {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.listener.QuicProtocolOptions";
@ -72,9 +72,18 @@ message QuicProtocolOptions {
core.v3.TypedExtensionConfig connection_id_generator_config = 8;
// Configure the server's preferred address to advertise so that client can migrate to it. See :ref:`example <envoy_v3_api_msg_extensions.quic.server_preferred_address.v3.FixedServerPreferredAddressConfig>` which configures a pair of v4 and v6 preferred addresses.
// The current QUICHE implementation will advertise only one of the preferred IPv4 and IPv6 addresses based on the address family the client initially connects with, and only if the client is also QUICHE-based.
// The current QUICHE implementation will advertise only one of the preferred IPv4 and IPv6 addresses based on the address family the client initially connects with.
// If not specified, Envoy will not advertise any server's preferred address.
// [#extension-category: envoy.quic.server_preferred_address]
core.v3.TypedExtensionConfig server_preferred_address_config = 9
[(xds.annotations.v3.field_status).work_in_progress = true];
// Configure the server to send transport parameter `disable_active_migration <https://www.rfc-editor.org/rfc/rfc9000#section-18.2-4.30.1>`_.
// Defaults to false (do not send this transport parameter).
google.protobuf.BoolValue send_disable_active_migration = 10;
// Configure which implementation of ``quic::QuicConnectionDebugVisitor`` to be used for this listener.
// If not specified, no debug visitor will be attached to connections.
// [#extension-category: envoy.quic.connection_debug_visitor]
core.v3.TypedExtensionConfig connection_debug_visitor_config = 11;
}

6
xds/third_party/envoy/src/main/proto/envoy/config/rbac/v3/rbac.proto vendored
View File

@ -194,7 +194,7 @@ message Policy {
}
// Permission defines an action (or actions) that a principal can take.
// [#next-free-field: 13]
// [#next-free-field: 14]
message Permission {
option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v2.Permission";
@ -270,6 +270,10 @@ message Permission {
// Extension for configuring custom matchers for RBAC.
// [#extension-category: envoy.rbac.matchers]
core.v3.TypedExtensionConfig matcher = 12;
// URI template path matching.
// [#extension-category: envoy.path.match]
core.v3.TypedExtensionConfig uri_template = 13;
}
}

15
xds/third_party/envoy/src/main/proto/envoy/config/route/v3/route_components.proto vendored
View File

@ -673,7 +673,7 @@ message RouteMatch {
// :ref:`CorsPolicy in filter extension <envoy_v3_api_msg_extensions.filters.http.cors.v3.CorsPolicy>`
// as as alternative.
//
// [#next-free-field: 13]
// [#next-free-field: 14]
message CorsPolicy {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.CorsPolicy";
@ -727,6 +727,10 @@ message CorsPolicy {
//
// More details refer to https://developer.chrome.com/blog/private-network-access-preflight.
google.protobuf.BoolValue allow_private_network_access = 12;
// Specifies if preflight requests not matching the configured allowed origin should be forwarded
// to the upstream. Default is true.
google.protobuf.BoolValue forward_not_matching_preflights = 13;
}
// [#next-free-field: 42]
@ -759,7 +763,8 @@ message RouteAction {
// collected for the shadow cluster making this feature useful for testing.
//
// During shadowing, the host/authority header is altered such that ``-shadow`` is appended. This is
// useful for logging. For example, ``cluster1`` becomes ``cluster1-shadow``.
// useful for logging. For example, ``cluster1`` becomes ``cluster1-shadow``. This behavior can be
// disabled by setting ``disable_shadow_host_suffix_append`` to ``true``.
//
// .. note::
//
@ -768,7 +773,7 @@ message RouteAction {
// .. note::
//
// Shadowing doesn't support Http CONNECT and upgrades.
// [#next-free-field: 6]
// [#next-free-field: 7]
message RequestMirrorPolicy {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.route.RouteAction.RequestMirrorPolicy";
@ -814,6 +819,9 @@ message RouteAction {
// Determines if the trace span should be sampled. Defaults to true.
google.protobuf.BoolValue trace_sampled = 4;
// Disables appending the ``-shadow`` suffix to the shadowed ``Host`` header. Defaults to ``false``.
bool disable_shadow_host_suffix_append = 6;
}
// Specifies the route's hashing policy if the upstream cluster uses a hashing :ref:`load balancer
@ -1211,7 +1219,6 @@ message RouteAction {
// :ref:`host_rewrite_path_regex <envoy_v3_api_field_config.route.v3.RouteAction.host_rewrite_path_regex>`)
// causes the original value of the host header, if any, to be appended to the
// :ref:`config_http_conn_man_headers_x-forwarded-host` HTTP header if it is different to the last value appended.
// This can be disabled by setting the runtime guard ``envoy_reloadable_features_append_xfh_idempotent`` to false.
bool append_x_forwarded_host = 38;
// Specifies the upstream timeout for the route. If not specified, the default is 15s. This

10
xds/third_party/envoy/src/main/proto/envoy/config/trace/v3/dynamic_ot.proto vendored
View File

@ -33,11 +33,15 @@ message DynamicOtConfig {
string library = 1 [
deprecated = true,
(validate.rules).string = {min_len: 1},
(envoy.annotations.deprecated_at_minor_version) = "3.0"
(envoy.annotations.deprecated_at_minor_version) = "3.0",
(envoy.annotations.disallowed_by_default) = true
];
// The configuration to use when creating a tracer from the given dynamic
// library.
google.protobuf.Struct config = 2
[deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
google.protobuf.Struct config = 2 [
deprecated = true,
(envoy.annotations.deprecated_at_minor_version) = "3.0",
(envoy.annotations.disallowed_by_default) = true
];
}

7
xds/third_party/envoy/src/main/proto/envoy/config/trace/v3/zipkin.proto vendored
View File

@ -82,5 +82,10 @@ message ZipkinConfig {
// If this is set to true, then the
// :ref:`start_child_span of router <envoy_v3_api_field_extensions.filters.http.router.v3.Router.start_child_span>`
// SHOULD be set to true also to ensure the correctness of trace chain.
bool split_spans_for_request = 7;
//
// Both this field and ``start_child_span`` are deprecated by the
// :ref:`spawn_upstream_span <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.spawn_upstream_span>`.
// Please use that ``spawn_upstream_span`` field to control the span creation.
bool split_spans_for_request = 7
[deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
}

5
xds/third_party/envoy/src/main/proto/envoy/data/accesslog/v3/accesslog.proto vendored
View File

@ -271,7 +271,7 @@ message AccessLogCommon {
}
// Flags indicating occurrences during request/response processing.
// [#next-free-field: 28]
// [#next-free-field: 29]
message ResponseFlags {
option (udpa.annotations.versioning).previous_message_type =
"envoy.data.accesslog.v2.ResponseFlags";
@ -372,6 +372,9 @@ message ResponseFlags {
// Indicates a DNS resolution failed.
bool dns_resolution_failure = 27;
// Indicates a downstream remote codec level reset was received on the stream
bool downstream_remote_reset = 28;
}
// Properties of a negotiated TLS connection.

10
xds/third_party/envoy/src/main/proto/envoy/extensions/filters/http/rbac/v3/rbac.proto vendored
View File

@ -22,7 +22,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#extension: envoy.filters.http.rbac]
// RBAC filter config.
// [#next-free-field: 6]
// [#next-free-field: 8]
message RBAC {
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.filter.http.rbac.v2.RBAC";
@ -34,6 +34,11 @@ message RBAC {
config.rbac.v3.RBAC rules = 1
[(udpa.annotations.field_migrate).oneof_promotion = "rules_specifier"];
// If specified, rules will emit stats with the given prefix.
// This is useful to distinguish the stat when there are more than 1 RBAC filter configured with
// rules.
string rules_stat_prefix = 6;
// The match tree to use when resolving RBAC action for incoming requests. Requests do not
// match any matcher will be denied.
// If absent, no enforcing RBAC matcher will be applied.
@ -62,6 +67,9 @@ message RBAC {
// This is useful to distinguish the stat when there are more than 1 RBAC filter configured with
// shadow rules.
string shadow_rules_stat_prefix = 3;
// If track_per_rule_stats is true, counters will be published for each rule and shadow rule.
bool track_per_rule_stats = 7;
}
message RBACPerRoute {

6
xds/third_party/envoy/src/main/proto/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto vendored
View File

@ -37,7 +37,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// HTTP connection manager :ref:`configuration overview <config_http_conn_man>`.
// [#extension: envoy.filters.network.http_connection_manager]
// [#next-free-field: 57]
// [#next-free-field: 58]
message HttpConnectionManager {
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager";
@ -887,6 +887,10 @@ message HttpConnectionManager {
// will be ignored if the ``x-forwarded-port`` header has been set by any trusted proxy in front of Envoy.
bool append_x_forwarded_port = 51;
// Append the :ref:`config_http_conn_man_headers_x-envoy-local-overloaded` HTTP header in the scenario where
// the Overload Manager has been triggered.
bool append_local_overload = 57;
// Whether the HCM will add ProxyProtocolFilterState to the Connection lifetime filter state. Defaults to ``true``.
// This should be set to ``false`` in cases where Envoy's view of the downstream address may not correspond to the
// actual client address, for example, if there's another proxy in front of the Envoy.

39
xds/third_party/envoy/src/main/proto/envoy/extensions/load_balancing_policies/least_request/v3/least_request.proto vendored
View File

@ -7,6 +7,7 @@ import "envoy/extensions/load_balancing_policies/common/v3/common.proto";
import "google/protobuf/wrappers.proto";
import "envoy/annotations/deprecation.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
@ -22,10 +23,34 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// This configuration allows the built-in LEAST_REQUEST LB policy to be configured via the LB policy
// extension point. See the :ref:`load balancing architecture overview
// <arch_overview_load_balancing_types>` for more information.
// [#next-free-field: 6]
// [#next-free-field: 7]
message LeastRequest {
// Available methods for selecting the host set from which to return the host with the
// fewest active requests.
enum SelectionMethod {
// Return host with fewest requests from a set of ``choice_count`` randomly selected hosts.
// Best selection method for most scenarios.
N_CHOICES = 0;
// Return host with fewest requests from all hosts.
// Useful in some niche use cases involving low request rates and one of:
// (example 1) low request limits on workloads, or (example 2) few hosts.
//
// Example 1: Consider a workload type that can only accept one connection at a time.
// If such workloads are deployed across many hosts, only a small percentage of those
// workloads have zero connections at any given time, and the rate of new connections is low,
// the ``FULL_SCAN`` method is more likely to select a suitable host than ``N_CHOICES``.
//
// Example 2: Consider a workload type that is only deployed on 2 hosts. With default settings,
// the ``N_CHOICES`` method will return the host with more active requests 25% of the time.
// If the request rate is sufficiently low, the behavior of always selecting the host with least
// requests as of the last metrics refresh may be preferable.
FULL_SCAN = 1;
}
// The number of random healthy hosts from which the host with the fewest active requests will
// be chosen. Defaults to 2 so that we perform two-choice selection if the field is not set.
// Only applies to the ``N_CHOICES`` selection method.
google.protobuf.UInt32Value choice_count = 1 [(validate.rules).uint32 = {gte: 2}];
// The following formula is used to calculate the dynamic weights when hosts have different load
@ -61,8 +86,12 @@ message LeastRequest {
common.v3.LocalityLbConfig locality_lb_config = 4;
// [#not-implemented-hide:]
// Configuration for performing full scan on the list of hosts.
// If this configuration is set, when selecting the host a full scan on the list hosts will be
// used to select the one with least requests instead of using random choices.
google.protobuf.BoolValue enable_full_scan = 5;
// Unused. Replaced by the `selection_method` enum for better extensibility.
google.protobuf.BoolValue enable_full_scan = 5
[deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
// Method for selecting the host set from which to return the host with the fewest active requests.
//
// Defaults to ``N_CHOICES``.
SelectionMethod selection_method = 6 [(validate.rules).enum = {defined_only: true}];
}

34
xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/common.proto vendored
View File

@ -314,16 +314,32 @@ message SubjectAltNameMatcher {
DNS = 2;
URI = 3;
IP_ADDRESS = 4;
OTHER_NAME = 5;
}
// Specification of type of SAN. Note that the default enum value is an invalid choice.
SanType san_type = 1 [(validate.rules).enum = {defined_only: true not_in: 0}];
// Matcher for SAN value.
//
// The string matching for OTHER_NAME SAN values depends on their ASN.1 type:
//
// * OBJECT: Validated against its dotted numeric notation (e.g., "1.2.3.4")
// * BOOLEAN: Validated against strings "true" or "false"
// * INTEGER/ENUMERATED: Validated against a string containing the integer value
// * NULL: Validated against an empty string
// * Other types: Validated directly against the string value
type.matcher.v3.StringMatcher matcher = 2 [(validate.rules).message = {required: true}];
// OID Value which is required if OTHER_NAME SAN type is used.
// For example, UPN OID is 1.3.6.1.4.1.311.20.2.3
// (Reference: http://oid-info.com/get/1.3.6.1.4.1.311.20.2.3).
//
// If set for SAN types other than OTHER_NAME, it will be ignored.
string oid = 3;
}
// [#next-free-field: 17]
// [#next-free-field: 18]
message CertificateValidationContext {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.auth.CertificateValidationContext";
@ -339,6 +355,9 @@ message CertificateValidationContext {
ACCEPT_UNTRUSTED = 1;
}
message SystemRootCerts {
}
reserved 4, 5;
reserved "verify_subject_alt_name";
@ -378,20 +397,23 @@ message CertificateValidationContext {
// can be treated as trust anchor as well. It allows verification with building valid partial chain instead
// of a full chain.
//
// Only one of ``trusted_ca`` and ``ca_certificate_provider_instance`` may be specified.
//
// [#next-major-version: This field and watched_directory below should ideally be moved into a
// separate sub-message, since there's no point in specifying the latter field without this one.]
// If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``.
config.core.v3.DataSource trusted_ca = 1
[(udpa.annotations.field_migrate).oneof_promotion = "ca_cert_source"];
// Certificate provider instance for fetching TLS certificates.
//
// Only one of ``trusted_ca`` and ``ca_certificate_provider_instance`` may be specified.
// If set, takes precedence over ``trusted_ca``.
// [#not-implemented-hide:]
CertificateProviderPluginInstance ca_certificate_provider_instance = 13
[(udpa.annotations.field_migrate).oneof_promotion = "ca_cert_source"];
// Use system root certs for validation.
// If present, system root certs are used only if neither of the ``trusted_ca``
// or ``ca_certificate_provider_instance`` fields are set.
// [#not-implemented-hide:]
SystemRootCerts system_root_certs = 17;
// If specified, updates of a file-based ``trusted_ca`` source will be triggered
// by this watch. This allows explicit control over the path watched, by
// default the parent directory of the filesystem path in ``trusted_ca`` is

18
xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/tls.proto vendored
View File

@ -248,11 +248,8 @@ message CommonTlsContext {
// :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>` can be associated with the
// same context to allow both RSA and ECDSA certificates and support SNI-based selection.
//
// Only one of ``tls_certificates``, ``tls_certificate_sds_secret_configs``,
// and ``tls_certificate_provider_instance`` may be used.
// [#next-major-version: These mutually exclusive fields should ideally be in a oneof, but it's
// not legal to put a repeated field in a oneof. In the next major version, we should rework
// this to avoid this problem.]
// If ``tls_certificate_provider_instance`` is set, this field is ignored.
// If this field is set, ``tls_certificate_sds_secret_configs`` is ignored.
repeated TlsCertificate tls_certificates = 2;
// Configs for fetching TLS certificates via SDS API. Note SDS API allows certificates to be
@ -261,17 +258,14 @@ message CommonTlsContext {
// The same number and types of certificates as :ref:`tls_certificates <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CommonTlsContext.tls_certificates>`
// are valid in the the certificates fetched through this setting.
//
// Only one of ``tls_certificates``, ``tls_certificate_sds_secret_configs``,
// and ``tls_certificate_provider_instance`` may be used.
// [#next-major-version: These mutually exclusive fields should ideally be in a oneof, but it's
// not legal to put a repeated field in a oneof. In the next major version, we should rework
// this to avoid this problem.]
// If ``tls_certificates`` or ``tls_certificate_provider_instance`` are set, this field
// is ignored.
repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6;
// Certificate provider instance for fetching TLS certs.
//
// Only one of ``tls_certificates``, ``tls_certificate_sds_secret_configs``,
// and ``tls_certificate_provider_instance`` may be used.
// If this field is set, ``tls_certificates`` and ``tls_certificate_provider_instance``
// are ignored.
// [#not-implemented-hide:]
CertificateProviderPluginInstance tls_certificate_provider_instance = 14;

8
xds/third_party/envoy/src/main/proto/envoy/type/matcher/v3/string.proto vendored
View File

@ -4,6 +4,8 @@ package envoy.type.matcher.v3;
import "envoy/type/matcher/v3/regex.proto";
import "xds/core/v3/extension.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";
@ -17,7 +19,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: String matcher]
// Specifies the way to match a string.
// [#next-free-field: 8]
// [#next-free-field: 9]
message StringMatcher {
option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.StringMatcher";
@ -61,6 +63,10 @@ message StringMatcher {
//
// * ``abc`` matches the value ``xyz.abc.def``
string contains = 7 [(validate.rules).string = {min_len: 1}];
// Use an extension as the matcher type.
// [#extension-category: envoy.string_matcher]
xds.core.v3.TypedExtensionConfig custom = 8;
}
// If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. This