From e530e10648ec7abc9a06125a024f22848dbfbbf8 Mon Sep 17 00:00:00 2001 
From: sanjaypujare Date: Tue, 22 Dec 2020 12:22:40 -0800 Subject: [PATCH] xds: import latest envoy and udpa protos to get new fields (#7747) --- xds/third_party/envoy/import.sh | 2 +- .../src/main/proto/envoy/api/v2/cluster.proto | 10 ++ .../envoy/api/v2/route/route_components.proto | 8 + .../envoy/config/accesslog/v3/accesslog.proto | 2 +- .../envoy/config/cluster/v3/cluster.proto | 22 ++- .../envoy/config/cluster/v3/filter.proto | 2 +- .../proto/envoy/config/core/v3/address.proto | 7 +- .../proto/envoy/config/core/v3/base.proto | 32 +++- .../envoy/config/core/v3/config_source.proto | 6 +- .../envoy/config/core/v3/grpc_service.proto | 20 +-- .../envoy/config/core/v3/health_check.proto | 26 +++- .../proto/envoy/config/core/v3/http_uri.proto | 4 +- .../proto/envoy/config/core/v3/protocol.proto | 43 +++++- .../core/v3/substitution_format_string.proto | 2 +- .../envoy/config/endpoint/v3/endpoint.proto | 4 +- .../config/endpoint/v3/load_report.proto | 4 +- .../v2/http_connection_manager.proto | 4 + .../envoy/config/listener/v3/listener.proto | 10 +- .../listener/v3/listener_components.proto | 23 ++- .../config/route/v3/route_components.proto | 142 ++++++++++++------ .../envoy/config/route/v3/scoped_route.proto | 4 +- .../proto/envoy/config/trace/v3/datadog.proto | 4 +- .../envoy/config/trace/v3/dynamic_ot.proto | 2 +- .../envoy/config/trace/v3/http_tracer.proto | 2 +- .../envoy/config/trace/v3/lightstep.proto | 4 +- .../proto/envoy/config/trace/v3/zipkin.proto | 8 +- .../v3/http_connection_manager.proto | 30 ++-- .../transport_sockets/tls/v3/common.proto | 49 +++++- .../transport_sockets/tls/v3/secret.proto | 10 +- .../transport_sockets/tls/v3/tls.proto | 2 +- .../service/discovery/v3/discovery.proto | 57 +++++-- .../proto/envoy/type/matcher/metadata.proto | 4 +- .../main/proto/envoy/type/matcher/regex.proto | 2 +- .../proto/envoy/type/matcher/string.proto | 4 +- .../envoy/type/matcher/v3/metadata.proto | 4 +- .../proto/envoy/type/matcher/v3/regex.proto | 2 +- 
.../proto/envoy/type/matcher/v3/string.proto | 6 +- .../envoy/type/metadata/v3/metadata.proto | 4 +- .../envoy/type/tracing/v3/custom_tag.proto | 8 +- xds/third_party/udpa/import.sh | 12 +- .../proto/udpa/core/v1/context_params.proto | 16 -- .../core/v1 => xds/core/v3}/authority.proto | 6 +- .../v1 => xds/core/v3}/collection_entry.proto | 10 +- .../proto/xds/core/v3/context_params.proto | 21 +++ .../v1 => xds/core/v3}/resource_locator.proto | 40 ++--- .../v1 => xds/core/v3}/resource_name.proto | 22 +-- 46 files changed, 482 insertions(+), 224 deletions(-) delete mode 100644 xds/third_party/udpa/src/main/proto/udpa/core/v1/context_params.proto rename xds/third_party/udpa/src/main/proto/{udpa/core/v1 => xds/core/v3}/authority.proto (82%) rename xds/third_party/udpa/src/main/proto/{udpa/core/v1 => xds/core/v3}/collection_entry.proto (87%) create mode 100644 xds/third_party/udpa/src/main/proto/xds/core/v3/context_params.proto rename xds/third_party/udpa/src/main/proto/{udpa/core/v1 => xds/core/v3}/resource_locator.proto (75%) rename xds/third_party/udpa/src/main/proto/{udpa/core/v1 => xds/core/v3}/resource_name.proto (55%) diff --git a/xds/third_party/envoy/import.sh b/xds/third_party/envoy/import.sh index 30bc8bde0a..8a6847ded9 100755 --- a/xds/third_party/envoy/import.sh +++ b/xds/third_party/envoy/import.sh @@ -18,7 +18,7 @@ set -e BRANCH=master # import VERSION from one of the google internal CLs -VERSION=1c27396b1f7e756ba79eed72b47f485d44da1d41 +VERSION=af17f954653afcab6a189673e3500b2e988f1aef GIT_REPO="https://github.com/envoyproxy/envoy.git" GIT_BASE_DIR=envoy SOURCE_PROTO_BASE_DIR=envoy/api diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster.proto index d1a50fbdb9..fab95f71b7 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/cluster.proto 
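Review bot: The new `VERSION` value in xds/third_party/envoy/import.sh is a full commit SHA, but it sits next to `BRANCH=master` and its only stated provenance is the comment "import VERSION from one of the google internal CLs", which a reader outside that system cannot check. The rest of the script is outside this hunk, so it is worth confirming that it checks out `$VERSION` itself and never falls back to the tip of `$BRANCH`. I would also replace the comment with something verifiable, e.g. `# VERSION is a commit on $BRANCH of $GIT_REPO; the vendored protos must match that commit exactly`.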
@@ -352,6 +352,10 @@ message Cluster { // This header isn't sanitized by default, so enabling this feature allows HTTP clients to // route traffic to arbitrary hosts and/or ports, which may have serious security // consequences. + // + // .. note:: + // + // If the header appears multiple times only the first value is used. bool use_http_header = 1; } @@ -677,10 +681,16 @@ message Cluster { // :ref:`STRICT_DNS` // and :ref:`LOGICAL_DNS` // this setting is ignored. + // Setting this value causes failure if the + // ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during + // server startup. Apple's API only allows overriding DNS resolvers via system settings. repeated core.Address dns_resolvers = 18; // [#next-major-version: Reconcile DNS options in a single message.] // Always use TCP queries instead of UDP queries for DNS lookups. + // Setting this value causes failure if the + // ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during + // server startup. Apple' API only uses UDP for DNS resolution. bool use_tcp_for_dns_lookups = 45; // If specified, outlier detection will be enabled for this upstream cluster. diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/route/route_components.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/route/route_components.proto index 339c7bcbc5..c1e84a5618 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/api/v2/route/route_components.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/route/route_components.proto 
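Review bot: The note added above `use_http_header` says only the first occurrence of the header is used, directly under the existing warning that the header is not sanitized by default, but it does not spell out what that means for anything that filters the header in front of Envoy. A filter that inspects a different occurrence than the first would validate one value while routing acts on another, so the note should say so, e.g. `// Any component that validates this header must check the first occurrence or reject requests that repeat it.` The same note is added to `cluster_header` and `auto_host_rewrite_header` in api/v2/route/route_components.proto and to `use_http_header` in config/cluster/v3/cluster.proto, and the same wording applies there. These are vendored copies, so the wording change belongs upstream rather than in this tree.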
@@ -756,6 +756,10 @@ message RouteAction { // // Internally, Envoy always uses the HTTP/2 *:authority* header to represent the HTTP/1 // *Host* header. Thus, if attempting to match on *Host*, match on *:authority* instead. + // + // .. note:: + // + // If the header appears multiple times only the first value is used. string cluster_header = 2 [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; @@ -866,6 +870,10 @@ message RouteAction { // // Pay attention to the potential security implications of using this option. Provided header // must come from trusted source. + // + // .. note:: + // + // If the header appears multiple times only the first value is used. string auto_host_rewrite_header = 29 [ (validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}, (udpa.annotations.field_migrate).rename = "host_rewrite_header" diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/accesslog/v3/accesslog.proto b/xds/third_party/envoy/src/main/proto/envoy/config/accesslog/v3/accesslog.proto index 54fa139057..d85c6af829 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/accesslog/v3/accesslog.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/accesslog/v3/accesslog.proto @@ -164,7 +164,7 @@ message RuntimeFilter { // Runtime key to get an optional overridden numerator for use in the // *percent_sampled* field. If found in runtime, this value will replace the // default numerator. - string runtime_key = 1 [(validate.rules).string = {min_bytes: 1}]; + string runtime_key = 1 [(validate.rules).string = {min_len: 1}]; // The default sampling percentage. If not specified, defaults to 0% with // denominator of 100. diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/cluster.proto b/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/cluster.proto index 7747c75672..130887c76a 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/cluster.proto 
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/cluster.proto @@ -19,8 +19,8 @@ import "google/protobuf/duration.proto"; import "google/protobuf/struct.proto"; import "google/protobuf/wrappers.proto"; -import "udpa/core/v1/collection_entry.proto"; -import "udpa/core/v1/resource_locator.proto"; +import "xds/core/v3/collection_entry.proto"; +import "xds/core/v3/resource_locator.proto"; import "envoy/annotations/deprecation.proto"; import "udpa/annotations/migrate.proto"; @@ -39,7 +39,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // Cluster list collections. Entries are *Cluster* resources or references. // [#not-implemented-hide:] message ClusterCollection { - udpa.core.v1.CollectionEntry entries = 1; + xds.core.v3.CollectionEntry entries = 1; } // Configuration for a single upstream cluster. @@ -170,7 +170,7 @@ message Cluster { "envoy.api.v2.Cluster.CustomClusterType"; // The type of the cluster to instantiate. The name must match a supported cluster type. - string name = 1 [(validate.rules).string = {min_bytes: 1}]; + string name = 1 [(validate.rules).string = {min_len: 1}]; // Cluster specific configuration which depends on the cluster being instantiated. // See the supported cluster for further documentation. @@ -192,7 +192,7 @@ message Cluster { // Resource locator for EDS. This is mutually exclusive to *service_name*. // [#not-implemented-hide:] - udpa.core.v1.ResourceLocator eds_resource_locator = 3 + xds.core.v3.ResourceLocator eds_resource_locator = 3 [(udpa.annotations.field_migrate).oneof_promotion = "name_specifier"]; } @@ -436,6 +436,10 @@ message Cluster { // This header isn't sanitized by default, so enabling this feature allows HTTP clients to // route traffic to arbitrary hosts and/or ports, which may have serious security // consequences. + // + // .. note:: + // + // If the header appears multiple times only the first value is used. bool use_http_header = 1; } 
@@ -700,7 +704,7 @@ message Cluster { // :ref:`statistics ` if :ref:`alt_stat_name // ` is not provided. // Any ``:`` in the cluster name will be converted to ``_`` when emitting statistics. - string name = 1 [(validate.rules).string = {min_bytes: 1}]; + string name = 1 [(validate.rules).string = {min_len: 1}]; // An optional alternative to the cluster name to be used while emitting stats. // Any ``:`` in the name will be converted to ``_`` when emitting statistics. This should not be @@ -829,10 +833,16 @@ message Cluster { // :ref:`STRICT_DNS` // and :ref:`LOGICAL_DNS` // this setting is ignored. + // Setting this value causes failure if the + // ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during + // server startup. Apple's API only allows overriding DNS resolvers via system settings. repeated core.v3.Address dns_resolvers = 18; // [#next-major-version: Reconcile DNS options in a single message.] // Always use TCP queries instead of UDP queries for DNS lookups. + // Setting this value causes failure if the + // ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during + // server startup. Apple' API only uses UDP for DNS resolution. bool use_tcp_for_dns_lookups = 45; // If specified, outlier detection will be enabled for this upstream cluster. diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/filter.proto b/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/filter.proto index af3116ec26..74f4a1137d 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/filter.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/filter.proto 
@@ -21,7 +21,7 @@ message Filter { // The name of the filter to instantiate. The name must match a // :ref:`supported filter `. - string name = 1 [(validate.rules).string = {min_bytes: 1}]; + string name = 1 [(validate.rules).string = {min_len: 1}]; // Filter specific configuration which depends on the filter being // instantiated. See the supported filters for further documentation. diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/address.proto b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/address.proto index 030b68e694..8228450eb9 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/address.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/address.proto @@ -24,7 +24,7 @@ message Pipe { // abstract namespace. The starting '@' is replaced by a null byte by Envoy. // Paths starting with '@' will result in an error in environments other than // Linux. - string path = 1 [(validate.rules).string = {min_bytes: 1}]; + string path = 1 [(validate.rules).string = {min_len: 1}]; // The mode for the Pipe. Not applicable for abstract sockets. uint32 mode = 2 [(validate.rules).uint32 = {lte: 511}]; @@ -32,6 +32,7 @@ message Pipe { // [#not-implemented-hide:] The address represents an envoy internal listener. // TODO(lambdai): Make this address available for listener and endpoint. +// TODO(asraa): When address available, remove workaround from test/server/server_fuzz_test.cc:30. message EnvoyInternalAddress { oneof address_name_specifier { option (validate.required) = true; @@ -63,7 +64,7 @@ message SocketAddress { // address must be an IP (*STATIC* or *EDS* clusters) or a hostname resolved by DNS // (*STRICT_DNS* or *LOGICAL_DNS* clusters). Address resolution can be customized // via :ref:`resolver_name `. - string address = 2 [(validate.rules).string = {min_bytes: 1}]; + string address = 2 [(validate.rules).string = {min_len: 1}]; oneof port_specifier { option (validate.required) = true; 
@@ -152,7 +153,7 @@ message CidrRange { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.CidrRange"; // IPv4 or IPv6 address, e.g. ``192.0.0.0`` or ``2001:db8::``. - string address_prefix = 1 [(validate.rules).string = {min_bytes: 1}]; + string address_prefix = 1 [(validate.rules).string = {min_len: 1}]; // Length of prefix, e.g. 0, 32. google.protobuf.UInt32Value prefix_len = 2 [(validate.rules).uint32 = {lte: 128}]; diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/base.proto b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/base.proto index 15a17b4938..5b5339ea5b 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/base.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/base.proto @@ -237,7 +237,16 @@ message RuntimeUInt32 { uint32 default_value = 2; // Runtime key to get value for comparison. This value is used if defined. - string runtime_key = 3 [(validate.rules).string = {min_bytes: 1}]; + string runtime_key = 3 [(validate.rules).string = {min_len: 1}]; +} + +// Runtime derived percentage with a default when not specified. +message RuntimePercent { + // Default value if runtime value is not available. + type.v3.Percent default_value = 1; + + // Runtime key to get value for comparison. This value is used if defined. + string runtime_key = 2 [(validate.rules).string = {min_len: 1}]; } // Runtime derived double with a default when not specified. @@ -248,7 +257,7 @@ message RuntimeDouble { double default_value = 1; // Runtime key to get value for comparison. This value is used if defined. - string runtime_key = 2 [(validate.rules).string = {min_bytes: 1}]; + string runtime_key = 2 [(validate.rules).string = {min_len: 1}]; } // Runtime derived bool with a default when not specified. 
@@ -262,7 +271,7 @@ message RuntimeFeatureFlag { // Runtime key to get value for comparison. This value is used if defined. The boolean value must // be represented via its // `canonical JSON encoding `_. - string runtime_key = 2 [(validate.rules).string = {min_bytes: 1}]; + string runtime_key = 2 [(validate.rules).string = {min_len: 1}]; } // Header name/value pair. @@ -272,7 +281,7 @@ message HeaderValue { // Header name. string key = 1 [(validate.rules).string = - {min_bytes: 1 max_bytes: 16384 well_known_regex: HTTP_HEADER_NAME strict: false}]; + {min_len: 1 max_bytes: 16384 well_known_regex: HTTP_HEADER_NAME strict: false}]; // Header value. // @@ -304,6 +313,13 @@ message HeaderMap { repeated HeaderValue headers = 1; } +// A directory that is watched for changes, e.g. by inotify on Linux. Move/rename +// events inside this directory trigger the watch. +message WatchedDirectory { + // Directory path to watch. + string path = 1 [(validate.rules).string = {min_len: 1}]; +} + // Data source consisting of either a file or an inline value. message DataSource { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.DataSource"; @@ -312,13 +328,13 @@ message DataSource { option (validate.required) = true; // Local filesystem data source. - string filename = 1 [(validate.rules).string = {min_bytes: 1}]; + string filename = 1 [(validate.rules).string = {min_len: 1}]; // Bytes inlined in the configuration. bytes inline_bytes = 2 [(validate.rules).bytes = {min_len: 1}]; // String inlined in the configuration. - string inline_string = 3 [(validate.rules).string = {min_bytes: 1}]; + string inline_string = 3 [(validate.rules).string = {min_len: 1}]; } } 
@@ -345,7 +361,7 @@ message RemoteDataSource { HttpUri http_uri = 1 [(validate.rules).message = {required: true}]; // SHA256 string for verifying data. - string sha256 = 2 [(validate.rules).string = {min_bytes: 1}]; + string sha256 = 2 [(validate.rules).string = {min_len: 1}]; // Retry policy for fetching remote data. RetryPolicy retry_policy = 3; @@ -379,7 +395,7 @@ message TransportSocket { // The name of the transport socket to instantiate. The name must match a supported transport // socket implementation. - string name = 1 [(validate.rules).string = {min_bytes: 1}]; + string name = 1 [(validate.rules).string = {min_len: 1}]; // Implementation specific configuration which depends on the implementation being instantiated. // See the supported transport socket implementations for further documentation. diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/config_source.proto b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/config_source.proto index 72837bb3be..1ddaf6df8d 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/config_source.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/config_source.proto @@ -7,7 +7,7 @@ import "envoy/config/core/v3/grpc_service.proto"; import "google/protobuf/duration.proto"; import "google/protobuf/wrappers.proto"; -import "udpa/core/v1/authority.proto"; +import "xds/core/v3/authority.proto"; import "envoy/annotations/deprecation.proto"; import "udpa/annotations/status.proto"; 
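Review bot: `sha256` in `RemoteDataSource` is described as the "SHA256 string for verifying data", yet after this change its only constraint is still non-emptiness (`min_len: 1`), so any one-character string passes schema validation. Whatever consumes this field therefore has to reject malformed digests itself, and that code is not visible here. If the upstream schema is the right place to tighten it, a rule such as `{len: 64 pattern: "^[0-9a-fA-F]+$"}` would pin the shape, assuming the digest is hex-encoded, which the comment does not state.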
@@ -153,11 +153,11 @@ message ConfigSource { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.ConfigSource"; // Authorities that this config source may be used for. An authority specified - // in a *udpa.core.v1.ResourceLocator* is resolved to a *ConfigSource* prior + // in a *xds.core.v3.ResourceLocator* is resolved to a *ConfigSource* prior // to configuration fetch. This field provides the association between // authority name and configuration source. // [#not-implemented-hide:] - repeated udpa.core.v1.Authority authorities = 7; + repeated xds.core.v3.Authority authorities = 7; oneof config_source_specifier { option (validate.required) = true; diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/grpc_service.proto b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/grpc_service.proto index 967c694d2b..e3730d0174 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/grpc_service.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/grpc_service.proto @@ -35,13 +35,13 @@ message GrpcService { // The name of the upstream gRPC cluster. SSL credentials will be supplied // in the :ref:`Cluster ` :ref:`transport_socket // `. - string cluster_name = 1 [(validate.rules).string = {min_bytes: 1}]; + string cluster_name = 1 [(validate.rules).string = {min_len: 1}]; // The `:authority` header in the grpc request. If this field is not set, the authority header value will be `cluster_name`. // Note that this authority does not override the SNI. The SNI is provided by the transport socket of the cluster. string authority = 2 [(validate.rules).string = - {min_bytes: 0 max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false}]; + {min_len: 0 max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false}]; } // [#next-free-field: 9] 
@@ -160,10 +160,10 @@ message GrpcService { // The path of subject token, a security token that represents the // identity of the party on behalf of whom the request is being made. - string subject_token_path = 6 [(validate.rules).string = {min_bytes: 1}]; + string subject_token_path = 6 [(validate.rules).string = {min_len: 1}]; // Type of the subject token. - string subject_token_type = 7 [(validate.rules).string = {min_bytes: 1}]; + string subject_token_type = 7 [(validate.rules).string = {min_len: 1}]; // The path of actor token, a security token that represents the identity // of the acting party. The acting party is authorized to use the @@ -230,7 +230,7 @@ message GrpcService { // The target URI when using the `Google C++ gRPC client // `_. SSL credentials will be supplied in // :ref:`channel_credentials `. - string target_uri = 1 [(validate.rules).string = {min_bytes: 1}]; + string target_uri = 1 [(validate.rules).string = {min_len: 1}]; ChannelCredentials channel_credentials = 2; @@ -247,7 +247,7 @@ message GrpcService { // // streams_total, Counter, Total number of streams opened // streams_closed_, Counter, Total streams closed with - string stat_prefix = 4 [(validate.rules).string = {min_bytes: 1}]; + string stat_prefix = 4 [(validate.rules).string = {min_len: 1}]; // The name of the Google gRPC credentials factory to use. This must have been registered with // Envoy. If this is empty, a default credentials factory will be used that sets up channel 
@@ -286,8 +286,10 @@ message GrpcService { // request. google.protobuf.Duration timeout = 3; - // Additional metadata to include in streams initiated to the GrpcService. - // This can be used for scenarios in which additional ad hoc authorization - // headers (e.g. ``x-foo-bar: baz-key``) are to be injected. + // Additional metadata to include in streams initiated to the GrpcService. This can be used for + // scenarios in which additional ad hoc authorization headers (e.g. ``x-foo-bar: baz-key``) are to + // be injected. For more information, including details on header value syntax, see the + // documentation on :ref:`custom request headers + // `. repeated HeaderValue initial_metadata = 5; } diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/health_check.proto b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/health_check.proto index c6b4acfa93..ccd4739698 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/health_check.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/health_check.proto @@ -54,7 +54,7 @@ enum HealthStatus { DEGRADED = 5; } -// [#next-free-field: 24] +// [#next-free-field: 25] message HealthCheck { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HealthCheck"; @@ -67,7 +67,7 @@ message HealthCheck { option (validate.required) = true; // Hex encoded payload. E.g., "000000FF". - string text = 1 [(validate.rules).string = {min_bytes: 1}]; + string text = 1 [(validate.rules).string = {min_len: 1}]; // [#not-implemented-hide:] Binary payload. bytes binary = 2; 
@@ -91,9 +91,8 @@ message HealthCheck { // Specifies the HTTP path that will be requested during health checking. For example // */healthcheck*. - string path = 2 [ - (validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_VALUE strict: false} - ]; + string path = 2 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}]; // [#not-implemented-hide:] HTTP specific payload. Payload send = 3; @@ -187,7 +186,7 @@ message HealthCheck { reserved "config"; // The registered name of the custom health checker. - string name = 1 [(validate.rules).string = {min_bytes: 1}]; + string name = 1 [(validate.rules).string = {min_len: 1}]; // A custom health checker specific configuration which depends on the custom health checker // being instantiated. See :api:`envoy/config/health_checker` for reference. 
@@ -285,6 +284,21 @@ message HealthCheck { // The default value for "no traffic interval" is 60 seconds. google.protobuf.Duration no_traffic_interval = 12 [(validate.rules).duration = {gt {}}]; + // The "no traffic healthy interval" is a special health check interval that + // is used for hosts that are currently passing active health checking + // (including new hosts) when the cluster has received no traffic. + // + // This is useful for when we want to send frequent health checks with + // `no_traffic_interval` but then revert to lower frequency `no_traffic_healthy_interval` once + // a host in the cluster is marked as healthy. + // + // Once a cluster has been used for traffic routing, Envoy will shift back to using the + // standard health check interval that is defined. + // + // If no_traffic_healthy_interval is not set, it will default to the + // no traffic interval and send that interval regardless of health state. + google.protobuf.Duration no_traffic_healthy_interval = 24 [(validate.rules).duration = {gt {}}]; + // The "unhealthy interval" is a health check interval that is used for hosts that are marked as // unhealthy. As soon as the host is marked as healthy, Envoy will shift back to using the // standard health check interval that is defined. diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/http_uri.proto b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/http_uri.proto index 42bcd4f615..5d1fc239e0 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/http_uri.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/http_uri.proto @@ -27,7 +27,7 @@ message HttpUri { // // uri: https://www.googleapis.com/oauth2/v1/certs // - string uri = 1 [(validate.rules).string = {min_bytes: 1}]; + string uri = 1 [(validate.rules).string = {min_len: 1}]; // Specify how `uri` is to be fetched. Today, this requires an explicit // cluster, but in the future we may support dynamic cluster creation or 
@@ -45,7 +45,7 @@ message HttpUri { // // cluster: jwks_cluster // - string cluster = 2 [(validate.rules).string = {min_bytes: 1}]; + string cluster = 2 [(validate.rules).string = {min_len: 1}]; } // Sets the maximum duration in milliseconds that a response can take to arrive upon request. diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/protocol.proto b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/protocol.proto index 3e20f3b449..5acdd010e3 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/protocol.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/protocol.proto @@ -2,6 +2,8 @@ syntax = "proto3"; package envoy.config.core.v3; +import "envoy/type/v3/percent.proto"; + import "google/protobuf/duration.proto"; import "google/protobuf/wrappers.proto"; @@ -177,7 +179,27 @@ message Http1ProtocolOptions { google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 7; } -// [#next-free-field: 15] +message KeepaliveSettings { + // Send HTTP/2 PING frames at this period, in order to test that the connection is still alive. + google.protobuf.Duration interval = 1 [(validate.rules).duration = { + required: true + gte {nanos: 1000000} + }]; + + // How long to wait for a response to a keepalive PING. If a response is not received within this + // time period, the connection will be aborted. + google.protobuf.Duration timeout = 2 [(validate.rules).duration = { + required: true + gte {nanos: 1000000} + }]; + + // A random jitter amount as a percentage of interval that will be added to each interval. + // A value of zero means there will be no jitter. + // The default value is 15%. + type.v3.Percent interval_jitter = 3; +} + +// [#next-free-field: 16] message Http2ProtocolOptions { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.Http2ProtocolOptions"; 
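Review bot: `KeepaliveSettings` is added to protocol.proto without a leading comment on the message, and `interval` and `timeout` are bounded only from below (`gte {nanos: 1000000}`) with no stated relationship between the two. A reader cannot tell what happens when `timeout` exceeds `interval`, or whether a 1 ms interval is a sensible setting towards a peer that applies its own control-frame flood limits, such as the ones documented further down in `Http2ProtocolOptions`. A message comment along the lines of `// Keepalive PING settings for an HTTP/2 connection; see Http2ProtocolOptions.connection_keepalive.`, plus a sentence on the expected ordering of the two durations, would close the gap.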
@@ -248,7 +270,8 @@ message Http2ProtocolOptions { // be written into the socket). Exceeding this limit triggers flood mitigation and connection is // terminated. The ``http2.outbound_flood`` stat tracks the number of terminated connections due // to flood mitigation. The default limit is 10000. - // [#comment:TODO: implement same limits for upstream outbound frames as well.] + // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the + // `envoy.reloadable_features.upstream_http2_flood_checks` flag. google.protobuf.UInt32Value max_outbound_frames = 7 [(validate.rules).uint32 = {gte: 1}]; // Limit the number of pending outbound downstream frames of types PING, SETTINGS and RST_STREAM, @@ -256,7 +279,8 @@ message Http2ProtocolOptions { // this limit triggers flood mitigation and connection is terminated. The // ``http2.outbound_control_flood`` stat tracks the number of terminated connections due to flood // mitigation. The default limit is 1000. - // [#comment:TODO: implement same limits for upstream outbound frames as well.] + // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the + // `envoy.reloadable_features.upstream_http2_flood_checks` flag. google.protobuf.UInt32Value max_outbound_control_frames = 8 [(validate.rules).uint32 = {gte: 1}]; // Limit the number of consecutive inbound frames of types HEADERS, CONTINUATION and DATA with an 
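Review bot: The replacement text on `max_outbound_frames` says flood and abuse mitigation for upstream connections "is presently enabled by the `envoy.reloadable_features.upstream_http2_flood_checks` flag" but not whether that flag defaults to on or off, so an operator cannot tell from the field documentation whether upstream connections are protected out of the box. The sentence should state the default explicitly, for example `// NOTE: these limits apply to upstream connections only when the envoy.reloadable_features.upstream_http2_flood_checks runtime flag is true (default: <confirm upstream>).` The same sentence is repeated for `max_outbound_control_frames`, `max_consecutive_inbound_frames_with_empty_payload`, `max_inbound_priority_frames_per_stream` and `max_inbound_window_update_frames_per_data_frame_sent` in the following hunks.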
@@ -265,7 +289,8 @@ message Http2ProtocolOptions { // stat tracks the number of connections terminated due to flood mitigation. // Setting this to 0 will terminate connection upon receiving first frame with an empty payload // and no end stream flag. The default limit is 1. - // [#comment:TODO: implement same limits for upstream inbound frames as well.] + // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the + // `envoy.reloadable_features.upstream_http2_flood_checks` flag. google.protobuf.UInt32Value max_consecutive_inbound_frames_with_empty_payload = 9; // Limit the number of inbound PRIORITY frames allowed per each opened stream. If the number @@ -276,7 +301,8 @@ message Http2ProtocolOptions { // // the connection is terminated. The ``http2.inbound_priority_frames_flood`` stat tracks // the number of connections terminated due to flood mitigation. The default limit is 100. - // [#comment:TODO: implement same limits for upstream inbound frames as well.] + // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the + // `envoy.reloadable_features.upstream_http2_flood_checks` flag. google.protobuf.UInt32Value max_inbound_priority_frames_per_stream = 10; // Limit the number of inbound WINDOW_UPDATE frames allowed per DATA frame sent. If the number 
@@ -290,7 +316,8 @@ message Http2ProtocolOptions { // the number of connections terminated due to flood mitigation. The default limit is 10. // Setting this to 1 should be enough to support HTTP/2 implementations with basic flow control, // but more complex implementations that try to estimate available bandwidth require at least 2. - // [#comment:TODO: implement same limits for upstream inbound frames as well.] + // NOTE: flood and abuse mitigation for upstream connections is presently enabled by the + // `envoy.reloadable_features.upstream_http2_flood_checks` flag. google.protobuf.UInt32Value max_inbound_window_update_frames_per_data_frame_sent = 11 [(validate.rules).uint32 = {gte: 1}]; @@ -345,6 +372,10 @@ message Http2ProtocolOptions { // `_ for // standardized identifiers. repeated SettingsParameter custom_settings_parameters = 13; + + // Send HTTP/2 PING frames to verify that the connection is still healthy. If the remote peer + // does not respond within the configured timeout, the connection will be aborted. + KeepaliveSettings connection_keepalive = 15; } // [#not-implemented-hide:] diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/substitution_format_string.proto b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/substitution_format_string.proto index d3c0915c82..10d99b878b 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/substitution_format_string.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/core/v3/substitution_format_string.proto @@ -36,7 +36,7 @@ message SubstitutionFormatString { // // upstream connect error:503:path=/foo // - string text_format = 1 [(validate.rules).string = {min_bytes: 1}]; + string text_format = 1 [(validate.rules).string = {min_len: 1}]; // Specify a format with command operators to form a JSON string. // Its details is described in :ref:`format dictionary`. 
diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/endpoint/v3/endpoint.proto b/xds/third_party/envoy/src/main/proto/envoy/config/endpoint/v3/endpoint.proto index e58c327156..214ce6c208 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/endpoint/v3/endpoint.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/endpoint/v3/endpoint.proto @@ -46,7 +46,7 @@ message ClusterLoadAssignment { "envoy.api.v2.ClusterLoadAssignment.Policy.DropOverload"; // Identifier for the policy specifying the drop. - string category = 1 [(validate.rules).string = {min_bytes: 1}]; + string category = 1 [(validate.rules).string = {min_len: 1}]; // Percentage of traffic that should be dropped for the category. type.v3.FractionalPercent drop_percentage = 2; @@ -105,7 +105,7 @@ message ClusterLoadAssignment { // ` value if specified // in the cluster :ref:`EdsClusterConfig // `. - string cluster_name = 1 [(validate.rules).string = {min_bytes: 1}]; + string cluster_name = 1 [(validate.rules).string = {min_len: 1}]; // List of endpoints to load balance to. repeated LocalityLbEndpoints endpoints = 2; diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/endpoint/v3/load_report.proto b/xds/third_party/envoy/src/main/proto/envoy/config/endpoint/v3/load_report.proto index 3f067737ec..7140ca05af 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/endpoint/v3/load_report.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/endpoint/v3/load_report.proto 
@@ -129,14 +129,14 @@ message ClusterStats { "envoy.api.v2.endpoint.ClusterStats.DroppedRequests"; // Identifier for the policy specifying the drop. - string category = 1 [(validate.rules).string = {min_bytes: 1}]; + string category = 1 [(validate.rules).string = {min_len: 1}]; // Total number of deliberately dropped requests for the category. uint64 dropped_count = 2; } // The name of the cluster. - string cluster_name = 1 [(validate.rules).string = {min_bytes: 1}]; + string cluster_name = 1 [(validate.rules).string = {min_len: 1}]; // The eds_cluster_config service_name of the cluster. // It's possible that two clusters send the same service_name to EDS, diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto b/xds/third_party/envoy/src/main/proto/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto index 06b13acb2f..c05032df21 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto @@ -586,6 +586,10 @@ message ScopedRoutes { } // The name of the header field to extract the value from. + // + // .. note:: + // + // If the header appears multiple times only the first value is used. string name = 1 [(validate.rules).string = {min_bytes: 1}]; // The element separator (e.g., ';' separates 'a;b;c;d'). diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/listener.proto b/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/listener.proto index dab0eb1ce6..beb5cd16f6 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/listener.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/listener.proto 
@@ -15,7 +15,7 @@ import "google/api/annotations.proto"; import "google/protobuf/duration.proto"; import "google/protobuf/wrappers.proto"; -import "udpa/core/v1/collection_entry.proto"; +import "xds/core/v3/collection_entry.proto"; import "udpa/annotations/security.proto"; import "udpa/annotations/status.proto"; @@ -33,10 +33,10 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // Listener list collections. Entries are *Listener* resources or references. // [#not-implemented-hide:] message ListenerCollection { - repeated udpa.core.v1.CollectionEntry entries = 1; + repeated xds.core.v3.CollectionEntry entries = 1; } -// [#next-free-field: 25] +// [#next-free-field: 26] message Listener { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Listener"; @@ -116,6 +116,10 @@ message Listener { // :ref:`FAQ entry `. repeated FilterChain filter_chains = 3; + // The default filter chain if none of the filter chain matches. If no default filter chain is supplied, + // the connection will be closed. The filter chain match is ignored in this field. + FilterChain default_filter_chain = 25; + // Soft limit on size of the listener’s new connection read and write buffers. // If unspecified, an implementation defined default is applied (1MiB). google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5 diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/listener_components.proto b/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/listener_components.proto index 8a22fbc97f..c389c841e0 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/listener_components.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/listener/v3/listener_components.proto 
@@ -32,7 +32,7 @@ message Filter { // The name of the filter to instantiate. The name must match a // :ref:`supported filter `. - string name = 1 [(validate.rules).string = {min_bytes: 1}]; + string name = 1 [(validate.rules).string = {min_len: 1}]; // Filter specific configuration which depends on the filter being // instantiated. See the supported filters for further documentation. @@ -65,6 +65,18 @@ message Filter { // ``www.example.com``, then ``*.example.com``, then ``*.com``, then any filter // chain without ``server_names`` requirements). // +// A different way to reason about the filter chain matches: +// Suppose there exists N filter chains. Prune the filter chain set using the above 8 steps. +// In each step, filter chains which most specifically matches the attributes continue to the next step. +// The listener guarantees at most 1 filter chain is left after all of the steps. +// +// Example: +// +// For destination port, filter chains specifying the destination port of incoming traffic are the +// most specific match. If none of the filter chains specifies the exact destination port, the filter +// chains which do not specify ports are the most specific match. Filter chains specifying the +// wrong port can never be the most specific match. +// // [#comment: Implemented rules are kept in the preference order, with deprecated fields // listed at the end, because that's how we want to list them in the docs. // @@ -168,7 +180,7 @@ message FilterChainMatch { // A filter chain wraps a set of match criteria, an option TLS context, a set of filters, and // various other parameters. -// [#next-free-field: 9] +// [#next-free-field: 10] message FilterChain { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.listener.FilterChain"; 
@@ -218,6 +230,11 @@ message FilterChain { // will be set up with plaintext. core.v3.TransportSocket transport_socket = 6; + // If present and nonzero, the amount of time to allow incoming connections to complete any + // transport socket negotiations. If this expires before the transport reports connection + // establishment, the connection is summarily closed. + google.protobuf.Duration transport_socket_connect_timeout = 9; + // [#not-implemented-hide:] The unique name (or empty) by which this filter chain is known. If no // name is provided, Envoy will allocate an internal UUID for the filter chain. If the filter // chain is to be dynamically updated or removed via FCDS a unique name must be provided. @@ -303,7 +320,7 @@ message ListenerFilter { // The name of the filter to instantiate. The name must match a // :ref:`supported filter `. - string name = 1 [(validate.rules).string = {min_bytes: 1}]; + string name = 1 [(validate.rules).string = {min_len: 1}]; // Filter specific configuration which depends on the filter being instantiated. // See the supported filters for further documentation. diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/route/v3/route_components.proto b/xds/third_party/envoy/src/main/proto/envoy/config/route/v3/route_components.proto index bd040ee31a..62633012cf 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/route/v3/route_components.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/route/v3/route_components.proto @@ -60,7 +60,7 @@ message VirtualHost { // The logical name of the virtual host. This is used when emitting certain // statistics but is not relevant for routing. - string name = 1 [(validate.rules).string = {min_bytes: 1}]; + string name = 1 [(validate.rules).string = {min_len: 1}]; // A list of domains (host/authority header) that will be matched to this // virtual host. Wildcard hosts are supported in the suffix or prefix form. 
@@ -113,7 +113,7 @@ message VirtualHost { // Specifies a list of HTTP headers that should be removed from each request // handled by this virtual host. repeated string request_headers_to_remove = 13 [(validate.rules).repeated = { - items {string {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} + items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} }]; // Specifies a list of HTTP headers that should be added to each response @@ -128,7 +128,7 @@ message VirtualHost { // Specifies a list of HTTP headers that should be removed from each response // handled by this virtual host. repeated string response_headers_to_remove = 11 [(validate.rules).repeated = { - items {string {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} + items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} }]; // Indicates that the virtual host has a CORS policy. @@ -263,7 +263,7 @@ message Route { // Specifies a list of HTTP headers that should be removed from each request // matching this route. repeated string request_headers_to_remove = 12 [(validate.rules).repeated = { - items {string {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} + items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} }]; // Specifies a set of headers that will be added to responses to requests @@ -278,7 +278,7 @@ message Route { // Specifies a list of HTTP headers that should be removed from each response // to requests matching this route. repeated string response_headers_to_remove = 11 [(validate.rules).repeated = { - items {string {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} + items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} }]; // Presence of the object defines whether the connection manager's tracing configuration 
@@ -311,7 +311,7 @@ message WeightedCluster { // Name of the upstream cluster. The cluster must exist in the // :ref:`cluster manager configuration `. - string name = 1 [(validate.rules).string = {min_bytes: 1}]; + string name = 1 [(validate.rules).string = {min_len: 1}]; // An integer between 0 and :ref:`total_weight // `. When a request matches the route, @@ -591,7 +591,7 @@ message RouteAction { // Specifies the cluster that requests will be mirrored to. The cluster must // exist in the cluster manager configuration. - string cluster = 1 [(validate.rules).string = {min_bytes: 1}]; + string cluster = 1 [(validate.rules).string = {min_len: 1}]; // If not specified, all requests to the target cluster will be mirrored. // @@ -620,9 +620,8 @@ message RouteAction { // The name of the request header that will be used to obtain the hash // key. If the request header is not present, no hash will be produced. - string header_name = 1 [ - (validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false} - ]; + string header_name = 1 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; // If specified, the request header value will be rewritten and used // to produce the hash key. @@ -650,7 +649,7 @@ message RouteAction { // The name of the cookie that will be used to obtain the hash key. If the // cookie is not present and ttl below is not set, no hash will be // produced. - string name = 1 [(validate.rules).string = {min_bytes: 1}]; + string name = 1 [(validate.rules).string = {min_len: 1}]; // If specified, a cookie with the TTL will be generated if the cookie is // not present. If the TTL is present and zero, the generated cookie will 
@@ -677,7 +676,7 @@ message RouteAction { // The name of the URL query parameter that will be used to obtain the hash // key. If the parameter is not present, no hash will be produced. Query // parameter names are case-sensitive. - string name = 1 [(validate.rules).string = {min_bytes: 1}]; + string name = 1 [(validate.rules).string = {min_len: 1}]; } message FilterState { @@ -687,7 +686,7 @@ message RouteAction { // The name of the Object in the per-request filterState, which is an // Envoy::Http::Hashable object. If there is no data associated with the key, // or the stored object is not Envoy::Http::Hashable, no hash will be produced. - string key = 1 [(validate.rules).string = {min_bytes: 1}]; + string key = 1 [(validate.rules).string = {min_len: 1}]; } oneof policy_specifier { @@ -752,7 +751,7 @@ message RouteAction { // For each upgrade type present in upgrade_configs, requests with // Upgrade: [upgrade_type] will be proxied upstream. string upgrade_type = 1 - [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}]; // Determines if upgrades are available on this route. Defaults to true. google.protobuf.BoolValue enabled = 2; @@ -764,14 +763,15 @@ message RouteAction { ConnectConfig connect_config = 3; } - // [#not-implemented-hide:] message MaxStreamDuration { // Specifies the maximum duration allowed for streams on the route. If not specified, the value // from the :ref:`max_stream_duration // ` field in // :ref:`HttpConnectionManager.common_http_protocol_options // ` - // is used. + // is used. If this field is set explicitly to zero, any + // HttpConnectionManager max_stream_duration timeout will be disabled for + // this route. google.protobuf.Duration max_stream_duration = 1; // If present, and the request contains a `grpc-timeout header 
@@ -798,7 +798,7 @@ message RouteAction { // Indicates the upstream cluster to which the request should be routed // to. - string cluster = 1 [(validate.rules).string = {min_bytes: 1}]; + string cluster = 1 [(validate.rules).string = {min_len: 1}]; // Envoy will determine the cluster to route to by reading the value of the // HTTP header named by cluster_header from the request headers. If the @@ -809,8 +809,12 @@ message RouteAction { // // Internally, Envoy always uses the HTTP/2 *:authority* header to represent the HTTP/1 // *Host* header. Thus, if attempting to match on *Host*, match on *:authority* instead. + // + // .. note:: + // + // If the header appears multiple times only the first value is used. string cluster_header = 2 - [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; // Multiple upstream clusters can be specified for a given route. The // request is routed to one of the upstream clusters based on weights @@ -917,6 +921,10 @@ message RouteAction { // // Pay attention to the potential security implications of using this option. Provided header // must come from trusted source. + // + // .. note:: + // + // If the header appears multiple times only the first value is used. string host_rewrite_header = 29 [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; @@ -969,6 +977,10 @@ message RouteAction { // fires, the stream is terminated with a 408 Request Timeout error code if no // upstream response header has been received, otherwise a stream reset // occurs. + // + // If the :ref:`overload action ` "envoy.overload_actions.reduce_timeouts" + // is configured, this timeout is scaled according to the value for + // :ref:`HTTP_DOWNSTREAM_CONNECTION_IDLE `. google.protobuf.Duration idle_timeout = 24; // Indicates that the route has a retry policy. Note that if this is set, 
@@ -1018,6 +1030,7 @@ message RouteAction { // Indicates that the route has a CORS policy. CorsPolicy cors = 17; + // Deprecated by :ref:`grpc_timeout_header_max ` // If present, and the request is a gRPC request, use the // `grpc-timeout header `_, // or its default value (infinity) instead of @@ -1037,8 +1050,9 @@ message RouteAction { // :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms`, // :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms`, and the // :ref:`retry overview `. - google.protobuf.Duration max_grpc_timeout = 23; + google.protobuf.Duration max_grpc_timeout = 23 [deprecated = true]; + // Deprecated by :ref:`grpc_timeout_header_offset `. // If present, Envoy will adjust the timeout provided by the `grpc-timeout` header by subtracting // the provided duration from the header. This is useful in allowing Envoy to set its global // timeout to be less than that of the deadline imposed by the calling client, which makes it more @@ -1046,7 +1060,7 @@ message RouteAction { // The offset will only be applied if the provided grpc_timeout is greater than the offset. This // ensures that the offset will only ever decrease the timeout and never set it to 0 (meaning // infinity). - google.protobuf.Duration grpc_timeout_offset = 28; + google.protobuf.Duration grpc_timeout_offset = 28 [deprecated = true]; repeated UpgradeConfig upgrade_configs = 25; @@ -1080,7 +1094,6 @@ message RouteAction { HedgePolicy hedge_policy = 27; // Specifies the maximum stream duration for this route. - // [#not-implemented-hide:] MaxStreamDuration max_stream_duration = 36; } @@ -1102,7 +1115,7 @@ message RetryPolicy { reserved "config"; - string name = 1 [(validate.rules).string = {min_bytes: 1}]; + string name = 1 [(validate.rules).string = {min_len: 1}]; oneof config_type { google.protobuf.Any typed_config = 3; 
@@ -1117,7 +1130,7 @@ message RetryPolicy { reserved "config"; - string name = 1 [(validate.rules).string = {min_bytes: 1}]; + string name = 1 [(validate.rules).string = {min_len: 1}]; oneof config_type { google.protobuf.Any typed_config = 3; @@ -1145,9 +1158,15 @@ message RetryPolicy { } message ResetHeader { + // The name of the reset header. + // + // .. note:: + // + // If the header appears multiple times only the first value is used. string name = 1 - [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + // The format of the reset header. ResetHeaderFormat format = 2 [(validate.rules).enum = {defined_only: true}]; } @@ -1413,7 +1432,7 @@ message Decorator { // For ingress (inbound) requests, or egress (outbound) responses, this value may be overridden // by the :ref:`x-envoy-decorator-operation // ` header. - string operation = 1 [(validate.rules).string = {min_bytes: 1}]; + string operation = 1 [(validate.rules).string = {min_len: 1}]; // Whether the decorated details should be propagated to the other party. The default is true. google.protobuf.BoolValue propagate = 2; @@ -1488,14 +1507,14 @@ message VirtualCluster { // Specifies the name of the virtual cluster. The virtual cluster name as well // as the virtual host name are used when emitting statistics. The statistics are emitted by the // router filter and are documented :ref:`here `. - string name = 2 [(validate.rules).string = {min_bytes: 1}]; + string name = 2 [(validate.rules).string = {min_len: 1}]; } // Global rate limiting :ref:`architecture overview `. message RateLimit { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RateLimit"; - // [#next-free-field: 8] + // [#next-free-field: 9] message Action { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RateLimit.Action"; 
@@ -1546,12 +1565,11 @@ message RateLimit { // The header name to be queried from the request headers. The header’s // value is used to populate the value of the descriptor entry for the // descriptor_key. - string header_name = 1 [ - (validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false} - ]; + string header_name = 1 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; // The key to use in the descriptor entry. - string descriptor_key = 2 [(validate.rules).string = {min_bytes: 1}]; + string descriptor_key = 2 [(validate.rules).string = {min_len: 1}]; // If set to true, Envoy skips the descriptor while calling rate limiting service // when header is not present in the request. By default it skips calling the @@ -1580,7 +1598,7 @@ message RateLimit { "envoy.api.v2.route.RateLimit.Action.GenericKey"; // The value to use in the descriptor entry. - string descriptor_value = 1 [(validate.rules).string = {min_bytes: 1}]; + string descriptor_value = 1 [(validate.rules).string = {min_len: 1}]; // An optional key to use in the descriptor entry. If not set it defaults // to 'generic_key' as the descriptor key. @@ -1597,7 +1615,7 @@ message RateLimit { "envoy.api.v2.route.RateLimit.Action.HeaderValueMatch"; // The value to use in the descriptor entry. - string descriptor_value = 1 [(validate.rules).string = {min_bytes: 1}]; + string descriptor_value = 1 [(validate.rules).string = {min_len: 1}]; // If set to true, the action will append a descriptor entry when the // request matches the headers. If set to false, the action will append a 
@@ -1613,14 +1631,18 @@ message RateLimit { repeated HeaderMatcher headers = 3 [(validate.rules).repeated = {min_items: 1}]; } - // The following descriptor entry is appended when the dynamic metadata contains a key value: + // The following descriptor entry is appended when the + // :ref:`dynamic metadata ` contains a key value: // // .. code-block:: cpp // - // ("", "") + // ("", "") + // + // .. attention:: + // This action has been deprecated in favor of the :ref:`metadata ` action message DynamicMetaData { // The key to use in the descriptor entry. - string descriptor_key = 1 [(validate.rules).string = {min_bytes: 1}]; + string descriptor_key = 1 [(validate.rules).string = {min_len: 1}]; // Metadata struct that defines the key and path to retrieve the string value. A match will // only happen if the value in the dynamic metadata is of type string. @@ -1631,6 +1653,35 @@ message RateLimit { string default_value = 3; } + // The following descriptor entry is appended when the metadata contains a key value: + // + // .. code-block:: cpp + // + // ("", "") + message MetaData { + enum Source { + // Query :ref:`dynamic metadata ` + DYNAMIC = 0; + + // Query :ref:`route entry metadata ` + ROUTE_ENTRY = 1; + } + + // The key to use in the descriptor entry. + string descriptor_key = 1 [(validate.rules).string = {min_len: 1}]; + + // Metadata struct that defines the key and path to retrieve the string value. A match will + // only happen if the value in the metadata is of type string. + type.metadata.v3.MetadataKey metadata_key = 2 [(validate.rules).message = {required: true}]; + + // An optional value to use if *metadata_key* is empty. If not set and + // no value is present under the metadata_key then no descriptor is generated. + string default_value = 3; + + // Source of metadata + Source source = 4 [(validate.rules).enum = {defined_only: true}]; + } + oneof action_specifier { option (validate.required) = true; 
@@ -1653,7 +1704,14 @@ message RateLimit { HeaderValueMatch header_value_match = 6; // Rate limit on dynamic metadata. - DynamicMetaData dynamic_metadata = 7; + // + // .. attention:: + // This field has been deprecated in favor of the :ref:`metadata ` field + DynamicMetaData dynamic_metadata = 7 + [deprecated = true, (envoy.annotations.disallowed_by_default) = true]; + + // Rate limit on metadata. + MetaData metadata = 8; } } @@ -1736,7 +1794,7 @@ message HeaderMatcher { // Specifies the name of the header in the request. string name = 1 - [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; // Specifies how the header match will be performed to route the request. oneof header_match_specifier { @@ -1771,7 +1829,7 @@ message HeaderMatcher { // Examples: // // * The prefix *abcd* matches the value *abcdxyz*, but not for *abcxyz*. - string prefix_match = 9 [(validate.rules).string = {min_bytes: 1}]; + string prefix_match = 9 [(validate.rules).string = {min_len: 1}]; // If specified, header match will be performed based on the suffix of the header value. // Note: empty suffix is not allowed, please use present_match instead. @@ -1779,7 +1837,7 @@ message HeaderMatcher { // Examples: // // * The suffix *abcd* matches the value *xyzabcd*, but not for *xyzbcd*. - string suffix_match = 10 [(validate.rules).string = {min_bytes: 1}]; + string suffix_match = 10 [(validate.rules).string = {min_len: 1}]; // If specified, header match will be performed based on whether the header value contains // the given value or not. 
@@ -1788,7 +1846,7 @@ message HeaderMatcher { // Examples: // // * The value *abcd* matches the value *xyzabcdpqr*, but not for *xyzbcdpqr*. - string contains_match = 12 [(validate.rules).string = {min_bytes: 1}]; + string contains_match = 12 [(validate.rules).string = {min_len: 1}]; } // If specified, the match result will be inverted before checking. Defaults to false. @@ -1813,7 +1871,7 @@ message QueryParameterMatcher { // Specifies the name of a key that must be present in the requested // *path*'s query string. - string name = 1 [(validate.rules).string = {min_bytes: 1 max_bytes: 1024}]; + string name = 1 [(validate.rules).string = {min_len: 1 max_bytes: 1024}]; oneof query_parameter_match_specifier { // Specifies whether a query parameter value should match against a string. diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/route/v3/scoped_route.proto b/xds/third_party/envoy/src/main/proto/envoy/config/route/v3/scoped_route.proto index d6611b0b1d..b7e3aa66e0 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/route/v3/scoped_route.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/route/v3/scoped_route.proto @@ -108,12 +108,12 @@ message ScopedRouteConfiguration { bool on_demand = 4; // The name assigned to the routing scope. - string name = 1 [(validate.rules).string = {min_bytes: 1}]; + string name = 1 [(validate.rules).string = {min_len: 1}]; // The resource name to use for a :ref:`envoy_api_msg_service.discovery.v3.DiscoveryRequest` to an // RDS server to fetch the :ref:`envoy_api_msg_config.route.v3.RouteConfiguration` associated // with this scope. - string route_configuration_name = 2 [(validate.rules).string = {min_bytes: 1}]; + string route_configuration_name = 2 [(validate.rules).string = {min_len: 1}]; // The key to match against. Key key = 3 [(validate.rules).message = {required: true}]; 
diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/trace/v3/datadog.proto b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v3/datadog.proto index f1fe3e6661..c101ab2f03 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/trace/v3/datadog.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v3/datadog.proto @@ -22,8 +22,8 @@ message DatadogConfig { "envoy.config.trace.v2.DatadogConfig"; // The cluster to use for submitting traces to the Datadog agent. - string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}]; + string collector_cluster = 1 [(validate.rules).string = {min_len: 1}]; // The name used for the service when traces are generated by envoy. - string service_name = 2 [(validate.rules).string = {min_bytes: 1}]; + string service_name = 2 [(validate.rules).string = {min_len: 1}]; } diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/trace/v3/dynamic_ot.proto b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v3/dynamic_ot.proto index fb372da8c5..c281068715 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/trace/v3/dynamic_ot.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v3/dynamic_ot.proto @@ -28,7 +28,7 @@ message DynamicOtConfig { // Dynamic library implementing the `OpenTracing API // `_. - string library = 1 [(validate.rules).string = {min_bytes: 1}]; + string library = 1 [(validate.rules).string = {min_len: 1}]; // The configuration to use when creating a tracer from the given dynamic // library. diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/trace/v3/http_tracer.proto b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v3/http_tracer.proto index 2a87a28db2..33adea18a4 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/trace/v3/http_tracer.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v3/http_tracer.proto 
@@ -52,7 +52,7 @@ message Tracing { // - *envoy.tracers.datadog* // - *envoy.tracers.opencensus* // - *envoy.tracers.xray* - string name = 1 [(validate.rules).string = {min_bytes: 1}]; + string name = 1 [(validate.rules).string = {min_len: 1}]; // Trace driver specific configuration which depends on the driver being instantiated. // See the trace drivers for examples: diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/trace/v3/lightstep.proto b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v3/lightstep.proto index 0e0b60b5bd..0b7be7c4e6 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/trace/v3/lightstep.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v3/lightstep.proto @@ -38,11 +38,11 @@ message LightstepConfig { } // The cluster manager cluster that hosts the LightStep collectors. - string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}]; + string collector_cluster = 1 [(validate.rules).string = {min_len: 1}]; // File containing the access token to the `LightStep // `_ API. - string access_token_file = 2 [(validate.rules).string = {min_bytes: 1}]; + string access_token_file = 2 [(validate.rules).string = {min_len: 1}]; // Propagation modes to use by LightStep's tracer. repeated PropagationMode propagation_modes = 3 diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/trace/v3/zipkin.proto b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v3/zipkin.proto index 5c5349cdf1..928e139831 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/config/trace/v3/zipkin.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/config/trace/v3/zipkin.proto 
@@ -46,15 +46,13 @@ message ZipkinConfig { GRPC = 3; } - // The cluster manager cluster that hosts the Zipkin collectors. Note that the - // Zipkin cluster must be defined in the :ref:`Bootstrap static cluster - // resources `. - string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}]; + // The cluster manager cluster that hosts the Zipkin collectors. + string collector_cluster = 1 [(validate.rules).string = {min_len: 1}]; // The API endpoint of the Zipkin service where the spans will be sent. When // using a standard Zipkin installation, the API endpoint is typically // /api/v1/spans, which is the default value. - string collector_endpoint = 2 [(validate.rules).string = {min_bytes: 1}]; + string collector_endpoint = 2 [(validate.rules).string = {min_len: 1}]; // Determines whether a 128bit trace id will be used when creating a new // trace instance. The default value is false, which will result in a 64 bit trace id being used. diff --git a/xds/third_party/envoy/src/main/proto/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto b/xds/third_party/envoy/src/main/proto/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto index a715a51dbf..2f30e95f34 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto @@ -19,7 +19,7 @@ import "google/protobuf/duration.proto"; import "google/protobuf/struct.proto"; import "google/protobuf/wrappers.proto"; -import "udpa/core/v1/resource_locator.proto"; +import "xds/core/v3/resource_locator.proto"; import "envoy/annotations/deprecation.proto"; import "udpa/annotations/migrate.proto"; 
@@ -37,7 +37,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE; // HTTP connection manager :ref:`configuration overview `. // [#extension: envoy.filters.network.http_connection_manager] -// [#next-free-field: 41] +// [#next-free-field: 42] message HttpConnectionManager { option (udpa.annotations.versioning).previous_message_type = "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"; @@ -252,7 +252,7 @@ message HttpConnectionManager { // The human readable prefix to use when emitting statistics for the // connection manager. See the :ref:`statistics documentation ` for // more information. - string stat_prefix = 2 [(validate.rules).string = {min_bytes: 1}]; + string stat_prefix = 2 [(validate.rules).string = {min_len: 1}]; oneof route_specifier { option (validate.required) = true; @@ -360,6 +360,14 @@ message HttpConnectionManager { google.protobuf.Duration request_timeout = 28 [(udpa.annotations.security).configure_for_untrusted_downstream = true]; + // The amount of time that Envoy will wait for the request headers to be received. The timer is + // activated when the first byte of the headers is received, and is disarmed when the last byte of + // the headers has been received. If not specified or set to 0, this timeout is disabled. + google.protobuf.Duration request_headers_timeout = 41 [ + (validate.rules).duration = {gte {}}, + (udpa.annotations.security).configure_for_untrusted_downstream = true + ]; + // The time that Envoy will wait between sending an HTTP/2 “shutdown // notification” (GOAWAY frame with max stream ID) and a final GOAWAY frame. // This is used so that Envoy provides a grace period for new streams that 
@@ -648,7 +656,7 @@ message Rds { // Resource locator for RDS. This is mutually exclusive to *route_config_name*. // [#not-implemented-hide:] - udpa.core.v1.ResourceLocator rds_resource_locator = 3 + xds.core.v3.ResourceLocator rds_resource_locator = 3 [(udpa.annotations.field_migrate).oneof_promotion = "name_specifier"]; } @@ -718,14 +726,18 @@ message ScopedRoutes { // If an element contains no separator, the whole element is parsed as key and the // fragment value is an empty string. // If there are multiple values for a matched key, the first value is returned. - string separator = 1 [(validate.rules).string = {min_bytes: 1}]; + string separator = 1 [(validate.rules).string = {min_len: 1}]; // The key to match on. - string key = 2 [(validate.rules).string = {min_bytes: 1}]; + string key = 2 [(validate.rules).string = {min_len: 1}]; } // The name of the header field to extract the value from. - string name = 1 [(validate.rules).string = {min_bytes: 1}]; + // + // .. note:: + // + // If the header appears multiple times only the first value is used. + string name = 1 [(validate.rules).string = {min_len: 1}]; // The element separator (e.g., ';' separates 'a;b;c;d'). // Default: empty string. This causes the entirety of the header field to be extracted. @@ -759,7 +771,7 @@ message ScopedRoutes { } // The name assigned to the scoped routing configuration. - string name = 1 [(validate.rules).string = {min_bytes: 1}]; + string name = 1 [(validate.rules).string = {min_len: 1}]; // The algorithm to use for constructing a scope key for each request. ScopeKeyBuilder scope_key_builder = 2 [(validate.rules).message = {required: true}]; 
@@ -809,7 +821,7 @@ message HttpFilter { // The name of the filter configuration. The name is used as a fallback to // select an extension if the type of the configuration proto is not // sufficient. It also serves as a resource name in ExtensionConfigDS. - string name = 1 [(validate.rules).string = {min_bytes: 1}]; + string name = 1 [(validate.rules).string = {min_len: 1}]; oneof config_type { // Filter specific configuration which depends on the filter being instantiated. See the supported diff --git a/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/common.proto b/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/common.proto index 3ba4e198bf..2b545b35ee 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/common.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/common.proto @@ -120,7 +120,7 @@ message PrivateKeyProvider { // Private key method provider name. The name must match a // supported private key method provider type. - string provider_name = 1 [(validate.rules).string = {min_bytes: 1}]; + string provider_name = 1 [(validate.rules).string = {min_len: 1}]; // Private key method provider specific configuration. oneof config_type { 
@@ -128,16 +128,37 @@ message PrivateKeyProvider { } } -// [#next-free-field: 7] +// [#next-free-field: 8] message TlsCertificate { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.TlsCertificate"; // The TLS certificate chain. + // + // If *certificate_chain* is a filesystem path, a watch will be added to the + // parent directory for any file moves to support rotation. This currently + // only applies to dynamic secrets, when the *TlsCertificate* is delivered via + // SDS. config.core.v3.DataSource certificate_chain = 1; // The TLS private key. + // + // If *private_key* is a filesystem path, a watch will be added to the parent + // directory for any file moves to support rotation. This currently only + // applies to dynamic secrets, when the *TlsCertificate* is delivered via SDS. config.core.v3.DataSource private_key = 2 [(udpa.annotations.sensitive) = true]; + // If specified, updates of file-based *certificate_chain* and *private_key* + // sources will be triggered by this watch. The certificate/key pair will be + // read together and validated for atomic read consistency (i.e. no + // intervening modification occurred between cert/key read, verified by file + // hash comparisons). This allows explicit control over the path watched, by + // default the parent directories of the filesystem paths in + // *certificate_chain* and *private_key* are watched if this field is not + // specified. This only applies when a *TlsCertificate* is delivered by SDS + // with references to filesystem paths. See the :ref:`SDS key rotation + // ` documentation for further details. + config.core.v3.WatchedDirectory watched_directory = 7; + // BoringSSL private key method provider. This is an alternative to :ref:`private_key // ` field. This can't be // marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key 
@@ -191,7 +212,7 @@ message TlsSessionTicketKeys { [(validate.rules).repeated = {min_items: 1}, (udpa.annotations.sensitive) = true]; } -// [#next-free-field: 11] +// [#next-free-field: 12] message CertificateValidationContext { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CertificateValidationContext"; @@ -233,8 +254,22 @@ message CertificateValidationContext { // // See :ref:`the TLS overview ` for a list of common // system CA locations. + // + // If *trusted_ca* is a filesystem path, a watch will be added to the parent + // directory for any file moves to support rotation. This currently only + // applies to dynamic secrets, when the *CertificateValidationContext* is + // delivered via SDS. config.core.v3.DataSource trusted_ca = 1; + // If specified, updates of a file-based *trusted_ca* source will be triggered + // by this watch. This allows explicit control over the path watched, by + // default the parent directory of the filesystem path in *trusted_ca* is + // watched if this field is not specified. This only applies when a + // *CertificateValidationContext* is delivered by SDS with references to + // filesystem paths. See the :ref:`SDS key rotation ` + // documentation for further details. + config.core.v3.WatchedDirectory watched_directory = 11; + // An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the // SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate // matches one of the specified values. 
@@ -266,7 +301,7 @@ message CertificateValidationContext { // because SPKI is tied to a private key, so it doesn't change when the certificate // is renewed using the same private key. repeated string verify_certificate_spki = 3 - [(validate.rules).repeated = {items {string {min_bytes: 44 max_bytes: 44}}}]; + [(validate.rules).repeated = {items {string {min_len: 44 max_bytes: 44}}}]; // An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that // the SHA-256 of the DER-encoded presented certificate matches one of the specified values. @@ -295,10 +330,10 @@ message CertificateValidationContext { // ` are specified, // a hash matching value from either of the lists will result in the certificate being accepted. repeated string verify_certificate_hash = 2 - [(validate.rules).repeated = {items {string {min_bytes: 64 max_bytes: 95}}}]; + [(validate.rules).repeated = {items {string {min_len: 64 max_bytes: 95}}}]; - // An optional list of Subject Alternative name matchers. Envoy will verify that the - // Subject Alternative Name of the presented certificate matches one of the specified matches. + // An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the + // Subject Alternative Name of the presented certificate matches one of the specified matchers. // // When a certificate has wildcard DNS SAN entries, to match a specific client, it should be // configured with exact match type in the :ref:`string matcher `. diff --git a/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/secret.proto b/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/secret.proto index 80c68a56f5..86f123be07 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/secret.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/secret.proto 
@@ -6,12 +6,13 @@ import "envoy/config/core/v3/base.proto"; import "envoy/config/core/v3/config_source.proto"; import "envoy/extensions/transport_sockets/tls/v3/common.proto"; -import "udpa/core/v1/resource_locator.proto"; +import "xds/core/v3/resource_locator.proto"; import "udpa/annotations/migrate.proto"; import "udpa/annotations/sensitive.proto"; import "udpa/annotations/status.proto"; import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3"; option java_outer_classname = "SecretProto"; @@ -33,11 +34,14 @@ message SdsSecretConfig { // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to. // When both name and config are specified, then secret can be fetched and/or reloaded via // SDS. When only name is specified, then secret will be loaded from static resources. - string name = 1 [(udpa.annotations.field_migrate).oneof_promotion = "name_specifier"]; + string name = 1 [ + (validate.rules).string = {min_len: 1}, + (udpa.annotations.field_migrate).oneof_promotion = "name_specifier" + ]; // Resource locator for SDS. This is mutually exclusive to *name*. // [#not-implemented-hide:] - udpa.core.v1.ResourceLocator sds_resource_locator = 3 + xds.core.v3.ResourceLocator sds_resource_locator = 3 [(udpa.annotations.field_migrate).oneof_promotion = "name_specifier"]; config.core.v3.ConfigSource sds_config = 2; diff --git a/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/tls.proto b/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/tls.proto index ab716a6a42..e11b269197 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/tls.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/extensions/transport_sockets/tls/v3/tls.proto 
@@ -135,7 +135,7 @@ message CommonTlsContext { message CertificateProvider { // opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify // a root-certificate (validation context) or "TLS" to specify a new tls-certificate. - string name = 1 [(validate.rules).string = {min_bytes: 1}]; + string name = 1 [(validate.rules).string = {min_len: 1}]; // Provider specific config. // Note: an implementation is expected to dedup multiple instances of the same config diff --git a/xds/third_party/envoy/src/main/proto/envoy/service/discovery/v3/discovery.proto b/xds/third_party/envoy/src/main/proto/envoy/service/discovery/v3/discovery.proto index 4047953921..c35c5595fc 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/service/discovery/v3/discovery.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/service/discovery/v3/discovery.proto @@ -5,10 +5,11 @@ package envoy.service.discovery.v3; import "envoy/config/core/v3/base.proto"; import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; import "google/rpc/status.proto"; -import "udpa/core/v1/resource_locator.proto"; -import "udpa/core/v1/resource_name.proto"; +import "xds/core/v3/resource_locator.proto"; +import "xds/core/v3/resource_name.proto"; import "udpa/annotations/migrate.proto"; import "udpa/annotations/status.proto"; @@ -153,8 +154,8 @@ message DeltaDiscoveryRequest { // Type of the resource that is being requested, e.g. // "type.googleapis.com/envoy.api.v2.ClusterLoadAssignment". This does not need to be set if - // resources are only referenced via *udpa_resource_subscribe* and - // *udpa_resources_unsubscribe*. + // resources are only referenced via *xds_resource_subscribe* and + // *xds_resources_unsubscribe*. string type_url = 2; // DeltaDiscoveryRequests allow the client to add or remove individual 
@@ -181,20 +182,20 @@ message DeltaDiscoveryRequest { repeated string resource_names_subscribe = 3; // As with *resource_names_subscribe* but used when subscribing to resources indicated - // by a *udpa.core.v1.ResourceLocator*. The directives in the resource locator + // by a *xds.core.v3.ResourceLocator*. The directives in the resource locator // are ignored and the context parameters are matched with // *context_param_specifier* specific semantics. // [#not-implemented-hide:] - repeated udpa.core.v1.ResourceLocator udpa_resources_subscribe = 8; + repeated xds.core.v3.ResourceLocator xds_resources_subscribe = 8; // A list of Resource names to remove from the list of tracked resources. repeated string resource_names_unsubscribe = 4; // As with *resource_names_unsubscribe* but used when unsubscribing to resources indicated by a - // *udpa.core.v1.ResourceLocator*. This must match a previously subscribed - // resource locator provided in *udpa_resources_subscribe*. + // *xds.core.v3.ResourceLocator*. This must match a previously subscribed + // resource locator provided in *xds_resources_subscribe*. // [#not-implemented-hide:] - repeated udpa.core.v1.ResourceLocator udpa_resources_unsubscribe = 9; + repeated xds.core.v3.ResourceLocator xds_resources_unsubscribe = 9; // Informs the server of the versions of the resources the xDS client knows of, to enable the // client to continue the same logical xDS session even in the face of gRPC stream reconnection. 
@@ -243,24 +244,33 @@ message DeltaDiscoveryResponse { repeated string removed_resources = 6; // As with *removed_resources* but used when a removed resource was named in - // its *Resource*s with a *udpa.core.v1.ResourceName*. + // its *Resource*s with a *xds.core.v3.ResourceName*. // [#not-implemented-hide:] - repeated udpa.core.v1.ResourceName udpa_removed_resources = 7; + repeated xds.core.v3.ResourceName udpa_removed_resources = 7; // The nonce provides a way for DeltaDiscoveryRequests to uniquely // reference a DeltaDiscoveryResponse when (N)ACKing. The nonce is required. string nonce = 5; } -// [#next-free-field: 6] +// [#next-free-field: 8] message Resource { option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Resource"; + // Cache control properties for the resource. + // [#not-implemented-hide:] + message CacheControl { + // If true, xDS proxies may not cache this resource. + // Note that this does not apply to clients other than xDS proxies, which must cache resources + // for their own use, regardless of the value of this field. + bool do_not_cache = 1; + } + // The resource's name, to distinguish it from others of the same type of resource. string name = 3 [(udpa.annotations.field_migrate).oneof_promotion = "name_specifier"]; - // Used instead of *name* when a resource with a *udpa.core.v1.ResourceName* is delivered. - udpa.core.v1.ResourceName udpa_resource_name = 5 + // Used instead of *name* when a resource with a *xds.core.v3.ResourceName* is delivered. + xds.core.v3.ResourceName xds_resource_name = 5 [(udpa.annotations.field_migrate).oneof_promotion = "name_specifier"]; // The aliases are a list of other names that this resource can go by. 
@@ -272,4 +282,23 @@ message Resource { // The resource being tracked. google.protobuf.Any resource = 2; + + // Time-to-live value for the resource. For each resource, a timer is started. The timer is + // reset each time the resource is received with a new TTL. If the resource is received with + // no TTL set, the timer is removed for the resource. Upon expiration of the timer, the + // configuration for the resource will be removed. + // + // The TTL can be refreshed or changed by sending a response that doesn't change the resource + // version. In this case the resource field does not need to be populated, which allows for + // light-weight "heartbeat" updates to keep a resource with a TTL alive. + // + // The TTL feature is meant to support configurations that should be removed in the event of + // a management server failure. For example, the feature may be used for fault injection + // testing where the fault injection should be terminated in the event that Envoy loses contact + // with the management server. + google.protobuf.Duration ttl = 6; + + // Cache control properties for the resource. + // [#not-implemented-hide:] + CacheControl cache_control = 7; } diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/metadata.proto b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/metadata.proto index 2cbc602564..ed58d04adb 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/metadata.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/metadata.proto 
@@ -83,12 +83,12 @@ message MetadataMatcher { option (validate.required) = true; // If specified, use the key to retrieve the value in a Struct. - string key = 1 [(validate.rules).string = {min_bytes: 1}]; + string key = 1 [(validate.rules).string = {min_len: 1}]; } } // The filter name to retrieve the Struct from the Metadata. - string filter = 1 [(validate.rules).string = {min_bytes: 1}]; + string filter = 1 [(validate.rules).string = {min_len: 1}]; // The path to retrieve the Value from the Struct. repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/regex.proto b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/regex.proto index b23c0bff30..6c499235bb 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/regex.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/regex.proto @@ -48,7 +48,7 @@ message RegexMatcher { } // The regex match string. The string must be supported by the configured engine. - string regex = 2 [(validate.rules).string = {min_bytes: 1}]; + string regex = 2 [(validate.rules).string = {min_len: 1}]; } // Describes how to match a string and then produce a new string using a regular diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/string.proto b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/string.proto index 431043e00e..499eaf2177 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/string.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/string.proto @@ -34,7 +34,7 @@ message StringMatcher { // Examples: // // * *abc* matches the value *abc.xyz* - string prefix = 2 [(validate.rules).string = {min_bytes: 1}]; + string prefix = 2 [(validate.rules).string = {min_len: 1}]; // The input string must have the suffix specified here. // Note: empty prefix is not allowed, please use regex instead. 
@@ -42,7 +42,7 @@ message StringMatcher { // Examples: // // * *abc* matches the value *xyz.abc* - string suffix = 3 [(validate.rules).string = {min_bytes: 1}]; + string suffix = 3 [(validate.rules).string = {min_len: 1}]; // The input string must match the regular expression specified here. // The regex grammar is defined `here diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/v3/metadata.proto b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/v3/metadata.proto index 65ec4f47ff..a7184ee980 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/v3/metadata.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/v3/metadata.proto @@ -89,12 +89,12 @@ message MetadataMatcher { option (validate.required) = true; // If specified, use the key to retrieve the value in a Struct. - string key = 1 [(validate.rules).string = {min_bytes: 1}]; + string key = 1 [(validate.rules).string = {min_len: 1}]; } } // The filter name to retrieve the Struct from the Metadata. - string filter = 1 [(validate.rules).string = {min_bytes: 1}]; + string filter = 1 [(validate.rules).string = {min_len: 1}]; // The path to retrieve the Value from the Struct. repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/v3/regex.proto b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/v3/regex.proto index 6087c6f90f..f5913c460c 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/v3/regex.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/v3/regex.proto @@ -54,7 +54,7 @@ message RegexMatcher { } // The regex match string. The string must be supported by the configured engine. - string regex = 2 [(validate.rules).string = {min_bytes: 1}]; + string regex = 2 [(validate.rules).string = {min_len: 1}]; } // Describes how to match a string and then produce a new string using a regular 
diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/v3/string.proto b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/v3/string.proto index d453d43d3f..7a91b58f3b 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/matcher/v3/string.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/matcher/v3/string.proto @@ -41,7 +41,7 @@ message StringMatcher { // Examples: // // * *abc* matches the value *abc.xyz* - string prefix = 2 [(validate.rules).string = {min_bytes: 1}]; + string prefix = 2 [(validate.rules).string = {min_len: 1}]; // The input string must have the suffix specified here. // Note: empty prefix is not allowed, please use regex instead. @@ -49,7 +49,7 @@ message StringMatcher { // Examples: // // * *abc* matches the value *xyz.abc* - string suffix = 3 [(validate.rules).string = {min_bytes: 1}]; + string suffix = 3 [(validate.rules).string = {min_len: 1}]; // The input string must match the regular expression specified here. RegexMatcher safe_regex = 5 [(validate.rules).message = {required: true}]; @@ -60,7 +60,7 @@ message StringMatcher { // Examples: // // * *abc* matches the value *xyz.abc.def* - string contains = 7 [(validate.rules).string = {min_bytes: 1}]; + string contains = 7 [(validate.rules).string = {min_len: 1}]; } // If true, indicates the exact/prefix/suffix matching should be case insensitive. This has no diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/metadata/v3/metadata.proto b/xds/third_party/envoy/src/main/proto/envoy/type/metadata/v3/metadata.proto index ddcce68820..b971d8debb 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/metadata/v3/metadata.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/metadata/v3/metadata.proto 
@@ -49,13 +49,13 @@ message MetadataKey { option (validate.required) = true; // If specified, use the key to retrieve the value in a Struct. - string key = 1 [(validate.rules).string = {min_bytes: 1}]; + string key = 1 [(validate.rules).string = {min_len: 1}]; } } // The key name of Metadata to retrieve the Struct from the metadata. // Typically, it represents a builtin subsystem or custom extension. - string key = 1 [(validate.rules).string = {min_bytes: 1}]; + string key = 1 [(validate.rules).string = {min_len: 1}]; // The path to retrieve the Value from the Struct. It can be a prefix or a full path, // e.g. ``[prop, xyz]`` for a struct or ``[prop, foo]`` for a string in the example, diff --git a/xds/third_party/envoy/src/main/proto/envoy/type/tracing/v3/custom_tag.proto b/xds/third_party/envoy/src/main/proto/envoy/type/tracing/v3/custom_tag.proto index 42518ead59..bcebe5779b 100644 --- a/xds/third_party/envoy/src/main/proto/envoy/type/tracing/v3/custom_tag.proto +++ b/xds/third_party/envoy/src/main/proto/envoy/type/tracing/v3/custom_tag.proto @@ -26,7 +26,7 @@ message CustomTag { "envoy.type.tracing.v2.CustomTag.Literal"; // Static literal value to populate the tag value. - string value = 1 [(validate.rules).string = {min_bytes: 1}]; + string value = 1 [(validate.rules).string = {min_len: 1}]; } // Environment type custom tag with environment name and default value. @@ -35,7 +35,7 @@ message CustomTag { "envoy.type.tracing.v2.CustomTag.Environment"; // Environment variable name to obtain the value to populate the tag value. - string name = 1 [(validate.rules).string = {min_bytes: 1}]; + string name = 1 [(validate.rules).string = {min_len: 1}]; // When the environment variable is not found, // the tag value will be populated with this default value if specified, 
@@ -50,7 +50,7 @@ message CustomTag { // Header name to obtain the value to populate the tag value. string name = 1 - [(validate.rules).string = {min_bytes: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; // When the header does not exist, // the tag value will be populated with this default value if specified, @@ -80,7 +80,7 @@ message CustomTag { } // Used to populate the tag name. - string tag = 1 [(validate.rules).string = {min_bytes: 1}]; + string tag = 1 [(validate.rules).string = {min_len: 1}]; // Used to specify what kind of custom tag. oneof type { diff --git a/xds/third_party/udpa/import.sh b/xds/third_party/udpa/import.sh index f06a4f6c92..c82a63f8c1 100755 --- a/xds/third_party/udpa/import.sh +++ b/xds/third_party/udpa/import.sh @@ -18,7 +18,7 @@ set -e BRANCH=master # import VERSION from one of the google internal CLs -VERSION=efcf912fb35470672231c7b7bef620f3d17f655a +VERSION=5459f2c994033b0afed7e4a70ac7e90c90c1ffee GIT_REPO="https://github.com/cncf/udpa.git" GIT_BASE_DIR=udpa SOURCE_PROTO_BASE_DIR=udpa @@ -29,13 +29,13 @@ udpa/annotations/security.proto udpa/annotations/sensitive.proto udpa/annotations/status.proto udpa/annotations/versioning.proto -udpa/core/v1/authority.proto -udpa/core/v1/collection_entry.proto -udpa/core/v1/context_params.proto -udpa/core/v1/resource_locator.proto -udpa/core/v1/resource_name.proto udpa/data/orca/v1/orca_load_report.proto udpa/service/orca/v1/orca.proto +xds/core/v3/authority.proto +xds/core/v3/collection_entry.proto +xds/core/v3/context_params.proto +xds/core/v3/resource_locator.proto +xds/core/v3/resource_name.proto ) pushd `git rev-parse --show-toplevel`/xds/third_party/udpa diff --git a/xds/third_party/udpa/src/main/proto/udpa/core/v1/context_params.proto b/xds/third_party/udpa/src/main/proto/udpa/core/v1/context_params.proto deleted file mode 100644 index ccc4638f06..0000000000 
--- a/xds/third_party/udpa/src/main/proto/udpa/core/v1/context_params.proto +++ /dev/null @@ -1,16 +0,0 @@ -syntax = "proto3"; - -package udpa.core.v1; - -import "udpa/annotations/status.proto"; - -option java_outer_classname = "ContextParamsProto"; -option java_multiple_files = true; -option java_package = "com.github.udpa.udpa.core.v1"; - -option (udpa.annotations.file_status).work_in_progress = true; - -// Additional parameters that can be used to select resource variants. -message ContextParams { - map params = 1; -} diff --git a/xds/third_party/udpa/src/main/proto/udpa/core/v1/authority.proto b/xds/third_party/udpa/src/main/proto/xds/core/v3/authority.proto similarity index 82% rename from xds/third_party/udpa/src/main/proto/udpa/core/v1/authority.proto rename to xds/third_party/udpa/src/main/proto/xds/core/v3/authority.proto index f250a6cb0e..49daf4b8cb 100644 --- a/xds/third_party/udpa/src/main/proto/udpa/core/v1/authority.proto +++ b/xds/third_party/udpa/src/main/proto/xds/core/v3/authority.proto @@ -1,6 +1,6 @@ syntax = "proto3"; -package udpa.core.v1; +package xds.core.v3; import "udpa/annotations/status.proto"; @@ -8,11 +8,11 @@ import "validate/validate.proto"; option java_outer_classname = "AuthorityProto"; option java_multiple_files = true; -option java_package = "com.github.udpa.udpa.core.v1"; +option java_package = "com.github.udpa.xds.core.v3"; option (udpa.annotations.file_status).work_in_progress = true; -// UDPA authority information. +// xDS authority information. message Authority { string name = 1 [(validate.rules).string = {min_len: 1}]; diff --git a/xds/third_party/udpa/src/main/proto/udpa/core/v1/collection_entry.proto b/xds/third_party/udpa/src/main/proto/xds/core/v3/collection_entry.proto similarity index 87% rename from xds/third_party/udpa/src/main/proto/udpa/core/v1/collection_entry.proto rename to xds/third_party/udpa/src/main/proto/xds/core/v3/collection_entry.proto index 8e4f0c8748..4ece240ca3 100644 
--- a/xds/third_party/udpa/src/main/proto/udpa/core/v1/collection_entry.proto +++ b/xds/third_party/udpa/src/main/proto/xds/core/v3/collection_entry.proto @@ -1,21 +1,21 @@ syntax = "proto3"; -package udpa.core.v1; +package xds.core.v3; import "google/protobuf/any.proto"; import "udpa/annotations/status.proto"; -import "udpa/core/v1/resource_locator.proto"; +import "xds/core/v3/resource_locator.proto"; import "validate/validate.proto"; option java_outer_classname = "CollectionEntryProto"; option java_multiple_files = true; -option java_package = "com.github.udpa.udpa.core.v1"; +option java_package = "com.github.udpa.xds.core.v3"; option (udpa.annotations.file_status).work_in_progress = true; -// UDPA collection resource wrapper. This encapsulates a UDPA resource when +// xDS collection resource wrapper. This encapsulates a xDS resource when // appearing inside a list collection resource. List collection resources are // regular Resource messages of type: // @@ -32,7 +32,7 @@ message CollectionEntry { // reference via the #entry directive in ResourceLocator. string name = 1 [(validate.rules).string.pattern = "^[0-9a-zA-Z_\\-\\.~:]+$"]; - // The resource's logical version. It is illegal to have the same named UDPA + // The resource's logical version. It is illegal to have the same named xDS // resource name at a given version with different resource payloads. string version = 2; diff --git a/xds/third_party/udpa/src/main/proto/xds/core/v3/context_params.proto b/xds/third_party/udpa/src/main/proto/xds/core/v3/context_params.proto new file mode 100644 index 0000000000..8f27c1ca7e --- /dev/null +++ b/xds/third_party/udpa/src/main/proto/xds/core/v3/context_params.proto 
@@ -0,0 +1,21 @@
+syntax = "proto3";
+
+package xds.core.v3;
+
+import "udpa/annotations/status.proto";
+
+option java_outer_classname = "ContextParamsProto";
+option java_multiple_files = true;
+option java_package = "com.github.udpa.xds.core.v3";
+
+option (udpa.annotations.file_status).work_in_progress = true;
+
+// Additional parameters that can be used to select resource variants. These include any
+// global context parameters, per-resource type client feature capabilities and per-resource
+// type functional attributes. All per-resource type attributes will be `xds.resource.`
+// prefixed and some of these are documented below:
+// `xds.resource.listening_address`: The value is "IP:port" (e.g. "10.1.1.3:8080") which is
+// the listening address of a Listener. Used in a Listener resource query.
+message ContextParams {
+ map params = 1;
+}
diff --git a/xds/third_party/udpa/src/main/proto/udpa/core/v1/resource_locator.proto b/xds/third_party/udpa/src/main/proto/xds/core/v3/resource_locator.proto
similarity index 75%
rename from xds/third_party/udpa/src/main/proto/udpa/core/v1/resource_locator.proto
rename to xds/third_party/udpa/src/main/proto/xds/core/v3/resource_locator.proto
index a3c903144c..d7334394ae 100644
--- a/xds/third_party/udpa/src/main/proto/udpa/core/v1/resource_locator.proto
+++ b/xds/third_party/udpa/src/main/proto/xds/core/v3/resource_locator.proto
@@ -1,38 +1,38 @@
 syntax = "proto3";
-package udpa.core.v1;
+package xds.core.v3;
 import "udpa/annotations/status.proto";
-import "udpa/core/v1/context_params.proto";
+import "xds/core/v3/context_params.proto";
 import "validate/validate.proto";
 option java_outer_classname = "ResourceLocatorProto";
 option java_multiple_files = true;
-option java_package = "com.github.udpa.udpa.core.v1";
+option java_package = "com.github.udpa.xds.core.v3";
 option (udpa.annotations.file_status).work_in_progress = true;
-// UDPA resource locators identify a UDPA resource name and instruct the
+// xDS resource locators identify a xDS resource name and instruct the
 // data-plane load balancer on how the resource may be located.
 //
-// Resource locators have a canonical udpa:// URI representation:
+// Resource locators have a canonical xdstp:// URI representation:
 //
-// udpa://{authority}/{type_url}/{id/*}?{context_params}{#directive,*}
+// xdstp://{authority}/{type_url}/{id}?{context_params}{#directive,*}
 //
 // where context_params take the form of URI query parameters.
 //
 // Resource locators have a similar canonical http:// URI representation:
 //
-// http://{authority}/{type_url}/{id/*}?{context_params}{#directive,*}
+// http://{authority}/{type_url}/{id}?{context_params}{#directive,*}
 //
 // Resource locators also have a simplified file:// URI representation:
 //
-// file:///{id/*}{#directive,*}
+// file:///{id}{#directive,*}
 //
 message ResourceLocator {
 enum Scheme {
- UDPA = 0;
+ XDSTP = 0;
 HTTP = 1;
 FILE = 2;
 }
@@ -40,13 +40,13 @@ message ResourceLocator {
 // URI scheme.
 Scheme scheme = 1 [(validate.rules).enum = {defined_only: true}];
- // Opaque identifiers for the resource. These are effectively concatenated
- // with ‘/’ to form the non-query param path as resource ID. This may end
+ // Opaque identifier for the resource. Any '/' will not be escaped during URI
+ // encoding and will form part of the URI path. This may end
 // with ‘*’ for glob collection references.
- repeated string id = 2 [(validate.rules).repeated = {min_items: 1}];
+ string id = 2;
 // Logical authority for resource (not necessarily transport network address).
- // Authorities are opaque in the UDPA API, data-plane load balancers will map
+ // Authorities are opaque in the xDS API, data-plane load balancers will map
 // them to concrete network transports such as an xDS management server, e.g.
 // via envoy.config.core.v3.ConfigSource.
 string authority = 3;
@@ -65,7 +65,7 @@ message ResourceLocator {
 // .. space reserved for future potential matchers, e.g. CEL expressions.
 }
- // Directives provide information to data-plane load balancers on how UDPA
+ // Directives provide information to data-plane load balancers on how xDS
 // resource names are to be interpreted and potentially further resolved. For
 // example, they may provide alternative resource locators for when primary
 // resolution fails. Directives are not part of resource names and do not
@@ -75,7 +75,7 @@ message ResourceLocator {
 //
 // =
 //
- // For example, we can have alt=udpa://foo/bar or entry=some%20thing. Each
+ // For example, we can have alt=xdstp://foo/bar or entry=some%20thing. Each
 // directive value type may have its own string encoding, in the case of
 // ResourceLocator there is a recursive URI encoding.
 //
@@ -83,7 +83,7 @@ message ResourceLocator {
 // Multiple directives are comma-separated, so the reserved characters that
 // require percent encoding in a directive value are [',', '#', '[', ']',
 // '%']. These are the RFC3986 fragment reserved characters with the addition
- // of the UDPA scheme specific ','. See
+ // of the xDS scheme specific ','. See
 // https://tools.ietf.org/html/rfc3986#page-49 for further details on URI ABNF
 // and reserved characters.
 message Directive {
@@ -93,7 +93,7 @@ message ResourceLocator {
 // An alternative resource locator for fallback if the resource is
 // unavailable. For example, take the resource locator:
 //
- // udpa://foo/some-type/some-route-table#alt=udpa://bar/some-type/another-route-table
+ // xdstp://foo/some-type/some-route-table#alt=xdstp://bar/some-type/another-route-table
 //
 // If the data-plane load balancer is unable to reach `foo` to fetch the
 // resource, it will fallback to `bar`. Alternative resources do not need
@@ -103,13 +103,13 @@ message ResourceLocator {
 // List collections support inlining of resources via the entry field in
 // Resource. These inlined Resource objects may have an optional name
 // field specified. When specified, the entry directive allows
- // UdpaResourceLocator to directly reference these inlined resources, e.g.
- // udpa://.../foo#entry=bar.
+ // ResourceLocator to directly reference these inlined resources, e.g.
+ // xdstp://.../foo#entry=bar.
 string entry = 2 [(validate.rules).string = {min_len: 1, pattern: "^[0-9a-zA-Z_\\-\\./~:]+$"}];
 }
 }
- // A list of directives that appear in the UDPA resource locator #fragment.
+ // A list of directives that appear in the xDS resource locator #fragment.
 //
 // When encoding to URI form, directives are percent encoded with comma
 // separation.
diff --git a/xds/third_party/udpa/src/main/proto/udpa/core/v1/resource_name.proto b/xds/third_party/udpa/src/main/proto/xds/core/v3/resource_name.proto
similarity index 55%
rename from xds/third_party/udpa/src/main/proto/udpa/core/v1/resource_name.proto
rename to xds/third_party/udpa/src/main/proto/xds/core/v3/resource_name.proto
index d6188853f9..103c7de864 100644
--- a/xds/third_party/udpa/src/main/proto/udpa/core/v1/resource_name.proto
+++ b/xds/third_party/udpa/src/main/proto/xds/core/v3/resource_name.proto
@@ -1,34 +1,34 @@
 syntax = "proto3";
-package udpa.core.v1;
+package xds.core.v3;
 import "udpa/annotations/status.proto";
-import "udpa/core/v1/context_params.proto";
+import "xds/core/v3/context_params.proto";
 import "validate/validate.proto";
 option java_outer_classname = "ResourceNameProto";
 option java_multiple_files = true;
-option java_package = "com.github.udpa.udpa.core.v1";
+option java_package = "com.github.udpa.xds.core.v3";
 option (udpa.annotations.file_status).work_in_progress = true;
-// UDPA resource name. This has a canonical udpa:// URI representation:
+// xDS resource name. This has a canonical xdstp:// URI representation:
 //
-// udpa://{authority}/{type_url}/{id/*}?{context_params}
+// xdstp://{authority}/{type_url}/{id}?{context_params}
 //
 // where context_params take the form of URI query parameters.
 //
-// A UDPA resource name fully identifies a network resource for transport
-// purposes. UDPA resource names in this form appear only in discovery
+// A xDS resource name fully identifies a network resource for transport
+// purposes. xDS resource names in this form appear only in discovery
 // request/response messages used with the xDS transport.
 message ResourceName {
- // Opaque identifiers for the resource. These are effectively concatenated
- // with ‘/’ to form the non-query param path as resource ID.
- repeated string id = 1 [(validate.rules).repeated = {min_items: 1}];
+ // Opaque identifier for the resource. Any '/' will not be escaped during URI
+ // encoding and will form part of the URI path.
+ string id = 1;
 // Logical authority for resource (not necessarily transport network address).
- // Authorities are opaque in the UDPA API, data-plane load balancers will map
+ // Authorities are opaque in the xDS API, data-plane load balancers will map
 // them to concrete network transports such as an xDS management server.
 string authority = 2;