istio
/
api
mirror of https://github.com/istio/api.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
api/mesh/v1alpha1/proxy.proto

775 lines
35 KiB
Protocol Buffer
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

// Copyright 2017 Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
package istio.mesh.v1alpha1;
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
import "networking/v1alpha3/destination_rule.proto";
import "networking/v1alpha3/workload_group.proto";
import "networking/v1beta1/proxy_config.proto";
option go_package = "istio.io/api/mesh/v1alpha1";
// AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.
// It can be set for two different scopes, mesh-wide or set on a per-pod basis using the ProxyConfig annotation.
// Mesh policy cannot be INHERIT.
enum AuthenticationPolicy {
// Do not encrypt proxy to control plane traffic.
NONE = 0;
// Proxy to control plane traffic is wrapped into mutual TLS connections.
MUTUAL_TLS = 1;
// Use the policy defined by the parent scope. Should not be used for mesh
// policy.
INHERIT = 1000;
}
// Tracing defines configuration for the tracing performed by Envoy instances.
message Tracing {
// Zipkin defines configuration for a Zipkin tracer.
message Zipkin {
// Address of the Zipkin service (e.g. _zipkin:9411_).
string address = 1;
}
// $hide_from_docs
// Defines configuration for a Lightstep tracer.
message Lightstep {
// Address of the Lightstep Satellite pool.
string address = 1;
// The Lightstep access token.
string access_token = 2;
}
// Datadog defines configuration for a Datadog tracer.
message Datadog {
// Address of the Datadog Agent.
string address = 1;
}
// Stackdriver defines configuration for a Stackdriver tracer.
// See [Envoy's OpenCensus trace configuration](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/trace/v3/opencensus.proto)
// and
// [OpenCensus trace config](https://github.com/census-instrumentation/opencensus-proto/blob/master/src/opencensus/proto/trace/v1/trace_config.proto) for details.
message Stackdriver {
// debug enables trace output to stdout.
// $hide_from_docs
bool debug = 1;
// The global default max number of attributes per span.
// default is 200.
// $hide_from_docs
google.protobuf.Int64Value max_number_of_attributes = 2;
// The global default max number of annotation events per span.
// default is 200.
// $hide_from_docs
google.protobuf.Int64Value max_number_of_annotations = 3;
// The global default max number of message events per span.
// default is 200.
// $hide_from_docs
google.protobuf.Int64Value max_number_of_message_events = 4;
}
// OpenCensusAgent defines configuration for an OpenCensus tracer writing to
// an OpenCensus agent backend. See
// [Envoy's OpenCensus trace configuration](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/trace/v3/opencensus.proto)
// and
// [OpenCensus trace config](https://github.com/census-instrumentation/opencensus-proto/blob/master/src/opencensus/proto/trace/v1/trace_config.proto)
// for details.
message OpenCensusAgent {
// TraceContext selects the context propagation headers used for
// distributed tracing.
enum TraceContext {
// $hide_from_docs
// Unspecified context. Should not be used for now, but added to reserve
// the 0 enum value if TraceContext is used outside of a repeated field.
UNSPECIFIED = 0;
// Use W3C Trace Context propagation using the `traceparent` HTTP header.
// See the
// [Trace Context documentation](https://www.w3.org/TR/trace-context/) for details.
W3C_TRACE_CONTEXT = 1;
// Use gRPC binary context propagation using the `grpc-trace-bin` http header.
GRPC_BIN = 2;
// Use Cloud Trace context propagation using the
// `X-Cloud-Trace-Context` http header.
CLOUD_TRACE_CONTEXT = 3;
// Use multi-header B3 context propagation using the `X-B3-TraceId`,
// `X-B3-SpanId`, and `X-B3-Sampled` HTTP headers. See
// [B3 header propagation README](https://github.com/openzipkin/b3-propagation)
// for details.
B3 = 4;
}
// gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or
// unix:path). See [gRPC naming
// docs](https://github.com/grpc/grpc/blob/master/doc/naming.md) for
// details.
string address = 1;
// Specifies the set of context propagation headers used for distributed
// tracing. Default is `["W3C_TRACE_CONTEXT"]`. If multiple values are specified,
// the proxy will attempt to read each header for each request and will
// write all headers.
repeated TraceContext context = 2;
}
// The tracer implementation to be used by Envoy.
oneof tracer {
// Use a Zipkin tracer.
Zipkin zipkin = 1;
// Use a Lightstep tracer.
// NOTE: For Istio 1.15+, this configuration option will result
// in using OpenTelemetry-based Lightstep integration.
// $hide_from_docs
Lightstep lightstep = 2;
// Use a Datadog tracer.
Datadog datadog = 3;
// Use a Stackdriver tracer.
// $hide_from_docs
Stackdriver stackdriver = 4;
// Use an OpenCensus tracer exporting to an OpenCensus agent.
// $hide_from_docs
OpenCensusAgent open_census_agent = 9;
}
// Configure custom tags that will be added to any active span.
// Tags can be generated via literals, environment variables or an incoming request header.
// $hide_from_docs
message CustomTag {
// Specify how to populate the value in a custom tag
oneof type {
// The custom tag's value is the specified literal.
Literal literal = 1;
// The custom tag's value should be populated from an environmental
// variable
Environment environment = 2;
// The custom tag's value is populated by an http header from
// an incoming request.
RequestHeader header = 3;
}
}
// Literal type represents a static value.
// $hide_from_docs
message Literal {
// Static literal value used to populate the tag value.
string value = 1;
}
// Environment is the proxy's environment variable to be used for populating the custom span tag.
// $hide_from_docs
message Environment {
// Name of the environment variable used to populate the tag's value
string name = 1;
// When the environment variable is not found,
// the tag's value will be populated with this default value if specified,
// otherwise the tag will not be populated.
string default_value = 2;
}
// RequestHeader is the HTTP request header which will be used to populate the span tag.
// A default value can be configured if the header does not exist.
// $hide_from_docs
message RequestHeader {
// HTTP header name used to obtain the value from to populate the tag value.
string name = 1;
// Default value to be used for the tag when the named HTTP header does not exist.
// The tag will be skipped if no default value is provided.
string default_value = 2;
}
// Configures the custom tags to be added to active span by all proxies (i.e. sidecars
// and gateways).
// The key represents the name of the tag.
// Ex:
// ```yaml
// custom_tags:
// new_tag_name:
// header:
// name: custom-http-header-name
// default_value: defaulted-value-from-custom-header
// ```
// $hide_from_docs
map<string, CustomTag> custom_tags = 5;
// Configures the maximum length of the request path to extract and include in the
// HttpUrl tag. Used to truncate length request paths to meet the needs of tracing
// backend. If not set, then a length of 256 will be used.
// $hide_from_docs
uint32 max_path_tag_length = 6;
// The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation,
// if not requested by the client or not forced. Default is 1.0.
double sampling = 7;
// Use the tlsSettings to specify the tls mode to use. If the remote tracing service
// uses Istio mutual TLS and shares the root CA with istiod, specify the TLS
// mode as `ISTIO_MUTUAL`.
istio.networking.v1alpha3.ClientTLSSettings tls_settings = 8;
// Determines whether or not trace spans generated by Envoy will include Istio specific tags.
// By default Istio specific tags are included in the trace spans.
google.protobuf.BoolValue enable_istio_tags = 10;
// $hide_from_docs
// Next available field number: 11
}
// SDS defines secret discovery service(SDS) configuration to be used by the proxy.
// For workload, its values are set in sidecar injector(passed as arguments to istio-proxy container).
// For pilot/mixer, it's passed as arguments to istio-proxy container in pilot/mixer deployment yaml files directly.
// $hide_from_docs
message SDS {
// True if SDS is enabled.
bool enabled = 1;
// Path of k8s service account JWT path.
string k8s_sa_jwt_path = 2;
}
// Topology describes the configuration for relative location of a proxy with
// respect to intermediate trusted proxies and the client. These settings
// control how the client attributes are retrieved from the incoming traffic by
// the gateway proxy and propagated to the upstream services in the cluster.
message Topology {
// Number of trusted proxies deployed in front of the Istio gateway proxy.
// When this option is set to value N greater than zero, the trusted client
// address is assumed to be the Nth address from the right end of the
// X-Forwarded-For (XFF) header from the incoming request. If the
// X-Forwarded-For (XFF) header is missing or has fewer than N addresses, the
// gateway proxy falls back to using the immediate downstream connection's
// source address as the trusted client address.
// Note that the gateway proxy will append the downstream connection's source
// address to the X-Forwarded-For (XFF) address and set the
// X-Envoy-External-Address header to the trusted client address before
// forwarding it to the upstream services in the cluster.
// The default value of numTrustedProxies is 0.
// See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for)
// header handling for more details.
uint32 num_trusted_proxies = 1;
// Configures how the gateway proxy handles x-forwarded-client-cert (XFCC)
// header in the incoming request.
ForwardClientCertDetails forward_client_cert_details = 2;
// PROXY protocol configuration.
message ProxyProtocolConfiguration {}
// Enables [PROXY protocol](http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt) for
// downstream connections on a gateway.
ProxyProtocolConfiguration proxy_protocol = 3;
}
// ForwardClientCertDetails controls how the x-forwarded-client-cert (XFCC)
// header is handled by a proxy.
// See [Envoy XFCC](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto.html#enum-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-forwardclientcertdetails)
// header handling for more details.
enum ForwardClientCertDetails {
// Field is not set
UNDEFINED = 0;
// Do not send the XFCC header to the next hop.
SANITIZE = 1;
// When the client connection is mTLS (Mutual TLS), forward the XFCC header
// in the request.
FORWARD_ONLY = 2;
// When the client connection is mTLS, append the client certificate
// information to the requests XFCC header and forward it. This is the default value for sidecar proxies.
APPEND_FORWARD = 3;
// When the client connection is mTLS, reset the XFCC header with the client
// certificate information and send it to the next hop. This is the default value for gateway proxies.
SANITIZE_SET = 4;
// Always forward the XFCC header in the request, regardless of whether the
// client connection is mTLS.
ALWAYS_FORWARD_ONLY = 5;
}
// PrivateKeyProvider defines private key configuration for gateways and sidecars. This can be configured
// mesh-wide or individual per-workload basis.
message PrivateKeyProvider {
// CryptoMb PrivateKeyProvider configuration
message CryptoMb {
// How long to wait until the per-thread processing queue should be processed. If the processing queue
// gets full (eight sign or decrypt requests are received) it is processed immediately.
// However, if the queue is not filled before the delay has expired, the requests already in the queue
// are processed, even if the queue is not full.
// In effect, this value controls the balance between latency and throughput.
// The duration needs to be set to a value greater than or equal to 1 millisecond.
google.protobuf.Duration poll_delay = 1;
// If the private key provider isnt available (eg. the required hardware capability doesnt existed)
// Envoy will fallback to the BoringSSL default implementation when the fallback is true.
// The default value is false.
google.protobuf.BoolValue fallback = 2;
}
// QAT (QuickAssist Technology) PrivateKeyProvider configuration
message QAT {
// How long to wait before polling the hardware accelerator after a request has been submitted there.
// Having a small value leads to quicker answers from the hardware but causes more polling loop spins,
// leading to potentially larger CPU usage.
// The duration needs to be set to a value greater than or equal to 1 millisecond.
google.protobuf.Duration poll_delay = 1;
// If the private key provider isnt available (eg. the required hardware capability doesnt existed)
// Envoy will fallback to the BoringSSL default implementation when the fallback is true.
// The default value is false.
google.protobuf.BoolValue fallback = 2;
}
// REQUIRED. Specifies detailed configuration for the Private key provider.
oneof provider {
// Use CryptoMb private key provider
CryptoMb cryptomb = 2;
// Use QAT private key provider
QAT qat = 3;
}
}
// ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis
// as well as by the mesh-wide defaults.
// To set the mesh-wide defaults, configure the `defaultConfig` section of `meshConfig`. For example:
//
// ```
// meshConfig:
// defaultConfig:
// discoveryAddress: istiod:15012
// ```
//
// This can also be configured on a per-workload basis by configuring the `proxy.istio.io/config` annotation on the pod. For example:
//
// ```
// annotations:
// proxy.istio.io/config: |
// discoveryAddress: istiod:15012
// ```
//
// If both are configured, the two are merged with per field semantics; the field set in annotation will fully replace the field from mesh config defaults.
// This is different than a deep merge provided by protobuf.
// For example, `"tracing": { "sampling": 5 }` would completely override a setting configuring a tracing provider
// such as `"tracing": { "zipkin": { "address": "..." } }`.
//
// Note: fields in ProxyConfig are not dynamically configured; changes will require restart of workloads to take effect.
message ProxyConfig {
// Path to the generated configuration file directory.
// Proxy agent generates the actual configuration and stores it in this directory.
string config_path = 1;
// Path to the proxy binary
string binary_path = 2;
// Allows specification of various Istio-supported naming schemes for the
// Envoy `service_cluster` value. The `service_cluster` value is primarily used
// by Envoys to provide service names for tracing spans.
enum TracingServiceName {
// Default scheme. Uses the `app` label and workload namespace to construct
// a cluster name. If the `app` label does not exist `istio-proxy` is used.
APP_LABEL_AND_NAMESPACE = 0;
// Uses the canonical name for a workload (*excluding namespace*).
CANONICAL_NAME_ONLY = 1;
// Uses the canonical name and namespace for a workload.
CANONICAL_NAME_AND_NAMESPACE = 2;
}
oneof cluster_name {
// Service cluster defines the name for the `service_cluster` that is
// shared by all Envoy instances. This setting corresponds to
// `--service-cluster` flag in Envoy. In a typical Envoy deployment, the
// `service-cluster` flag is used to identify the caller, for
// source-based routing scenarios.
//
// Since Istio does not assign a local `service/service` version to each
// Envoy instance, the name is same for all of them. However, the
// source/caller's identity (e.g., IP address) is encoded in the
// `--service-node` flag when launching Envoy. When the RDS service
// receives API calls from Envoy, it uses the value of the `service-node`
// flag to compute routes that are relative to the service instances
// located at that IP address.
string service_cluster = 3;
// Used by Envoy proxies to assign the values for the service names in trace
// spans.
TracingServiceName tracing_service_name = 36;
}
// The time in seconds that Envoy will drain connections during a hot
// restart. MUST be >=1s (e.g., _1s/1m/1h_)
// Default drain duration is `45s`.
google.protobuf.Duration drain_duration = 4;
reserved "parent_shutdown_duration";
reserved 5;
// Address of the discovery service exposing xDS with mTLS connection.
// The inject configuration may override this value.
string discovery_address = 6;
// $hide_from_docs
google.protobuf.Duration discovery_refresh_delay = 7 [deprecated = true];
// Address of the Zipkin service (e.g. _zipkin:9411_).
// DEPRECATED: Use [tracing][istio.mesh.v1alpha1.ProxyConfig.tracing] instead.
string zipkin_address = 8 [deprecated = true];
reserved "connect_timeout";
reserved 9;
// IP Address and Port of a statsd UDP listener (e.g. `10.75.241.127:9125`).
string statsd_udp_address = 10;
// $hide_from_docs
string envoy_metrics_service_address = 20 [deprecated = true];
// Port on which Envoy should listen for administrative commands.
// Default port is `15000`.
int32 proxy_admin_port = 11;
// $hide_from_docs
string availability_zone = 12 [deprecated = true];
// AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.
// Default is set to `MUTUAL_TLS`.
AuthenticationPolicy control_plane_auth_policy = 13;
// File path of custom proxy configuration, currently used by proxies
// in front of istiod.
string custom_config_file = 14;
// Maximum length of name field in Envoy's metrics. The length of the name field
// is determined by the length of a name field in a service and the set of labels that
// comprise a particular version of the service. The default value is set to 189 characters.
// Envoy's internal metrics take up 67 characters, for a total of 256 character name per metric.
// Increase the value of this field if you find that the metrics from Envoys are truncated.
int32 stat_name_length = 15;
// The number of worker threads to run.
// If unset, which is recommended, this will be automatically determined based on CPU requests/limits.
// If set to 0, all cores on the machine will be used, ignoring CPU requests or limits. This can lead to major performance
// issues if CPU limits are also set.
google.protobuf.Int32Value concurrency = 16;
// Path to the proxy bootstrap template file
string proxy_bootstrap_template_path = 17;
// The mode used to redirect inbound traffic to Envoy.
// This setting has no effect on outbound traffic: iptables `REDIRECT` is always used for
// outbound connections.
enum InboundInterceptionMode {
// The `REDIRECT` mode uses iptables `REDIRECT` to `NAT` and redirect to Envoy. This mode loses
// source IP addresses during redirection. This is the default redirection mode.
REDIRECT = 0;
// The `TPROXY` mode uses iptables `TPROXY` to redirect to Envoy. This mode preserves both the
// source and destination IP addresses and ports, so that they can be used for advanced
// filtering and manipulation. This mode also configures the sidecar to run with the
// `CAP_NET_ADMIN` capability, which is required to use `TPROXY`.
TPROXY = 1;
// The `NONE` mode does not configure redirect to Envoy at all. This is an advanced
// configuration that typically requires changes to user applications.
NONE = 2;
}
// The mode used to redirect inbound traffic to Envoy.
InboundInterceptionMode interception_mode = 18;
// Tracing configuration to be used by the proxy.
Tracing tracing = 19;
// Secret Discovery Service(SDS) configuration to be used by the proxy.
// $hide_from_docs
SDS sds = 21 [deprecated = true];
// Address of the service to which access logs from Envoys should be
// sent. (e.g. `accesslog-service:15000`). See [Access Log
// Service](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/accesslog/v2/als.proto)
// for details about Envoy's gRPC Access Log Service API.
RemoteService envoy_access_log_service = 22;
// Address of the Envoy Metrics Service implementation (e.g. `metrics-service:15000`).
// See [Metric Service](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto)
// for details about Envoy's Metrics Service API.
RemoteService envoy_metrics_service = 23;
// Additional environment variables for the proxy.
// Names starting with `ISTIO_META_` will be included in the generated bootstrap and sent to the XDS server.
map<string, string> proxy_metadata = 24;
// Envoy [runtime configuration](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/runtime) to set during bootstrapping.
// This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution.
map<string, string> runtime_values = 37;
// Port on which the agent should listen for administrative commands such as readiness probe.
// Default is set to port `15020`.
int32 status_port = 26;
// An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be
// added by configuring the telemetry extension. Each additional tag needs to be present in this list.
// Extra tags emitted by the telemetry extensions must be listed here so that they can be processed
// and exposed as Prometheus metrics.
// Deprecated: `istio.stats` is a native filter now, this field is no longer needed.
repeated string extra_stat_tags = 27;
// Topology encapsulates the configuration which describes where the proxy is
// located i.e. behind a (or N) trusted proxy (proxies) or directly exposed
// to the internet. This configuration only effects gateways and is applied
// to all the gateways in the cluster unless overridden via annotations of the
// gateway workloads.
Topology gateway_topology = 28;
// The amount of time allowed for connections to complete on proxy shutdown.
// On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining,
// discouraging any new connections and allowing existing connections to complete. It then
// sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes.
// If not set, a default of `5s` will be applied.
google.protobuf.Duration termination_drain_duration = 29;
// The unique identifier for the [service mesh](https://istio.io/docs/reference/glossary/#service-mesh)
// All control planes running in the same service mesh should specify the same mesh ID.
// Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together.
string mesh_id = 30;
// VM Health Checking readiness probe. This health check config exactly mirrors the
// kubernetes readiness probe configuration both in schema and logic.
// Only one health check method of 3 can be set at a time.
istio.networking.v1alpha3.ReadinessProbe readiness_probe = 31;
// Proxy stats name matchers for stats creation. Note this is in addition to
// the minimum Envoy stats that Istio generates by default.
message ProxyStatsMatcher {
// Proxy stats name prefix matcher for inclusion.
repeated string inclusion_prefixes = 1;
// Proxy stats name suffix matcher for inclusion.
repeated string inclusion_suffixes = 2;
// Proxy stats name regexps matcher for inclusion.
repeated string inclusion_regexps = 3;
}
// Proxy stats matcher defines configuration for reporting custom Envoy stats.
// To reduce memory and CPU overhead from Envoy stats system, Istio proxies by
// default create and expose only a subset of Envoy stats. This option is to
// control creation of additional Envoy stats with prefix, suffix, and regex
// expressions match on the name of the stats. This replaces the stats
// inclusion annotations
// (`sidecar.istio.io/statsInclusionPrefixes`,
// `sidecar.istio.io/statsInclusionRegexps`, and
// `sidecar.istio.io/statsInclusionSuffixes`). For example, to enable stats
// for circuit breakers, request retries, upstream connections, and request timeouts,
// you can specify stats matcher as follows:
// ```yaml
// proxyStatsMatcher:
// inclusionRegexps:
// - .*outlier_detection.*
// - .*upstream_rq_retry.*
// - .*upstream_cx_.*
// inclusionSuffixes:
// - upstream_rq_timeout
// ```
// Note including more Envoy stats might increase number of time series
// collected by prometheus significantly. Care needs to be taken on Prometheus
// resource provision and configuration to reduce cardinality.
ProxyStatsMatcher proxy_stats_matcher = 32;
// Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior.
// This feature adds hooks to delay application startup until the pod proxy
// is ready to accept traffic, mitigating some startup race conditions.
// Default value is 'false'.
google.protobuf.BoolValue hold_application_until_proxy_starts = 33;
// The PEM data of the extra root certificates for workload-to-workload communication.
// This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA.
// The plugin certificates (the 'cacerts' secret), self-signed certificates (the 'istio-ca-secret' secret)
// are added automatically by Istiod.
repeated string ca_certificates_pem = 34;
// Specifies the details of the proxy image.
istio.networking.v1beta1.ProxyImage image = 35;
// Specifies the details of the Private Key Provider configuration for gateway and sidecar proxies.
PrivateKeyProvider private_key_provider = 38;
// Define the set of headers to add/modify for HTTP request/responses.
//
// To enable an optional header, simply set the field. If no specific configuration is required, an empty object (`{}`) will enable it.
// Note: currently all headers are enabled by default.
//
// Below shows an example of customizing the `server` header and disabling the `X-Envoy-Attempt-Count` header:
//
// ```yaml
// proxyHeaders:
// server:
// value: "my-custom-server"
// # Explicitly enable Request IDs.
// # As this is the default, this has no effect.
// requestId: {}
// attemptCount:
// disabled: true
// ```
//
// Below shows an example of preserving the header case for HTTP 1.x requests
//
// ```yaml
// proxyHeaders:
// preserveHttp1HeaderCase: true
// ```
//
// Some headers are enabled by default, and require explicitly disabling. See below for an example of disabling all default-enabled headers:
//
// ```yaml
// proxyHeaders:
// forwardedClientCert: SANITIZE
// server:
// disabled: true
// requestId:
// disabled: true
// attemptCount:
// disabled: true
// envoyDebugHeaders:
// disabled: true
// metadataExchangeHeaders:
// mode: IN_MESH
// ```
ProxyHeaders proxy_headers = 39;
message ProxyHeaders {
message Server {
google.protobuf.BoolValue disabled = 1;
// If set, and the server header is enabled, this value will be set as the server header. By default, `istio-envoy` will be used.
string value = 2;
}
message RequestId {
google.protobuf.BoolValue disabled = 1;
}
message AttemptCount {
google.protobuf.BoolValue disabled = 1;
}
message XForwardedHost {
google.protobuf.BoolValue enabled = 1;
}
message XForwardedPort {
google.protobuf.BoolValue enabled = 1;
}
message EnvoyDebugHeaders {
google.protobuf.BoolValue disabled = 1;
}
enum MetadataExchangeMode {
// Existing Istio behavior for the metadata exchange headers is unchanged.
UNDEFINED = 0;
// Only append the istio metadata exchange headers for services considered in-mesh.
// Traffic is considered in-mesh if it is secured with Istio mutual TLS. This means that `MESH_EXTERNAL` services, unmatched passthrough traffic, and requests to workloads without Istio enabled will be considered out of mesh.
IN_MESH = 1;
}
message MetadataExchangeHeaders {
MetadataExchangeMode mode = 1;
}
message SetCurrentClientCertDetails {
// Whether to forward the subject of the client cert. Defaults to true.
google.protobuf.BoolValue subject = 1;
// Whether to forward the entire client cert in URL encoded PEM format. This will appear in the
// XFCC header comma separated from other values with the value Cert="PEM".
// Defaults to false.
google.protobuf.BoolValue cert = 2;
// Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM
// format. This will appear in the XFCC header comma separated from other values with the value
// Chain="PEM".
// Defaults to false.
google.protobuf.BoolValue chain = 3;
// Whether to forward the DNS type Subject Alternative Names of the client cert.
// Defaults to true.
google.protobuf.BoolValue dns = 4;
// Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to
// true.
google.protobuf.BoolValue uri = 5;
}
// Controls the `X-Forwarded-Client-Cert` header for inbound sidecar requests. To set this on gateways, use the `Topology` setting.
// To disable the header, configure either `SANITIZE` (to always remove the header, if present) or `FORWARD_ONLY` (to leave the header as-is).
// By default, `APPEND_FORWARD` will be used.
ForwardClientCertDetails forwarded_client_cert = 1;
// This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET
// and the client connection is mTLS. It specifies the fields in
// the client certificate to be forwarded. Note that `Hash` is always set, and
// `By` is always set when the client certificate presents the URI type Subject Alternative Name value.
SetCurrentClientCertDetails set_current_client_cert_details = 7;
// Controls the `X-Request-Id` header. If enabled, a request ID is generated for each request if one is not already set.
// This applies to all types of traffic (inbound, outbound, and gateways).
// If disabled, no request ID will be generate for the request. If it is already present, it will be preserved.
// Warning: request IDs are a critical component to mesh tracing and logging, so disabling this is not recommended.
// This header is enabled by default if not configured.
RequestId request_id = 3;
// Controls the `server` header. If enabled, the `Server: istio-envoy` header is set in response headers for inbound traffic (including gateways).
// If disabled, the `Server` header is not modified. If it is already present, it will be preserved.
Server server = 2;
// Controls the `X-Envoy-Attempt-Count` header.
// If enabled, this header will be added on outbound request headers (including gateways) that have retries configured.
// If disabled, this header will not be set. If it is already present, it will be preserved.
// This header is enabled by default if not configured.
AttemptCount attempt_count = 4;
// Controls various `X-Envoy-*` headers, such as `X-Envoy-Overloaded` and `X-Envoy-Upstream-Service-Time`. If enabled,
// these headers will be included.
// If disabled, these headers will not be set. If they are already present, they will be preserved.
// See the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/router/v3/router.proto#envoy-v3-api-field-extensions-filters-http-router-v3-router-suppress-envoy-headers) for more details.
// These headers are enabled by default if not configured.
EnvoyDebugHeaders envoy_debug_headers = 5;
// Controls Istio metadata exchange headers `X-Envoy-Peer-Metadata` and `X-Envoy-Peer-Metadata-Id`.
// By default, the behavior is unspecified.
// If IN_MESH, these headers will not be appended to outbound requests from sidecars to services not in-mesh.
MetadataExchangeHeaders metadata_exchange_headers = 6;
// When true, the original case of HTTP/1.x headers will be preserved
// as they pass through the proxy, rather than normalizing them to lowercase.
// This field is particularly useful for applications that require case-sensitive
// headers for interoperability with downstream systems or APIs that expect specific
// casing.
// The preserve_http1_header_case option only applies to HTTP/1.x traffic, as HTTP/2 requires all headers
// to be lowercase per the protocol specification. Envoy will ignore this field for HTTP/2
// requests and automatically normalize headers to lowercase, ensuring compliance with HTTP/2
// standards.
google.protobuf.BoolValue preserve_http1_header_case = 40;
// Controls the `X-Forwarded-Host` header. If enabled, the `X-Forwarded-Host` header is appended
// with the original host when it is rewritten.
// This header is disabled by default.
XForwardedHost x_forwarded_host = 41;
// Controls the `X-Forwarded-Port` header. If enabled, the `X-Forwarded-Port` header is header with the port value
// client used to connect to Envoy. It will be ignored if the ``x-forwarded-port`` header has been set by any
// trusted proxy in front of Envoy.
// This header is disabled by default.
XForwardedPort x_forwarded_port = 42;
}
}
message RemoteService {
// Address of a remove service used for various purposes (access log
// receiver, metrics receiver, etc.). Can be IP address or a fully
// qualified DNS name.
string address = 1;
// Use the `tlsSettings` to specify the tls mode to use. If the remote service
// uses Istio mutual TLS and shares the root CA with istiod, specify the TLS
// mode as `ISTIO_MUTUAL`.
istio.networking.v1alpha3.ClientTLSSettings tls_settings = 2;
// If set then set `SO_KEEPALIVE` on the socket to enable TCP Keepalives.
istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive tcp_keepalive = 3;
}
Reference in New Issue View Git Blame Copy Permalink