From 611bd0ad07677acb6655032c223dcfdf5c9a5409 Mon Sep 17 00:00:00 2001 
From: unmultimedio <4431392+unmultimedio@users.noreply.github.com> Date: Thu, 15 Jan 2026 12:07:08 +0000 Subject: [PATCH] Detected new managed modules references --- ...16cf405b080946c52b7802bb63eef81279471798f0 | 106 + ...615e1b99e48d6795eaa1442b06f62d236b13d43c02 | 46 + ...3e43a3fe7ebab7217c13fad02ba1efaa86dce1e5df | 208 ++ ...cb8f571e4c2fb0ad941f11592fc9095eb354d89244 | 86 + ...6ec84802dd546fd2e0052d9eb7f96f76857e43d667 | 21 + ...32c65427bfa87772fbab5180477d39765cd27f4e12 | 18 + ...2aa4587504d1f823bcbd4903351459123c3800ce63 | 1407 ++++++++ ...153fe30ef05071970f7378ee176850e2ba1428b1b6 | 62 + ...e2b2879a7718180dc599bea7a372948d126abdb520 | 109 + ...94293065db9c960cd3618af09ff1aa2c37acd745f4 | 31 + ...2ccb7b068e3dde6ce4203d7c8de1491c7f15b2dc95 | 653 ++++ ...d671e50690f6e302a68f6d1fe850d395bb99fed659 | 102 + ...c38b43da984d68aa9a2c4530afdd9c538c095c8fd9 | 108 + ...f678d15c1d1b6303c31512879253f2f3339d4d46c0 | 152 + ...9f260aed9a3b7421ee76f5dc39ae73158ae4e7be9d | 107 + ...b18b86e373a0fba9beebd612c34ae2ecf2f57b9857 | 122 + ...69d67560bcab9adcebad108e0d5d06871587e881e9 | 223 ++ ...6c705ff47799f06efa85eab306eb0b0d616342e9f6 | 21 + ...927c12a6af6b68d36b65c8babdda818d773cd3720f | 124 + ...f04602da74c67dd184e9108c2c51a2cc15b0e69649 | 99 + ...c9c30cbea7d7d0d61d5a8119996380c0fab161a8e2 | 106 + ...6601533e89d40b5581f0fa40e98394bdd4c94ea867 | 176 + ...da80f6ba861f1f0f6f407aa49f65b551add68f985b | 34 + ...69182e55c89d16771df219dfd6448f73a0fb01c682 | 80 + ...e9a5e5fddf7ab2520840913725cfdebb6b588ee702 | 65 + ...7575e7928229ac2728312523de96648a58949c940f | 249 ++ ...467be85aa333c8640fe604e65bbacad6e5cef0ded6 | 2918 +++++++++++++++++ ...dc77c044643375b2ce74cd0afc2dbd0cf448f01928 | 108 + ...84351ad026c49cf596865b4b3711b10e60fbd7f545 | 533 +++ ...d9eea6ba734baa8d7fcb82a6cd0bfcf346a5da0aa8 | 128 + ...6e2abd4c2b0a98e14d55ef73cfdf0b823adc7befcb | 411 +++ ...c404be5ccff2a2f8553dd32667d4a3d6e7db8feaf0 | 602 ++++ ...6ead2c25e8b7534c4265c5ddd7a888ccb7f0c92c16 | 106 + 
...74cb1444674c6bc399a146fc138fd5f9a4256c3d4e | 92 + ...208e4e16220772d4b0d8d47616ec718ed88f7edcab | 35 + ...57e8d0ab2185c3c3bb797087a5755ec577410483f0 | 109 + ...0f1e3157f3fedd27164de77d1584ad6bfa551a74f4 | 126 + ...2e4de525d3324ced0436a98f5697ace6c8c77c640b | 39 + ...f0ba0fa806b4a73deabc0e184235739b994264acb0 | 274 ++ ...74e55d5a857878ef3b46e5b3e10a75112450bfbcc3 | 41 + ...581ac0d69b00379cd8e2b29ed880483d0e4f2ac33c | 85 + ...7a25a5853cdb84983a8e40458729251d87b2f3cd34 | 100 + ...5d8ccdab9604f26a6e74fcf63928b179f7a5c35443 | 76 + ...c2c6808b95ae652f648e31d340279d1242ae80b895 | 57 + ...f468a58f7cf3b5fbad9a7ba6d9deafb339dae8d9be | 74 + ...79051056a7f02e6ccf57ee5e002356c4df121ad6a2 | 100 + ...62c72c7c9a4c4cbf948fc1a9a0a197e665a683c2bb | 353 ++ ...33dba9c73398d8db39d5218701936d632524728117 | 83 + ...2dfce5c03026fff6a317db73f7ce90cb8c4987e722 | 62 + ...2fdf08965b8b9f08388af4a4737e18d84b0c6f3d31 | 93 + ...097fc78cb557caae8f16d213080496f934263a378f | 882 +++++ ...4e1840f1ea633e4cfc995cab69f3d5b9db44f8888a | 187 ++ ...d792ba0ddcd7376523ce79059ca756d8327fc854c0 | 23 + ...a1227b4d344d54e2cc11f43f5ed7844279dbdd41e1 | 152 + ...4e826c3255eb63b88fef390fb0011e62ed8f736032 | 157 + ...45c0600d5ab4900396c58cd9419b3aa281f69077a3 | 102 + ...402649240a9459a17899ae8434aeed66f2c468e733 | 42 + ...0a85e330791f1bc2794bb19a389e65fddfe8ecf9fa | 367 +++ ...af5da62139bb562d43989ea7af85cc643cff01ac52 | 91 + ...76f459dcfeddbe8481627829993a1d9bdc25ae48dd | 786 +++++ ...f9564b4c036e396583710cc37e394cf55f5346fc36 | 38 + ...ca50cd3d862db39aae56e8f1c916d7bb35a1be0db9 | 214 ++ ...85f9f23fc0bf0f317ea5bf3a03c792c399121e980e | 69 + ...8aad4d85208c73897c8ea130ff31aa621b8284df26 | 101 + ...b968d826f17381445d38c68e84f1ad91118b3baab7 | 807 +++++ ...3ac5a25345af4db2bfd9a93a1562efb0e2d4e8323b | 123 + ...eeb4804b13568d2a664d74554b431480d5a275535b | 172 + ...d00ba17f627fb92ddfb625c6cecf43b1b3ce9860aa | 59 + ...932d88b9f04169da5ff732e44b87b8b318e85a7841 | 292 ++ ...1bb80e04f9b62fa3a9a6ba3d9c369980eca2214154 | 17 + 
...5c960fd035c8a5049716f71abc97bd332996de3bd2 | 79 + ...2629ed25e92ada0afa531e8273e930bc46ca4ba02a | 470 +++ ...d7396d6d0fbe9c1beee5d3305f72252035f8604fd4 | 1357 ++++++++ ...7d67b3d9fd38ae158946b5b38277065a2d0bfde960 | 103 + ...f96bb0acf7edd8ee83131d7b27524cf538b96c7bf2 | 65 + ...38dd44a3d0cd59c9aa67748e5dfc36ee8766bb58b8 | 36 + ...5454c0a99d36c28a61aac13b7d46dd3e754d04dd10 | 500 +++ ...1a9a9fdd1bea3d2140f524eb8156273e1716684621 | 455 +++ ...fef87e2a92d80b763512663bbddcc13f5af9bd8608 | 22 + ...ae4ac6d8b20b2f26fefbccfbf38f82f0b4d10bc3ef | 461 +++ ...df785aa4f7d16b3a5a4262a697634624976f92d793 | 25 + ...919c20243a962cfc2e691ebcda0c631a03688fe76d | 355 ++ ...957dbedc9f09477828b46cc0d40c4cc85c42414e80 | 126 + ...97446184f9acfd684ff12de00b492b04fd8a49e2e6 | 32 + ...d2900e2db4b599e94bafacabc6dc4adf0618f3e548 | 18 + ...5ecbbb3d4b9130cf8c7827880a339beb089451b51f | 80 + ...12ea94df50f80c49bfdcdd5267e9de43bda3b58b47 | 73 + ...d79d994f3839140015015bbd8ace57ea993261494f | 143 + ...3956b5e79730a868ace2c4c115c1e7107f9fefa993 | 38 + ...f8196f00e8e3685cf49677ccd616077b68a956180e | 146 + ...c15a5071830c1599a7fe37028e9b5149c85afd7cce | 116 + ...b6836ebcd125d3abbc26012190cf544c9ce97717ce | 71 + ...dcc382ad1d83d018238ca8b810ff91eeace4dc8123 | 63 + ...287dc5c00b99d6894a6da03ad841517d12e072d5e9 | 55 + ...40606f7688b74628cf43a026a0d64b46e937b02976 | 355 ++ ...d4d842d6ebdf6b6ade161ded40e9d625f94773c69e | 366 +++ ...65a58affa6a2c29dd376fc21da66b09a0194d50b59 | 114 + modules/sync/envoyproxy/envoy/state.json | 4 + modules/sync/envoyproxy/ratelimit/state.json | 4 + modules/sync/googleapis/cloud-run/state.json | 36 + modules/sync/googleapis/googleapis/state.json | 36 + modules/sync/state.json | 8 +- 102 files changed, 21609 insertions(+), 4 deletions(-) create mode 100644 modules/sync/envoyproxy/envoy/cas/002cd85799c5af02bd7a35f7d889014754cb0265dfb84cc39b9e8b569beb221ae9950bcd19b5580b9c50e016cf405b080946c52b7802bb63eef81279471798f0 create mode 100644 
modules/sync/envoyproxy/envoy/cas/056ea98f23a22a25955841d4606958174b1990f85452169d990a656b9fd06d8131521516969d1b0e21d6d6615e1b99e48d6795eaa1442b06f62d236b13d43c02 create mode 100644 modules/sync/envoyproxy/envoy/cas/0d874a925488c9bea4cc70351e808d73c2974bb5cd6b7974775a8655fff22c24d6868f09d929c9ef8889963e43a3fe7ebab7217c13fad02ba1efaa86dce1e5df create mode 100644 modules/sync/envoyproxy/envoy/cas/0ecfb10ccedca83b3f7d88257cf2f82c341acc72d04085dcc65d469306ae5e2af7b8c851fb0347033f98decb8f571e4c2fb0ad941f11592fc9095eb354d89244 create mode 100644 modules/sync/envoyproxy/envoy/cas/10eee635abc4bc9035d7c3fee3bf5459aff50302192c37f03fef2640149c4907e474b43bfbec062fba65b56ec84802dd546fd2e0052d9eb7f96f76857e43d667 create mode 100644 modules/sync/envoyproxy/envoy/cas/18a36552f74feffb5e870e31aa73db971de269d00a5b11a0e727722f894450a10a09768b71ad75fa3e532732c65427bfa87772fbab5180477d39765cd27f4e12 create mode 100644 modules/sync/envoyproxy/envoy/cas/19f745562070373e23d5463423482c666d5a48b31da6eacf09d376989cf8ded9f9d067027080242b21fd712aa4587504d1f823bcbd4903351459123c3800ce63 create mode 100644 modules/sync/envoyproxy/envoy/cas/1a40596b4ce5536642785bc6b04b1c565fba95bc59f0231c0d8691078a51a20b9386c7a23bb31e949c7e06153fe30ef05071970f7378ee176850e2ba1428b1b6 create mode 100644 modules/sync/envoyproxy/envoy/cas/1ae73302964f63f0d1e375ad6a78da4859bffbf7ed184d4af5e15a9ae0753daa26ddcaf538c25e0685945ce2b2879a7718180dc599bea7a372948d126abdb520 create mode 100644 modules/sync/envoyproxy/envoy/cas/1b604a7ffa664974b105f56de7c80786e98478d8911ee50e1c24f0d8c75072d4dd09f8ca7a0c8104f7f57d94293065db9c960cd3618af09ff1aa2c37acd745f4 create mode 100644 modules/sync/envoyproxy/envoy/cas/1df85d6b2e4538bf21786d82c70b53e0683f6d87b2f8ab87f5c2b0e50f39dd952b14fdb58c7d0e5548d7912ccb7b068e3dde6ce4203d7c8de1491c7f15b2dc95 create mode 100644 modules/sync/envoyproxy/envoy/cas/208e15cc704c30a3a37f03fd72c98eed16c47e31e653e12c4c3829bd1a7746757da98ec919f2fd034972bed671e50690f6e302a68f6d1fe850d395bb99fed659 create mode 
100644 modules/sync/envoyproxy/envoy/cas/270a2e5b4b151c02c49ec87874d7fa8a2e2dddef86063a6fea58695044f1972043a9392d7d450a75981dccc38b43da984d68aa9a2c4530afdd9c538c095c8fd9 create mode 100644 modules/sync/envoyproxy/envoy/cas/27e7ea433e4e41e8bf8bee95418d6cad45942674cea4f325f7888bd75ca5851a678f728c72fd13140659fef678d15c1d1b6303c31512879253f2f3339d4d46c0 create mode 100644 modules/sync/envoyproxy/envoy/cas/2a3f58f19a05d4bb14ea75736b81862c7acd196b73db4ed172be24876e6c9efc18905db4c243fe3a266c1b9f260aed9a3b7421ee76f5dc39ae73158ae4e7be9d create mode 100644 modules/sync/envoyproxy/envoy/cas/2b79397942da5d50b1f2e3a350b069126a771b2449592441e1d34be8f2ff15eb0433de0557ed71a68a874bb18b86e373a0fba9beebd612c34ae2ecf2f57b9857 create mode 100644 modules/sync/envoyproxy/envoy/cas/316dc86defec70a70aa1e5901c99751f3fdea7250983b5f790f4fafa96ab9f2658f2eeea685f9c5110e3db69d67560bcab9adcebad108e0d5d06871587e881e9 create mode 100644 modules/sync/envoyproxy/envoy/cas/34211b28c5a19fa7da842985be337476e1bac2c0c5c71b81a5e3aa2e2d9a9aee72aa176897d0ac7cefda676c705ff47799f06efa85eab306eb0b0d616342e9f6 create mode 100644 modules/sync/envoyproxy/envoy/cas/37161b50fb369c7d99d81420e78eb5528031cb8963387b21f3b16a346425d4a48cac4fa95d2398dd4a8556927c12a6af6b68d36b65c8babdda818d773cd3720f create mode 100644 modules/sync/envoyproxy/envoy/cas/3d4d166abf61af4d0844593c3eccc0196688d3e6f40ad4092df9b75534d8c9d3110083fa6237da870e34d7f04602da74c67dd184e9108c2c51a2cc15b0e69649 create mode 100644 modules/sync/envoyproxy/envoy/cas/465bfc5258cfc02a55d62f64738c2e9c23266138751628c32cbe61da84cc8d12bdfb7a19577e3fb4e433cbc9c30cbea7d7d0d61d5a8119996380c0fab161a8e2 create mode 100644 modules/sync/envoyproxy/envoy/cas/47d7103d97ef0773986433d778f581ee7bf18610bca4308a1ecd757eb83a544df959c45b814cbeaeeae68a6601533e89d40b5581f0fa40e98394bdd4c94ea867 create mode 100644 modules/sync/envoyproxy/envoy/cas/4da937ae2f2013c8ab4c4b708457a63ed4acb07c2afac20418e6c55fde423553fcaadd570763a827644373da80f6ba861f1f0f6f407aa49f65b551add68f985b create 
mode 100644 modules/sync/envoyproxy/envoy/cas/4e474273521f8df5a92019d315c4bc4435a04903b0de9fd31d8700d36c88e87058eb07dbeb966abb786d6969182e55c89d16771df219dfd6448f73a0fb01c682 create mode 100644 modules/sync/envoyproxy/envoy/cas/4f7867b0773a6edbbff3f6032fb65b475a5cee759f6662696a55d74c25d4bb96c288630f05d6c12ba2806ee9a5e5fddf7ab2520840913725cfdebb6b588ee702 create mode 100644 modules/sync/envoyproxy/envoy/cas/507a8d9386faae791f5ea7cc6b5de36e64384b327e1b9a1738a108783695f21d05108d9aa049668e7b5dca7575e7928229ac2728312523de96648a58949c940f create mode 100644 modules/sync/envoyproxy/envoy/cas/51ab5857cad263ce58c510f0da0b06eee859677c39da016d6924a2c56a8fdc49e9b07c646d8b2dd518859f467be85aa333c8640fe604e65bbacad6e5cef0ded6 create mode 100644 modules/sync/envoyproxy/envoy/cas/54c295690dbab13abb894fdfc00f7169088c828711f94e5c9980521d5e3d3eeabef5e15980148a4c2c2bc3dc77c044643375b2ce74cd0afc2dbd0cf448f01928 create mode 100644 modules/sync/envoyproxy/envoy/cas/5606420f7e0e3365e9bdaa012bb3380ef16ab399b2b010998c9524e73e3a2bf40e844ebb97cab1ad5ede1b84351ad026c49cf596865b4b3711b10e60fbd7f545 create mode 100644 modules/sync/envoyproxy/envoy/cas/5667f8c87679bf1644503044802c8f3e1cf67eac83eafd7a9c0abd969bdc1addc7670b39c482a0cacc8a58d9eea6ba734baa8d7fcb82a6cd0bfcf346a5da0aa8 create mode 100644 modules/sync/envoyproxy/envoy/cas/56d8ee2a04129ea5371264bb7dc739ee4d45d1cb87be72d92e5e54cee26576222fd08d38538b750ce610516e2abd4c2b0a98e14d55ef73cfdf0b823adc7befcb create mode 100644 modules/sync/envoyproxy/envoy/cas/5753ad827ada06f3e3f0f98a57a0b70e93a6bbdd8b8b8a969e9c34d99804516e4593ed746c4e132edc3354c404be5ccff2a2f8553dd32667d4a3d6e7db8feaf0 create mode 100644 modules/sync/envoyproxy/envoy/cas/59527f51b36370ee87eaa093e454df957c4f537e2201e02da2928c072be789221d7850b0773d9772b06e4e6ead2c25e8b7534c4265c5ddd7a888ccb7f0c92c16 create mode 100644 modules/sync/envoyproxy/envoy/cas/59d9350a541de8f92284737869e627928b411fee305ce1c0b4960a60f13f003f6dcf4463bbf658273fe8a974cb1444674c6bc399a146fc138fd5f9a4256c3d4e 
create mode 100644 modules/sync/envoyproxy/envoy/cas/5c82678245095a18a9122648576780eb70221f36a71127ab80f6edd19b9c2316831b39b49848b5df74c31c208e4e16220772d4b0d8d47616ec718ed88f7edcab create mode 100644 modules/sync/envoyproxy/envoy/cas/5d1365c2a15eac67472851d97a23e17d24470ae21d04f87d9daf23a968cf1c85e76bae0aacfbee7e22d0fc57e8d0ab2185c3c3bb797087a5755ec577410483f0 create mode 100644 modules/sync/envoyproxy/envoy/cas/5fe000c8a7be0d8c110a23b7051a145c3bbc3dfb96ebc31f92a4c897bde8e7e6d2d09da8733cc1de3ac0a20f1e3157f3fedd27164de77d1584ad6bfa551a74f4 create mode 100644 modules/sync/envoyproxy/envoy/cas/619a9180e9bacad6103038fc2244b8239b0d849569f64f226ba8bf506a296f923e2eaf23e2aaa884d68b3d2e4de525d3324ced0436a98f5697ace6c8c77c640b create mode 100644 modules/sync/envoyproxy/envoy/cas/61fa4bc0c15dd4f8db3915ce16d05d830f94e84503ecc3dbe95d45282ffbe1b37f6103c91c139b11893438f0ba0fa806b4a73deabc0e184235739b994264acb0 create mode 100644 modules/sync/envoyproxy/envoy/cas/678bff6a6a4338b1448420ce629ec7d093dd5ce9c1f11ac247940ca93dbc3a91ef26fc38b8673606c8f52b74e55d5a857878ef3b46e5b3e10a75112450bfbcc3 create mode 100644 modules/sync/envoyproxy/envoy/cas/689c6756c416364b43a239d885aed8e13d410aa5f2efdb60e5240f8e709925c29a1574bd32b3d5f7c4e663581ac0d69b00379cd8e2b29ed880483d0e4f2ac33c create mode 100644 modules/sync/envoyproxy/envoy/cas/69807b25c10955f9925955a85ee043e724befa30d498745d5610572efbce5884cbead6c5205a5f4d54b4857a25a5853cdb84983a8e40458729251d87b2f3cd34 create mode 100644 modules/sync/envoyproxy/envoy/cas/6a79c855b6c0be08965931e01925e38b0dd6b550fbf8a89822f2c358fb26fbfda4c2ca08eade15ac926c325d8ccdab9604f26a6e74fcf63928b179f7a5c35443 create mode 100644 modules/sync/envoyproxy/envoy/cas/6f83dfd604349538d13f6a172792fad7f9c9fc13a4a66134ad7b0b6a99b17be0552d9c770cacd46f2649dbc2c6808b95ae652f648e31d340279d1242ae80b895 create mode 100644 
modules/sync/envoyproxy/envoy/cas/6fce554d394bed9723dc38e8dbad13f7ed0b955cff4ef9af3492024133d2241b8097a22109e5bae906b63bf468a58f7cf3b5fbad9a7ba6d9deafb339dae8d9be create mode 100644 modules/sync/envoyproxy/envoy/cas/7019fbab61a8adb1bb613ffc714c741a043d90d5c8fe10f77d87d9e76882e2824bbe92b137736cbf32d17d79051056a7f02e6ccf57ee5e002356c4df121ad6a2 create mode 100644 modules/sync/envoyproxy/envoy/cas/70cc88d4aa127a44d8c9f07ff539b0df74e22f68798bad5d4fe6c2204d9291015b7d8ba081b581e7f84d6762c72c7c9a4c4cbf948fc1a9a0a197e665a683c2bb create mode 100644 modules/sync/envoyproxy/envoy/cas/748b4a07decc320986f74c63098d0a67eeb9f9f96c9b5f74c93aa338d40dc469bbaeaac10c43a9727ad42533dba9c73398d8db39d5218701936d632524728117 create mode 100644 modules/sync/envoyproxy/envoy/cas/7612c46eac426d19af9cedcef0dfc3307ddcc0135198548676b789bb15ae69cb0bf62883344bff9c6019492dfce5c03026fff6a317db73f7ce90cb8c4987e722 create mode 100644 modules/sync/envoyproxy/envoy/cas/781b40a8c70122b1a22be027ac05afb870f68a0d6b90894748005adb032e91f1ef800f0d37afa73677b95e2fdf08965b8b9f08388af4a4737e18d84b0c6f3d31 create mode 100644 modules/sync/envoyproxy/envoy/cas/7a694f7096a90eea01c8587b07066334b4fa525478303ea8a2b78d38185f17b025b1d71070421b8f9ba58f097fc78cb557caae8f16d213080496f934263a378f create mode 100644 modules/sync/envoyproxy/envoy/cas/7ab7551b0c8fc52259981599b1b118ec1aa8abc5692a0d550014d427dc5553c054ccd0c9d0262f7be1cf664e1840f1ea633e4cfc995cab69f3d5b9db44f8888a create mode 100644 modules/sync/envoyproxy/envoy/cas/7c09a0ec365d6a776cf29ae4ba19c2c4a62acf19b785f418f22ffdaeb017d896faf7216ec5901a22acddd5d792ba0ddcd7376523ce79059ca756d8327fc854c0 create mode 100644 modules/sync/envoyproxy/envoy/cas/7c47e01e6bd412b0dfa541a4e7337df6e21bafd4e16296091b1481cfafd975ec4c0405cf2262dde4f8dbe2a1227b4d344d54e2cc11f43f5ed7844279dbdd41e1 create mode 100644 modules/sync/envoyproxy/envoy/cas/820d7943bb9e5754b8275f131b6ecab54f6ab7a3eb9d4276c04973ec75434b8a57cdbb329cbfd83549b7ab4e826c3255eb63b88fef390fb0011e62ed8f736032 create mode 
100644 modules/sync/envoyproxy/envoy/cas/8279990477d97efaa433be0a4321dc7d2291ee5d8aa833d9a24487786d43ed370fc0e7f1b3a4810025e61d45c0600d5ab4900396c58cd9419b3aa281f69077a3 create mode 100644 modules/sync/envoyproxy/envoy/cas/882661bb841648d59bb1f2acb187a340814f68ef6185cfa69dfe831ee21a826a7ecd8079ce8e511bf98598402649240a9459a17899ae8434aeed66f2c468e733 create mode 100644 modules/sync/envoyproxy/envoy/cas/883c1ea8b63022032112fac2bdb495ae2b5f80041c3d955b3e7f5e7dbf21025fccbdd1d656ebb024ef61220a85e330791f1bc2794bb19a389e65fddfe8ecf9fa create mode 100644 modules/sync/envoyproxy/envoy/cas/894ee44a49e973f8c2e094bfa3053351c0826c3da87d2f0f54d1d6c907892e49355a9437d0c938581bae75af5da62139bb562d43989ea7af85cc643cff01ac52 create mode 100644 modules/sync/envoyproxy/envoy/cas/8ca3bb1223bba6ed2a5ca12a2eb40ec4e962299d1723bd841e22535a605358433510aeb8e81faf0fc23bb276f459dcfeddbe8481627829993a1d9bdc25ae48dd create mode 100644 modules/sync/envoyproxy/envoy/cas/8f8bbcdf0c20b8232d78637ccd2a8aca9ce03f25fb56a75fc83d1bdb8fdaae32d0fa7aad4a1d3b41d8a4f6f9564b4c036e396583710cc37e394cf55f5346fc36 create mode 100644 modules/sync/envoyproxy/envoy/cas/93e4a36d900d8a68ed3b3126513013b82a79bda7e7c244b59a7ec2bd2928b8a7912e856da9075624253437ca50cd3d862db39aae56e8f1c916d7bb35a1be0db9 create mode 100644 modules/sync/envoyproxy/envoy/cas/9807d3ebad080c0acd2fbcc4286e17d94c2ea09233f52c89455ec54d6d1fb13b19b841faa36608cabf8e1e85f9f23fc0bf0f317ea5bf3a03c792c399121e980e create mode 100644 modules/sync/envoyproxy/envoy/cas/98893684c42a2e2520895a664623c59426eec1edc6b04ae90296ef27eb47fe1f12574a0c196d0979a001628aad4d85208c73897c8ea130ff31aa621b8284df26 create mode 100644 modules/sync/envoyproxy/envoy/cas/996a34816af91109a4fac98e114e7c5640f583ca8f46be8567f654ca73c42d77fd53ad3f069872ecf94e5cb968d826f17381445d38c68e84f1ad91118b3baab7 create mode 100644 modules/sync/envoyproxy/envoy/cas/9e76a22c9cdead3f586feeec0952f4809fe77c613adbaea2ffc25d357cdea64c3468f7b960227208a372f53ac5a25345af4db2bfd9a93a1562efb0e2d4e8323b create 
mode 100644 modules/sync/envoyproxy/envoy/cas/9e8d88f559a8724f64cdb259bb06d5d79dcc40430a2c190ceb6be8ad2bc989409748fc5f4d6d1b6f2dfd1deeb4804b13568d2a664d74554b431480d5a275535b create mode 100644 modules/sync/envoyproxy/envoy/cas/9ee0b29aed3777812c8d5348bdc7ba125d07c57cec49e831873382c2cdf523b4b5e83788c4ab5ff7d68154d00ba17f627fb92ddfb625c6cecf43b1b3ce9860aa create mode 100644 modules/sync/envoyproxy/envoy/cas/9f939fda4e1780444a5842e1b5a8c49ea62094afc0b6d83dbfd7479bfa3623be6a5c876538f9e4f7494fce932d88b9f04169da5ff732e44b87b8b318e85a7841 create mode 100644 modules/sync/envoyproxy/envoy/cas/a042cae93d024d6bcecdde67e0c856f445cb18ab4555c6f38eb17d049272b6216f1c566b58ee5eb42d649d1bb80e04f9b62fa3a9a6ba3d9c369980eca2214154 create mode 100644 modules/sync/envoyproxy/envoy/cas/a57d27a8b05774d301f856d2f82d3f94ab03fbcd8b9d188f3edd115325f9054463979c76015c671ebd4cc35c960fd035c8a5049716f71abc97bd332996de3bd2 create mode 100644 modules/sync/envoyproxy/envoy/cas/a5b9356c8ef2aa3c78941be61e47dbf667813c0a9d73f36aa221543f88d82f7e2e3ee366d2bc81f86874832629ed25e92ada0afa531e8273e930bc46ca4ba02a create mode 100644 modules/sync/envoyproxy/envoy/cas/ab4879612ab6ac4cd7e0baeda3622cda45273b419ad9bd1d79bdc707aaf11f9cca1b5fbecc5c290cb93e63d7396d6d0fbe9c1beee5d3305f72252035f8604fd4 create mode 100644 modules/sync/envoyproxy/envoy/cas/abfd42b3e363fbe849273f3400b4557ff8c511986893e362f7a3c524a33f10bc770a0e54e3160a7e02ad187d67b3d9fd38ae158946b5b38277065a2d0bfde960 create mode 100644 modules/sync/envoyproxy/envoy/cas/b01b9c08ea0d0da34c23042bd8da58ca40d92f1f7346b2a922c78409fa0e51d0b0acd6787de220b4b32397f96bb0acf7edd8ee83131d7b27524cf538b96c7bf2 create mode 100644 modules/sync/envoyproxy/envoy/cas/b5d9ec9f7834d656e6f73dd7ac2b1ac4765c8888d02fb3e42d51f9447008c8d52f40bebafca0ffeb7326e238dd44a3d0cd59c9aa67748e5dfc36ee8766bb58b8 create mode 100644 modules/sync/envoyproxy/envoy/cas/bb668849b33a7391d165b6b1e36b7049fc3ec26026d0e968c9398a8c2b56f1b2c3b5926bfe0d17ab81683a5454c0a99d36c28a61aac13b7d46dd3e754d04dd10 
create mode 100644 modules/sync/envoyproxy/envoy/cas/bd93ad0724db9b3840188ee614b6a8fe094dacba594e4d989cc33169c3b9ac373fd95ce9c201089b70bdd91a9a9fdd1bea3d2140f524eb8156273e1716684621 create mode 100644 modules/sync/envoyproxy/envoy/cas/c0db1853e908e8135812c85e8a3a1a62c5c85e470976c46d8e9664b930f4c4aac87e4c4a81c4a8c514190efef87e2a92d80b763512663bbddcc13f5af9bd8608 create mode 100644 modules/sync/envoyproxy/envoy/cas/c533295400884a2028aebefc3c33e91ac5f04292175bbe92f403d268e72f956da90fa837cf7427f0b7b195ae4ac6d8b20b2f26fefbccfbf38f82f0b4d10bc3ef create mode 100644 modules/sync/envoyproxy/envoy/cas/c866183a84e3031e4a37288a46498f7e38bb7b544267a8ccdcd7c4ba4e9f498aba720e36f94819ffa6d72fdf785aa4f7d16b3a5a4262a697634624976f92d793 create mode 100644 modules/sync/envoyproxy/envoy/cas/ce8ca31393368bbd835e656a59ab152cfb4adccc0aae45660c8faa6b27a26ea45bd38647acce9aa7fd5262919c20243a962cfc2e691ebcda0c631a03688fe76d create mode 100644 modules/sync/envoyproxy/envoy/cas/cffb4b03c2cdaf87e95ae70b72ee7afa4952783c02b23cd850bc658223cf7b635a6ae46a4457fe5cc69daa957dbedc9f09477828b46cc0d40c4cc85c42414e80 create mode 100644 modules/sync/envoyproxy/envoy/cas/d24f80ec625ca4a34589ee26dc9092322920a57c5c68562f26c7a6438922039682f2dbc66d9e212c41657197446184f9acfd684ff12de00b492b04fd8a49e2e6 create mode 100644 modules/sync/envoyproxy/envoy/cas/d77cca717af1b36b3af64c7621f965ee6eb7288b95939fe5c280e564f38faf46bbcd539a0eb8f535314f9cd2900e2db4b599e94bafacabc6dc4adf0618f3e548 create mode 100644 modules/sync/envoyproxy/envoy/cas/da3d8f11bc83acc05f23de19e6eb9192dc8c0a438d35b3fdfd0a96eccc0e50fa5a0854b023ada3335d3ad65ecbbb3d4b9130cf8c7827880a339beb089451b51f create mode 100644 modules/sync/envoyproxy/envoy/cas/db215158abc795f16af911490b416d119eccc3ec6d16fe9d6a094f76db6ea54c007d28d77ae1b70529f7ba12ea94df50f80c49bfdcdd5267e9de43bda3b58b47 create mode 100644 
modules/sync/envoyproxy/envoy/cas/dc63fcce9d1ed50b4322387791cddf8c021412eb8dc5cb27e63eaa51cb5aa48ccd055477b338e95e007371d79d994f3839140015015bbd8ace57ea993261494f create mode 100644 modules/sync/envoyproxy/envoy/cas/e1ef5c6288164e96ad75f885a9de2fe652bbbdfdd8a7f007ebee1983286e2b9efdd7028b76c68ba529d2783956b5e79730a868ace2c4c115c1e7107f9fefa993 create mode 100644 modules/sync/envoyproxy/envoy/cas/ec87b6ead92bdf9a5dc242a21f782d7a0f82a292522cbe59b802292b21e03f891b40218ed283b5a5c7c6d5f8196f00e8e3685cf49677ccd616077b68a956180e create mode 100644 modules/sync/envoyproxy/envoy/cas/f0a4d81196f500745a531f588d89c7622fe7d394cb4b967d4a12de27a8b9b9cbc84bfd0ba97446abf7d556c15a5071830c1599a7fe37028e9b5149c85afd7cce create mode 100644 modules/sync/envoyproxy/envoy/cas/f1ce76dc162b62f57898c3f089e2afdd5c6543e14fed6ad02a2ebbc220d55f53378ee6e19f05eb1a2cb4c5b6836ebcd125d3abbc26012190cf544c9ce97717ce create mode 100644 modules/sync/envoyproxy/envoy/cas/f31af87cde6202d9e68ca042f27da6dba4d65bdeb94065ce789d59f85dda5eaddc12d4060979422f571ed9dcc382ad1d83d018238ca8b810ff91eeace4dc8123 create mode 100644 modules/sync/envoyproxy/envoy/cas/f4b676ef5840cc1e1d8e3fe0c4082b16c423ac1a7b25f9e58f1a3f43733cf51bb7902519dc780939132ae3287dc5c00b99d6894a6da03ad841517d12e072d5e9 create mode 100644 modules/sync/envoyproxy/envoy/cas/f6879fdc241bb8413bd7a7d7a11ebd2605f85f399e70444bd392d8040ed29e6d7599caa614e64bfa6c37c940606f7688b74628cf43a026a0d64b46e937b02976 create mode 100644 modules/sync/envoyproxy/envoy/cas/f6ab25059c8421c806ba9672ecac55c6d74fc37d4b102962632c85a088cfc621f4953537f7605b8fd27ddfd4d842d6ebdf6b6ade161ded40e9d625f94773c69e create mode 100644 modules/sync/envoyproxy/envoy/cas/ffd5b6efba152ae8c135ff89f8c569e21f584379f1047a3dba7e53bbcd62880dc8e0ab883ae66bd8dc69d665a58affa6a2c29dd376fc21da66b09a0194d50b59 
diff --git a/modules/sync/envoyproxy/envoy/cas/002cd85799c5af02bd7a35f7d889014754cb0265dfb84cc39b9e8b569beb221ae9950bcd19b5580b9c50e016cf405b080946c52b7802bb63eef81279471798f0 b/modules/sync/envoyproxy/envoy/cas/002cd85799c5af02bd7a35f7d889014754cb0265dfb84cc39b9e8b569beb221ae9950bcd19b5580b9c50e016cf405b080946c52b7802bb63eef81279471798f0
new file mode 100644
index 00000000..1ab6c5eb
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/002cd85799c5af02bd7a35f7d889014754cb0265dfb84cc39b9e8b569beb221ae9950bcd19b5580b9c50e016cf405b080946c52b7802bb63eef81279471798f0
@@ -0,0 +1,106 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.composite.v3;
+
+import "envoy/config/core/v3/base.proto";
+import "envoy/config/core/v3/config_source.proto";
+import "envoy/config/core/v3/extension.proto";
+
+import "udpa/annotations/migrate.proto";
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.composite.v3";
+option java_outer_classname = "CompositeProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/composite/v3;compositev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Composite]
+// Composite Filter :ref:`configuration overview `.
+// [#extension: envoy.filters.http.composite]
+
+// :ref:`Composite filter ` config. The composite filter config
+// allows delegating filter handling to another filter as determined by matching on the request
+// headers. This makes it possible to use different filters or filter configurations based on the
+// incoming request.
+//
+// This is intended to be used with
+// :ref:`ExtensionWithMatcher `
+// where a match tree is specified that indicates (via
+// :ref:`ExecuteFilterAction `)
+// which filter configuration to create and delegate to.
+message Composite {
+ // Named filter chain definitions that can be referenced from
+ // :ref:`ExecuteFilterAction.filter_chain_name
+ // `.
+ // The filter chains are compiled at configuration time and can be referenced by name.
+ // This is useful when the same filter chain needs to be applied across many routes,
+ // as it avoids duplicating the filter chain configuration.
+ map named_filter_chains = 1;
+}
+
+// A list of filter configurations to be called in order. Note that this can be used as the type
+// inside of an ECDS :ref:`TypedExtensionConfig
+// ` extension, which allows a chain of
+// filters to be configured dynamically. In that case, the types of all filters in the chain must
+// be present in the :ref:`ExtensionConfigSource.type_urls
+// ` field.
+message FilterChainConfiguration {
+ repeated config.core.v3.TypedExtensionConfig typed_config = 1;
+}
+
+// Configuration for an extension configuration discovery service with name.
+message DynamicConfig {
+ // The name of the extension configuration. It also serves as a resource name in ExtensionConfigDS.
+ // The resource type in the ``DiscoveryRequest`` will be :ref:`TypedExtensionConfig
+ // `.
+ string name = 1 [(validate.rules).string = {min_len: 1}];
+
+ // Configuration source specifier for an extension configuration discovery
+ // service. In case of a failure and without the default configuration,
+ // 500(Internal Server Error) will be returned.
+ config.core.v3.ExtensionConfigSource config_discovery = 2;
+}
+
+// Composite match action (see :ref:`matching docs ` for more info on match actions).
+// This specifies the filter configuration of the filter that the composite filter should delegate filter interactions to.
+// [#next-free-field: 6]
+message ExecuteFilterAction {
+ // Filter specific configuration which depends on the filter being
+ // instantiated. See the supported filters for further documentation.
+ // Only one of ``typed_config``, ``dynamic_config``, ``filter_chain``, or ``filter_chain_name``
+ // can be set.
+ // [#extension-category: envoy.filters.http]
+ config.core.v3.TypedExtensionConfig typed_config = 1
+ [(udpa.annotations.field_migrate).oneof_promotion = "config_type"];
+
+ // Dynamic configuration of filter obtained via extension configuration discovery service.
+ // Only one of ``typed_config``, ``dynamic_config``, ``filter_chain``, or ``filter_chain_name``
+ // can be set.
+ DynamicConfig dynamic_config = 2
+ [(udpa.annotations.field_migrate).oneof_promotion = "config_type"];
+
+ // An inlined list of filter configurations. The specified filters will be executed in order.
+ // Only one of ``typed_config``, ``dynamic_config``, ``filter_chain``, or ``filter_chain_name``
+ // can be set.
+ FilterChainConfiguration filter_chain = 4;
+
+ // The name of a filter chain defined in
+ // :ref:`Composite.named_filter_chains
+ // `.
+ // At runtime, if the named filter chain is not found in the Composite filter's configuration,
+ // no filter will be applied for this match (the action is silently skipped).
+ // Only one of ``typed_config``, ``dynamic_config``, ``filter_chain``, or ``filter_chain_name``
+ // can be set.
+ string filter_chain_name = 5;
+
+ // Probability of the action execution. If not specified, this is 100%.
+ // This allows sampling behavior for the configured actions.
+ // For example, if
+ // :ref:`default_value `
+ // under the ``sample_percent`` is configured with 30%, a dice roll with that
+ // probability is done. The underline action will only be executed if the
+ // dice roll returns positive. Otherwise, the action is skipped.
+ config.core.v3.RuntimeFractionalPercent sample_percent = 3;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/056ea98f23a22a25955841d4606958174b1990f85452169d990a656b9fd06d8131521516969d1b0e21d6d6615e1b99e48d6795eaa1442b06f62d236b13d43c02 b/modules/sync/envoyproxy/envoy/cas/056ea98f23a22a25955841d4606958174b1990f85452169d990a656b9fd06d8131521516969d1b0e21d6d6615e1b99e48d6795eaa1442b06f62d236b13d43c02
new file mode 100644
index 00000000..ce616be1
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/056ea98f23a22a25955841d4606958174b1990f85452169d990a656b9fd06d8131521516969d1b0e21d6d6615e1b99e48d6795eaa1442b06f62d236b13d43c02
@@ -0,0 +1,46 @@
+syntax = "proto3";
+
+package envoy.extensions.load_balancing_policies.random_subsetting.v3;
+
+import "envoy/config/cluster/v3/cluster.proto";
+
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.load_balancing_policies.random_subsetting.v3";
+option java_outer_classname = "RandomSubsettingProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/random_subsetting/v3;random_subsettingv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Random Subsetting Load Balancing Policy]
+// [#not-implemented-hide:]
+// [#extension: envoy.load_balancing_policies.random_subsetting]
+// [#next-free-field: 3]
+
+// Configuration for the Random Subsetting Load Balancing Policy
+//
+// This policy selects a subset of endpoints and passes them to the child LB policy.
+// It maintains 2 important properties:
+// 1. The policy tries to distribute connections among servers as equally as possible. The higher
+// ``(N_clients*subset_size)/N_servers`` ratio is, the closer the resulting server connection
+// distribution is to uniform.
+// 2. The policy minimizes the amount of connection churn generated during server scale-ups by
+// using rendezvous hashing
+//
+// See the :ref:`load balancing architecture
+// overview` for more information.
+//
+// [#not-implemented-hide:]
+message RandomSubsetting {
+ // subset_size indicates how many backends every client will be connected to.
+ // The value must be greater than 0.
+ google.protobuf.UInt32Value subset_size = 1 [(validate.rules).uint32 = {gt: 0}];
+
+ // The config for the child policy.
+ // The value is required.
+ config.cluster.v3.LoadBalancingPolicy child_policy = 2
+ [(validate.rules).message = {required: true}];
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/0d874a925488c9bea4cc70351e808d73c2974bb5cd6b7974775a8655fff22c24d6868f09d929c9ef8889963e43a3fe7ebab7217c13fad02ba1efaa86dce1e5df b/modules/sync/envoyproxy/envoy/cas/0d874a925488c9bea4cc70351e808d73c2974bb5cd6b7974775a8655fff22c24d6868f09d929c9ef8889963e43a3fe7ebab7217c13fad02ba1efaa86dce1e5df
new file mode 100644
index 00000000..6614ce45
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/0d874a925488c9bea4cc70351e808d73c2974bb5cd6b7974775a8655fff22c24d6868f09d929c9ef8889963e43a3fe7ebab7217c13fad02ba1efaa86dce1e5df
@@ -0,0 +1,208 @@
+syntax = "proto3";
+
+package envoy.admin.v3;
+
+import "envoy/config/core/v3/base.proto";
+
+import "google/protobuf/duration.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+
+option java_package = "io.envoyproxy.envoy.admin.v3";
+option java_outer_classname = "ServerInfoProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/admin/v3;adminv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Server state]
+
+// Proto representation of the value returned by /server_info, containing
+// server version/server status information.
+// [#next-free-field: 8]
+message ServerInfo {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.admin.v2alpha.ServerInfo";
+
+ enum State {
+ // Server is live and serving traffic.
+ LIVE = 0;
+
+ // Server is draining listeners in response to external health checks failing.
+ DRAINING = 1;
+
+ // Server has not yet completed cluster manager initialization.
+ PRE_INITIALIZING = 2;
+
+ // Server is running the cluster manager initialization callbacks (e.g., RDS).
+ INITIALIZING = 3;
+ }
+
+ // Server version.
+ string version = 1;
+
+ // State of the server.
+ State state = 2;
+
+ // Uptime since current epoch was started.
+ google.protobuf.Duration uptime_current_epoch = 3;
+
+ // Uptime since the start of the first epoch.
+ google.protobuf.Duration uptime_all_epochs = 4;
+
+ // Hot restart version.
+ string hot_restart_version = 5;
+
+ // Command line options the server is currently running with.
+ CommandLineOptions command_line_options = 6;
+
+ // Populated node identity of this server.
+ config.core.v3.Node node = 7;
+}
+
+// [#next-free-field: 43]
+message CommandLineOptions {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.admin.v2alpha.CommandLineOptions";
+
+ enum IpVersion {
+ v4 = 0;
+ v6 = 1;
+ }
+
+ enum Mode {
+ // Validate configs and then serve traffic normally.
+ Serve = 0;
+
+ // Validate configs and exit.
+ Validate = 1;
+
+ // Completely load and initialize the config, and then exit without running the listener loop.
+ InitOnly = 2;
+ }
+
+ enum DrainStrategy {
+ // Gradually discourage connections over the course of the drain period.
+ Gradual = 0;
+
+ // Discourage all connections for the duration of the drain sequence.
+ Immediate = 1;
+ }
+
+ reserved 12, 20, 21, 29;
+
+ reserved "max_stats", "max_obj_name_len", "bootstrap_version";
+
+ // See :option:`--base-id` for details.
+ uint64 base_id = 1;
+
+ // See :option:`--use-dynamic-base-id` for details.
+ bool use_dynamic_base_id = 31;
+
+ // See :option:`--skip-hot-restart-on-no-parent` for details.
+ bool skip_hot_restart_on_no_parent = 39;
+
+ // See :option:`--skip-hot-restart-parent-stats` for details.
+ bool skip_hot_restart_parent_stats = 40;
+
+ // See :option:`--base-id-path` for details.
+ string base_id_path = 32;
+
+ // See :option:`--concurrency` for details.
+ uint32 concurrency = 2;
+
+ // See :option:`--config-path` for details.
+ string config_path = 3;
+
+ // See :option:`--config-yaml` for details.
+ string config_yaml = 4;
+
+ // See :option:`--allow-unknown-static-fields` for details.
+ bool allow_unknown_static_fields = 5;
+
+ // See :option:`--reject-unknown-dynamic-fields` for details.
+ bool reject_unknown_dynamic_fields = 26;
+
+ // See :option:`--ignore-unknown-dynamic-fields` for details.
+ bool ignore_unknown_dynamic_fields = 30;
+
+ // See :option:`--skip-deprecated-logs` for details.
+ bool skip_deprecated_logs = 41;
+
+ // See :option:`--admin-address-path` for details.
+ string admin_address_path = 6;
+
+ // See :option:`--local-address-ip-version` for details.
+ IpVersion local_address_ip_version = 7;
+
+ // See :option:`--log-level` for details.
+ string log_level = 8;
+
+ // See :option:`--component-log-level` for details.
+ string component_log_level = 9;
+
+ // See :option:`--log-format` for details.
+ string log_format = 10;
+
+ // See :option:`--log-format-escaped` for details.
+ bool log_format_escaped = 27;
+
+ // See :option:`--log-path` for details.
+ string log_path = 11;
+
+ // See :option:`--service-cluster` for details.
+ string service_cluster = 13;
+
+ // See :option:`--service-node` for details.
+ string service_node = 14;
+
+ // See :option:`--service-zone` for details.
+ string service_zone = 15;
+
+ // See :option:`--file-flush-interval-msec` for details.
+ google.protobuf.Duration file_flush_interval = 16;
+
+ // See :option:`--file-flush-min-size-kb` for details.
+ uint32 file_flush_min_size = 42;
+
+ // See :option:`--drain-time-s` for details.
+ google.protobuf.Duration drain_time = 17;
+
+ // See :option:`--drain-strategy` for details.
+ DrainStrategy drain_strategy = 33;
+
+ // See :option:`--parent-shutdown-time-s` for details.
+ google.protobuf.Duration parent_shutdown_time = 18;
+
+ // See :option:`--mode` for details.
+ Mode mode = 19;
+
+ // See :option:`--disable-hot-restart` for details.
+ bool disable_hot_restart = 22;
+
+ // See :option:`--enable-mutex-tracing` for details.
+ bool enable_mutex_tracing = 23;
+
+ // See :option:`--restart-epoch` for details.
+ uint32 restart_epoch = 24;
+
+ // See :option:`--cpuset-threads` for details.
+ bool cpuset_threads = 25;
+
+ // See :option:`--disable-extensions` for details.
+ repeated string disabled_extensions = 28;
+
+ // See :option:`--enable-fine-grain-logging` for details.
+ bool enable_fine_grain_logging = 34;
+
+ // See :option:`--socket-path` for details.
+ string socket_path = 35;
+
+ // See :option:`--socket-mode` for details.
+ uint32 socket_mode = 36;
+
+ // See :option:`--enable-core-dump` for details.
+ bool enable_core_dump = 37;
+
+ // See :option:`--stats-tag` for details.
+ repeated string stats_tag = 38;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/0ecfb10ccedca83b3f7d88257cf2f82c341acc72d04085dcc65d469306ae5e2af7b8c851fb0347033f98decb8f571e4c2fb0ad941f11592fc9095eb354d89244 b/modules/sync/envoyproxy/envoy/cas/0ecfb10ccedca83b3f7d88257cf2f82c341acc72d04085dcc65d469306ae5e2af7b8c851fb0347033f98decb8f571e4c2fb0ad941f11592fc9095eb354d89244
new file mode 100644
index 00000000..a37efe15
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/0ecfb10ccedca83b3f7d88257cf2f82c341acc72d04085dcc65d469306ae5e2af7b8c851fb0347033f98decb8f571e4c2fb0ad941f11592fc9095eb354d89244
@@ -0,0 +1,86 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.rbac.v3;
+
+import "envoy/config/rbac/v3/rbac.proto";
+
+import "xds/type/matcher/v3/matcher.proto";
+
+import "udpa/annotations/migrate.proto";
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.rbac.v3";
+option java_outer_classname = "RbacProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/rbac/v3;rbacv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: RBAC]
+// Role-Based Access Control :ref:`configuration overview `.
+// [#extension: envoy.filters.http.rbac]
+
+// RBAC filter config.
+// [#next-free-field: 8]
+message RBAC {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.http.rbac.v2.RBAC";
+
+ // The primary RBAC policy which will be applied globally, to all the incoming requests.
+ //
+ // * If absent, no RBAC enforcement occurs.
+ // * If set but empty, all requests are denied.
+ //
+ // .. note::
+ //
+ // When both ``rules`` and ``matcher`` are configured, ``rules`` will be ignored.
+ //
+ config.rbac.v3.RBAC rules = 1
+ [(udpa.annotations.field_migrate).oneof_promotion = "rules_specifier"];
+
+ // If specified, rules will emit stats with the given prefix.
+ // This is useful for distinguishing metrics when multiple RBAC filters are configured.
+ string rules_stat_prefix = 6;
+
+ // Match tree for evaluating RBAC actions on incoming requests. Requests not matching any matcher will be denied.
+ //
+ // * If absent, no RBAC enforcement occurs.
+ // * If set but empty, all requests are denied.
+ //
+ xds.type.matcher.v3.Matcher matcher = 4
+ [(udpa.annotations.field_migrate).oneof_promotion = "rules_specifier"];
+
+ // Shadow policy for testing RBAC rules without enforcing them. These rules generate stats and logs but do not deny
+ // requests. If absent, no shadow RBAC policy will be applied.
+ //
+ // .. note::
+ //
+ // When both ``shadow_rules`` and ``shadow_matcher`` are configured, ``shadow_rules`` will be ignored.
+ //
+ config.rbac.v3.RBAC shadow_rules = 2
+ [(udpa.annotations.field_migrate).oneof_promotion = "shadow_rules_specifier"];
+
+ // If absent, no shadow matcher will be applied.
+ // Match tree for testing RBAC rules through stats and logs without enforcing them.
+ // If absent, no shadow matching occurs.
+ xds.type.matcher.v3.Matcher shadow_matcher = 5
+ [(udpa.annotations.field_migrate).oneof_promotion = "shadow_rules_specifier"];
+
+ // If specified, shadow rules will emit stats with the given prefix.
+ // This is useful for distinguishing metrics when multiple RBAC filters use shadow rules.
+ string shadow_rules_stat_prefix = 3;
+
+ // If ``track_per_rule_stats`` is ``true``, counters will be published for each rule and shadow rule.
+ bool track_per_rule_stats = 7;
+}
+
+message RBACPerRoute {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.http.rbac.v2.RBACPerRoute";
+
+ reserved 1;
+
+ // Per-route specific RBAC configuration that overrides the global RBAC configuration.
+ // If absent, RBAC policy will be disabled for this route.
+ RBAC rbac = 2;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/10eee635abc4bc9035d7c3fee3bf5459aff50302192c37f03fef2640149c4907e474b43bfbec062fba65b56ec84802dd546fd2e0052d9eb7f96f76857e43d667 b/modules/sync/envoyproxy/envoy/cas/10eee635abc4bc9035d7c3fee3bf5459aff50302192c37f03fef2640149c4907e474b43bfbec062fba65b56ec84802dd546fd2e0052d9eb7f96f76857e43d667
new file mode 100644
index 00000000..0fbd87f4
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/10eee635abc4bc9035d7c3fee3bf5459aff50302192c37f03fef2640149c4907e474b43bfbec062fba65b56ec84802dd546fd2e0052d9eb7f96f76857e43d667
@@ -0,0 +1,21 @@
+syntax = "proto3";
+
+package envoy.extensions.transport_sockets.tls.cert_mappers.static_name.v3;
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.cert_mappers.static_name.v3";
+option java_outer_classname = "ConfigProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/cert_mappers/static_name/v3;static_namev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Static secret certificate mapper]
+// [#extension: envoy.tls.certificate_mappers.static_name]
+
+// A mapping to a fixed secret name for all certificates.
+message StaticName {
+ // The name for the secret to use for all connections.
+ string name = 1 [(validate.rules).string = {min_len: 1}];
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/18a36552f74feffb5e870e31aa73db971de269d00a5b11a0e727722f894450a10a09768b71ad75fa3e532732c65427bfa87772fbab5180477d39765cd27f4e12 b/modules/sync/envoyproxy/envoy/cas/18a36552f74feffb5e870e31aa73db971de269d00a5b11a0e727722f894450a10a09768b71ad75fa3e532732c65427bfa87772fbab5180477d39765cd27f4e12
new file mode 100644
index 00000000..1beb39c5
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/18a36552f74feffb5e870e31aa73db971de269d00a5b11a0e727722f894450a10a09768b71ad75fa3e532732c65427bfa87772fbab5180477d39765cd27f4e12
@@ -0,0 +1,18 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.proto_api_scrubber.v3;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.proto_api_scrubber.v3";
+option java_outer_classname = "MatcherActionsProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/proto_api_scrubber/v3;proto_api_scrubberv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Proto API Scrubber Matcher Actions]
+
+// Specifies an :ref:`Unified Matcher API ` action to remove a field.
+// This actual action needs to be implemented by the filter using it.
+message RemoveFieldAction {
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/19f745562070373e23d5463423482c666d5a48b31da6eacf09d376989cf8ded9f9d067027080242b21fd712aa4587504d1f823bcbd4903351459123c3800ce63 b/modules/sync/envoyproxy/envoy/cas/19f745562070373e23d5463423482c666d5a48b31da6eacf09d376989cf8ded9f9d067027080242b21fd712aa4587504d1f823bcbd4903351459123c3800ce63
new file mode 100644
index 00000000..19240909
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/19f745562070373e23d5463423482c666d5a48b31da6eacf09d376989cf8ded9f9d067027080242b21fd712aa4587504d1f823bcbd4903351459123c3800ce63
@@ -0,0 +1,1407 @@
+syntax = "proto3";
+
+package envoy.config.cluster.v3;
+
+import "envoy/config/cluster/v3/circuit_breaker.proto";
+import "envoy/config/cluster/v3/filter.proto";
+import "envoy/config/cluster/v3/outlier_detection.proto";
+import "envoy/config/core/v3/address.proto";
+import "envoy/config/core/v3/base.proto";
+import "envoy/config/core/v3/config_source.proto";
+import "envoy/config/core/v3/extension.proto";
+import "envoy/config/core/v3/health_check.proto";
+import "envoy/config/core/v3/protocol.proto";
+import "envoy/config/core/v3/resolver.proto";
+import "envoy/config/endpoint/v3/endpoint.proto";
+import "envoy/type/metadata/v3/metadata.proto";
+import "envoy/type/v3/percent.proto";
+
+import "google/protobuf/any.proto";
+import "google/protobuf/duration.proto";
+import "google/protobuf/struct.proto";
+import "google/protobuf/wrappers.proto";
+
+import "xds/core/v3/collection_entry.proto";
+import "xds/type/matcher/v3/matcher.proto";
+
+import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/migrate.proto";
+import "udpa/annotations/security.proto";
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.config.cluster.v3";
+option java_outer_classname = "ClusterProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/cluster/v3;clusterv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Cluster configuration]
+
+// Cluster list collections. Entries are ``Cluster`` resources or references.
+// [#not-implemented-hide:]
+message ClusterCollection {
+ xds.core.v3.CollectionEntry entries = 1;
+}
+
+// Configuration for a single upstream cluster.
+// [#next-free-field: 60]
+message Cluster {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Cluster";
+
+ // Refer to :ref:`service discovery type `
+ // for an explanation on each type.
+ enum DiscoveryType {
+ // Refer to the :ref:`static discovery type`
+ // for an explanation.
+ STATIC = 0;
+
+ // Refer to the :ref:`strict DNS discovery
+ // type`
+ // for an explanation.
+ STRICT_DNS = 1;
+
+ // Refer to the :ref:`logical DNS discovery
+ // type`
+ // for an explanation.
+ LOGICAL_DNS = 2;
+
+ // Refer to the :ref:`service discovery type`
+ // for an explanation.
+ EDS = 3;
+
+ // Refer to the :ref:`original destination discovery
+ // type`
+ // for an explanation.
+ ORIGINAL_DST = 4;
+ }
+
+ // Refer to :ref:`load balancer type ` architecture
+ // overview section for information on each type.
+ enum LbPolicy {
+ reserved 4;
+
+ reserved "ORIGINAL_DST_LB";
+
+ // Refer to the :ref:`round robin load balancing
+ // policy`
+ // for an explanation.
+ ROUND_ROBIN = 0;
+
+ // Refer to the :ref:`least request load balancing
+ // policy`
+ // for an explanation.
+ LEAST_REQUEST = 1;
+
+ // Refer to the :ref:`ring hash load balancing
+ // policy`
+ // for an explanation.
+ RING_HASH = 2;
+
+ // Refer to the :ref:`random load balancing
+ // policy`
+ // for an explanation.
+ RANDOM = 3;
+
+ // Refer to the :ref:`Maglev load balancing policy`
+ // for an explanation.
+ MAGLEV = 5;
+
+ // This load balancer type must be specified if the configured cluster provides a cluster
+ // specific load balancer. Consult the configured cluster's documentation for whether to set
+ // this option or not.
+ CLUSTER_PROVIDED = 6;
+
+ // Use the new :ref:`load_balancing_policy
+ // ` field to determine the LB policy.
+ // This has been deprecated in favor of using the :ref:`load_balancing_policy
+ // ` field without
+ // setting any value in :ref:`lb_policy`.
+ LOAD_BALANCING_POLICY_CONFIG = 7;
+ }
+
+ // When V4_ONLY is selected, the DNS resolver will only perform a lookup for
+ // addresses in the IPv4 family. If V6_ONLY is selected, the DNS resolver will
+ // only perform a lookup for addresses in the IPv6 family. If AUTO is
+ // specified, the DNS resolver will first perform a lookup for addresses in
+ // the IPv6 family and fallback to a lookup for addresses in the IPv4 family.
+ // This is semantically equivalent to a non-existent V6_PREFERRED option.
+ // AUTO is a legacy name that is more opaque than
+ // necessary and will be deprecated in favor of V6_PREFERRED in a future major version of the API.
+ // If V4_PREFERRED is specified, the DNS resolver will first perform a lookup for addresses in the
+ // IPv4 family and fallback to a lookup for addresses in the IPv6 family. i.e., the callback
+ // target will only get v6 addresses if there were NO v4 addresses to return.
+ // If ALL is specified, the DNS resolver will perform a lookup for both IPv4 and IPv6 families,
+ // and return all resolved addresses. When this is used, Happy Eyeballs will be enabled for
+ // upstream connections. Refer to :ref:`Happy Eyeballs Support `
+ // for more information.
+ // For cluster types other than
+ // :ref:`STRICT_DNS` and
+ // :ref:`LOGICAL_DNS`,
+ // this setting is
+ // ignored.
+ // [#next-major-version: deprecate AUTO in favor of a V6_PREFERRED option.]
+ enum DnsLookupFamily {
+ AUTO = 0;
+ V4_ONLY = 1;
+ V6_ONLY = 2;
+ V4_PREFERRED = 3;
+ ALL = 4;
+ }
+
+ enum ClusterProtocolSelection {
+ // Cluster can only operate on one of the possible upstream protocols (HTTP1.1, HTTP2).
+ // If :ref:`http2_protocol_options ` are
+ // present, HTTP2 will be used, otherwise HTTP1.1 will be used.
+ USE_CONFIGURED_PROTOCOL = 0;
+
+ // Use HTTP1.1 or HTTP2, depending on which one is used on the downstream connection.
+ USE_DOWNSTREAM_PROTOCOL = 1;
+ }
+
+ // TransportSocketMatch specifies what transport socket config will be used
+ // when the match conditions are satisfied.
+ message TransportSocketMatch {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.Cluster.TransportSocketMatch";
+
+ // The name of the match, used in stats generation.
+ string name = 1 [(validate.rules).string = {min_len: 1}];
+
+ // Optional metadata match criteria.
+ // The connection to the endpoint with metadata matching what is set in this field
+ // will use the transport socket configuration specified here.
+ // The endpoint's metadata entry in ``envoy.transport_socket_match`` is used to match
+ // against the values specified in this field.
+ google.protobuf.Struct match = 2;
+
+ // The configuration of the transport socket.
+ // [#extension-category: envoy.transport_sockets.upstream]
+ core.v3.TransportSocket transport_socket = 3;
+ }
+
+ // Extended cluster type.
+ message CustomClusterType {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.Cluster.CustomClusterType";
+
+ // The type of the cluster to instantiate. The name must match a supported cluster type.
+ string name = 1 [(validate.rules).string = {min_len: 1}];
+
+ // Cluster specific configuration which depends on the cluster being instantiated.
+ // See the supported cluster for further documentation.
+ // [#extension-category: envoy.clusters]
+ google.protobuf.Any typed_config = 2;
+ }
+
+ // Only valid when discovery type is EDS.
+ message EdsClusterConfig {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.Cluster.EdsClusterConfig";
+
+ // Configuration for the source of EDS updates for this Cluster.
+ core.v3.ConfigSource eds_config = 1;
+
+ // Optional alternative to cluster name to present to EDS. This does not
+ // have the same restrictions as cluster name, i.e. it may be arbitrary
+ // length. This may be a xdstp:// URL.
+ string service_name = 2;
+ }
+
+ // Optionally divide the endpoints in this cluster into subsets defined by
+ // endpoint metadata and selected by route and weighted cluster metadata.
+ // [#next-free-field: 9]
+ message LbSubsetConfig {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.Cluster.LbSubsetConfig";
+
+ // If NO_FALLBACK is selected, a result
+ // equivalent to no healthy hosts is reported. If ANY_ENDPOINT is selected,
+ // any cluster endpoint may be returned (subject to policy, health checks,
+ // etc). If DEFAULT_SUBSET is selected, load balancing is performed over the
+ // endpoints matching the values from the default_subset field.
+ enum LbSubsetFallbackPolicy {
+ NO_FALLBACK = 0;
+ ANY_ENDPOINT = 1;
+ DEFAULT_SUBSET = 2;
+ }
+
+ enum LbSubsetMetadataFallbackPolicy {
+ // No fallback. Route metadata will be used as-is.
+ METADATA_NO_FALLBACK = 0;
+
+ // A special metadata key ``fallback_list`` will be used to provide variants of metadata to try.
+ // Value of ``fallback_list`` key has to be a list. Every list element has to be a struct - it will
+ // be merged with route metadata, overriding keys that appear in both places.
+ // ``fallback_list`` entries will be used in order until a host is found.
+ //
+ // ``fallback_list`` key itself is removed from metadata before subset load balancing is performed.
+ //
+ // Example:
+ //
+ // for metadata:
+ //
+ // .. code-block:: yaml
+ //
+ // version: 1.0
+ // fallback_list:
+ // - version: 2.0
+ // hardware: c64
+ // - hardware: c32
+ // - version: 3.0
+ //
+ // at first, metadata:
+ //
+ // .. code-block:: json
+ //
+ // {"version": "2.0", "hardware": "c64"}
+ //
+ // will be used for load balancing. If no host is found, metadata:
+ //
+ // .. code-block:: json
+ //
+ // {"version": "1.0", "hardware": "c32"}
+ //
+ // is next to try. If it still results in no host, finally metadata:
+ //
+ // .. code-block:: json
+ //
+ // {"version": "3.0"}
+ //
+ // is used.
+ FALLBACK_LIST = 1;
+ }
+
+ // Specifications for subsets.
+ message LbSubsetSelector {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.Cluster.LbSubsetConfig.LbSubsetSelector";
+
+ // Allows to override top level fallback policy per selector.
+ enum LbSubsetSelectorFallbackPolicy {
+ // If NOT_DEFINED top level config fallback policy is used instead.
+ NOT_DEFINED = 0;
+
+ // If NO_FALLBACK is selected, a result equivalent to no healthy hosts is reported.
+ NO_FALLBACK = 1;
+
+ // If ANY_ENDPOINT is selected, any cluster endpoint may be returned
+ // (subject to policy, health checks, etc).
+ ANY_ENDPOINT = 2;
+
+ // If DEFAULT_SUBSET is selected, load balancing is performed over the
+ // endpoints matching the values from the default_subset field.
+ DEFAULT_SUBSET = 3;
+
+ // If KEYS_SUBSET is selected, subset selector matching is performed again with metadata
+ // keys reduced to
+ // :ref:`fallback_keys_subset`.
+ // It allows for a fallback to a different, less specific selector if some of the keys of
+ // the selector are considered optional.
+ KEYS_SUBSET = 4;
+ }
+
+ // List of keys to match with the weighted cluster metadata.
+ repeated string keys = 1;
+
+ // Selects a mode of operation in which each subset has only one host. This mode uses the same rules for
+ // choosing a host, but updating hosts is faster, especially for large numbers of hosts.
+ //
+ // If a match is found to a host, that host will be used regardless of priority levels.
+ //
+ // When this mode is enabled, configurations that contain more than one host with the same metadata value for the single key in ``keys``
+ // will use only one of the hosts with the given key; no requests will be routed to the others. The cluster gauge
+ // :ref:`lb_subsets_single_host_per_subset_duplicate` indicates how many duplicates are
+ // present in the current configuration.
+ bool single_host_per_subset = 4;
+
+ // The behavior used when no endpoint subset matches the selected route's
+ // metadata.
+ LbSubsetSelectorFallbackPolicy fallback_policy = 2
+ [(validate.rules).enum = {defined_only: true}];
+
+ // Subset of
+ // :ref:`keys` used by
+ // :ref:`KEYS_SUBSET`
+ // fallback policy.
+ // It has to be a non empty list if KEYS_SUBSET fallback policy is selected.
+ // For any other fallback policy the parameter is not used and should not be set.
+ // Only values also present in
+ // :ref:`keys` are allowed, but
+ // ``fallback_keys_subset`` cannot be equal to ``keys``.
+ repeated string fallback_keys_subset = 3;
+ }
+
+ // The behavior used when no endpoint subset matches the selected route's
+ // metadata. The value defaults to
+ // :ref:`NO_FALLBACK`.
+ LbSubsetFallbackPolicy fallback_policy = 1 [(validate.rules).enum = {defined_only: true}];
+
+ // Specifies the default subset of endpoints used during fallback if
+ // fallback_policy is
+ // :ref:`DEFAULT_SUBSET`.
+ // Each field in default_subset is
+ // compared to the matching LbEndpoint.Metadata under the ``envoy.lb``
+ // namespace. It is valid for no hosts to match, in which case the behavior
+ // is the same as a fallback_policy of
+ // :ref:`NO_FALLBACK`.
+ google.protobuf.Struct default_subset = 2;
+
+ // For each entry, LbEndpoint.Metadata's
+ // ``envoy.lb`` namespace is traversed and a subset is created for each unique
+ // combination of key and value. For example:
+ //
+ // .. code-block:: json
+ //
+ // { "subset_selectors": [
+ // { "keys": [ "version" ] },
+ // { "keys": [ "stage", "hardware_type" ] }
+ // ]}
+ //
+ // A subset is matched when the metadata from the selected route and
+ // weighted cluster contains the same keys and values as the subset's
+ // metadata. The same host may appear in multiple subsets.
+ repeated LbSubsetSelector subset_selectors = 3;
+
+ // If true, routing to subsets will take into account the localities and locality weights of the
+ // endpoints when making the routing decision.
+ //
+ // There are some potential pitfalls associated with enabling this feature, as the resulting
+ // traffic split after applying both a subset match and locality weights might be undesirable.
+ //
+ // Consider for example a situation in which you have 50/50 split across two localities X/Y
+ // which have 100 hosts each without subsetting. If the subset LB results in X having only 1
+ // host selected but Y having 100, then a lot more load is being dumped on the single host in X
+ // than originally anticipated in the load balancing assignment delivered via EDS.
+ bool locality_weight_aware = 4;
+
+ // When used with locality_weight_aware, scales the weight of each locality by the ratio
+ // of hosts in the subset vs hosts in the original subset. This aims to even out the load
+ // going to an individual locality if said locality is disproportionately affected by the
+ // subset predicate.
+ bool scale_locality_weight = 5;
+
+ // If true, when a fallback policy is configured and its corresponding subset fails to find
+ // a host this will cause any host to be selected instead.
+ //
+ // This is useful when using the default subset as the fallback policy, given the default
+ // subset might become empty. With this option enabled, if that happens the LB will attempt
+ // to select a host from the entire cluster.
+ bool panic_mode_any = 6;
+
+ // If true, metadata specified for a metadata key will be matched against the corresponding
+ // endpoint metadata if the endpoint metadata matches the value exactly OR it is a list value
+ // and any of the elements in the list matches the criteria.
+ bool list_as_any = 7;
+
+ // Fallback mechanism that allows to try different route metadata until a host is found.
+ // If load balancing process, including all its mechanisms (like
+ // :ref:`fallback_policy`)
+ // fails to select a host, this policy decides if and how the process is repeated using another metadata.
+ //
+ // The value defaults to
+ // :ref:`METADATA_NO_FALLBACK`.
+ LbSubsetMetadataFallbackPolicy metadata_fallback_policy = 8
+ [(validate.rules).enum = {defined_only: true}];
+ }
+
+ // Configuration for :ref:`slow start mode `.
+ message SlowStartConfig {
+ // Represents the size of slow start window.
+ // If set, the newly created host remains in slow start mode starting from its creation time
+ // for the duration of slow start window.
+ google.protobuf.Duration slow_start_window = 1;
+
+ // This parameter controls the speed of traffic increase over the slow start window. Defaults to 1.0,
+ // so that endpoint would get linearly increasing amount of traffic.
+ // When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly.
+ // The value of aggression parameter should be greater than 0.0.
+ // By tuning the parameter, is possible to achieve polynomial or exponential shape of ramp-up curve.
+ //
+ // During slow start window, effective weight of an endpoint would be scaled with time factor and aggression:
+ // ``new_weight = weight * max(min_weight_percent, time_factor ^ (1 / aggression))``,
+ // where ``time_factor=(time_since_start_seconds / slow_start_time_seconds)``.
+ //
+ // As time progresses, more and more traffic would be sent to endpoint, which is in slow start window.
+ // Once host exits slow start, time_factor and aggression no longer affect its weight.
+ core.v3.RuntimeDouble aggression = 2;
+
+ // Configures the minimum percentage of origin weight that avoids too small new weight,
+ // which may cause endpoints in slow start mode receive no traffic in slow start window.
+ // If not specified, the default is 10%.
+ type.v3.Percent min_weight_percent = 3;
+ }
+
+ // Specific configuration for the RoundRobin load balancing policy.
+ message RoundRobinLbConfig {
+ // Configuration for slow start mode.
+ // If this configuration is not set, slow start will not be not enabled.
+ SlowStartConfig slow_start_config = 1;
+ }
+
+ // Specific configuration for the LeastRequest load balancing policy.
+ message LeastRequestLbConfig {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.Cluster.LeastRequestLbConfig";
+
+ // The number of random healthy hosts from which the host with the fewest active requests will
+ // be chosen. Defaults to 2 so that we perform two-choice selection if the field is not set.
+ google.protobuf.UInt32Value choice_count = 1 [(validate.rules).uint32 = {gte: 2}];
+
+ // The following formula is used to calculate the dynamic weights when hosts have different load
+ // balancing weights:
+ //
+ // ``weight = load_balancing_weight / (active_requests + 1)^active_request_bias``
+ //
+ // The larger the active request bias is, the more aggressively active requests will lower the
+ // effective weight when all host weights are not equal.
+ //
+ // ``active_request_bias`` must be greater than or equal to 0.0.
+ //
+ // When ``active_request_bias == 0.0`` the Least Request Load Balancer doesn't consider the number
+ // of active requests at the time it picks a host and behaves like the Round Robin Load
+ // Balancer.
+ //
+ // When ``active_request_bias > 0.0`` the Least Request Load Balancer scales the load balancing
+ // weight by the number of active requests at the time it does a pick.
+ //
+ // The value is cached for performance reasons and refreshed whenever one of the Load Balancer's
+ // host sets changes, e.g., whenever there is a host membership update or a host load balancing
+ // weight change.
+ //
+ // .. note::
+ // This setting only takes effect if all host weights are not equal.
+ core.v3.RuntimeDouble active_request_bias = 2;
+
+ // Configuration for slow start mode.
+ // If this configuration is not set, slow start will not be not enabled.
+ SlowStartConfig slow_start_config = 3;
+ }
+
+ // Specific configuration for the :ref:`RingHash`
+ // load balancing policy.
+ message RingHashLbConfig {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.Cluster.RingHashLbConfig";
+
+ // The hash function used to hash hosts onto the ketama ring.
+ enum HashFunction {
+ // Use `xxHash `_, this is the default hash function.
+ XX_HASH = 0;
+
+ // Use `MurmurHash2 `_, this is compatible with
+ // std:hash in GNU libstdc++ 3.4.20 or above. This is typically the case when compiled
+ // on Linux and not macOS.
+ MURMUR_HASH_2 = 1;
+ }
+
+ reserved 2;
+
+ // Minimum hash ring size. The larger the ring is (that is, the more hashes there are for each
+ // provided host) the better the request distribution will reflect the desired weights. Defaults
+ // to 1024 entries, and limited to 8M entries. See also
+ // :ref:`maximum_ring_size`.
+ google.protobuf.UInt64Value minimum_ring_size = 1 [(validate.rules).uint64 = {lte: 8388608}];
+
+ // The hash function used to hash hosts onto the ketama ring. The value defaults to
+ // :ref:`XX_HASH`.
+ HashFunction hash_function = 3 [(validate.rules).enum = {defined_only: true}];
+
+ // Maximum hash ring size. Defaults to 8M entries, and limited to 8M entries, but can be lowered
+ // to further constrain resource use. See also
+ // :ref:`minimum_ring_size`.
+ google.protobuf.UInt64Value maximum_ring_size = 4 [(validate.rules).uint64 = {lte: 8388608}];
+ }
+
+ // Specific configuration for the :ref:`Maglev`
+ // load balancing policy.
+ message MaglevLbConfig {
+ // The table size for Maglev hashing. Maglev aims for "minimal disruption" rather than an absolute guarantee.
+ // Minimal disruption means that when the set of upstream hosts change, a connection will likely be sent to the same
+ // upstream as it was before. Increasing the table size reduces the amount of disruption.
+ // The table size must be prime number limited to 5000011. If it is not specified, the default is 65537.
+ google.protobuf.UInt64Value table_size = 1 [(validate.rules).uint64 = {lte: 5000011}];
+ }
+
+ // Specific configuration for the
+ // :ref:`Original Destination `
+ // load balancing policy.
+ // [#extension: envoy.clusters.original_dst]
+ message OriginalDstLbConfig {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.Cluster.OriginalDstLbConfig";
+
+ // When true, a HTTP header can be used to override the original dst address. The default header is
+ // :ref:`x-envoy-original-dst-host `.
+ //
+ // .. attention::
+ //
+ // This header isn't sanitized by default, so enabling this feature allows HTTP clients to
+ // route traffic to arbitrary hosts and/or ports, which may have serious security
+ // consequences.
+ //
+ // .. note::
+ //
+ // If the header appears multiple times only the first value is used.
+ bool use_http_header = 1;
+
+ // The http header to override destination address if :ref:`use_http_header `.
+ // is set to true. If the value is empty, :ref:`x-envoy-original-dst-host ` will be used.
+ string http_header_name = 2;
+
+ // The port to override for the original dst address. This port
+ // will take precedence over filter state and header override ports
+ google.protobuf.UInt32Value upstream_port_override = 3 [(validate.rules).uint32 = {lte: 65535}];
+
+ // The dynamic metadata key to override destination address.
+ // First the request metadata is considered, then the connection one.
+ type.metadata.v3.MetadataKey metadata_key = 4;
+ }
+
+ // Common configuration for all load balancer implementations.
+ // [#next-free-field: 9]
+ message CommonLbConfig {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.Cluster.CommonLbConfig";
+
+ // Configuration for :ref:`zone aware routing
+ // `.
+ message ZoneAwareLbConfig {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.Cluster.CommonLbConfig.ZoneAwareLbConfig";
+
+ // Configures percentage of requests that will be considered for zone aware routing
+ // if zone aware routing is configured. If not specified, the default is 100%.
+ // * :ref:`runtime values `.
+ // * :ref:`Zone aware routing support `.
+ type.v3.Percent routing_enabled = 1;
+
+ // Configures minimum upstream cluster size required for zone aware routing
+ // If upstream cluster size is less than specified, zone aware routing is not performed
+ // even if zone aware routing is configured. If not specified, the default is 6.
+ // * :ref:`runtime values `.
+ // * :ref:`Zone aware routing support `.
+ google.protobuf.UInt64Value min_cluster_size = 2;
+
+ // If set to true, Envoy will not consider any hosts when the cluster is in :ref:`panic
+ // mode`. Instead, the cluster will fail all
+ // requests as if all hosts are unhealthy. This can help avoid potentially overwhelming a
+ // failing service.
+ bool fail_traffic_on_panic = 3;
+ }
+
+ // Configuration for :ref:`locality weighted load balancing
+ // `
+ message LocalityWeightedLbConfig {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.Cluster.CommonLbConfig.LocalityWeightedLbConfig";
+ }
+
+ // Common Configuration for all consistent hashing load balancers (MaglevLb, RingHashLb, etc.)
+ message ConsistentHashingLbConfig {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.Cluster.CommonLbConfig.ConsistentHashingLbConfig";
+
+ // If set to ``true``, the cluster will use hostname instead of the resolved
+ // address as the key to consistently hash to an upstream host. Only valid for StrictDNS clusters with hostnames which resolve to a single IP address.
+ bool use_hostname_for_hashing = 1;
+
+ // Configures percentage of average cluster load to bound per upstream host. For example, with a value of 150
+ // no upstream host will get a load more than 1.5 times the average load of all the hosts in the cluster.
+ // If not specified, the load is not bounded for any upstream host. Typical value for this parameter is between 120 and 200.
+ // Minimum is 100.
+ //
+ // Applies to both Ring Hash and Maglev load balancers.
+ //
+ // This is implemented based on the method described in the paper https://arxiv.org/abs/1608.01350. For the specified
+ // ``hash_balance_factor``, requests to any upstream host are capped at ``hash_balance_factor/100`` times the average number of requests
+ // across the cluster. When a request arrives for an upstream host that is currently serving at its max capacity, linear probing
+ // is used to identify an eligible host. Further, the linear probe is implemented using a random jump in hosts ring/table to identify
+ // the eligible host (this technique is as described in the paper https://arxiv.org/abs/1908.08762 - the random jump avoids the
+ // cascading overflow effect when choosing the next host in the ring/table).
+ //
+ // If weights are specified on the hosts, they are respected.
+ //
+ // This is an O(N) algorithm, unlike other load balancers. Using a lower ``hash_balance_factor`` results in more hosts
+ // being probed, so use a higher value if you require better performance.
+ google.protobuf.UInt32Value hash_balance_factor = 2 [(validate.rules).uint32 = {gte: 100}];
+ }
+
+ // Configures the :ref:`healthy panic threshold `.
+ // If not specified, the default is 50%.
+ // To disable panic mode, set to 0%.
+ //
+ // .. note::
+ // The specified percent will be truncated to the nearest 1%.
+ type.v3.Percent healthy_panic_threshold = 1;
+
+ oneof locality_config_specifier {
+ ZoneAwareLbConfig zone_aware_lb_config = 2;
+
+ LocalityWeightedLbConfig locality_weighted_lb_config = 3;
+ }
+
+ // If set, all health check/weight/metadata updates that happen within this duration will be
+ // merged and delivered in one shot when the duration expires. The start of the duration is when
+ // the first update happens. This is useful for big clusters, with potentially noisy deploys
+ // that might trigger excessive CPU usage due to a constant stream of healthcheck state changes
+ // or metadata updates. The first set of updates to be seen apply immediately (e.g.: a new
+ // cluster). Please always keep in mind that the use of sandbox technologies may change this
+ // behavior.
+ //
+ // If this is not set, we default to a merge window of 1000ms. To disable it, set the merge
+ // window to 0.
+ //
+ // .. note::
+ // Merging does not apply to cluster membership changes (e.g.: adds/removes); this is
+ // because merging those updates isn't currently safe. See
+ // https://github.com/envoyproxy/envoy/pull/3941.
+ google.protobuf.Duration update_merge_window = 4;
+
+ // If set to true, Envoy will :ref:`exclude ` new hosts
+ // when computing load balancing weights until they have been health checked for the first time.
+ // This will have no effect unless active health checking is also configured.
+ bool ignore_new_hosts_until_first_hc = 5;
+
+ // If set to ``true``, the cluster manager will drain all existing
+ // connections to upstream hosts whenever hosts are added or removed from the cluster.
+ bool close_connections_on_host_set_change = 6;
+
+ // Common Configuration for all consistent hashing load balancers (MaglevLb, RingHashLb, etc.)
+ ConsistentHashingLbConfig consistent_hashing_lb_config = 7;
+
+ // This controls what hosts are considered valid when using
+ // :ref:`host overrides `, which is used by some
+ // filters to modify the load balancing decision.
+ //
+ // If this is unset then [UNKNOWN, HEALTHY, DEGRADED] will be applied by default. If this is
+ // set with an empty set of statuses then host overrides will be ignored by the load balancing.
+ core.v3.HealthStatusSet override_host_status = 8;
+ }
+
+ message RefreshRate {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Cluster.RefreshRate";
+
+ // Specifies the base interval between refreshes. This parameter is required and must be greater
+ // than zero and less than
+ // :ref:`max_interval `.
+ google.protobuf.Duration base_interval = 1 [(validate.rules).duration = {
+ required: true
+ gt {nanos: 1000000}
+ }];
+
+ // Specifies the maximum interval between refreshes. This parameter is optional, but must be
+ // greater than or equal to the
+ // :ref:`base_interval ` if set. The default
+ // is 10 times the :ref:`base_interval `.
+ google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {nanos: 1000000}}];
+ }
+
+ message PreconnectPolicy {
+ // Indicates how many streams (rounded up) can be anticipated per-upstream for each
+ // incoming stream. This is useful for high-QPS or latency-sensitive services. Preconnecting
+ // will only be done if the upstream is healthy and the cluster has traffic.
+ //
+ // For example if this is 2, for an incoming HTTP/1.1 stream, 2 connections will be
+ // established, one for the new incoming stream, and one for a presumed follow-up stream. For
+ // HTTP/2, only one connection would be established by default as one connection can
+ // serve both the original and presumed follow-up stream.
+ //
+ // In steady state for non-multiplexed connections a value of 1.5 would mean if there were 100
+ // active streams, there would be 100 connections in use, and 50 connections preconnected.
+ // This might be a useful value for something like short lived single-use connections,
+ // for example proxying HTTP/1.1 if keep-alive were false and each stream resulted in connection
+ // termination. It would likely be overkill for long lived connections, such as TCP proxying SMTP
+ // or regular HTTP/1.1 with keep-alive. For long lived traffic, a value of 1.05 would be more
+ // reasonable, where for every 100 connections, 5 preconnected connections would be in the queue
+ // in case of unexpected disconnects where the connection could not be reused.
+ //
+ // If this value is not set, or set explicitly to one, Envoy will fetch as many connections
+ // as needed to serve streams in flight. This means in steady state if a connection is torn down,
+ // a subsequent streams will pay an upstream-rtt latency penalty waiting for a new connection.
+ //
+ // This is limited somewhat arbitrarily to 3 because preconnecting too aggressively can
+ // harm latency more than the preconnecting helps.
+ google.protobuf.DoubleValue per_upstream_preconnect_ratio = 1
+ [(validate.rules).double = {lte: 3.0 gte: 1.0}];
+
+ // Indicates how many streams (rounded up) can be anticipated across a cluster for each
+ // stream, useful for low QPS services. This is currently supported for a subset of
+ // deterministic non-hash-based load-balancing algorithms (weighted round robin, random).
+ // Unlike ``per_upstream_preconnect_ratio`` this preconnects across the upstream instances in a
+ // cluster, doing best effort predictions of what upstream would be picked next and
+ // pre-establishing a connection.
+ //
+ // Preconnecting will be limited to one preconnect per configured upstream in the cluster and will
+ // only be done if there are healthy upstreams and the cluster has traffic.
+ //
+ // For example if preconnecting is set to 2 for a round robin HTTP/2 cluster, on the first
+ // incoming stream, 2 connections will be preconnected - one to the first upstream for this
+ // cluster, one to the second on the assumption there will be a follow-up stream.
+ //
+ // If this value is not set, or set explicitly to one, Envoy will fetch as many connections
+ // as needed to serve streams in flight, so during warm up and in steady state if a connection
+ // is closed (and per_upstream_preconnect_ratio is not set), there will be a latency hit for
+ // connection establishment.
+ //
+ // If both this and preconnect_ratio are set, Envoy will make sure both predicted needs are met,
+ // basically preconnecting max(predictive-preconnect, per-upstream-preconnect), for each
+ // upstream.
+ //
+ // This is limited somewhat arbitrarily to 3 because preconnecting too aggressively can
+ // harm latency more than the preconnecting helps.
+ google.protobuf.DoubleValue predictive_preconnect_ratio = 2
+ [(validate.rules).double = {lte: 3.0 gte: 1.0}];
+ }
+
+ reserved 12, 15, 7, 11, 35;
+
+ reserved "hosts", "tls_context", "extension_protocol_options";
+
+ // Configuration to use different transport sockets for different endpoints. The entry of
+ // ``envoy.transport_socket_match`` in the :ref:`LbEndpoint.Metadata
+ // ` is used to match against the
+ // transport sockets as they appear in the list. If a match is not found, the search continues in
+ // :ref:`LocalityLbEndpoints.Metadata
+ // `. The first :ref:`match
+ // ` is used. For example, with
+ // the following match
+ //
+ // .. code-block:: yaml
+ //
+ // transport_socket_matches:
+ // - name: "enableMTLS"
+ // match:
+ // acceptMTLS: true
+ // transport_socket:
+ // name: envoy.transport_sockets.tls
+ // config: { ... } # tls socket configuration
+ // - name: "defaultToPlaintext"
+ // match: {}
+ // transport_socket:
+ // name: envoy.transport_sockets.raw_buffer
+ //
+ // Connections to the endpoints whose metadata value under ``envoy.transport_socket_match``
+ // having "acceptMTLS"/"true" key/value pair use the "enableMTLS" socket configuration.
+ //
+ // If a :ref:`socket match ` with empty match
+ // criteria is provided, that always match any endpoint. For example, the "defaultToPlaintext"
+ // socket match in case above.
+ //
+ // If an endpoint metadata's value under ``envoy.transport_socket_match`` does not match any
+ // ``TransportSocketMatch``, the locality metadata is then checked for a match. Barring any
+ // matches in the endpoint or locality metadata, the socket configuration fallbacks to use the
+ // ``tls_context`` or ``transport_socket`` specified in this cluster.
+ //
+ // This field allows gradual and flexible transport socket configuration changes.
+ //
+ // The metadata of endpoints in EDS can indicate transport socket capabilities. For example,
+ // an endpoint's metadata can have two key value pairs as "acceptMTLS": "true",
+ // "acceptPlaintext": "true". While some other endpoints, only accepting plaintext traffic
+ // has "acceptPlaintext": "true" metadata information.
+ //
+ // Then the xDS server can configure the CDS to a client, Envoy A, to send mutual TLS
+ // traffic for endpoints with "acceptMTLS": "true", by adding a corresponding
+ // ``TransportSocketMatch`` in this field. Other client Envoys receive CDS without
+ // ``transport_socket_match`` set, and still send plain text traffic to the same cluster.
+ //
+ // This field can be used to specify custom transport socket configurations for health
+ // checks by adding matching key/value pairs in a health check's
+ // :ref:`transport socket match criteria ` field.
+ //
+ // [#comment:TODO(incfly): add a detailed architecture doc on intended usage.]
+ repeated TransportSocketMatch transport_socket_matches = 43;
+
+ // Optional matcher that selects a transport socket from
+ // :ref:`transport_socket_matches `.
+ //
+ // This matcher uses the generic xDS matcher framework to select a named transport socket
+ // based on various inputs available at transport socket selection time.
+ //
+ // Supported matching inputs:
+ //
+ // * ``endpoint_metadata``: Extract values from the selected endpoint's metadata.
+ // * ``locality_metadata``: Extract values from the endpoint's locality metadata.
+ // * ``transport_socket_filter_state``: Extract values from filter state that was explicitly shared from
+ // downstream to upstream via ``TransportSocketOptions``. This enables flexible
+ // downstream-connection-based matching, such as:
+ //
+ // - Network namespace matching.
+ // - Custom connection attributes.
+ // - Any data explicitly passed via filter state.
+ //
+ // .. note::
+ // Filter state sharing follows the same pattern as tunneling in Envoy. Filters must explicitly
+ // share data by setting filter state with the appropriate sharing mode. The filter state is
+ // then accessible via the ``transport_socket_filter_state`` input during transport socket selection.
+ //
+ // If this field is set, it takes precedence over legacy metadata-based selection
+ // performed by :ref:`transport_socket_matches
+ // ` alone.
+ // If the matcher does not yield a match, Envoy uses the default transport socket
+ // configured for the cluster.
+ //
+ // When using this field, each entry in
+ // :ref:`transport_socket_matches `
+ // must have a unique ``name``. The matcher outcome is expected to reference one of
+ // these names.
+ xds.type.matcher.v3.Matcher transport_socket_matcher = 59;
+
+ // Supplies the name of the cluster which must be unique across all clusters.
+ // The cluster name is used when emitting
+ // :ref:`statistics ` if :ref:`alt_stat_name
+ // ` is not provided.
+ // Any ``:`` in the cluster name will be converted to ``_`` when emitting statistics.
+ string name = 1 [(validate.rules).string = {min_len: 1}];
+
+ // An optional alternative to the cluster name to be used for observability. This name is used
+ // for emitting stats for the cluster and access logging the cluster name. This will appear as
+ // additional information in configuration dumps of a cluster's current status as
+ // :ref:`observability_name `
+ // and as an additional tag "upstream_cluster.name" while tracing.
+ //
+ // .. note::
+ // Any ``:`` in the name will be converted to ``_`` when emitting statistics. This should not be confused with
+ // :ref:`Router Filter Header `.
+ string alt_stat_name = 28 [(udpa.annotations.field_migrate).rename = "observability_name"];
+
+ oneof cluster_discovery_type {
+ // The :ref:`service discovery type `
+ // to use for resolving the cluster.
+ DiscoveryType type = 2 [(validate.rules).enum = {defined_only: true}];
+
+ // The custom cluster type.
+ CustomClusterType cluster_type = 38;
+ }
+
+ // Configuration to use for EDS updates for the Cluster.
+ EdsClusterConfig eds_cluster_config = 3;
+
+ // The timeout for new network connections to hosts in the cluster.
+ // If not set, a default value of 5s will be used.
+ google.protobuf.Duration connect_timeout = 4 [(validate.rules).duration = {gt {}}];
+
+ // Soft limit on size of the cluster’s connections read and write buffers. If
+ // unspecified, an implementation defined default is applied (1MiB).
+ google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5
+ [(udpa.annotations.security).configure_for_untrusted_upstream = true];
+
+ // The :ref:`load balancer type ` to use
+ // when picking a host in the cluster.
+ LbPolicy lb_policy = 6 [(validate.rules).enum = {defined_only: true}];
+
+ // Setting this is required for specifying members of
+ // :ref:`STATIC`,
+ // :ref:`STRICT_DNS`
+ // or :ref:`LOGICAL_DNS` clusters.
+ // This field supersedes the ``hosts`` field in the v2 API.
+ //
+ // .. attention::
+ //
+ // Setting this allows non-EDS cluster types to contain embedded EDS equivalent
+ // :ref:`endpoint assignments`.
+ //
+ endpoint.v3.ClusterLoadAssignment load_assignment = 33;
+
+ // Optional :ref:`active health checking `
+ // configuration for the cluster. If no
+ // configuration is specified no health checking will be done and all cluster
+ // members will be considered healthy at all times.
+ repeated core.v3.HealthCheck health_checks = 8;
+
+ // Optional maximum requests for a single upstream connection. This parameter
+ // is respected by both the HTTP/1.1 and HTTP/2 connection pool
+ // implementations. If not specified, there is no limit. Setting this
+ // parameter to 1 will effectively disable keep alive.
+ //
+ // .. attention::
+ // This field has been deprecated in favor of the :ref:`max_requests_per_connection ` field.
+ google.protobuf.UInt32Value max_requests_per_connection = 9
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // Optional :ref:`circuit breaking ` for the cluster.
+ CircuitBreakers circuit_breakers = 10;
+
+ // HTTP protocol options that are applied only to upstream HTTP connections.
+ // These options apply to all HTTP versions.
+ // This has been deprecated in favor of
+ // :ref:`upstream_http_protocol_options `
+ // in the :ref:`http_protocol_options ` message.
+ // upstream_http_protocol_options can be set via the cluster's
+ // :ref:`extension_protocol_options`.
+ // See :ref:`upstream_http_protocol_options
+ // `
+ // for example usage.
+ core.v3.UpstreamHttpProtocolOptions upstream_http_protocol_options = 46
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // Additional options when handling HTTP requests upstream. These options will be applicable to
+ // both HTTP1 and HTTP2 requests.
+ // This has been deprecated in favor of
+ // :ref:`common_http_protocol_options `
+ // in the :ref:`http_protocol_options ` message.
+ // common_http_protocol_options can be set via the cluster's
+ // :ref:`extension_protocol_options`.
+ // See :ref:`upstream_http_protocol_options
+ // `
+ // for example usage.
+ core.v3.HttpProtocolOptions common_http_protocol_options = 29
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // Additional options when handling HTTP1 requests.
+ // This has been deprecated in favor of http_protocol_options fields in the
+ // :ref:`http_protocol_options ` message.
+ // http_protocol_options can be set via the cluster's
+ // :ref:`extension_protocol_options`.
+ // See :ref:`upstream_http_protocol_options
+ // `
+ // for example usage.
+ core.v3.Http1ProtocolOptions http_protocol_options = 13
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // Even if default HTTP2 protocol options are desired, this field must be
+ // set so that Envoy will assume that the upstream supports HTTP/2 when
+ // making new HTTP connection pool connections. Currently, Envoy only
+ // supports prior knowledge for upstream connections. Even if TLS is used
+ // with ALPN, ``http2_protocol_options`` must be specified. As an aside this allows HTTP/2
+ // connections to happen over plain text.
+ // This has been deprecated in favor of http2_protocol_options fields in the
+ // :ref:`http_protocol_options `
+ // message. http2_protocol_options can be set via the cluster's
+ // :ref:`extension_protocol_options`.
+ // See :ref:`upstream_http_protocol_options
+ // `
+ // for example usage.
+ core.v3.Http2ProtocolOptions http2_protocol_options = 14 [
+ deprecated = true,
+ (udpa.annotations.security).configure_for_untrusted_upstream = true,
+ (envoy.annotations.deprecated_at_minor_version) = "3.0"
+ ];
+
+ // The extension_protocol_options field is used to provide extension-specific protocol options
+ // for upstream connections. The key should match the extension filter name, such as
+ // "envoy.filters.network.thrift_proxy". See the extension's documentation for details on
+ // specific options.
+ // [#next-major-version: make this a list of typed extensions.]
+ // [#extension-category: envoy.upstream_options]
+ map typed_extension_protocol_options = 36;
+
+ // If the DNS refresh rate is specified and the cluster type is either
+ // :ref:`STRICT_DNS`,
+ // or :ref:`LOGICAL_DNS`,
+ // this value is used as the cluster’s DNS refresh
+ // rate. The value configured must be at least 1ms. If this setting is not specified, the
+ // value defaults to 5000ms. For cluster types other than
+ // :ref:`STRICT_DNS`
+ // and :ref:`LOGICAL_DNS`
+ // this setting is ignored.
+ // This field is deprecated in favor of using the :ref:`cluster_type`
+ // extension point and configuring it with :ref:`DnsCluster`.
+ // If :ref:`cluster_type` is configured with
+ // :ref:`DnsCluster`, this field will be ignored.
+ google.protobuf.Duration dns_refresh_rate = 16 [
+ deprecated = true,
+ (validate.rules).duration = {gt {nanos: 1000000}},
+ (envoy.annotations.deprecated_at_minor_version) = "3.0"
+ ];
+
+ // DNS jitter can be optionally specified if the cluster type is either
+ // :ref:`STRICT_DNS`,
+ // or :ref:`LOGICAL_DNS`.
+ // DNS jitter causes the cluster to refresh DNS entries later by a random amount of time to avoid a
+ // stampede of DNS requests. This value sets the upper bound (exclusive) for the random amount.
+ // There will be no jitter if this value is omitted. For cluster types other than
+ // :ref:`STRICT_DNS`
+ // and :ref:`LOGICAL_DNS`
+ // this setting is ignored.
+ // This field is deprecated in favor of using the :ref:`cluster_type`
+ // extension point and configuring it with :ref:`DnsCluster`.
+ // If :ref:`cluster_type` is configured with
+ // :ref:`DnsCluster`, this field will be ignored.
+ google.protobuf.Duration dns_jitter = 58 [
+ deprecated = true,
+ (validate.rules).duration = {gte {}},
+ (envoy.annotations.deprecated_at_minor_version) = "3.0"
+ ];
+
+ // If the DNS failure refresh rate is specified and the cluster type is either
+ // :ref:`STRICT_DNS`,
+ // or :ref:`LOGICAL_DNS`,
+ // this is used as the cluster’s DNS refresh rate when requests are failing. If this setting is
+ // not specified, the failure refresh rate defaults to the DNS refresh rate. For cluster types
+ // other than :ref:`STRICT_DNS` and
+ // :ref:`LOGICAL_DNS` this setting is
+ // ignored.
+ // This field is deprecated in favor of using the :ref:`cluster_type`
+ // extension point and configuring it with :ref:`DnsCluster`.
+ // If :ref:`cluster_type` is configured with
+ // :ref:`DnsCluster`, this field will be ignored.
+ RefreshRate dns_failure_refresh_rate = 44
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // Optional configuration for setting cluster's DNS refresh rate. If the value is set to true,
+ // cluster's DNS refresh rate will be set to resource record's TTL which comes from DNS
+ // resolution.
+ // This field is deprecated in favor of using the :ref:`cluster_type`
+ // extension point and configuring it with :ref:`DnsCluster`.
+ // If :ref:`cluster_type` is configured with
+ // :ref:`DnsCluster`, this field will be ignored.
+ bool respect_dns_ttl = 39
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // The DNS IP address resolution policy. If this setting is not specified, the
+ // value defaults to
+ // :ref:`AUTO`.
+ // For logical and strict dns cluster, this field is deprecated in favor of using the
+ // :ref:`cluster_type`
+ // extension point and configuring it with :ref:`DnsCluster`.
+ // If :ref:`cluster_type` is configured with
+ // :ref:`DnsCluster`, this field will be ignored.
+ DnsLookupFamily dns_lookup_family = 17 [(validate.rules).enum = {defined_only: true}];
+
+ // If DNS resolvers are specified and the cluster type is either
+ // :ref:`STRICT_DNS`,
+ // or :ref:`LOGICAL_DNS`,
+ // this value is used to specify the cluster’s dns resolvers.
+ // If this setting is not specified, the value defaults to the default
+ // resolver, which uses /etc/resolv.conf for configuration. For cluster types
+ // other than
+ // :ref:`STRICT_DNS`
+ // and :ref:`LOGICAL_DNS`
+ // this setting is ignored.
+ // This field is deprecated in favor of ``dns_resolution_config``
+ // which aggregates all of the DNS resolver configuration in a single message.
+ repeated core.v3.Address dns_resolvers = 18
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // Always use TCP queries instead of UDP queries for DNS lookups.
+ // This field is deprecated in favor of ``dns_resolution_config``
+ // which aggregates all of the DNS resolver configuration in a single message.
+ bool use_tcp_for_dns_lookups = 45
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // DNS resolution configuration which includes the underlying dns resolver addresses and options.
+ // This field is deprecated in favor of
+ // :ref:`typed_dns_resolver_config `.
+ core.v3.DnsResolutionConfig dns_resolution_config = 53
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // DNS resolver type configuration extension. This extension can be used to configure c-ares, apple,
+ // or any other DNS resolver types and the related parameters.
+ // For example, an object of + // :ref:`CaresDnsResolverConfig ` + // can be packed into this ``typed_dns_resolver_config``. This configuration replaces the + // :ref:`dns_resolution_config ` + // configuration. + // During the transition period when both ``dns_resolution_config`` and ``typed_dns_resolver_config`` exists, + // when ``typed_dns_resolver_config`` is in place, Envoy will use it and ignore ``dns_resolution_config``. + // When ``typed_dns_resolver_config`` is missing, the default behavior is in place. + // Also note that this field is deprecated for logical dns and strict dns clusters and will be ignored when + // :ref:`cluster_type` is configured with + // :ref:`DnsCluster`. + // [#extension-category: envoy.network.dns_resolver] + core.v3.TypedExtensionConfig typed_dns_resolver_config = 55; + + // Optional configuration for having cluster readiness block on warm-up. Currently, only applicable for + // :ref:`STRICT_DNS`, + // or :ref:`LOGICAL_DNS`, + // or :ref:`Redis Cluster`. + // If true, cluster readiness blocks on warm-up. If false, the cluster will complete + // initialization whether or not warm-up has completed. Defaults to true. + google.protobuf.BoolValue wait_for_warm_on_init = 54; + + // If specified, outlier detection will be enabled for this upstream cluster. + // Each of the configuration values can be overridden via + // :ref:`runtime values `. + OutlierDetection outlier_detection = 19; + + // The interval for removing stale hosts from a cluster type + // :ref:`ORIGINAL_DST`. + // Hosts are considered stale if they have not been used + // as upstream destinations during this interval. New hosts are added + // to original destination clusters on demand as new connections are + // redirected to Envoy, causing the number of hosts in the cluster to + // grow over time. 
Hosts that are not stale (they are actively used as
+ // destinations) are kept in the cluster, which allows connections to
+ // them remain open, saving the latency that would otherwise be spent
+ // on opening new connections. If this setting is not specified, the
+ // value defaults to 5000ms. For cluster types other than
+ // :ref:`ORIGINAL_DST`
+ // this setting is ignored.
+ google.protobuf.Duration cleanup_interval = 20 [(validate.rules).duration = {gt {}}];
+
+ // Optional configuration used to bind newly established upstream connections.
+ // This overrides any bind_config specified in the bootstrap proto.
+ // If the address and port are empty, no bind will be performed.
+ core.v3.BindConfig upstream_bind_config = 21;
+
+ // Configuration for load balancing subsetting.
+ LbSubsetConfig lb_subset_config = 22;
+
+ // Optional configuration for the load balancing algorithm selected by
+ // LbPolicy. Currently only
+ // :ref:`RING_HASH`,
+ // :ref:`MAGLEV` and
+ // :ref:`LEAST_REQUEST`
+ // has additional configuration options.
+ // Specifying ring_hash_lb_config or maglev_lb_config or least_request_lb_config without setting the corresponding
+ // LbPolicy will generate an error at runtime.
+ oneof lb_config {
+ // Optional configuration for the Ring Hash load balancing policy.
+ RingHashLbConfig ring_hash_lb_config = 23;
+
+ // Optional configuration for the Maglev load balancing policy.
+ MaglevLbConfig maglev_lb_config = 52;
+
+ // Optional configuration for the Original Destination load balancing policy.
+ OriginalDstLbConfig original_dst_lb_config = 34;
+
+ // Optional configuration for the LeastRequest load balancing policy.
+ LeastRequestLbConfig least_request_lb_config = 37;
+
+ // Optional configuration for the RoundRobin load balancing policy.
+ RoundRobinLbConfig round_robin_lb_config = 56;
+ }
+
+ // Common configuration for all load balancer implementations.
+ CommonLbConfig common_lb_config = 27;
+
+ // Optional custom transport socket implementation to use for upstream connections.
+ // To setup TLS, set a transport socket with name ``envoy.transport_sockets.tls`` and
+ // :ref:`UpstreamTlsContexts ` in the ``typed_config``.
+ // If no transport socket configuration is specified, new connections
+ // will be set up with plaintext.
+ core.v3.TransportSocket transport_socket = 24;
+
+ // The Metadata field can be used to provide additional information about the
+ // cluster. It can be used for stats, logging, and varying filter behavior.
+ // Fields should use reverse DNS notation to denote which entity within Envoy
+ // will need the information. For instance, if the metadata is intended for
+ // the Router filter, the filter name should be specified as ``envoy.filters.http.router``.
+ core.v3.Metadata metadata = 25;
+
+ // Determines how Envoy selects the protocol used to speak to upstream hosts.
+ // This has been deprecated in favor of setting explicit protocol selection
+ // in the :ref:`http_protocol_options
+ // ` message.
+ // http_protocol_options can be set via the cluster's
+ // :ref:`extension_protocol_options`.
+ ClusterProtocolSelection protocol_selection = 26
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // Optional options for upstream connections.
+ UpstreamConnectionOptions upstream_connection_options = 30;
+
+ // If an upstream host becomes unhealthy (as determined by the configured health checks
+ // or outlier detection), immediately close all connections to the failed host.
+ //
+ // .. note::
+ //
+ // This is currently only supported for connections created by tcp_proxy.
+ //
+ // .. note::
+ //
+ // The current implementation of this feature closes all connections immediately when
+ // the unhealthy status is detected.
If there are a large number of connections open
+ // to an upstream host that becomes unhealthy, Envoy may spend a substantial amount of
+ // time exclusively closing these connections, and not processing any other traffic.
+ bool close_connections_on_host_health_failure = 31;
+
+ // If set to true, Envoy will ignore the health value of a host when processing its removal
+ // from service discovery. This means that if active health checking is used, Envoy will *not*
+ // wait for the endpoint to go unhealthy before removing it.
+ bool ignore_health_on_host_removal = 32;
+
+ // An (optional) network filter chain, listed in the order the filters should be applied.
+ // The chain will be applied to all outgoing connections that Envoy makes to the upstream
+ // servers of this cluster.
+ repeated Filter filters = 40;
+
+ // If this field is set and is supported by the client, it will supersede the value of
+ // :ref:`lb_policy`.
+ LoadBalancingPolicy load_balancing_policy = 41;
+
+ // [#not-implemented-hide:]
+ // If present, tells the client where to send load reports via LRS. If not present, the
+ // client will fall back to a client-side default, which may be either (a) don't send any
+ // load reports or (b) send load reports for all clusters to a single default server
+ // (which may be configured in the bootstrap file).
+ //
+ // Note that if multiple clusters point to the same LRS server, the client may choose to
+ // create a separate stream for each cluster or it may choose to coalesce the data for
+ // multiple clusters onto a single stream. Either way, the client must make sure to send
+ // the data for any given cluster on no more than one stream.
+ //
+ // [#next-major-version: In the v3 API, we should consider restructuring this somehow,
+ // maybe by allowing LRS to go on the ADS stream, or maybe by moving some of the negotiation
+ // from the LRS stream here.]
+ core.v3.ConfigSource lrs_server = 42;
+
+ // A list of metric names from :ref:`ORCA load reports ` to propagate to LRS.
+ //
+ // If not specified, then ORCA load reports will not be propagated to LRS.
+ //
+ // For map fields in the ORCA proto, the string will be of the form ``.``.
+ // For example, the string ``named_metrics.foo`` will mean to look for the key ``foo`` in the ORCA
+ // :ref:`named_metrics ` field.
+ //
+ // The special map key ``*`` means to report all entries in the map (e.g., ``named_metrics.*`` means to
+ // report all entries in the ORCA named_metrics field). Note that this should be used only with trusted
+ // backends.
+ //
+ // The metric names in LRS will follow the same semantics as this field. In other words, if this field
+ // contains ``named_metrics.foo``, then the LRS load report will include the data with that same string
+ // as the key.
+ repeated string lrs_report_endpoint_metrics = 57;
+
+ // If track_timeout_budgets is true, the :ref:`timeout budget histograms
+ // ` will be published for each
+ // request. These show what percentage of a request's per try and global timeout was used. A value
+ // of 0 would indicate that none of the timeout was used or that the timeout was infinite. A value
+ // of 100 would indicate that the request took the entirety of the timeout given to it.
+ //
+ // .. attention::
+ //
+ // This field has been deprecated in favor of ``timeout_budgets``, part of
+ // :ref:`track_cluster_stats `.
+ bool track_timeout_budgets = 47
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // Optional customization and configuration of upstream connection pool, and upstream type.
+ //
+ // Currently this field only applies for HTTP traffic but is designed for eventual use for custom
+ // TCP upstreams.
+ //
+ // For HTTP traffic, Envoy will generally take downstream HTTP and send it upstream as upstream
+ // HTTP, using the http connection pool and the codec from ``http2_protocol_options``
+ //
+ // For routes where CONNECT termination is configured, Envoy will take downstream CONNECT
+ // requests and forward the CONNECT payload upstream over raw TCP using the tcp connection pool.
+ //
+ // The default pool used is the generic connection pool which creates the HTTP upstream for most
+ // HTTP requests, and the TCP upstream if CONNECT termination is configured.
+ //
+ // If users desire custom connection pool or upstream behavior, for example terminating
+ // CONNECT only if a custom filter indicates it is appropriate, the custom factories
+ // can be registered and configured here.
+ // [#extension-category: envoy.upstreams]
+ core.v3.TypedExtensionConfig upstream_config = 48;
+
+ // Configuration to track optional cluster stats.
+ TrackClusterStats track_cluster_stats = 49;
+
+ // Preconnect configuration for this cluster.
+ PreconnectPolicy preconnect_policy = 50;
+
+ // If ``connection_pool_per_downstream_connection`` is true, the cluster will use a separate
+ // connection pool for every downstream connection
+ bool connection_pool_per_downstream_connection = 51;
+}
+
+// Extensible load balancing policy configuration.
+//
+// Every LB policy defined via this mechanism will be identified via a unique name using reverse
+// DNS notation. If the policy needs configuration parameters, it must define a message for its
+// own configuration, which will be stored in the config field. The name of the policy will tell
+// clients which type of message they should expect to see in the config field.
+//
+// Note that there are cases where it is useful to be able to independently select LB policies
+// for choosing a locality and for choosing an endpoint within that locality.
For example, a
+// given deployment may always use the same policy to choose the locality, but for choosing the
+// endpoint within the locality, some clusters may use weighted-round-robin, while others may
+// use some sort of session-based balancing.
+//
+// This can be accomplished via hierarchical LB policies, where the parent LB policy creates a
+// child LB policy for each locality. For each request, the parent chooses the locality and then
+// delegates to the child policy for that locality to choose the endpoint within the locality.
+//
+// To facilitate this, the config message for the top-level LB policy may include a field of
+// type LoadBalancingPolicy that specifies the child policy.
+message LoadBalancingPolicy {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.LoadBalancingPolicy";
+
+ message Policy {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.LoadBalancingPolicy.Policy";
+
+ reserved 2, 1, 3;
+
+ reserved "config", "name", "typed_config";
+
+ // [#extension-category: envoy.load_balancing_policies]
+ core.v3.TypedExtensionConfig typed_extension_config = 4;
+ }
+
+ // Each client will iterate over the list in order and stop at the first policy that it
+ // supports. This provides a mechanism for starting to use new LB policies that are not yet
+ // supported by all clients.
+ repeated Policy policies = 1;
+}
+
+message UpstreamConnectionOptions {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.UpstreamConnectionOptions";
+
+ enum FirstAddressFamilyVersion {
+ // respect the native ranking of destination ip addresses returned from dns
+ // resolution
+ DEFAULT = 0;
+
+ V4 = 1;
+
+ V6 = 2;
+ }
+
+ message HappyEyeballsConfig {
+ // Specify the IP address family to attempt connection first in happy
+ // eyeballs algorithm according to RFC8305#section-4.
+ FirstAddressFamilyVersion first_address_family_version = 1;
+
+ // Specify the number of addresses of the first_address_family_version being
+ // attempted for connection before the other address family.
+ google.protobuf.UInt32Value first_address_family_count = 2 [(validate.rules).uint32 = {gte: 1}];
+ }
+
+ // If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives.
+ core.v3.TcpKeepalive tcp_keepalive = 1;
+
+ // If enabled, associates the interface name of the local address with the upstream connection.
+ // This can be used by extensions during processing of requests. The association mechanism is
+ // implementation specific. Defaults to false due to performance concerns.
+ bool set_local_interface_name_on_upstream_connections = 2;
+
+ // Configurations for happy eyeballs algorithm.
+ // Add configs for first_address_family_version and first_address_family_count
+ // when sorting destination ip addresses.
+ HappyEyeballsConfig happy_eyeballs_config = 3;
+}
+
+message TrackClusterStats {
+ // If timeout_budgets is true, the :ref:`timeout budget histograms
+ // ` will be published for each
+ // request. These show what percentage of a request's per try and global timeout was used. A value
+ // of 0 would indicate that none of the timeout was used or that the timeout was infinite. A value
+ // of 100 would indicate that the request took the entirety of the timeout given to it.
+ bool timeout_budgets = 1;
+
+ // If request_response_sizes is true, then the :ref:`histograms
+ // ` tracking header and body sizes
+ // of requests and responses will be published. Additionally, number of headers in the requests and responses will be tracked.
+ bool request_response_sizes = 2;
+
+ // If true, some stats will be emitted per-endpoint, similar to the stats in admin ``/clusters``
+ // output.
+ //
+ // This does not currently output correct stats during a hot-restart.
+ //
+ // This is not currently implemented by all stat sinks.
+ //
+ // These stats do not honor filtering or tag extraction rules in :ref:`StatsConfig
+ // ` (but fixed-value tags are supported). Admin
+ // endpoint filtering is supported.
+ //
+ // This may not be used at the same time as
+ // :ref:`load_stats_config `.
+ bool per_endpoint_stats = 3;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/1a40596b4ce5536642785bc6b04b1c565fba95bc59f0231c0d8691078a51a20b9386c7a23bb31e949c7e06153fe30ef05071970f7378ee176850e2ba1428b1b6 b/modules/sync/envoyproxy/envoy/cas/1a40596b4ce5536642785bc6b04b1c565fba95bc59f0231c0d8691078a51a20b9386c7a23bb31e949c7e06153fe30ef05071970f7378ee176850e2ba1428b1b6
new file mode 100644
index 00000000..c5138f05
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/1a40596b4ce5536642785bc6b04b1c565fba95bc59f0231c0d8691078a51a20b9386c7a23bb31e949c7e06153fe30ef05071970f7378ee176850e2ba1428b1b6
@@ -0,0 +1,62 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.network.geoip.v3;
+
+import "envoy/config/core/v3/extension.proto";
+
+import "xds/annotations/v3/status.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.network.geoip.v3";
+option java_outer_classname = "GeoipProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/geoip/v3;geoipv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+option (xds.annotations.v3.file_status).work_in_progress = true;
+
+// [#protodoc-title: Geoip]
+// Geoip :ref:`configuration overview `.
+// [#extension: envoy.filters.network.geoip]
+
+// The network geolocation filter performs IP geolocation lookups on incoming connections
+// and stores the results in the connection's filter state under the well-known key
+// ``envoy.geoip``. The stored data is a ``GeoipInfo`` object that supports
+// serialization for access logging and field-level access.
+//
+// See :ref:`well known filter state ` for details on accessing
+// the geolocation data.
+message Geoip {
+ // The prefix to use when emitting statistics. This is useful when there are multiple
+ // listeners configured with geoip filters, allowing stats to be grouped per listener.
+ // For example, with ``stat_prefix: "listener_1."``, stats would be emitted as
+ // ``listener_1.geoip.total``.
+ string stat_prefix = 1;
+
+ // Geoip driver specific configuration which depends on the driver being instantiated.
+ // [#extension-category: envoy.geoip_providers]
+ config.core.v3.TypedExtensionConfig provider = 2 [(validate.rules).message = {required: true}];
+
+ // Configuration for dynamically extracting the client IP address used for geolocation lookups.
+ //
+ // This field accepts the same :ref:`format specifiers ` as used for
+ // :ref:`HTTP access logging ` to extract the client IP.
+ // The formatted result must be a valid IPv4 or IPv6 address string. For example:
+ //
+ // * ``%FILTER_STATE(my.custom.client.ip:PLAIN)%`` - Read from filter state populated by a preceding filter.
+ // * ``%DYNAMIC_METADATA(namespace:key)%`` - Read from dynamic metadata.
+ // * ``%REQ(X-Forwarded-For)%`` - Extract from request header (if applicable in context).
+ //
+ // If not specified, defaults to the downstream connection's remote address.
+ // If specified but the result is empty, ``-``, or not a valid IP address, the filter
+ // falls back to the downstream connection's remote address.
+ //
+ // Example reading from filter state:
+ //
+ // .. code-block:: yaml
+ //
+ // client_ip: "%FILTER_STATE(my.custom.client.ip:PLAIN)%"
+ //
+ string client_ip = 3;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/1ae73302964f63f0d1e375ad6a78da4859bffbf7ed184d4af5e15a9ae0753daa26ddcaf538c25e0685945ce2b2879a7718180dc599bea7a372948d126abdb520 b/modules/sync/envoyproxy/envoy/cas/1ae73302964f63f0d1e375ad6a78da4859bffbf7ed184d4af5e15a9ae0753daa26ddcaf538c25e0685945ce2b2879a7718180dc599bea7a372948d126abdb520
new file mode 100644
index 00000000..8143a044
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/1ae73302964f63f0d1e375ad6a78da4859bffbf7ed184d4af5e15a9ae0753daa26ddcaf538c25e0685945ce2b2879a7718180dc599bea7a372948d126abdb520
@@ -0,0 +1,109 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.proto_api_scrubber.v3;
+
+import "envoy/config/core/v3/base.proto";
+
+import "xds/type/matcher/v3/matcher.proto";
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.proto_api_scrubber.v3";
+option java_outer_classname = "ConfigProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/proto_api_scrubber/v3;proto_api_scrubberv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Proto API Scrubber]
+// [#extension: envoy.filters.http.proto_api_scrubber]
+
+// ProtoApiScrubber filter supports filtering of the request and
+// response payloads based on the configured field restrictions and actions.
+// The field restrictions and actions can be defined using unified matcher API.
+// The filter evaluates the configured restriction for each field
+// to produce the filtered output using the configured actions.
+// The design doc for this filter is available
+// `here `_
+
+message ProtoApiScrubberConfig {
+ // An enum enlisting all the filtering modes supported by this filter.
+ enum FilteringMode {
+ // Override the original request/response body with the filtered
+ // request/response body.
+ OVERRIDE = 0;
+ }
+
+ // The proto descriptor set for the proto services.
+ DescriptorSet descriptor_set = 1;
+
+ // Contains the restrictions for the supported proto elements.
+ Restrictions restrictions = 2;
+
+ // Specifies the filtering mode of this filter.
+ FilteringMode filtering_mode = 3;
+}
+
+// Specifies the descriptor set for proto services.
+message DescriptorSet {
+ // It could be passed by a local file through ``Datasource.filename`` or
+ // embedded in the ``Datasource.inline_bytes``.
+ config.core.v3.DataSource data_source = 1;
+}
+
+// Contains the restrictions for the methods.
+message Restrictions {
+ // Specifies the method restrictions.
+ // Key - Fully qualified method name e.g., ``endpoints.examples.bookstore.BookStore/GetShelf``.
+ // Value - Method restrictions.
+ map method_restrictions = 1;
+
+ // Specifies the message restrictions.
+ // Key - Fully qualified message name e.g., ``endpoints.examples.bookstore.Book``.
+ // Value - Message restrictions.
+ map message_restrictions = 2;
+}
+
+// Contains the method restrictions which include the field level restrictions
+// for the request and response fields.
+message MethodRestrictions {
+ // Restrictions that apply to request fields of the method.
+ // Key - field mask like path of the field e.g., foo.bar.baz
+ // Value - Restrictions map containing the mapping from restriction name to
+ // the restriction values.
+ map request_field_restrictions = 1;
+
+ // Restrictions that apply to response fields of the method.
+ // Key - field mask like path of the field e.g., foo.bar.baz
+ // Value - Restrictions map containing the mapping from restriction name to
+ // the restriction values.
+ map response_field_restrictions = 2;
+
+ // Optional restriction that applies to the entire method. If present, this
+ // rule takes precedence for the method itself over field-level or
+ // message-level rules. The 'matcher' within RestrictionConfig will determine
+ // if the method is denied/scrubbed. If the matcher evaluates to true:
+ //
+ // - The request is **denied**, and further processing is stopped.
+ // - The implementation should generate an immediate error response
+ // (e.g., an HTTP 403 Forbidden status) and send it to the client.
+ RestrictionConfig method_restriction = 3;
+}
+
+// Contains message-level restrictions.
+message MessageRestrictions {
+ // The core restriction to apply to this message type.
+ // The 'matcher' within RestrictionConfig will determine if the message is
+ // scrubbed/denied/allowed.
+ RestrictionConfig config = 1;
+
+ // Restrictions that apply to specific fields within this message type.
+ // Key - field mask (e.g. "social_security_number").
+ // Value - The restriction configuration for that field.
+ map field_restrictions = 2;
+}
+
+// The restriction configuration.
+message RestrictionConfig {
+ // Matcher tree for matching requests and responses with the configured restrictions.
+ xds.type.matcher.v3.Matcher matcher = 1;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/1b604a7ffa664974b105f56de7c80786e98478d8911ee50e1c24f0d8c75072d4dd09f8ca7a0c8104f7f57d94293065db9c960cd3618af09ff1aa2c37acd745f4 b/modules/sync/envoyproxy/envoy/cas/1b604a7ffa664974b105f56de7c80786e98478d8911ee50e1c24f0d8c75072d4dd09f8ca7a0c8104f7f57d94293065db9c960cd3618af09ff1aa2c37acd745f4
new file mode 100644
index 00000000..2eb8171f
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/1b604a7ffa664974b105f56de7c80786e98478d8911ee50e1c24f0d8c75072d4dd09f8ca7a0c8104f7f57d94293065db9c960cd3618af09ff1aa2c37acd745f4
@@ -0,0 +1,31 @@
+syntax = "proto3";
+
+package envoy.tcp.metadataexchange.config;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.tcp.metadataexchange.config";
+option java_outer_classname = "MetadataExchangeProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/contrib/envoy/tcp/metadataexchange/config";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Metadata exchange TCP filter]
+//
+// Metadata exchange TCP filter for deriving and propagating peer telemetry attributes.
+// [#extension: envoy.filters.network.metadata_exchange]
+
+// [#protodoc-title: MetadataExchange protocol match and data transfer]
+// MetadataExchange protocol match and data transfer
+message MetadataExchange {
+ // Protocol that Alpn should support on the server.
+ // [#comment:TODO(GargNupur): Make it a list.]
+ string protocol = 1;
+
+ // If true, will attempt to use WDS in case the prefix peer metadata is not available.
+ bool enable_discovery = 2;
+
+ // Additional labels to be added to the peer metadata to help your understand the traffic.
+ // e.g. ``role``, ``location`` etc.
+ repeated string additional_labels = 3;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/1df85d6b2e4538bf21786d82c70b53e0683f6d87b2f8ab87f5c2b0e50f39dd952b14fdb58c7d0e5548d7912ccb7b068e3dde6ce4203d7c8de1491c7f15b2dc95 b/modules/sync/envoyproxy/envoy/cas/1df85d6b2e4538bf21786d82c70b53e0683f6d87b2f8ab87f5c2b0e50f39dd952b14fdb58c7d0e5548d7912ccb7b068e3dde6ce4203d7c8de1491c7f15b2dc95
new file mode 100644
index 00000000..2ea1a1b3
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/1df85d6b2e4538bf21786d82c70b53e0683f6d87b2f8ab87f5c2b0e50f39dd952b14fdb58c7d0e5548d7912ccb7b068e3dde6ce4203d7c8de1491c7f15b2dc95
@@ -0,0 +1,653 @@
+shake256:a9c4ad5b20a2946a25d5efb7f096b32ffaa567e3e9a7d89984870104aab45f08d7f6f10c7c72affdc4aabab0471066958ae97c3bb5925b7cb268f8afde27ebbf LICENSE
+shake256:7a9a5a3a62ffe3acb50d67d1b0806566f798ac145649c493bf156a2e5d927e264464f5d3add734c687acde39586cc032795e8ea07f51f5bb2493fd0423db10c3 bazel/cc_proto_descriptor_library/testdata/test-extension.proto
+shake256:9e8bd1676e9fcea1d02e7cd0ce63f87e6c76b4b31467ec3df1f4a580da427488a764f9e48617a5be98d85057c648f46ec1925b05cae4346b207210327283dd11 bazel/cc_proto_descriptor_library/testdata/test.proto
+shake256:76295fd73d7f33a987c1243e8821818b80bd8b04634fc9ccd10879ab3c1ade926e3ef847f11d8e07ccf8fcf011561d151a5d4926505d6494a23119614e049aa6 bazel/cc_proto_descriptor_library/testdata/test1.proto
+shake256:036e58836a23359ebf2324efe94106d38521bef2ad6dab6b46b0379dc66192e8f29097c96a9f1c3b299274ec10b47204d63d9e23a010eb5e1c5d4ed52f15c3f7 buf.md
+shake256:f9abf7473dc3f95cc9ce2dabfabeedbf0f5fd808e1eb09ab07776ca3991ec073784ef8cb2f6df49a8293f1033141e29d687de39f506046b663b258728864f6b4 buf.yaml
+shake256:7144b74045a5813f5f81b71eb11ca0ddac4105e3d20b51a146b634f7dc8c529de6fc84d2c4d3fb635eec48616f787eca10287f14ea10ec3d218e9562508be0ba contrib/envoy/extensions/compression/qatzip/compressor/v3alpha/qatzip.proto
+shake256:ae38a03abf75ec63838de20438d1fdaf6ca49f6fcc9d701c4f918411027fcabfe08355fb24d7767074d9c440842bc86fd8788ad25e8c47e98782d6b5379f8b42 contrib/envoy/extensions/compression/qatzstd/compressor/v3alpha/qatzstd.proto
+shake256:b7a48d5f96609de62c69948d9050b6fe41d81f476f7779a8d46c8d1d8595dbcead84d193fce745eb375f2fb5ba034633c76a4d1c4987627205f9b8b49bcd6104 contrib/envoy/extensions/config/v3alpha/kv_store_xds_delegate_config.proto
+shake256:507a8d9386faae791f5ea7cc6b5de36e64384b327e1b9a1738a108783695f21d05108d9aa049668e7b5dca7575e7928229ac2728312523de96648a58949c940f contrib/envoy/extensions/filters/common/workload_discovery/v3/discovery.proto
+shake256:a042cae93d024d6bcecdde67e0c856f445cb18ab4555c6f38eb17d049272b6216f1c566b58ee5eb42d649d1bb80e04f9b62fa3a9a6ba3d9c369980eca2214154 contrib/envoy/extensions/filters/common/workload_discovery/v3/extension.proto
+shake256:8f8bbcdf0c20b8232d78637ccd2a8aca9ce03f25fb56a75fc83d1bdb8fdaae32d0fa7aad4a1d3b41d8a4f6f9564b4c036e396583710cc37e394cf55f5346fc36 contrib/envoy/extensions/filters/http/alpn/v3/alpn.proto
+shake256:fa51c63f2698c8856558be8080bc5340c7d1d9fecfcec48a16e154c6fd7886703897da973a1d4e321bc8748043ec6a7fce2069fe45530f104b73f07b3325296c contrib/envoy/extensions/filters/http/checksum/v3alpha/checksum.proto
+shake256:ce179ee97700792b3af9c1cb5081b3e62de6f98743f93e6166f73db8e4eb06c9bfd95fc8eec110af02ce1650d12d3dcf8eb74fd0fa21d5653dcaa2c0b84f7fab contrib/envoy/extensions/filters/http/dynamo/v3/dynamo.proto
+shake256:47d573dcc69241ec96ca579a48df33d669b3fd9d3de31066e51bfc0da5ff2c150c38269232e6e63fcf37c8716d72fec1e97c143a061791b15de2a9e4ddaea122 contrib/envoy/extensions/filters/http/golang/v3alpha/golang.proto
+shake256:54c295690dbab13abb894fdfc00f7169088c828711f94e5c9980521d5e3d3eeabef5e15980148a4c2c2bc3dc77c044643375b2ce74cd0afc2dbd0cf448f01928 contrib/envoy/extensions/filters/http/istio_stats/v3/istio_stats.proto
+shake256:c91ad7320770b1bbacf2ac9cfcb3b9ad4814290098d6b54131979be9acb38393595d69a2c89854e6248984cd3c12df7a9e69eeee4ef8cc1fcb814a91e770fa46 contrib/envoy/extensions/filters/http/language/v3alpha/language.proto
+shake256:7c09a0ec365d6a776cf29ae4ba19c2c4a62acf19b785f418f22ffdaeb017d896faf7216ec5901a22acddd5d792ba0ddcd7376523ce79059ca756d8327fc854c0 contrib/envoy/extensions/filters/http/peak_ewma/v3alpha/peak_ewma.proto
+shake256:748b4a07decc320986f74c63098d0a67eeb9f9f96c9b5f74c93aa338d40dc469bbaeaac10c43a9727ad42533dba9c73398d8db39d5218701936d632524728117 contrib/envoy/extensions/filters/http/peer_metadata/v3/peer_metadata.proto
+shake256:75bebf5cdb07a03584c0367cb291bf599154285a0c28bc56d4190b90fd0ff0734d57a3ef0a8bf88005abd9202cceb47df0c13a0dcbc9af3665513e4e4c96aada contrib/envoy/extensions/filters/http/sxg/v3alpha/sxg.proto
+shake256:6f83dfd604349538d13f6a172792fad7f9c9fc13a4a66134ad7b0b6a99b17be0552d9c770cacd46f2649dbc2c6808b95ae652f648e31d340279d1242ae80b895 contrib/envoy/extensions/filters/listener/postgres_inspector/v3alpha/postgres_inspector.proto
+shake256:8cf720d1ee2c70bc75784a9e3d1af11106d1a52418ec13671346d4fde5bd552882b95adae8f35e774d5d34d70f5d6150a36d635e0df072de98eec0208bbf0ee8 contrib/envoy/extensions/filters/network/client_ssl_auth/v3/client_ssl_auth.proto
+shake256:cb2005d9e1d460d9fb5b6e1d18c3fb0e6b08db1d9e3f20a2287ac91aabe486826b9d8fa0b674b0a075eeb660da61158d86ce0dce9952ea20c1d73e27b47452e6 contrib/envoy/extensions/filters/network/generic_proxy/codecs/kafka/v3/kafka.proto
+shake256:b6678557d0f621ab70455895ce208de8c41b4f51ea1c4cd2a661bc4d72a241a39b39a0bdad5521130f1645c78b37cf68ef3f9b2339a66111b27fc3d89adade00 contrib/envoy/extensions/filters/network/golang/v3alpha/golang.proto
+shake256:e1d0772c1e79f87f10446e70e445510cee7549c348789cbaa4b6e17ab6931aea85a6051f3d3c056472e6900e9b711063a01a70abcced4d271558e455f397df98 contrib/envoy/extensions/filters/network/kafka_broker/v3/kafka_broker.proto
+shake256:3b5eaa38005e7284020fa83bf98b27dc6022bd88b014a2e03ceb284b5145bd3bbb455204f4b844c2d889a290e0e85c4f58b5c91f728fdff07826ecb4e90d1437 contrib/envoy/extensions/filters/network/kafka_mesh/v3alpha/kafka_mesh.proto
+shake256:1b604a7ffa664974b105f56de7c80786e98478d8911ee50e1c24f0d8c75072d4dd09f8ca7a0c8104f7f57d94293065db9c960cd3618af09ff1aa2c37acd745f4 contrib/envoy/extensions/filters/network/metadata_exchange/v3/metadata_exchange.proto
+shake256:b358663115fc5d273c2fdeae4177ec77e455e830cc5ed529863f229faa531b643ffac3547d974b0675c3da6ab78f71615926c4ec4b2f065bda15fb84fe456ff7 contrib/envoy/extensions/filters/network/mysql_proxy/v3/mysql_proxy.proto
+shake256:add12f026b68305a95ca38d27b99c60f2fbd064e6207da36607131627006bda245156eeeabfffd798f85829b81f9f97a749e8936af83702ca652415cb02c5d27 contrib/envoy/extensions/filters/network/postgres_proxy/v3alpha/postgres_proxy.proto
+shake256:3f3e2331e55ceb14cd6f56a5add4364b134e731f7f925306998d8d8838f717ebb3f6efdf7c8905be7a7251e6c4038b90e1396bfd84db2d1dce2b22630321aae0 contrib/envoy/extensions/filters/network/rocketmq_proxy/v3/rocketmq_proxy.proto
+shake256:f788b766d979ecdf38a9a23d447ec167d9c461bd4776e261a15a5062ebba61c31135066937d088999278481ed593bc7d662ac7ce64885b29e0e670211b938fad contrib/envoy/extensions/filters/network/rocketmq_proxy/v3/route.proto
+shake256:726bb7baad0914a388e5094f559c289ffe68b86216453e24a0d477535f4b5248925c1706983b3867fac7fd9ae0eee2a8c2913c5252726812e4bd6fbc4b931c14 contrib/envoy/extensions/filters/network/sip_proxy/router/v3alpha/router.proto
+shake256:814c9c9f84d6c9518d7b396be3c45c734f94be7f972e591e3b9ba081a63b9abee6569e32e183e5d03453f462551b69af7dc20461dc31e3e2bcc411be5d8fd8a8 contrib/envoy/extensions/filters/network/sip_proxy/tra/v3alpha/tra.proto
+shake256:672f7c0aa8932a96a3a45f20e4f58bfa7aa418771393a8b844facae585b8b4d5d184c304fae94762a8acf54d6e724e20064e535b0ac0e8889e2a0c6d4cfe1660 contrib/envoy/extensions/filters/network/sip_proxy/v3alpha/route.proto
+shake256:8ffcc12678ded759d7f71dbc576f4a865c9dfdf5cbde41d77e43694ff4158bd76cbdc04258284f289ca61d2a47941ed53ac8ae0bb71956c1d8098813bfb974a4 contrib/envoy/extensions/filters/network/sip_proxy/v3alpha/sip_proxy.proto
+shake256:69807b25c10955f9925955a85ee043e724befa30d498745d5610572efbce5884cbead6c5205a5f4d54b4857a25a5853cdb84983a8e40458729251d87b2f3cd34 contrib/envoy/extensions/load_balancing_policies/peak_ewma/v3alpha/peak_ewma.proto
+shake256:bdd1669fcd617d3bda7dc5641875d063e878e343a1535c177f17290637ae649d69960feed3b81bbb378ec04797be4bff4bb13265fd69681cac4b58c86bc88b61 contrib/envoy/extensions/matching/input_matchers/hyperscan/v3alpha/hyperscan.proto
+shake256:e1cf9ee5689bd0c31288f67dc28ff17351fdd16d3fa7f111483c34536b861e76d2c407d00bc0d2661aa1f53a32cbf72afba072443a4b49da7b5318576e0bb4f0 contrib/envoy/extensions/network/connection_balance/dlb/v3alpha/dlb.proto
+shake256:75de73d5c5355f082e4d607078c0891ac2e1899e281718301e1a6d5a89bd2816304e1473d702c4634bb440d388b990d60cc48d21e8ce698e7de59c096463a201 contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha/cryptomb.proto
+shake256:444c37b67f885a3f631bb0dcb8140a07cc0f56503a8b4296bdc89638d06591aad6732f2c3bdae8c4891e44bb4c7cabb592821d95fc6c1477eea81e3b237e7ecd contrib/envoy/extensions/private_key_providers/qat/v3alpha/qat.proto
+shake256:33e1082c3889f2641394dc2e7074c5ba5ce3126bdc9ba1060ed407ce7e1ae7d41fa5b3a75575286e681ec3851e0c368bde67cea84c0d6bb065b69722cba624b8 contrib/envoy/extensions/regex_engines/hyperscan/v3alpha/hyperscan.proto
+shake256:9825c2f88055cd25c52078a6c508fe77bad594cabb2da12253b4c71057ba330f441300dc8db264a18ab8abd2d324e2fce1089918903ecefacc1bf49c4219c74a contrib/envoy/extensions/router/cluster_specifier/golang/v3alpha/golang.proto
+shake256:cc70776633491456a381ae3d23406d5099ca7f1f76e2d50dd2febfd8eff9146d38b60fdb44ef8e42a1a2e054264cfdef847875db46cc09afec3c9ed886bfe31b contrib/envoy/extensions/tap_sinks/udp_sink/v3alpha/udp_sink.proto
+shake256:fa5971bfc9d3068cbec7922a2442669502e1085efddbdaf11e2e94924f3693687928380f73d0e49ce95bf13596f3affe99e8794631e7975e51755b31fca26b42 contrib/envoy/extensions/upstreams/http/tcp/golang/v3alpha/golang.proto
+shake256:80887a746d8294ce4f4dcd0467ee6fe7b157da9555360459146587cf1f3166560d586c1650e274ce9449d5fceeeee3df9a6a096e100b04cd45394841dba6cc26 contrib/envoy/extensions/vcl/v3alpha/vcl_socket_interface.proto
+shake256:4d73b76b955d3478a5f466d844271d6c7b4b453b62f013c24eb7881b03f547d063158a3cf522c37d480ab561ce43060115c75ebe5ff70b193c2d4dd1d3bff60f envoy/admin/v2alpha/certs.proto
+shake256:392009644dca0f075cd5dc284bacc4d5a6dc0e9254998b32cb58f6773316f608696de51c8c825c8a5f1f4c42b2cececab719f23d8e33fcf20702d652e4db68fc
envoy/admin/v2alpha/clusters.proto +shake256:e4db3591f411e0073c4d281b2573e88576c5f9de4b544efb50bb342b54e7e1acc4fa6585401f2629fbf6def9d6d1d92d499994ff1e2f5dd217ecb0a227c292fc envoy/admin/v2alpha/config_dump.proto +shake256:4f2bce6af0bbc8be1cdece55535545e089ead78542386e3c8296cb92280f7609f52854a8271121b19d5b42e39c51c84d2a77f63e27e9bc5f16733e2328cb53d2 envoy/admin/v2alpha/listeners.proto +shake256:babcaf94ee63ef61c6e8a78b5cec1478bef04363192b5279554ca60f4de7850f43864bfd2131e25b133d6f4e39d1223307126baf092edae54524cf64eec4c139 envoy/admin/v2alpha/memory.proto +shake256:a34da07ab2e4a8bd9209a1399e188eac2be481978cc552ced7c6c5bd2de0ca3ca3dd8f324af7b69888381f0522fa4ea23caf5b997dc6afef44e88687472a88a4 envoy/admin/v2alpha/metrics.proto +shake256:572464b7bb7321d388f6e6bbecd73ec0fdee640812cd58a975615ccb561fb63e384945ee6bcfec2c5428bd98e08562f9cfd48f3fafcc362c8c1ffef50e54dfd7 envoy/admin/v2alpha/mutex_stats.proto +shake256:47d3268ce2101d2c203883255d72b5bc2fda272a1fb0e99dbd44ce214d8ea2f771ccb29809e617dd8fcabe3fe0e5f78c1d8780462ffb8f022f7bce3a37a6be7d envoy/admin/v2alpha/server_info.proto +shake256:7b13e01379b3accf542fc1b635e9773f704929127eca82c3d631bd91d71cb4dc6970a66e9777f93f694ef52f46121c78c40f701e25659f56eed0ea13b8a98ef8 envoy/admin/v2alpha/tap.proto +shake256:b0fc6c0c38c61ab85eddc6842483bafaf3442db13de31ab87de2d8287e8737f3cb2c7c7a24d07bc44d5cbfb9094b7140ef69c83a0285ba6dbed3f5c301e6b082 envoy/admin/v3/certs.proto +shake256:3ecd52c0173847a8f34a9276ea4411f01160e06109098d7b9d3d37f3271cc789b60ad62fbb175188bee7048039a5968dc6aa6488ce20d7c31d0da58bfab013f1 envoy/admin/v3/clusters.proto +shake256:b74573ab490303f5a6d136e1c0c1b8ac1f9a617bebc73db2d44750f0ca4fd4389c58d1fded5624b38a021fb65c48192326a71209468c1cba243ec4b52d2a176d envoy/admin/v3/config_dump.proto +shake256:e5c3e7849f8aab45cf872016d0b6f6288e7d1694fe103e3b0f64e74a7444dec99b7f296e59cbfe28373c351b0404b7c865e1281b175c19434c5b84f3d4225d03 envoy/admin/v3/config_dump_shared.proto 
+shake256:e72b3a5de25f5c898cbfe5fc83fef8dd66c03bcb396c52fd2edab6870a3b6cf3b696f66591fd3cbd6f7d28cd23e71d49786756a8ddcb6ae42144fb36077132af envoy/admin/v3/init_dump.proto +shake256:6570272d2d533e5eb9d66f2f9cda21c84aae72a753b497192014ceb2cc77f7a3698e9b52488303c04b0ed6e6c653c49912a55781d873b4113f8a66eadd87655c envoy/admin/v3/listeners.proto +shake256:4cea80b96515e73ed166ffb074490e388706151c316a6281d580cad1b94c25c2f2fad927bd57061193640a791bfdb17936a60bca6e44a7332685a143f7eb2f12 envoy/admin/v3/memory.proto +shake256:1fbd58b26fc343916e3a95e7c8bbcd18be83aa4100f0cbb1171556685079dd0c7d6d705bba862d77dbdcf960e9be17cad3e5cb0a5994e9ba9b88b541a9d66411 envoy/admin/v3/metrics.proto +shake256:7d878df1ba81097b3bd150127d366a41db794cd7243a03e0b233c563044e15b5d0f74565d5f9408efff46de7dfb7c3b0a5842cb02882758acbc15323fcb46ceb envoy/admin/v3/mutex_stats.proto +shake256:0d874a925488c9bea4cc70351e808d73c2974bb5cd6b7974775a8655fff22c24d6868f09d929c9ef8889963e43a3fe7ebab7217c13fad02ba1efaa86dce1e5df envoy/admin/v3/server_info.proto +shake256:6a478eb836b32fa6eb4912a3cc311d3e54b267e7a628426efc49cb81959b0b5215ed46deacd0233d4aeaab32a303ca5309fcd030012bfedde2de782fc0787310 envoy/admin/v3/tap.proto +shake256:3adb067791805262a0ab31825adf5239b87c95c057cf3b4dffa4a7a8debf5ed4a53e239ed3108da8981c69fe795b1cde14a02c133f410dd0f886e71f6479319a envoy/annotations/deprecation.proto +shake256:f2de7186256f2d6d35bc5e77e5a2060e3be9256970d9415cfa01bd9d0a063f98e2a7bb47bf7b03706d9d466062aa2faca4ea91f45fc93f995340d497bc9d7186 envoy/annotations/resource.proto +shake256:6bcd4872bc82d5ea2fbb17106cdba7772b0b241931a935266ce04e980804700b5b0ea06ac0156f60645830a6ab234bdfc46a37f51bb49a18afdc6bdc984563c5 envoy/api/v2/auth/cert.proto +shake256:4ee13ab3002ccc1c7a6143d26373585edcef9829006e3f6daf46f4e1aacffce7eb83d4c61f5464a62f021eb73126e855650aac16b222b0e0ea8f3d7700ce07b7 envoy/api/v2/auth/common.proto 
+shake256:fc23072cb4fe3305d96f0d2906e00ef441ca4168ebdb5e03ae90ff55de2c7f8e597049853e149378f283b87d20270e29b91205729bc4400ac8981fd9a00be0d4 envoy/api/v2/auth/secret.proto +shake256:be1ae530ce5457cf99390111b1c49a4eb22ec4c88a926c88aba17f798283648c5b8c0c19b50e82fc38ab4b86b68b2c7880ceddf200218e8e37e27f66a7825742 envoy/api/v2/auth/tls.proto +shake256:15394420cc45218d6f94c6d4d374afbfaee234bb34f5347c9e24f53351ae1d9702b2e6ee54e212c690065f5ba41e7bec67c797f9f67f66bd73a52646761ac7e4 envoy/api/v2/cds.proto +shake256:8ef3d1a78d916b9aa11b7d1ebd91dc3b8ae11e1c8e0394ace665b30f5af424efa0857fc017ffbfab8180aeda10f374129e77c0649d13897bb3550d803b904a3a envoy/api/v2/cluster.proto +shake256:dcf8ada507f8f3d3bc8e2d27b16ccce79ee4cea169bc664b7a16412816429e4833dc7cfc0c1f9cb93da2857135d9ae785ae595ec16eb2656670d3023e1976962 envoy/api/v2/cluster/circuit_breaker.proto +shake256:c42724147597e47e16d67d23c262164c30794cfb11008029b88608165ef6c28f193f3be64b16024ea38e55b684bf67fb7d1d48b57399669b85cb3be0f4c8dcaf envoy/api/v2/cluster/filter.proto +shake256:641cf1b144e9467ff3a518dcff9303974f5ffd7320833992eb1040b670492055bf51d07c3f94ad4108419964b19a320d4d17f498094df3476f0556026e729933 envoy/api/v2/cluster/outlier_detection.proto +shake256:94d83f6ef94961e92bb3c07c3cf513e755e03408f15ee290af3047f7fcd79a7a3eab72cf2cbab525312a4d58efa3d6e6510014f2df2b79762767b45a491c373c envoy/api/v2/core/address.proto +shake256:23237102de7fddb83c181d3b7bfa7d34e693bb9b414f2ac87bdde48a4ad1bd6d8fda9c26cab0e13869d1f0285f725b1d1f978ad63e310f1bd81bb110315b9e24 envoy/api/v2/core/backoff.proto +shake256:13cf2aac8defd6070f70fcd106137a8fb8cb8bf27ac53fc76c876b0dfc098faeaaa90c87fc31aa9c22ca16e576764f7bc4f6e6bb15264310ea266b3fc577d7f3 envoy/api/v2/core/base.proto +shake256:58c4a77b91b41262c7c5db6d9883ba32b83955cc7490c326a7393bc2716646af68282476e0ff4605541d9cf6049a6a9ed4bd124c45e3dc12089c4346d86b3be0 envoy/api/v2/core/config_source.proto 
+shake256:6a143f29c2c8a492b4d04bc5ab6258c80c2aef067cd0382050a6813c950ddc47c5ec763f6b797398c6a2c03be3bfba65b127be9ffcf5f07d3b6e9631c74fc2b8 envoy/api/v2/core/event_service_config.proto +shake256:488b4d588a48823ff76c9be096afec4ca1573a0fae135436a7b691494d6153759f08ba1abf8b108949b1d1b9225cf6ed4fc934bc3ee03ea0546f0e97d3732b9e envoy/api/v2/core/grpc_method_list.proto +shake256:7b95620b8d3fb3c0b67d8bc400d7d1c61492f2ce4807f75ab5f77086925eeae9b3bc1275c8568b2bef90cfb386466168be40f3f67e613cd307007a372e8fce3f envoy/api/v2/core/grpc_service.proto +shake256:8f651da5a7966d944fb75b1d3a2c245101cb3cdc4883d2d5ba9a54440a6daf5986f92460c5e8f3f439198131246891093ad1aac6f9d70a32d8ffec3834fc030e envoy/api/v2/core/health_check.proto +shake256:662c11e025424aa76f09f82c7f4f374398d62c59b823f2ef865492b54e0560edfc04b989c8e050f0b2e62d7bd764aea4374859a4fbf97f20d6adb50563c4dcf0 envoy/api/v2/core/http_uri.proto +shake256:9c4b1b16e8883e5a4ab925b8da52d27e5ae1891b5391c9416c01e8ea172a34a9786000c15d3728f031f548101d9f2c4cce42fccbfe603c7189a9504de48e0ae0 envoy/api/v2/core/protocol.proto +shake256:4183d9068d64aacc842a36e6ea35f750e7f08118e1b9a8bb9da1aeade8d4a462dc024b226489f5918511261d4e023a5e7676c05a4b91624dab490df30cb6b1c3 envoy/api/v2/core/socket_option.proto +shake256:87a9f435ecb6daab09bdd9d1615fc8883c3b1951b9dc35e5ac2421e68c749893cd1bdd266bcfb21b816e6518c09e623bd08c3a0d519129c85686fb3e7de92928 envoy/api/v2/discovery.proto +shake256:119c145cf6a5e4e18331364889c9ce3ad897293b9b5a79a0480d566f44338a6781ae5801df1f9e9675c78d6ff4ed1eb91e7f61e7dc3e075855a2ec1b6c6bc024 envoy/api/v2/eds.proto +shake256:09e85cf3be7bb8b48dedcc2f0be2729ffa3e4f8bf3a62477adaa8bbfb096b6bc54ceb3a214f0367bd1e629d27db07b389fc2051b3bc106438f1ac37f5ad8b824 envoy/api/v2/endpoint.proto +shake256:d34472c35bbf374d27edc187d7a9748623b9f315d98ceda6c98a3efd883e8d643711dba2e7def8159a04ea8d32a70a84caa1bc4701a19ac7ef412ff6c74ed474 envoy/api/v2/endpoint/endpoint.proto 
+shake256:41d9f97e89161ba8aa2a398c753b6692bed579d1abec9df50782c120410a8ccb1d382e70729486028036d5fb81aecf784a5f87a03335790b9a6843f2ea8b3fc8 envoy/api/v2/endpoint/endpoint_components.proto +shake256:b47b6d2db7d09e3059247b3620abd6dfa60be9ed18f53336f5cd0f692a8d5dc98393b20f64461bf440bd3d6dbc92794104e6c56c6021599e31b91b60ef6a66c6 envoy/api/v2/endpoint/load_report.proto +shake256:639c987ea02b03f1c4329299df8fcace9c807fcff8e1fe2c651f1f8110bb39d401c9fae511abc9e8b0c08c2c00eaf7ac6116d64fc428cb72fd116064a012b01b envoy/api/v2/lds.proto +shake256:20dcee2d61c25ab8f6ca81f5dcc45c32bfe28821c419f91a1a013a9afd0a5d2a665afadac356922af4f6fc1807ca89f75ec84703ff04ccb30c5a7479f57debd6 envoy/api/v2/listener.proto +shake256:3660a7db469f0a78a086f2c9a3ea6417ee67fad8d8f66f6df255c096780b2f9fac4058f69fafb7b31bb41371be08d49df8e4dd7cbaab57dc81faa072a0b2d961 envoy/api/v2/listener/listener.proto +shake256:01ed343576226520f26c740fd0ff17db2c90a3b40ceb767b5dac115a5ddc45da4fe8bbba5bc07cb5a5b1b1c2c4ad1b9e8bc9f9d789faa245c4b689b4ad31efa1 envoy/api/v2/listener/listener_components.proto +shake256:9eba07e2c57d6721e5c21bd25db39e433e6beb2690f19cc35e491b6ee398a21c602cc66f5c4998bc671c6c60935def6e9fdb78263ebf619a5ad9c5cd0040bf08 envoy/api/v2/listener/quic_config.proto +shake256:bce97795ccfd54cb5517de97a66f625d6358e490738a83016ad6fc352258bd265962bb5cf02c9c53e40130ef02aa0271c766682588b3bbc53c518da9ccac6d88 envoy/api/v2/listener/udp_listener_config.proto +shake256:c4f13154764837590c09419febc8778291e5de10cdca3b4acc72cda616a6e1f542e0ac7183aac0f37348c9761ac3a506fbe657432daba38469e9c6d7d9237b37 envoy/api/v2/ratelimit/ratelimit.proto +shake256:5109fdb17b9347ab1483afac5e638422b3164935fe79f691a8f371adc240c60430a85caf88385588957e3c07d1855bdc0ebb391940b6d5201e1bd3a0c9f28434 envoy/api/v2/rds.proto +shake256:0eefdba40313bb46ee9d204281aa7bebbd8e21329ebb752dbf82d29e0213e8d76d0139a50221d34977d8fcd3bda842cdbb160b55f33969256e5ecb5c59232c09 envoy/api/v2/route.proto 
+shake256:6b3fe64c7dce23224bed799cdb5162b71f9152b4020e9a002decddc9f8c366c58e21b3c03d681c643c79e78e8945fab211564ffeea0a16e5d8509b7d3d66a8bc envoy/api/v2/route/route.proto +shake256:f236b4f96272bdd8ba4cf24cf02938cb51d915589dea4bcc7a03923361f616bfc4c5ed05d63e5437f8da95a8d423c391d61907e862f445b3f23b7bec07d8ad9b envoy/api/v2/route/route_components.proto +shake256:bc9898fe8b4765b8bfc498d32721a1ed0209a5420d351825522e73c0dcdc915768c5d88eb3b25dfadb6168bbf9d2cf233620950c32f38bddc382527cefa5c259 envoy/api/v2/scoped_route.proto +shake256:6f247444f93f26c93eacb2890b7b831944c5187ebae43414dbe1455abc2b49a7f0f2d965d787b5db9a6ba585d1865add9c35b4ece5fdeeaf08bab78752d17b6e envoy/api/v2/srds.proto +shake256:11e4ff5a2c6dcb48b7d58a3d37bf0ee7cf0c9725684d856f0a0a56c7d6ad07d67478f8f8b3afce1f5634c3f18ba5497f44d902cf931e1a5d01dd78b639336889 envoy/config/accesslog/v2/als.proto +shake256:f00cdaf3138ffede9241f899df44d894016dc547bba274e945eca8d923f158d848ef208fe3271b639ef4858f8e7141ec86461af7a35259fe265fd76d9aad29bb envoy/config/accesslog/v2/file.proto +shake256:f6879fdc241bb8413bd7a7d7a11ebd2605f85f399e70444bd392d8040ed29e6d7599caa614e64bfa6c37c940606f7688b74628cf43a026a0d64b46e937b02976 envoy/config/accesslog/v3/accesslog.proto +shake256:f17fed4317d85246c5b637ab098c1ec900898a4f1a6de66bf20cc4916d91b19fbfe94b3b8008aff5898f561affb1bf7bfb244a1cc8984928c2f246ffd7b91f63 envoy/config/bootstrap/v2/bootstrap.proto +shake256:8ca3bb1223bba6ed2a5ca12a2eb40ec4e962299d1723bd841e22535a605358433510aeb8e81faf0fc23bb276f459dcfeddbe8481627829993a1d9bdc25ae48dd envoy/config/bootstrap/v3/bootstrap.proto +shake256:ef15d2b7031d8edb952315f6f4dd986f1ca0137662cbf58466fc1ae58d9daaa396a6f79be8da1c5de511dc7620c29dec56ec4a1ca9ef29c1dc24de71da2e40e0 envoy/config/cluster/aggregate/v2alpha/cluster.proto +shake256:e96c45cc69cf74ea9fa9ce48596722f01c84f8164b2c8b213a1c901973d70cd9f88a797b22b83423bd548efa3452793495f5f730f2d6c79a3cc4de88f1e23013 envoy/config/cluster/dynamic_forward_proxy/v2alpha/cluster.proto 
+shake256:f88d1d71037a70c72f39863a5a9ec8d65ded375d725b7e416d36ec233adcd670e010a8b024c755835c16899a8e4c1d00ee24eacc7bc51c778296d6c5fff1fc8a envoy/config/cluster/redis/redis_cluster.proto +shake256:10a21c816540ed52d9dd7002be5d269527d7927a5b55acff457c434c996df2ad57355f996157d4e4fdab2d6db7f1a80c5f1ce94115c3b31cdef782b5c7d26b7b envoy/config/cluster/v3/circuit_breaker.proto +shake256:19f745562070373e23d5463423482c666d5a48b31da6eacf09d376989cf8ded9f9d067027080242b21fd712aa4587504d1f823bcbd4903351459123c3800ce63 envoy/config/cluster/v3/cluster.proto +shake256:b3be2cbe299480ca14f70ab1684fec6d05045dcea3359785a5c9651036aa8c216b927a23d6107b5c1fd86b6e5bcbb204366562bc7356bb634584ddead1bc2ec0 envoy/config/cluster/v3/filter.proto +shake256:98b1c26901946bf3ffca0a0528724578ea47c176c8de0354aad5c4d2daa7a8436b3b7444741d8645c9ce01f679b1ff83a22daebb1060af8bad082193088b4242 envoy/config/cluster/v3/outlier_detection.proto +shake256:238687121388f8ec3ca6be644812aa45483557f65c5a22f97868ac71fafb3b6770a8256bc28b1f56286d959e8316227035b2606e58aa4b0fae141181f665d4f6 envoy/config/common/dynamic_forward_proxy/v2alpha/dns_cache.proto +shake256:14212536f4874aa3d72398818186611af78b88cd84497439e90174013822a27b0cbd476f0dba6d18be520d6e0969e8a2649530dc89313fdcce7272cb7317a51d envoy/config/common/key_value/v3/config.proto +shake256:36d0af392c209533e79a725e8e1999e141deed82a1769728a96465761fd5346382719b47765b4be6753777f80b1f93b214c6eb8a501d9e7431753ad8b993f136 envoy/config/common/matcher/v3/matcher.proto +shake256:175d2f7896be8a9a86b2eecf8cab4cf5c8e5c5361842335f8c607f3a1ce908a57419a79822d110b334254694bc67e6bd67dfcf0ef08de910b898a8a617eadd4f envoy/config/common/mutation_rules/v3/mutation_rules.proto +shake256:cbad07f379e55edc8e8cbefff8799dee2698ef277b0f8d68d8e4a040cccfc877d2bcd19ca008021ebbc796148d0e7bc01a5f8b6fd1a5dede10e1b1b2672f202c envoy/config/common/tap/v2alpha/common.proto 
+shake256:93e4a36d900d8a68ed3b3126513013b82a79bda7e7c244b59a7ec2bd2928b8a7912e856da9075624253437ca50cd3d862db39aae56e8f1c916d7bb35a1be0db9 envoy/config/core/v3/address.proto +shake256:fdb34f03c4ddb608eaddf33afadc37719a5844bc0f2b0a3d46acdd3a47e03766e7b0021067c67f2f0f1f55e651e0c7000b9e4d2c44aacef35c0f71b016416750 envoy/config/core/v3/backoff.proto +shake256:5e7d0238586f5b9dcb7eb825f7256694e31cd8082ebd27e23ec810b50a414434f31c6ec652e5bd7aff2d4b6f05f665de1ca58852dd9020af4e70cf1551382d7a envoy/config/core/v3/base.proto +shake256:f31af87cde6202d9e68ca042f27da6dba4d65bdeb94065ce789d59f85dda5eaddc12d4060979422f571ed9dcc382ad1d83d018238ca8b810ff91eeace4dc8123 envoy/config/core/v3/cel.proto +shake256:f3cb7e88d65a8b2d19c1255815c37f61b708887327f5b3a58fe5b6bf8c0c1607d12b7bcabf156947db5c9108c041599af9f6a25ac22d0225326cc1c4418a343d envoy/config/core/v3/config_source.proto +shake256:58094a58339d6781d0d06e48e32ce262aaf8f79448b624a9ac2792248efbd1217c6606c493ec80226069b95efd89e9fa25357a8e76afe0775ddecd40f0ad7d78 envoy/config/core/v3/event_service_config.proto +shake256:fe914c4817a48cf5e7ca7d9cabd28f99eee574396cc29419ca282b75a126126fc4a9c417fe5f702082500b0d9032586a4c7b50f4810ce34c2c1dacef2ab48663 envoy/config/core/v3/extension.proto +shake256:b8c9d6866b3e14f1e41ea50d6977325cf48575bd3a815cc36077ec0f631a69882b3d168c7ae39717b93102a3f3285dadee6d1e0c4aeb461399ea649abf8384b9 envoy/config/core/v3/grpc_method_list.proto +shake256:ce8ca31393368bbd835e656a59ab152cfb4adccc0aae45660c8faa6b27a26ea45bd38647acce9aa7fd5262919c20243a962cfc2e691ebcda0c631a03688fe76d envoy/config/core/v3/grpc_service.proto +shake256:6a4880727a18c76c27422fb04451cb0c08cb6acc712b2ba3b3a68c81cb00feb401d2d4f8d666cbaaa787331838d3b8b8a9cf3a0ec609f9cb00c9f97574edae2a envoy/config/core/v3/health_check.proto +shake256:e72a9109cba19d603c43c8a5e7505dc1d710e9a8f79b135190c7e50e570b728df279d903f13f5c6aa5149f562f613fdad442aa327466650443ad43baf747fb2e envoy/config/core/v3/http_service.proto 
+shake256:ee0b0b1aeb239c4327f288f4b00507172a97cfcf5449c12d9abe4ee71a07534c6f80578568b0a445a6818604a3cb44e3cf640f66dee9fb212dff8e31de9f3309 envoy/config/core/v3/http_uri.proto +shake256:996a34816af91109a4fac98e114e7c5640f583ca8f46be8567f654ca73c42d77fd53ad3f069872ecf94e5cb968d826f17381445d38c68e84f1ad91118b3baab7 envoy/config/core/v3/protocol.proto +shake256:ffd5b6efba152ae8c135ff89f8c569e21f584379f1047a3dba7e53bbcd62880dc8e0ab883ae66bd8dc69d665a58affa6a2c29dd376fc21da66b09a0194d50b59 envoy/config/core/v3/proxy_protocol.proto +shake256:8dc2e42d6be6f5e608487cc7a5cfd89670edc9a21be4ece3bbff666939f36a2ec7d18283cfa43007557e10e59a603e9844d8e76ce528e51e5d7b79fbfdd041b5 envoy/config/core/v3/resolver.proto +shake256:600c407b3baecc7213d993c5b2c76748c396b7c197de79b94e12427201633d5c5e900dcf1fb3de264dd4ae90c615c8c01194f43d690381f2c79d7604acefc098 envoy/config/core/v3/socket_cmsg_headers.proto +shake256:54fb8bdc367e04a2b306de2e85bcca91f79ee21802d963ea46a5761a344e3db3666600f3c860fe7c18052aae3141b4dcb14e9449e83adb08036e8b2e5848658b envoy/config/core/v3/socket_option.proto +shake256:2ecc944e590837c4b221e72959420b145d0ef24fb8ac4534355cdb0bd6bd6c333093baf209e5d4c933a386cdec5e48e5f7c07859d329b518f937a371e92eb0bb envoy/config/core/v3/substitution_format_string.proto +shake256:ca4da0953d0209d8c791e9d9eb1910c2d2e577a467348e4986a8c3c341db38e52516a7bf6dc4815ea0e8d1ba7566e314e50c89f3d33ee217b19335939b1142d1 envoy/config/core/v3/udp_socket_config.proto +shake256:f21f75567e86558fb38afe39c448339f1a5363d8add311ce8117e6d4ae8cb8c0eb37c8116636004203da6420eb226ee8b142e9306441cce1be69a0475febaa53 envoy/config/endpoint/v3/endpoint.proto +shake256:303fb1667359e27d6ec2aece183975387269521eaf32a9092183560a0cfb88c72976ad820c8d3c2dedbdb1821ad3bf90ed231d827343295779098a0905026cfc envoy/config/endpoint/v3/endpoint_components.proto +shake256:37544485154fc1be701779188515c219db0415ee12110f40fd75e51cf5ac61275914ac75f9c349c711215d45c2a1a525cd589738d1f2d119aa56ee3aec2a234a envoy/config/endpoint/v3/load_report.proto 
+shake256:2d64307e37f83d7f3d7d7702252ae62811016f56644599787a12e0d59c2a414e6454f8518fad20079a195415d543f1c8532615056f5d1aa58f39d38d0713c509 envoy/config/filter/accesslog/v2/accesslog.proto +shake256:2e04814e594b2f7b966528e191ec9c9d7eee8b81ee070f8f1ce057829aca88bb877666a67534989dd0fc653c86109caf2113d38b5276a9a4ec710e30b303c37e envoy/config/filter/dubbo/router/v2alpha1/router.proto +shake256:cb4a510b6cc2d26c941134827154e1d4f9142add0d92470d7de710bbbf26dfe696eba02d256d97e93c874a4eb3f8ea4215cc1f99a4b478085d044dc27f8f6faa envoy/config/filter/fault/v2/fault.proto +shake256:870cdd98267a9028f41edcbaf811fa8ffa62cf8a09f06386769c7dd46b9e43c7496184fc551ee23dd43e3c37bb87405d599634a0096053d90a5eadbab9c0ef15 envoy/config/filter/http/adaptive_concurrency/v2alpha/adaptive_concurrency.proto +shake256:307f7ba037584aa60c116ab81bdebfc57f955fe2aeab90f71ad08afda92d14cc5ec93bc180e5e026ffb1372f42c9ab610d1238dbd0aba4e0a7fa13b588834a61 envoy/config/filter/http/aws_lambda/v2alpha/aws_lambda.proto +shake256:7837e63e24ef6969166ad19d00d825827ab4f33cd2cdc1d314cdf307130aa4f99642be1490b27f395aa030de57e0620e50436fb4b2915238a943134fdf1e0a03 envoy/config/filter/http/aws_request_signing/v2alpha/aws_request_signing.proto +shake256:993900853d6c5b14b2778802dab83b56056d0a8862cc00fb7ae981f249f037aaae42ec53eeb447275152a83a9825a562c2dacc8391b9550e260f651155e0c700 envoy/config/filter/http/buffer/v2/buffer.proto +shake256:e17bffb8959f0ebd69a5f76aa1fecc5c149a52c8883315499788cd3832aad4a9ab4028aab401d10cd12a54c618ee48e1865a8b7dadf9b174545bda38ade11fd8 envoy/config/filter/http/cache/v2alpha/cache.proto +shake256:366ce40fc1609240c011e89743df49698f53243e673279cfe6df1a3fb5011ec1681a7153670b5a03b401718f26686bf96000094f7c0360e3284754440749c517 envoy/config/filter/http/compressor/v2/compressor.proto +shake256:7edf20c50b174033cef65e0b7546ea572a3f5306bd0106fd30eacc18a82efce49ad9d30f6c39577f36b97b373b281c4048cef86d5ea4bba5075fd2b29c8e1cb0 envoy/config/filter/http/cors/v2/cors.proto 
+shake256:bb31e2ef037ee26af526662fce06b264b2e166f742ec9f32bf113dba81df5e2a76f033db03d23df77f4417593994502508fcd2512f1dd95928b84969a3ce802d envoy/config/filter/http/csrf/v2/csrf.proto +shake256:1d9282eae617b10bf59dcb7633be402cb61cbbac9285c9e5677218f48bba048a73f459d28ec8b2b7384de99a8281f61fb58c4227dc250b97363860cdd168044e envoy/config/filter/http/dynamic_forward_proxy/v2alpha/dynamic_forward_proxy.proto +shake256:76db280e6229da9e4ae842fc296ba18cd72a9e803c045380a7353ee6f765cb69f4c129b559c22ffe920c7f2437f0404a61ec0108681051b0321fba07f894dbe1 envoy/config/filter/http/dynamo/v2/dynamo.proto +shake256:597e702de8f7a40d1fd9744bacce3076dec835378127af4c19e336e480332c0f27da7e4d5b76ae77f160bc3b5088d54e71e5e65016c97735b1c2eecb511d62df envoy/config/filter/http/ext_authz/v2/ext_authz.proto +shake256:d1b6d7c97efce1de7fccb2ba0472bdf62a20f4d0a716450549b03a3dbf405c4a1592385d7195b629ba43336a6649161e832933f3df2fc193aca16cb06d6b60e2 envoy/config/filter/http/fault/v2/fault.proto +shake256:050055233ed4396d983d99b84e8f6a5c3b0d77c80f7607ab28848156b18e268b57419282cb21d44a877ee43ebb3ba95ccdab886fa861a581e51daa3582ac815c envoy/config/filter/http/grpc_http1_bridge/v2/config.proto +shake256:28e5bedd6b62b170f46454d53864405335b83e56699060794d6b2fd6c41215ec056e13dc69726bf576eb2cc4e5e0ab3ea97b29d31b82bd343bc3715ff3093482 envoy/config/filter/http/grpc_http1_reverse_bridge/v2alpha1/config.proto +shake256:3d7cf31ebca862e3f338116034e2e553a3bb02d824e5c60d36dc16329c8c89d4f983388a6701ff5f28f2836c7504ae8dc4a547c750e61fa2b2ec804d7afdd172 envoy/config/filter/http/grpc_stats/v2alpha/config.proto +shake256:4451c917e256788daea0ace8618859b6d92078cb0f4a521c5f37aff6c1f65c643570375af579af06088bdf134b5d478df3300d0ec1c8499f4675ebe3701c22a8 envoy/config/filter/http/grpc_web/v2/grpc_web.proto +shake256:955bd5acf952e1c646307d585ebff1ddb4b9e12a7c211cdbd18683f9c5ec86bef360d6d501c919cf23307575a4e52bb7e1d8269a6bc13a0895d465067ebc542f envoy/config/filter/http/gzip/v2/gzip.proto 
+shake256:59e8e289a11351075573f2ddd7a37db76634c8948ed3e6ce6700086fb333c2c5fbb699c32a2a8a953fff83e601c78cd07e1c190b1656fc54c96e580f4a07d2f3 envoy/config/filter/http/header_to_metadata/v2/header_to_metadata.proto +shake256:42d4431a3ab45ef6f56608563c40c650ee96b48e840109bc81b72ace5ee088e1730cc8311942f17c3c7f840401ac795527f37011fa0f8baaa71862f1df4ea3f6 envoy/config/filter/http/health_check/v2/health_check.proto +shake256:7d100ed17b8aa3d24e851dd599ee8265010a64ead4583270004dd1e4119a3347a12ebf54b3bb1d46e82a082739adae9563d6d4a95fae0d72082c49aaecd651e1 envoy/config/filter/http/ip_tagging/v2/ip_tagging.proto +shake256:0e52935864306aaffb1aed4a1ceadb85c9d2faa05d1b85f6ca28f4f2f1c5905d8c1bc3d2e82b784d6b4afa6ac8915fa84e35a5d8b5d61bd1d15162c27795ad38 envoy/config/filter/http/jwt_authn/v2alpha/config.proto +shake256:c0905fa961a0b2650e460950ea69a761bbaecb36f3275501e2af3eab849a118859552ffc25fed71acee9467d821644cf8bc0f63b4b03898cbd409bcf542a0438 envoy/config/filter/http/lua/v2/lua.proto +shake256:ade55f48104a52c6a1a07a69eac9362734ca4d1b2b5b388a723770ac870d9f41aa87a698fddeec5fa5b807e6f3af6cb27bc1306d0c037f2ec16a6316ad9c46e0 envoy/config/filter/http/on_demand/v2/on_demand.proto +shake256:c2ad802957739a45a3aa91759fd5d695873aee61068f8a038f052062057a991d5df8c42940a6f18c158e605702188ce8ecbe8c8fabd108597fb4d153a361b516 envoy/config/filter/http/original_src/v2alpha1/original_src.proto +shake256:7a9da6e3d21b951381677149a4ab86cf91c36da9941460b9f0a5779756a8e8420771414f1a7f8ecdd9d11711e96641c5a513783fd73ec32ebcb78e39a20f6bca envoy/config/filter/http/rate_limit/v2/rate_limit.proto +shake256:f3a1c6647ae372e0b96759e4a81c6a0d3b200e3065f30bd68f53afc8196dcc5e5506bc3e1b87b7fa9f55c6300c2f74202ac6c693558d5b9e129ec356dea99418 envoy/config/filter/http/rbac/v2/rbac.proto +shake256:413fe9d15a14a89a22ce071bc25638552237e23446df0a201ecc174cdbc01b002d0f1214f9229a7189b649d26bd1a074b2ec14a59ba5c883654be8028f79bb03 envoy/config/filter/http/router/v2/router.proto 
+shake256:b6c5109ebaba66d44558c5b42cbdf0b7a2415bcd33350fa1b3bd87bfb79a57a1cbc1c53b745b3f15d2ae8296185973aef15bc6c35651f054f8f14270c6836fc2 envoy/config/filter/http/squash/v2/squash.proto +shake256:396fb5d3083f51ee0c11021b3c8f12795daa40f767de6ca35259c02710fda3e074777e53b4aeb6d1c0f2df8d12d82e54b211a2bb68260914de7e99176a941cda envoy/config/filter/http/tap/v2alpha/tap.proto +shake256:5b8b39f989d4085aec086bad0adde86332f122d5a7039bd417971ebad896c6b0d3f954ef2cf20f2db3e144fad5faa647fcc4f780855c73610a476ec2ff8479a2 envoy/config/filter/http/transcoder/v2/transcoder.proto +shake256:0d6c3b6012f347a164577edd8719c672791fcf42bfaae8801ea78358f1810948ce8e96f160bb7c0cae6d31e599072b15b7765efbea24b4b66171f654132dea3f envoy/config/filter/listener/http_inspector/v2/http_inspector.proto +shake256:ad9a5ebe5ad5dfbcd7cb9ca60512f309b7977f3e799916f203d16a0e5ffcea17ad6f6754e1dc0b1790b4b310c620f7f7b299a666165b6226d8b11e0411b26db8 envoy/config/filter/listener/original_dst/v2/original_dst.proto +shake256:f0f087b21bf93903c09469582f75f567815ea9e61a60fc696a800d3dc9a715a2f1c6bdc46d254add4deae2b7e099458754cb6e00b2875068d967cc884bfe4177 envoy/config/filter/listener/original_src/v2alpha1/original_src.proto +shake256:e87549581f5c86532b2bb5f98f7b36174de46c3f06eccd5450f7de62d009ed796d271943f8dd097ee97470a9a21f56737ba0619f4abf6ec72e314a4a6ae45c8a envoy/config/filter/listener/proxy_protocol/v2/proxy_protocol.proto +shake256:22f6d98be5ea471289b31b871ecef036632bb6db471a2cab6b7e5ccc11567a3722f8c1bbdb79e3aa74b23bc5d96330b097749d9010e73b180e9d491fb3075c6a envoy/config/filter/listener/tls_inspector/v2/tls_inspector.proto +shake256:1456550bea1922225a08a3b31c07d216ace78840dcd333d7c0fe202643b55c8e743b644b97f817c70558dccd760ff621289bc20582d521c090b5107d1f7f9465 envoy/config/filter/network/client_ssl_auth/v2/client_ssl_auth.proto +shake256:0df0940ecb3b653bbafe1ecba3506cce4b15d0da8ffa99591acc62b6ccab803fcb096cb468891b5b60c8f02ebec00737a2585e8bceb1103ca27dcc2f0466d298 
envoy/config/filter/network/direct_response/v2/config.proto +shake256:dbdd276342dcc3634ad05a1a440099992ab5f3d122e4a02a51e5103115f672650aeec58af6f49fe03891c63199c1bd778621adbaced888d4199bd89a81536efa envoy/config/filter/network/dubbo_proxy/v2alpha1/dubbo_proxy.proto +shake256:1d6d4703df00e15becb0f3482904cb9d9e2b3275958478c0e947f213e3169da8c5cb19f71177337529ca7090f67e44ba8f7db0fcc81c71d2e23bb608f381ad5c envoy/config/filter/network/dubbo_proxy/v2alpha1/route.proto +shake256:02b5ec1c189f640a9f3544ae58b6f6eaf99c995f91290b44d4ec279f7faae01cc6672478f67603eff54dba99efba1ae5b6850f76428a08d2247c4c777b4f0f67 envoy/config/filter/network/echo/v2/echo.proto +shake256:f620691491093a0c4deeaa76d679ab9e08733bcfd5782d01e22d3f013326b9af64dc0dc85abe8968d7da59730c5f6f597ea9c7c0153724077af9c22762e553b2 envoy/config/filter/network/ext_authz/v2/ext_authz.proto +shake256:a7f813dbdfaadb034a6a7332b0255a0e3b22c62a143f04961312762d3abbf1f55bead00e1df978bdd79ea16c8d90d7c6fd485b60367217391e39ec5aab637b2b envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto +shake256:c287f1093bd60b0ed243f40f69dc868a8856f31b36cc3f44790c0ed62e24c23fee9046ff0c55512f5fdbabd3f7fb89ca60d13a90ae0e1595189e5f2ef03febb1 envoy/config/filter/network/kafka_broker/v2alpha1/kafka_broker.proto +shake256:35476c557e6f472b50de17f81ba0acb566e934ae8a1f6b074e5516c797bd9737ae81a44a553af1702b2a29b7a60d41a815abff0fbc960ec4032dcbe7dd0dafa7 envoy/config/filter/network/local_rate_limit/v2alpha/local_rate_limit.proto +shake256:ff5bdb82fe17ffc5e034384ede8f7be5ba4dda6b7aedcf79e3e2a6ceb15253b2e7468944000118b6a8825aeeac97437f5850ac702a6bd2fd4f8e007050588c87 envoy/config/filter/network/mongo_proxy/v2/mongo_proxy.proto +shake256:6358160a2bb957573173e82b28b78768815df7674e3b755e2d73b28926aae148219181fc7a728fab85a0bf9046ff8a3148fe266630fbd6213583b61f093fc1a1 envoy/config/filter/network/mysql_proxy/v1alpha1/mysql_proxy.proto 
+shake256:f7871c4be8c05a913f14222ad951bcae6adbcbb8c06e1054d04fa726ceaddd4b9662bbabca46863b0662a800f07ac5e0d7cd8259e427f179e43410e12261344d envoy/config/filter/network/rate_limit/v2/rate_limit.proto +shake256:28d44c0675c62529d36fe6cdca9b6195cfbd79c0a28c5214e7b1a8dcea07098639385ffb8707a569ae7c073d72731511c48aac49d157181cddabe721617eba51 envoy/config/filter/network/rbac/v2/rbac.proto +shake256:20013e3fa4f7dcbfac0a112706f65603465c3a2690347a5d73a5c51186306f65fa335620753d5df37e40867dba5262c848e91983488a492d4df6cdc5834665ef envoy/config/filter/network/redis_proxy/v2/redis_proxy.proto +shake256:8b1bc807c6c7bcc0ce1eabeb73492054766baa72cc282d9586fe31dbcfd605a585eb4663bbaac2569d92883ca51fc185951739cd61c41cbec0e419a00b966fc6 envoy/config/filter/network/sni_cluster/v2/sni_cluster.proto +shake256:dc8c92bc94f230e7fea77366937e8f7434fe3e1eceaf1fa39efceafbf3abc462d24bb1b9e666e0871d03737ed493c13e617c3d155ab739b072f3de16dc953559 envoy/config/filter/network/tcp_proxy/v2/tcp_proxy.proto +shake256:82e6c06843d291a8b5709eb695063c78c7ae1d2c1a2b8b2292223305dda4428b1e7eaafb5f306c7eb15dfad1235e60003c253f7a6a5d2e60beec891f23e97338 envoy/config/filter/network/thrift_proxy/v2alpha1/route.proto +shake256:114b21fa77aecb64aca3aab1c3b7d53bc1e7066340c773705815ab4fde30388db17f015ce9522572c3dff389942faa04205440f7969a11cdeea4a23af2f1aee2 envoy/config/filter/network/thrift_proxy/v2alpha1/thrift_proxy.proto +shake256:6cbf64dd0d1c15d6e2c93f4e4afde9f5d7f451654331fae4b02c921606f00f23cfb0caa36f2f06fb9f2ccb0d9f234fa0cbf03ca0a874b0a3bba922b4505e2312 envoy/config/filter/network/zookeeper_proxy/v1alpha1/zookeeper_proxy.proto +shake256:da300993632e7361d6ee03a7662b0e6acc5892e7e07fa8520bc17cf2522385532cc563b364cbc8273fb73bc03531b346ac43f230b753ac137f2dc7fc42168a84 envoy/config/filter/thrift/rate_limit/v2alpha1/rate_limit.proto +shake256:1d3dcf44a5b9aa1d72644ce5fd320c750dd4602cf38fe13a84ded28c71f96b18495917e56a5dc5393891f71bca3694625259f5406be8d534af8b4011b82c7927 
envoy/config/filter/thrift/router/v2alpha1/router.proto +shake256:8b64c01228242819c686d8298bcc8cd5a0009f46172bb1160a0b504fcd9887a1d1a16f18f601186ba23509ca27d5fab13dc3ab4dcab7fe5d0ec5afec73a3279a envoy/config/filter/udp/udp_proxy/v2alpha/udp_proxy.proto +shake256:9c1bb39ce93f4f855fe268b2e6d4d54dd73bb2542292e0b86bfaf165d3e675e4d064899b0acc06993e0d58336f3260c16e2c1543dd72e9e0428a0b3c36495e45 envoy/config/grpc_credential/v2alpha/aws_iam.proto +shake256:ccd04514495a977770d0f97b6e366907b20b06daf79b935cea836ac8127e59a5a62116085c4a412751562cddd709808ff87781d7bab9e2f659e563b827dba353 envoy/config/grpc_credential/v2alpha/file_based_metadata.proto +shake256:3f8a8ff682430a9deb7aed8aba00fb69ba6696e62ae7161963ca11e80e4195db0bb9d0efca69da4ba67e9cd62fbce30ae0450144bf3e8d905d90e2eb2418ce59 envoy/config/grpc_credential/v3/file_based_metadata.proto +shake256:8913cce18ff3029b4361fe7cd0af29f512b44f31cff11c45f213873000f5e246f5376640a4df5818b9e9b1b296e5790a53909f4f50434154ea12b001fb180f29 envoy/config/health_checker/redis/v2/redis.proto +shake256:55c7c15b14acd86d816cfec4ac71c775f41c28059fa30449b2b636141bf6acaa769751f331d3fa8c2deed0c1c4a5b493d412761f638768fdab99fd08467afe2a envoy/config/listener/v2/api_listener.proto +shake256:047590d1b4f17739e8b57fd51ef0a1595e76358171b4470db6d058ef045fe31b4dbfcefd8aff4d8fd8fa861fa235a90e00ae867bfd65a78887dff4d08863e0a8 envoy/config/listener/v3/api_listener.proto +shake256:bd93ad0724db9b3840188ee614b6a8fe094dacba594e4d989cc33169c3b9ac373fd95ce9c201089b70bdd91a9a9fdd1bea3d2140f524eb8156273e1716684621 envoy/config/listener/v3/listener.proto +shake256:70cc88d4aa127a44d8c9f07ff539b0df74e22f68798bad5d4fe6c2204d9291015b7d8ba081b581e7f84d6762c72c7c9a4c4cbf948fc1a9a0a197e665a683c2bb envoy/config/listener/v3/listener_components.proto +shake256:270a2e5b4b151c02c49ec87874d7fa8a2e2dddef86063a6fea58695044f1972043a9392d7d450a75981dccc38b43da984d68aa9a2c4530afdd9c538c095c8fd9 envoy/config/listener/v3/quic_config.proto 
+shake256:1d22bc9a3a0507d33d49885136fbee5c011fd5f74ac1f9ef105c7bca44d0ac9159452d54b8b559e428b8ccf83bfd7870911823678b5a38f44eb2ae1f3c8b1b1a envoy/config/listener/v3/udp_listener_config.proto +shake256:4f66defabea04b57f142cab999dd99555839e1eafd08aeda613bf09565089d4526163edcbd8b645798cc030da7731b4ab9e4c1c69fa9b9f5f4566d11d873cf4f envoy/config/metrics/v2/metrics_service.proto +shake256:381b65015b4dcf88a0b952cc9a87e083818051fa779f8cb7cd45ce92cbd24ca51f4a898bd4d35651962428db7cfcc23bd6203666402466a5aba58caeb3a8ff2c envoy/config/metrics/v2/stats.proto +shake256:da3d8f11bc83acc05f23de19e6eb9192dc8c0a438d35b3fdfd0a96eccc0e50fa5a0854b023ada3335d3ad65ecbbb3d4b9130cf8c7827880a339beb089451b51f envoy/config/metrics/v3/metrics_service.proto +shake256:56d8ee2a04129ea5371264bb7dc739ee4d45d1cb87be72d92e5e54cee26576222fd08d38538b750ce610516e2abd4c2b0a98e14d55ef73cfdf0b823adc7befcb envoy/config/metrics/v3/stats.proto +shake256:00f5305f959618a910e0ffdf75afc0666c5217d86f64db2377b7e5c4c742cdbcbfa572a791db73ac3c4c5c37d3b3b41234c36a4b4b313e6a0bab8a48a4dba3ef envoy/config/overload/v2alpha/overload.proto +shake256:e2127d379ca4b3095227bfca37afce4626c1f19c0f12fb5750cb96e102ad44a4b69ef87a9ffe1871025355f89b4c2a4ac2c099ff53da65237672a923c2625006 envoy/config/overload/v3/overload.proto +shake256:89a239eff6cea2da4775f5ba8245b06aa675dd8c55d466537de4c17dca74965a54425b365da798ac31cc2165f497274457cfc8d607fa7872686d0d85b221b4e3 envoy/config/ratelimit/v2/rls.proto +shake256:56a59a28387e09e6e782cbfc68daad166335b3c6de22b367d07981a1d85683405ca5598aff8f3512d781af14e855332eff88cf76472616f7120807bb60ce988e envoy/config/ratelimit/v3/rls.proto +shake256:2ffedca49b310f8130941f9e8de30c1b55f5cc5fcf2adde9db1f041a4fa654fe07c76505d15632304475f0004e9483b3dcc6896d6d7438e21f188c5457fa4c62 envoy/config/rbac/v2/rbac.proto +shake256:a5b9356c8ef2aa3c78941be61e47dbf667813c0a9d73f36aa221543f88d82f7e2e3ee366d2bc81f86874832629ed25e92ada0afa531e8273e930bc46ca4ba02a envoy/config/rbac/v3/rbac.proto 
+shake256:9d482847cac75e699a0121874df7d06db534dcd9267f6d756691929550a8bf1c2ea73d85eae8ad873e0e7fc27872d06f07402ae8ea3b6163df3d4803b23b5666 envoy/config/resource_monitor/fixed_heap/v2alpha/fixed_heap.proto
+shake256:d54077cd2998eb60031387346af05ebbccc9fe88e3b0d6f8d4a6b15ffc3f065b0741f42761ce9c3e6cd8d922ae67eb922c155f5490f0a2684923b0c70b1a09e2 envoy/config/resource_monitor/injected_resource/v2alpha/injected_resource.proto
+shake256:864a6dbb71a9dc13b1f4724b7cf798208ab247d5eb4c51a3067fd7bad1e7c871c8c0a0c6cbd753462f43cd911f535756d23e24809848f4fdcce86ce58ff8c4f2 envoy/config/retry/omit_canary_hosts/v2/omit_canary_hosts.proto
+shake256:42fcafbdb4d49cb14673cc7e2f1d4d12320d5df4f9ad5ef96398ee7aeaa0d731fc5e7fa8ed0c6d8eb7153f89b5eee8512eb94bde1c9ab42b91fb322140e07e21 envoy/config/retry/omit_host_metadata/v2/omit_host_metadata_config.proto
+shake256:33f92a4028d3695fd5acb12636463b5d3217fe99aeecad27aa46c9888347f193c9f8b1c71559d8d3e999eb32785de600478db13e2128f559c3dbdecc44c766af envoy/config/retry/previous_hosts/v2/previous_hosts.proto
+shake256:9db8237cbf8f7d69fb0ef897855f00e1b6a6517fba00f5972df3495948cc66c9a15270099b5aa7c6334d373514f1a9a30af239da352a3a6f718cf24ba7ddd6d5 envoy/config/retry/previous_priorities/previous_priorities_config.proto
+shake256:9e8d88f559a8724f64cdb259bb06d5d79dcc40430a2c190ceb6be8ad2bc989409748fc5f4d6d1b6f2dfd1deeb4804b13568d2a664d74554b431480d5a275535b envoy/config/route/v3/route.proto
+shake256:51ab5857cad263ce58c510f0da0b06eee859677c39da016d6924a2c56a8fdc49e9b07c646d8b2dd518859f467be85aa333c8640fe604e65bbacad6e5cef0ded6 envoy/config/route/v3/route_components.proto
+shake256:134c73bfd73b81e521e4e18e6627c1c251e27f3df44ff846832d1330a018176583c0d9dd25711b5f2575b7ead00bc1c74fe14a198c49e2ea50a1ac3139c9249f envoy/config/route/v3/scoped_route.proto
+shake256:9c87eab6e7c8b5285888a411d17ac8325dce79b086da2ec31ba0ad1c1df5d9d37b3fc81fd4eb02d6b2b05051b189ea07e764463fb09c3c9e28473b931349a610 envoy/config/tap/v3/common.proto
+shake256:44907bc9d2d03cc048d930b0a78bb6b72b4f353bc9f3a6524f2e93f0a47a2c7234c8299bdc989927d0ca64c593732557bab2d80f47b0c0fca3cdb2d87cc8eace envoy/config/trace/v2/datadog.proto
+shake256:bef0bd256ae2d3261475815ec6187b5e852b6a0178d5e9927f526da8ee5d7ef61f4de2639f5ea3511093bde05515b62392becb83ed98f669f3e9a3baeacf203b envoy/config/trace/v2/dynamic_ot.proto
+shake256:4637407c3a7a724268ec49ee0bee774f940f60c54d7e13838a12ea9c6115fb34ed56fa20c31ab972a2c9d022616784038e940d2f40c43c0fbb3b85bc9f53bf36 envoy/config/trace/v2/http_tracer.proto
+shake256:e86033f3fbb58c172f8fc1a5111f060e09aee3d58d1454955a7d8262422de2a4f1a692456696aa46aae0389f4106738412ed50d067815e30b00106fcc7061006 envoy/config/trace/v2/lightstep.proto
+shake256:69abf1db7b6b8ab228edfcca9b0e46831ab9b9374979e609a86bf2204df09d906b33279905bd04d9ff62d4f02c94a3a9dbedb042ba6e3dd96f46db72e5c9f67f envoy/config/trace/v2/service.proto
+shake256:db7a4656ca79bb7a54e54e6c6d0c7fe39871f6333f32084aceb29823252bc2bca6090d1f79bebf9c0d2cc9517cb9bbf730003164fe278bdb8777765738320a14 envoy/config/trace/v2/trace.proto
+shake256:57cd057a541105aa9f9188ce8135599b752cc1297823951edccf8bf4ad7aa45ce5493f923c7073738d524e9a585090ade1b83f75b6e103ced1dbacb7f8e89a12 envoy/config/trace/v2/zipkin.proto
+shake256:14278856f8d450a326b53fd4bf1e136132131664538b2e6d56cdb2c0964c4141c959c1ab0670f6dc53cf84341f3450cd02cdf9fcc0086883648b642648298cda envoy/config/trace/v2alpha/xray.proto
+shake256:8d3b5af6ae067de523ffd978d48c5d5426c091552276b300c62c4b2e4903bdc33b1b1b3245cf23056875ccb4d744b676cf7e23f2cfa5aa1d0381458174a21ff2 envoy/config/trace/v3/datadog.proto
+shake256:6b579882c08e28fb21fd011c98212afc0edefafa702dd6bfb7545c79d105ae3b5abb8d150246aab75c67f9043c1c7a697b71da38dfa012fe52eab5cb93b477da envoy/config/trace/v3/dynamic_ot.proto
+shake256:1125570b23390d44e86ae7a592edeefeafce7821b5281748cf452660d73c20022ce1b3ca8cce1e364209a201b57ff3d5cf75b69be828572475720122be764cdb envoy/config/trace/v3/http_tracer.proto
+shake256:a4e359032b0711c7e2ec3dac5bdeb45b4910d590096d1f16ee559bb9210b0c94ab61c3e86dc9f85c6c2320f3769cfb97fdcb5d111af3350ac291c53343587c53 envoy/config/trace/v3/lightstep.proto
+shake256:5c63a5548079a410d3c40d11a8761f5472beab03ad573a41f061872a8b2f32e4b33a361cbecc54cc472e3bc35072cf299dde525736aa5303bfefa5d7f73d7360 envoy/config/trace/v3/opentelemetry.proto
+shake256:c0071ad84f5e61f0075857b2635f283e4e8e62ca3b9c25e0a7a7fa88ef9ce8ffe243002a5633389ea76f772d1a3d9e44a0a385da9c80aa7880f19f2119764421 envoy/config/trace/v3/service.proto
+shake256:a457e40b626a98e1714ca795c0f4c1e56c9efefef26b15b62dc0f1978e957de8e3b99f2a862f7b4fd88fafee15e50189af04cfd3c8b2bd8539a0bf0c9a221a74 envoy/config/trace/v3/skywalking.proto
+shake256:d0205fe3c89d1f582db76034f79b0ffc035a8bd2c0d6c1b2fa0a080c9836e3fc69ec5c01d2ff82fdb53d52c27ff9e55f424535eb83b118a5bfc4b96654d41f17 envoy/config/trace/v3/trace.proto
+shake256:719e4642cbe678ecafd1338699e9535aa6d448bc97ffed191fd59263dd37ee9fc432d7b7b9f7dd2303b1f4eb87416a237ce1d6b76f8a3321fa253e0167ff6a7b envoy/config/trace/v3/xray.proto
+shake256:47d7103d97ef0773986433d778f581ee7bf18610bca4308a1ecd757eb83a544df959c45b814cbeaeeae68a6601533e89d40b5581f0fa40e98394bdd4c94ea867 envoy/config/trace/v3/zipkin.proto
+shake256:72b952cd7788414d2b15680e550320cacb9c2b05f41eebd366a352bf9a8a196bd13dfb37ae05c61d1dce10e3c20db7da9e08647cf1c021dbc040a06b7796f313 envoy/config/transport_socket/alts/v2alpha/alts.proto
+shake256:791160950506e2699fca23d4f0a0064aae30c3d30ce6573ede6cdc993b7eec4c118ebfc80850b5dfe907cc8a2af039898741cb25a3b02fc1509e793c9c1c989e envoy/config/transport_socket/raw_buffer/v2/raw_buffer.proto
+shake256:d3a0e662e7812372f28a70493a537c01d08628928062da79a6e328e19dd3d40c8376cf811c14decde7bad578a0123f3439be78c6665a1310d6ea3162a55ef556 envoy/config/transport_socket/tap/v2alpha/tap.proto
+shake256:a384da635a4197c3cf8ac48f23e764ede9767970455bd7cf1323a18593efc4508198480c9d1cb36278c210d82d519b6e7822a569fd502eff74509802974dbae5
envoy/config/upstream/local_address_selector/v3/default_local_address_selector.proto
+shake256:d7f5be3b0700a9aca56b8103381e2b6c492798c086fc2169808c5b6f57798d6f5e9ed0b2eccf7c2137aec6611a5c7e4e20bb7878bb80cc171fbd2ff0dd39f798 envoy/data/accesslog/v2/accesslog.proto
+shake256:7188953c02eed213b986a7f1de8c311441e9e42cfdf01a9d8490667fd71c550d968527bc20be8592bbfc728c874f0dd998dfa3743c8adcdc04b8827b7bacd010 envoy/data/accesslog/v3/accesslog.proto
+shake256:678006c89c679ff2bbec15ea088af73a37958d828750a0a760ce561b0ceeab7fddaff1db91bc9abd58c64896a613149eec677169bea9bf49e2cca9a357b2e834 envoy/data/cluster/v2alpha/outlier_detection_event.proto
+shake256:ee04b813c98e80ddfffbb24402adc26ea381b319e15c9c311ee9c718d4db80ad89ecabdf4ed455aa025a8a31f8c05a9508cbc69046e6ed48c78fe05d8b17914d envoy/data/cluster/v3/outlier_detection_event.proto
+shake256:4949c45e24893b84cd2159ff9bd7abb5493facd0418def75117e1e512d142a8fef8e73e7b2a314621997df36441ccfd9b41d02ffeb114bc1b688940a56cba2f2 envoy/data/core/v2alpha/health_check_event.proto
+shake256:5074d5c9185ae449c6d77e0cbf47b96a8d6f16c693196e1cce340dfeeb78efe9e49a8244d06097aa1c473d6db063d2dec759eacebe84e80d757794d53c36f6f7 envoy/data/core/v3/health_check_event.proto
+shake256:688fce59f3ffa1578320bdf4c261ed966f3cd468c076768aa0c5ec3b470978850bc3a353fed1e88b648366e52555c0c2c6f85d659ba7438a58d552376ba4c89d envoy/data/core/v3/tlv_metadata.proto
+shake256:0ddbf0a812e2cdbfa67cffe6f295dddfe3ff1b67fafe2b189dbe56b794f198ea795af6f704b0106867702bf8ae60b1fb641eea702dafeed356514f56ea1ab8f6 envoy/data/dns/v2alpha/dns_table.proto
+shake256:25c641eb9d2005b702048207b9e492e3498ce1c42c53954c645389fdc9d276ff97fb1cb63e06d61204c9ebe695fda0d55561d4f608d5b4903ba267d8d7553b2c envoy/data/dns/v3/dns_table.proto
+shake256:65f89ef9986261b3a954ceeefd67a70ffd83ecf80fc8e50dab782d1ab212295a7625c96b56f9d277bd1ab96bbeb2c12525b74a32bcdbc2b09d541a86b7dae7c3 envoy/data/tap/v2alpha/common.proto
+shake256:61cde86c7ef95ebe901410b910bf31fc2d0be253300932e44cb3b97a83437127df5c47e3c659e0f27220f44a74e10e2c8682386ba61e4e86f7465fa2f2227f46 envoy/data/tap/v2alpha/http.proto
+shake256:53a01b2346d8821a23d0d7aa21fd7c134f89c74b7c33c1894aa94f08b59aef3e0093d0e676f08991dbc81ddd9a329a1008cc689f5ea6ac1b00f47a86aabb3476 envoy/data/tap/v2alpha/transport.proto
+shake256:891d5bdb9017028abad1e14c68ee3b0e1646f569b97476b8eb8c63d2b781a4b06cb502a46582409292ee431a7e4c0aaf3b28e0272a25e03fbaa56713cb9e6f6b envoy/data/tap/v2alpha/wrapper.proto
+shake256:631bfbc49593e820da137679e03ac21405ef7d76e2d68816de0a484bdf0d419f6d72e7d246591904c7712e002e10ebf7b0422c61818d26f1d23337e676f93652 envoy/data/tap/v3/common.proto
+shake256:fb758aa0b36e31dccf24f3a64b1621e97ef5d8c80f86e6dfa0844df109d719209dbb6a15d74536f66fcefda9fee5154462dbf640963243a2641b84d17b0a4502 envoy/data/tap/v3/http.proto
+shake256:cffb4b03c2cdaf87e95ae70b72ee7afa4952783c02b23cd850bc658223cf7b635a6ae46a4457fe5cc69daa957dbedc9f09477828b46cc0d40c4cc85c42414e80 envoy/data/tap/v3/transport.proto
+shake256:06a9c81be98880bf743fdc7bad0cfbadad1bd333d89c88364ebe24deeaf2287c33be918618f2dfe9cafa31bd85a0e82a1f5c834d0d13ca285835813aeae7ab9a envoy/data/tap/v3/wrapper.proto
+shake256:6a79c855b6c0be08965931e01925e38b0dd6b550fbf8a89822f2c358fb26fbfda4c2ca08eade15ac926c325d8ccdab9604f26a6e74fcf63928b179f7a5c35443 envoy/extensions/access_loggers/dynamic_modules/v3/dynamic_modules.proto
+shake256:751d80e997924ab9d8826ac8deb4645239f57629571ac7cc458cacb8ada4779999258188a10d9728c0c17961305cb587074c054d6b23391dbfa3852a94a42c1e envoy/extensions/access_loggers/file/v3/file.proto
+shake256:b5d9ec9f7834d656e6f73dd7ac2b1ac4765c8888d02fb3e42d51f9447008c8d52f40bebafca0ffeb7326e238dd44a3d0cd59c9aa67748e5dfc36ee8766bb58b8 envoy/extensions/access_loggers/filters/cel/v3/cel.proto
+shake256:d24f80ec625ca4a34589ee26dc9092322920a57c5c68562f26c7a6438922039682f2dbc66d9e212c41657197446184f9acfd684ff12de00b492b04fd8a49e2e6
envoy/extensions/access_loggers/filters/process_ratelimit/v3/process_ratelimit.proto
+shake256:56b5bfeea1b9589f8782e223818f04fc325bb38825f275cbb89387474f4e7fded90c907292e660bc01f02f2313aeeb19a29c9fefc0c82e031347130bc4fe9ebf envoy/extensions/access_loggers/fluentd/v3/fluentd.proto
+shake256:cea5ade650586c7e3d0f5f583c76140ad465de448b21d230b21aebf5b0f6184bc79b12a11374d7672221a612c59a82a23f6061c3bcd978d4cb4d3b7eb321c613 envoy/extensions/access_loggers/grpc/v3/als.proto
+shake256:98893684c42a2e2520895a664623c59426eec1edc6b04ae90296ef27eb47fe1f12574a0c196d0979a001628aad4d85208c73897c8ea130ff31aa621b8284df26 envoy/extensions/access_loggers/open_telemetry/v3/logs_service.proto
+shake256:8279990477d97efaa433be0a4321dc7d2291ee5d8aa833d9a24487786d43ed370fc0e7f1b3a4810025e61d45c0600d5ab4900396c58cd9419b3aa281f69077a3 envoy/extensions/access_loggers/stats/v3/stats.proto
+shake256:667450b661666527e11db45d12b9a0b0376e9c8eded7a80cbe8be51d33569ce931ed8267ac4be3d3cf8f1d1d689b3fe8ce52ddaf61fd2942a52bbf550dcbdb05 envoy/extensions/access_loggers/stream/v3/stream.proto
+shake256:dc17cdcb684c9ed3fbd22ebb50989ccaba1edaafe8b2788b64c2aabe277a2540c48136b9db30129543b72ccc3835b563c43589187c10d932d24f55efa43d1ff3 envoy/extensions/access_loggers/wasm/v3/wasm.proto
+shake256:6fce554d394bed9723dc38e8dbad13f7ed0b955cff4ef9af3492024133d2241b8097a22109e5bae906b63bf468a58f7cf3b5fbad9a7ba6d9deafb339dae8d9be envoy/extensions/bootstrap/dynamic_modules/v3/dynamic_modules.proto
+shake256:02c3685ee9a377c8dc2d6dda1e5906e97b78d430219252c734d583bacb37dbe13bc2f7e9b8fe6d3a919d56e66349c076e4ce243aa955d0ebe5bc1dbb8d0d78ba envoy/extensions/bootstrap/internal_listener/v3/internal_listener.proto
+shake256:e1ef5c6288164e96ad75f885a9de2fe652bbbdfdd8a7f007ebee1983286e2b9efdd7028b76c68ba529d2783956b5e79730a868ace2c4c115c1e7107f9fefa993 envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.proto
+shake256:619a9180e9bacad6103038fc2244b8239b0d849569f64f226ba8bf506a296f923e2eaf23e2aaa884d68b3d2e4de525d3324ced0436a98f5697ace6c8c77c640b envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto
+shake256:d5eac6c1a79275aef661d3fdf96f471580083b55a808b79b9c01d69204252fcba82f67f47a80a456abf6ec930fe687ce26f08866f116e0fbe4c7be200d68f1d9 envoy/extensions/clusters/aggregate/v3/cluster.proto
+shake256:e3fbc3da2acacca933166dc9dabde689f5f20e29f2b7ab43f839c0b29c8bb5bea668ff8536544d06a5a0020b7c537e3789fe9a671b2e217880442891c899d9a3 envoy/extensions/clusters/common/dns/v3/dns.proto
+shake256:f4b676ef5840cc1e1d8e3fe0c4082b16c423ac1a7b25f9e58f1a3f43733cf51bb7902519dc780939132ae3287dc5c00b99d6894a6da03ad841517d12e072d5e9 envoy/extensions/clusters/composite/v3/cluster.proto
+shake256:b8474a002d72c2f26c487b3f7ff34c9d28dede1ae5deebca5bca92acdc82e3eb084a31405538e2210f87d882cc4cedc05abe0a337497ff6dc211e65c16dcf02a envoy/extensions/clusters/dns/v3/dns_cluster.proto
+shake256:7e03724651ff36311b8dc7064d7edd827f2b39c1d84707d9adbdba769385598813dcfe57343b470230c54a1d953ce09eba33b42e1b3baa52e3cc4e9b35565e7a envoy/extensions/clusters/dynamic_forward_proxy/v3/cluster.proto
+shake256:5f8a02cf67b5c30f47a9459137ed47a77744906a5bb75baafbce675671109b7038b8464dc2b5e186728bd6360fa0d889df05ff944a21894a27d3cd2d7e38218b envoy/extensions/clusters/redis/v3/redis_cluster.proto
+shake256:713d411cee39f04b628ebfc3532d4a8af422cfb8885f372599ed0d86dd4011f743d160c66485159be9dee939ecf66de5c323cd1fc4523f1c3be62bde4e3bbbac envoy/extensions/clusters/reverse_connection/v3/reverse_connection.proto
+shake256:9a433eba11a7f4b3fa7ec0c57f89f1d8d9bb514953054bdbb6084f8aec89120f49a316d7b5a38b1cd16d4ab69e09ee5f4beed66abaf2fa285710024cb2be8468 envoy/extensions/common/async_files/v3/async_file_manager.proto
+shake256:7ab7551b0c8fc52259981599b1b118ec1aa8abc5692a0d550014d427dc5553c054ccd0c9d0262f7be1cf664e1840f1ea633e4cfc995cab69f3d5b9db44f8888a
envoy/extensions/common/aws/v3/credential_provider.proto
+shake256:b507b895388f9b46bd947d35a58112996e4d468a2002e06ab5511ebe3f03db0f6e5015ecdd0d04b06a65cde949cf2a5165ee7131fbf6dc2e3263970374d9c72c envoy/extensions/common/dynamic_forward_proxy/v3/dns_cache.proto
+shake256:dee56c7243546db3dcb520fc8c60eeca88376540e5bdbc2a4002dbcf8c61f2c012b17c1e87fc23cc833906440619398fa8a19cf1b4f5cfee4901ccad6c67c8e7 envoy/extensions/common/matching/v3/extension_matcher.proto
+shake256:1c6def9643491a1c8aa4b53cb2d0bb744acce4945d9eb63a3e7733d3f6a568c3a1d90531b42787d751a6ce3bbc861db13d1ac2a031892895ee3a2b66c70877db envoy/extensions/common/ratelimit/v3/ratelimit.proto
+shake256:d0460fa03ea121f02b6240c234f86f50569c78e1e1b0751d21bdcd3f07e90a1f551cfd6b5b1beb96623f89ca1dd5fa409722e112d8fae05afc83611d37add45d envoy/extensions/common/tap/v3/common.proto
+shake256:9da9e3129e59f3177a102a530d9c11b974c06bceb112924d1612993e48c266bbdd32f366fb9dd7c86dbb64666edc716ed8266e00f750d8a729b85a0bfb932a97 envoy/extensions/compression/brotli/compressor/v3/brotli.proto
+shake256:e75815678d15ffdfee38535448fe91b904f26d1a2d8e25c3a16197c3e9713e94a5c7c9e893cd8eaf3f0d34f00168aaa53f3bc50a03ba3aa12f57ff98e5b9461d envoy/extensions/compression/brotli/decompressor/v3/brotli.proto
+shake256:478847c0e8b17d45ba72ce23d3c0e658e8f479ddb8e70217a2b01f95f5005559432f958ffc1f3bbe524ec1afaa9d3c743f3d7e6b23380863847e37c4b309c537 envoy/extensions/compression/gzip/compressor/v3/gzip.proto
+shake256:cefe1d4f68cf744c03b12227f097ed1cb32af4d23fbc72ba227c012da5d06ea82cb1e7cdba3558cca9d942bcb976ef9b71fe65bc80379a9942de1937604aece1 envoy/extensions/compression/gzip/decompressor/v3/gzip.proto
+shake256:6970164ab52037dc7cb57972e4949deecda9f9a807cfa875f98cf96392ef3f88c12791bdf03f207885940fb888fc4df0e1f3350c8a86fb6ee0e1492da0d2fea5 envoy/extensions/compression/zstd/compressor/v3/zstd.proto
+shake256:e63326da75acfa8ec8373a4f5552d89e171ddea73f8e081375a125a1a0d66f6ec85ade9b0a05fad190f4f5295a7f856fec6c6748e3faaaf356d4b5bab27e6954
envoy/extensions/compression/zstd/decompressor/v3/zstd.proto
+shake256:3d8958129036bc56f9b6546fdc0d75d0b3bebbdcbb26b6f267c96f83031abd01bac80e946942cff60f46b3df0586a2f50539074ec4d93f20ea99505e9afbcd7b envoy/extensions/config/validators/minimum_clusters/v3/minimum_clusters.proto
+shake256:9807d3ebad080c0acd2fbcc4286e17d94c2ea09233f52c89455ec54d6d1fb13b19b841faa36608cabf8e1e85f9f23fc0bf0f317ea5bf3a03c792c399121e980e envoy/extensions/dynamic_modules/v3/dynamic_modules.proto
+shake256:10d9f4d444b46337f205d8690ab38b50a4b8464aefafc1de2f0871f2b5000782bc237fa6f1934543bf87e9cff15a83145f31f972409ec7c2868c00eca946e322 envoy/extensions/early_data/v3/default_early_data_policy.proto
+shake256:214ce39eefd934f17dd4a3f5912580313c1c548eace2cda4674c72916827fb79c3752ae8bd95c8e0c50fda9a8dca3eacfca5e155e145786690b05f30d1e44654 envoy/extensions/filters/common/dependency/v3/dependency.proto
+shake256:1dc0cd631dc4ab17eb4b5eb919f7daf9b45d61d88a72bdd0888c853b33563966a7c89948948d6454c70c3662282a98d33121d71482babd07ddb13d66cf24e641 envoy/extensions/filters/common/fault/v3/fault.proto
+shake256:df574600c0b95f0d3a67e84873051d67fb2204bd1416334e9a6604b12f69c1702988042636741c3979d120a525a098b12c1d976abd0381d4efc97eda88754fcc envoy/extensions/filters/common/matcher/action/v3/skip_action.proto
+shake256:59527f51b36370ee87eaa093e454df957c4f537e2201e02da2928c072be789221d7850b0773d9772b06e4e6ead2c25e8b7534c4265c5ddd7a888ccb7f0c92c16 envoy/extensions/filters/common/set_filter_state/v3/value.proto
+shake256:e6df3bb2bfd67f962c667bf9357058f6525731e037937de2db16a88222ed331f2ae53bfc0878a878ad30517f3e80381bed41198d30ac3963f243dae9672a72c3 envoy/extensions/filters/http/adaptive_concurrency/v3/adaptive_concurrency.proto
+shake256:3b505ee35fb0516a12fb2b6a8719392717d0d8edb3b5ca0bc76bff8d7d7f415f52fd1bf7a646aabb476606dae85971fa1e273dae165c400b662d7d3f06e80f9e envoy/extensions/filters/http/admission_control/v3/admission_control.proto
+shake256:a78504454f77d6b293890693de4d63ec9ccbb54b5bfd88421221c2ab8cd55ccbf343d8de99591eb5e912cf3dc0cf9193b6b065d4056c32cb2e48c46f983560aa envoy/extensions/filters/http/alternate_protocols_cache/v3/alternate_protocols_cache.proto
+shake256:5a0cd327b6fa81883930058fdf67a8544df52a5fab5b2d5846561275ab474f0b7a17f1830065f9edc84c841343becb39986ff68f497d1d6b49a62edc73375b71 envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto
+shake256:208e15cc704c30a3a37f03fd72c98eed16c47e31e653e12c4c3829bd1a7746757da98ec919f2fd034972bed671e50690f6e302a68f6d1fe850d395bb99fed659 envoy/extensions/filters/http/aws_lambda/v3/aws_lambda.proto
+shake256:ec87b6ead92bdf9a5dc242a21f782d7a0f82a292522cbe59b802292b21e03f891b40218ed283b5a5c7c6d5f8196f00e8e3685cf49677ccd616077b68a956180e envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto
+shake256:a012539b93b3211ab8eaa539d7e5792c404eabbcadc186a517229c24f109368600dc9fa7101a18216b333310c6c214f0daf76a1d65aa824c7aae8a6c56834550 envoy/extensions/filters/http/bandwidth_limit/v3/bandwidth_limit.proto
+shake256:0658d9ac6676216ef3c6a8d93e91d5ed61e9ebff0c4be5bfd1d7cdafdb3e4179a796bb5128b97da5497fe76f13f8b4c9b3c1d567257200326ad0f33275314592 envoy/extensions/filters/http/basic_auth/v3/basic_auth.proto
+shake256:206a2c768f2b92f64a57eccf17009e8a6dc212dc7093b5fea083be08cae2f3df5ca3757aa37ee3e5bd4f5c7feaff43cae53e6cfe028ea1c3f3f18859321d0e26 envoy/extensions/filters/http/buffer/v3/buffer.proto
+shake256:092c99ed8673f473541343b33d81bc4d0e0e5d5cc1d480ca1a2a99e502a72f91444c69ddec54957a7acf7f69e9a163f99d211a50fcad50d1941a2afea84726cd envoy/extensions/filters/http/cache/v3/cache.proto
+shake256:32ec3f8854e5a6ceed6ac53d62142d707ea1c335da41359d8d57cfd3cff4edd5afbe1fd1d7a40057a17ae0f20c106756d7d29480007969dcd4b1845fb2e3ad6b envoy/extensions/filters/http/cache_v2/v3/cache.proto
+shake256:44aee45498a29aab141211300debf8d21ca32b91974b941358765eddaff8edf6a44b4f1f201b9156b78ecaf90fde2e204bbdc4ace89bef75fa30afdd2d300658
envoy/extensions/filters/http/cdn_loop/v3/cdn_loop.proto
+shake256:002cd85799c5af02bd7a35f7d889014754cb0265dfb84cc39b9e8b569beb221ae9950bcd19b5580b9c50e016cf405b080946c52b7802bb63eef81279471798f0 envoy/extensions/filters/http/composite/v3/composite.proto
+shake256:81791ad5ea2a3098874b479dccc17f83f0c81af3589b0c1edc99b99fef85ff69ee544e25b234ba6a3dc717e49df5a45f0adba27df13f5d1d56a6c8a4c7e6246f envoy/extensions/filters/http/compressor/v3/compressor.proto
+shake256:f76396fc10338f03835c8015117c14c6345e9544bff3300eda5aca31281d342902fdbfc69924318db6c8b22beba6e26b63e04b2de12248f98eeb6dface9a89df envoy/extensions/filters/http/connect_grpc_bridge/v3/config.proto
+shake256:677757e90aaa84b929d892f82079e879572b926402a7024684ff19fd7d1cefcd874d472427d46492fb412c44339653394979691d2be35700d4e0354302c636cc envoy/extensions/filters/http/cors/v3/cors.proto
+shake256:24767a84ee65b6e9e6428051c9743be3072eea6c2a53fcf956ec59b47f2427aceb4dbf795b9ea6f87bd5bd15493338f74bcb878e2417543c78db9611eaaadbce envoy/extensions/filters/http/credential_injector/v3/credential_injector.proto
+shake256:86d3b5213890d1c4282fe4b466d3cbc3ab2a8afe6e91c6449b5ed1dde08ce5d7e48fe921551639033d0a744d6f08cc56865386fad1ad61d75e27fac18b550a93 envoy/extensions/filters/http/csrf/v3/csrf.proto
+shake256:82ffd0cbfca838b0c290aa200fab3203a91825fb676853feb477c97c3cfd0b92f209e5af6daab0257bde72d859764e46cd4f986aca0227e98bd77023fc4b0765 envoy/extensions/filters/http/custom_response/v3/custom_response.proto
+shake256:b6ad74944a6e9d41423c56167880b837e29398140519214771a4620522f8eaf703d17ace4ced56f00b4cdbd0858652c73e6da54bf45c283b4e3335e7bd9729fd envoy/extensions/filters/http/decompressor/v3/decompressor.proto
+shake256:e17e1ccadd977742a7884357a8920b35a26bcfa9bb6a50caf00bc88b151ca809c5e651f2f04aba6135aa0c969a47a6f2be403d8a7af923ee6e69b25999d93e17 envoy/extensions/filters/http/dynamic_forward_proxy/v3/dynamic_forward_proxy.proto
+shake256:9e76a22c9cdead3f586feeec0952f4809fe77c613adbaea2ffc25d357cdea64c3468f7b960227208a372f53ac5a25345af4db2bfd9a93a1562efb0e2d4e8323b envoy/extensions/filters/http/dynamic_modules/v3/dynamic_modules.proto
+shake256:5753ad827ada06f3e3f0f98a57a0b70e93a6bbdd8b8b8a969e9c34d99804516e4593ed746c4e132edc3354c404be5ccff2a2f8553dd32667d4a3d6e7db8feaf0 envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto
+shake256:bb668849b33a7391d165b6b1e36b7049fc3ec26026d0e968c9398a8c2b56f1b2c3b5926bfe0d17ab81683a5454c0a99d36c28a61aac13b7d46dd3e754d04dd10 envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto
+shake256:7c47e01e6bd412b0dfa541a4e7337df6e21bafd4e16296091b1481cfafd975ec4c0405cf2262dde4f8dbe2a1227b4d344d54e2cc11f43f5ed7844279dbdd41e1 envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto
+shake256:943b936172d2c0860b92a0afa56913a1be1352d1271f46602903adbce38a51c7f651d973e5005f2e7baadee6391622726288c0f4b9481db3c1d6d01a6771b30a envoy/extensions/filters/http/fault/v3/fault.proto
+shake256:17a99bcf1de1e3157f141247a5c03ee70c9b537ed3b45e255a01952a6492201b82e077f9d30d88266019b2abb34c4f2576aa1fb97f305e2f744297b8573533ce envoy/extensions/filters/http/file_system_buffer/v3/file_system_buffer.proto
+shake256:32c11e93a8a0fd4d7d72d3676d66c1a0f14764d7a7df9ab8ac35a6fe8384b1a8a5cdd3bd7662994a51ed5833840855a9495f2baddadd8a29bd06f0fba39a1ce3 envoy/extensions/filters/http/gcp_authn/v3/gcp_authn.proto
+shake256:f1ce76dc162b62f57898c3f089e2afdd5c6543e14fed6ad02a2ebbc220d55f53378ee6e19f05eb1a2cb4c5b6836ebcd125d3abbc26012190cf544c9ce97717ce envoy/extensions/filters/http/geoip/v3/geoip.proto
+shake256:47e47d602ed52567c8ea6649f1dadf18ed958b2ddff78b2376dfc19922a4f01817bae6250660ccf2b85c8fa98ef6db326105d33905c600727e4e7e9084855dda envoy/extensions/filters/http/grpc_field_extraction/v3/config.proto
+shake256:54ccc9976e5be2c8496523ee57a6de9c6b9237930e904c43a6531d6d6ff5c88cec12037998ad3a90beffcde8d9ada39d0c09c0b17fadd461dec04f94d8d3f6c4
envoy/extensions/filters/http/grpc_http1_bridge/v3/config.proto
+shake256:35678736fadaab25fc9272b2cb7eeef51ad4b9918db5397823fc8acef4a53b16257eca5c8b321a8c76ad75b92179ed78391978d522366baa2d2276d960a3b883 envoy/extensions/filters/http/grpc_http1_reverse_bridge/v3/config.proto
+shake256:9785b66a76a0a40de3ba46c4ea9f51964da7959430d165835edba22073a17f7333fc102e3245606aba6b419c0da0053692c07c8ca83ed4925ea172aa9181bbbd envoy/extensions/filters/http/grpc_json_reverse_transcoder/v3/transcoder.proto
+shake256:294f73c06abd0145671ef0990937f3db59ec9853b2acf381016e62b43d622340285febb07118c3b5a7b677d996d9bd2ac9d1c83a50782e660e31a26f3c658faa envoy/extensions/filters/http/grpc_json_transcoder/v3/transcoder.proto
+shake256:d9a4d41a9792b6012069dca15e2c976f6ddd652efea683a3a55220b846b4bcff6035c1d6e15d87de5c4b86805d37bd289e305047e4577f500cd5a8d944c1ef4b envoy/extensions/filters/http/grpc_stats/v3/config.proto
+shake256:3a59bc4b6b35fdc24ec0d2b13aad7e9d87fcc0f2d6bac1173870a993cd643defab7ee86ea754985ef2ec40af21385d002f3ce4a042a8d1cd86fab9348eff427f envoy/extensions/filters/http/grpc_web/v3/grpc_web.proto
+shake256:b8efb51f7b329e3d2e96c2aae437cf032560c7fe34fbfaf77a0365d6a5d328a52b69a740867a3ef2ada2181764cf30d101901d7002b95f61550066299ac98924 envoy/extensions/filters/http/gzip/v3/gzip.proto
+shake256:bc32e26f241c733ed2ad7058be7245b29174a9b3a5e7e2fbaeea928da4ce0739672bb423ea15485dd903bb5f14fd126edac775dafd9a5d279b78a4c9756a1344 envoy/extensions/filters/http/header_mutation/v3/header_mutation.proto
+shake256:47a85b1ba384f1512d854424c1f56d8b385ea6444b86df61c1c4710c3e1ad7f3a33fa02802e7c75a49654da1427a0efba7764bc5916bf6de58428cd63693ded1 envoy/extensions/filters/http/header_to_metadata/v3/header_to_metadata.proto
+shake256:f865f9d2e827432ef4c8c9e0ac8e846235caca27c3660f45be67ac76263d744ed14229a30cf92c60def1be82776df857bf578d08ffb9cece051b72bd8241e24e envoy/extensions/filters/http/health_check/v3/health_check.proto
+shake256:e21dabe4f701068b930a6c2586ed13869ab20e7756b0ab88bf4730ac17d0eca7b68083f2fb86a8a15acf96150b78411dd840a35bb2865cceeb2c2840913e3f59 envoy/extensions/filters/http/ip_tagging/v3/ip_tagging.proto
+shake256:45c4c0ac25f4b6ca432de42473f54e11620bf8b355c27c242ab40a0d1a215e889c98a4a36c61680b8f3873a9f886317cc905d715dbceb3cf12da2c5a9c8be57f envoy/extensions/filters/http/json_to_metadata/v3/json_to_metadata.proto
+shake256:7a694f7096a90eea01c8587b07066334b4fa525478303ea8a2b78d38185f17b025b1d71070421b8f9ba58f097fc78cb557caae8f16d213080496f934263a378f envoy/extensions/filters/http/jwt_authn/v3/config.proto
+shake256:49399294c8f69e4092b27abaf692a23c812c3f687661268a7fdef357633f6092e9b7949537e203c81ddbe3f2d649636fc5baf98a298a4e47f654b8b5e473902f envoy/extensions/filters/http/kill_request/v3/kill_request.proto
+shake256:19ec3cf38907ae52aaec3e7ca8b03c11606425d9da90edc01a6922decf1e8c7962fa4b68dd625d9002863d5465c09eae29b724c4a4bffb7f3a718c936cc59614 envoy/extensions/filters/http/local_ratelimit/v3/local_rate_limit.proto
+shake256:9a844d826893023debba55942b249a822aa24d24efc5df4df8fe21a2efb31a0ac07acb1ada1247ff21c8b1c8a7f508f25f01eff03b7f48c9417bb2ef412e5fb9 envoy/extensions/filters/http/lua/v3/lua.proto
+shake256:465bfc5258cfc02a55d62f64738c2e9c23266138751628c32cbe61da84cc8d12bdfb7a19577e3fb4e433cbc9c30cbea7d7d0d61d5a8119996380c0fab161a8e2 envoy/extensions/filters/http/mcp/v3/mcp.proto
+shake256:5667f8c87679bf1644503044802c8f3e1cf67eac83eafd7a9c0abd969bdc1addc7670b39c482a0cacc8a58d9eea6ba734baa8d7fcb82a6cd0bfcf346a5da0aa8 envoy/extensions/filters/http/mcp_router/v3/mcp_router.proto
+shake256:9f939fda4e1780444a5842e1b5a8c49ea62094afc0b6d83dbfd7479bfa3623be6a5c876538f9e4f7494fce932d88b9f04169da5ff732e44b87b8b318e85a7841 envoy/extensions/filters/http/oauth2/v3/oauth.proto
+shake256:fd2c273b62f3393a47ba7268781f55343d960d6d73d11f37fadb455f1dd4c1d4180fa119a5599ba3434e1032314cc1bf08482ade1ec956fdde963c996aacdb10 envoy/extensions/filters/http/on_demand/v3/on_demand.proto
+shake256:1d3227dce10e77b73f813d975d24dafd38c5d3ab6a2491a45f3b56a4e8d6412a9b7d687db0e83e300672d7e1bad9998066dbeac43580d6027713e2793cd44e30 envoy/extensions/filters/http/original_src/v3/original_src.proto
+shake256:1ae73302964f63f0d1e375ad6a78da4859bffbf7ed184d4af5e15a9ae0753daa26ddcaf538c25e0685945ce2b2879a7718180dc599bea7a372948d126abdb520 envoy/extensions/filters/http/proto_api_scrubber/v3/config.proto
+shake256:18a36552f74feffb5e870e31aa73db971de269d00a5b11a0e727722f894450a10a09768b71ad75fa3e532732c65427bfa87772fbab5180477d39765cd27f4e12 envoy/extensions/filters/http/proto_api_scrubber/v3/matcher_actions.proto
+shake256:61fa4bc0c15dd4f8db3915ce16d05d830f94e84503ecc3dbe95d45282ffbe1b37f6103c91c139b11893438f0ba0fa806b4a73deabc0e184235739b994264acb0 envoy/extensions/filters/http/proto_message_extraction/v3/config.proto
+shake256:28bd12f97bccae3aa606022c3f09d1d4acade512e586542287c6e6af79242d005caaa91ff24ae517a498d38a63e34906ac899f286461d4701c824be602b0a24b envoy/extensions/filters/http/rate_limit_quota/v3/rate_limit_quota.proto
+shake256:f6b9dcc9dfb1e6fbaa6b7a84c89c621eb79ec5c7341c179bbe08c3382de9aa3ed34fb549aa090e2c770693b966b3ca9851caf6746064d71c82909c549b2961d7 envoy/extensions/filters/http/ratelimit/v3/rate_limit.proto
+shake256:0ecfb10ccedca83b3f7d88257cf2f82c341acc72d04085dcc65d469306ae5e2af7b8c851fb0347033f98decb8f571e4c2fb0ad941f11592fc9095eb354d89244 envoy/extensions/filters/http/rbac/v3/rbac.proto
+shake256:dc63fcce9d1ed50b4322387791cddf8c021412eb8dc5cb27e63eaa51cb5aa48ccd055477b338e95e007371d79d994f3839140015015bbd8ace57ea993261494f envoy/extensions/filters/http/router/v3/router.proto
+shake256:d38cb8d1499d4aca120889be75342aa6a764b98840210510553bba03db976148eb33f935fa8d18fdbb6a306bb5fcf39bf01cd143b51a7308566638858ba2c8e3 envoy/extensions/filters/http/set_filter_state/v3/set_filter_state.proto
+shake256:2d8d34eb836ad52142372664bc0d5e2c0a3432beb2ac2baf5e5190bedd33b625ec3a4c646d45bcf3612ee34b4d27bd598ccb957701ace8adc2d69002d03e1a8d
envoy/extensions/filters/http/set_metadata/v3/set_metadata.proto
+shake256:da97c315f9061cb3ed2e89bd696f2f6adc39416b878ae97e5727af3f7b85523eb976d0ff80b28d93cd51923fb49113b14fd54ea90861caed40e570ae541899da envoy/extensions/filters/http/stateful_session/v3/stateful_session.proto
+shake256:7cf78e9c1627775630db0c853ca3602c21b43a5d2abae605e1e15ae338498104787d3a8ccebeb93e93ed60f546c1ba3734c4201e9093e245b02b6fb65e6efe86 envoy/extensions/filters/http/tap/v3/tap.proto
+shake256:43e45fb3e4a545ad85e52c78ab7a51420e9394fd1f861c4dabd90a19c084721263ae2e4aba91ea48fb9d1f0c1a8ba626850d45cfbcac18042ef50581fafaae9a envoy/extensions/filters/http/thrift_to_metadata/v3/thrift_to_metadata.proto
+shake256:3d4d166abf61af4d0844593c3eccc0196688d3e6f40ad4092df9b75534d8c9d3110083fa6237da870e34d7f04602da74c67dd184e9108c2c51a2cc15b0e69649 envoy/extensions/filters/http/transform/v3/transform.proto
+shake256:62ca580d449d9bfbc44a50576ce74ae2449838aa77333ce29b32dc1157ce4f5ff9bbc5f55e8aa47bee9c0a81bb311656458254570cfac7c5755baf1a54d1199e envoy/extensions/filters/http/upstream_codec/v3/upstream_codec.proto
+shake256:7be62eac9f7e39c3ffa0070ae67183e9f795a6da804cfb80fa698e74236fa7f2ecca7eb7643750881ed954e23e47121b4340fa8b834924fe235b3f22001af52e envoy/extensions/filters/http/wasm/v3/wasm.proto
+shake256:db215158abc795f16af911490b416d119eccc3ec6d16fe9d6a094f76db6ea54c007d28d77ae1b70529f7ba12ea94df50f80c49bfdcdd5267e9de43bda3b58b47 envoy/extensions/filters/listener/dynamic_modules/v3/dynamic_modules.proto
+shake256:42754ad153b616a11218efdf3758ef197b6fa86a79b7eb54c2a69dc7a8a7516f277f13d417a2edc1da4335c1bc7ee788ba3d004d94db1ec2fd65d45033a95d8a envoy/extensions/filters/listener/http_inspector/v3/http_inspector.proto
+shake256:ff875be86e430acc9cf5417559b1dcbe9908d93fe650a8c2bb8efa1477380310cb4b28e2b99f0123f63ed403e02b86e7d4b54bc6ac4321c1c39d4bb49724c320 envoy/extensions/filters/listener/local_ratelimit/v3/local_ratelimit.proto
+shake256:4a6222cdacd18827561373bb4b265bfd8fce19d1d0ba98f8684d4ab00c25df3e828b5ed1b2cbd5613098947f3fe6a6cb4f98a4328a087affc3e5500cae2a8152 envoy/extensions/filters/listener/original_dst/v3/original_dst.proto
+shake256:66ba94f4db7b435bf3334fd6f1e9cff5cc57a16f1482473043266888af1de5c3b367cd3597eeeb2f651479fea2131f6dec7bc2060e1a2b2137ac07d5886af19f envoy/extensions/filters/listener/original_src/v3/original_src.proto
+shake256:2a3f58f19a05d4bb14ea75736b81862c7acd196b73db4ed172be24876e6c9efc18905db4c243fe3a266c1b9f260aed9a3b7421ee76f5dc39ae73158ae4e7be9d envoy/extensions/filters/listener/proxy_protocol/v3/proxy_protocol.proto
+shake256:9ee0b29aed3777812c8d5348bdc7ba125d07c57cec49e831873382c2cdf523b4b5e83788c4ab5ff7d68154d00ba17f627fb92ddfb625c6cecf43b1b3ce9860aa envoy/extensions/filters/listener/tls_inspector/v3/tls_inspector.proto
+shake256:7fb4a9e553e835261f8b5ceadaab651f2c62e087b21ea911fa73f93a7a225280400dae1ed41dc8c12e6e48ae03140ffa5b42703fc4108bb4e8d3c1d46b1c01e9 envoy/extensions/filters/network/connection_limit/v3/connection_limit.proto
+shake256:e25fa5bec0ccbb67c93a7490ef54159ef21897f7152d693133098346224b8b3fe3f7384397d2f8fb9c1bbc019ff7af93e107fd157194eae16066f7cee812dcda envoy/extensions/filters/network/direct_response/v3/config.proto
+shake256:cc08f1da65cfd2a369dd00ebdcbeaec212436b7447914ea40ae9663db6b0c8d6383a20833d8b1f7c162fa0ef55cb159f578c1d596f51f7da021643628051810a envoy/extensions/filters/network/dubbo_proxy/router/v3/router.proto
+shake256:4aa8fbb891c4f33443faab88bfcc469e6c43febd790ae7a42b2344f15da519a254362c1033ad0eaff1fdaf2d2dd23d6ae8ea6e1eb4fd2222b512f248b857be7a envoy/extensions/filters/network/dubbo_proxy/v3/dubbo_proxy.proto
+shake256:b5aa593876329390075e36b05896ba1a53f7a6cec718f0dc36fb4d0fbd23426803ed3a035b00082a296e5e0bd54d3b8e321407bf87c2342b48c3941255a942a9 envoy/extensions/filters/network/dubbo_proxy/v3/route.proto
+shake256:a57d27a8b05774d301f856d2f82d3f94ab03fbcd8b9d188f3edd115325f9054463979c76015c671ebd4cc35c960fd035c8a5049716f71abc97bd332996de3bd2 envoy/extensions/filters/network/dynamic_modules/v3/dynamic_modules.proto +shake256:6bbcfb264094ea05e42dde37d991b735d59286c5aebcf78d1b263379541f1fe2119ea72580aecb53edff47bddaba873e1badc96d73956ae64923e472ffb537c2 envoy/extensions/filters/network/echo/v3/echo.proto +shake256:abfd42b3e363fbe849273f3400b4557ff8c511986893e362f7a3c524a33f10bc770a0e54e3160a7e02ad187d67b3d9fd38ae158946b5b38277065a2d0bfde960 envoy/extensions/filters/network/ext_authz/v3/ext_authz.proto +shake256:8118f88a7d299a9b7a57a7a94aa210aca62d813d5e4d64cca7c913cbe8334daa5bf391ae923972f6abbbee1e223d62dcb39d823d26c5a1d487d1730c552bc10c envoy/extensions/filters/network/ext_proc/v3/ext_proc.proto +shake256:e457b38d22593438c13d6c7c1e8034c1f26880994e3a0b1f0bbfa70fb8fee2af67095abbeb8d9a2a7a51f6d1b43d4c466f63f22f3ebd1e9b4fca5e403f58637a envoy/extensions/filters/network/generic_proxy/action/v3/action.proto +shake256:5d42e421358f8b855a150c085d481c86fc97d63467e349a09ee370b9ece4ca9f324c1ad82216d347ee09dc21ae461e74af87900df20f5ec7bdc4416179cd62b8 envoy/extensions/filters/network/generic_proxy/codecs/dubbo/v3/dubbo.proto +shake256:a2f773aa218c0be748f502dc38227451ffd316db83b6dc4c25c1c38a880505f1fb54fa880e5185e6cb5df419182d76c9142550145a808a8377e9beced176053b envoy/extensions/filters/network/generic_proxy/codecs/http1/v3/http1.proto +shake256:38c38372911fc508b09d7643f104662c8b756deb2f4074cc7786ac71cbe25afb95040b0f1c5fe0ca0fb3e3c048fc13fd47722a73037d99edb18ed24d7171529b envoy/extensions/filters/network/generic_proxy/matcher/v3/matcher.proto +shake256:990910042d14b791cfc23677df7592313d816696cb7c4c9f5d352286a5882ddfd0be3e93e0226daa3d1473f2863ed503b4e076228b93c31a85c56a0ba98a683c envoy/extensions/filters/network/generic_proxy/router/v3/router.proto +shake256:f28e303b2c8ebf38f22f3248e6e949bbd1eb6d08e6700cbc810d283553a27dbe0b04a8c172554efeb4cfe430fe57c0650337be449f6670e8208aecd407cac5b1 
envoy/extensions/filters/network/generic_proxy/v3/generic_proxy.proto +shake256:7084f88ef89e808dff1f0246917ce721896f8467b69e801a0e0b4148fa3f71abc7205b0f9e098dc07dfa635cdbf4b514ab410856d3342febf0e308e979bebbb0 envoy/extensions/filters/network/generic_proxy/v3/route.proto +shake256:1a40596b4ce5536642785bc6b04b1c565fba95bc59f0231c0d8691078a51a20b9386c7a23bb31e949c7e06153fe30ef05071970f7378ee176850e2ba1428b1b6 envoy/extensions/filters/network/geoip/v3/geoip.proto +shake256:ab4879612ab6ac4cd7e0baeda3622cda45273b419ad9bd1d79bdc707aaf11f9cca1b5fbecc5c290cb93e63d7396d6d0fbe9c1beee5d3305f72252035f8604fd4 envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto +shake256:668f665598f56fc23cf72fb07af2ea9bd19f1f0f4559d83f664cdbc865d066a9f2414579ce72207fc2efe04ab1cd1175d449f6f572f021cd9c60e467b1b7bbda envoy/extensions/filters/network/local_ratelimit/v3/local_rate_limit.proto +shake256:ed382c5021bdd2dcdead147278a9b343cd78fa4e1e6142a09f0479375edf664c6d40fe69b7bcdcaf4a6ac500e5be27bfb824c402d6934695e605b5540ce6f17a envoy/extensions/filters/network/mongo_proxy/v3/mongo_proxy.proto +shake256:4275b6a6cf29c0bea83f4af29f74d74061d8138bd5dd3fced6b848dd6925e75123ff26b5caec6a391703a0f72e1688eaae92a48fbab238d78669db1b114b4664 envoy/extensions/filters/network/ratelimit/v3/rate_limit.proto +shake256:781b40a8c70122b1a22be027ac05afb870f68a0d6b90894748005adb032e91f1ef800f0d37afa73677b95e2fdf08965b8b9f08388af4a4737e18d84b0c6f3d31 envoy/extensions/filters/network/rbac/v3/rbac.proto +shake256:c533295400884a2028aebefc3c33e91ac5f04292175bbe92f403d268e72f956da90fa837cf7427f0b7b195ae4ac6d8b20b2f26fefbccfbf38f82f0b4d10bc3ef envoy/extensions/filters/network/redis_proxy/v3/redis_proxy.proto +shake256:2b79397942da5d50b1f2e3a350b069126a771b2449592441e1d34be8f2ff15eb0433de0557ed71a68a874bb18b86e373a0fba9beebd612c34ae2ecf2f57b9857 envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.proto 
+shake256:4da937ae2f2013c8ab4c4b708457a63ed4acb07c2afac20418e6c55fde423553fcaadd570763a827644373da80f6ba861f1f0f6f407aa49f65b551add68f985b envoy/extensions/filters/network/set_filter_state/v3/set_filter_state.proto +shake256:25bd66409ff35d0586bc0044e66f1e1dce1d0468827a918b24e47e7d462eed3111f16422598a7178fad89ce05dcf2d2b6a153c88e56993d3448429e83ecd7070 envoy/extensions/filters/network/sni_cluster/v3/sni_cluster.proto +shake256:e3ea7ba1c2fcc332e031713bde4b92e894ad6d650df9355b1d6cfd29439fe33578be62cba39f88f3c8a8845edeb0fae6a15a7874043b40b4f45e566c639bb19b envoy/extensions/filters/network/sni_dynamic_forward_proxy/v3/sni_dynamic_forward_proxy.proto +shake256:883c1ea8b63022032112fac2bdb495ae2b5f80041c3d955b3e7f5e7dbf21025fccbdd1d656ebb024ef61220a85e330791f1bc2794bb19a389e65fddfe8ecf9fa envoy/extensions/filters/network/tcp_proxy/v3/tcp_proxy.proto +shake256:053b0baab6180520c5c2286be33254d0b50ec7c9cc4be9da19f61d59b21025de7de78dad34af65fba8396fcbf45ef35a1db9b7bbc0da489cc723c43b848a9f40 envoy/extensions/filters/network/thrift_proxy/filters/header_to_metadata/v3/header_to_metadata.proto +shake256:e0fbef37510c2cb48041d269bdbf648a265a2ab859daac9c0d7c16c9ada91d4f4d07854e9d3af7f3f4ce92f7838625e603afbb92ad7404f98def19eead357875 envoy/extensions/filters/network/thrift_proxy/filters/payload_to_metadata/v3/payload_to_metadata.proto +shake256:c2810280f8595c193b5c9cef0cf1b664046fd568e240e3169f6c5f9d98b223c83e2e7850b7b4ebdb99fe36e7e493bb9d9c500303465f9295e32559175c943d7d envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v3/rate_limit.proto +shake256:0c8fceafc6119af0fcea55ccbcd514a77a471f822e4f8cf8ba899eca1392e326aef811bcd03b5989e4cf3832aa0a6ef0928ccda72f5f0becb9308c2b37401d64 envoy/extensions/filters/network/thrift_proxy/router/v3/router.proto +shake256:dd60313c8303ec66220535b1f1089c4c3670f261b5ca1c85eadc9ad1686f7f16e41683ef86c6e1c9d6e33a8b1ef892a03b5652b8ae9ed9631c6e6ff35cdfd211 envoy/extensions/filters/network/thrift_proxy/v3/route.proto 
+shake256:7ed9f82e986f8b4536bbc8343b7f6a20bb3b1c5f53e55266d00792f55d7a2e08ee9400d9feec448c38ac7abd5a6c4dc80ed20a7f43fa8b242ba6bd1945b56183 envoy/extensions/filters/network/thrift_proxy/v3/thrift_proxy.proto +shake256:1d16001d635cd983fdd0021dbfdb73f87efb41508b6cb5e637ab343f20f9bac8e0419ab3be7a5865c908c4e8d1317f29fcb6682991a2c76cd523091e875d6f66 envoy/extensions/filters/network/wasm/v3/wasm.proto +shake256:9ba04c15ed1a83409dd6102333eca6f31995c479bce9d0af3584d600599a877e31e6b4aa76ac8b0767384128dcefe302ea6f0836a74dd648ef86b6150d00ffbb envoy/extensions/filters/network/zookeeper_proxy/v3/zookeeper_proxy.proto +shake256:5fe000c8a7be0d8c110a23b7051a145c3bbc3dfb96ebc31f92a4c897bde8e7e6d2d09da8733cc1de3ac0a20f1e3157f3fedd27164de77d1584ad6bfa551a74f4 envoy/extensions/filters/udp/dns_filter/v3/dns_filter.proto +shake256:4f7867b0773a6edbbff3f6032fb65b475a5cee759f6662696a55d74c25d4bb96c288630f05d6c12ba2806ee9a5e5fddf7ab2520840913725cfdebb6b588ee702 envoy/extensions/filters/udp/dynamic_modules/v3/dynamic_modules.proto +shake256:ce2cc8854cf066d5af22d29382cf8c48fec21386ea035ef7a6e7b6acecfe9e2e32575c577e2e3905de816cee3e02f9d2baa653e15a4283c9e1783aaaa269ce08 envoy/extensions/filters/udp/udp_proxy/session/dynamic_forward_proxy/v3/dynamic_forward_proxy.proto +shake256:12840ff55337412639f5723ad910c1a12a665f9d1a2b949de3df273d49b3998b79d093fa550d75b87d300b7ec948ace5d9f1dd15fc4f086ab987dd5382ad3602 envoy/extensions/filters/udp/udp_proxy/session/http_capsule/v3/http_capsule.proto +shake256:e5efd7c39a13bd85f51e45e06146e65abbde3d1755fa33b1f04cff6201ececb28c9d18cc9a216db49facda118f4a2a777415e418688c98cdd0d9eae78dfd069a envoy/extensions/filters/udp/udp_proxy/v3/route.proto +shake256:90c9a5e1b2bfe3cf7dccc8cb444c46a99c9214ab0a7b0c78c19f9f9cdb9787c35a1a85547849ae858e97f440352069bbabe91c5efeb9d8643c457a64737ac00c envoy/extensions/filters/udp/udp_proxy/v3/udp_proxy.proto 
+shake256:98b4491dad61ce1a62c98a1e229268e712489637a1dbc034c37dc031d42039921071f4396bf583fdebbc731db21196e192bd4c90f847caf51a90c8c54b84775a envoy/extensions/formatter/cel/v3/cel.proto +shake256:b01b9c08ea0d0da34c23042bd8da58ca40d92f1f7346b2a922c78409fa0e51d0b0acd6787de220b4b32397f96bb0acf7edd8ee83131d7b27524cf538b96c7bf2 envoy/extensions/formatter/metadata/v3/metadata.proto +shake256:fea0013ee58d5bab8985c8ccc364e378f131377f0f7caf0f94c06e4222a973dcef18c139eeba10ce16454423547376d1f32850321f8721621344f2470a29d4e6 envoy/extensions/formatter/req_without_query/v3/req_without_query.proto +shake256:27e7ea433e4e41e8bf8bee95418d6cad45942674cea4f325f7888bd75ca5851a678f728c72fd13140659fef678d15c1d1b6303c31512879253f2f3339d4d46c0 envoy/extensions/geoip_providers/common/v3/common.proto +shake256:7612c46eac426d19af9cedcef0dfc3307ddcc0135198548676b789bb15ae69cb0bf62883344bff9c6019492dfce5c03026fff6a317db73f7ce90cb8c4987e722 envoy/extensions/geoip_providers/maxmind/v3/maxmind.proto +shake256:7f89d816c9b3dd99415e179c26bc1a20c9404b6bfeee89f0e0f6449ecfe84964676d13b594b72f0ae8a8506128500e1e16f933ce8df9d394d1c0c4b45813aa17 envoy/extensions/grpc_service/call_credentials/access_token/v3/access_token_credentials.proto +shake256:738f54621e145760f7b19dfd49f2a1b93f3e7e906e90b0d10d8020dfb60671ba007e5a16ad49b43c0f17c26263ad7b75037096c0d099ab9b3766a134b967f4ec envoy/extensions/grpc_service/call_credentials/file_based_metadata/v3/file_based_metadata_credentials.proto +shake256:9b994b424db196e4024393e9773eb91d6c04f40ff51d62ddc3c5be89bf43a44361f944a70c2a1ef8c60e03fd31bf84b4f94a86b60f0ebadc2c8693a8d50bda2b envoy/extensions/grpc_service/call_credentials/google_compute_engine/v3/google_compute_engine_credentials.proto +shake256:3a4bba752e25fbe98c5decf5fb7cef33f26d62cb772a1090a70f52d120f0649f2dd7597c650b360e5b8cb94c73127bc4218ea40d973b391377fe723e65f0297b envoy/extensions/grpc_service/call_credentials/google_iam/v3/google_iam_credentials.proto 
+shake256:287739521df4ccf47e2466a84022be6911d45006c26e28da2adadf3c8de7173b3d1677c66ca4b77e17a9fb1b672f484df217e1b4611c93488d60245e6e44e1ad envoy/extensions/grpc_service/call_credentials/google_refresh_token/v3/google_refresh_token_credentials.proto +shake256:c4f207e0dd455917f2d2ff262738b2251f0ad9e2089ee7eede8bb1db6616c30ab66a50aefa73b453651d3354aff71bb825481afce3d128202e1e1df32242e949 envoy/extensions/grpc_service/call_credentials/service_account_jwt_access/v3/service_account_jwt_access_credentials.proto +shake256:e15b227bff5203ad4e5f26f97f15b19a8737d04089d7548c23a541220080f846ad5c4417fd874560786f53863bc4c76a04dca54138758749257029360097bac3 envoy/extensions/grpc_service/call_credentials/sts_service/v3/sts_service_credentials.proto +shake256:baaa05a38dbd4935506087fa463cfc3a8835aa79213b713885956c4176beea297948117e5ed8dc6a3d1dbb56730ee3f9af5dd3e452dcbc366fc9ef4bb1387570 envoy/extensions/grpc_service/channel_credentials/google_default/v3/google_default_credentials.proto +shake256:4bcf0fe81cddf339e3add76e432b404823cee937521b87cfa3d3062cccc6737ea842028dab050f99f4aeb2e8950ed82e359707125e6093916f8fdcc6a879f8e5 envoy/extensions/grpc_service/channel_credentials/insecure/v3/insecure_credentials.proto +shake256:bb28c723bc3100a46e0f6df343066f7360925ecf2fc8e6c85b07bf99d452c1777085d39e189ebc8c38142048aa9b0881481de9b10ce0c667c18fc0f12a6dfefc envoy/extensions/grpc_service/channel_credentials/local/v3/local_credentials.proto +shake256:7215f9898193b8af53eb913822e4a62030a22efcd12ab8b10e268e0a04ed5c2c6e5c827f445c7948a594fc9baaeb9dac34dc6cf9bfa1e76d4e1d4273bd9b1b87 envoy/extensions/grpc_service/channel_credentials/tls/v3/tls_credentials.proto +shake256:ac5ba8062d33e4d5aa748d0361c4432c67fc338e29d9e413c1477e57967de535e1f79f135a7ac836cfbc32678b2ee1862b0d14315c6faa0912e542d24be2c20f envoy/extensions/grpc_service/channel_credentials/xds/v3/xds_credentials.proto 
+shake256:4a151f7408451fe2eae927cdc8ec73a2fda8de863151640fed965d0b7330a60578db177089f2e7811a050de2a800c7b62d15047a55d87420f86bd910ce437587 envoy/extensions/health_check/event_sinks/file/v3/file.proto +shake256:227bef7a6683e83eb2544b81cddf8d085d588b5323cb3a70310c6d43083b1799ed370a67042e8fe15c9a4766b7a0b0735f21a7fdb7b642b3cd528f4c66dca8c5 envoy/extensions/health_checkers/redis/v3/redis.proto +shake256:bc7fad5e1d7ce4fef15a7f97c8d6f3e66f6601c90c4c987ee4b14457e84b0af1bc51015a816b5b0077924c2278a3e55df3b3682ed0e75d6988890b70febc8966 envoy/extensions/health_checkers/thrift/v3/thrift.proto +shake256:ff9835c6f498d4d3c8ff151878270548673fc15db88f48aaed4ae4c8c89baa1080e829fe8276d2b014fd83653fe04c52cdd9b2620fe8c88c456942bf0e96588e envoy/extensions/http/cache/file_system_http_cache/v3/file_system_http_cache.proto +shake256:15c5fe0f88d3faf64dd64ae8c4515a10bd20819565f23b202cfbf8e908cd252bb279458607dc0968e021728e44b716e819d802926956f41e91dd1cdc932e783a envoy/extensions/http/cache/simple_http_cache/v3/config.proto +shake256:df1206e2109fc9b8c5709f4ca2b97bee1b542246208dfade5d301f75f7c2465784191d253bfd96459324e467aed1de28e7af8b1940363ebce406534008fbd60a envoy/extensions/http/cache_v2/file_system_http_cache/v3/file_system_http_cache.proto +shake256:7a766c160b8106c34fe067b54d44f89736dc070bc115d8fe475172b262c98d33b717fe58c1561bfbe44f3fdd5856120c2583c7fc1b38d0099acc3dd6d5ef76c8 envoy/extensions/http/cache_v2/simple_http_cache/v3/config.proto +shake256:6f61959660cff32b12feab412ab5763c2ca598c7af8439e3de8ab409eee02d60f7424ae5368588ef48a6215290183bc718e582c18d46f04b3ce8e65d70dfff21 envoy/extensions/http/custom_response/local_response_policy/v3/local_response_policy.proto +shake256:4950afe9d63476b20e8bf7e1f474bfdf4e9f3dcfdffeb2e51cbdb84314bf18774b60751e5c756922e4356b5a7751b0177d09b344fec53b1183749dc96ff03196 envoy/extensions/http/custom_response/redirect_policy/v3/redirect_policy.proto 
+shake256:7f0e981a037ddd48e37e73f0f9dbe999ca911b4ae917b5ce06123a733bbc220bd5ef3308a7c3d3ebc64604a83c3349c06e12cabfcd64fd1a08c1260a81d1ad2e envoy/extensions/http/early_header_mutation/header_mutation/v3/header_mutation.proto +shake256:4e474273521f8df5a92019d315c4bc4435a04903b0de9fd31d8700d36c88e87058eb07dbeb966abb786d6969182e55c89d16771df219dfd6448f73a0fb01c682 envoy/extensions/http/ext_proc/processing_request_modifiers/mapped_attribute_builder/v3/mapped_attribute_builder.proto +shake256:c851fc9464f1389754d1246830fae57cb7caa2c3ea5904bb69e394a07cb0ce6e9459fa2499fdc619cf0acde50832b8cfe0198e4691a23023e95d12bc7a914269 envoy/extensions/http/ext_proc/response_processors/save_processing_response/v3/save_processing_response.proto +shake256:a181479f6dc29ac082a54cab8fb709f4bca39c35d1be062d830a211f03df0b549a2d18dc7eb2cdd34e6b4a6388959760a63225f012255b6ca285e6b28dfee5dc envoy/extensions/http/header_formatters/preserve_case/v3/preserve_case.proto +shake256:114aef732cbb5085916309eac9a199ad819ae7fd22780c959e71bb2c4fb739bb0dbb7357e884dd2879f6407df6158c298da830f0dfaa8a4cb7ea442fd1206f93 envoy/extensions/http/header_validators/envoy_default/v3/header_validator.proto +shake256:678bff6a6a4338b1448420ce629ec7d093dd5ce9c1f11ac247940ca93dbc3a91ef26fc38b8673606c8f52b74e55d5a857878ef3b46e5b3e10a75112450bfbcc3 envoy/extensions/http/injected_credentials/generic/v3/generic.proto +shake256:59d9350a541de8f92284737869e627928b411fee305ce1c0b4960a60f13f003f6dcf4463bbf658273fe8a974cb1444674c6bc399a146fc138fd5f9a4256c3d4e envoy/extensions/http/injected_credentials/oauth2/v3/oauth2.proto +shake256:97a7c1a7dbec726161b4b980259f51744f4839253f20752e51c31213c041d8109c85c29cae138e7d575ddc27f1edda599007802ebeaad57583b5f5c45b93a4ec envoy/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto +shake256:7019fbab61a8adb1bb613ffc714c741a043d90d5c8fe10f77d87d9e76882e2824bbe92b137736cbf32d17d79051056a7f02e6ccf57ee5e002356c4df121ad6a2 envoy/extensions/http/original_ip_detection/xff/v3/xff.proto 
+shake256:dc55ecb0f8715e8a44b37595950f7660c38048cc7f8c1ead8f859889b189c8a27b060357d6ca46069aa73566698d6180126288480df5780e1703a1acd71b67ad envoy/extensions/http/stateful_session/cookie/v3/cookie.proto +shake256:dec5e094a90a34c797d9a57d4ddc8c503bf62dbba0fdb84df509d681501b529932234730ff2083e4892fafdcc61ffb4a5e0b2ac72f91d45e14107c46be9ed9ca envoy/extensions/http/stateful_session/envelope/v3/envelope.proto +shake256:d65ef8c09d91ea81c580be40025e8d47304949e771c7703878c9401eb2890424cf3195259c57e36ccbafc723e4f2453d38b5cff55bca01d885dc9919753d6917 envoy/extensions/http/stateful_session/header/v3/header.proto +shake256:f4f40da154b91c5e812b9052ebb2f40e2a2197abcb0da08c06f80421907fe23fa51d2cdacce3c386013dee3e5012c333486f41c7482cfc8746e196b999762fa5 envoy/extensions/internal_redirect/allow_listed_routes/v3/allow_listed_routes_config.proto +shake256:3a0fe2dda37d6ef760596f9ef1217837d0ca6045f0b4e37c2bf79d3c9d3d2462fea787b78107a364b2d5dc20d05c5487b10b53e8b5bdcb95cf01848a07708ed2 envoy/extensions/internal_redirect/previous_routes/v3/previous_routes_config.proto +shake256:9bf7115b738e507c09777b248ae7fcdcffb7908769d316c479b6cc6a526deb0d599e6b9f9c7f64afb2d6b193f54aa1e7e7a846ffa73294386db4c4bf9adb6f12 envoy/extensions/internal_redirect/safe_cross_scheme/v3/safe_cross_scheme_config.proto +shake256:6a007316c0ee2726a32af18a23e61cdf8b129c7ebb01f3cf1e101b0a18c47e78d5f14c2584c84b23e58f6f52468be3b2c4c175bdc7fc2c53e2668afb8b8c5677 envoy/extensions/key_value/file_based/v3/config.proto +shake256:894ee44a49e973f8c2e094bfa3053351c0826c3da87d2f0f54d1d6c907892e49355a9437d0c938581bae75af5da62139bb562d43989ea7af85cc643cff01ac52 envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.proto +shake256:0116ad69672ab05cfdf0c0d476e470bb880db0a497883377aaad5d1bc443a590f27681c2abd73df2ca19de21d330a7de69c8be19e15e80fec3f257479a9c4a93 envoy/extensions/load_balancing_policies/cluster_provided/v3/cluster_provided.proto 
+shake256:87692495bfc4ebe3af7e717827ef318d02ea70d14321bdb6a752efb7b21fb7ea727e7c085cfbac1b698eab1506a9ac73b97ba663a8ddb5d1a24eea0dc07fd5c4 envoy/extensions/load_balancing_policies/common/v3/common.proto +shake256:25c22487c24a950f4300c5082e57ef5e5a965b863668b8f3dc9263a861f9505c8849013aca73a6fda9112fd19c6451400e3d225d620c315d673bfaea1bfaf168 envoy/extensions/load_balancing_policies/least_request/v3/least_request.proto +shake256:82b636496e8c69961fc462d5cd88bbde2493a146bb59458ae0b28842006ffa025388f9f604a014f145c236c938eecebab3ee64a2d77f83c4497e8009c7e955c2 envoy/extensions/load_balancing_policies/maglev/v3/maglev.proto +shake256:07b9ce71f7219bcc1d79957620a25c0896986b305f8139cc9a74d047e56e919af6596351ae2f887cc0f3c6b08802550affdde52eeb717be2c4b7c0f3b7accbba envoy/extensions/load_balancing_policies/override_host/v3/override_host.proto +shake256:d88e3d6952bc9827ef7e92790c4aa7bcddd81486f4a3162afe6c97e0ed3281b85e94cdecf5c4100d9d07a151ec6c0e0088641dcdf09d2e67d425ffb46907bd2a envoy/extensions/load_balancing_policies/pick_first/v3/pick_first.proto +shake256:14035bc49cef4a7e0d25930d409af20d8f74032a102a88953dc77b620205df625bcadfe69ec9881e73481b3b23bfcfbef1b87247460be38e68d749291af318df envoy/extensions/load_balancing_policies/random/v3/random.proto +shake256:056ea98f23a22a25955841d4606958174b1990f85452169d990a656b9fd06d8131521516969d1b0e21d6d6615e1b99e48d6795eaa1442b06f62d236b13d43c02 envoy/extensions/load_balancing_policies/random_subsetting/v3/random_subsetting.proto +shake256:6ef8080f4b9cc3d9766a69e26d789b16d149e6f0754b7f211038e2b657afe4560bcfe34fb2f2e025343c7017062a83642e6f3452c74838788c0b09cf25a7f56c envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.proto +shake256:691efa6e69d36bef31bd84c3002119e91a7ca7efaa60569ab0c18f4e78423f887086eb9db941806511d78bf6061c257c99fcb199b060c9beb7f4b1c5666aa8d3 envoy/extensions/load_balancing_policies/round_robin/v3/round_robin.proto 
+shake256:fa99fb6373f07bb327f4c8c0f0f8ab64c3a839ba4ad393c7fdb8d05056dda912fee08bf412db38d93348d23371fbc45c6f9d02c454563493a811b3979bdcabe5 envoy/extensions/load_balancing_policies/subset/v3/subset.proto +shake256:c866183a84e3031e4a37288a46498f7e38bb7b544267a8ccdcd7c4ba4e9f498aba720e36f94819ffa6d72fdf785aa4f7d16b3a5a4262a697634624976f92d793 envoy/extensions/load_balancing_policies/wrr_locality/v3/wrr_locality.proto +shake256:c0db1853e908e8135812c85e8a3a1a62c5c85e470976c46d8e9664b930f4c4aac87e4c4a81c4a8c514190efef87e2a92d80b763512663bbddcc13f5af9bd8608 envoy/extensions/local_address_selectors/filter_state_override/v3/config.proto +shake256:1e37d347ef665bbf89aa2437a21c2bdeb64e7a303eb2be072a786af97d4ba1d76063f1f2026e2fd2f3c22e542c4b0c8f319a6899108dfa2d959d5a229c73d656 envoy/extensions/matching/common_inputs/environment_variable/v3/input.proto +shake256:b22fb32e8f220cb821a316a53743bd76e1b451f2cd1ee36a8ddb9f3ff52f1f6d3ea9512edd7df45bba24f80b6af8b23de34793e48672ff2d384b675883aa5a7c envoy/extensions/matching/common_inputs/network/v3/network_inputs.proto +shake256:d227dc732d21538dabc1aebbda1423e1e7edcf9fc3815d7161a5f2451956ce6b7f0874150246a1128d8cd031d59f6f237df8d27624d44495eabce26326aa5f43 envoy/extensions/matching/common_inputs/ssl/v3/ssl_inputs.proto +shake256:5be0d34d2448031378eb44f676a6f51827f9d2d2546ab6df3b67c5c3da1011face37d508a8a0b95bdc4cce3abd94ea5f1fa591428646ff478a153466eae1494f envoy/extensions/matching/common_inputs/stats/v3/stats.proto +shake256:37161b50fb369c7d99d81420e78eb5528031cb8963387b21f3b16a346425d4a48cac4fa95d2398dd4a8556927c12a6af6b68d36b65c8babdda818d773cd3720f envoy/extensions/matching/common_inputs/transport_socket/v3/transport_socket_inputs.proto +shake256:c8ad4158166bc5d9552173149b76287d35e0f142457740a971d8d50a1a31ca154c5bac3aa8265d1abdf9cd0223643afa30db998c0e354f26ff66035b0fc617c9 envoy/extensions/matching/input_matchers/consistent_hashing/v3/consistent_hashing.proto 
+shake256:8f1301b6a4f15025967881d846e1866c0abd637f645202da0137196db618f307bb3be31429d6c841bf642556fbb0a8bf964ed90bb144ef921d062764444677e6 envoy/extensions/matching/input_matchers/ip/v3/ip.proto +shake256:10c52742299d0dc8b6eea424790a9f44c39f28b204d7ad0af6da35fc33d8a3f89154d42d769eb559aa0acc28a9e6fd896d2a6560fd95c91afe234d4e75636915 envoy/extensions/matching/input_matchers/metadata/v3/metadata.proto +shake256:88434c32dad5c61f6898371ff51de383160f36ee292c7b46983de2a4d54a0af20843221b52d8061759fa9b4767a387f4891c3d9aabc1bb4c56faa6d3e7a3345e envoy/extensions/matching/input_matchers/runtime_fraction/v3/runtime_fraction.proto +shake256:84fa5b00e53d153b1958f4cd8ec6ca9702f27208f44b546a259e3935d899d4d7cf80cda04664f71c289b33e3070ff7b37efb5a00170bef7945b3451bffc60330 envoy/extensions/network/dns_resolver/apple/v3/apple_dns_resolver.proto +shake256:f0a4d81196f500745a531f588d89c7622fe7d394cb4b967d4a12de27a8b9b9cbc84bfd0ba97446abf7d556c15a5071830c1599a7fe37028e9b5149c85afd7cce envoy/extensions/network/dns_resolver/cares/v3/cares_dns_resolver.proto +shake256:4c84314b7b487a19899212080e03bc56720f7a7bd9d2ea5bb5096b3afffbec2db6459fca8b4b919aa6ed7d5bd57947588cf58d5720d4a3818abf018c3ae42abb envoy/extensions/network/dns_resolver/getaddrinfo/v3/getaddrinfo_dns_resolver.proto +shake256:c4b373033fef9f58de1beaff37f5c835eecbc378b775d04d08147b3cbacbfc6629923f109eb754096604444c7791a43edbe0a15398843c7790a20aac6e82ae1c envoy/extensions/network/socket_interface/v3/default_socket_interface.proto +shake256:feee06cda1e05a53ff064f726ba892b2bdc07c192adcc50052818cb62ba1880cce1a559c352f35dc45eb275e8fd8fdde3602257ce4742d7485de67a77b6485ec envoy/extensions/outlier_detection_monitors/common/v3/error_types.proto +shake256:ef828f1761de1b5bcf19f71e99c4874d4b1e33475fe7ee3aa1c461d202afc3e4ff0ac4e3de52f4ef8c79f700ff481b6af3fa25084856e80a05b9181a9aecb701 envoy/extensions/outlier_detection_monitors/consecutive_errors/v3/consecutive_errors.proto 
+shake256:b59aa69fbb5a3fd019d0629969b596f1ef33d11c2db37b7167c80d49825c56ba11514538b5b5e18d9305862104bfd2ce2232b462a3632484756a12bdf3287943 envoy/extensions/path/match/uri_template/v3/uri_template_match.proto +shake256:4c14d13dd9e1e782b7a0dc85854642bfb2df4839adc50747cc71fa12c706d05a544208edeed5c5245f3506dfd83004a899d96d8fdf39dfe653382e92e8b6a3cf envoy/extensions/path/rewrite/uri_template/v3/uri_template_rewrite.proto +shake256:d77cca717af1b36b3af64c7621f965ee6eb7288b95939fe5c280e564f38faf46bbcd539a0eb8f535314f9cd2900e2db4b599e94bafacabc6dc4adf0618f3e548 envoy/extensions/quic/client_writer_factory/v3/default_client_writer.proto +shake256:f7680ea8269c00d0a1c18ee2f3af1e75f8dd2c000c5e8b943910b9d94929ab55ee5d987f52e72a9de04314d7b1067f32b720b754a90f86de61696b264851498e envoy/extensions/quic/connection_debug_visitor/quic_stats/v3/quic_stats.proto +shake256:1f74c6723791858d9dea2478140f942cd69348c0b3914dc9e8e0fdbeb37ceebdec52d13770018d4ef0b13b65bdf421da6211355bdfde5cfed9b71b4b20532c9a envoy/extensions/quic/connection_debug_visitor/v3/connection_debug_visitor_basic.proto +shake256:8a58afa18cfd1cbde48136072f331fe02420900d28cff068cca484cb2dff09f3b12409f8ba400ddd9452a4b355431eb52a493c17b870ddf9bd539c0ebd29de0e envoy/extensions/quic/connection_id_generator/quic_lb/v3/quic_lb.proto +shake256:b35b11e7deba787adcaa488361dce33d97804b1f276dcaa3c936a50dea030722b9d8707590b3d9e29093061ee67c6eac3ac1d107aa88d58a209d055674198b6a envoy/extensions/quic/connection_id_generator/v3/envoy_deterministic_connection_id_generator.proto +shake256:0d5c109aec1c8a34845c051213323cef13b8acb789a973993caab647c2015addd698e8b7d1df443e81dd966f198cf9029f3ad8e941b1308837d6e317212c2b43 envoy/extensions/quic/crypto_stream/v3/crypto_stream.proto +shake256:b81a6625d0afccd2d290f73787080f319dc2cbac737ff9f655a40d285847b80de77e5b4361d6f5208cb68e439517fccbed20d590e5ce2b47e5276f73a614764e envoy/extensions/quic/proof_source/v3/proof_source.proto 
+shake256:65be7ddec7f03e73203304f27b2dab6c0adb2f96bcf27859e458d1ee924c4cc13224b7b78b298e07baeedd9bfe26dcdb04c95e93363c32a34ae919edd722c46e envoy/extensions/quic/server_preferred_address/v3/datasource.proto +shake256:bd5330bdb3af2fdd0d6c19e7d2dea7f1f9f3a33b23b8abe7b3ce5e00986ce129e525839820b220d83a2778cce498c427cc8b81685d7e47fce1530bf3ec6e891b envoy/extensions/quic/server_preferred_address/v3/fixed_server_preferred_address_config.proto +shake256:2cb8ebd50ee8f7dbe73b59288a57e8ce66169d0cf29fc0eac26709c6284e36e54582383668fd57d81428187b36b4c2c551b5a4192091ad7d7e8afcae14550e78 envoy/extensions/rate_limit_descriptors/expr/v3/expr.proto +shake256:efefeef95cda09d43c21ea224d984c6164d9eda0b5c74dc3103bb2125bbd19f6296557896636464cb6df3ece2ec78f92554204f6c2e8d269cc3ee78ce8952891 envoy/extensions/rbac/audit_loggers/stream/v3/stream.proto +shake256:12e6aab5a6bb2b487e96b85d1df9a327e4915ee2990d1e5b335a5d02b5b5ab74ef3e5357fb7c01b07cecce676349c9023fdd5fdc3954ff85a32e67232ca01883 envoy/extensions/rbac/matchers/upstream_ip_port/v3/upstream_ip_port_matcher.proto +shake256:516e7d1e52f23285dc29da142505c4c5b1752e48f9fec69021cd8df1e163ed5a2c0be22dce9f050ce81f15e9ed3994403e598ef577fad62f829f6fc56206f1c1 envoy/extensions/rbac/principals/mtls_authenticated/v3/mtls_authenticated.proto +shake256:ed50a0a24b7ede925b68420c09fcd56b455eff0efa60a01082c77f61835ce52d988901474e3c3003545a1c8c16e6d97629f4d23e543d06041237fa650a8d0f5e envoy/extensions/regex_engines/v3/google_re2.proto +shake256:acedfc0d080637f91af6bd52396281588d2e7216106d9c0fe4db78bb876e85f60e5cb8da19952d04c610e0889f43e14c3074485c4886a7262c3d4cabf2b13435 envoy/extensions/request_id/uuid/v3/uuid.proto +shake256:298c4e17fc11e286b92291f710b2eda207d4bfbe91758e2f81ca934f7d1d1ceead2d96629922ca5764920e16f6b57e3ebb91a8ed7ecfe0cc214187d026e83c0a envoy/extensions/resource_monitors/cgroup_memory/v3/cgroup_memory.proto 
+shake256:f16bf9d750ade1919fe6da89224ba8951dedc35f291bb221ce5a69509caeb2b2b0c25b67e5ac580b9b7119efefe37cf900d978acbdc147470c8fbba3f326de15 envoy/extensions/resource_monitors/cpu_utilization/v3/cpu_utilization.proto +shake256:7f052f002d7e537933393a868929ec03b18b400819f44912c47f99a8fedfcad3dd11b77aeea43550e0ad5615384eb09f31ce8fc3db239543a1b92a6a003aa7d6 envoy/extensions/resource_monitors/downstream_connections/v3/downstream_connections.proto +shake256:12822650ee1addeed10c840b45b21a1578afff4ad262643364a5379a198fcf23dcb812e68cb8be40cea686ad0d4b6e575e1cd439a8ad5a261980f56e4b4f7ee4 envoy/extensions/resource_monitors/fixed_heap/v3/fixed_heap.proto +shake256:a99a18f73f95166d72f4daad65414723da4f3979be982e87e6a0e2e5f3a49dc5b0e49ff4f35c775aa48f3963d1522dfba66b7fddf1e13019b7503920fe7c0d62 envoy/extensions/resource_monitors/injected_resource/v3/injected_resource.proto +shake256:2d3237daa2aabf8c1379f7f16a5d10b87e41171a0eb5566e64b076fffd5725149040bae21fa5ce5fad3a244ac4118d9d90fa9b99219795648b3b39d2d85dacce envoy/extensions/retry/host/omit_canary_hosts/v3/omit_canary_hosts.proto +shake256:fbbab489437bd68a2d6dc6d762674947e94a5cbe005136ab35ac841b1ebc055df5aaf1c93e371cb4ff75dd84e9d5c13e8f581e87a2fc3ce70f84ba444abd4cde envoy/extensions/retry/host/omit_host_metadata/v3/omit_host_metadata_config.proto +shake256:541e01abca6919462a0d0cf1c85380321afbd0ad796915fa5734c13420603761ab956dfb51a4b1f9e3ed0658eb36f8e29f98e909044efc4998b5f0ac3187f895 envoy/extensions/retry/host/previous_hosts/v3/previous_hosts.proto +shake256:03777221093ecc5820256aa74fddbd488cbd21276dfb6f4155c379078d8070b1757464dfd3d657139733272d5f2308140af8fade16a491757156a9c96502d146 envoy/extensions/retry/priority/previous_priorities/v3/previous_priorities_config.proto +shake256:73aafa2c0d0ef67990969355e95643e8194dc84941666c70b9a1aeba1b4be20bbe8091825f496c26ec52f2f1ffd837abc2255b67f7e2a4a59a913beb20898b44 envoy/extensions/router/cluster_specifiers/lua/v3/lua.proto 
+shake256:69537d185104e9a65353c4103e9446f326e66207e18b54358d25f14660db77ce2a8a0a94d67d0b6efef5ad70a47174a259a61ba874b711062b1ff49f29bb37dd envoy/extensions/router/cluster_specifiers/matcher/v3/matcher.proto +shake256:baaef5b0dcd805f206a977806ecf55cd8785134085fa515bd3ddb848d3986d502fb8144bb0f6f06a11595c5444ff42da361497a4b70eeb21f1a8e0095b183c3b envoy/extensions/stat_sinks/graphite_statsd/v3/graphite_statsd.proto +shake256:689c6756c416364b43a239d885aed8e13d410aa5f2efdb60e5240f8e709925c29a1574bd32b3d5f7c4e663581ac0d69b00379cd8e2b29ed880483d0e4f2ac33c envoy/extensions/stat_sinks/open_telemetry/v3/open_telemetry.proto +shake256:af239d758d000d60037294ba32773a6c102bd1a2de6c685299e94f127f09445a72a9f88821459c921fae1e9f9fe71259a20334fe4e9a96ac98e8efd59c9a5d87 envoy/extensions/stat_sinks/wasm/v3/wasm.proto +shake256:d7f75c34e0b7f8789150ee0eb5b19e71db666175432858ae35a618e1ed1d11c22833a10b0b7dab072dace62c6128b14ba0c1aed987b36594e77a0d78c4fea8e8 envoy/extensions/string_matcher/lua/v3/lua.proto +shake256:6e72f2f15a05142e84506fe9c5e5a52365f4bc84a2832ff2920e05e5a770b8c065bfc548f30a152619c7d1089aa835cb82fb1180cc1ca1f9e4125ec5b9b6ce15 envoy/extensions/tracers/fluentd/v3/fluentd.proto +shake256:2dea78d980bdbcfd314655d85f68cdb80170b1a3a26689033ce3ab8d6b2323ee2f5f9ca431521c888046b1f67fe1b1df7e1b41e72a9525255a892647d03ba47e envoy/extensions/tracers/opentelemetry/resource_detectors/v3/dynatrace_resource_detector.proto +shake256:0b54ea2b09ad005e0f28e296f023999896dd1007d70b19359a8f771f82b222bf2987c8fbf517530c3f45e6a4319efc8aa63af3bad9659194a52854bfa39e7491 envoy/extensions/tracers/opentelemetry/resource_detectors/v3/environment_resource_detector.proto +shake256:5371f5be86060c954b6f8ff11aa8a8c8b2ef94175278fb84547bcfe1bce1496cbff48c324a90b2bc59a57f5d622bcd8be23f907252238be7e3cd391b241ffe18 envoy/extensions/tracers/opentelemetry/resource_detectors/v3/static_config_resource_detector.proto 
+shake256:d3ab1839e0d23b7027166b6e3c4ed1eb161268611607a79e8a0fe7c3d6ab5f744f66f925ea3390a6031fcd8aeae23c4711e4b5c8bcdc92cd8f4bb8bb8dc89dd2 envoy/extensions/tracers/opentelemetry/samplers/v3/always_on_sampler.proto +shake256:5cf81b0cf871e6a216da80ab14a9e98d6cf071015137f1ebe567f5710d7122832bce5e3eb9e99532ecbf4602248b7c3f995a48c09d48bad6cfed8958fc3b8145 envoy/extensions/tracers/opentelemetry/samplers/v3/cel_sampler.proto +shake256:265484879d7ae5d9a0bb600cce1741b0f6d64ae04be75e7ce927c771066a565c54e1d99758ed3f85a04b3d17dd087018ed6fa0c21f46f90c59fb2d1d4c50cc67 envoy/extensions/tracers/opentelemetry/samplers/v3/dynatrace_sampler.proto +shake256:541e1172fd525e99b287600e7a58bd7b2bc7e0eb07514d8cec74002aadbf0c5385f93bb2efa3ab1f80f98e009996bab83fbb3bca3a19dbd394153172960781f4 envoy/extensions/tracers/opentelemetry/samplers/v3/parent_based_sampler.proto +shake256:e4b240ec009feb9dc7a44a85a04f71753af28a2ca562c606283a22d87d2b8f96dd9898bd34655f72259ac17f177c3254ffcbafa87ede213ea3a9399aa541b716 envoy/extensions/tracers/opentelemetry/samplers/v3/trace_id_ratio_based_sampler.proto +shake256:5b0a26f3fef746f0134abbfb12488a75cb6f71f1fe32cb3010571df1c61a0cbd9c60dcd14f7518e5cab37b005ba0bb90a25f0e4c6d1095bcfc75046023720725 envoy/extensions/transport_sockets/alts/v3/alts.proto +shake256:c89926efa58f9b00f2eef628d75352686701d1e12b269de0ffba93f7649233152a576759931350ba542d7ab374ddb4a982e8a248be9bb2297ae096cf86149293 envoy/extensions/transport_sockets/http_11_proxy/v3/upstream_http_11_connect.proto +shake256:6acc101dff2f6d9dfd42d93835b7eaab9d899ce27194865d6daa1c171d12bbb277784d478d2f2810f1bba0cf84341f59c7271bf3435d6583d9b6ab8b074123fb envoy/extensions/transport_sockets/internal_upstream/v3/internal_upstream.proto +shake256:432449b6de25f852f1c6d8ebb4df1376dfa0042cfa816a7906cafa4739032b3f66f887a2d85fbc00c2e6fd948515acb3732d7be761bf2e9af2d1739dde866b91 envoy/extensions/transport_sockets/proxy_protocol/v3/upstream_proxy_protocol.proto 
+shake256:5c82678245095a18a9122648576780eb70221f36a71127ab80f6edd19b9c2316831b39b49848b5df74c31c208e4e16220772d4b0d8d47616ec718ed88f7edcab envoy/extensions/transport_sockets/quic/v3/quic_transport.proto +shake256:142e115afeaa6a4f0579552383c702b436bd640e359d05ad2617da6bad6044951b3d6ba0e9474fe34c2ac1e8d8468c0eb6417c4dcbef4317d24a694f65585af3 envoy/extensions/transport_sockets/raw_buffer/v3/raw_buffer.proto +shake256:655ebe077789126227c45261078f8d64dd0d989295108efcbc136d2b59a717c6b2a486289156584173a79a7d90cf9429b8d43154cb534cb1aa671eb6a3abda22 envoy/extensions/transport_sockets/s2a/v3/s2a.proto +shake256:b65431721a1a46acfdd0a792ff8b87e2aa557a27cc2e8db151f97d02da20a70f02cdc21ebf72656e165931fcdac08deb6e3075d4431fc4bba160d3a8455776d3 envoy/extensions/transport_sockets/starttls/v3/starttls.proto +shake256:b55ba8ad8802bf22c4a8110670ff402dc1d61dac65692b1d88e05d4ba9b937c0e7f9549c93127bf58a5d01deeb5d09d115fb2c9ddcb71aaf61aee0643e40fdc0 envoy/extensions/transport_sockets/tap/v3/tap.proto +shake256:2db6ce813ff15044dcf88785d43e388e2bb26d59cf4015c0630a6cad9a2439e82f8bd8c2b254c420745604abadf2da52ff4da9bb3c6dff6fd6431eb6417a88f3 envoy/extensions/transport_sockets/tcp_stats/v3/tcp_stats.proto +shake256:34211b28c5a19fa7da842985be337476e1bac2c0c5c71b81a5e3aa2e2d9a9aee72aa176897d0ac7cefda676c705ff47799f06efa85eab306eb0b0d616342e9f6 envoy/extensions/transport_sockets/tls/cert_mappers/sni/v3/config.proto +shake256:10eee635abc4bc9035d7c3fee3bf5459aff50302192c37f03fef2640149c4907e474b43bfbec062fba65b56ec84802dd546fd2e0052d9eb7f96f76857e43d667 envoy/extensions/transport_sockets/tls/cert_mappers/static_name/v3/config.proto +shake256:882661bb841648d59bb1f2acb187a340814f68ef6185cfa69dfe831ee21a826a7ecd8079ce8e511bf98598402649240a9459a17899ae8434aeed66f2c468e733 envoy/extensions/transport_sockets/tls/cert_selectors/on_demand_secret/v3/config.proto +shake256:70c3f79a8f5ada5334027f2ea99ebeee20e3dd431ef94d82eb096355a8aee3784a309eb588ce1f474844ba17fc17b0220fa2470b69908245d6b2ea3aef26c22a 
envoy/extensions/transport_sockets/tls/v3/cert.proto +shake256:e5c7d2878ae07f98b7b076de1060c76cae457efb0558322736cdc1139f8c38c3bbada85ae0efbe867f5e8aae201c82d0aadba8f88a4c217cfc315c96a4b1ea98 envoy/extensions/transport_sockets/tls/v3/common.proto +shake256:d541b64ff4c04ea5298fcf5208c8571980ce1a691fe5c2b86d8f0a94427160e244adb2381204e45d8d237864211281dbd0ab1bc6f48810625310c15af14fc509 envoy/extensions/transport_sockets/tls/v3/secret.proto +shake256:f6ab25059c8421c806ba9672ecac55c6d74fc37d4b102962632c85a088cfc621f4953537f7605b8fd27ddfd4d842d6ebdf6b6ade161ded40e9d625f94773c69e envoy/extensions/transport_sockets/tls/v3/tls.proto +shake256:ef69428a40297702fd453f6613f08e24a434f80a18b1cb7099ecf856ef9eaee3fa624afe50fd0c50f311ea91d070338d43f31ea8a0717bfee51f935d6170c47b envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto +shake256:5ed9430060ee0140165e8bb75940bc40dd565350df5c01e0f3e154b708e4d39ebd525fd439a64da2b8656d438a39da89fa5250b721b90f4a84ea1f682b33ce35 envoy/extensions/udp_packet_writer/v3/udp_default_writer_factory.proto +shake256:628eef9f3842581bfef3c63dcb967478ecbf486c3da4491eefa31814f8fcd4d782b9f5fe81454015dfb2762d447fa6561a05622a59d52d34b75591413fea6321 envoy/extensions/udp_packet_writer/v3/udp_gso_batch_writer_factory.proto +shake256:79f80278f4f4e33eb6864b817786b5305cc6ae0da122f53e426e567cea75b910af45ab9cb858c81a91553386afe0ba5f2b0bbd4d17f855b3cd219a0b08d1b4f4 envoy/extensions/upstreams/http/generic/v3/generic_connection_pool.proto +shake256:1bc3d5c62725d72b2b5959f92e15634cc579ed8e136a92532150f83c2481dd0e9f251fad8f969390d298a39b3d05cd33754c8ce9cd994a321a7da9a0e5e6adf5 envoy/extensions/upstreams/http/http/v3/http_connection_pool.proto +shake256:102e997c91c76da612869b2a666ffe2e554593d6c3bdd63a5bbc9ac70d1a0064346c9415fa2f74368db77b4c3be872636c2917899d9dd951d959ae52ae15176b envoy/extensions/upstreams/http/tcp/v3/tcp_connection_pool.proto 
+shake256:d56f95c23b4fd61618df5dccf70e260f07194b05638161cbfe7b1636aff5114d7e90b49660b32891f570dae71fd2484ac392716197e2dea6318c2f3ccb5ee951 envoy/extensions/upstreams/http/udp/v3/udp_connection_pool.proto +shake256:316dc86defec70a70aa1e5901c99751f3fdea7250983b5f790f4fafa96ab9f2658f2eeea685f9c5110e3db69d67560bcab9adcebad108e0d5d06871587e881e9 envoy/extensions/upstreams/http/v3/http_protocol_options.proto +shake256:622d6f175b2b12659fad78cd611c5393c3866f584985ff06c29e1ab8a4a4628ead7c2db69a6380c7debf88bae406747b39780d23afc07aa17e7687ad45761a20 envoy/extensions/upstreams/tcp/generic/v3/generic_connection_pool.proto +shake256:96f4fcb2c56df1b0b0ac3414449baf6774e2aa8969255016a23513e170fec1536a30b6b4739f314403d7d61f6d6c3c78a5751e3fe112a4f946d5b8e065bea1de envoy/extensions/upstreams/tcp/v3/tcp_protocol_options.proto +shake256:4383b785c7cf3c88d63153c5d841c7a5125c1a883789f36dd07b11434ad73ce8da5af9292b4a078e98101fb11769d14ba8a55b088f0fec67540d9a55364fde80 envoy/extensions/wasm/v3/wasm.proto +shake256:762e5a35ffa359e351715abcb4d10973dc3eb542f39faf50fb2fd1a69d747413e88c992e218bba253a5a57745a384e923a24bda721056db31c0b2a310f80ba44 envoy/extensions/watchdog/profile_action/v3/profile_action.proto +shake256:4996109c5c6ad7c4df245ff378f41569c9323f6691c2f02bf26e6ded7b6059aed8b5214deb18008cf4fdcc9dd12499f170c570d0381ffc656e6119bfdcbd7205 envoy/service/accesslog/v2/als.proto +shake256:f4a29b2899acf38dc693efa125c0434c56847ea1569b056df833528e5a0603b3f6a62df53b9cf40ec9aa06e30b4cef0688764d468a6eb8da3680e99897106a68 envoy/service/accesslog/v3/als.proto +shake256:a8b6784c472dbaa98f1f3fddd68a50f4dfed29af2c11e7cb0ff350275fdc4cf60b9bf9224c06766af0389b082af73d219cd4f494db207ab45fc88edd7c0ed909 envoy/service/auth/v2/attribute_context.proto +shake256:08a77da191422df68e2e2c432f597478b353b8d04455b618922e642f5938513fea27ec1950aa52acd3333b9d7d82be1035e3c0a253e5b97648cff309bcc8deef envoy/service/auth/v2/external_auth.proto 
+shake256:4eb4d2e4dd59617cf8ed6ba4d58661099422e8ede70006d905916dd5c60c660380fe977aa61f16361fe6d733c485c853c228dd5483dc4fd40ba7961e7319db8b envoy/service/auth/v2alpha/external_auth.proto +shake256:ef19b99ed5f32b4e64a0001c1fa08917f7ab7374852f3599be77864a113908dd7cfa5287be61aa838423b151fe7af3e8193f2569ca452807875b4a2836171aff envoy/service/auth/v3/attribute_context.proto +shake256:820d7943bb9e5754b8275f131b6ecab54f6ab7a3eb9d4276c04973ec75434b8a57cdbb329cbfd83549b7ab4e826c3255eb63b88fef390fb0011e62ed8f736032 envoy/service/auth/v3/external_auth.proto +shake256:2217dc6bf6933bed2e621b0a8a1f9a3ed3b77239591020eda87b0f592c3c00dbe299988b262029e022705549c0621b17dac6f1d320ff3a5dfc5aa07fcdea0e61 envoy/service/cluster/v3/cds.proto +shake256:c1370a13fe2e5e6b894233bb6432a0b8af8ddf1cf1078de0c750484b3055a78f7974a39fd6f1493d7ed485bcb0261715fa1be067c25f43e4f9469f48df8000da envoy/service/discovery/v2/ads.proto +shake256:ee52e1e4dacec7ff8d1a05136a89bdf7475eb1e6efaeb773f6e608a5f7d00379a3d4211d22a8ea82750a6eb36c8034522da5ab99007cef8c989d58a551717de1 envoy/service/discovery/v2/hds.proto +shake256:0318c755e701e782a34e6faa9e63ff5df3c75f4b8c7b78ed0648e1cd5fc815de826d24b1e9cf3908432c2023d3e6e2d7a3018ab2042be851fbfc1f81a82fc72d envoy/service/discovery/v2/rtds.proto +shake256:9d4cd9fdba3a202916bf6cff81d6eb2529974dc817135aaa900e859e678f9420b78821e80e6891bbde807a71bff8b5b7ceb4b3e31fb01a098d0ef252ec4d0832 envoy/service/discovery/v2/sds.proto +shake256:732ae86f43a83be70c45a2938b8d66e20bfc1abdab938a8705ad971039eaf5931dc9414c4e7299acf00c948e45afa5b1f16b70cffd4ce3e33775a88985a3ca97 envoy/service/discovery/v3/ads.proto +shake256:d0363f981b6164e21562c4686a479114fa780df94fce216e2796b71da32440ee994b4df3365f28dd16f6e029e25eb8aeca72e6437212f48613e617a6f0dddb35 envoy/service/discovery/v3/discovery.proto +shake256:e8a56f89e6931dfa885cfd8de54dc6f92ae0164e007d0e5f366dcc25705008c5e263f636be831687f270d531ae698f7350b91623f9a647a242e49cf6b15931fa envoy/service/endpoint/v3/eds.proto 
+shake256:416d8c86026458e77fe8ae3845a769f59e3845ef062b5dbe6288745598223e2a450d28cebbc3cd8c6bd07f9838dc836ae7a2193a5c4ba81b14b1ff7c66daa10c envoy/service/endpoint/v3/leds.proto +shake256:b5bf9e082c4ec76d09d874ea26f0f2f70c77bf64caf46de1f9533dc61155ad06da023d650ab6f030c67da25f10488b47caeea7ff20efbc574ab3ff749f7e15c7 envoy/service/event_reporting/v2alpha/event_reporting_service.proto +shake256:357a584bbb25276c4dc0262c69fdd6f44fd6eeb08d50a2c4f8cb1b9f2a16b10385df785ca42ae0ca173bf38aefe80b14572ebf939b97d46ee84688218e1ba920 envoy/service/event_reporting/v3/event_reporting_service.proto +shake256:5606420f7e0e3365e9bdaa012bb3380ef16ab399b2b010998c9524e73e3a2bf40e844ebb97cab1ad5ede1b84351ad026c49cf596865b4b3711b10e60fbd7f545 envoy/service/ext_proc/v3/external_processor.proto +shake256:8ed6ff32eba9f5a768ed19ffa70ed80227a7beca9ab61da117f3858af346fc3f5445d14aa839231c6d5c8a8a64988a1e3623a3a61132b0120fdfcfbf10a01bb6 envoy/service/extension/v3/config_discovery.proto +shake256:8dc8e6bba48aa83023d8af0412d52cebd600eab03b0561a5c1c26b0ee561058eb3e11edf4ece580c2c5b8360a28264dc47c3a9e496701f2c796515dce5ed80fb envoy/service/health/v3/hds.proto +shake256:b30e1a9c40bddf8c84bbeeba1c23d3a391a440e0900b1fc589032b29601f055913c7ccacca2e200c1e4db6cb1131d29bf36161e1dd2e54210a9285adce491076 envoy/service/listener/v3/lds.proto +shake256:e6295415f5e5c97db3d7a76bf1ff2fbadc3d0bbb9dc89560869e243b497c84c21b8b811984d03e2f05fde18c0be89b84f3c4961e1623eda41be9e0cc582eff27 envoy/service/load_stats/v2/lrs.proto +shake256:699477da8f3f972de622c6a2945200c249456c1544c0b5890be78007e6b2549e2e7cdea581b0b1648fa45ad472eae3ab70461eb9f05ea069127b8e0d18d4d531 envoy/service/load_stats/v3/lrs.proto +shake256:b449e325335c4a27aaffffee78cd8efd0dc7f341590c6960ca3fc0820cd6c16cd43f600f602b4e505c0bef8ff96397b80fe3483315cb7ab0e8715c7a09f04e3f envoy/service/metrics/v2/metrics_service.proto +shake256:91f3b9e83028d2470ea9cdd586cc834f7e849b3ce3c1deac251fcbcbb7d1384e671a094596c6782563a3a3d2745da8e4a2aab0be31f980968a9a7a7208a8b9b2 
envoy/service/metrics/v3/metrics_service.proto +shake256:8bd5e085a8a4d58e707005ccc2150b5e4ba95ee45625ee96156e4daa0b9c5e95204c74ea56fcf7f4ee6d28471cb4adcd6b55501c53f4432360641b19f6c3adb5 envoy/service/network_ext_proc/v3/network_external_processor.proto +shake256:4134d14b8efd20d58f826e9849d6e53b2d3ac7242560d367b7abc6d2a7ee155135e112da7a9bd738e5ebb22180c4bdbad8071c9c9574e945897bf6a608c7260d envoy/service/rate_limit_quota/v3/rlqs.proto +shake256:d2ae1ae11068ba99047618b4f3355c6c63b0cadb7f2b92b62ecaa418d6012a7bd2590ffd8ac4f1d30b9586b3eec6d14a8dacf67d7f4edf7f3946eb606609f962 envoy/service/ratelimit/v2/rls.proto +shake256:9641a91435e6e6b8c64e8e68adb42c0ce592170cc68972d4724169361766892b4d2a00b16e4dc9a2863d7b4d05ff1ebd27e820622355d2de4f5d09b7d71983ef envoy/service/ratelimit/v3/rls.proto +shake256:216d9b8b599926c745c66f9213c7158da4d4578f3a014d92900ba387032b086041bf6ecb1335a93d113fa08c10fc5d7f0601f5d13977d11e718820a5f9e30d15 envoy/service/redis_auth/v3/redis_external_auth.proto +shake256:d8c032e24b649e9bcd34a34c1aa7a3301636cac0d28ba8f2f66bf913f4020518c7147c5258ae7456b2c2a9098238e7d348682e510eec4b22b89ef0a6083b97ee envoy/service/route/v3/rds.proto +shake256:851029f814d9f06c8ddce15d14758f3b6bd3a12fc22f94abddb181a557e345053c6d99cef3f5fe00629e1c9880c606a677b3e146a0bc416e771eb63a32928c30 envoy/service/route/v3/srds.proto +shake256:bc3b113db998b71b675b735aacef60a5a44c4e5b4ae806c3451609adaa29d1abde505591df5e59afa71256aaadd47954750fc8d52b23dfb1a77b14a979e3195c envoy/service/runtime/v3/rtds.proto +shake256:224273be92cff332779fbc3c4cc05e9d896f07f7399755eaef09d4393c823c1417db21551aba27d8d638e9d2c5b2faa0ec7be818a80f669bf0bb3f2c050f3bf5 envoy/service/secret/v3/sds.proto +shake256:2e52093226a25dcfa49f732d9eb94d4e0cf45ea33ffaba69d33e237e1b3b57a1c09125dfe84aea26cf027949c665e65a1e0c3816a0f7632bfc1a27e60164afa1 envoy/service/status/v2/csds.proto +shake256:ac4a57cb2f25fbfce2a8daef2546317e33d09d8162447b82d56491df84b4847880ea6fa7048a0d82380191fced4f1caa1490773c8584aac1251b274429a8335b 
envoy/service/status/v3/csds.proto +shake256:8c3cdd75a9d29c3cab6409ef44c6560d04b701a5fbb750110a3c690cceed6579eebfa31ba1d3c24220fd30311fc3b1fc71382fd75b87617289584cb89614a8af envoy/service/tap/v2alpha/common.proto +shake256:9238348d1c026eaae1bbcb2eaf891214f11caa40506ac196f09635cef0d600b3fff85c7940f470bdfd0c77ede8b043bd595ef40fb49ef1d570d09b974ae3aee8 envoy/service/tap/v2alpha/tap.proto +shake256:7b68954434433606940c6fa3e32b470dfd6bd645d00e45d70292b0590be710452082946dd19eeaed41fe1a01395c093b0b2c5d5b4b5d25d8ed3d758b854dc629 envoy/service/tap/v3/tap.proto +shake256:690a4716c9c4c5360fc02c82ae8293203c13be4e1134f4d0cc335d6a5da7215b3c0d5448c04926e3e06a790c0a4d012054fff23ac609209e9c1cc3c2a32319ec envoy/type/hash_policy.proto +shake256:d19e024e24adeec5f0b76401119a091029122e4ac3f8a3294b47dca1ec8f8f65ae752c85d68375097421fdd0a5d5cb795603e2d721c5be802b8425f2ffae6755 envoy/type/http.proto +shake256:f6c1ee6c7e0835c3eb5f79a4b6c82fe6cc0875db25649420b9b074f0de7457c89892acc979e2fc37a5ee1b46f441635d19ed243505f0fe47c67ab56472d02474 envoy/type/http/v3/cookie.proto +shake256:0ae546ed47fc0e7f7067fe017de48efd5de4d88d4aa1fa4df6b9eaa51531830675076ff50f13011b4e5d1244aefaa3475e4102f25c9c07fe5fd4f93cdc1e9f92 envoy/type/http/v3/path_transformation.proto +shake256:9809a923db1af1a7ddc5ce050f7cdb9161e42b486765f9dc4c278ca55245897e524ece578d9200cbc16e5dc558b6e62ae0ad9bbbb28f0256444977007d125bf6 envoy/type/http_status.proto +shake256:c72973b0f8238dcde807395ef1b3722004a0fdd34c3e08118914285246babaa837ab4e1614f9a1cbeb93d3d8942f316bc870fc9d40afd1df9f4e08362694a784 envoy/type/matcher/metadata.proto +shake256:4a704a75f9c4816bfa4ab17ae4e9672b1b7e2e5a89177d4413ec3c13296e02918fc511aea1ca3e67bd4927691065b038392f5f6370780b78bb0b3c4fdc77e4b4 envoy/type/matcher/node.proto +shake256:0f00d2d7c167ff88b003036b0cc735fa7d839ab1a914fa03e38f9e67f8fc010fc50b7e743322141d3932169ed51fea1481af7bf5494ba47bb8793d932fba51d0 envoy/type/matcher/number.proto 
+shake256:4b05ff8e5ecf96d4a5fe628207d9ebf496207b03bdf7a4ca919821744ca76c715799b5f9bfad2caa1dce7d9d1941cc89fa84272603bf7081200f4ba059a7cdba envoy/type/matcher/path.proto +shake256:f64d77676fe9afb578981a25087575bd5473a0339bf128c008b266f89eeafe4615208e0ff2f3b82f9a3a77152c7f8ce49adf14fddd1c52e67362b44a3ab464cd envoy/type/matcher/regex.proto +shake256:cbd2eeb817c033f1083f650aa40e899eccbd5fb928901b2b7d00090a3255adfd14ee71f696ee01cd5db9ea298c9dd1a080ec578d94cdfaa0326b0cc014bcba63 envoy/type/matcher/string.proto +shake256:839ad15eb02acdb2dae9af33fa54e09d1681db3309c2cc28a5a83ab7490f8881d34487caa3e13c1cb2a10749f5f8d7c3c0ae43a69c2c1a9e6c11e0f91ef0834c envoy/type/matcher/struct.proto +shake256:b8aeb0435ab80c4f331ede8ee6367cf5eb25df2219c291e177b1be3dae38269671d7d2c2855e045c88058f0e973fdd447875a154228148abb5f00e94f4c47281 envoy/type/matcher/v3/address.proto +shake256:368384c1f18c40e250a3c223bad867c16c2171e4f3e81dc0e64f95ab0ac8ffa138e3615f975ff473c19ac9cc1de304ce6de23935424d7246b15449a70c8a1f55 envoy/type/matcher/v3/filter_state.proto +shake256:5f019ed81965c01108460610edac0725a6870e0fb85ffd2a1f64af152acb81e1333c24ae15f1c4aef42584271bac8bc6b70e1101ecbcaea42bce4661ed61604f envoy/type/matcher/v3/http_inputs.proto +shake256:125f10e793bed8cf67953b7f5509561afaf62088e12d3e09e386e745a351a7c907684a4978bf06333d9016ca027f19f4dda33385651c8ddefabf97f5809324c6 envoy/type/matcher/v3/metadata.proto +shake256:80fa673ba90f13a4986f6e6119784a9c59c841826227c38ed3ff837bd8213e9cb9a831a890f524b01f180664bbc8318ba8ecc52f7ef10fef2e5c55024681fca0 envoy/type/matcher/v3/node.proto +shake256:5cdefb24c00ba89be1cfd0ff3f0d1e191b0679d13a1dbaef9fcf16075c0d8d5e4f29ee460c29514b12074b53343198695873edacd165261d7ccccd4a4f590acb envoy/type/matcher/v3/number.proto +shake256:6332bfd31883dd3f0adb9cf32312f33ed4405ad8c371f60d6c325b8c7ca490760c0900c78c141b38b46d042b8155f141cefad9a6b3575f8a218ac653b8c4158a envoy/type/matcher/v3/path.proto 
+shake256:e34e7701305faf83076adebc1d9369573633e627a0e88a9c53fea1ab24a0e2dd400fd6772d75babdcac0174f54562e006792d65bf9c36565453b229ef02e0ad5 envoy/type/matcher/v3/regex.proto +shake256:262bde80e71fe6a168dd1b6a9ee1d1b27d3bbfe0e9e1e91129921cc0732f28380f5bb1cb18c041c29d57c93848b8c2ce35a16b0d4428d4df4e044c0fd6624bf0 envoy/type/matcher/v3/status_code_input.proto +shake256:5fddb73ab97242cae4a7799462d4ff64408489e07cbf4443cb5409f4cb666c8aa5165bafde373670a5db0084f80cca5797b63aba31f893174715e3be15c1dab5 envoy/type/matcher/v3/string.proto +shake256:0f38a58bd6eeba1aa88f3a5abdac8668f2540c620fcff2170763d93a5f764ef6694c0630c311d919fd8bc89735a5effcf50ac43fa77b2073392eaa206dcf501a envoy/type/matcher/v3/struct.proto +shake256:ad88cc2e97d5cd12d8392a43fa42460b65a2a3b23825c4e14ef43fa2f559eba6fb9fa12e9d07072fb67fd3c15db9339ce70bcdd1e88476a0864441e122395bab envoy/type/matcher/v3/value.proto +shake256:2894818b159d82e436454b897303459c693593507e5ddfd71291a3aafd6f5e5ff829b72738d56910423f1f06c8712d6c0968db606d275420b4ff2d333d7e8b34 envoy/type/matcher/value.proto +shake256:c61a778022e769b7b86a6f2cf3311fa799234b4b8e8ca8645031605c6c6879b72dfef9928703ec02fdd24618b3afe1adcd0524d60af763d35dfb0c81c7c08c4b envoy/type/metadata/v2/metadata.proto +shake256:35ee01ad69132a5e671569227885b005ffee1364d7c60a3ebbf8c630872d444446d0bd4c964168d2d81d91806800ebdcfaa0b18a79dd436725295d0d9842fcaa envoy/type/metadata/v3/metadata.proto +shake256:ddfe76d43d5adbe5f2cbab06d966d142799b6cda620586672398c31f0ce34c0573112c6c55d9bc01e71782626d3808ad13f7c9ec79b00b430e3c77b788903156 envoy/type/percent.proto +shake256:17b206d1bff0fd1139d6be415b51e54947515ebbaf3ef6cefbe3849d2038eada9ff6bf7b1297066f624711966a9637ff3e78086274a5209f9d053c4ed7e04a6b envoy/type/range.proto +shake256:161720c94d007dfc3bd529c5a702119b85ba308622708caa6f942415e70c5df4615d58692574fcc217f07c11556c64982d94408ca3a1f78659dccbb96f31e8ff envoy/type/semantic_version.proto 
+shake256:b135fdd513959ff7a4e66d9935e9cb29f5ddeb4fca8e2e342fcf382c6f8e850126491d37a6ef8e234713490e4e95e8ed8d043399fce783d0398652f3c8af0667 envoy/type/token_bucket.proto +shake256:d201238906946214da41f85403023182139eb36c964414993bb659243aded648f4988b0a16875a6ee6e1e0bb1211a2c86a85b416cad62d4d00417a69fcca5d85 envoy/type/tracing/v2/custom_tag.proto +shake256:5d1365c2a15eac67472851d97a23e17d24470ae21d04f87d9daf23a968cf1c85e76bae0aacfbee7e22d0fc57e8d0ab2185c3c3bb797087a5755ec577410483f0 envoy/type/tracing/v3/custom_tag.proto +shake256:884e6803443363459542a1df859f5172ebdf5cae23fba2b2695a471af539c472d410bae54566813d865f05e079978a26c3406e174bc4076aed578ee6b690f5a1 envoy/type/v3/hash_policy.proto +shake256:406e55d1c3c28926cdcec7950f4e1ddac8f71fe9524f26df66e5f04e865b7fe37ec881c2c2ea96ee5928856a4f07ffc8b05e95a9987b99edc58ca8bf01668c04 envoy/type/v3/http.proto +shake256:d202ec6e99b45a8e9a5671718b070c368e6a5067194ab1c73da32705d28d45802db75994b6e5fb938b9bf4bd2eff59d52dddc8797e085ee99ca6a8d6db475de8 envoy/type/v3/http_status.proto +shake256:93083c00b1962447c795b3c85e8f291fb8fe80688209e48f07f1924b717fed0f76daac681f35b9da6f8719e77156feaf858694e8181df4174e450b46d499a478 envoy/type/v3/percent.proto +shake256:2a803a46ac7d02d32b5208db241509bda30e370014f07f211863e6086ac7ff1ae0cb1966cd60a32ca0cfed5aa2f35415cf676ea8c4120e0fd6fec7ad5dda2bfa envoy/type/v3/range.proto +shake256:e6fddcc8548f308a8bbc564bf1e302e640c95e2c1089a91891eac9711084b3d6b0d69341d9d9bbf7b49f485768df4b6454fb8778d3a76b7a732e0107b2e2b1b6 envoy/type/v3/ratelimit_strategy.proto +shake256:927bc95f9752bc98d44dac7bd56fc63f2e8fd8d8d4416704c396f5b4480c2f5d07ecb0b431050d0f9dc76af34d05731c18a28e62853a4787a9f0e95ca94891a2 envoy/type/v3/ratelimit_unit.proto +shake256:e802325fe5d940c76aab0881202db793985b6b26cbbe58d478363f1145a0c68b400754bd7b96d589d6a441a8f4a8eef8edb2409a202b0ee288818f0db3bcb726 envoy/type/v3/semantic_version.proto 
+shake256:cdd6fe9a656c7bde8194e9107f48f520b6f73ad7bc8a01b61df2fc56a9a79a09338503cbbcf457e0a9ec23b069851eb6deac656ba2ef31ef19bcc0b5b7fdb69d envoy/type/v3/token_bucket.proto +shake256:b85a6a8a18ed14fd96fa1d81be0f8d40a5f1a873f7dee40f037c004f5d77b5930dbbb9058bceee6ea5a1679cbec098795d13a261aa13afaf4d7e6b29fd7d19fb envoy/watchdog/v3/abort_action.proto diff --git a/modules/sync/envoyproxy/envoy/cas/208e15cc704c30a3a37f03fd72c98eed16c47e31e653e12c4c3829bd1a7746757da98ec919f2fd034972bed671e50690f6e302a68f6d1fe850d395bb99fed659 b/modules/sync/envoyproxy/envoy/cas/208e15cc704c30a3a37f03fd72c98eed16c47e31e653e12c4c3829bd1a7746757da98ec919f2fd034972bed671e50690f6e302a68f6d1fe850d395bb99fed659 new file mode 100644 index 00000000..9200ae94 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/208e15cc704c30a3a37f03fd72c98eed16c47e31e653e12c4c3829bd1a7746757da98ec919f2fd034972bed671e50690f6e302a68f6d1fe850d395bb99fed659 
@@ -0,0 +1,102 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.aws_lambda.v3;
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.aws_lambda.v3";
+option java_outer_classname = "AwsLambdaProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/aws_lambda/v3;aws_lambdav3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: AWS Lambda]
+// AWS Lambda :ref:`configuration overview `.
+// [#extension: envoy.filters.http.aws_lambda]
+
+// AWS Lambda filter config
+// [#next-free-field: 7]
+message Config {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.http.aws_lambda.v2alpha.Config";
+
+ enum InvocationMode {
+ // This is the more common mode of invocation, in which Lambda responds after it has completed the function. In
+ // this mode the output of the Lambda function becomes the response of the HTTP request.
+ SYNCHRONOUS = 0;
+
+ // In this mode Lambda responds immediately but continues to process the function asynchronously. This mode can be
+ // used to signal events for example. In this mode, Lambda responds with an acknowledgment that it received the
+ // call which is translated to an HTTP 200 OK by the filter.
+ ASYNCHRONOUS = 1;
+ }
+
+ // The ARN of the AWS Lambda to invoke when the filter is engaged
+ // Must be in the following format:
+ // arn::lambda:::function:
+ string arn = 1 [(validate.rules).string = {min_len: 1}];
+
+ // Whether to transform the request (headers and body) to a JSON payload or pass it as is.
+ bool payload_passthrough = 2;
+
+ // Determines the way to invoke the Lambda function.
+ InvocationMode invocation_mode = 3 [(validate.rules).enum = {defined_only: true}];
+
+ // Indicates that before signing headers, the host header will be swapped with
+ // this value. If not set or empty, the original host header value
+ // will be used and no rewrite will happen.
+ //
+ // .. note::
+ // This rewrite affects both signing and host header forwarding. However, this
+ // option shouldn't be used with
+ // :ref:`HCM host rewrite ` given that the
+ // value set here would be used for signing whereas the value set in the HCM would be used
+ // for host header forwarding which is not the desired outcome.
+ //
+ // Changing the value of the host header can result in a different route to be selected
+ // if an HTTP filter after AWS lambda re-evaluates the route (clears route cache).
+ string host_rewrite = 4;
+
+ // Specifies the credentials profile to be used from the AWS credentials file.
+ // This parameter is optional. If set, it will override the value set in the AWS_PROFILE env variable and
+ // the provider chain is limited to the AWS credentials file Provider.
+ // If credentials configuration is provided, this configuration will be ignored.
+ // If this field is provided, then the default providers chain specified in the documentation will be ignored.
+ // (See :ref:`default credentials providers `).
+ string credentials_profile = 5;
+
+ // Specifies the credentials to be used. This parameter is optional and if it is set,
+ // it will override other providers and will take precedence over credentials_profile.
+ // The provider chain is limited to the configuration credentials provider.
+ // If this field is provided, then the default providers chain specified in the documentation will be ignored.
+ // (See :ref:`default credentials providers `).
+ //
+ // .. warning::
+ // Distributing the AWS credentials via this configuration should not be done in production.
+ Credentials credentials = 6;
+}
+
+// AWS Lambda Credentials config.
+message Credentials {
+ // AWS access key id.
+ string access_key_id = 1 [(validate.rules).string = {min_len: 1}];
+
+ // AWS secret access key.
+ string secret_access_key = 2 [(validate.rules).string = {min_len: 1}];
+
+ // AWS session token.
+ // This parameter is optional. If it is set to empty string it will not be consider in the request.
+ // It is required if temporary security credentials retrieved directly from AWS STS operations are used.
+ string session_token = 3;
+}
+
+// Per-route configuration for AWS Lambda. This can be useful when invoking a different Lambda function or a different
+// version of the same Lambda depending on the route.
+message PerRouteConfig {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.http.aws_lambda.v2alpha.PerRouteConfig";
+
+ Config invoke_config = 1;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/270a2e5b4b151c02c49ec87874d7fa8a2e2dddef86063a6fea58695044f1972043a9392d7d450a75981dccc38b43da984d68aa9a2c4530afdd9c538c095c8fd9 b/modules/sync/envoyproxy/envoy/cas/270a2e5b4b151c02c49ec87874d7fa8a2e2dddef86063a6fea58695044f1972043a9392d7d450a75981dccc38b43da984d68aa9a2c4530afdd9c538c095c8fd9
new file mode 100644
index 00000000..c208a58f
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/270a2e5b4b151c02c49ec87874d7fa8a2e2dddef86063a6fea58695044f1972043a9392d7d450a75981dccc38b43da984d68aa9a2c4530afdd9c538c095c8fd9
@@ -0,0 +1,108 @@
+syntax = "proto3";
+
+package envoy.config.listener.v3;
+
+import "envoy/config/core/v3/base.proto";
+import "envoy/config/core/v3/extension.proto";
+import "envoy/config/core/v3/protocol.proto";
+import "envoy/config/core/v3/socket_cmsg_headers.proto";
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/wrappers.proto";
+
+import "xds/annotations/v3/status.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.config.listener.v3";
+option java_outer_classname = "QuicConfigProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3;listenerv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: QUIC listener config]
+
+// Configuration specific to the UDP QUIC listener.
+// [#next-free-field: 15]
+message QuicProtocolOptions {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.listener.QuicProtocolOptions";
+
+ core.v3.QuicProtocolOptions quic_protocol_options = 1;
+
+ // Maximum number of milliseconds that connection will be alive when there is
+ // no network activity.
+ //
+ // If it is less than 1ms, Envoy will use 1ms. 300000ms if not specified.
+ google.protobuf.Duration idle_timeout = 2;
+
+ // Connection timeout in milliseconds before the crypto handshake is finished.
+ //
+ // If it is less than 5000ms, Envoy will use 5000ms. 20000ms if not specified.
+ google.protobuf.Duration crypto_handshake_timeout = 3;
+
+ // Runtime flag that controls whether the listener is enabled or not. If not specified, defaults
+ // to enabled.
+ core.v3.RuntimeFeatureFlag enabled = 4;
+
+ // A multiplier to number of connections which is used to determine how many packets to read per
+ // event loop.
A reasonable number should allow the listener to process enough payload but not
+ // starve TCP and other UDP sockets and also prevent long event loop duration.
+ // The default value is 32. This means if there are N QUIC connections, the total number of
+ // packets to read in each read event will be 32 * N.
+ // The actual number of packets to read in total by the UDP listener is also
+ // bound by 6000, regardless of this field or how many connections there are.
+ google.protobuf.UInt32Value packets_to_read_to_connection_count_ratio = 5
+ [(validate.rules).uint32 = {gte: 1}];
+
+ // Configure which implementation of ``quic::QuicCryptoClientStreamBase`` to be used for this listener.
+ // If not specified the :ref:`QUICHE default one configured by ` will be used.
+ // [#extension-category: envoy.quic.server.crypto_stream]
+ core.v3.TypedExtensionConfig crypto_stream_config = 6;
+
+ // Configure which implementation of ``quic::ProofSource`` to be used for this listener.
+ // If not specified the :ref:`default one configured by ` will be used.
+ // [#extension-category: envoy.quic.proof_source]
+ core.v3.TypedExtensionConfig proof_source_config = 7;
+
+ // Config which implementation of ``quic::ConnectionIdGeneratorInterface`` to be used for this listener.
+ // If not specified the :ref:`default one configured by ` will be used.
+ // [#extension-category: envoy.quic.connection_id_generator]
+ core.v3.TypedExtensionConfig connection_id_generator_config = 8;
+
+ // Configure the server's preferred address to advertise so that client can migrate to it. See :ref:`example ` which configures a pair of v4 and v6 preferred addresses.
+ // The current QUICHE implementation will advertise only one of the preferred IPv4 and IPv6 addresses based on the address family the client initially connects with.
+ // If not specified, Envoy will not advertise any server's preferred address.
+ // [#extension-category: envoy.quic.server_preferred_address]
+ core.v3.TypedExtensionConfig server_preferred_address_config = 9
+ [(xds.annotations.v3.field_status).work_in_progress = true];
+
+ // Configure the server to send transport parameter `disable_active_migration `_.
+ // Defaults to false (do not send this transport parameter).
+ google.protobuf.BoolValue send_disable_active_migration = 10;
+
+ // Configure which implementation of ``quic::QuicConnectionDebugVisitor`` to be used for this listener.
+ // If not specified, no debug visitor will be attached to connections.
+ // [#extension-category: envoy.quic.connection_debug_visitor]
+ core.v3.TypedExtensionConfig connection_debug_visitor_config = 11;
+
+ // Configure a type of UDP cmsg to pass to listener filters via QuicReceivedPacket.
+ // Both level and type must be specified for cmsg to be saved.
+ // Cmsg may be truncated or omitted if expected size is not set.
+ // If not specified, no cmsg will be saved to QuicReceivedPacket.
+ repeated core.v3.SocketCmsgHeaders save_cmsg_config = 12
+ [(validate.rules).repeated = {max_items: 1}];
+
+ // If true, the listener will reject connection-establishing packets at the
+ // QUIC layer by replying with an empty version negotiation packet to the
+ // client.
+ bool reject_new_connections = 13;
+
+ // Maximum number of QUIC sessions to create per event loop.
+ // If not specified, the default value is 16.
+ // This is an equivalent of the TCP listener option
+ // max_connections_to_accept_per_socket_event.
+ google.protobuf.UInt32Value max_sessions_per_event_loop = 14 [(validate.rules).uint32 = {gt: 0}];
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/27e7ea433e4e41e8bf8bee95418d6cad45942674cea4f325f7888bd75ca5851a678f728c72fd13140659fef678d15c1d1b6303c31512879253f2f3339d4d46c0 b/modules/sync/envoyproxy/envoy/cas/27e7ea433e4e41e8bf8bee95418d6cad45942674cea4f325f7888bd75ca5851a678f728c72fd13140659fef678d15c1d1b6303c31512879253f2f3339d4d46c0
new file mode 100644
index 00000000..778b2ca2
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/27e7ea433e4e41e8bf8bee95418d6cad45942674cea4f325f7888bd75ca5851a678f728c72fd13140659fef678d15c1d1b6303c31512879253f2f3339d4d46c0
@@ -0,0 +1,152 @@ +syntax = "proto3"; + +package envoy.extensions.geoip_providers.common.v3; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.geoip_providers.common.v3"; +option java_outer_classname = "CommonProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/geoip_providers/common/v3;commonv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Common Geolocation Provider Configuration] +// Common geolocation provider :ref:`configuration overview `. +// Common configuration shared across geolocation providers. + +message CommonGeoipProviderConfig { + // The set of geolocation headers to add to request. If any of the configured headers is present + // in the incoming request, it will be overridden by the :ref:`HTTP GeoIP filter `. + // [#next-free-field: 13] + // + // .. attention:: + // This field is deprecated in favor of :ref:`geo_field_keys + // `. + message GeolocationHeadersToAdd { + // If set, the header will be used to populate the country ISO code associated with the IP address. + string country = 1 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // If set, the header will be used to populate the city associated with the IP address. + string city = 2 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // If set, the header will be used to populate the region ISO code associated with the IP address. + // The least specific subdivision will be selected as the region value. + string region = 3 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // If set, the header will be used to populate the ASN associated with the IP address. 
+ string asn = 4 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // This field is deprecated; use ``anon`` instead. + string is_anon = 5 [ + deprecated = true, + (validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}, + (envoy.annotations.deprecated_at_minor_version) = "3.0" + ]; + + // If set, the IP address will be checked if it belongs to any type of anonymization network (e.g., VPN, public proxy). + // The header will be populated with the check result. Header value will be set to either ``true`` or ``false`` depending on the check result. + string anon = 12 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // If set, the IP address will be checked if it belongs to a VPN and the header will be populated with the check result. + // Header value will be set to either ``true`` or ``false`` depending on the check result. + string anon_vpn = 6 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // If set, the IP address will be checked if it belongs to a hosting provider and the header will be populated with the check result. + // Header value will be set to either ``true`` or ``false`` depending on the check result. + string anon_hosting = 7 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // If set, the IP address will be checked if it belongs to a TOR exit node and the header will be populated with the check result. + // Header value will be set to either ``true`` or ``false`` depending on the check result. + string anon_tor = 8 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // If set, the IP address will be checked if it belongs to a public proxy and the header will be populated with the check result. + // Header value will be set to either ``true`` or ``false`` depending on the check result. 
+ string anon_proxy = 9 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // If set, the header will be used to populate the ISP associated with the IP address. + string isp = 10 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // If set, the IP address will be checked if it belongs to the ISP named iCloud Private Relay and the header will be populated with the check result. + // Header value will be set to either ``true`` or ``false`` depending on the check result. + string apple_private_relay = 11 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + } + + // The set of geolocation field keys to use for storing lookup results. + // These keys define how the geolocation lookup results will be stored. The actual storage + // mechanism depends on the filter using the provider: + // + // - The :ref:`HTTP GeoIP filter ` stores results as HTTP request headers. + // - The :ref:`Network GeoIP filter ` stores results in the + // connection's filter state under the well-known key ``envoy.geoip``. + // + // [#next-free-field: 12] + message GeolocationFieldKeys { + // If set, the key will be used to populate the country ISO code associated with the IP address. + string country = 1; + + // If set, the key will be used to populate the city associated with the IP address. + string city = 2; + + // If set, the key will be used to populate the region ISO code associated with the IP address. + // The least specific subdivision will be selected as the region value. + string region = 3; + + // If set, the key will be used to populate the ASN associated with the IP address. + string asn = 4; + + // If set, the IP address will be checked if it belongs to any type of anonymization network + // (e.g., VPN, public proxy). The result will be stored with this key. Value will be set to + // either ``true`` or ``false`` depending on the check result. 
+ string anon = 5; + + // If set, the IP address will be checked if it belongs to a VPN and the result will be stored + // with this key. Value will be set to either ``true`` or ``false`` depending on the check result. + string anon_vpn = 6; + + // If set, the IP address will be checked if it belongs to a hosting provider and the result + // will be stored with this key. Value will be set to either ``true`` or ``false`` depending on + // the check result. + string anon_hosting = 7; + + // If set, the IP address will be checked if it belongs to a TOR exit node and the result will + // be stored with this key. Value will be set to either ``true`` or ``false`` depending on the + // check result. + string anon_tor = 8; + + // If set, the IP address will be checked if it belongs to a public proxy and the result will + // be stored with this key. Value will be set to either ``true`` or ``false`` depending on the + // check result. + string anon_proxy = 9; + + // If set, the key will be used to populate the ISP associated with the IP address. + string isp = 10; + + // If set, the IP address will be checked if it belongs to the ISP named iCloud Private Relay + // and the result will be stored with this key. Value will be set to either ``true`` or ``false`` + // depending on the check result. + string apple_private_relay = 11; + } + + // Configuration for geolocation headers to add to HTTP requests. + // This field is deprecated in favor of ``geo_field_keys``. If both are set, ``geo_field_keys`` + // takes precedence. + GeolocationHeadersToAdd geo_headers_to_add = 1 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Configuration for geolocation field keys. + // At least one of ``geo_headers_to_add`` or ``geo_field_keys`` must be set. + GeolocationFieldKeys geo_field_keys = 3; +} 
diff --git a/modules/sync/envoyproxy/envoy/cas/2a3f58f19a05d4bb14ea75736b81862c7acd196b73db4ed172be24876e6c9efc18905db4c243fe3a266c1b9f260aed9a3b7421ee76f5dc39ae73158ae4e7be9d b/modules/sync/envoyproxy/envoy/cas/2a3f58f19a05d4bb14ea75736b81862c7acd196b73db4ed172be24876e6c9efc18905db4c243fe3a266c1b9f260aed9a3b7421ee76f5dc39ae73158ae4e7be9d new file mode 100644 index 00000000..b90d08dc --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/2a3f58f19a05d4bb14ea75736b81862c7acd196b73db4ed172be24876e6c9efc18905db4c243fe3a266c1b9f260aed9a3b7421ee76f5dc39ae73158ae4e7be9d 
@@ -0,0 +1,107 @@ +syntax = "proto3"; + +package envoy.extensions.filters.listener.proxy_protocol.v3; + +import "envoy/config/core/v3/proxy_protocol.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.listener.proxy_protocol.v3"; +option java_outer_classname = "ProxyProtocolProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/proxy_protocol/v3;proxy_protocolv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Proxy Protocol Filter] +// PROXY protocol listener filter. +// [#extension: envoy.filters.listener.proxy_protocol] + +// [#next-free-field: 7] +message ProxyProtocol { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.listener.proxy_protocol.v2.ProxyProtocol"; + + // Controls where TLV values are stored when rules match. + enum TlvLocation { + // Store TLV values in dynamic metadata. + DYNAMIC_METADATA = 0; + + // Store TLV values in filter state as a single map-like object. + FILTER_STATE = 1; + } + + message KeyValuePair { + // The namespace — if this is empty, the filter's namespace will be used. + string metadata_namespace = 1; + + // The key to use within the namespace. + string key = 2 [(validate.rules).string = {min_len: 1}]; + } + + // A Rule defines what metadata to apply when a header is present or missing. + message Rule { + // The type that triggers the rule - required + // TLV type is defined as uint8_t in proxy protocol. See `the spec + // `_ for details. + uint32 tlv_type = 1 [(validate.rules).uint32 = {lt: 256}]; + + // If the TLV type is present, apply this metadata KeyValuePair. + KeyValuePair on_tlv_present = 2; + } + + // The list of rules to apply to requests. 
+ repeated Rule rules = 1; + + // Allow requests through that don't use proxy protocol. Defaults to false. + // + // .. attention:: + // + // This breaks conformance with the specification. + // Only enable if ALL traffic to the listener comes from a trusted source. + // For more information on the security implications of this feature, see + // https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt + // + // .. attention:: + // + // Requests of 12 or fewer bytes that match the proxy protocol v2 signature + // and requests of 6 or fewer bytes that match the proxy protocol v1 + // signature will timeout (Envoy is unable to differentiate these requests + // from incomplete proxy protocol requests). + bool allow_requests_without_proxy_protocol = 2; + + // This config controls which TLVs can be passed to filter state if it is Proxy Protocol + // V2 header. If there is no setting for this field, no TLVs will be passed through. + // + // .. note:: + // + // If this is configured, you likely also want to set + // :ref:`core.v3.ProxyProtocolConfig.pass_through_tlvs `, + // which controls pass-through for the upstream. + config.core.v3.ProxyProtocolPassThroughTLVs pass_through_tlvs = 3; + + // The PROXY protocol versions that won't be matched. Useful to limit the scope and attack surface of the filter. + // + // When the filter receives PROXY protocol data that is disallowed, it will reject the connection. + // By default, the filter will match all PROXY protocol versions. + // See https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt for details. + // + // .. attention:: + // + // When used in conjunction with the :ref:`allow_requests_without_proxy_protocol `, + // the filter will not attempt to match signatures for the disallowed versions. + // For example, when ``disallowed_versions=V2``, ``allow_requests_without_proxy_protocol=true``, + // and an incoming request matches the V2 signature, the filter will allow the request through without any modification. 
+ // The filter treats this request as if it did not have any PROXY protocol information. + repeated config.core.v3.ProxyProtocolConfig.Version disallowed_versions = 4; + + // The human readable prefix to use when emitting statistics for the filter. + // If not configured, statistics will be emitted without the prefix segment. + // See the :ref:`filter's statistics documentation ` for + // more information. + string stat_prefix = 5; + + // Controls where TLV values are stored when rules match. Defaults to DYNAMIC_METADATA. + TlvLocation tlv_location = 6; +} diff --git a/modules/sync/envoyproxy/envoy/cas/2b79397942da5d50b1f2e3a350b069126a771b2449592441e1d34be8f2ff15eb0433de0557ed71a68a874bb18b86e373a0fba9beebd612c34ae2ecf2f57b9857 b/modules/sync/envoyproxy/envoy/cas/2b79397942da5d50b1f2e3a350b069126a771b2449592441e1d34be8f2ff15eb0433de0557ed71a68a874bb18b86e373a0fba9beebd612c34ae2ecf2f57b9857 new file mode 100644 index 00000000..98e9b722 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/2b79397942da5d50b1f2e3a350b069126a771b2449592441e1d34be8f2ff15eb0433de0557ed71a68a874bb18b86e373a0fba9beebd612c34ae2ecf2f57b9857 
@@ -0,0 +1,122 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.reverse_tunnel.v3; + +import "envoy/config/core/v3/base.proto"; + +import "google/protobuf/duration.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.reverse_tunnel.v3"; +option java_outer_classname = "ReverseTunnelProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/reverse_tunnel/v3;reverse_tunnelv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Reverse Tunnel Network Filter] +// Reverse Tunnel Network Filter :ref:`configuration overview `. +// [#extension: envoy.filters.network.reverse_tunnel] + +// Validation configuration for reverse tunnel identifiers. +// Validates the node ID and cluster ID extracted from reverse tunnel handshake headers +// against expected values specified using format strings. +message Validation { + // Format string to extract the expected node identifier for validation. + // The formatted value is compared against the ``x-envoy-reverse-tunnel-node-id`` header + // from the incoming handshake request. If they do not match, the connection is rejected + // with HTTP ``403 Forbidden``. + // + // Supports Envoy's :ref:`command operators `: + // + // * ``%DYNAMIC_METADATA(namespace:key)%``: Extract expected value from dynamic metadata. + // * ``%FILTER_STATE(key)%``: Extract expected value from filter state. + // * ``%DOWNSTREAM_REMOTE_ADDRESS%``: Use downstream connection IP address. + // * Plain strings: Use a static expected value. + // + // If empty, node ID validation is skipped. + // + // Example using dynamic metadata allowlist: + // + // .. 
code-block:: yaml + // + // node_id_format: "%DYNAMIC_METADATA(envoy.reverse_tunnel.allowlist:expected_node_id)%" + // + string node_id_format = 1 [(validate.rules).string = {max_len: 1024}]; + + // Format string to extract the expected cluster identifier for validation. + // The formatted value is compared against the ``x-envoy-reverse-tunnel-cluster-id`` header + // from the incoming handshake request. If they do not match, the connection is rejected + // with HTTP ``403 Forbidden``. + // + // Supports the same :ref:`command operators ` as + // ``node_id_format``. + // + // If empty, cluster ID validation is skipped. + // + // Example using filter state: + // + // .. code-block:: yaml + // + // cluster_id_format: "%FILTER_STATE(expected_cluster_id)%" + // + string cluster_id_format = 2 [(validate.rules).string = {max_len: 1024}]; + + // Whether to emit validation results as dynamic metadata. + // When enabled, the filter emits metadata under the namespace specified by + // ``dynamic_metadata_namespace`` containing: + // + // * ``node_id``: The actual node ID from the handshake request. + // * ``cluster_id``: The actual cluster ID from the handshake request. + // * ``validation_result``: Either ``allowed`` or ``denied``. + // + // This metadata can be used by subsequent filters or for access logging. + // Defaults to ``false``. + bool emit_dynamic_metadata = 3; + + // Namespace for emitted dynamic metadata when ``emit_dynamic_metadata`` is ``true``. + // If not specified, defaults to ``envoy.filters.network.reverse_tunnel``. + string dynamic_metadata_namespace = 4 [(validate.rules).string = {max_len: 255}]; +} + +// Configuration for the reverse tunnel network filter. +// This filter handles reverse tunnel connection acceptance and rejection by processing +// HTTP requests where required identification values are provided via HTTP headers. 
+// [#next-free-field: 7] +message ReverseTunnel { + // Ping interval for health checks on established reverse tunnel connections. + // If not specified, defaults to ``2 seconds``. + google.protobuf.Duration ping_interval = 1 [(validate.rules).duration = { + lte {seconds: 300} + gte {nanos: 1000000} + }]; + + // Whether to automatically close connections after processing reverse tunnel requests. + // + // * When set to ``true``, connections are closed after acceptance or rejection. + // * When set to ``false``, connections remain open for potential reuse. + // + // Defaults to ``false``. + bool auto_close_connections = 2; + + // HTTP path to match for reverse tunnel requests. + // If not specified, defaults to ``/reverse_connections/request``. + string request_path = 3 [(validate.rules).string = {min_len: 1 max_len: 255 ignore_empty: true}]; + + // HTTP method to match for reverse tunnel requests. + // If not specified (``METHOD_UNSPECIFIED``), this defaults to ``GET``. + config.core.v3.RequestMethod request_method = 4 [(validate.rules).enum = {defined_only: true}]; + + // Optional validation configuration for node and cluster identifiers. + // If specified, the filter validates the ``x-envoy-reverse-tunnel-node-id`` and + // ``x-envoy-reverse-tunnel-cluster-id`` headers against expected values extracted + // using format strings. Requests that fail validation are rejected with HTTP ``403 Forbidden``. + Validation validation = 5; + + // Required cluster name for validating reverse tunnel connection initiations. + // When set, the filter validates that the upstream cluster of the initiator envoy matches this name + // via ``x-envoy-reverse-tunnel-upstream-cluster-name`` header. Connections with mismatched or missing + // cluster names are rejected with HTTP ``400 Bad Request``. When empty, no cluster name validation is performed. + string required_cluster_name = 6 [(validate.rules).string = {max_len: 255 ignore_empty: true}]; +} 
diff --git a/modules/sync/envoyproxy/envoy/cas/316dc86defec70a70aa1e5901c99751f3fdea7250983b5f790f4fafa96ab9f2658f2eeea685f9c5110e3db69d67560bcab9adcebad108e0d5d06871587e881e9 b/modules/sync/envoyproxy/envoy/cas/316dc86defec70a70aa1e5901c99751f3fdea7250983b5f790f4fafa96ab9f2658f2eeea685f9c5110e3db69d67560bcab9adcebad108e0d5d06871587e881e9 new file mode 100644 index 00000000..03f0158e --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/316dc86defec70a70aa1e5901c99751f3fdea7250983b5f790f4fafa96ab9f2658f2eeea685f9c5110e3db69d67560bcab9adcebad108e0d5d06871587e881e9 
@@ -0,0 +1,223 @@ +syntax = "proto3"; + +package envoy.extensions.upstreams.http.v3; + +import "envoy/config/common/matcher/v3/matcher.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/protocol.proto"; +import "envoy/config/route/v3/route_components.proto"; +import "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.upstreams.http.v3"; +option java_outer_classname = "HttpProtocolOptionsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/upstreams/http/v3;httpv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: HTTP Protocol Options] +// [#extension: envoy.upstreams.http.http_protocol_options] + +// HttpProtocolOptions specifies Http upstream protocol options. This object +// is used in +// :ref:`typed_extension_protocol_options`, +// keyed by the name ``envoy.extensions.upstreams.http.v3.HttpProtocolOptions``. +// +// This controls what protocol(s) should be used for upstream and how said protocol(s) are configured. +// +// This replaces the prior pattern of explicit protocol configuration directly +// in the cluster. So a configuration like this, explicitly configuring the use of HTTP/2 upstream: +// +// .. code:: +// +// clusters: +// - name: some_service +// connect_timeout: 5s +// upstream_http_protocol_options: +// auto_sni: true +// common_http_protocol_options: +// idle_timeout: 1s +// http2_protocol_options: +// max_concurrent_streams: 100 +// .... [further cluster config] +// +// Would now look like this: +// +// .. 
code:: +// +// clusters: +// - name: some_service +// connect_timeout: 5s +// typed_extension_protocol_options: +// envoy.extensions.upstreams.http.v3.HttpProtocolOptions: +// "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions +// upstream_http_protocol_options: +// auto_sni: true +// common_http_protocol_options: +// idle_timeout: 1s +// explicit_http_config: +// http2_protocol_options: +// max_concurrent_streams: 100 +// .... [further cluster config] +// [#next-free-field: 12] +message HttpProtocolOptions { + // If this is used, the cluster will only operate on one of the possible upstream protocols. + // Note that HTTP/2 or above should generally be used for upstream gRPC clusters. + message ExplicitHttpConfig { + oneof protocol_config { + option (validate.required) = true; + + config.core.v3.Http1ProtocolOptions http_protocol_options = 1; + + config.core.v3.Http2ProtocolOptions http2_protocol_options = 2; + + // .. warning:: + // QUIC upstream support is currently not ready for internet use. + // Please see :ref:`here ` for details. + config.core.v3.Http3ProtocolOptions http3_protocol_options = 3; + } + } + + // If this is used, the cluster can use either of the configured protocols, and + // will use whichever protocol was used by the downstream connection. + // + // If HTTP/3 is configured for downstream and not configured for upstream, + // HTTP/3 requests will fail over to HTTP/2. + message UseDownstreamHttpConfig { + config.core.v3.Http1ProtocolOptions http_protocol_options = 1; + + config.core.v3.Http2ProtocolOptions http2_protocol_options = 2; + + // .. warning:: + // QUIC upstream support is currently not ready for internet use. + // Please see :ref:`here ` for details. + config.core.v3.Http3ProtocolOptions http3_protocol_options = 3; + } + + // If this is used, the cluster can use either HTTP/1 or HTTP/2, and will use whichever + // protocol is negotiated by ALPN with the upstream. 
+ // Clusters configured with ``AutoHttpConfig`` will use the highest available + // protocol; HTTP/2 if supported, otherwise HTTP/1. + // If the upstream does not support ALPN, ``AutoHttpConfig`` will fail over to HTTP/1. + // This can only be used with transport sockets which support ALPN. Using a + // transport socket which does not support ALPN will result in configuration + // failure. The transport layer may be configured with custom ALPN, but the default ALPN + // for the cluster (or if custom ALPN fails) will be "h2,http/1.1". + message AutoHttpConfig { + config.core.v3.Http1ProtocolOptions http_protocol_options = 1; + + config.core.v3.Http2ProtocolOptions http2_protocol_options = 2; + + // Unlike HTTP/1 and HTTP/2, HTTP/3 will not be configured unless it is + // present, and (soon) only if there is an indication of server side + // support. + // See :ref:`here ` for more information on + // when HTTP/3 will be used, and when Envoy will fail over to TCP. + // + // .. warning:: + // QUIC upstream support is currently not ready for internet use. + // Please see :ref:`here ` for details. + config.core.v3.Http3ProtocolOptions http3_protocol_options = 3; + + // The presence of alternate protocols cache options causes the use of the + // alternate protocols cache, which is responsible for parsing and caching + // HTTP Alt-Svc headers. This enables the use of HTTP/3 for origins that + // advertise supporting it. + // + // .. note:: + // This is required when HTTP/3 is enabled. + config.core.v3.AlternateProtocolsCacheOptions alternate_protocols_cache_options = 4; + } + + message OutlierDetection { + // If specified, only responses matching the matcher will be treated by outlier detection as errors. + // If not specified, only 5xx codes are treated by outlier detection as errors. 
+ config.common.matcher.v3.MatchPredicate error_matcher = 1 + [(validate.rules).message = {required: true}]; + } + + // This contains options common across HTTP/1 and HTTP/2 + config.core.v3.HttpProtocolOptions common_http_protocol_options = 1; + + // This contains common protocol options which are only applied upstream. + config.core.v3.UpstreamHttpProtocolOptions upstream_http_protocol_options = 2; + + // This controls the actual protocol to be used upstream. + oneof upstream_protocol_options { + option (validate.required) = true; + + // To explicitly configure either HTTP/1 or HTTP/2 (but not both!) use ``explicit_http_config``. + ExplicitHttpConfig explicit_http_config = 3; + + // This allows switching on protocol based on what protocol the downstream + // connection used. + UseDownstreamHttpConfig use_downstream_protocol_config = 4; + + // This allows switching on protocol based on ALPN + AutoHttpConfig auto_config = 5; + } + + // Optional HTTP filters for the upstream HTTP filter chain. + // + // .. note:: + // Upstream HTTP filters are currently in alpha. + // + // + // These filters will be applied for all HTTP streams which flow through this + // cluster. Unlike downstream HTTP filters, they will *not* be applied to terminated CONNECT requests. + // + // If using upstream HTTP filters, please be aware that local errors sent by + // upstream HTTP filters will not trigger retries, and local errors sent by + // upstream HTTP filters will count as a final response if hedging is configured. + // [#extension-category: envoy.filters.http.upstream] + repeated filters.network.http_connection_manager.v3.HttpFilter http_filters = 6; + + // Configuration options for Unified Header Validation (UHV). + // UHV is an extensible mechanism for checking validity of HTTP responses. + // + // [#comment:TODO(yanavlasov): Make it a link to the default header validator doc when it becomes visible.] 
+ // Leaving this field unspecified, selects the default header validator ``envoy.http.header_validators.envoy_default``. + // + // [#not-implemented-hide:] + // [#extension-category: envoy.http.header_validators] + config.core.v3.TypedExtensionConfig header_validation_config = 7; + + // Defines http specific outlier detection parameters. + OutlierDetection outlier_detection = 8; + + // Specifies a list of HTTP-level mirroring policies for requests routed to this cluster. + // Cluster-level policies override route-level policies when they both are configured. + // + // .. note:: + // + // Mirroring will not be triggered if the :ref:`primary cluster + // ` does not exist. + repeated config.route.v3.RouteAction.RequestMirrorPolicy request_mirror_policies = 9; + + // Specifies a list of hash policies for consistent hashing load balancing (e.g., Ring Hash or + // Maglev) for requests routed to this cluster. When configured, cluster-level policies override + // route-level policies. When not configured, route-level policies (if any) will be used. + // + // This enables consistent routing to the same upstream host for all requests to a cluster, + // which is particularly useful for stateful services like caching, session management, or + // sticky routing requirements. + // + // .. note:: + // + // Hash policies are only effective when the cluster is configured with a hash-based load + // balancing policy (e.g., :ref:`RING_HASH ` + // or :ref:`MAGLEV `). + repeated config.route.v3.RouteAction.HashPolicy hash_policy = 10; + + // Specifies the retry policy for requests routed to this cluster. When configured, + // cluster-level retry policy overrides route-level retry policy. When not configured, + // route-level retry policy (if any) will be used. + // + // .. note:: + // + // Cluster-level retry policy will override route-level retry policy entirely. Policies are + // not merged. + config.route.v3.RetryPolicy retry_policy = 11; +} 
diff --git a/modules/sync/envoyproxy/envoy/cas/34211b28c5a19fa7da842985be337476e1bac2c0c5c71b81a5e3aa2e2d9a9aee72aa176897d0ac7cefda676c705ff47799f06efa85eab306eb0b0d616342e9f6 b/modules/sync/envoyproxy/envoy/cas/34211b28c5a19fa7da842985be337476e1bac2c0c5c71b81a5e3aa2e2d9a9aee72aa176897d0ac7cefda676c705ff47799f06efa85eab306eb0b0d616342e9f6 new file mode 100644 index 00000000..e39abd2a --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/34211b28c5a19fa7da842985be337476e1bac2c0c5c71b81a5e3aa2e2d9a9aee72aa176897d0ac7cefda676c705ff47799f06efa85eab306eb0b0d616342e9f6 @@ -0,0 +1,21 @@ +syntax = "proto3"; + +package envoy.extensions.transport_sockets.tls.cert_mappers.sni.v3; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.cert_mappers.sni.v3"; +option java_outer_classname = "ConfigProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/cert_mappers/sni/v3;sniv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: SNI certificate mapper] +// [#extension: envoy.tls.certificate_mappers.sni] + +// Uses the SNI value from the TLS client hello as the secret resource name. +message SNI { + // The value to use as the secret name when SNI is empty or absent. + string default_value = 1 [(validate.rules).string = {min_len: 1}]; +} diff --git a/modules/sync/envoyproxy/envoy/cas/37161b50fb369c7d99d81420e78eb5528031cb8963387b21f3b16a346425d4a48cac4fa95d2398dd4a8556927c12a6af6b68d36b65c8babdda818d773cd3720f b/modules/sync/envoyproxy/envoy/cas/37161b50fb369c7d99d81420e78eb5528031cb8963387b21f3b16a346425d4a48cac4fa95d2398dd4a8556927c12a6af6b68d36b65c8babdda818d773cd3720f new file mode 100644 index 00000000..9ddc1abc --- /dev/null 
+++ b/modules/sync/envoyproxy/envoy/cas/37161b50fb369c7d99d81420e78eb5528031cb8963387b21f3b16a346425d4a48cac4fa95d2398dd4a8556927c12a6af6b68d36b65c8babdda818d773cd3720f 
@@ -0,0 +1,124 @@ +syntax = "proto3"; + +package envoy.extensions.matching.common_inputs.transport_socket.v3; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.matching.common_inputs.transport_socket.v3"; +option java_outer_classname = "TransportSocketInputsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/common_inputs/transport_socket/v3;transport_socketv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Transport Socket Matching Inputs] + +// Specifies that matching should be performed by the endpoint metadata. +// This input extracts metadata from the selected endpoint for transport socket selection. +// The metadata is extracted using a filter and path specification similar to +// :ref:`DynamicMetadataInput `. +// +// Example: Extract a metadata value for transport socket matching. +// +// .. code-block:: yaml +// +// typed_config: +// "@type": type.googleapis.com/envoy.extensions.matching.common_inputs.transport_socket.v3.EndpointMetadataInput +// filter: "envoy.transport_socket_match" +// path: +// - key: "socket_type" +// +// This configuration extracts the value at path ``["envoy.transport_socket_match"]["socket_type"]`` +// from the endpoint metadata for use in transport socket selection. +// +// [#extension: envoy.matching.inputs.endpoint_metadata] +message EndpointMetadataInput { + // Specifies the segment in a path to retrieve value from Metadata. + // Note: Currently it's not supported to retrieve a value from a list in Metadata. This means that + // if the segment key refers to a list, it has to be the last segment in a path. + message PathSegment { + oneof segment { + option (validate.required) = true; + + // If specified, use the key to retrieve the value in a Struct. 
+ string key = 1 [(validate.rules).string = {min_len: 1}]; + } + } + + // The filter name to retrieve the Struct from the endpoint metadata. + // If not specified, defaults to ``envoy.lb`` which is commonly used for load balancing metadata. + string filter = 1; + + // The path to retrieve the Value from the Struct. + repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; +} + +// Specifies that matching should be performed by the locality metadata. +// This input extracts metadata from the endpoint's locality for transport socket selection. +// The metadata is extracted using a filter and path specification similar to +// :ref:`DynamicMetadataInput `. +// +// Example: Extract a metadata value from locality for transport socket matching. +// +// .. code-block:: yaml +// +// typed_config: +// "@type": type.googleapis.com/envoy.extensions.matching.common_inputs.transport_socket.v3.LocalityMetadataInput +// filter: "envoy.transport_socket_match" +// path: +// - key: "region" +// +// This configuration extracts the value at path ``["envoy.transport_socket_match"]["region"]`` +// from the locality metadata for use in transport socket selection. +// +// [#extension: envoy.matching.inputs.locality_metadata] +message LocalityMetadataInput { + // Specifies the segment in a path to retrieve value from Metadata. + // Note: Currently it's not supported to retrieve a value from a list in Metadata. This means that + // if the segment key refers to a list, it has to be the last segment in a path. + message PathSegment { + oneof segment { + option (validate.required) = true; + + // If specified, use the key to retrieve the value in a Struct. + string key = 1 [(validate.rules).string = {min_len: 1}]; + } + } + + // The filter name to retrieve the Struct from the locality metadata. + // If not specified, defaults to ``envoy.lb`` which is commonly used for load balancing metadata. + string filter = 1; + + // The path to retrieve the Value from the Struct. 
+ repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; +} + +// Specifies that matching should be performed by filter state. +// This input extracts a value from filter state that was explicitly shared from the +// downstream connection to the upstream connection via ``TransportSocketOptions``. +// This enables flexible downstream-connection-based transport socket selection, +// such as matching on network namespace or any custom filter state data. +// +// Example: Match on network namespace stored in filter state. +// +// .. code-block:: yaml +// +// typed_config: +// "@type": type.googleapis.com/envoy.extensions.matching.common_inputs.transport_socket.v3.FilterStateInput +// key: "envoy.network.namespace" +// +// [#extension: envoy.matching.inputs.transport_socket_filter_state] +message FilterStateInput { + // The key of the filter state object to retrieve. + // The object must implement serializeAsString() to be used for matching. + string key = 1 [(validate.rules).string = {min_len: 1}]; +} + +// Configuration for the transport socket name action. +// This action sets the name of the transport socket to use when the matcher matches. +// [#extension: envoy.matching.action.transport_socket.name] +message TransportSocketNameAction { + // The name of the transport socket to use. + // This name must reference a named transport socket in the cluster's transport_socket_matches. + string name = 1 [(validate.rules).string = {min_len: 1}]; +} diff --git a/modules/sync/envoyproxy/envoy/cas/3d4d166abf61af4d0844593c3eccc0196688d3e6f40ad4092df9b75534d8c9d3110083fa6237da870e34d7f04602da74c67dd184e9108c2c51a2cc15b0e69649 b/modules/sync/envoyproxy/envoy/cas/3d4d166abf61af4d0844593c3eccc0196688d3e6f40ad4092df9b75534d8c9d3110083fa6237da870e34d7f04602da74c67dd184e9108c2c51a2cc15b0e69649 new file mode 100644 index 00000000..f971a31d --- /dev/null 
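Review bot: `TransportSocketNameAction.name` is documented as "must reference a named transport socket in the cluster's transport_socket_matches", but the comment does not say whether a dangling name is rejected when the config is loaded or only fails when a connection is selected, and a silent runtime fallback to the default transport socket would be the risky case. The same gap exists for `FilterStateInput`: the comment requires `serializeAsString()` but does not say how an absent key or a non-serializable object is treated by the match. I would add `// A name that does not appear in transport_socket_matches is rejected at configuration load time.` (or the equivalent runtime wording) to the action, and `// If the key is absent, the input produces no value and the match does not succeed.` to `FilterStateInput` once confirmed. As a style point, `PathSegment` is declared twice, identically, under `EndpointMetadataInput` and `LocalityMetadataInput`; if that duplication is intentional for API independence, a one-line comment saying so would stop the next maintainer from "deduplicating" it.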
+++ b/modules/sync/envoyproxy/envoy/cas/3d4d166abf61af4d0844593c3eccc0196688d3e6f40ad4092df9b75534d8c9d3110083fa6237da870e34d7f04602da74c67dd184e9108c2c51a2cc15b0e69649 
@@ -0,0 +1,99 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.transform.v3; + +import "envoy/config/common/mutation_rules/v3/mutation_rules.proto"; +import "envoy/config/core/v3/substitution_format_string.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.transform.v3"; +option java_outer_classname = "TransformProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/transform/v3;transformv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Transform filter configuration] +// Transform filter :ref:`configuration overview ` to perform +// HTTP header and body transformations. +// [#extension: envoy.filters.http.transform] + +// Configuration for the transform filter. The filter may buffer the request/response until the +// entire body is received, and then mutate the headers and body according to the contents +// of the request/response. The request and response transformations are independent and could +// be configured separately. +// Only JSON body transformation is supported for now. +message TransformConfig { + // Configuration for transforming request. + // + // .. note:: + // + // If set then the entire request headers and body will always be buffered on a JSON request + // even if only headers are transformed. + Transformation request_transformation = 1; + + // Configuration for transforming response. + // + // .. note:: + // + // If set then the entire response headers and body will always be buffered on a JSON response + // even if only headers are transformed. + Transformation response_transformation = 2; + + // If true and the request headers are transformed, Envoy will re-evaluate the target + // cluster in the same route. 
Please ensure the cluster specifier in the route supports + // dynamic evaluation or this flag will have no effect, e.g. + // :ref:`matcher cluster specifier + // `. + // + // Only one of ``clear_cluster_cache`` and ``clear_route_cache`` can be true. + bool clear_cluster_cache = 3; + + // If true and the request headers are transformed, Envoy will clear the route cache for + // the current request and force re-evaluation of the route. This has performance penalty and + // should only be used when the route match criteria depends on the transformed headers. + // + // Only one of ``clear_cluster_cache`` and ``clear_route_cache`` can be true. + bool clear_route_cache = 4; +} + +message Transformation { + // The header mutations to perform. + // The :ref:`substitution format specifier ` could be applied here. + // In addition to the commonly used format specifiers, this filter introduces additional format specifiers: + // + // * ``%REQUEST_BODY(KEY*)%``: the request body. And ``Key`` KEY is an optional + // lookup key in the namespace with the option of specifying nested keys separated by ':'. + // * ``%RESPONSE_BODY(KEY*)%``: the response body. And ``Key`` KEY is an optional + // lookup key in the namespace with the option of specifying nested keys separated by ':'. + repeated config.common.mutation_rules.v3.HeaderMutation headers_mutations = 1; + + // The body transformation configuration. If not set, no body transformation will be performed. + BodyTransformation body_transformation = 2; +} + +message BodyTransformation { + enum TransformAction { + // Merge the transformed body with the original body. This is the default action. + MERGE = 0; + + // Replace the original body with the transformed body. + REPLACE = 1; + } + + // Body transformation configuration. The substitution format string is used as the template + // to generate the transformed new body content. + // The :ref:`substitution format specifier ` could be applied here. 
+ // And except the commonly used format specifiers, the additional format specifiers + // ``%REQUEST_BODY(KEY*)%`` and ``%RESPONSE_BODY(KEY*)%`` could also be used here. + config.core.v3.SubstitutionFormatString body_format = 1 + [(validate.rules).message = {required: true}]; + + // The action to perform for new body content and original body content. + // For example, if ``MERGE`` is used, then the new body content generated from the ``body_format`` + // will be merged into the original body content. + // + // Default is ``MERGE``. + TransformAction action = 2; +} diff --git a/modules/sync/envoyproxy/envoy/cas/465bfc5258cfc02a55d62f64738c2e9c23266138751628c32cbe61da84cc8d12bdfb7a19577e3fb4e433cbc9c30cbea7d7d0d61d5a8119996380c0fab161a8e2 b/modules/sync/envoyproxy/envoy/cas/465bfc5258cfc02a55d62f64738c2e9c23266138751628c32cbe61da84cc8d12bdfb7a19577e3fb4e433cbc9c30cbea7d7d0d61d5a8119996380c0fab161a8e2 new file mode 100644 index 00000000..5d2825e7 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/465bfc5258cfc02a55d62f64738c2e9c23266138751628c32cbe61da84cc8d12bdfb7a19577e3fb4e433cbc9c30cbea7d7d0d61d5a8119996380c0fab161a8e2 
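Review bot: The `TransformConfig` comment says the filter "may buffer the request/response until the entire body is received", but nothing in this file states what bounds that buffering, and a filter that buffers whole bodies without a stated limit is a resource-exhaustion concern for operators reading only this documentation. Unlike the MCP filter added in the same commit, there is no `max_*_body_size` field here, so presumably the per-connection buffer limits apply; I would add `// Buffering is bounded by the connection's per-stream buffer limit; requests exceeding it are rejected.` (wording to be confirmed against the filter) above `request_transformation`. Separately, the "Only one of `clear_cluster_cache` and `clear_route_cache` can be true" rule appears only in comments with no validate rule on the fields, so the comment should say where it is enforced, e.g. `// Setting both is rejected at configuration load time.`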
@@ -0,0 +1,106 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.mcp.v3; + +import "google/protobuf/wrappers.proto"; + +import "xds/annotations/v3/status.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.mcp.v3"; +option java_outer_classname = "McpProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/mcp/v3;mcpv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; +option (xds.annotations.v3.file_status).work_in_progress = true; + +// [#protodoc-title: MCP] +// MCP filter :ref:`configuration overview `. +// [#extension: envoy.filters.http.mcp] + +// This filter will inspect and get attributes from MCP traffic. +message Mcp { + // Traffic handling mode for non-MCP traffic. + enum TrafficMode { + // Proxies the HTTP request and response without MCP spec check. + // This is the default mode. + PASS_THROUGH = 0; + + // Reject requests that are not following MCP spec. + // Valid MCP requests are: + // - POST requests with JSON-RPC 2.0 messages + // - GET requests for SSE streams (with Accept: text/event-stream) + REJECT_NO_MCP = 1; + } + + // Configures how the filter handles non-MCP traffic. + TrafficMode traffic_mode = 1 [(validate.rules).enum = {defined_only: true}]; + + // When set to true, the filter will clear the route cache after setting dynamic metadata. + // This allows the route to be re-selected based on the MCP metadata (e.g., method, params). + // Defaults to false. + bool clear_route_cache = 2; + + // Maximum size of the request body to buffer for JSON-RPC validation. + // If the request body exceeds this size, the request is rejected with ``413 Payload Too Large``. + // This limit applies to both ``REJECT_NO_MCP`` and ``PASS_THROUGH`` modes to prevent unbounded buffering. 
+ // + // It defaults to 8KB (8192 bytes) and the maximum allowed value is 10MB (10485760 bytes). + // + // Setting it to 0 would disable the limit. It is not recommended to do so in production. + google.protobuf.UInt32Value max_request_body_size = 3 [(validate.rules).uint32 = {lte: 10485760}]; + + // Parser configuration, this provide the attribute extraction override. + ParserConfig parser_config = 4; +} + +// Parser configuration with method-specific rules. +// This configuration allows overriding the default attribute extraction behavior for specific MCP methods. +message ParserConfig { + // A single attribute extraction rule. + message AttributeExtractionRule { + // JSON path to extract (e.g., "params.name", "params.uri"). + // The path is a dot-separated string representing the location of the field in the JSON payload. + // For example, "params.name" extracts the "name" field from the "params" object. + string path = 1 [(validate.rules).string = {min_len: 1}]; + } + + // Configuration for a specific MCP method. + message MethodConfig { + // Method name (e.g., "tools/call", "resources/read", "initialize"). + // This matches the "method" field in the JSON-RPC request. + string method = 1 [(validate.rules).string = {min_len: 1}]; + + // The group/category name to assign to this method (e.g., "tool", "lifecycle"). + // This will be emitted to dynamic metadata under the key specified by group_metadata_key. + // If empty, the built-in group classification is used. + string group = 2; + + // Attributes to extract for this method. + // If empty, only default attributes (jsonrpc, method) are extracted. + repeated AttributeExtractionRule extraction_rules = 3; + } + + // List of rules for classification and extraction. + // Rules are evaluated in order; the first match wins. + // If no rule matches, extraction defaults are used and group falls back to built-in classification. 
+ // Built-in groups: lifecycle, tool, resource, prompt, notification, logging, sampling, completion, unknown. + repeated MethodConfig methods = 1; + + // The dynamic metadata key where the group name will be stored. + // If empty, group classification is disabled. + string group_metadata_key = 2; +} + +// Per-route override configuration for MCP filter +message McpOverride { + // Optional per-route traffic mode override + Mcp.TrafficMode traffic_mode = 1 [(validate.rules).enum = {defined_only: true}]; + + // Optional per-route max request body size override. + // When set, this overrides the global max_request_body_size for this route. + // It defaults to 8KB (8192 bytes) and the maximum allowed value is 10MB (10485760 bytes). + google.protobuf.UInt32Value max_request_body_size = 2 [(validate.rules).uint32 = {lte: 10485760}]; +} diff --git a/modules/sync/envoyproxy/envoy/cas/47d7103d97ef0773986433d778f581ee7bf18610bca4308a1ecd757eb83a544df959c45b814cbeaeeae68a6601533e89d40b5581f0fa40e98394bdd4c94ea867 b/modules/sync/envoyproxy/envoy/cas/47d7103d97ef0773986433d778f581ee7bf18610bca4308a1ecd757eb83a544df959c45b814cbeaeeae68a6601533e89d40b5581f0fa40e98394bdd4c94ea867 new file mode 100644 index 00000000..2364983e --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/47d7103d97ef0773986433d778f581ee7bf18610bca4308a1ecd757eb83a544df959c45b814cbeaeeae68a6601533e89d40b5581f0fa40e98394bdd4c94ea867 
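Review bot: The `McpOverride.max_request_body_size` comment repeats "It defaults to 8KB (8192 bytes)", but for a per-route override an unset value presumably means "use the global `max_request_body_size`", not 8KB, so the sentence contradicts the preceding "When set, this overrides the global max_request_body_size"; I would replace it with `// When unset, the global max_request_body_size applies. The maximum allowed value is 10MB (10485760 bytes).` A second documentation point: `max_request_body_size` says the 413 limit applies in `PASS_THROUGH` mode too, yet the `PASS_THROUGH` enum comment reads as if traffic is proxied untouched; a cross-reference on the enum value, such as `// Bodies larger than max_request_body_size are still rejected in this mode.`, would prevent operators from being surprised by 413s on non-MCP POSTs larger than 8KB.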
@@ -0,0 +1,176 @@ +syntax = "proto3"; + +package envoy.config.trace.v3; + +import "envoy/config/core/v3/http_service.proto"; + +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.config.trace.v3"; +option java_outer_classname = "ZipkinProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/trace/v3;tracev3"; +option (udpa.annotations.file_migrate).move_to_package = "envoy.extensions.tracers.zipkin.v4alpha"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Zipkin tracer] + +// Configuration for the Zipkin tracer. +// [#extension: envoy.tracers.zipkin] +// [#next-free-field: 10] +message ZipkinConfig { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.trace.v2.ZipkinConfig"; + + // Available trace context options for handling different trace header formats. + enum TraceContextOption { + // Use B3 headers only (default behavior). + USE_B3 = 0; + + // Enable B3 and W3C dual header support: + // - For downstream: Extract from B3 headers first, fallback to W3C traceparent if B3 is unavailable. + // - For upstream: Inject both B3 and W3C traceparent headers. + // When this option is NOT set, only B3 headers are used for both extraction and injection. + USE_B3_WITH_W3C_PROPAGATION = 1; + } + + // Available Zipkin collector endpoint versions. + enum CollectorEndpointVersion { + // Zipkin API v1, JSON over HTTP. + // [#comment: The default implementation of Zipkin client before this field is added was only v1 + // and the way user configure this was by not explicitly specifying the version. Consequently, + // before this is added, the corresponding Zipkin collector expected to receive v1 payload. 
+ // Hence the motivation of adding HTTP_JSON_V1 as the default is to avoid a breaking change when + // user upgrading Envoy with this change. Furthermore, we also immediately deprecate this field, + // since in Zipkin realm this v1 version is considered to be not preferable anymore.] + DEPRECATED_AND_UNAVAILABLE_DO_NOT_USE = 0 + [deprecated = true, (envoy.annotations.disallowed_by_default_enum) = true]; + + // Zipkin API v2, JSON over HTTP. + HTTP_JSON = 1; + + // Zipkin API v2, protobuf over HTTP. + HTTP_PROTO = 2; + + // [#not-implemented-hide:] + GRPC = 3; + } + + // The cluster manager cluster that hosts the Zipkin collectors. + // + // .. note:: + // This field will be deprecated in future releases in favor of + // :ref:`collector_service `. + // + // Either this field or ``collector_service`` must be specified. + string collector_cluster = 1; + + // The API endpoint of the Zipkin service where the spans will be sent. When + // using a standard Zipkin installation. + // + // .. note:: + // This field will be deprecated in future releases in favor of + // :ref:`collector_service `. + // + // Required when using ``collector_cluster``. + string collector_endpoint = 2; + + // Determines whether a 128bit trace id will be used when creating a new + // trace instance. The default value is false, which will result in a 64 bit trace id being used. + bool trace_id_128bit = 3; + + // Determines whether client and server spans will share the same span context. + // The default value is true. + google.protobuf.BoolValue shared_span_context = 4; + + // Determines the selected collector endpoint version. + CollectorEndpointVersion collector_endpoint_version = 5; + + // Optional hostname to use when sending spans to the collector_cluster. Useful for collectors + // that require a specific hostname. Defaults to :ref:`collector_cluster ` above. + // + // .. note:: + // This field will be deprecated in future releases in favor of + // :ref:`collector_service `. 
+ string collector_hostname = 6; + + // If this is set to true, then Envoy will be treated as an independent hop in trace chain. A complete span pair will be created for a single + // request. Server span will be created for the downstream request and client span will be created for the related upstream request. + // This should be set to true in the following cases: + // + // * The Envoy Proxy is used as gateway or ingress. + // * The Envoy Proxy is used as sidecar but inbound traffic capturing or outbound traffic capturing is disabled. + // * Any case that the :ref:`start_child_span of router ` is set to true. + // + // .. attention:: + // + // If this is set to true, then the + // :ref:`start_child_span of router ` + // SHOULD be set to true also to ensure the correctness of trace chain. + // + // Both this field and ``start_child_span`` are deprecated by the + // :ref:`spawn_upstream_span `. + // Please use that ``spawn_upstream_span`` field to control the span creation. + bool split_spans_for_request = 7 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Determines which trace context format to use for trace header extraction and propagation. + // This controls both downstream request header extraction and upstream request header injection. + // Here is the spec for W3C trace headers: https://www.w3.org/TR/trace-context/ + // The default value is USE_B3 to maintain backward compatibility. + TraceContextOption trace_context_option = 8; + + // HTTP service configuration for the Zipkin collector. + // When specified, this configuration takes precedence over the legacy fields: + // collector_cluster, collector_endpoint, and collector_hostname. + // This provides a complete HTTP service configuration including cluster, URI, timeout, and headers. + // If not specified, the legacy fields above will be used for backward compatibility. 
+ // + // Required fields when using collector_service: + // + // * ``http_uri.cluster`` - Must be specified and non-empty + // * ``http_uri.uri`` - Must be specified and non-empty + // * ``http_uri.timeout`` - Optional + // + // Full URI Support with Automatic Parsing: + // + // The ``uri`` field supports both path-only and full URI formats: + // + // .. code-block:: yaml + // + // tracing: + // provider: + // name: envoy.tracers.zipkin + // typed_config: + // "@type": type.googleapis.com/envoy.config.trace.v3.ZipkinConfig + // collector_service: + // http_uri: + // # Full URI format - hostname and path are extracted automatically + // uri: "https://zipkin-collector.example.com/api/v2/spans" + // cluster: zipkin + // timeout: 5s + // request_headers_to_add: + // - header: + // key: "X-Custom-Token" + // value: "your-custom-token" + // - header: + // key: "X-Service-ID" + // value: "your-service-id" + // + // URI Parsing Behavior: + // + // * Full URI: ``"https://zipkin-collector.example.com/api/v2/spans"`` + // + // * Hostname: ``zipkin-collector.example.com`` (sets HTTP ``Host`` header) + // * Path: ``/api/v2/spans`` (sets HTTP request path) + // + // * Path only: ``"/api/v2/spans"`` + // + // * Hostname: Uses cluster name as fallback + // * Path: ``/api/v2/spans`` + core.v3.HttpService collector_service = 9; +} diff --git a/modules/sync/envoyproxy/envoy/cas/4da937ae2f2013c8ab4c4b708457a63ed4acb07c2afac20418e6c55fde423553fcaadd570763a827644373da80f6ba861f1f0f6f407aa49f65b551add68f985b b/modules/sync/envoyproxy/envoy/cas/4da937ae2f2013c8ab4c4b708457a63ed4acb07c2afac20418e6c55fde423553fcaadd570763a827644373da80f6ba861f1f0f6f407aa49f65b551add68f985b new file mode 100644 index 00000000..f4be26f3 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/4da937ae2f2013c8ab4c4b708457a63ed4acb07c2afac20418e6c55fde423553fcaadd570763a827644373da80f6ba861f1f0f6f407aa49f65b551add68f985b 
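Review bot: The URI-parsing section of the `collector_service` comment at the end of the hunk describes hostname and path extraction from `https://zipkin-collector.example.com/api/v2/spans` but says nothing about the scheme, so a reader may assume the `https://` prefix turns on TLS for span export. If, as with other `HttpService` users in Envoy, transport security comes from the referenced cluster's transport socket and not from the URI, the comment should say so explicitly, e.g. `// The URI scheme does not enable TLS; configure the transport socket on the referenced cluster.` (confirm against the tracer implementation first). The example also inlines a credential-shaped header, `X-Custom-Token: your-custom-token`, in static configuration; using a non-secret example header would avoid teaching readers to embed tokens in the bootstrap.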
@@ -0,0 +1,34 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.network.set_filter_state.v3;
+
+import "envoy/extensions/filters/common/set_filter_state/v3/value.proto";
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.network.set_filter_state.v3";
+option java_outer_classname = "SetFilterStateProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/set_filter_state/v3;set_filter_statev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Set-Filter-State Filter]
+//
+// This filter sets or updates the dynamic filter state. See :ref:`the filter
+// documentation ` for more
+// information on how this filter should be used.
+//
+// [#extension: envoy.filters.network.set_filter_state]
+
+message Config {
+ // A sequence of the filter state values to apply in the specified order
+ // when a new connection is received.
+ repeated common.set_filter_state.v3.FilterStateValue on_new_connection = 1;
+
+ // A sequence of the filter state values to apply in the specified order
+ // when the downstream TLS handshake is complete.
+ //
+ // For non-TLS downstream connections (where there is no TLS handshake), this
+ // list is applied when a new connection is received.
+ repeated common.set_filter_state.v3.FilterStateValue on_downstream_tls_handshake = 2;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/4e474273521f8df5a92019d315c4bc4435a04903b0de9fd31d8700d36c88e87058eb07dbeb966abb786d6969182e55c89d16771df219dfd6448f73a0fb01c682 b/modules/sync/envoyproxy/envoy/cas/4e474273521f8df5a92019d315c4bc4435a04903b0de9fd31d8700d36c88e87058eb07dbeb966abb786d6969182e55c89d16771df219dfd6448f73a0fb01c682
new file mode 100644
index 00000000..2093797c
--- /dev/null
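Review bot: The `on_downstream_tls_handshake` comment says that for non-TLS connections the list "is applied when a new connection is received", which is the same moment as `on_new_connection`, but the relative order of the two lists in that case is not stated, and it matters when both write the same filter state key (the later write wins). I would add `// In that case it is applied after on_new_connection, so entries here take precedence for the same key.` (or the reverse, once confirmed against the filter). A reader choosing `on_downstream_tls_handshake` for TLS-derived values should also be told that for plaintext connections those values are set without any handshake having occurred, which the current wording only implies.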
+++ b/modules/sync/envoyproxy/envoy/cas/4e474273521f8df5a92019d315c4bc4435a04903b0de9fd31d8700d36c88e87058eb07dbeb966abb786d6969182e55c89d16771df219dfd6448f73a0fb01c682 
@@ -0,0 +1,80 @@ +syntax = "proto3"; + +package envoy.extensions.http.ext_proc.processing_request_modifiers.mapped_attribute_builder.v3; + +import "xds/annotations/v3/status.proto"; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.http.ext_proc.processing_request_modifiers.mapped_attribute_builder.v3"; +option java_outer_classname = "MappedAttributeBuilderProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/http/ext_proc/processing_request_modifiers/mapped_attribute_builder/v3;mapped_attribute_builderv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; +option (xds.annotations.v3.file_status).work_in_progress = true; + +// [#protodoc-title: Mapped Attribute Builder for the external processor] +// [#extension: envoy.http.ext_proc.processing_request_modifiers.mapped_attribute_builder] + +// Extension to build custom attributes in the :ref:`request +// ` based on a configurable mapping. The +// native implementation uses the CEL expression as the key, which is not always desirable. Using this +// extension, one can re-map a CEL expression that references internal filter state into a more +// user-friendly key that decouples the value from the underlying filter implementation. +// +// If a given CEL expression fails to eval, it will not be present in the attributes struct. +// +// If this extension is configured, then the original :ref:`ProcessingRequest +// `'s ``request_attributes`` are ignored, +// and all attributes should be explicitly set via this extension. +// +// An example configuration may look like so: +// +// .. 
code-block:: yaml +// +// mapped_request_attributes: +// "request.path": "request.path" +// "source.country": "metadata.filter_metadata['com.example.location_filter']['country_code']" +// +// In the above example, the complex filter_metadata expression is evaluated via CEL, and the value +// is stored under the friendlier ``source.country`` key. ``The ProcessingRequest`` would look like: +// +// .. code-block:: text +// +// attributes { +// key: "envoy.filters.http.ext_proc" +// value { +// fields { +// key: "request.path" +// value { +// string_value: "/profile" +// } +// } +// fields { +// key: "source.country" +// value { +// string_value: "US" +// } +// } +// } +// } +// +// .. note:: +// Processing request modifiers are currently in alpha. +// +message MappedAttributeBuilder { + // A map of request attributes to set in the attributes struct. + // The key is the attribute name, the value is the attribute value, + // interpretable by CEL. This allows for the re-mapping of attributes, which is not supported + // by the native attribute building logic. + map mapped_request_attributes = 1; + + // Similar to ``mapped_request_attributes``, but for response attributes. The + // response nomenclature here just indicates that the attributes, whatever they may be, are sent + // with a response headers, body, or trailers ext_proc call. + // If a value contains a request key, e.g., ``request.host``, then the attribute would + // just be sent along in the response. This is useful if a given ext_proc extension is only + // enabled for response handling, e.g., ``RESPONSE_HEADERS`` but the backend wants to access request + // metadata. + map mapped_response_attributes = 2; +} 
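Review bot: The message comment states that a CEL expression which fails to evaluate "will not be present in the attributes struct", but it does not say whether that failure is logged or counted, so a misconfigured expression is indistinguishable to the ext_proc backend from a legitimately absent attribute; if the backend makes decisions on keys like `source.country`, silent absence is the wrong default to leave undocumented. I would extend that paragraph with `// Evaluation failures are reported via <stat or log — confirm>; backends should treat a missing attribute as unknown rather than as a permitted value.`, with the placeholder filled in from the implementation. On this rendering the `map` value types have been stripped, so the field lines read `map mapped_request_attributes = 1;`; that is a page artifact, not a file defect.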
diff --git a/modules/sync/envoyproxy/envoy/cas/4f7867b0773a6edbbff3f6032fb65b475a5cee759f6662696a55d74c25d4bb96c288630f05d6c12ba2806ee9a5e5fddf7ab2520840913725cfdebb6b588ee702 b/modules/sync/envoyproxy/envoy/cas/4f7867b0773a6edbbff3f6032fb65b475a5cee759f6662696a55d74c25d4bb96c288630f05d6c12ba2806ee9a5e5fddf7ab2520840913725cfdebb6b588ee702
new file mode 100644
index 00000000..7f0defc7
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/4f7867b0773a6edbbff3f6032fb65b475a5cee759f6662696a55d74c25d4bb96c288630f05d6c12ba2806ee9a5e5fddf7ab2520840913725cfdebb6b588ee702
@@ -0,0 +1,65 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.udp.dynamic_modules.v3;
+
+import "envoy/extensions/dynamic_modules/v3/dynamic_modules.proto";
+
+import "google/protobuf/any.proto";
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.udp.dynamic_modules.v3";
+option java_outer_classname = "DynamicModulesProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/udp/dynamic_modules/v3;dynamic_modulesv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Dynamic Modules UDP Listener Filter]
+// [#extension: envoy.filters.udp_listener.dynamic_modules]
+
+// Configuration for the Dynamic Modules UDP listener filter. This filter allows loading shared object
+// files that can be loaded via ``dlopen`` to extend the UDP listener filter chain.
+//
+// A module can be loaded by multiple UDP listener filters; the module is loaded only once and shared
+// across multiple filters.
+message DynamicModuleUdpListenerFilter {
+ // Specifies the shared-object level configuration.
+ envoy.extensions.dynamic_modules.v3.DynamicModuleConfig dynamic_module_config = 1;
+
+ // The name for this filter configuration.
+ //
+ // This can be used to distinguish between different filter implementations inside a dynamic
+ // module. For example, a module can have completely different filter implementations. When Envoy
+ // receives this configuration, it passes the ``filter_name`` to the dynamic module's UDP listener
+ // filter config init function together with the ``filter_config``. That way a module can decide
+ // which in-module filter implementation to use based on the name at load time.
+ string filter_name = 2;
+
+ // The configuration for the filter chosen by ``filter_name``.
+ //
+ // This is passed to the module's UDP listener filter initialization function. Together with the
+ // ``filter_name``, the module can decide which in-module filter implementation to use and
+ // fine-tune the behavior of the filter.
+ //
+ // For example, if a module has two filter implementations, one for echo and one for rate
+ // limiting, ``filter_name`` is used to choose either echo or rate limiting. The
+ // ``filter_config`` can be used to configure the echo behavior or the rate limiting parameters.
+ //
+ // ``google.protobuf.Struct`` is serialized as JSON before passing it to the module.
+ // ``google.protobuf.BytesValue`` and ``google.protobuf.StringValue`` are passed directly
+ // without the wrapper.
+ //
+ // .. code-block:: yaml
+ //
+ // # Passing a string value
+ // filter_config:
+ // "@type": "type.googleapis.com/google.protobuf.StringValue"
+ // value: hello
+ //
+ // # Passing raw bytes
+ // filter_config:
+ // "@type": "type.googleapis.com/google.protobuf.BytesValue"
+ // value: aGVsbG8= # echo -n "hello" | base64
+ //
+ google.protobuf.Any filter_config = 3;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/507a8d9386faae791f5ea7cc6b5de36e64384b327e1b9a1738a108783695f21d05108d9aa049668e7b5dca7575e7928229ac2728312523de96648a58949c940f b/modules/sync/envoyproxy/envoy/cas/507a8d9386faae791f5ea7cc6b5de36e64384b327e1b9a1738a108783695f21d05108d9aa049668e7b5dca7575e7928229ac2728312523de96648a58949c940f
new file mode 100644
index 00000000..f64ebdf4
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/507a8d9386faae791f5ea7cc6b5de36e64384b327e1b9a1738a108783695f21d05108d9aa049668e7b5dca7575e7928229ac2728312523de96648a58949c940f
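Review bot: The message comment explains that the filter loads shared objects via `dlopen` but never states the trust boundary that follows from it: a loaded module runs in-process with Envoy's full privileges, so whoever can set `dynamic_module_config` can run arbitrary native code as the proxy, and the xDS or bootstrap source for this field has to be trusted accordingly. I would add, after the `dlopen` sentence, `// A loaded module executes in the Envoy process with its privileges; treat the module path and this configuration as code, not data.` The `filter_config` comment also says `Struct` is serialized to JSON and `BytesValue`/`StringValue` are unwrapped, but not what happens for any other `Any` type; one line such as `// Other message types are rejected at configuration load time.` (or passed serialized, if that is the actual behavior) would close that gap. The referenced `DynamicModuleConfig` lives in a separate file, so whether it already documents the trust boundary cannot be checked here.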
@@ -0,0 +1,249 @@
+syntax = "proto3";
+
+package istio.workload;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.istio.workload";
+option java_outer_classname = "DiscoveryProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/contrib/istio/workload";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+//
+// Warning: Derived from
+// https://github.com/istio/ztunnel/blob/e36680f1534fae3d158964500ae9185495ec5d7b/proto/workload.proto
+// with the following changes:
+//
+// 1) change go_package;
+// 2) append bootstrap extension stub;
+
+// NetworkMode indicates how the addresses of the workload should be treated.
+enum NetworkMode {
+ // STANDARD means that the workload is uniquely identified by its address (within its network).
+ STANDARD = 0;
+
+ // HOST_NETWORK means the workload has an IP address that is shared by many workloads. The data plane should avoid
+ // attempting to lookup these workloads by IP address (which could return the wrong result).
+ HOST_NETWORK = 1;
+}
+
+enum WorkloadStatus {
+ // Workload is healthy and ready to serve traffic.
+ HEALTHY = 0;
+
+ // Workload is unhealthy and NOT ready to serve traffic.
+ UNHEALTHY = 1;
+}
+
+enum WorkloadType {
+ DEPLOYMENT = 0;
+ CRONJOB = 1;
+ POD = 2;
+ JOB = 3;
+}
+
+// TunnelProtocol indicates the tunneling protocol for requests.
+enum TunnelProtocol {
+ // NONE means requests should be forwarded as-is, without tunneling.
+ NONE = 0;
+
+ // HBONE means requests should be tunneled over HTTP.
+ // This does not dictate HTTP/1.1 vs HTTP/2; ALPN should be used for that purpose.
+ HBONE = 1;
+ // Future options may include things like QUIC/HTTP3, etc.
+}
+
+// Workload represents a workload - an endpoint (or collection behind a hostname).
+// The xds primary key is "uid" as defined on the workload below.
+// Secondary (alias) keys are the unique ``network/IP`` pairs that the workload can be reached at.
+// [#next-free-field: 26]
+message Workload {
+ reserved 15;
+
+ // UID represents a globally unique opaque identifier for this workload.
+ // For k8s resources, it is recommended to use the more readable format:
+ //
+ // cluster/group/kind/namespace/name/section-name
+ //
+ // As an example, a ServiceEntry with two WorkloadEntries inlined could become
+ // two Workloads with the following UIDs:
+ // - cluster1/networking.istio.io/v1alpha3/ServiceEntry/default/external-svc/endpoint1
+ // - cluster1/networking.istio.io/v1alpha3/ServiceEntry/default/external-svc/endpoint2
+ //
+ // For VMs and other workloads other formats are also supported; for example,
+ // a single UID string: "0ae5c03d-5fb3-4eb9-9de8-2bd4b51606ba"
+ string uid = 20;
+
+ // Name represents the name for the workload.
+ // For Kubernetes, this is the pod name.
+ // This is just for debugging and may be elided as an optimization.
+ string name = 1;
+
+ // Namespace represents the namespace for the workload.
+ // This is just for debugging and may be elided as an optimization.
+ string namespace = 2;
+
+ // Address represents the IPv4/IPv6 address for the workload.
+ // This should be globally unique.
+ // This should not have a port number.
+ // Each workload must have at least either an address or hostname; not both.
+ repeated bytes addresses = 3;
+
+ // The hostname for the workload to be resolved by the ztunnel.
+ // DNS queries are sent on-demand by default.
+ // If the resolved DNS query has several endpoints, the request will be forwarded
+ // to the first response.
+ //
+ // At a minimum, each workload must have either an address or hostname. For example,
+ // a workload that backs a Kubernetes service will typically have only endpoints. A
+ // workload that backs a headless Kubernetes service, however, will have both
+ // addresses as well as a hostname used for direct access to the headless endpoint.
+ string hostname = 21;
+
+ // Network represents the network this workload is on.
This may be elided for the default network.
+ // A (network,address) pair makeup a unique key for a workload *at a point in time*.
+ string network = 4;
+
+ // Protocol that should be used to connect to this workload.
+ TunnelProtocol tunnel_protocol = 5;
+
+ // The SPIFFE identity of the workload. The identity is joined to form spiffe:///ns//sa/.
+ // TrustDomain of the workload. May be elided if this is the mesh wide default (typically cluster.local)
+ string trust_domain = 6;
+
+ // ServiceAccount of the workload. May be elided if this is "default"
+ string service_account = 7;
+
+ // If present, the waypoint proxy for this workload.
+ // All incoming requests must go through the waypoint.
+ GatewayAddress waypoint = 8;
+
+ // If present, East West network gateway this workload can be reached through.
+ // Requests from remote networks should traverse this gateway.
+ GatewayAddress network_gateway = 19;
+
+ // Name of the node the workload runs on
+ string node = 9;
+
+ // CanonicalName for the workload. Used for telemetry.
+ string canonical_name = 10;
+
+ // CanonicalRevision for the workload. Used for telemetry.
+ string canonical_revision = 11;
+
+ // WorkloadType represents the type of the workload. Used for telemetry.
+ WorkloadType workload_type = 12;
+
+ // WorkloadName represents the name for the workload (of type WorkloadType). Used for telemetry.
+ string workload_name = 13;
+
+ // If set, this indicates a workload expects to directly receive tunnel traffic.
+ // In ztunnel, this means:
+ // * Requests *from* this workload do not need to be tunneled if they already are tunneled by the tunnel_protocol.
+ // * Requests *to* this workload, via the tunnel_protocol, do not need to be de-tunneled.
+ bool native_tunnel = 14;
+
+ // If an application, such as a sandwiched waypoint proxy, supports directly
+ // receiving information from zTunnel they can set application_protocol.
+ ApplicationTunnel application_tunnel = 23;
+
+ // The services for which this workload is an endpoint.
+ // The key is the NamespacedHostname string of the format namespace/hostname.
+ map services = 22;
+
+ // A list of authorization policies applicable to this workload.
+ // NOTE: this *only* includes Selector based policies. Namespace and global polices
+ // are returned out of band.
+ // Authorization policies are only valid for workloads with ``addresses`` rather than ``hostname``.
+ repeated string authorization_policies = 16;
+
+ WorkloadStatus status = 17;
+
+ // The cluster ID that the workload instance belongs to
+ string cluster_id = 18;
+
+ // The Locality defines information about where a workload is geographically deployed
+ Locality locality = 24;
+
+ NetworkMode network_mode = 25;
+}
+
+message Locality {
+ string region = 1;
+
+ string zone = 2;
+
+ string subzone = 3;
+}
+
+// This represents the ports for a service
+message PortList {
+ repeated Port ports = 1;
+}
+
+message Port {
+ // Port the service is reached at (frontend).
+ uint32 service_port = 1;
+
+ // Port the service forwards to (backend).
+ uint32 target_port = 2;
+}
+
+// ApplicationProtocol specifies a workload (application or gateway) can
+// consume tunnel information.
+message ApplicationTunnel {
+ enum Protocol {
+ // Bytes are copied from the inner stream without modification.
+ NONE = 0;
+
+ // Prepend PROXY protocol headers before copying bytes
+ // Standard PROXY source and destination information
+ // is included, along with potential extra TLV headers:
+ // 0xD0 - The SPIFFE identity of the source workload
+ // 0xD1 - The FQDN or Hostname of the targeted Service
+ PROXY = 1;
+ }
+
+ // A target natively handles this type of traffic.
+ Protocol protocol = 1;
+
+ // optional: if set, traffic should be sent to this port after the last zTunnel hop
+ uint32 port = 2;
+}
+
+// GatewayAddress represents the address of a gateway
+message GatewayAddress {
+ reserved 4;
+
+ reserved "hbone_single_tls_port";
+
+ // address can either be a hostname (ex: gateway.example.com) or an IP (ex: 1.2.3.4).
+ oneof destination {
+ // TODO: add support for hostname lookup
+ NamespacedHostname hostname = 1;
+
+ NetworkAddress address = 2;
+ }
+
+ // port to reach the gateway at for mTLS HBONE connections
+ uint32 hbone_mtls_port = 3;
+}
+
+// NetworkAddress represents an address bound to a specific network.
+message NetworkAddress {
+ // Network represents the network this address is on.
+ string network = 1;
+
+ // Address presents the IP (v4 or v6).
+ bytes address = 2;
+}
+
+// NamespacedHostname represents a service bound to a specific namespace.
+message NamespacedHostname {
+ // The namespace the service is in.
+ string namespace = 1;
+
+ // hostname (ex: gateway.example.com)
+ string hostname = 2;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/51ab5857cad263ce58c510f0da0b06eee859677c39da016d6924a2c56a8fdc49e9b07c646d8b2dd518859f467be85aa333c8640fe604e65bbacad6e5cef0ded6 b/modules/sync/envoyproxy/envoy/cas/51ab5857cad263ce58c510f0da0b06eee859677c39da016d6924a2c56a8fdc49e9b07c646d8b2dd518859f467be85aa333c8640fe604e65bbacad6e5cef0ded6
new file mode 100644
index 00000000..4587ef10
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/51ab5857cad263ce58c510f0da0b06eee859677c39da016d6924a2c56a8fdc49e9b07c646d8b2dd518859f467be85aa333c8640fe604e65bbacad6e5cef0ded6
@@ -0,0 +1,2918 @@
+syntax = "proto3";
+
+package envoy.config.route.v3;
+
+import "envoy/config/common/mutation_rules/v3/mutation_rules.proto";
+import "envoy/config/core/v3/base.proto";
+import "envoy/config/core/v3/extension.proto";
+import "envoy/config/core/v3/proxy_protocol.proto";
+import "envoy/config/core/v3/substitution_format_string.proto";
+import "envoy/type/matcher/v3/filter_state.proto";
+import "envoy/type/matcher/v3/metadata.proto";
+import "envoy/type/matcher/v3/regex.proto";
+import "envoy/type/matcher/v3/string.proto";
+import "envoy/type/metadata/v3/metadata.proto";
+import "envoy/type/tracing/v3/custom_tag.proto";
+import "envoy/type/v3/percent.proto";
+import "envoy/type/v3/range.proto";
+
+import "google/protobuf/any.proto";
+import "google/protobuf/duration.proto";
+import "google/protobuf/wrappers.proto";
+
+import "xds/type/matcher/v3/matcher.proto";
+
+import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/migrate.proto";
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.config.route.v3";
+option java_outer_classname = "RouteComponentsProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/route/v3;routev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: HTTP route components]
+// * Routing :ref:`architecture overview `
+// * HTTP :ref:`router filter `
+
+// The top level element in the routing configuration is a virtual host. Each virtual host has
+// a logical name as well as a set of domains that get routed to it based on the incoming request's
+// host header. This allows a single listener to service multiple top level domain path trees.
Once
+// a virtual host is selected based on the domain, the routes are processed in order to see which
+// upstream cluster to route to or whether to perform a redirect.
+// [#next-free-field: 26]
+message VirtualHost {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.VirtualHost";
+
+ enum TlsRequirementType {
+ // No TLS requirement for the virtual host.
+ NONE = 0;
+
+ // External requests must use TLS. If a request is external and it is not
+ // using TLS, a 301 redirect will be sent telling the client to use HTTPS.
+ EXTERNAL_ONLY = 1;
+
+ // All requests must use TLS. If a request is not using TLS, a 301 redirect
+ // will be sent telling the client to use HTTPS.
+ ALL = 2;
+ }
+
+ reserved 9, 12;
+
+ reserved "per_filter_config";
+
+ // The logical name of the virtual host. This is used when emitting certain
+ // statistics but is not relevant for routing.
+ string name = 1 [(validate.rules).string = {min_len: 1}];
+
+ // A list of domains (host/authority header) that will be matched to this
+ // virtual host. Wildcard hosts are supported in the suffix or prefix form.
+ //
+ // Domain search order:
+ // 1. Exact domain names: ``www.foo.com``.
+ // 2. Suffix domain wildcards: ``*.foo.com`` or ``*-bar.foo.com``.
+ // 3. Prefix domain wildcards: ``foo.*`` or ``foo-*``.
+ // 4. Special wildcard ``*`` matching any domain.
+ //
+ // .. note::
+ //
+ // The wildcard will not match the empty string.
+ // For example, ``*-bar.foo.com`` will match ``baz-bar.foo.com`` but not ``-bar.foo.com``.
+ // The longest wildcards match first.
+ // Only a single virtual host in the entire route configuration can match on ``*``. A domain
+ // must be unique across all virtual hosts or the config will fail to load.
+ //
+ // Domains cannot contain control characters. This is validated by the well_known_regex HTTP_HEADER_VALUE.
+ repeated string domains = 2 [(validate.rules).repeated = {
+ min_items: 1
+ items {string {well_known_regex: HTTP_HEADER_VALUE strict: false}}
+ }];
+
+ // The list of routes that will be matched, in order, for incoming requests.
+ // The first route that matches will be used.
+ // Only one of this and ``matcher`` can be specified.
+ repeated Route routes = 3 [(udpa.annotations.field_migrate).oneof_promotion = "route_selection"];
+
+ // The match tree to use when resolving route actions for incoming requests. Only one of this and ``routes``
+ // can be specified.
+ xds.type.matcher.v3.Matcher matcher = 21
+ [(udpa.annotations.field_migrate).oneof_promotion = "route_selection"];
+
+ // Specifies the type of TLS enforcement the virtual host expects. If this option is not
+ // specified, there is no TLS requirement for the virtual host.
+ TlsRequirementType require_tls = 4 [(validate.rules).enum = {defined_only: true}];
+
+ // A list of virtual clusters defined for this virtual host. Virtual clusters
+ // are used for additional statistics gathering.
+ repeated VirtualCluster virtual_clusters = 5;
+
+ // Specifies a set of rate limit configurations that will be applied to the
+ // virtual host.
+ repeated RateLimit rate_limits = 6;
+
+ // Specifies a list of HTTP headers that should be added to each request
+ // handled by this virtual host. Headers specified at this level are applied
+ // after headers from enclosed :ref:`envoy_v3_api_msg_config.route.v3.Route` and before headers from the
+ // enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including
+ // details on header value syntax, see the documentation on :ref:`custom request headers
+ // `.
+ repeated core.v3.HeaderValueOption request_headers_to_add = 7
+ [(validate.rules).repeated = {max_items: 1000}];
+
+ // Specifies a list of HTTP headers that should be removed from each request
+ // handled by this virtual host.
+ repeated string request_headers_to_remove = 13 [(validate.rules).repeated = {
+ items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
+ }];
+
+ // Specifies a list of HTTP headers that should be added to each response
+ // handled by this virtual host. Headers specified at this level are applied
+ // after headers from enclosed :ref:`envoy_v3_api_msg_config.route.v3.Route` and before headers from the
+ // enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including
+ // details on header value syntax, see the documentation on :ref:`custom request headers
+ // `.
+ repeated core.v3.HeaderValueOption response_headers_to_add = 10
+ [(validate.rules).repeated = {max_items: 1000}];
+
+ // Specifies a list of HTTP headers that should be removed from each response
+ // handled by this virtual host.
+ repeated string response_headers_to_remove = 11 [(validate.rules).repeated = {
+ items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
+ }];
+
+ // Indicates that the virtual host has a CORS policy. This field is ignored if related cors policy is
+ // found in the
+ // :ref:`VirtualHost.typed_per_filter_config`.
+ //
+ // .. attention::
+ //
+ // This option has been deprecated. Please use
+ // :ref:`VirtualHost.typed_per_filter_config`
+ // to configure the CORS HTTP filter.
+ CorsPolicy cors = 8 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // This field can be used to provide virtual host level per filter config. The key should match the
+ // :ref:`filter config name
+ // `.
+ // See :ref:`HTTP filter route-specific config `
+ // for details.
+ // [#comment: An entry's value may be wrapped in a
+ // :ref:`FilterConfig`
+ // message to specify additional options.]
+ map typed_per_filter_config = 15;
+
+ // Decides whether the :ref:`x-envoy-attempt-count
+ // ` header should be included
+ // in the upstream request.
Setting this option will cause it to override any existing header
+ // value, so in the case of two Envoys on the request path with this option enabled, the upstream
+ // will see the attempt count as perceived by the second Envoy.
+ //
+ // Defaults to ``false``.
+ //
+ // This header is unaffected by the
+ // :ref:`suppress_envoy_headers
+ // ` flag.
+ //
+ // [#next-major-version: rename to include_attempt_count_in_request.]
+ bool include_request_attempt_count = 14;
+
+ // Decides whether the :ref:`x-envoy-attempt-count
+ // ` header should be included
+ // in the downstream response. Setting this option will cause the router to override any existing header
+ // value, so in the case of two Envoys on the request path with this option enabled, the downstream
+ // will see the attempt count as perceived by the Envoy closest upstream from itself.
+ //
+ // Defaults to ``false``.
+ //
+ // This header is unaffected by the
+ // :ref:`suppress_envoy_headers
+ // ` flag.
+ bool include_attempt_count_in_response = 19;
+
+ // Indicates the retry policy for all routes in this virtual host. Note that setting a
+ // route level entry will take precedence over this config and it'll be treated
+ // independently (e.g., values are not inherited).
+ RetryPolicy retry_policy = 16;
+
+ // [#not-implemented-hide:]
+ // Specifies the configuration for retry policy extension. Note that setting a route level entry
+ // will take precedence over this config and it'll be treated independently (e.g., values are not
+ // inherited). :ref:`Retry policy ` should not be
+ // set if this field is used.
+ google.protobuf.Any retry_policy_typed_config = 20;
+
+ // Indicates the hedge policy for all routes in this virtual host. Note that setting a
+ // route level entry will take precedence over this config and it'll be treated
+ // independently (e.g., values are not inherited).
+ HedgePolicy hedge_policy = 17;
+
+ // Decides whether to include the :ref:`x-envoy-is-timeout-retry `
+ // request header in retries initiated by per-try timeouts.
+ bool include_is_timeout_retry_header = 23;
+
+ // The maximum bytes which will be buffered for retries and shadowing. If set, the bytes actually buffered will be
+ // the minimum value of this and the listener ``per_connection_buffer_limit_bytes``.
+ //
+ // .. attention::
+ //
+ // This field has been deprecated. Please use :ref:`request_body_buffer_limit
+ // ` instead.
+ // Only one of ``per_request_buffer_limit_bytes`` and ``request_body_buffer_limit`` could be set.
+ google.protobuf.UInt32Value per_request_buffer_limit_bytes = 18
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // The maximum bytes which will be buffered for request bodies to support large request body
+ // buffering beyond the ``per_connection_buffer_limit_bytes``.
+ //
+ // This limit is specifically for the request body buffering and allows buffering larger payloads while maintaining
+ // flow control.
+ //
+ // Buffer limit precedence (from highest to lowest priority):
+ //
+ // 1. If ``request_body_buffer_limit`` is set, then ``request_body_buffer_limit`` will be used.
+ // 2. If :ref:`per_request_buffer_limit_bytes `
+ // is set but ``request_body_buffer_limit`` is not, then ``min(per_request_buffer_limit_bytes, per_connection_buffer_limit_bytes)``
+ // will be used.
+ // 3. If neither is set, then ``per_connection_buffer_limit_bytes`` will be used.
+ //
+ // For flow control chunk sizes, ``min(per_connection_buffer_limit_bytes, 16KB)`` will be used.
+ //
+ // Only one of :ref:`per_request_buffer_limit_bytes `
+ // and ``request_body_buffer_limit`` could be set.
+ google.protobuf.UInt64Value request_body_buffer_limit = 25
+ [(validate.rules).message = {required: false}];
+
+ // Specify a set of default request mirroring policies for every route under this virtual host.
+ // It takes precedence over the route config mirror policy entirely.
+ // That is, policies are not merged, the most specific non-empty one becomes the mirror policies.
+ repeated RouteAction.RequestMirrorPolicy request_mirror_policies = 22;
+
+ // The metadata field can be used to provide additional information
+ // about the virtual host. It can be used for configuration, stats, and logging.
+ // The metadata should go under the filter namespace that will need it.
+ // For instance, if the metadata is intended for the Router filter,
+ // the filter name should be specified as ``envoy.filters.http.router``.
+ core.v3.Metadata metadata = 24;
+}
+
+// A filter-defined action type.
+message FilterAction {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.FilterAction";
+
+ google.protobuf.Any action = 1;
+}
+
+// This can be used in route matcher :ref:`VirtualHost.matcher `.
+// When the matcher matches, routes will be matched and run.
+message RouteList {
+ // The list of routes that will be matched and run, in order. The first route that matches will be used.
+ repeated Route routes = 1;
+}
+
+// A route is both a specification of how to match a request as well as an indication of what to do
+// next (e.g., redirect, forward, rewrite, etc.).
+//
+// .. attention::
+//
+// Envoy supports routing on HTTP method via :ref:`header matching
+// `.
+// [#next-free-field: 21]
+message Route {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.Route";
+
+ reserved 6, 8;
+
+ reserved "per_filter_config";
+
+ // Name for the route.
+ string name = 14;
+
+ // Route matching parameters.
+ RouteMatch match = 1 [(validate.rules).message = {required: true}];
+
+ oneof action {
+ option (validate.required) = true;
+
+ // Route request to some upstream cluster.
+ RouteAction route = 2;
+
+ // Return a redirect.
+ RedirectAction redirect = 3;
+
+ // Return an arbitrary HTTP response directly, without proxying.
+ DirectResponseAction direct_response = 7;
+
+ // [#not-implemented-hide:]
+ // A filter-defined action (e.g., it could dynamically generate the RouteAction).
+ // [#comment: TODO(samflattery): Remove cleanup in route_fuzz_test.cc when
+ // implemented]
+ FilterAction filter_action = 17;
+
+ // [#not-implemented-hide:]
+ // An action used when the route will generate a response directly,
+ // without forwarding to an upstream host. This will be used in non-proxy
+ // xDS clients like the gRPC server. It could also be used in the future
+ // in Envoy for a filter that directly generates responses for requests.
+ NonForwardingAction non_forwarding_action = 18;
+ }
+
+ // The Metadata field can be used to provide additional information
+ // about the route. It can be used for configuration, stats, and logging.
+ // The metadata should go under the filter namespace that will need it.
+ // For instance, if the metadata is intended for the Router filter,
+ // the filter name should be specified as ``envoy.filters.http.router``.
+ core.v3.Metadata metadata = 4;
+
+ // Decorator for the matched route.
+ Decorator decorator = 5;
+
+ // This field can be used to provide route specific per filter config. The key should match the
+ // :ref:`filter config name
+ // `.
+ // See :ref:`HTTP filter route-specific config `
+ // for details.
+ // [#comment: An entry's value may be wrapped in a
+ // :ref:`FilterConfig`
+ // message to specify additional options.]
+ map typed_per_filter_config = 13;
+
+ // Specifies a set of headers that will be added to requests matching this
+ // route. Headers specified at this level are applied before headers from the
+ // enclosing :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost` and
+ // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including details on
+ // header value syntax, see the documentation on :ref:`custom request headers
+ // `.
+ repeated core.v3.HeaderValueOption request_headers_to_add = 9
+ [(validate.rules).repeated = {max_items: 1000}];
+
+ // Specifies a list of HTTP headers that should be removed from each request
+ // matching this route.
+ repeated string request_headers_to_remove = 12 [(validate.rules).repeated = {
+ items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
+ }];
+
+ // Specifies a set of headers that will be added to responses to requests
+ // matching this route. Headers specified at this level are applied before
+ // headers from the enclosing :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost` and
+ // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including
+ // details on header value syntax, see the documentation on
+ // :ref:`custom request headers `.
+ repeated core.v3.HeaderValueOption response_headers_to_add = 10
+ [(validate.rules).repeated = {max_items: 1000}];
+
+ // Specifies a list of HTTP headers that should be removed from each response
+ // to requests matching this route.
+ repeated string response_headers_to_remove = 11 [(validate.rules).repeated = {
+ items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}}
+ }];
+
+ // Presence of the object defines whether the connection manager's tracing configuration
+ // is overridden by this route specific instance.
+ Tracing tracing = 15;
+
+ // The maximum bytes which will be buffered for retries and shadowing.
+ // If set, the bytes actually buffered will be the minimum value of this and the
+ // listener per_connection_buffer_limit_bytes.
+ //
+ // .. attention::
+ //
+ // This field has been deprecated. Please use :ref:`request_body_buffer_limit
+ // ` instead.
+ // Only one of ``per_request_buffer_limit_bytes`` and ``request_body_buffer_limit`` may be set.
+ google.protobuf.UInt32Value per_request_buffer_limit_bytes = 16
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // The human readable prefix to use when emitting statistics for this endpoint.
+ // The statistics are rooted at vhost..route..
+ // This should be set for highly critical
+ // endpoints that one wishes to get “per-route” statistics on.
+ // If not set, endpoint statistics are not generated.
+ //
+ // The emitted statistics are the same as those documented for :ref:`virtual clusters `.
+ //
+ // .. warning::
+ //
+ // We do not recommend setting up a stat prefix for
+ // every application endpoint. This is both not easily maintainable and
+ // statistics use a non-trivial amount of memory (approximately 1KiB per route).
+ string stat_prefix = 19;
+
+ // The maximum bytes which will be buffered for request bodies to support large request body
+ // buffering beyond the ``per_connection_buffer_limit_bytes``.
+ //
+ // This limit is specifically for the request body buffering and allows buffering larger payloads while maintaining
+ // flow control.
+ //
+ // Buffer limit precedence (from highest to lowest priority):
+ //
+ // 1. If ``request_body_buffer_limit`` is set: use ``request_body_buffer_limit``
+ // 2. If :ref:`per_request_buffer_limit_bytes `
+ // is set but ``request_body_buffer_limit`` is not: use ``min(per_request_buffer_limit_bytes, per_connection_buffer_limit_bytes)``
+ // 3. If neither is set: use ``per_connection_buffer_limit_bytes``
+ //
+ // For flow control chunk sizes, use ``min(per_connection_buffer_limit_bytes, 16KB)``.
+ //
+ // Only one of :ref:`per_request_buffer_limit_bytes `
+ // and ``request_body_buffer_limit`` may be set.
+ google.protobuf.UInt64Value request_body_buffer_limit = 20;
+}
+
+// Compared to the :ref:`cluster ` field that specifies a
+// single upstream cluster as the target of a request, the :ref:`weighted_clusters
+// ` option allows for specification of
+// multiple upstream clusters along with weights that indicate the percentage of
+// traffic to be forwarded to each cluster. The router selects an upstream cluster based on the
+// weights.
+// [#next-free-field: 6]
+message WeightedCluster {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.WeightedCluster";
+
+ // [#next-free-field: 13]
+ message ClusterWeight {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.route.WeightedCluster.ClusterWeight";
+
+ reserved 7, 8;
+
+ reserved "per_filter_config";
+
+ // Only one of ``name`` and ``cluster_header`` may be specified.
+ // [#next-major-version: Need to add back the validation rule: (validate.rules).string = {min_len: 1}]
+ // Name of the upstream cluster. The cluster must exist in the
+ // :ref:`cluster manager configuration `.
+ string name = 1 [(udpa.annotations.field_migrate).oneof_promotion = "cluster_specifier"];
+
+ // Only one of ``name`` and ``cluster_header`` may be specified.
+ // [#next-major-version: Need to add back the validation rule: (validate.rules).string = {min_len: 1 }]
+ // Envoy will determine the cluster to route to by reading the value of the
+ // HTTP header named by cluster_header from the request headers. If the
+ // header is not found or the referenced cluster does not exist, Envoy will
+ // return a 404 response.
+ //
+ // .. attention::
+ //
+ // Internally, Envoy always uses the HTTP/2 ``:authority`` header to represent the HTTP/1
+ // ``Host`` header. Thus, if attempting to match on ``Host``, match on ``:authority`` instead.
+ //
+ // .. note::
+ //
+ // If the header appears multiple times only the first value is used.
+ string cluster_header = 12 [
+ (validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false},
+ (udpa.annotations.field_migrate).oneof_promotion = "cluster_specifier"
+ ];
+
+ // The weight of the cluster. This value is relative to the other clusters'
+ // weights. When a request matches the route, the choice of an upstream cluster
+ // is determined by its weight. The sum of weights across all
+ // entries in the clusters array must be greater than 0, and must not exceed
+ // uint32_t maximal value (4294967295).
+ google.protobuf.UInt32Value weight = 2;
+
+ // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints in
+ // the upstream cluster with metadata matching what is set in this field will be considered for
+ // load balancing. Note that this will be merged with what's provided in
+ // :ref:`RouteAction.metadata_match `, with
+ // values here taking precedence. The filter name should be specified as ``envoy.lb``.
+ core.v3.Metadata metadata_match = 3;
+
+ // Specifies a list of headers to be added to requests when this cluster is selected
+ // through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`.
+ // Headers specified at this level are applied before headers from the enclosing
+ // :ref:`envoy_v3_api_msg_config.route.v3.Route`, :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost`, and
+ // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including details on
+ // header value syntax, see the documentation on :ref:`custom request headers
+ // `.
+ repeated core.v3.HeaderValueOption request_headers_to_add = 4
+ [(validate.rules).repeated = {max_items: 1000}];
+
+ // Specifies a list of HTTP headers that should be removed from each request when
+ // this cluster is selected through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`.
+ repeated string request_headers_to_remove = 9 [(validate.rules).repeated = { + items {string {well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; + + // Specifies a list of headers to be added to responses when this cluster is selected + // through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. + // Headers specified at this level are applied before headers from the enclosing + // :ref:`envoy_v3_api_msg_config.route.v3.Route`, :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost`, and + // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including details on + // header value syntax, see the documentation on :ref:`custom request headers + // `. + repeated core.v3.HeaderValueOption response_headers_to_add = 5 + [(validate.rules).repeated = {max_items: 1000}]; + + // Specifies a list of headers to be removed from responses when this cluster is selected + // through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. + repeated string response_headers_to_remove = 6 [(validate.rules).repeated = { + items {string {well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; + + // This field can be used to provide weighted cluster specific per filter config. The key should match the + // :ref:`filter config name + // `. + // See :ref:`HTTP filter route-specific config ` + // for details. + // [#comment: An entry's value may be wrapped in a + // :ref:`FilterConfig` + // message to specify additional options.] + map typed_per_filter_config = 10; + + oneof host_rewrite_specifier { + // Indicates that during forwarding, the host header will be swapped with + // this value. + string host_rewrite_literal = 11 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + } + } + + // Specifies one or more upstream clusters associated with the route. + repeated ClusterWeight clusters = 1 [(validate.rules).repeated = {min_items: 1}]; + + // Specifies the total weight across all clusters. 
The sum of all cluster weights must equal this + // value, if this is greater than 0. + // This field is now deprecated, and the client will use the sum of all + // cluster weights. It is up to the management server to supply the correct weights. + google.protobuf.UInt32Value total_weight = 3 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Specifies the runtime key prefix that should be used to construct the + // runtime keys associated with each cluster. When the ``runtime_key_prefix`` is + // specified, the router will look for weights associated with each upstream + // cluster under the key ``runtime_key_prefix`` + ``.`` + ``cluster[i].name`` where + // ``cluster[i]`` denotes an entry in the clusters array field. If the runtime + // key for the cluster does not exist, the value specified in the + // configuration file will be used as the default weight. See the :ref:`runtime documentation + // ` for how key names map to the underlying implementation. + string runtime_key_prefix = 2; + + oneof random_value_specifier { + // Specifies the header name that is used to look up the random value passed in the request header. + // This is used to ensure consistent cluster picking across multiple proxy levels for weighted traffic. + // If header is not present or invalid, Envoy will fall back to use the internally generated random value. + // This header is expected to be single-valued header as we only want to have one selected value throughout + // the process for the consistency. And the value is a unsigned number between 0 and UINT64_MAX. + string header_name = 4 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // When set to true, the hash policies will be used to generate the random value for weighted cluster selection. + // This could ensure consistent cluster picking across multiple proxy levels for weighted traffic. 
+ google.protobuf.BoolValue use_hash_policy = 5; + } +} + +// Configuration for a cluster specifier plugin. +message ClusterSpecifierPlugin { + // The name of the plugin and its opaque configuration. + // + // [#extension-category: envoy.router.cluster_specifier_plugin] + core.v3.TypedExtensionConfig extension = 1 [(validate.rules).message = {required: true}]; + + // If is_optional is not set or is set to false and the plugin defined by this message is not a + // supported type, the containing resource is NACKed. If is_optional is set to true, the resource + // would not be NACKed for this reason. In this case, routes referencing this plugin's name would + // not be treated as an illegal configuration, but would result in a failure if the route is + // selected. + bool is_optional = 2; +} + +// [#next-free-field: 18] +message RouteMatch { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RouteMatch"; + + message GrpcRouteMatchOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteMatch.GrpcRouteMatchOptions"; + } + + message TlsContextMatchOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteMatch.TlsContextMatchOptions"; + + // If specified, the route will match against whether or not a certificate is presented. + // If not specified, certificate presentation status (true or false) will not be considered when route matching. + google.protobuf.BoolValue presented = 1; + + // If specified, the route will match against whether or not a certificate is validated. + // If not specified, certificate validation status (true or false) will not be considered when route matching. + // + // .. warning:: + // + // Client certificate validation is not currently performed upon TLS session resumption. For + // a resumed TLS session the route will match only when ``validated`` is false, regardless of + // whether the client TLS certificate is valid. 
+ // + // The only known workaround for this issue is to disable TLS session resumption entirely, by + // setting both :ref:`disable_stateless_session_resumption ` + // and :ref:`disable_stateful_session_resumption ` on the DownstreamTlsContext. + google.protobuf.BoolValue validated = 2; + } + + // An extensible message for matching CONNECT or CONNECT-UDP requests. + message ConnectMatcher { + } + + reserved 5, 3; + + reserved "regex"; + + oneof path_specifier { + option (validate.required) = true; + + // If specified, the route is a prefix rule meaning that the prefix must + // match the beginning of the ``:path`` header. + string prefix = 1; + + // If specified, the route is an exact path rule meaning that the path must + // exactly match the ``:path`` header once the query string is removed. + string path = 2; + + // If specified, the route is a regular expression rule meaning that the + // regex must match the ``:path`` header once the query string is removed. The entire path + // (without the query string) must match the regex. The rule will not match if only a + // subsequence of the ``:path`` header matches the regex. + // + // [#next-major-version: In the v3 API we should redo how path specification works such + // that we utilize StringMatcher, and additionally have consistent options around whether we + // strip query strings, do a case-sensitive match, etc. In the interim it will be too disruptive + // to deprecate the existing options. We should even consider whether we want to do away with + // path_specifier entirely and just rely on a set of header matchers which can already match + // on :path, etc. The issue with that is it is unclear how to generically deal with query string + // stripping. This needs more thought.] + type.matcher.v3.RegexMatcher safe_regex = 10 [(validate.rules).message = {required: true}]; + + // If this is used as the matcher, the matcher will only match CONNECT or CONNECT-UDP requests. 
+ // Note that this will not match other Extended CONNECT requests (WebSocket and the like) as + // they are normalized in Envoy as HTTP/1.1 style upgrades. + // This is the only way to match CONNECT requests for HTTP/1.1. For HTTP/2 and HTTP/3, + // where Extended CONNECT requests may have a path, the path matchers will work if + // there is a path present. + // Note that CONNECT support is currently considered alpha in Envoy. + // [#comment: TODO(htuch): Replace the above comment with an alpha tag.] + ConnectMatcher connect_matcher = 12; + + // If specified, the route is a path-separated prefix rule meaning that the + // ``:path`` header (without the query string) must either exactly match the + // ``path_separated_prefix`` or have it as a prefix, followed by ``/`` + // + // For example, ``/api/dev`` would match + // ``/api/dev``, ``/api/dev/``, ``/api/dev/v1``, and ``/api/dev?param=true`` + // but would not match ``/api/developer`` + // + // Expect the value to not contain ``?`` or ``#`` and not to end in ``/`` + string path_separated_prefix = 14 [(validate.rules).string = {pattern: "^[^?#]+[^?#/]$"}]; + + // [#extension-category: envoy.path.match] + core.v3.TypedExtensionConfig path_match_policy = 15; + } + + // Indicates that prefix/path matching should be case-sensitive. The default + // is true. Ignored for safe_regex matching. + google.protobuf.BoolValue case_sensitive = 4; + + // Indicates that the route should additionally match on a runtime key. Every time the route + // is considered for a match, it must also fall under the percentage of matches indicated by + // this field. For some fraction N/D, a random number in the range [0,D) is selected. If the + // number is <= the value of the numerator N, or if the key is not present, the default + // value, the router continues to evaluate the remaining match criteria. A runtime_fraction + // route configuration can be used to roll out route changes in a gradual manner without full + // code/config deploys. 
Refer to the :ref:`traffic shifting + // ` docs for additional documentation. + // + // .. note:: + // + // Parsing this field is implemented such that the runtime key's data may be represented + // as a FractionalPercent proto represented as JSON/YAML and may also be represented as an + // integer with the assumption that the value is an integral percentage out of 100. For + // instance, a runtime key lookup returning the value "42" would parse as a FractionalPercent + // whose numerator is 42 and denominator is HUNDRED. This preserves legacy semantics. + core.v3.RuntimeFractionalPercent runtime_fraction = 9; + + // Specifies a set of headers that the route should match on. The router will + // check the request’s headers against all the specified headers in the route + // config. A match will happen if all the headers in the route are present in + // the request with the same values (or based on presence if the value field + // is not in the config). + repeated HeaderMatcher headers = 6; + + // Specifies a set of URL query parameters on which the route should + // match. The router will check the query string from the ``path`` header + // against all the specified query parameters. If the number of specified + // query parameters is nonzero, they all must match the ``path`` header's + // query string for a match to occur. In the event query parameters are + // repeated, only the first value for each key will be considered. + // + // .. note:: + // + // If query parameters are used to pass request message fields when + // `grpc_json_transcoder `_ + // is used, the transcoded message fields may be different. The query parameters are + // URL-encoded, but the message fields are not. For example, if a query + // parameter is "foo%20bar", the message field will be "foo bar". + repeated QueryParameterMatcher query_parameters = 7; + + // Specifies a set of cookies on which the route should match. 
The router parses the ``Cookie`` + // header and evaluates the named cookie against each matcher. If the number of specified cookie + // matchers is nonzero, they all must match for the route to be selected. + repeated CookieMatcher cookies = 17; + + // If specified, only gRPC requests will be matched. The router will check + // that the ``Content-Type`` header has ``application/grpc`` or one of the various + // ``application/grpc+`` values. + GrpcRouteMatchOptions grpc = 8; + + // If specified, the client tls context will be matched against the defined + // match options. + // + // [#next-major-version: unify with RBAC] + TlsContextMatchOptions tls_context = 11; + + // Specifies a set of dynamic metadata matchers on which the route should match. + // The router will check the dynamic metadata against all the specified dynamic metadata matchers. + // If the number of specified dynamic metadata matchers is nonzero, they all must match the + // dynamic metadata for a match to occur. + repeated type.matcher.v3.MetadataMatcher dynamic_metadata = 13; + + // Specifies a set of filter state matchers on which the route should match. + // The router will check the filter state against all the specified filter state matchers. + // If the number of specified filter state matchers is nonzero, they all must match the + // filter state for a match to occur. + repeated type.matcher.v3.FilterStateMatcher filter_state = 16; +} + +// Cors policy configuration. +// +// .. attention:: +// +// This message has been deprecated. Please use +// :ref:`CorsPolicy in filter extension ` +// as as alternative. +// +// [#next-free-field: 14] +message CorsPolicy { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.CorsPolicy"; + + reserved 1, 8, 7; + + reserved "allow_origin", "allow_origin_regex", "enabled"; + + // Specifies string patterns that match allowed origins. An origin is allowed if any of the + // string matchers match. 
+ repeated type.matcher.v3.StringMatcher allow_origin_string_match = 11; + + // Specifies the content for the ``access-control-allow-methods`` header. + string allow_methods = 2; + + // Specifies the content for the ``access-control-allow-headers`` header. + string allow_headers = 3; + + // Specifies the content for the ``access-control-expose-headers`` header. + string expose_headers = 4; + + // Specifies the content for the ``access-control-max-age`` header. + string max_age = 5; + + // Specifies whether the resource allows credentials. + google.protobuf.BoolValue allow_credentials = 6; + + oneof enabled_specifier { + // Specifies the % of requests for which the CORS filter is enabled. + // + // If neither ``enabled``, ``filter_enabled``, nor ``shadow_enabled`` are specified, the CORS + // filter will be enabled for 100% of the requests. + // + // If :ref:`runtime_key ` is + // specified, Envoy will lookup the runtime key to get the percentage of requests to filter. + core.v3.RuntimeFractionalPercent filter_enabled = 9; + } + + // Specifies the % of requests for which the CORS policies will be evaluated and tracked, but not + // enforced. + // + // This field is intended to be used when ``filter_enabled`` and ``enabled`` are off. One of those + // fields have to explicitly disable the filter in order for this setting to take effect. + // + // If :ref:`runtime_key ` is specified, + // Envoy will lookup the runtime key to get the percentage of requests for which it will evaluate + // and track the request's ``Origin`` to determine if it's valid but will not enforce any policies. + core.v3.RuntimeFractionalPercent shadow_enabled = 10; + + // Specify whether allow requests whose target server's IP address is more private than that from + // which the request initiator was fetched. + // + // More details refer to https://developer.chrome.com/blog/private-network-access-preflight. 
+ google.protobuf.BoolValue allow_private_network_access = 12; + + // Specifies if preflight requests not matching the configured allowed origin should be forwarded + // to the upstream. Default is ``true``. + google.protobuf.BoolValue forward_not_matching_preflights = 13; +} + +// [#next-free-field: 46] +message RouteAction { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RouteAction"; + + enum ClusterNotFoundResponseCode { + // HTTP status code - 503 Service Unavailable. + SERVICE_UNAVAILABLE = 0; + + // HTTP status code - 404 Not Found. + NOT_FOUND = 1; + + // HTTP status code - 500 Internal Server Error. + INTERNAL_SERVER_ERROR = 2; + } + + // Configures :ref:`internal redirect ` behavior. + // [#next-major-version: remove this definition - it's defined in the InternalRedirectPolicy message.] + enum InternalRedirectAction { + option deprecated = true; + + PASS_THROUGH_INTERNAL_REDIRECT = 0; + HANDLE_INTERNAL_REDIRECT = 1; + } + + // The router is capable of shadowing traffic from one cluster to another. The current + // implementation is "fire and forget," meaning Envoy will not wait for the shadow cluster to + // respond before returning the response from the primary cluster. All normal statistics are + // collected for the shadow cluster making this feature useful for testing. + // + // During shadowing, the host/authority header is altered such that ``-shadow`` is appended. This is + // useful for logging. For example, ``cluster1`` becomes ``cluster1-shadow``. This behavior can be + // disabled by setting ``disable_shadow_host_suffix_append`` to ``true``. + // + // .. note:: + // + // Shadowing will not be triggered if the primary cluster does not exist. + // + // .. note:: + // + // Shadowing doesn't support HTTP CONNECT and upgrades. 
+ // [#next-free-field: 9] + message RequestMirrorPolicy { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.RequestMirrorPolicy"; + + reserved 2; + + reserved "runtime_key"; + + // Only one of ``cluster`` and ``cluster_header`` can be specified. + // [#next-major-version: Need to add back the validation rule: (validate.rules).string = {min_len: 1}] + // Specifies the cluster that requests will be mirrored to. The cluster must + // exist in the cluster manager configuration. + string cluster = 1 [(udpa.annotations.field_migrate).oneof_promotion = "cluster_specifier"]; + + // Only one of ``cluster`` and ``cluster_header`` can be specified. + // Envoy will determine the cluster to route to by reading the value of the + // HTTP header named by cluster_header from the request headers. Only the first value in header is used, + // and no shadow request will happen if the value is not found in headers. Envoy will not wait for + // the shadow cluster to respond before returning the response from the primary cluster. + // + // .. attention:: + // + // Internally, Envoy always uses the HTTP/2 ``:authority`` header to represent the HTTP/1 + // ``Host`` header. Thus, if attempting to match on ``Host``, match on ``:authority`` instead. + // + // .. note:: + // + // If the header appears multiple times only the first value is used. + string cluster_header = 5 [ + (validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}, + (udpa.annotations.field_migrate).oneof_promotion = "cluster_specifier" + ]; + + // If not specified, all requests to the target cluster will be mirrored. + // + // If specified, this field takes precedence over the ``runtime_key`` field and requests must also + // fall under the percentage of matches indicated by this field. + // + // For some fraction N/D, a random number in the range [0,D) is selected. 
If the + // number is <= the value of the numerator N, or if the key is not present, the default + // value, the request will be mirrored. + core.v3.RuntimeFractionalPercent runtime_fraction = 3; + + // Specifies whether the trace span for the shadow request should be sampled. If this field is not explicitly set, + // the shadow request will inherit the sampling decision of its parent span. This ensures consistency with the trace + // sampling policy of the original request and prevents oversampling, especially in scenarios where runtime sampling + // is disabled. + google.protobuf.BoolValue trace_sampled = 4; + + // Disables appending the ``-shadow`` suffix to the shadowed ``Host`` header. + // + // Defaults to ``false``. + bool disable_shadow_host_suffix_append = 6; + + // Specifies a list of header mutations that should be applied to each mirrored request. + // Header mutations are applied in the order they are specified. For more information, including + // details on header value syntax, see the documentation on :ref:`custom request headers + // `. + repeated common.mutation_rules.v3.HeaderMutation request_headers_mutations = 7 + [(validate.rules).repeated = {max_items: 1000}]; + + // Indicates that during mirroring, the host header will be swapped with this value. + // :ref:`disable_shadow_host_suffix_append + // ` + // is implicitly enabled if this field is set. + string host_rewrite_literal = 8 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + } + + // Specifies the route's hashing policy if the upstream cluster uses a hashing :ref:`load balancer + // `. 
+ // [#next-free-field: 7] + message HashPolicy { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.HashPolicy"; + + message Header { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.HashPolicy.Header"; + + // The name of the request header that will be used to obtain the hash + // key. If the request header is not present, no hash will be produced. + string header_name = 1 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // If specified, the request header value will be rewritten and used + // to produce the hash key. + type.matcher.v3.RegexMatchAndSubstitute regex_rewrite = 2; + } + + // CookieAttribute defines an API for adding additional attributes for a HTTP cookie. + message CookieAttribute { + // The name of the cookie attribute. + string name = 1 + [(validate.rules).string = + {min_len: 1 max_bytes: 16384 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // The optional value of the cookie attribute. + string value = 2 [(validate.rules).string = + {max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false}]; + } + + // Envoy supports two types of cookie affinity: + // + // 1. Passive. Envoy takes a cookie that's present in the cookies header and + // hashes on its value. + // + // 2. Generated. Envoy generates and sets a cookie with an expiration (TTL) + // on the first request from the client in its response to the client, + // based on the endpoint the request gets sent to. The client then + // presents this on the next and all subsequent requests. The hash of + // this is sufficient to ensure these requests get sent to the same + // endpoint. The cookie is generated by hashing the source and + // destination ports and addresses so that multiple independent HTTP2 + // streams on the same connection will independently receive the same + // cookie, even if they arrive at the Envoy simultaneously. 
+ message Cookie { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.HashPolicy.Cookie"; + + // The name of the cookie that will be used to obtain the hash key. If the + // cookie is not present and ttl below is not set, no hash will be + // produced. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // If specified, a cookie with the TTL will be generated if the cookie is + // not present. If the TTL is present and zero, the generated cookie will + // be a session cookie. + google.protobuf.Duration ttl = 2; + + // The name of the path for the cookie. If no path is specified here, no path + // will be set for the cookie. + string path = 3; + + // Additional attributes for the cookie. They will be used when generating a new cookie. + repeated CookieAttribute attributes = 4; + } + + message ConnectionProperties { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.HashPolicy.ConnectionProperties"; + + // Hash on source IP address. + bool source_ip = 1; + } + + message QueryParameter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.HashPolicy.QueryParameter"; + + // The name of the URL query parameter that will be used to obtain the hash + // key. If the parameter is not present, no hash will be produced. Query + // parameter names are case-sensitive. If query parameters are repeated, only + // the first value will be considered. + string name = 1 [(validate.rules).string = {min_len: 1}]; + } + + message FilterState { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.HashPolicy.FilterState"; + + // The name of the Object in the per-request filterState, which is an + // Envoy::Hashable object. If there is no data associated with the key, + // or the stored object is not Envoy::Hashable, no hash will be produced. 
+ string key = 1 [(validate.rules).string = {min_len: 1}]; + } + + oneof policy_specifier { + option (validate.required) = true; + + // Header hash policy. + Header header = 1; + + // Cookie hash policy. + Cookie cookie = 2; + + // Connection properties hash policy. + ConnectionProperties connection_properties = 3; + + // Query parameter hash policy. + QueryParameter query_parameter = 5; + + // Filter state hash policy. + FilterState filter_state = 6; + } + + // The flag that short-circuits the hash computing. This field provides a + // 'fallback' style of configuration: "if a terminal policy doesn't work, + // fallback to rest of the policy list", it saves time when the terminal + // policy works. + // + // If true, and there is already a hash computed, ignore rest of the + // list of hash polices. + // For example, if the following hash methods are configured: + // + // ========= ======== + // specifier terminal + // ========= ======== + // Header A true + // Header B false + // Header C false + // ========= ======== + // + // The generateHash process ends if policy "header A" generates a hash, as + // it's a terminal policy. + bool terminal = 4; + } + + // Allows enabling and disabling upgrades on a per-route basis. + // This overrides any enabled/disabled upgrade filter chain specified in the + // HttpConnectionManager + // :ref:`upgrade_configs + // ` + // but does not affect any custom filter chain specified there. + message UpgradeConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.UpgradeConfig"; + + // Configuration for sending data upstream as a raw data payload. This is used for + // CONNECT or POST requests, when forwarding request payload as raw TCP. + message ConnectConfig { + // If present, the proxy protocol header will be prepended to the CONNECT payload sent upstream. 
+ core.v3.ProxyProtocolConfig proxy_protocol_config = 1; + + // If set, the route will also allow forwarding POST payload as raw TCP. + bool allow_post = 2; + } + + // The case-insensitive name of this upgrade, for example, "websocket". + // For each upgrade type present in upgrade_configs, requests with + // Upgrade: [upgrade_type] will be proxied upstream. + string upgrade_type = 1 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Determines if upgrades are available on this route. + // + // Defaults to ``true``. + google.protobuf.BoolValue enabled = 2; + + // Configuration for sending data upstream as a raw data payload. This is used for + // CONNECT requests, when forwarding CONNECT payload as raw TCP. + // Note that CONNECT support is currently considered alpha in Envoy. + // [#comment: TODO(htuch): Replace the above comment with an alpha tag.] + ConnectConfig connect_config = 3; + } + + message MaxStreamDuration { + // Specifies the maximum duration allowed for streams on the route. If not specified, the value + // from the :ref:`max_stream_duration + // ` field in + // :ref:`HttpConnectionManager.common_http_protocol_options + // ` + // is used. If this field is set explicitly to zero, any + // HttpConnectionManager max_stream_duration timeout will be disabled for + // this route. + google.protobuf.Duration max_stream_duration = 1; + + // If present, and the request contains a `grpc-timeout header + // `_, use that value as the + // ``max_stream_duration``, but limit the applied timeout to the maximum value specified here. + // If set to 0, the ``grpc-timeout`` header is used without modification. + google.protobuf.Duration grpc_timeout_header_max = 2; + + // If present, Envoy will adjust the timeout provided by the ``grpc-timeout`` header by + // subtracting the provided duration from the header. 
This is useful for allowing Envoy to set
+ // its global timeout to be less than that of the deadline imposed by the calling client, which
+ // makes it more likely that Envoy will handle the timeout instead of having the call canceled
+ // by the client. If, after applying the offset, the resulting timeout is zero or negative,
+ // the stream will timeout immediately.
+ google.protobuf.Duration grpc_timeout_header_offset = 3;
+ }
+
+ reserved 12, 18, 19, 16, 22, 21, 10;
+
+ reserved "request_mirror_policy";
+
+ oneof cluster_specifier {
+ option (validate.required) = true;
+
+ // Indicates the upstream cluster to which the request should be routed
+ // to.
+ string cluster = 1 [(validate.rules).string = {min_len: 1}];
+
+ // Envoy will determine the cluster to route to by reading the value of the
+ // HTTP header named by cluster_header from the request headers. If the
+ // header is not found or the referenced cluster does not exist, Envoy will
+ // return a 404 response.
+ //
+ // .. attention::
+ //
+ // Internally, Envoy always uses the HTTP/2 ``:authority`` header to represent the HTTP/1
+ // ``Host`` header. Thus, if attempting to match on ``Host``, match on ``:authority`` instead.
+ //
+ // .. note::
+ //
+ // If the header appears multiple times only the first value is used.
+ string cluster_header = 2
+ [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
+
+ // Multiple upstream clusters can be specified for a given route. The
+ // request is routed to one of the upstream clusters based on weights
+ // assigned to each cluster. See
+ // :ref:`traffic splitting `
+ // for additional documentation.
+ WeightedCluster weighted_clusters = 3;
+
+ // Name of the cluster specifier plugin to use to determine the cluster for requests on this route.
+ // The cluster specifier plugin name must be defined in the associated
+ // :ref:`cluster specifier plugins `
+ // in the :ref:`name ` field.
+ string cluster_specifier_plugin = 37;
+
+ // Custom cluster specifier plugin configuration to use to determine the cluster for requests
+ // on this route.
+ ClusterSpecifierPlugin inline_cluster_specifier_plugin = 39;
+ }
+
+ // The HTTP status code to use when configured cluster is not found.
+ // The default response code is 503 Service Unavailable.
+ ClusterNotFoundResponseCode cluster_not_found_response_code = 20
+ [(validate.rules).enum = {defined_only: true}];
+
+ // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints
+ // in the upstream cluster with metadata matching what's set in this field will be considered
+ // for load balancing. If using :ref:`weighted_clusters
+ // `, metadata will be merged, with values
+ // provided there taking precedence. The filter name should be specified as ``envoy.lb``.
+ core.v3.Metadata metadata_match = 4;
+
+ // Indicates that during forwarding, the matched prefix (or path) should be
+ // swapped with this value. This option allows application URLs to be rooted
+ // at a different path from those exposed at the reverse proxy layer. The router filter will
+ // place the original path before rewrite into the :ref:`x-envoy-original-path
+ // ` header.
+ //
+ // Only one of :ref:`regex_rewrite `,
+ // :ref:`path_rewrite_policy `,
+ // :ref:`path_rewrite `,
+ // or :ref:`prefix_rewrite `
+ // may be specified.
+ //
+ // .. attention::
+ //
+ // Pay careful attention to the use of trailing slashes in the
+ // :ref:`route's match ` prefix value.
+ // Stripping a prefix from a path requires multiple Routes to handle all cases. For example,
+ // rewriting ``/prefix`` to ``/`` and ``/prefix/etc`` to ``/etc`` cannot be done in a single
+ // :ref:`Route `, as shown by the below config entries:
+ //
+ // .. code-block:: yaml
+ //
+ // - match:
+ // prefix: "/prefix/"
+ // route:
+ // prefix_rewrite: "/"
+ // - match:
+ // prefix: "/prefix"
+ // route:
+ // prefix_rewrite: "/"
+ //
+ // Having above entries in the config, requests to ``/prefix`` will be stripped to ``/``, while
+ // requests to ``/prefix/etc`` will be stripped to ``/etc``.
+ string prefix_rewrite = 5
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
+
+ // Indicates that during forwarding, portions of the path that match the
+ // pattern should be rewritten, even allowing the substitution of capture
+ // groups from the pattern into the new path as specified by the rewrite
+ // substitution string. This is useful to allow application paths to be
+ // rewritten in a way that is aware of segments with variable content like
+ // identifiers. The router filter will place the original path as it was
+ // before the rewrite into the :ref:`x-envoy-original-path
+ // ` header.
+ //
+ // Only one of :ref:`regex_rewrite `,
+ // :ref:`path_rewrite_policy `,
+ // :ref:`path_rewrite `,
+ // or :ref:`prefix_rewrite `
+ // may be specified.
+ //
+ // Examples using Google's `RE2 `_ engine:
+ //
+ // * The path pattern ``^/service/([^/]+)(/.*)$`` paired with a substitution
+ // string of ``\2/instance/\1`` would transform ``/service/foo/v1/api``
+ // into ``/v1/api/instance/foo``.
+ //
+ // * The pattern ``one`` paired with a substitution string of ``two`` would
+ // transform ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/two/zzz``.
+ //
+ // * The pattern ``^(.*?)one(.*)$`` paired with a substitution string of
+ // ``\1two\2`` would replace only the first occurrence of ``one``,
+ // transforming path ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/one/zzz``.
+ //
+ // * The pattern ``(?i)/xxx/`` paired with a substitution string of ``/yyy/``
+ // would do a case-insensitive match and transform path ``/aaa/XxX/bbb`` to
+ // ``/aaa/yyy/bbb``.
+ type.matcher.v3.RegexMatchAndSubstitute regex_rewrite = 32;
+
+ // [#extension-category: envoy.path.rewrite]
+ core.v3.TypedExtensionConfig path_rewrite_policy = 41;
+
+ // Rewrites the whole path (without query parameters) with the given path value.
+ // The router filter will
+ // place the original path before rewrite into the :ref:`x-envoy-original-path
+ // ` header.
+ //
+ // Only one of :ref:`regex_rewrite `,
+ // :ref:`path_rewrite_policy `,
+ // :ref:`path_rewrite `,
+ // or :ref:`prefix_rewrite `
+ // may be specified.
+ //
+ // The :ref:`substitution format specifier ` could be applied here.
+ // For example, with the following config:
+ //
+ // .. code-block:: yaml
+ //
+ // path_rewrite: "/new_path_prefix%REQ(custom-path-header-name)%"
+ //
+ // Would rewrite the path to ``/new_path_prefix/some_value`` given the header
+ // ``custom-path-header-name: some_value``. If the header is not present, the path will be
+ // rewritten to ``/new_path_prefix``.
+ //
+ //
+ // If the final output of the path rewrite is empty, then the update will be ignored and the
+ // original path will be preserved.
+ string path_rewrite = 45;
+
+ // If one of the host rewrite specifiers is set and the
+ // :ref:`suppress_envoy_headers
+ // ` flag is not
+ // set to true, the router filter will place the original host header value before
+ // rewriting into the :ref:`x-envoy-original-host
+ // ` header.
+ //
+ // And if the
+ // :ref:`append_x_forwarded_host `
+ // is set to true, the original host value will also be appended to the
+ // :ref:`config_http_conn_man_headers_x-forwarded-host` header.
+ //
+ oneof host_rewrite_specifier {
+ // Indicates that during forwarding, the host header will be swapped with
+ // this value.
+ string host_rewrite_literal = 6
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
+
+ // Indicates that during forwarding, the host header will be swapped with
+ // the hostname of the upstream host chosen by the cluster manager. This
+ // option is applicable only when the destination cluster for a route is of
+ // type ``strict_dns`` or ``logical_dns``,
+ // or when :ref:`hostname `
+ // field is not empty. Setting this to true with other cluster types
+ // has no effect.
+ google.protobuf.BoolValue auto_host_rewrite = 7;
+
+ // Indicates that during forwarding, the host header will be swapped with the content of given
+ // downstream or :ref:`custom ` header.
+ // If header value is empty, host header is left intact.
+ //
+ // .. attention::
+ //
+ // Pay attention to the potential security implications of using this option. Provided header
+ // must come from trusted source.
+ //
+ // .. note::
+ //
+ // If the header appears multiple times only the first value is used.
+ string host_rewrite_header = 29
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];
+
+ // Indicates that during forwarding, the host header will be swapped with
+ // the result of the regex substitution executed on path value with query and fragment removed.
+ // This is useful for transitioning variable content between path segment and subdomain.
+ //
+ // For example with the following config:
+ //
+ // .. code-block:: yaml
+ //
+ // host_rewrite_path_regex:
+ // pattern:
+ // google_re2: {}
+ // regex: "^/(.+)/.+$"
+ // substitution: \1
+ //
+ // Would rewrite the host header to ``envoyproxy.io`` given the path ``/envoyproxy.io/some/path``.
+ type.matcher.v3.RegexMatchAndSubstitute host_rewrite_path_regex = 35;
+
+ // Rewrites the host header with the value of this field. The router filter will
+ // place the original host header value before rewriting into the :ref:`x-envoy-original-host
+ // ` header.
+ //
+ // The :ref:`substitution format specifier ` could be applied here.
+ // For example, with the following config:
+ //
+ // .. code-block:: yaml
+ //
+ // host_rewrite: "prefix-%REQ(custom-host-header-name)%"
+ //
+ // Would rewrite the host header to ``prefix-some_value`` given the header
+ // ``custom-host-header-name: some_value``. If the header is not present, the host header will
+ // be rewritten to an value of ``prefix-``.
+ //
+ // If the final output of the host rewrite is empty, then the update will be ignored and the
+ // original host header will be preserved.
+ string host_rewrite = 44;
+ }
+
+ // If set, then a host rewrite action (one of
+ // :ref:`host_rewrite_literal `,
+ // :ref:`auto_host_rewrite `,
+ // :ref:`host_rewrite_header `, or
+ // :ref:`host_rewrite_path_regex `)
+ // causes the original value of the host header, if any, to be appended to the
+ // :ref:`config_http_conn_man_headers_x-forwarded-host` HTTP header if it is different to the last value appended.
+ bool append_x_forwarded_host = 38;
+
+ // Specifies the upstream timeout for the route. If not specified, the default is 15s. This
+ // spans between the point at which the entire downstream request (i.e. end-of-stream) has been
+ // processed and when the upstream response has been completely processed. A value of 0 will
+ // disable the route's timeout.
+ //
+ // .. note::
+ //
+ // This timeout includes all retries. See also
+ // :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms`,
+ // :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms`, and the
+ // :ref:`retry overview `.
+ google.protobuf.Duration timeout = 8;
+
+ // Specifies the idle timeout for the route. If not specified, there is no per-route idle timeout,
+ // although the connection manager wide :ref:`stream_idle_timeout
+ // `
+ // will still apply. A value of 0 will completely disable the route's idle timeout, even if a
+ // connection manager stream idle timeout is configured.
+ //
+ // The idle timeout is distinct to :ref:`timeout
+ // `, which provides an upper bound
+ // on the upstream response time; :ref:`idle_timeout
+ // ` instead bounds the amount
+ // of time the request's stream may be idle.
+ //
+ // After header decoding, the idle timeout will apply on downstream and
+ // upstream request events. Each time an encode/decode event for headers or
+ // data is processed for the stream, the timer will be reset. If the timeout
+ // fires, the stream is terminated with a 408 Request Timeout error code if no
+ // upstream response header has been received, otherwise a stream reset
+ // occurs.
+ //
+ // If the :ref:`overload action ` "envoy.overload_actions.reduce_timeouts"
+ // is configured, this timeout is scaled according to the value for
+ // :ref:`HTTP_DOWNSTREAM_STREAM_IDLE `.
+ //
+ // This timeout may also be used in place of ``flush_timeout`` in very specific cases. See the
+ // documentation for ``flush_timeout`` for more details.
+ google.protobuf.Duration idle_timeout = 24;
+
+ // Specifies the codec stream flush timeout for the route.
+ //
+ // If not specified, the first preference is the global :ref:`stream_flush_timeout
+ // `,
+ // but only if explicitly configured.
+ //
+ // If neither the explicit HCM-wide flush timeout nor this route-specific flush timeout is configured,
+ // the route's stream idle timeout is reused for this timeout. This is for
+ // backwards compatibility since both behaviors were historically controlled by the one timeout.
+ //
+ // If the route also does not have an idle timeout configured, the global :ref:`stream_idle_timeout
+ // `. used, again
+ // for backwards compatibility. That timeout defaults to 5 minutes.
+ //
+ // A value of 0 via any of the above paths will completely disable the timeout for a given route.
+ google.protobuf.Duration flush_timeout = 42;
+
+ // Specifies how to send request over TLS early data.
+ // If absent, allows `safe HTTP requests `_ to be sent on early data.
+ // [#extension-category: envoy.route.early_data_policy]
+ core.v3.TypedExtensionConfig early_data_policy = 40;
+
+ // Indicates that the route has a retry policy. Note that if this is set,
+ // it'll take precedence over the virtual host level retry policy entirely
+ // (e.g., policies are not merged, the most internal one becomes the enforced policy).
+ RetryPolicy retry_policy = 9;
+
+ // [#not-implemented-hide:]
+ // Specifies the configuration for retry policy extension. Note that if this is set, it'll take
+ // precedence over the virtual host level retry policy entirely (e.g., policies are not merged,
+ // the most internal one becomes the enforced policy). :ref:`Retry policy `
+ // should not be set if this field is used.
+ google.protobuf.Any retry_policy_typed_config = 33;
+
+ // Specify a set of route request mirroring policies.
+ // It takes precedence over the virtual host and route config mirror policy entirely.
+ // That is, policies are not merged, the most specific non-empty one becomes the mirror policies.
+ repeated RequestMirrorPolicy request_mirror_policies = 30;
+
+ // Optionally specifies the :ref:`routing priority `.
+ core.v3.RoutingPriority priority = 11 [(validate.rules).enum = {defined_only: true}];
+
+ // Specifies a set of rate limit configurations that could be applied to the
+ // route.
+ repeated RateLimit rate_limits = 13;
+
+ // Specifies if the rate limit filter should include the virtual host rate
+ // limits. By default, if the route configured rate limits, the virtual host
+ // :ref:`rate_limits ` are not applied to the
+ // request.
+ //
+ // .. attention::
+ //
+ // This field is deprecated. Please use :ref:`vh_rate_limits `
+ google.protobuf.BoolValue include_vh_rate_limits = 14
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // Specifies a list of hash policies to use for ring hash load balancing. Each
+ // hash policy is evaluated individually and the combined result is used to
+ // route the request. The method of combination is deterministic such that
+ // identical lists of hash policies will produce the same hash. Since a hash
+ // policy examines specific parts of a request, it can fail to produce a hash
+ // (i.e. if the hashed header is not present). If (and only if) all configured
+ // hash policies fail to generate a hash, no hash will be produced for
+ // the route. In this case, the behavior is the same as if no hash policies
+ // were specified (i.e. the ring hash load balancer will choose a random
+ // backend). If a hash policy has the "terminal" attribute set to true, and
+ // there is already a hash generated, the hash is returned immediately,
+ // ignoring the rest of the hash policy list.
+ repeated HashPolicy hash_policy = 15;
+
+ // Indicates that the route has a CORS policy. This field is ignored if related cors policy is
+ // found in the :ref:`Route.typed_per_filter_config` or
+ // :ref:`WeightedCluster.ClusterWeight.typed_per_filter_config`.
+ //
+ // .. attention::
+ //
+ // This option has been deprecated. Please use
+ // :ref:`Route.typed_per_filter_config` or
+ // :ref:`WeightedCluster.ClusterWeight.typed_per_filter_config`
+ // to configure the CORS HTTP filter.
+ CorsPolicy cors = 17 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // Deprecated by :ref:`grpc_timeout_header_max `
+ // If present, and the request is a gRPC request, use the
+ // `grpc-timeout header `_,
+ // or its default value (infinity) instead of
+ // :ref:`timeout `, but limit the applied timeout
+ // to the maximum value specified here. If configured as 0, the maximum allowed timeout for
+ // gRPC requests is infinity. If not configured at all, the ``grpc-timeout`` header is not used
+ // and gRPC requests time out like any other requests using
+ // :ref:`timeout ` or its default.
+ // This can be used to prevent unexpected upstream request timeouts due to potentially long
+ // time gaps between gRPC request and response in gRPC streaming mode.
+ //
+ // .. note::
+ //
+ // If a timeout is specified using :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms`, it takes
+ // precedence over `grpc-timeout header `_, when
+ // both are present. See also
+ // :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms`,
+ // :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms`, and the
+ // :ref:`retry overview `.
+ google.protobuf.Duration max_grpc_timeout = 23
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // Deprecated by :ref:`grpc_timeout_header_offset `.
+ // If present, Envoy will adjust the timeout provided by the ``grpc-timeout`` header by subtracting
+ // the provided duration from the header. This is useful in allowing Envoy to set its global
+ // timeout to be less than that of the deadline imposed by the calling client, which makes it more
+ // likely that Envoy will handle the timeout instead of having the call canceled by the client.
+ // The offset will only be applied if the provided grpc_timeout is greater than the offset. This
+ // ensures that the offset will only ever decrease the timeout and never set it to 0 (meaning
+ // infinity).
+ google.protobuf.Duration grpc_timeout_offset = 28
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ repeated UpgradeConfig upgrade_configs = 25;
+
+ // If present, Envoy will try to follow an upstream redirect response instead of proxying the
+ // response back to the downstream. An upstream redirect response is defined
+ // by :ref:`redirect_response_codes
+ // `.
+ InternalRedirectPolicy internal_redirect_policy = 34;
+
+ InternalRedirectAction internal_redirect_action = 26
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // An internal redirect is handled, iff the number of previous internal redirects that a
+ // downstream request has encountered is lower than this value, and
+ // :ref:`internal_redirect_action `
+ // is set to :ref:`HANDLE_INTERNAL_REDIRECT
+ // `
+ // In the case where a downstream request is bounced among multiple routes by internal redirect,
+ // the first route that hits this threshold, or has
+ // :ref:`internal_redirect_action `
+ // set to
+ // :ref:`PASS_THROUGH_INTERNAL_REDIRECT
+ // `
+ // will pass the redirect back to downstream.
+ //
+ // If not specified, at most one redirect will be followed.
+ google.protobuf.UInt32Value max_internal_redirects = 31
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // Indicates that the route has a hedge policy. Note that if this is set,
+ // it'll take precedence over the virtual host level hedge policy entirely
+ // (e.g., policies are not merged, the most internal one becomes the enforced policy).
+ HedgePolicy hedge_policy = 27;
+
+ // Specifies the maximum stream duration for this route.
+ MaxStreamDuration max_stream_duration = 36;
+}
+
+// HTTP retry :ref:`architecture overview `.
+// [#next-free-field: 14]
+message RetryPolicy {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RetryPolicy";
+
+ enum ResetHeaderFormat {
+ SECONDS = 0;
+ UNIX_TIMESTAMP = 1;
+ }
+
+ message RetryPriority {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.route.RetryPolicy.RetryPriority";
+
+ reserved 2;
+
+ reserved "config";
+
+ string name = 1 [(validate.rules).string = {min_len: 1}];
+
+ // [#extension-category: envoy.retry_priorities]
+ oneof config_type {
+ google.protobuf.Any typed_config = 3;
+ }
+ }
+
+ message RetryHostPredicate {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.route.RetryPolicy.RetryHostPredicate";
+
+ reserved 2;
+
+ reserved "config";
+
+ string name = 1 [(validate.rules).string = {min_len: 1}];
+
+ // [#extension-category: envoy.retry_host_predicates]
+ oneof config_type {
+ google.protobuf.Any typed_config = 3;
+ }
+ }
+
+ message RetryBackOff {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.route.RetryPolicy.RetryBackOff";
+
+ // Specifies the base interval between retries. This parameter is required and must be greater
+ // than zero. Values less than 1 ms are rounded up to 1 ms.
+ // See :ref:`config_http_filters_router_x-envoy-max-retries` for a discussion of Envoy's
+ // back-off algorithm.
+ google.protobuf.Duration base_interval = 1 [(validate.rules).duration = {
+ required: true
+ gt {}
+ }];
+
+ // Specifies the maximum interval between retries. This parameter is optional, but must be
+ // greater than or equal to the ``base_interval`` if set. The default is 10 times the
+ // ``base_interval``. See :ref:`config_http_filters_router_x-envoy-max-retries` for a discussion
+ // of Envoy's back-off algorithm.
+ google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {}}];
+ }
+
+ message ResetHeader {
+ // The name of the reset header.
+ //
+ // .. note::
+ //
+ // If the header appears multiple times only the first value is used.
+ string name = 1
+ [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
+
+ // The format of the reset header.
+ ResetHeaderFormat format = 2 [(validate.rules).enum = {defined_only: true}];
+ }
+
+ // A retry back-off strategy that applies when the upstream server rate limits
+ // the request.
+ //
+ // Given this configuration:
+ //
+ // .. code-block:: yaml
+ //
+ // rate_limited_retry_back_off:
+ // reset_headers:
+ // - name: Retry-After
+ // format: SECONDS
+ // - name: X-RateLimit-Reset
+ // format: UNIX_TIMESTAMP
+ // max_interval: "300s"
+ //
+ // The following algorithm will apply:
+ //
+ // 1. If the response contains the header ``Retry-After`` its value must be on
+ // the form ``120`` (an integer that represents the number of seconds to
+ // wait before retrying). If so, this value is used as the back-off interval.
+ // 2. Otherwise, if the response contains the header ``X-RateLimit-Reset`` its
+ // value must be on the form ``1595320702`` (an integer that represents the
+ // point in time at which to retry, as a Unix timestamp in seconds). If so,
+ // the current time is subtracted from this value and the result is used as
+ // the back-off interval.
+ // 3. Otherwise, Envoy will use the default
+ // :ref:`exponential back-off `
+ // strategy.
+ //
+ // No matter which format is used, if the resulting back-off interval exceeds
+ // ``max_interval`` it is discarded and the next header in ``reset_headers``
+ // is tried. If a request timeout is configured for the route it will further
+ // limit how long the request will be allowed to run.
+ //
+ // To prevent many clients retrying at the same point in time jitter is added
+ // to the back-off interval, so the resulting interval is decided by taking:
+ // ``random(interval, interval * 1.5)``.
+ //
+ // .. attention::
+ //
+ // Configuring ``rate_limited_retry_back_off`` will not by itself cause a request
+ // to be retried. You will still need to configure the right retry policy to match
+ // the responses from the upstream server.
+ message RateLimitedRetryBackOff {
+ // Specifies the reset headers (like ``Retry-After`` or ``X-RateLimit-Reset``)
+ // to match against the response. Headers are tried in order, and matched case
+ // insensitive. The first header to be parsed successfully is used. If no headers
+ // match the default exponential back-off is used instead.
+ repeated ResetHeader reset_headers = 1 [(validate.rules).repeated = {min_items: 1}];
+
+ // Specifies the maximum back off interval that Envoy will allow. If a reset
+ // header contains an interval longer than this then it will be discarded and
+ // the next header will be tried.
+ //
+ // Defaults to 300 seconds.
+ google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {}}];
+ }
+
+ // Specifies the conditions under which retry takes place. These are the same
+ // conditions documented for :ref:`config_http_filters_router_x-envoy-retry-on` and
+ // :ref:`config_http_filters_router_x-envoy-retry-grpc-on`.
+ string retry_on = 1;
+
+ // Specifies the allowed number of retries. This parameter is optional and
+ // defaults to 1. These are the same conditions documented for
+ // :ref:`config_http_filters_router_x-envoy-max-retries`.
+ google.protobuf.UInt32Value num_retries = 2
+ [(udpa.annotations.field_migrate).rename = "max_retries"];
+
+ // Specifies a non-zero upstream timeout per retry attempt (including the initial attempt). This
+ // parameter is optional. The same conditions documented for
+ // :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms` apply.
+ //
+ // .. note::
+ //
+ // If left unspecified, Envoy will use the global
+ // :ref:`route timeout ` for the request.
+ // Consequently, when using a :ref:`5xx ` based
+ // retry policy, a request that times out will not be retried as the total timeout budget
+ // would have been exhausted.
+ google.protobuf.Duration per_try_timeout = 3;
+
+ // Specifies an upstream idle timeout per retry attempt (including the initial attempt). This
+ // parameter is optional and if absent there is no per-try idle timeout. The semantics of the per-
+ // try idle timeout are similar to the
+ // :ref:`route idle timeout ` and
+ // :ref:`stream idle timeout
+ // `
+ // both enforced by the HTTP connection manager. The difference is that this idle timeout
+ // is enforced by the router for each individual attempt and thus after all previous filters have
+ // run, as opposed to *before* all previous filters run for the other idle timeouts. This timeout
+ // is useful in cases in which total request timeout is bounded by a number of retries and a
+ // :ref:`per_try_timeout `, but
+ // there is a desire to ensure each try is making incremental progress. Note also that similar
+ // to :ref:`per_try_timeout `,
+ // this idle timeout does not start until after both the entire request has been received by the
+ // router *and* a connection pool connection has been obtained. Unlike
+ // :ref:`per_try_timeout `,
+ // the idle timer continues once the response starts streaming back to the downstream client.
+ // This ensures that response data continues to make progress without using one of the HTTP
+ // connection manager idle timeouts.
+ google.protobuf.Duration per_try_idle_timeout = 13;
+
+ // Specifies an implementation of a RetryPriority which is used to determine the
+ // distribution of load across priorities used for retries. Refer to
+ // :ref:`retry plugin configuration ` for more details.
+ RetryPriority retry_priority = 4;
+
+ // Specifies a collection of RetryHostPredicates that will be consulted when selecting a host
+ // for retries. If any of the predicates reject the host, host selection will be reattempted.
+ // Refer to :ref:`retry plugin configuration ` for more
+ // details.
+ repeated RetryHostPredicate retry_host_predicate = 5;
+
+ // Retry options predicates that will be applied prior to retrying a request. These predicates
+ // allow customizing request behavior between retries.
+ // [#comment: add [#extension-category: envoy.retry_options_predicates] when there are built-in extensions]
+ repeated core.v3.TypedExtensionConfig retry_options_predicates = 12;
+
+ // The maximum number of times host selection will be reattempted before giving up, at which
+ // point the host that was last selected will be routed to. If unspecified, this will default to
+ // retrying once.
+ int64 host_selection_retry_max_attempts = 6;
+
+ // HTTP status codes that should trigger a retry in addition to those specified by retry_on.
+ repeated uint32 retriable_status_codes = 7;
+
+ // Specifies parameters that control exponential retry back off. This parameter is optional, in which case the
+ // default base interval is 25 milliseconds or, if set, the current value of the
+ // ``upstream.base_retry_backoff_ms`` runtime parameter. The default maximum interval is 10 times
+ // the base interval. The documentation for :ref:`config_http_filters_router_x-envoy-max-retries`
+ // describes Envoy's back-off algorithm.
+ RetryBackOff retry_back_off = 8;
+
+ // Specifies parameters that control a retry back-off strategy that is used
+ // when the request is rate limited by the upstream server. The server may
+ // return a response header like ``Retry-After`` or ``X-RateLimit-Reset`` to
+ // provide feedback to the client on how long to wait before retrying. If
+ // configured, this back-off strategy will be used instead of the
+ // default exponential back off strategy (configured using ``retry_back_off``)
+ // whenever a response includes the matching headers.
+ RateLimitedRetryBackOff rate_limited_retry_back_off = 11;
+
+ // HTTP response headers that trigger a retry if present in the response. A retry will be
+ // triggered if any of the header matches match the upstream response headers.
+ // The field is only consulted if 'retriable-headers' retry policy is active.
+ repeated HeaderMatcher retriable_headers = 9;
+
+ // HTTP headers which must be present in the request for retries to be attempted.
+ repeated HeaderMatcher retriable_request_headers = 10;
+}
+
+// HTTP request hedging :ref:`architecture overview `.
+message HedgePolicy {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.HedgePolicy";
+
+ // Specifies the number of initial requests that should be sent upstream.
+ // Must be at least 1.
+ //
+ // Defaults to 1.
+ // [#not-implemented-hide:]
+ google.protobuf.UInt32Value initial_requests = 1 [(validate.rules).uint32 = {gte: 1}];
+
+ // Specifies a probability that an additional upstream request should be sent
+ // on top of what is specified by initial_requests.
+ //
+ // Defaults to 0.
+ // [#not-implemented-hide:]
+ type.v3.FractionalPercent additional_request_chance = 2;
+
+ // Indicates that a hedged request should be sent when the per-try timeout is hit.
+ // This means that a retry will be issued without resetting the original request, leaving multiple upstream requests in flight.
+ // The first request to complete successfully will be the one returned to the caller.
+ //
+ // * At any time, a successful response (i.e. not triggering any of the retry-on conditions) would be returned to the client.
+ // * Before per-try timeout, an error response (per retry-on conditions) would be retried immediately or returned to the client
+ // if there are no more retries left.
+ // * After per-try timeout, an error response would be discarded, as a retry in the form of a hedged request is already in progress.
+ //
+ // .. note::
+ //
+ // For this to have effect, you must have a :ref:`RetryPolicy ` that retries at least
+ // one error code and specifies a maximum number of retries.
+ //
+ // Defaults to ``false``.
+ bool hedge_on_per_try_timeout = 3;
+}
+
+// [#next-free-field: 10]
+message RedirectAction {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RedirectAction";
+
+ enum RedirectResponseCode {
+ // Moved Permanently HTTP Status Code - 301.
+ MOVED_PERMANENTLY = 0;
+
+ // Found HTTP Status Code - 302.
+ FOUND = 1;
+
+ // See Other HTTP Status Code - 303.
+ SEE_OTHER = 2;
+
+ // Temporary Redirect HTTP Status Code - 307.
+ TEMPORARY_REDIRECT = 3;
+
+ // Permanent Redirect HTTP Status Code - 308.
+ PERMANENT_REDIRECT = 4;
+ }
+
+ // When the scheme redirection take place, the following rules apply:
+ // 1. If the source URI scheme is ``http`` and the port is explicitly
+ // set to ``:80``, the port will be removed after the redirection
+ // 2. If the source URI scheme is ``https`` and the port is explicitly
+ // set to ``:443``, the port will be removed after the redirection
+ oneof scheme_rewrite_specifier {
+ // The scheme portion of the URL will be swapped with "https".
+ bool https_redirect = 4;
+
+ // The scheme portion of the URL will be swapped with this value.
+ string scheme_redirect = 7;
+ }
+
+ // The host portion of the URL will be swapped with this value.
+ string host_redirect = 1
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
+
+ // The port value of the URL will be swapped with this value.
+ uint32 port_redirect = 8;
+
+ oneof path_rewrite_specifier {
+ // The path portion of the URL will be swapped with this value.
+ // Please note that query string in path_redirect will override the
+ // request's query string and will not be stripped.
+ //
+ // For example, let's say we have the following routes:
+ //
+ // - match: { path: "/old-path-1" }
+ // redirect: { path_redirect: "/new-path-1" }
+ // - match: { path: "/old-path-2" }
+ // redirect: { path_redirect: "/new-path-2", strip-query: "true" }
+ // - match: { path: "/old-path-3" }
+ // redirect: { path_redirect: "/new-path-3?foo=1", strip_query: "true" }
+ //
+ // 1. if request uri is "/old-path-1?bar=1", users will be redirected to "/new-path-1?bar=1"
+ // 2. if request uri is "/old-path-2?bar=1", users will be redirected to "/new-path-2"
+ // 3. if request uri is "/old-path-3?bar=1", users will be redirected to "/new-path-3?foo=1"
+ string path_redirect = 2
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
+
+ // Indicates that during redirection, the matched prefix (or path)
+ // should be swapped with this value. This option allows redirect URLs be dynamically created
+ // based on the request.
+ //
+ // .. attention::
+ //
+ // Pay attention to the use of trailing slashes as mentioned in
+ // :ref:`RouteAction's prefix_rewrite `.
+ string prefix_rewrite = 5
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
+
+ // Indicates that during redirect, portions of the path that match the
+ // pattern should be rewritten, even allowing the substitution of capture
+ // groups from the pattern into the new path as specified by the rewrite
+ // substitution string. This is useful to allow application paths to be
+ // rewritten in a way that is aware of segments with variable content like
+ // identifiers.
+ //
+ // Examples using Google's `RE2 `_ engine:
+ //
+ // * The path pattern ``^/service/([^/]+)(/.*)$`` paired with a substitution
+ // string of ``\2/instance/\1`` would transform ``/service/foo/v1/api``
+ // into ``/v1/api/instance/foo``.
+ //
+ // * The pattern ``one`` paired with a substitution string of ``two`` would
+ // transform ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/two/zzz``.
+ //
+ // * The pattern ``^(.*?)one(.*)$`` paired with a substitution string of
+ // ``\1two\2`` would replace only the first occurrence of ``one``,
+ // transforming path ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/one/zzz``.
+ //
+ // * The pattern ``(?i)/xxx/`` paired with a substitution string of ``/yyy/``
+ // would do a case-insensitive match and transform path ``/aaa/XxX/bbb`` to
+ // ``/aaa/yyy/bbb``.
+ type.matcher.v3.RegexMatchAndSubstitute regex_rewrite = 9;
+ }
+
+ // The HTTP status code to use in the redirect response. The default response
+ // code is MOVED_PERMANENTLY (301).
+ RedirectResponseCode response_code = 3 [(validate.rules).enum = {defined_only: true}];
+
+ // Indicates that during redirection, the query portion of the URL will
+ // be removed. Default value is false.
+ bool strip_query = 6;
+}
+
+message DirectResponseAction {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.route.DirectResponseAction";
+
+ // Specifies the HTTP response status to be returned.
+ uint32 status = 1 [(validate.rules).uint32 = {lt: 600 gte: 200}];
+
+ // Specifies the content of the response body. If this setting is omitted,
+ // no body is included in the generated response.
+ //
+ // .. note::
+ //
+ // Headers can be specified using ``response_headers_to_add`` in the enclosing
+ // :ref:`envoy_v3_api_msg_config.route.v3.Route`, :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration` or
+ // :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost`.
+ core.v3.DataSource body = 2;
+
+ // Specifies a format string for the response body. If present, the contents of
+ // ``body_format`` will be formatted and used as the response body, where the
+ // contents of ``body`` (may be empty) will be passed as the variable ``%LOCAL_REPLY_BODY%``.
+ // If neither are provided, no body is included in the generated response.
+ core.v3.SubstitutionFormatString body_format = 3;
+}
+
+// [#not-implemented-hide:]
+message NonForwardingAction {
+}
+
+message Decorator {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.Decorator";
+
+ // The operation name associated with the request matched to this route. If tracing is
+ // enabled, this information will be used as the span name reported for this request.
+ //
+ // .. note::
+ //
+ // For ingress (inbound) requests, or egress (outbound) responses, this value may be overridden
+ // by the :ref:`x-envoy-decorator-operation
+ // ` header.
+ string operation = 1 [(validate.rules).string = {min_len: 1}];
+
+ // Whether the decorated details should be propagated to the other party. The default is ``true``.
+ google.protobuf.BoolValue propagate = 2;
+}
+
+// [#next-free-field: 7]
+message Tracing {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.Tracing";
+
+ // Target percentage of requests managed by this HTTP connection manager that will be force
+ // traced if the :ref:`x-client-trace-id `
+ // header is set. This field is a direct analog for the runtime variable
+ // 'tracing.client_enabled' in the :ref:`HTTP Connection Manager
+ // `.
+ // Default: 100%
+ type.v3.FractionalPercent client_sampling = 1;
+
+ // Target percentage of requests managed by this HTTP connection manager that will be randomly
+ // selected for trace generation, if not requested by the client or not forced. This field is
+ // a direct analog for the runtime variable 'tracing.random_sampling' in the
+ // :ref:`HTTP Connection Manager `.
+ // Default: 100%
+ type.v3.FractionalPercent random_sampling = 2;
+
+ // Target percentage of requests managed by this HTTP connection manager that will be traced
+ // after all other sampling checks have been applied (client-directed, force tracing, random
+ // sampling).
This field functions as an upper limit on the total configured sampling rate. For + // instance, setting client_sampling to 100% but overall_sampling to 1% will result in only 1% + // of client requests with the appropriate headers to be force traced. This field is a direct + // analog for the runtime variable 'tracing.global_enabled' in the + // :ref:`HTTP Connection Manager `. + // Default: 100% + type.v3.FractionalPercent overall_sampling = 3; + + // A list of custom tags with unique tag name to create tags for the active span. + // It will take effect after merging with the :ref:`corresponding configuration + // ` + // configured in the HTTP connection manager. If two tags with the same name are configured + // each in the HTTP connection manager and the route level, the one configured here takes + // priority. + repeated type.tracing.v3.CustomTag custom_tags = 4; + + // The operation name of the span which will be used for tracing. + // + // The same :ref:`format specifier ` as used for + // :ref:`HTTP access logging ` applies here, however + // unknown specifier values are replaced with the empty string instead of ``-``. + // + // This field will take precedence over and make following settings ineffective: + // + // * :ref:`route decorator `. + // * :ref:`x-envoy-decorator-operation `. + // * :ref:`HCM tracing operation + // `. + string operation = 5; + + // The operation name of the upstream span which will be used for tracing. + // This only takes effect when ``spawn_upstream_span`` is set to true and the upstream + // span is created. + // + // The same :ref:`format specifier ` as used for + // :ref:`HTTP access logging ` applies here, however + // unknown specifier values are replaced with the empty string instead of ``-``. 
+ // + // This field will take precedence over and make following settings ineffective: + // + // * :ref:`HCM tracing upstream operation + // ` + string upstream_operation = 6; +} + +// A virtual cluster is a way of specifying a regex matching rule against +// certain important endpoints such that statistics are generated explicitly for +// the matched requests. The reason this is useful is that when doing +// prefix/path matching Envoy does not always know what the application +// considers to be an endpoint. Thus, it’s impossible for Envoy to generically +// emit per endpoint statistics. However, often systems have highly critical +// endpoints that they wish to get “perfect” statistics on. Virtual cluster +// statistics are perfect in the sense that they are emitted on the downstream +// side such that they include network level failures. +// +// Documentation for :ref:`virtual cluster statistics `. +// +// .. note:: +// +// Virtual clusters are a useful tool, but we do not recommend setting up a virtual cluster for +// every application endpoint. This is both not easily maintainable and as well the matching and +// statistics output are not free. +message VirtualCluster { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.VirtualCluster"; + + reserved 1, 3; + + reserved "pattern", "method"; + + // Specifies a list of header matchers to use for matching requests. Each specified header must + // match. The pseudo-headers ``:path`` and ``:method`` can be used to match the request path and + // method, respectively. + repeated HeaderMatcher headers = 4; + + // Specifies the name of the virtual cluster. The virtual cluster name as well + // as the virtual host name are used when emitting statistics. The statistics are emitted by the + // router filter and are documented :ref:`here `. + string name = 2 [(validate.rules).string = {min_len: 1}]; +} + +// Global rate limiting :ref:`architecture overview `. 
+// Also applies to Local rate limiting :ref:`using descriptors `. +// [#next-free-field: 7] +message RateLimit { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RateLimit"; + + // [#next-free-field: 13] + message Action { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action"; + + // The following descriptor entry is appended to the descriptor: + // + // .. code-block:: cpp + // + // ("source_cluster", "") + // + // is derived from the :option:`--service-cluster` option. + message SourceCluster { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action.SourceCluster"; + } + + // The following descriptor entry is appended to the descriptor: + // + // .. code-block:: cpp + // + // ("destination_cluster", "") + // + // Once a request matches against a route table rule, a routed cluster is determined by one of + // the following :ref:`route table configuration ` + // settings: + // + // * :ref:`cluster ` indicates the upstream cluster + // to route to. + // * :ref:`weighted_clusters ` + // chooses a cluster randomly from a set of clusters with attributed weight. + // * :ref:`cluster_header ` indicates which + // header in the request contains the target cluster. + message DestinationCluster { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action.DestinationCluster"; + } + + // The following descriptor entry is appended when a header contains a key that matches the + // ``header_name``: + // + // .. code-block:: cpp + // + // ("", "") + message RequestHeaders { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action.RequestHeaders"; + + // The header name to be queried from the request headers. The header’s + // value is used to populate the value of the descriptor entry for the + // descriptor_key. 
+ string header_name = 1 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // The key to use in the descriptor entry. + string descriptor_key = 2 [(validate.rules).string = {min_len: 1}]; + + // Controls the behavior when the specified header is not present in the request. + // + // If set to ``false`` (default): + // + // * Envoy does **NOT** call the rate limiting service for this descriptor. + // * Useful if the header is optional and you prefer to skip rate limiting when it's absent. + // + // If set to ``true``: + // + // * Envoy calls the rate limiting service but omits this descriptor if the header is missing. + // * Useful if you want Envoy to enforce rate limiting even when the header is not present. + // + bool skip_if_absent = 3; + } + + // The following descriptor entry is appended when a query parameter contains a key that matches the + // ``query_parameter_name``: + // + // .. code-block:: cpp + // + // ("", "") + message QueryParameters { + // The name of the query parameter to use for rate limiting. Value of this query parameter is used to populate + // the value of the descriptor entry for the descriptor_key. + string query_parameter_name = 1 [(validate.rules).string = {min_len: 1}]; + + // The key to use when creating the rate limit descriptor entry. This descriptor key will be used to identify the + // rate limit rule in the rate limiting service. + string descriptor_key = 2 [(validate.rules).string = {min_len: 1}]; + + // Controls the behavior when the specified query parameter is not present in the request. + // + // If set to ``false`` (default): + // + // * Envoy does **NOT** call the rate limiting service for this descriptor. + // * Useful if the query parameter is optional and you prefer to skip rate limiting when it's absent. + // + // If set to ``true``: + // + // * Envoy calls the rate limiting service but omits this descriptor if the query parameter is missing. 
+ // * Useful if you want Envoy to enforce rate limiting even when the query parameter is not present. + // + bool skip_if_absent = 3; + } + + // The following descriptor entry is appended to the descriptor and is populated using the + // trusted address from :ref:`x-forwarded-for `: + // + // .. code-block:: cpp + // + // ("remote_address", "") + message RemoteAddress { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action.RemoteAddress"; + } + + // The following descriptor entry is appended to the descriptor and is populated using the + // masked address from :ref:`x-forwarded-for `: + // + // .. code-block:: cpp + // + // ("masked_remote_address", "") + message MaskedRemoteAddress { + // Length of prefix mask len for IPv4 (e.g. 0, 32). + // + // Defaults to 32 when unset. + // + // For example, trusted address from x-forwarded-for is ``192.168.1.1``, + // the descriptor entry is ("masked_remote_address", "192.168.1.1/32"); + // if mask len is 24, the descriptor entry is ("masked_remote_address", "192.168.1.0/24"). + google.protobuf.UInt32Value v4_prefix_mask_len = 1 [(validate.rules).uint32 = {lte: 32}]; + + // Length of prefix mask len for IPv6 (e.g. 0, 128). + // + // Defaults to 128 when unset. + // + // For example, trusted address from x-forwarded-for is ``2001:abcd:ef01:2345:6789:abcd:ef01:234``, + // the descriptor entry is ("masked_remote_address", "2001:abcd:ef01:2345:6789:abcd:ef01:234/128"); + // if mask len is 64, the descriptor entry is ("masked_remote_address", "2001:abcd:ef01:2345::/64"). + google.protobuf.UInt32Value v6_prefix_mask_len = 2 [(validate.rules).uint32 = {lte: 128}]; + } + + // The following descriptor entry is appended to the descriptor: + // + // .. code-block:: cpp + // + // ("generic_key", "") + message GenericKey { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action.GenericKey"; + + // Descriptor value of entry. 
+ // + // The same :ref:`format specifier ` as used for + // :ref:`HTTP access logging ` applies here, however + // unknown specifier values are replaced with the empty string instead of ``-``. + // + // .. note:: + // + // Formatter parsing is controlled by the runtime feature flag + // ``envoy.reloadable_features.enable_formatter_for_ratelimit_action_descriptor_value`` + // (disabled by default). + // + // When enabled: The format string can contain multiple valid substitution + // fields. If multiple substitution fields are present, their results will be concatenated + // to form the final descriptor value. If it contains no substitution fields, the value + // will be used as is. If the final concatenated result is empty and ``default_value`` is set, + // the ``default_value`` will be used. If ``default_value`` is not set and the result is + // empty, this descriptor will be skipped and not included in the rate limit call. + // + // When disabled (default): The descriptor_value is used as a literal string without any formatter + // parsing or substitution. + // + // For example, ``static_value`` will be used as is since there are no substitution fields. + // ``%REQ(:method)%`` will be replaced with the HTTP method, and + // ``%REQ(:method)%%REQ(:path)%`` will be replaced with the concatenation of the HTTP method and path. + // ``%CEL(request.headers['user-id'])%`` will use CEL to extract the user ID from request headers. + // + string descriptor_value = 1 [(validate.rules).string = {min_len: 1}]; + + // An optional value to use if the final concatenated ``descriptor_value`` result is empty. + // Only applicable when formatter parsing is enabled by the runtime feature flag + // ``envoy.reloadable_features.enable_formatter_for_ratelimit_action_descriptor_value`` (disabled by default). + string default_value = 3; + + // An optional key to use in the descriptor entry. If not set it defaults + // to 'generic_key' as the descriptor key. 
+ string descriptor_key = 2; + } + + // The following descriptor entry is appended to the descriptor: + // + // .. code-block:: cpp + // + // ("header_match", "") + // [#next-free-field: 6] + message HeaderValueMatch { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action.HeaderValueMatch"; + + // Descriptor value of entry. + // + // The same :ref:`format specifier ` as used for + // :ref:`HTTP access logging ` applies here, however + // unknown specifier values are replaced with the empty string instead of ``-``. + // + // .. note:: + // + // Formatter parsing is controlled by the runtime feature flag + // ``envoy.reloadable_features.enable_formatter_for_ratelimit_action_descriptor_value`` + // (disabled by default). + // + // When enabled: The format string can contain multiple valid substitution + // fields. If multiple substitution fields are present, their results will be concatenated + // to form the final descriptor value. If it contains no substitution fields, the value + // will be used as is. All substitution fields will be evaluated and their results + // concatenated. If the final concatenated result is empty and ``default_value`` is set, + // the ``default_value`` will be used. If ``default_value`` is not set and the result is + // empty, this descriptor will be skipped and not included in the rate limit call. + // + // When disabled (default): The descriptor_value is used as a literal string without any formatter + // parsing or substitution. + // + // For example, ``static_value`` will be used as is since there are no substitution fields. + // ``%REQ(:method)%`` will be replaced with the HTTP method, and + // ``%REQ(:method)%%REQ(:path)%`` will be replaced with the concatenation of the HTTP method and path. + // ``%CEL(request.headers['user-id'])%`` will use CEL to extract the user ID from request headers. 
+ // + string descriptor_value = 1 [(validate.rules).string = {min_len: 1}]; + + // An optional value to use if the final concatenated ``descriptor_value`` result is empty. + // Only applicable when formatter parsing is enabled by the runtime feature flag + // ``envoy.reloadable_features.enable_formatter_for_ratelimit_action_descriptor_value`` (disabled by default). + string default_value = 5; + + // The key to use in the descriptor entry. + // + // Defaults to ``header_match``. + string descriptor_key = 4; + + // If set to true, the action will append a descriptor entry when the + // request matches the headers. If set to false, the action will append a + // descriptor entry when the request does not match the headers. The + // default value is true. + google.protobuf.BoolValue expect_match = 2; + + // Specifies a set of headers that the rate limit action should match + // on. The action will check the request's headers against all the + // specified headers in the config. A match will happen if all the + // headers in the config are present in the request with the same values + // (or based on presence if the value field is not in the config). + repeated HeaderMatcher headers = 3 [(validate.rules).repeated = {min_items: 1}]; + } + + // The following descriptor entry is appended when the + // :ref:`dynamic metadata ` contains a key value: + // + // .. code-block:: cpp + // + // ("", "") + // + // .. attention:: + // This action has been deprecated in favor of the :ref:`metadata ` action + message DynamicMetaData { + // The key to use in the descriptor entry. + string descriptor_key = 1 [(validate.rules).string = {min_len: 1}]; + + // Metadata struct that defines the key and path to retrieve the string value. A match will + // only happen if the value in the dynamic metadata is of type string. + type.metadata.v3.MetadataKey metadata_key = 2 [(validate.rules).message = {required: true}]; + + // An optional value to use if ``metadata_key`` is empty. 
If not set and + // no value is present under the metadata_key then no descriptor is generated. + string default_value = 3; + } + + // The following descriptor entry is appended when the metadata contains a key value: + // + // .. code-block:: cpp + // + // ("", "") + // [#next-free-field: 6] + message MetaData { + enum Source { + // Query :ref:`dynamic metadata ` + DYNAMIC = 0; + + // Query :ref:`route entry metadata ` + ROUTE_ENTRY = 1; + } + + // The key to use in the descriptor entry. + string descriptor_key = 1 [(validate.rules).string = {min_len: 1}]; + + // Metadata struct that defines the key and path to retrieve the string value. A match will + // only happen if the value in the metadata is of type string. + type.metadata.v3.MetadataKey metadata_key = 2 [(validate.rules).message = {required: true}]; + + // An optional value to use if ``metadata_key`` is empty. If not set and + // no value is present under the metadata_key then ``skip_if_absent`` is followed to + // skip calling the rate limiting service or skip the descriptor. + string default_value = 3; + + // Source of metadata + Source source = 4 [(validate.rules).enum = {defined_only: true}]; + + // Controls the behavior when the specified ``metadata_key`` is empty and ``default_value`` is not set. + // + // If set to ``false`` (default): + // + // * Envoy does **NOT** call the rate limiting service for this descriptor. + // * Useful if the metadata is optional and you prefer to skip rate limiting when it's absent. + // + // If set to ``true``: + // + // * Envoy calls the rate limiting service but omits this descriptor if the ``metadata_key`` is empty and + // ``default_value`` is missing. + // * Useful if you want Envoy to enforce rate limiting even when the metadata is not present. + // + bool skip_if_absent = 5; + } + + // The following descriptor entry is appended to the descriptor: + // + // .. 
code-block:: cpp + // + // ("query_match", "") + // [#next-free-field: 6] + message QueryParameterValueMatch { + // Descriptor value of entry. + // + // The same :ref:`format specifier ` as used for + // :ref:`HTTP access logging ` applies here, however + // unknown specifier values are replaced with the empty string instead of ``-``. + // + // .. note:: + // + // Formatter parsing is controlled by the runtime feature flag + // ``envoy.reloadable_features.enable_formatter_for_ratelimit_action_descriptor_value`` + // (disabled by default). + // + // When enabled: The format string can contain multiple valid substitution + // fields. If multiple substitution fields are present, their results will be concatenated + // to form the final descriptor value. If it contains no substitution fields, the value + // will be used as is. All substitution fields will be evaluated and their results + // concatenated. If the final concatenated result is empty and ``default_value`` is set, + // the ``default_value`` will be used. If ``default_value`` is not set and the result is + // empty, this descriptor will be skipped and not included in the rate limit call. + // + // When disabled (default): The descriptor_value is used as a literal string without any formatter + // parsing or substitution. + // + // For example, ``static_value`` will be used as is since there are no substitution fields. + // ``%REQ(:method)%`` will be replaced with the HTTP method, and + // ``%REQ(:method)%%REQ(:path)%`` will be replaced with the concatenation of the HTTP method and path. + // ``%CEL(request.headers['user-id'])%`` will use CEL to extract the user ID from request headers. + // + string descriptor_value = 1 [(validate.rules).string = {min_len: 1}]; + + // An optional value to use if the final concatenated ``descriptor_value`` result is empty. 
+ // Only applicable when formatter parsing is enabled by the runtime feature flag + // ``envoy.reloadable_features.enable_formatter_for_ratelimit_action_descriptor_value`` (disabled by default). + string default_value = 5; + + // The key to use in the descriptor entry. + // + // Defaults to ``query_match``. + string descriptor_key = 4; + + // If set to true, the action will append a descriptor entry when the + // request matches the headers. If set to false, the action will append a + // descriptor entry when the request does not match the headers. The + // default value is true. + google.protobuf.BoolValue expect_match = 2; + + // Specifies a set of query parameters that the rate limit action should match + // on. The action will check the request's query parameters against all the + // specified query parameters in the config. A match will happen if all the + // query parameters in the config are present in the request with the same values + // (or based on presence if the value field is not in the config). + repeated QueryParameterMatcher query_parameters = 3 + [(validate.rules).repeated = {min_items: 1}]; + } + + oneof action_specifier { + option (validate.required) = true; + + // Rate limit on source cluster. + SourceCluster source_cluster = 1; + + // Rate limit on destination cluster. + DestinationCluster destination_cluster = 2; + + // Rate limit on request headers. + RequestHeaders request_headers = 3; + + // Rate limit on query parameters. + QueryParameters query_parameters = 12; + + // Rate limit on remote address. + RemoteAddress remote_address = 4; + + // Rate limit on a generic key. + GenericKey generic_key = 5; + + // Rate limit on the existence of request headers. + HeaderValueMatch header_value_match = 6; + + // Rate limit on dynamic metadata. + // + // .. 
attention:: + // This field has been deprecated in favor of the :ref:`metadata ` field + DynamicMetaData dynamic_metadata = 7 [ + deprecated = true, + (envoy.annotations.deprecated_at_minor_version) = "3.0", + (envoy.annotations.disallowed_by_default) = true + ]; + + // Rate limit on metadata. + MetaData metadata = 8; + + // Rate limit descriptor extension. See the rate limit descriptor extensions documentation. + // + // :ref:`HTTP matching input functions ` are + // permitted as descriptor extensions. The input functions are only + // looked up if there is no rate limit descriptor extension matching + // the type URL. + // + // [#extension-category: envoy.rate_limit_descriptors] + core.v3.TypedExtensionConfig extension = 9; + + // Rate limit on masked remote address. + MaskedRemoteAddress masked_remote_address = 10; + + // Rate limit on the existence of query parameters. + QueryParameterValueMatch query_parameter_value_match = 11; + } + } + + message Override { + // Fetches the override from the dynamic metadata. + message DynamicMetadata { + // Metadata struct that defines the key and path to retrieve the struct value. + // The value must be a struct containing an integer "requests_per_unit" property + // and a "unit" property with a value parseable to :ref:`RateLimitUnit + // enum ` + type.metadata.v3.MetadataKey metadata_key = 1 [(validate.rules).message = {required: true}]; + } + + oneof override_specifier { + option (validate.required) = true; + + // Limit override from dynamic metadata. + DynamicMetadata dynamic_metadata = 1; + } + } + + message HitsAddend { + // Fixed number of hits to add to the rate limit descriptor. + // + // One of the ``number`` or ``format`` fields should be set but not both. + google.protobuf.UInt64Value number = 1 [(validate.rules).uint64 = {lte: 1000000000}]; + + // Substitution format string to extract the number of hits to add to the rate limit descriptor. 
+ // The same :ref:`format specifier ` as used for + // :ref:`HTTP access logging ` applies here. + // + // .. note:: + // + // The format string must contains only single valid substitution field. If the format string + // not meets the requirement, the configuration will be rejected. + // + // The substitution field should generates a non-negative number or string representation of + // a non-negative number. The value of the non-negative number should be less than or equal + // to 1000000000 like the ``number`` field. If the output of the substitution field not meet + // the requirement, this will be treated as an error and the current descriptor will be ignored. + // + // For example, the ``%BYTES_RECEIVED%`` format string will be replaced with the number of bytes + // received in the request. + // + // One of the ``number`` or ``format`` fields should be set but not both. + string format = 2 [(validate.rules).string = {prefix: "%" suffix: "%" ignore_empty: true}]; + } + + // Refers to the stage set in the filter. The rate limit configuration only + // applies to filters with the same stage number. The default stage number is + // 0. + // + // .. note:: + // + // The filter supports a range of 0 - 10 inclusively for stage numbers. + // + // .. note:: + // This is not supported if the rate limit action is configured in the ``typed_per_filter_config`` like + // :ref:`VirtualHost.typed_per_filter_config` or + // :ref:`Route.typed_per_filter_config`, etc. + google.protobuf.UInt32Value stage = 1 [(validate.rules).uint32 = {lte: 10}]; + + // The key to be set in runtime to disable this rate limit configuration. + // + // .. note:: + // This is not supported if the rate limit action is configured in the ``typed_per_filter_config`` like + // :ref:`VirtualHost.typed_per_filter_config` or + // :ref:`Route.typed_per_filter_config`, etc. + string disable_key = 2; + + // A list of actions that are to be applied for this rate limit configuration. 
+ // Order matters as the actions are processed sequentially and the descriptor + // is composed by appending descriptor entries in that sequence. If an action + // cannot append a descriptor entry, no descriptor is generated for the + // configuration. See :ref:`composing actions + // ` for additional documentation. + repeated Action actions = 3 [(validate.rules).repeated = {min_items: 1}]; + + // An optional limit override to be appended to the descriptor produced by this + // rate limit configuration. If the override value is invalid or cannot be resolved + // from metadata, no override is provided. See :ref:`rate limit override + // ` for more information. + // + // .. note:: + // This is not supported if the rate limit action is configured in the ``typed_per_filter_config`` like + // :ref:`VirtualHost.typed_per_filter_config` or + // :ref:`Route.typed_per_filter_config`, etc. + Override limit = 4; + + // An optional hits addend to be appended to the descriptor produced by this rate limit + // configuration. + // + // .. note:: + // This is only supported if the rate limit action is configured in the ``typed_per_filter_config`` like + // :ref:`VirtualHost.typed_per_filter_config` or + // :ref:`Route.typed_per_filter_config`, etc. + HitsAddend hits_addend = 5; + + // If true, the rate limit request will be applied when the stream completes. The default value is false. + // This is useful when the rate limit budget needs to reflect the response context that is not available + // on the request path. + // + // For example, let's say the upstream service calculates the usage statistics and returns them in the response body + // and we want to utilize these numbers to apply the rate limit action for the subsequent requests. + // Combined with another filter that can set the desired addend based on the response (e.g. Lua filter), + // this can be used to subtract the usage statistics from the rate limit budget. 
+ // + // A rate limit applied on the stream completion is "fire-and-forget" by nature, and rate limit is not enforced by this config. + // In other words, the current request won't be blocked when this is true, but the budget will be updated for the subsequent + // requests based on the action with this field set to true. Users should ensure that the rate limit is enforced by the actions + // applied on the request path, i.e. the ones with this field set to false. + // + // Currently, this is only supported by the HTTP global rate filter. + bool apply_on_stream_done = 6; +} + +// .. attention:: +// +// Internally, Envoy always uses the HTTP/2 ``:authority`` header to represent the HTTP/1 ``Host`` +// header. Thus, if attempting to match on ``Host``, match on ``:authority`` instead. +// +// .. attention:: +// +// To route on HTTP method, use the special HTTP/2 ``:method`` header. This works for both +// HTTP/1 and HTTP/2 as Envoy normalizes headers. E.g., +// +// .. code-block:: json +// +// { +// "name": ":method", +// "string_match": { +// "exact": "POST" +// } +// } +// +// .. attention:: +// In the absence of any header match specifier, match will default to :ref:`present_match +// `. i.e, a request that has the :ref:`name +// ` header will match, regardless of the header's +// value. +// +// [#next-major-version: HeaderMatcher should be refactored to use StringMatcher.] +// [#next-free-field: 15] +message HeaderMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.HeaderMatcher"; + + reserved 2, 3, 5; + + reserved "regex_match"; + + // Specifies the name of the header in the request. + string name = 1 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // Specifies how the header match will be performed to route the request. + oneof header_match_specifier { + // If specified, header match will be performed based on the value of the header. + // + // .. 
attention:: + // + // This field is deprecated. Please use :ref:`string_match `. + string exact_match = 4 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // If specified, this regex string is a regular expression rule which implies the entire request + // header value must match the regex. The rule will not match if only a subsequence of the + // request header value matches the regex. + // + // .. attention:: + // + // This field is deprecated. Please use :ref:`string_match `. + type.matcher.v3.RegexMatcher safe_regex_match = 11 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // If specified, header match will be performed based on range. + // The rule will match if the request header value is within this range. + // The entire request header value must represent an integer in base 10 notation: consisting of + // an optional plus or minus sign followed by a sequence of digits. The rule will not match if + // the header value does not represent an integer. Match will fail for empty values, floating + // point numbers or if only a subsequence of the header value is an integer. + // + // Examples: + // + // * For range [-10,0), route will match for header value -1, but not for 0, ``somestring``, 10.9, + // ``-1somestring`` + type.v3.Int64Range range_match = 6; + + // If specified as true, header match will be performed based on whether the header is in the + // request. If specified as false, header match will be performed based on whether the header is absent. + bool present_match = 7; + + // If specified, header match will be performed based on the prefix of the header value. + // + // .. note:: + // + // Empty prefix is not allowed. Please use ``present_match`` instead. + // + // .. attention:: + // + // This field is deprecated. Please use :ref:`string_match `. + // + // Examples: + // + // * The prefix ``abcd`` matches the value ``abcdxyz``, but not for ``abcxyz``. 
+ string prefix_match = 9 [ + deprecated = true, + (validate.rules).string = {min_len: 1}, + (envoy.annotations.deprecated_at_minor_version) = "3.0" + ]; + + // If specified, header match will be performed based on the suffix of the header value. + // + // .. note:: + // + // Empty suffix is not allowed. Please use ``present_match`` instead. + // + // .. attention:: + // + // This field is deprecated. Please use :ref:`string_match `. + // + // Examples: + // + // * The suffix ``abcd`` matches the value ``xyzabcd``, but not for ``xyzbcd``. + string suffix_match = 10 [ + deprecated = true, + (validate.rules).string = {min_len: 1}, + (envoy.annotations.deprecated_at_minor_version) = "3.0" + ]; + + // If specified, header match will be performed based on whether the header value contains + // the given value or not. + // + // .. note:: + // + // Empty contains match is not allowed. Please use ``present_match`` instead. + // + // .. attention:: + // + // This field is deprecated. Please use :ref:`string_match `. + // + // Examples: + // + // * The value ``abcd`` matches the value ``xyzabcdpqr``, but not for ``xyzbcdpqr``. + string contains_match = 12 [ + deprecated = true, + (validate.rules).string = {min_len: 1}, + (envoy.annotations.deprecated_at_minor_version) = "3.0" + ]; + + // If specified, header match will be performed based on the string match of the header value. + type.matcher.v3.StringMatcher string_match = 13; + } + + // If specified, the match result will be inverted before checking. + // + // Defaults to ``false``. + // + // Examples: + // + // * The regex ``\d{3}`` does not match the value ``1234``, so it will match when inverted. + // * The range [-10,0) will match the value -1, so it will not match when inverted. + bool invert_match = 8; + + // If specified, for any header match rule, if the header match rule specified header + // does not exist, this header value will be treated as empty. + // + // Defaults to ``false``. 
+ // + // Examples: + // + // * The header match rule specified header "header1" to range match of [0, 10], + // :ref:`invert_match ` + // is set to true and :ref:`treat_missing_header_as_empty ` + // is set to true; The "header1" header is not present. The match rule will + // treat the "header1" as an empty header. The empty header does not match the range, + // so it will match when inverted. + // * The header match rule specified header "header2" to range match of [0, 10], + // :ref:`invert_match ` + // is set to true and :ref:`treat_missing_header_as_empty ` + // is set to false; The "header2" header is not present and the header + // matcher rule for "header2" will be ignored so it will not match. + // * The header match rule specified header "header3" to a string regex match + // ``^$`` which means an empty string, and + // :ref:`treat_missing_header_as_empty ` + // is set to true; The "header3" header is not present. + // The match rule will treat the "header3" header as an empty header so it will match. + // * The header match rule specified header "header4" to a string regex match + // ``^$`` which means an empty string, and + // :ref:`treat_missing_header_as_empty ` + // is set to false; The "header4" header is not present. + // The match rule for "header4" will be ignored so it will not match. + bool treat_missing_header_as_empty = 14; +} + +// Query parameter matching treats the query string of a request's :path header +// as an ampersand-separated list of keys and/or key=value elements. +// [#next-free-field: 7] +message QueryParameterMatcher { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.QueryParameterMatcher"; + + reserved 3, 4; + + reserved "value", "regex"; + + // Specifies the name of a key that must be present in the requested + // ``path``'s query string. 
+ string name = 1 [(validate.rules).string = {min_len: 1 max_bytes: 1024}]; + + oneof query_parameter_match_specifier { + // Specifies whether a query parameter value should match against a string. + type.matcher.v3.StringMatcher string_match = 5 [(validate.rules).message = {required: true}]; + + // Specifies whether a query parameter should be present. + bool present_match = 6; + } +} + +// Cookie matching inspects individual name/value pairs parsed from the ``Cookie`` header. +message CookieMatcher { + // Specifies the cookie name to evaluate. + string name = 1 [(validate.rules).string = {min_len: 1 max_bytes: 1024}]; + + // Match the cookie value using :ref:`StringMatcher + // ` semantics. + type.matcher.v3.StringMatcher string_match = 2 [(validate.rules).message = {required: true}]; + + // Invert the match result. If the cookie is not present, the match result is false, so + // ``invert_match`` will cause the matcher to succeed when the cookie is absent. + bool invert_match = 3; +} + +// HTTP Internal Redirect :ref:`architecture overview `. +// [#next-free-field: 6] +message InternalRedirectPolicy { + // An internal redirect is not handled, unless the number of previous internal redirects that a + // downstream request has encountered is lower than this value. + // In the case where a downstream request is bounced among multiple routes by internal redirect, + // the first route that hits this threshold, or does not set :ref:`internal_redirect_policy + // ` + // will pass the redirect back to downstream. + // + // If not specified, at most one redirect will be followed. + google.protobuf.UInt32Value max_internal_redirects = 1; + + // Defines what upstream response codes are allowed to trigger internal redirect. If unspecified, + // only 302 will be treated as internal redirect. + // Only 301, 302, 303, 307 and 308 are valid values. Any other codes will be ignored. 
+ repeated uint32 redirect_response_codes = 2 [(validate.rules).repeated = {max_items: 5}]; + + // Specifies a list of predicates that are queried when an upstream response is deemed + // to trigger an internal redirect by all other criteria. Any predicate in the list can reject + // the redirect, causing the response to be proxied to downstream. + // [#extension-category: envoy.internal_redirect_predicates] + repeated core.v3.TypedExtensionConfig predicates = 3; + + // Allow internal redirect to follow a target URI with a different scheme than the value of + // x-forwarded-proto. The default is ``false``. + bool allow_cross_scheme_redirect = 4; + + // Specifies a list of headers, by name, to copy from the internal redirect into the subsequent + // request. If a header is specified here but not present in the redirect, it will be cleared in + // the subsequent request. + repeated string response_headers_to_copy = 5 [(validate.rules).repeated = { + unique: true + items {string {well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; +} + +// A simple wrapper for an HTTP filter config. This is intended to be used as a wrapper for the +// map value in +// :ref:`VirtualHost.typed_per_filter_config`, +// :ref:`Route.typed_per_filter_config`, +// or :ref:`WeightedCluster.ClusterWeight.typed_per_filter_config` +// to add additional flags to the filter. +message FilterConfig { + // The filter config. + google.protobuf.Any config = 1; + + // If true, the filter is optional, meaning that if the client does + // not support the specified filter, it may ignore the map entry rather + // than rejecting the config. + bool is_optional = 2; + + // If true, the filter is disabled in the route or virtual host and the ``config`` field is ignored. + // See :ref:`route based filter chain ` + // for more details. + // + // .. note:: + // + // This field will take effect when the request arrive and filter chain is created for the request. 
+ // If initial route is selected for the request and a filter is disabled in the initial route, then
+ // the filter will not be added to the filter chain.
+ // And if the request is mutated later and re-match to another route, the disabled filter by the
+ // initial route will not be added back to the filter chain because the filter chain is already
+ // created and it is too late to change the chain.
+ //
+ bool disabled = 3;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/54c295690dbab13abb894fdfc00f7169088c828711f94e5c9980521d5e3d3eeabef5e15980148a4c2c2bc3dc77c044643375b2ce74cd0afc2dbd0cf448f01928 b/modules/sync/envoyproxy/envoy/cas/54c295690dbab13abb894fdfc00f7169088c828711f94e5c9980521d5e3d3eeabef5e15980148a4c2c2bc3dc77c044643375b2ce74cd0afc2dbd0cf448f01928
new file mode 100644
index 00000000..27c528d2
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/54c295690dbab13abb894fdfc00f7169088c828711f94e5c9980521d5e3d3eeabef5e15980148a4c2c2bc3dc77c044643375b2ce74cd0afc2dbd0cf448f01928
@@ -0,0 +1,108 @@
+syntax = "proto3";
+
+package stats;
+
+import "google/protobuf/duration.proto";
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.stats";
+option java_outer_classname = "IstioStatsProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/contrib/stats";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Istio stats HTTP filter]
+//
+// Istio stats HTTP filter for collecting and reporting metrics.
+// [#extension: envoy.filters.http.istio_stats]
+
+enum MetricType {
+ COUNTER = 0;
+ GAUGE = 1;
+ HISTOGRAM = 2;
+}
+
+// Specifies the proxy deployment type.
+enum Reporter {
+ // Default value is inferred from the listener direction, as either client or
+ // server sidecar.
+ UNSPECIFIED = 0;
+
+ // Shared server gateway, e.g. "waypoint".
+ SERVER_GATEWAY = 1;
+}
+
+// Metric instance configuration overrides.
+// The metric value and the metric type are optional and permit changing the
+// reported value for an existing metric.
+// The standard metrics are optimized and reported through a "fast-path".
+// The customizations allow full configurability, at the cost of a "slower"
+// path.
+// [#next-free-field: 6]
+message MetricConfig {
+ // (Optional) Collection of tag names and tag expressions to include in the
+ // metric. Conflicts are resolved by the tag name by overriding previously
+ // supplied values.
+ map dimensions = 1;
+
+ // (Optional) Metric name to restrict the override to a metric. If not
+ // specified, applies to all.
+ string name = 2;
+
+ // (Optional) A list of tags to remove.
+ repeated string tags_to_remove = 3;
+
+ // NOT IMPLEMENTED. (Optional) Conditional enabling the override.
+ string match = 4;
+
+ // (Optional) If this is set to true, the metric(s) selected by this
+ // configuration will not be generated or reported.
+ bool drop = 5;
+}
+
+message MetricDefinition {
+ // Metric name.
+ string name = 1;
+
+ // Metric value expression.
+ string value = 2;
+
+ // Metric type.
+ MetricType type = 3;
+}
+
+// [#next-free-field: 13]
+message PluginConfig {
+ reserved 1, 2, 3, 4, 5;
+
+ reserved "debug", "max_peer_cache_size", "stat_prefix", "field_separator", "value_separator";
+
+ // Optional: Disable using host header as a fallback if destination service is
+ // not available from the control plane. Disable the fallback if the host
+ // header originates outsides the mesh, like at ingress.
+ bool disable_host_header_fallback = 6;
+
+ // Optional. Allows configuration of the time between calls out to for TCP
+ // metrics reporting. The default duration is ``5s``.
+ google.protobuf.Duration tcp_reporting_duration = 7;
+
+ // Metric overrides.
+ repeated MetricConfig metrics = 8;
+
+ // Metric definitions.
+ repeated MetricDefinition definitions = 9;
+
+ // Proxy deployment type.
+ Reporter reporter = 10;
+
+ // Metric scope rotation interval. Set to 0 to disable the metric scope rotation.
+ // Defaults to 0.
+ // DEPRECATED.
+ google.protobuf.Duration rotation_interval = 11;
+
+ // Metric expiry graceful deletion interval. No-op if the metric rotation is disabled.
+ // Defaults to 5m. Must be >=1s.
+ // DEPRECATED.
+ google.protobuf.Duration graceful_deletion_interval = 12;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/5606420f7e0e3365e9bdaa012bb3380ef16ab399b2b010998c9524e73e3a2bf40e844ebb97cab1ad5ede1b84351ad026c49cf596865b4b3711b10e60fbd7f545 b/modules/sync/envoyproxy/envoy/cas/5606420f7e0e3365e9bdaa012bb3380ef16ab399b2b010998c9524e73e3a2bf40e844ebb97cab1ad5ede1b84351ad026c49cf596865b4b3711b10e60fbd7f545
new file mode 100644
index 00000000..1c033c08
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/5606420f7e0e3365e9bdaa012bb3380ef16ab399b2b010998c9524e73e3a2bf40e844ebb97cab1ad5ede1b84351ad026c49cf596865b4b3711b10e60fbd7f545
@@ -0,0 +1,533 @@
+syntax = "proto3";
+
+package envoy.service.ext_proc.v3;
+
+import "envoy/config/core/v3/base.proto";
+import "envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto";
+import "envoy/type/v3/http_status.proto";
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/struct.proto";
+
+import "xds/annotations/v3/status.proto";
+
+import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.service.ext_proc.v3";
+option java_outer_classname = "ExternalProcessorProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/service/ext_proc/v3;ext_procv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: External processing service]
+
+// A service that can access and modify HTTP requests and responses
+// as part of a filter chain.
+// The overall external processing protocol works like this:
+//
+// 1. The data plane sends to the service information about the HTTP request.
+// 2. The service sends back a ProcessingResponse message that directs
+// the data plane to either stop processing, continue without it, or send
+// it the next chunk of the message body.
+// 3. If so requested, the data plane sends the server the message body in
+// chunks, or the entire body at once. In either case, the server may send
+// back a ProcessingResponse for each message it receives, or wait for
+// a certain amount of body chunks received before streaming back the
+// ProcessingResponse messages.
+// 4. If so requested, the data plane sends the server the HTTP trailers,
+// and the server sends back a ProcessingResponse.
+// 5. At this point, request processing is done, and we pick up again
+// at step 1 when the data plane receives a response from the upstream
+// server.
+// 6. 
At any point above, if the server closes the gRPC stream cleanly, +// then the data plane proceeds without consulting the server. +// 7. At any point above, if the server closes the gRPC stream with an error, +// then the data plane returns a 500 error to the client, unless the filter +// was configured to ignore errors. +// +// In other words, the process is a request/response conversation, but +// using a gRPC stream to make it easier for the server to +// maintain state. +service ExternalProcessor { + // This begins the bidirectional stream that the data plane will use to + // give the server control over what the filter does. The actual + // protocol is described by the ProcessingRequest and ProcessingResponse + // messages below. + rpc Process(stream ProcessingRequest) returns (stream ProcessingResponse) { + } +} + +// This message specifies the filter protocol configurations which will be sent to the ext_proc +// server in a :ref:`ProcessingRequest `. +// If the server does not support these protocol configurations, it may choose to close the gRPC stream. +// If the server supports these protocol configurations, it should respond based on the API specifications. +message ProtocolConfiguration { + // Specify the filter configuration :ref:`request_body_mode + // ` + envoy.extensions.filters.http.ext_proc.v3.ProcessingMode.BodySendMode request_body_mode = 1 + [(validate.rules).enum = {defined_only: true}]; + + // Specify the filter configuration :ref:`response_body_mode + // ` + envoy.extensions.filters.http.ext_proc.v3.ProcessingMode.BodySendMode response_body_mode = 2 + [(validate.rules).enum = {defined_only: true}]; + + // Specify the filter configuration :ref:`send_body_without_waiting_for_header_response + // ` + // If the client is waiting for a header response from the server, setting ``true`` means the client will send body to the server + // as they arrive. 
Setting ``false`` means the client will buffer the arrived data and not send it to the server immediately. + bool send_body_without_waiting_for_header_response = 3; +} + +// This represents the different types of messages that the data plane can send +// to an external processing server. +// [#next-free-field: 12] +message ProcessingRequest { + reserved 1; + + reserved "async_mode"; + + // Each request message will include one of the following sub-messages. Which + // ones are set for a particular HTTP request/response depend on the + // processing mode. + oneof request { + option (validate.required) = true; + + // Information about the HTTP request headers, as well as peer info and additional + // properties. Unless ``observability_mode`` is ``true``, the server must send back a + // HeaderResponse message, an ImmediateResponse message, or close the stream. + HttpHeaders request_headers = 2; + + // Information about the HTTP response headers, as well as peer info and additional + // properties. Unless ``observability_mode`` is ``true``, the server must send back a + // HeaderResponse message or close the stream. + HttpHeaders response_headers = 3; + + // A chunk of the HTTP request body. Unless ``observability_mode`` is true, the server must send back + // a BodyResponse message, an ImmediateResponse message, or close the stream. + HttpBody request_body = 4; + + // A chunk of the HTTP response body. Unless ``observability_mode`` is ``true``, the server must send back + // a BodyResponse message or close the stream. + HttpBody response_body = 5; + + // The HTTP trailers for the request path. Unless ``observability_mode`` is ``true``, the server + // must send back a TrailerResponse message or close the stream. + // + // This message is only sent if the trailers processing mode is set to ``SEND`` and + // the original downstream request has trailers. + HttpTrailers request_trailers = 6; + + // The HTTP trailers for the response path. 
Unless ``observability_mode`` is ``true``, the server + // must send back a TrailerResponse message or close the stream. + // + // This message is only sent if the trailers processing mode is set to ``SEND`` and + // the original upstream response has trailers. + HttpTrailers response_trailers = 7; + } + + // Dynamic metadata associated with the request. + config.core.v3.Metadata metadata_context = 8; + + // The values of properties selected by the ``request_attributes`` + // or ``response_attributes`` list in the configuration. Each entry + // in the list is populated from the standard + // :ref:`attributes ` supported in the data plane. + map attributes = 9; + + // Specify whether the filter that sent this request is running in :ref:`observability_mode + // ` + // and defaults to false. + // + // * A value of ``false`` indicates that the server must respond + // to this message by either sending back a matching ProcessingResponse message, + // or by closing the stream. + // * A value of ``true`` indicates that the server should not respond to this message, as any + // responses will be ignored. However, it may still close the stream to indicate that no more messages + // are needed. + // + bool observability_mode = 10; + + // Specify the filter protocol configurations to be sent to the server. + // ``protocol_config`` is only encoded in the first ``ProcessingRequest`` message from the client to the server. + ProtocolConfiguration protocol_config = 11; +} + +// This represents the different types of messages the server may send back to the data plane +// when the ``observability_mode`` field in the received ProcessingRequest is set to false. +// +// * If the corresponding ``BodySendMode`` in the +// :ref:`processing_mode ` +// is not set to ``FULL_DUPLEX_STREAMED``, then for every received ProcessingRequest, +// the server must send back exactly one ProcessingResponse message. 
+// * If it is set to ``FULL_DUPLEX_STREAMED``, the server must follow the API defined +// for this mode to send the ProcessingResponse messages. +// [#next-free-field: 13] +message ProcessingResponse { + // The response type that is sent by the server. + oneof response { + option (validate.required) = true; + + // The server must send back this message in response to a message with the + // ``request_headers`` field set. + HeadersResponse request_headers = 1; + + // The server must send back this message in response to a message with the + // ``response_headers`` field set. + HeadersResponse response_headers = 2; + + // The server must send back this message in response to a message with + // the ``request_body`` field set. + BodyResponse request_body = 3; + + // The server must send back this message in response to a message with + // the ``response_body`` field set. + BodyResponse response_body = 4; + + // The server must send back this message in response to a message with + // the ``request_trailers`` field set. + TrailersResponse request_trailers = 5; + + // The server must send back this message in response to a message with + // the ``response_trailers`` field set. + TrailersResponse response_trailers = 6; + + // If specified, attempt to create a locally generated response, send it + // downstream, and stop processing additional filters and ignore any + // additional messages received from the remote server for this request or + // response. If a response has already started -- for example, if this + // message is sent response to a ``response_body`` message -- then + // this will either ship the reply directly to the downstream codec, + // or reset the stream. + ImmediateResponse immediate_response = 7; + + // The server sends back this message to initiate or continue local response streaming. + // The server must initiate local response streaming with the ``headers_response`` in response to a ProcessingRequest + // with the ``request_headers`` only. 
+ // The server may follow up with multiple messages containing ``body_response``. The server must indicate + // end of stream by setting ``end_of_stream`` to ``true`` in the ``headers_response`` + // or ``body_response`` message or by sending a ``trailers_response`` message. + // The client may send a ``request_body`` or ``request_trailers`` to the server depending on configuration. + // The streaming local response can only be sent when the ``request_header_mode`` in the filter + // :ref:`processing_mode ` + // is set to ``SEND``. The ext_proc server should not send StreamedImmediateResponse if it did not observe request headers, + // as it will result in the race with the upstream server response and reset of the client request. + // Presently only the FULL_DUPLEX_STREAMED or NONE body modes are supported. + StreamedImmediateResponse streamed_immediate_response = 11; + } + + // Optional metadata that will be emitted as dynamic metadata to be consumed by + // following filters. This metadata will be placed in the namespace(s) specified by the top-level + // field name(s) of the struct. + google.protobuf.Struct dynamic_metadata = 8; + + // Override how parts of the HTTP request and response are processed + // for the duration of this particular request/response only. Servers + // may use this to intelligently control how requests are processed + // based on the headers and other metadata that they see. + // This field is only applicable when servers responding to the header requests. + // If it is set in the response to the body or trailer requests, it will be ignored by the data plane. + // It is also ignored by the data plane when the ext_proc filter config + // :ref:`allow_mode_override + // ` + // is set to false, or + // :ref:`send_body_without_waiting_for_header_response + // ` + // is set to true. 
+ envoy.extensions.filters.http.ext_proc.v3.ProcessingMode mode_override = 9; + + // [#not-implemented-hide:] + // Used only in ``FULL_DUPLEX_STREAMED`` and ``GRPC`` body send modes. + // Instructs the data plane to stop sending body data and to send a + // half-close on the ext_proc stream. The ext_proc server should then echo + // back all subsequent body contents as-is until it sees the client's + // half-close, at which point the ext_proc server can terminate the stream + // with an OK status. This provides a safe way for the ext_proc server + // to indicate that it does not need to see the rest of the stream; + // without this, the ext_proc server could not terminate the stream + // early, because it would wind up dropping any body contents that the + // client had already sent before it saw the ext_proc stream termination. + bool request_drain = 12; + + // When ext_proc server receives a request message, in case it needs more + // time to process the message, it sends back a ProcessingResponse message + // with a new timeout value. When the data plane receives this response + // message, it ignores other fields in the response, just stop the original + // timer, which has the timeout value specified in + // :ref:`message_timeout + // ` + // and start a new timer with this ``override_message_timeout`` value and keep the + // data plane ext_proc filter state machine intact. + // Has to be >= 1ms and <= + // :ref:`max_message_timeout ` + // Such message can be sent at most once in a particular data plane ext_proc filter processing state. + // To enable this API, one has to set ``max_message_timeout`` to a number >= 1ms. + google.protobuf.Duration override_message_timeout = 10; +} + +// The following are messages that are sent to the server. + +// This message is sent to the external server when the HTTP request and responses +// are first received. +message HttpHeaders { + // The HTTP request headers. 
All header keys will be + // lower-cased, because HTTP header keys are case-insensitive. + // The header value is encoded in the + // :ref:`raw_value ` field. + config.core.v3.HeaderMap headers = 1; + + // [#not-implemented-hide:] + // This field is deprecated and not implemented. Attributes will be sent in + // the top-level :ref:`attributes attributes = 2 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // If ``true``, then there is no message body associated with this + // request or response. + bool end_of_stream = 3; +} + +// This message is sent to the external server when the HTTP request and +// response bodies are received. +message HttpBody { + // The contents of the body in the HTTP request/response. Note that in + // streaming mode multiple ``HttpBody`` messages may be sent. + // + // In ``GRPC`` body send mode, a separate ``HttpBody`` message will be + // sent for each message in the gRPC stream. + bytes body = 1; + + // If ``true``, this will be the last ``HttpBody`` message that will be sent and no + // trailers will be sent for the current request/response. + bool end_of_stream = 2; + + // This field is used in ``GRPC`` body send mode when ``end_of_stream`` is + // true and ``body`` is empty. Those values would normally indicate an + // empty message on the stream with the end-of-stream bit set. + // However, if the half-close happens after the last message on the + // stream was already sent, then this field will be true to indicate an + // end-of-stream with *no* message (as opposed to an empty message). + bool end_of_stream_without_message = 3; + + // This field is used in ``GRPC`` body send mode to indicate whether + // the message is compressed. This will never be set to true by gRPC + // but may be set to true by a proxy like Envoy. + bool grpc_message_compressed = 4; +} + +// This message is sent to the external server when the HTTP request and +// response trailers are received. 
+message HttpTrailers { + // The header value is encoded in the + // :ref:`raw_value ` field. + config.core.v3.HeaderMap trailers = 1; +} + +// The following are messages that may be sent back by the server. + +// This message is sent by the external server to the data plane after ``HttpHeaders`` was +// sent to it. +message HeadersResponse { + // Details the modifications (if any) to be made by the data plane to the current + // request/response. + CommonResponse response = 1; +} + +// This message is sent by the external server to the data plane after ``HttpBody`` was +// sent to it. +message BodyResponse { + // Details the modifications (if any) to be made by the data plane to the current + // request/response. + CommonResponse response = 1; +} + +// This message is sent by the external server to the data plane after ``HttpTrailers`` was +// sent to it. +message TrailersResponse { + // Details the modifications (if any) to be made by the data plane to the current + // request/response trailers. + HeaderMutation header_mutation = 1; +} + +// This message is sent by the external server to the data plane after ``HttpHeaders`` +// to initiate local response streaming. The server may follow up with multiple messages containing ``body_response``. +// The server must indicate end of stream by setting ``end_of_stream`` to ``true`` in the ``headers_response`` +// or ``body_response`` message or by sending a ``trailers_response`` message. +message StreamedImmediateResponse { + oneof response { + // Response headers to be sent downstream. The ":status" header must be set. + HttpHeaders headers_response = 1; + + // Response body to be sent downstream. + StreamedBodyResponse body_response = 2; + + // Response trailers to be sent downstream. + config.core.v3.HeaderMap trailers_response = 3; + } +} + +// This message contains common fields between header and body responses. +// [#next-free-field: 6] +message CommonResponse { + // The status of the response. 
+ enum ResponseStatus { + // Apply the mutation instructions in this message to the + // request or response, and then continue processing the filter + // stream as normal. This is the default. + CONTINUE = 0; + + // Apply the specified header mutation, replace the body with the body + // specified in the body mutation (if present), and do not send any + // further messages for this request or response even if the processing + // mode is configured to do so. + // + // When used in response to a request_headers or response_headers message, + // this status makes it possible to either completely replace the body + // while discarding the original body, or to add a body to a message that + // formerly did not have one. + // + // In other words, this response makes it possible to turn an HTTP GET + // into a POST, PUT, or PATCH. + // + // Not supported if the body send mode is ``GRPC``. + CONTINUE_AND_REPLACE = 1; + } + + // If set, provide additional direction on how the data plane should + // handle the rest of the HTTP filter chain. + ResponseStatus status = 1 [(validate.rules).enum = {defined_only: true}]; + + // Instructions on how to manipulate the headers. When responding to an + // HttpBody request, header mutations will only take effect if + // the current processing mode for the body is BUFFERED. + HeaderMutation header_mutation = 2; + + // Replace the body of the last message sent to the remote server on this + // stream. If responding to an HttpBody request, simply replace or clear + // the body chunk that was sent with that request. Body mutations may take + // effect in response either to ``header`` or ``body`` messages. When it is + // in response to ``header`` messages, it only take effect if the + // :ref:`status ` + // is set to CONTINUE_AND_REPLACE. + BodyMutation body_mutation = 3; + + // [#not-implemented-hide:] + // Add new trailers to the message. 
This may be used when responding to either a
+ // HttpHeaders or HttpBody message, but only if this message is returned
+ // along with the CONTINUE_AND_REPLACE status.
+ // The header value is encoded in the
+ // :ref:`raw_value ` field.
+ config.core.v3.HeaderMap trailers = 4;
+
+ // Clear the route cache for the current client request. This is necessary
+ // if the remote server modified headers that are used to calculate the route.
+ // This field is ignored in the response direction. This field is also ignored
+ // if the data plane ext_proc filter is in the upstream filter chain.
+ bool clear_route_cache = 5;
+}
+
+// This message causes the filter to attempt to create a locally
+// generated response, send it downstream, stop processing
+// additional filters, and ignore any additional messages received
+// from the remote server for this request or response. If a response
+// has already started, then this will either ship the reply directly
+// to the downstream codec, or reset the stream.
+// [#next-free-field: 6]
+message ImmediateResponse {
+ // The response code to return.
+ type.v3.HttpStatus status = 1 [(validate.rules).message = {required: true}];
+
+ // Apply changes to the default headers, which will include content-type.
+ HeaderMutation headers = 2;
+
+ // The message body to return with the response which is sent using the
+ // text/plain content type, or encoded in the grpc-message header.
+ bytes body = 3;
+
+ // If set, then include a gRPC status trailer.
+ GrpcStatus grpc_status = 4;
+
+ // A string detailing why this local reply was sent, which may be included
+ // in log and debug output (e.g. this populates the %RESPONSE_CODE_DETAILS%
+ // command operator field for use in access logging).
+ string details = 5;
+}
+
+// This message specifies a gRPC status for an ImmediateResponse message.
+message GrpcStatus {
+ // The actual gRPC status.
+ uint32 status = 1;
+}
+
+// Change HTTP headers or trailers by appending, replacing, or removing
+// headers.
+message HeaderMutation {
+ // Add or replace HTTP headers. Attempts to set the value of
+ // any ``x-envoy`` header, and attempts to set the ``:method``,
+ // ``:authority``, ``:scheme``, or ``host`` headers will be ignored.
+ // The header value is encoded in the
+ // :ref:`raw_value ` field.
+ repeated config.core.v3.HeaderValueOption set_headers = 1;
+
+ // Remove these HTTP headers. Attempts to remove system headers --
+ // any header starting with ``:``, plus ``host`` -- will be ignored.
+ repeated string remove_headers = 2;
+}
+
+// The body response message corresponding to ``FULL_DUPLEX_STREAMED`` or ``GRPC`` body modes.
+message StreamedBodyResponse {
+ // In ``FULL_DUPLEX_STREAMED`` body send mode, contains the body response chunk that will be
+ // passed to the upstream/downstream by the data plane. In ``GRPC`` body send mode, contains
+ // a serialized gRPC message to be passed to the upstream/downstream by the data plane.
+ bytes body = 1;
+
+ // The server sets this flag to true if it has received a body request with
+ // :ref:`end_of_stream ` set to true,
+ // and this is the last chunk of body responses.
+ // Note that in ``GRPC`` body send mode, this allows the ext_proc
+ // server to tell the data plane to send a half close after a client
+ // message, which will result in discarding any other messages sent by
+ // the client application.
+ bool end_of_stream = 2;
+
+ // This field is used in ``GRPC`` body send mode when ``end_of_stream`` is
+ // true and ``body`` is empty. Those values would normally indicate an
+ // empty message on the stream with the end-of-stream bit set.
+ // However, if the half-close happens after the last message on the
+ // stream was already sent, then this field will be true to indicate an
+ // end-of-stream with *no* message (as opposed to an empty message).
+ bool end_of_stream_without_message = 3;
+
+ // This field is used in ``GRPC`` body send mode to indicate whether
+ // the message is compressed. This will never be set to true by gRPC
+ // but may be set to true by a proxy like Envoy.
+ bool grpc_message_compressed = 4;
+}
+
+// This message specifies the body mutation the server sends to the data plane.
+message BodyMutation {
+ // The type of mutation for the body.
+ oneof mutation {
+ // The entire body to replace.
+ // Should only be used when the corresponding ``BodySendMode`` in the
+ // :ref:`processing_mode `
+ // is not set to ``FULL_DUPLEX_STREAMED`` or ``GRPC``.
+ bytes body = 1;
+
+ // Clear the corresponding body chunk.
+ // Should only be used when the corresponding ``BodySendMode`` in the
+ // :ref:`processing_mode `
+ // is not set to ``FULL_DUPLEX_STREAMED`` or ``GRPC``.
+ // Clear the corresponding body chunk.
+ bool clear_body = 2;
+
+ // Must be used when the corresponding ``BodySendMode`` in the
+ // :ref:`processing_mode `
+ // is set to ``FULL_DUPLEX_STREAMED`` or ``GRPC``.
+ StreamedBodyResponse streamed_response = 3
+ [(xds.annotations.v3.field_status).work_in_progress = true];
+ }
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/5667f8c87679bf1644503044802c8f3e1cf67eac83eafd7a9c0abd969bdc1addc7670b39c482a0cacc8a58d9eea6ba734baa8d7fcb82a6cd0bfcf346a5da0aa8 b/modules/sync/envoyproxy/envoy/cas/5667f8c87679bf1644503044802c8f3e1cf67eac83eafd7a9c0abd969bdc1addc7670b39c482a0cacc8a58d9eea6ba734baa8d7fcb82a6cd0bfcf346a5da0aa8
new file mode 100644
index 00000000..1d324499
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/5667f8c87679bf1644503044802c8f3e1cf67eac83eafd7a9c0abd969bdc1addc7670b39c482a0cacc8a58d9eea6ba734baa8d7fcb82a6cd0bfcf346a5da0aa8
@@ -0,0 +1,128 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.mcp_router.v3;
+
+import "envoy/type/metadata/v3/metadata.proto";
+
+import "google/protobuf/duration.proto";
+
+import "xds/annotations/v3/status.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.mcp_router.v3";
+option java_outer_classname = "McpRouterProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/mcp_router/v3;mcp_routerv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+option (xds.annotations.v3.file_status).work_in_progress = true;
+
+// [#protodoc-title: MCP Multiplexer/Demultiplexer]
+// [#extension: envoy.filters.http.mcp_router]
+
+// Configuration for the MCP Multiplexer/Demultiplexer.
+//
+// This extension aggregates capabilities, tools and resources of remote MCP servers and presents Envoy
+// as a singe MCP server to the client. This allows a unified policy to be applied to multiple remote
+// servers and abstracts multiple MCP servers as a single one.
+//
+// This filter must be a terminal filter in the filter chain and replaces the HTTP router filter.
+//
+// Not all route level policies are applicable to this filter.
+// Specifically the following policies are ignored:
+// * :ref:`route `
+// * :ref:`redirect `
+// * :ref:`direct_response `
+//
+
+// Extract identity from a request header.
+message HeaderSource {
+ // Header name to extract (e.g., "x-user-identity").
+ string name = 1 [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME}];
+}
+
+// Extract identity from dynamic metadata (e.g., populated by JWT or ext_authz filter).
+message DynamicMetadataSource {
+ // The metadata key to retrieve the value from.
+ type.metadata.v3.MetadataKey key = 1 [(validate.rules).message = {required: true}];
+}
+
+// Defines how the identity (user/principal) is extracted from the request.
+// Exactly one of ``header`` or ``dynamic_metadata`` must be set.
+message IdentityExtractor {
+ // Extract identity from a request header.
+ HeaderSource header = 1;
+
+ // Extract identity from dynamic metadata.
+ DynamicMetadataSource dynamic_metadata = 2;
+}
+
+// Specifies how to handle requests where the identity is missing or mismatched.
+message ValidationPolicy {
+ enum Mode {
+ // Not specified. Defaults to DISABLED behavior.
+ MODE_UNSPECIFIED = 0;
+
+ // Bind identity on Initialize if present, but do not validate subsequent requests.
+ // If extraction fails, the session proceeds anonymously.
+ DISABLED = 1;
+
+ // Reject the request (403) if the identity cannot be extracted
+ // or if the session identity does not match the request identity.
+ ENFORCE = 2;
+ }
+
+ Mode mode = 1 [(validate.rules).enum = {defined_only: true}];
+}
+
+// Session identity configuration.
+message SessionIdentity {
+ // Defines how the identity (user/principal) is extracted from the request.
+ IdentityExtractor identity = 1 [(validate.rules).message = {required: true}];
+
+ // Specifies how to handle requests where the subject is missing or invalid.
+ // Defaults to DISABLED.
+ ValidationPolicy validation = 2;
+}
+
+message McpRouter {
+ // Specification of the MCP server.
+ message McpBackend {
+ // Unique name for this backend. Used for:
+ // - Tool name prefixing (e.g., "time__get_current_time")
+ // - Session ID composition
+ // - Logging and error messages.
+ // Default will be the cluster name if not specified.
+ string name = 1;
+
+ // Backend target specification.
+ McpCluster mcp_cluster = 2;
+ }
+
+ // Cluster-based backend configuration.
+ message McpCluster {
+ // Cluster name to route requests to.
+ string cluster = 1 [(validate.rules).string = {min_len: 1}];
+
+ // Path to use for MCP requests.
Defaults to "/mcp".
+ string path = 2;
+
+ // Request timeout.
+ // If not set, uses cluster's timeout configuration.
+ google.protobuf.Duration timeout = 3;
+
+ // Indicates that during forwarding, the host header will be swapped with
+ // this value.
+ string host_rewrite_literal = 4;
+ }
+
+ // A list of remote MCP servers. MCP router aggregates capabilities, tools and resources from remote MCP servers
+ // and presents itself as single MCP server to the client. All remote MCP servers are sent the same capabilities
+ // that the client presented to Envoy.
+ repeated McpBackend servers = 1;
+
+ // If set, extracts a request "subject" and binds it into the MCP session.
+ // If not set, sessions are created without identity binding.
+ SessionIdentity session_identity = 2;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/56d8ee2a04129ea5371264bb7dc739ee4d45d1cb87be72d92e5e54cee26576222fd08d38538b750ce610516e2abd4c2b0a98e14d55ef73cfdf0b823adc7befcb b/modules/sync/envoyproxy/envoy/cas/56d8ee2a04129ea5371264bb7dc739ee4d45d1cb87be72d92e5e54cee26576222fd08d38538b750ce610516e2abd4c2b0a98e14d55ef73cfdf0b823adc7befcb
new file mode 100644
index 00000000..0fcf36c1
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/56d8ee2a04129ea5371264bb7dc739ee4d45d1cb87be72d92e5e54cee26576222fd08d38538b750ce610516e2abd4c2b0a98e14d55ef73cfdf0b823adc7befcb
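Review bot: The comment on `IdentityExtractor` says exactly one of `header` or `dynamic_metadata` must be set, but the two fields are plain optional messages with no `oneof` and no validate rule, so a config with both or neither passes schema validation and the choice is left to filter code. Wrapping them as `oneof source { option (validate.required) = true; HeaderSource header = 1; DynamicMetadataSource dynamic_metadata = 2; }` makes the documented contract enforceable at config load. Separately, the default `ValidationPolicy` mode is `DISABLED`, under which a mismatch between the identity bound at Initialize and later requests on the same session is never rejected; the `validation` field comment should state that plainly, e.g. `// With DISABLED (the default) the bound identity is informational only; set ENFORCE to reject requests whose identity is missing or does not match the session.` The `HeaderSource` comment should also note that the named header must be set or sanitized by a trusted hop ahead of this filter, since a header the client can supply directly is not a trustworthy identity.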
@@ -0,0 +1,411 @@
+syntax = "proto3";
+
+package envoy.config.metrics.v3;
+
+import "envoy/config/core/v3/address.proto";
+import "envoy/type/matcher/v3/string.proto";
+
+import "google/protobuf/any.proto";
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.config.metrics.v3";
+option java_outer_classname = "StatsProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/metrics/v3;metricsv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Stats]
+// Statistics :ref:`architecture overview `.
+
+// Configuration for pluggable stats sinks.
+message StatsSink {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.config.metrics.v2.StatsSink";
+
+ reserved 2;
+
+ reserved "config";
+
+ // The name of the stats sink to instantiate. The name must match a supported
+ // stats sink.
+ // See the :ref:`extensions listed in typed_config below ` for the default list of available stats sink.
+ // Sinks optionally support tagged/multiple dimensional metrics.
+ string name = 1;
+
+ // Stats sink specific configuration which depends on the sink being instantiated. See
+ // :ref:`StatsdSink ` for an example.
+ // [#extension-category: envoy.stats_sinks]
+ oneof config_type {
+ google.protobuf.Any typed_config = 3;
+ }
+}
+
+// Statistics configuration such as tagging.
+message StatsConfig {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.metrics.v2.StatsConfig";
+
+ // Each stat name is independently processed through these tag specifiers. When a tag is
+ // matched, the first capture group is not immediately removed from the name, so later
+ // :ref:`TagSpecifiers ` can also match that
+ // same portion of the match.
After all tag matching is complete, a tag-extracted version of
+ // the name is produced and is used in stats sinks that represent tags, such as Prometheus.
+ repeated TagSpecifier stats_tags = 1;
+
+ // Use all default tag regexes specified in Envoy. These can be combined with
+ // custom tags specified in :ref:`stats_tags
+ // `. They will be processed before
+ // the custom tags.
+ //
+ // See :repo:`well_known_names.h ` for a list of the
+ // default tags in Envoy.
+ //
+ // If not provided, the value is assumed to be true.
+ google.protobuf.BoolValue use_all_default_tags = 2;
+
+ // Inclusion/exclusion matcher for stat name creation. If not provided, all stats are instantiated
+ // as normal. Preventing the instantiation of certain families of stats can improve memory
+ // performance for Envoys running especially large configs.
+ //
+ // .. warning::
+ // Excluding stats may affect Envoy's behavior in undocumented ways. See
+ // `issue #8771 `_ for more information.
+ // If any unexpected behavior changes are observed, please open a new issue immediately.
+ StatsMatcher stats_matcher = 3;
+
+ // Defines rules for setting the histogram buckets. Rules are evaluated in order, and the first
+ // match is applied. If no match is found (or if no rules are set), the following default buckets
+ // are used:
+ //
+ // .. code-block:: json
+ //
+ // [
+ // 0.5,
+ // 1,
+ // 5,
+ // 10,
+ // 25,
+ // 50,
+ // 100,
+ // 250,
+ // 500,
+ // 1000,
+ // 2500,
+ // 5000,
+ // 10000,
+ // 30000,
+ // 60000,
+ // 300000,
+ // 600000,
+ // 1800000,
+ // 3600000
+ // ]
+ repeated HistogramBucketSettings histogram_bucket_settings = 4;
+}
+
+// Configuration for disabling stat instantiation.
+message StatsMatcher {
+ // The instantiation of stats is unrestricted by default. If the goal is to configure Envoy to
+ // instantiate all stats, there is no need to construct a StatsMatcher.
+ //
+ // However, StatsMatcher can be used to limit the creation of families of stats in order to
+ // conserve memory. Stats can either be disabled entirely, or they can be
+ // limited by either an exclusion or an inclusion list of :ref:`StringMatcher
+ // ` protos:
+ //
+ // * If ``reject_all`` is set to ``true``, no stats will be instantiated. If ``reject_all`` is set to
+ // ``false``, all stats will be instantiated.
+ //
+ // * If an exclusion list is supplied, any stat name matching *any* of the StringMatchers in the
+ // list will not instantiate.
+ //
+ // * If an inclusion list is supplied, no stats will instantiate, except those matching *any* of
+ // the StringMatchers in the list.
+ //
+ //
+ // A StringMatcher can be used to match against an exact string, a suffix / prefix, or a regex.
+ // **NB:** For performance reasons, it is highly recommended to use a prefix- or suffix-based
+ // matcher rather than a regex-based matcher.
+ //
+ // Example 1. Excluding all stats.
+ //
+ // .. code-block:: json
+ //
+ // {
+ // "statsMatcher": {
+ // "rejectAll": "true"
+ // }
+ // }
+ //
+ // Example 2. Excluding all cluster-specific stats, but not cluster-manager stats:
+ //
+ // .. code-block:: json
+ //
+ // {
+ // "statsMatcher": {
+ // "exclusionList": {
+ // "patterns": [
+ // {
+ // "prefix": "cluster."
+ // }
+ // ]
+ // }
+ // }
+ // }
+ //
+ // Example 3. Including only manager-related stats:
+ //
+ // .. code-block:: json
+ //
+ // {
+ // "statsMatcher": {
+ // "inclusionList": {
+ // "patterns": [
+ // {
+ // "prefix": "cluster_manager."
+ // },
+ // {
+ // "prefix": "listener_manager."
+ // }
+ // ]
+ // }
+ // }
+ // }
+ //
+
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.metrics.v2.StatsMatcher";
+
+ oneof stats_matcher {
+ option (validate.required) = true;
+
+ // If ``reject_all`` is true, then all stats are disabled. If ``reject_all`` is false, then all
+ // stats are enabled.
+ bool reject_all = 1;
+
+ // Exclusive match. All stats are enabled except for those matching one of the supplied
+ // StringMatcher protos.
+ type.matcher.v3.ListStringMatcher exclusion_list = 2;
+
+ // Inclusive match. No stats are enabled except for those matching one of the supplied
+ // StringMatcher protos.
+ type.matcher.v3.ListStringMatcher inclusion_list = 3;
+ }
+}
+
+// Designates a tag name and value pair. The value may be either a fixed value
+// or a regex providing the value via capture groups. The specified tag will be
+// unconditionally set if a fixed value, otherwise it will only be set if one
+// or more capture groups in the regex match.
+message TagSpecifier {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.metrics.v2.TagSpecifier";
+
+ // Attaches an identifier to the tag values to identify the tag being in the
+ // sink. Envoy has a set of default names and regexes to extract dynamic
+ // portions of existing stats, which can be found in :repo:`well_known_names.h
+ // ` in the Envoy repository. If a :ref:`tag_name
+ // ` is provided in the config and
+ // neither :ref:`regex ` or
+ // :ref:`fixed_value ` were specified,
+ // Envoy will attempt to find that name in its set of defaults and use the accompanying regex.
+ //
+ // .. note::
+ //
+ // A stat name may be spelled in such a way that it matches two different
+ // tag extractors for the same tag name. In that case, all but one of the
+ // tag values will be dropped. It is not specified which tag value will be
+ // retained. The extraction will only occur for one of the extractors, and
+ // only the matched extraction will be removed from the tag name.
+ string tag_name = 1;
+
+ oneof tag_value {
+ // Designates a tag to strip from the tag extracted name and provide as a named
+ // tag value for all statistics. This will only occur if any part of the name
+ // matches the regex provided with one or more capture groups.
+ //
+ // The first capture group identifies the portion of the name to remove. The
+ // second capture group (which will normally be nested inside the first) will
+ // designate the value of the tag for the statistic. If no second capture
+ // group is provided, the first will also be used to set the value of the tag.
+ // All other capture groups will be ignored.
+ //
+ // Example 1. a stat name ``cluster.foo_cluster.upstream_rq_timeout`` and
+ // one tag specifier:
+ //
+ // .. code-block:: json
+ //
+ // {
+ // "tag_name": "envoy.cluster_name",
+ // "regex": "^cluster\\.((.+?)\\.)"
+ // }
+ //
+ // Note that the regex will remove ``foo_cluster.`` making the tag extracted
+ // name ``cluster.upstream_rq_timeout`` and the tag value for
+ // ``envoy.cluster_name`` will be ``foo_cluster`` (note: there will be no
+ // ``.`` character because of the second capture group).
+ //
+ // Example 2. a stat name
+ // ``http.connection_manager_1.user_agent.ios.downstream_cx_total`` and two
+ // tag specifiers:
+ //
+ // .. code-block:: json
+ //
+ // [
+ // {
+ // "tag_name": "envoy.http_user_agent",
+ // "regex": "^http(?=\\.).*?\\.user_agent\\.((.+?)\\.)\\w+?$"
+ // },
+ // {
+ // "tag_name": "envoy.http_conn_manager_prefix",
+ // "regex": "^http\\.((.*?)\\.)"
+ // }
+ // ]
+ //
+ // The two regexes of the specifiers will be processed from the elaborated
+ // stat name.
+ //
+ // The first regex will save ``ios.`` as the tag value for ``envoy.http_user_agent``. It will
+ // leave it in the name for potential matching with additional tag specifiers. After all tag
+ // specifiers are processed the tags will be removed from the name.
+ //
+ // The second regex will populate tag ``envoy.http_conn_manager_prefix`` with value
+ // ``connection_manager_1.``, based on the original stat name.
+ //
+ // As a final step, the matched tags are removed, leaving
+ // ``http.user_agent.downstream_cx_total`` as the tag extracted name.
+ string regex = 2 [(validate.rules).string = {max_bytes: 1024}];
+
+ // Specifies a fixed tag value for the ``tag_name``.
+ string fixed_value = 3;
+ }
+}
+
+// Specifies a matcher for stats and the buckets that matching stats should use.
+message HistogramBucketSettings {
+ // The stats that this rule applies to. The match is applied to the original stat name
+ // before tag-extraction, for example ``cluster.exampleclustername.upstream_cx_length_ms``.
+ type.matcher.v3.StringMatcher match = 1 [(validate.rules).message = {required: true}];
+
+ // Each value is the upper bound of a bucket. Each bucket must be greater than 0 and unique.
+ // The order of the buckets does not matter.
+ repeated double buckets = 2 [(validate.rules).repeated = {
+ unique: true
+ items {double {gt: 0.0}}
+ }];
+
+ // Initial number of bins for the ``circllhist`` thread local histogram per time series. Default value is 100.
+ google.protobuf.UInt32Value bins = 3 [(validate.rules).uint32 = {lte: 46082 gt: 0}];
+}
+
+// Stats configuration proto schema for built-in ``envoy.stat_sinks.statsd`` sink. This sink does not support
+// tagged metrics.
+// [#extension: envoy.stat_sinks.statsd]
+message StatsdSink {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.config.metrics.v2.StatsdSink";
+
+ oneof statsd_specifier {
+ option (validate.required) = true;
+
+ // The UDP address of a running `statsd `_
+ // compliant listener. If specified, statistics will be flushed to this
+ // address.
+ core.v3.Address address = 1;
+
+ // The name of a cluster that is running a TCP `statsd
+ // `_ compliant listener. If specified,
+ // Envoy will connect to this cluster to flush statistics.
+ string tcp_cluster_name = 2;
+ }
+
+ // Optional custom prefix for StatsdSink. If
+ // specified, this will override the default prefix.
+ // For example:
+ //
+ // .. code-block:: json
+ //
+ // {
+ // "prefix" : "envoy-prod"
+ // }
+ //
+ // will change emitted stats to
+ //
+ // ..
code-block:: cpp
+ //
+ // envoy-prod.test_counter:1|c
+ // envoy-prod.test_timer:5|ms
+ //
+ // Note that the default prefix, "envoy", will be used if a prefix is not
+ // specified.
+ //
+ // Stats with default prefix:
+ //
+ // .. code-block:: cpp
+ //
+ // envoy.test_counter:1|c
+ // envoy.test_timer:5|ms
+ string prefix = 3;
+}
+
+// Stats configuration proto schema for built-in ``envoy.stat_sinks.dog_statsd`` sink.
+// The sink emits stats with `DogStatsD `_
+// compatible tags. Tags are configurable via :ref:`StatsConfig
+// `.
+// [#extension: envoy.stat_sinks.dog_statsd]
+message DogStatsdSink {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.metrics.v2.DogStatsdSink";
+
+ reserved 2;
+
+ oneof dog_statsd_specifier {
+ option (validate.required) = true;
+
+ // The UDP address of a running DogStatsD compliant listener. If specified,
+ // statistics will be flushed to this address.
+ core.v3.Address address = 1;
+ }
+
+ // Optional custom metric name prefix. See :ref:`StatsdSink's prefix field
+ // ` for more details.
+ string prefix = 3;
+
+ // Optional max datagram size to use when sending UDP messages. By default Envoy
+ // will emit one metric per datagram. By specifying a max-size larger than a single
+ // metric, Envoy will emit multiple, new-line separated metrics. The max datagram
+ // size should not exceed your network's MTU.
+ //
+ // Note that this value may not be respected if smaller than a single metric.
+ google.protobuf.UInt64Value max_bytes_per_datagram = 4 [(validate.rules).uint64 = {gt: 0}];
+}
+
+// Stats configuration proto schema for built-in ``envoy.stat_sinks.hystrix`` sink.
+// The sink emits stats in `text/event-stream
+// `_
+// formatted stream for use by `Hystrix dashboard
+// `_.
+//
+// Note that only a single HystrixSink should be configured.
+//
+// Streaming is started through an admin endpoint :http:get:`/hystrix_event_stream`.
+// [#extension: envoy.stat_sinks.hystrix]
+message HystrixSink {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.metrics.v2.HystrixSink";
+
+ // The number of buckets the rolling statistical window is divided into.
+ //
+ // Each time the sink is flushed, all relevant Envoy statistics are sampled and
+ // added to the rolling window (removing the oldest samples in the window
+ // in the process). The sink then outputs the aggregate statistics across the
+ // current rolling window to the event stream(s).
+ //
+ // ``rolling_window(ms)`` = ``stats_flush_interval(ms)`` * ``num_of_buckets``
+ //
+ // More detailed explanation can be found in `Hystrix wiki
+ // `_.
+ int64 num_buckets = 1;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/5753ad827ada06f3e3f0f98a57a0b70e93a6bbdd8b8b8a969e9c34d99804516e4593ed746c4e132edc3354c404be5ccff2a2f8553dd32667d4a3d6e7db8feaf0 b/modules/sync/envoyproxy/envoy/cas/5753ad827ada06f3e3f0f98a57a0b70e93a6bbdd8b8b8a969e9c34d99804516e4593ed746c4e132edc3354c404be5ccff2a2f8553dd32667d4a3d6e7db8feaf0
new file mode 100644
index 00000000..7f70b700
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/5753ad827ada06f3e3f0f98a57a0b70e93a6bbdd8b8b8a969e9c34d99804516e4593ed746c4e132edc3354c404be5ccff2a2f8553dd32667d4a3d6e7db8feaf0
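Review bot: `HystrixSink.num_buckets` is a bare `int64` with no validate rule, while the other numeric knobs in this file (`HistogramBucketSettings.bins`, `DogStatsdSink.max_bytes_per_datagram`) carry `gt: 0` constraints, so a negative bucket count is accepted at config load even though the comment defines `rolling_window(ms) = stats_flush_interval(ms) * num_of_buckets`. Changing the field to `int64 num_buckets = 1 [(validate.rules).int64 = {gte: 0}];` rejects negatives up front; `gt: 0` would be stricter but would also reject the unset (zero) value, which presumably falls back to a built-in default, so whichever bound is chosen the comment should state what `0` means.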
@@ -0,0 +1,602 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.ext_authz.v3;
+
+import "envoy/config/common/mutation_rules/v3/mutation_rules.proto";
+import "envoy/config/core/v3/base.proto";
+import "envoy/config/core/v3/config_source.proto";
+import "envoy/config/core/v3/grpc_service.proto";
+import "envoy/config/core/v3/http_uri.proto";
+import "envoy/type/matcher/v3/metadata.proto";
+import "envoy/type/matcher/v3/string.proto";
+import "envoy/type/v3/http_status.proto";
+
+import "google/protobuf/struct.proto";
+import "google/protobuf/wrappers.proto";
+
+import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/sensitive.proto";
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.ext_authz.v3";
+option java_outer_classname = "ExtAuthzProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_authz/v3;ext_authzv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: External Authorization]
+// External Authorization :ref:`configuration overview `.
+// [#extension: envoy.filters.http.ext_authz]
+
+// [#next-free-field: 32]
+message ExtAuthz {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.http.ext_authz.v3.ExtAuthz";
+
+ reserved 4;
+
+ reserved "use_alpha";
+
+ // External authorization service configuration.
+ oneof services {
+ // gRPC service configuration (default timeout: 200ms).
+ config.core.v3.GrpcService grpc_service = 1;
+
+ // HTTP service configuration (default timeout: 200ms).
+ HttpService http_service = 3;
+ }
+
+ // API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and
+ // version of messages used on the wire.
+ config.core.v3.ApiVersion transport_api_version = 12
+ [(validate.rules).enum = {defined_only: true}];
+
+ // Changes the filter's behavior on errors:
+ //
+ // * When set to ``true``, the filter will ``accept`` the client request even if communication with
+ // the authorization service has failed, or if the authorization service has returned an HTTP 5xx
+ // error.
+ //
+ // * When set to ``false``, the filter will ``reject`` client requests and return ``Forbidden``
+ // if communication with the authorization service has failed, or if the authorization service
+ // has returned an HTTP 5xx error.
+ //
+ // Errors can always be tracked in the :ref:`stats `.
+ //
+ // Defaults to ``false``.
+ bool failure_mode_allow = 2;
+
+ // When ``failure_mode_allow`` and ``failure_mode_allow_header_add`` are both set to ``true``,
+ // ``x-envoy-auth-failure-mode-allowed: true`` will be added to request headers if the communication
+ // with the authorization service has failed, or if the authorization service has returned a
+ // HTTP 5xx error.
+ bool failure_mode_allow_header_add = 19;
+
+ // Enables the filter to buffer the client request body and send it within the authorization request.
+ // The ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization
+ // request indicating whether the body data is partial.
+ BufferSettings with_request_body = 5;
+
+ // Clears the route cache in order to allow the external authorization service to correctly affect
+ // routing decisions. The filter clears all cached routes when all of the following holds:
+ //
+ // * This field is set to ``true``.
+ // * The status returned from the authorization service is an HTTP 200 or gRPC 0.
+ // * At least one ``authorization response header`` is added to the client request, or is used to
+ // alter another client request header.
+ //
+ // Defaults to ``false``.
+ bool clear_route_cache = 6;
+
+ // Sets the HTTP status that is returned to the client when the authorization server returns an error
+ // or cannot be reached.
+ //
+ // The default status is ``HTTP 403 Forbidden``.
+ type.v3.HttpStatus status_on_error = 7;
+
+ // When set to ``true``, the filter will check the :ref:`ext_authz response
+ // ` for invalid header and
+ // query parameter mutations. If the response is invalid, the filter will send a local reply
+ // to the downstream request with status ``HTTP 500 Internal Server Error``.
+ //
+ // .. note::
+ // Both ``headers_to_remove`` and ``query_parameters_to_remove`` are validated, but invalid elements in
+ // those fields should not affect any headers and thus will not cause the filter to send a local reply.
+ //
+ // When set to ``false``, any invalid mutations will be visible to the rest of Envoy and may cause
+ // unexpected behavior.
+ //
+ // If you are using ext_authz with an untrusted ext_authz server, you should set this to ``true``.
+ //
+ // Defaults to ``false``.
+ bool validate_mutations = 24;
+
+ // Specifies a list of metadata namespaces whose values, if present, will be passed to the
+ // ext_authz service. The :ref:`filter_metadata `
+ // is passed as an opaque ``protobuf::Struct``.
+ //
+ // .. note::
+ // This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.
+ //
+ // For example, if the ``jwt_authn`` filter is used and :ref:`payload_in_metadata
+ // ` is set,
+ // then the following will pass the jwt payload to the authorization server.
+ //
+ // .. code-block:: yaml
+ //
+ // metadata_context_namespaces:
+ // - envoy.filters.http.jwt_authn
+ //
+ repeated string metadata_context_namespaces = 8;
+
+ // Specifies a list of metadata namespaces whose values, if present, will be passed to the
+ // ext_authz service. :ref:`typed_filter_metadata `
+ // is passed as a ``protobuf::Any``.
+ //
+ // ..
note::
+ // This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.
+ //
+ // This works similarly to ``metadata_context_namespaces`` but allows Envoy and the ext_authz server to share
+ // the protobuf message definition in order to perform safe parsing.
+ //
+ repeated string typed_metadata_context_namespaces = 16;
+
+ // Specifies a list of route metadata namespaces whose values, if present, will be passed to the
+ // ext_authz service at :ref:`route_metadata_context ` in
+ // :ref:`CheckRequest `.
+ // :ref:`filter_metadata ` is passed as an opaque ``protobuf::Struct``.
+ repeated string route_metadata_context_namespaces = 21;
+
+ // Specifies a list of route metadata namespaces whose values, if present, will be passed to the
+ // ext_authz service at :ref:`route_metadata_context ` in
+ // :ref:`CheckRequest `.
+ // :ref:`typed_filter_metadata ` is passed as a ``protobuf::Any``.
+ repeated string route_typed_metadata_context_namespaces = 22;
+
+ // Specifies if the filter is enabled.
+ //
+ // If :ref:`runtime_key ` is specified,
+ // Envoy will lookup the runtime key to get the percentage of requests to filter.
+ //
+ // If this field is not specified, the filter will be enabled for all requests.
+ config.core.v3.RuntimeFractionalPercent filter_enabled = 9;
+
+ // Specifies if the filter is enabled with metadata matcher.
+ // If this field is not specified, the filter will be enabled for all requests.
+ //
+ // .. note::
+ //
+ // This field is only evaluated if the filter is instantiated. If the filter is marked with
+ // ``disabled: true`` in the :ref:`HttpFilter
+ // `
+ // configuration or in per-route configuration via :ref:`ExtAuthzPerRoute
+ // `,
+ // the filter will not be instantiated and this field will have no effect.
+ //
+ // .. tip::
+ //
+ // For dynamic filter activation based on metadata (such as metadata set by a preceding
+ // filter), consider using :ref:`ExtensionWithMatcher
+ // ` instead.
This + // provides a more flexible matching framework that can evaluate conditions before filter + // instantiation. See the :ref:`ext_authz filter documentation + // ` for examples. + type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14; + + // Specifies whether to deny the requests when the filter is disabled. + // If :ref:`runtime_key ` is specified, + // Envoy will lookup the runtime key to determine whether to deny requests for filter-protected paths + // when the filter is disabled. If the filter is disabled in ``typed_per_filter_config`` for the path, + // requests will not be denied. + // + // If this field is not specified, all requests will be allowed when disabled. + // + // If a request is denied due to this setting, the response code in :ref:`status_on_error + // ` will + // be returned. + config.core.v3.RuntimeFeatureFlag deny_at_disable = 11; + + // Specifies if the peer certificate is sent to the external service. + // + // When this field is ``true``, Envoy will include the peer X.509 certificate, if available, in the + // :ref:`certificate`. + bool include_peer_certificate = 10; + + // Optional additional prefix to use when emitting statistics. This allows distinguishing + // emitted statistics between configured ``ext_authz`` filters in an HTTP filter chain. For example: + // + // .. code-block:: yaml + // + // http_filters: + // - name: envoy.filters.http.ext_authz + // typed_config: + // "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz + // stat_prefix: waf # This emits ext_authz.waf.ok, ext_authz.waf.denied, etc. + // - name: envoy.filters.http.ext_authz + // typed_config: + // "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz + // stat_prefix: blocker # This emits ext_authz.blocker.ok, ext_authz.blocker.denied, etc. + // + string stat_prefix = 13; + + // Optional labels that will be passed to :ref:`labels` in + // :ref:`destination`. 
+ // The labels will be read from :ref:`metadata` with the specified key. + string bootstrap_metadata_labels_key = 15; + + // Check request to authorization server will include the client request headers that have a correspondent match + // in the list. If this option isn't specified, then + // all client request headers are included in the check request to a gRPC authorization server, whereas no client request headers + // (besides the ones allowed by default - see note below) are included in the check request to an HTTP authorization server. + // This inconsistency between gRPC and HTTP servers is to maintain backwards compatibility with legacy behavior. + // + // .. note:: + // + // For requests to an HTTP authorization server: in addition to the user's supplied matchers, ``Host``, ``Method``, ``Path``, + // ``Content-Length``, and ``Authorization`` are **additionally included** in the list. + // + // .. note:: + // + // For requests to an HTTP authorization server: the value of ``Content-Length`` will be set to ``0`` and the request to the + // authorization server will not have a message body. However, the check request can include the buffered + // client request body (controlled by :ref:`with_request_body + // ` setting); + // consequently, the value of ``Content-Length`` in the authorization request reflects the size of its payload. + // + // .. note:: + // + // This can be overridden by the field ``disallowed_headers`` below. That is, if a header + // matches for both ``allowed_headers`` and ``disallowed_headers``, the header will NOT be sent. + type.matcher.v3.ListStringMatcher allowed_headers = 17; + + // If set, specifically disallow any header in this list to be forwarded to the external + // authentication server. This overrides the above ``allowed_headers`` if a header matches both. + type.matcher.v3.ListStringMatcher disallowed_headers = 25; + + // Specifies if the TLS session level details like SNI are sent to the external service. 
+ // + // When this field is ``true``, Envoy will include the SNI name used for TLSClientHello, if available, in the + // :ref:`tls_session`. + bool include_tls_session = 18; + + // Whether to increment cluster statistics (e.g. cluster..upstream_rq_*) on authorization failure. + // Defaults to ``true``. + google.protobuf.BoolValue charge_cluster_response_stats = 20; + + // Whether to encode the raw headers (i.e., unsanitized values and unconcatenated multi-line headers) + // in the authorization request. Works with both HTTP and gRPC clients. + // + // When this is set to ``true``, header values are not sanitized. Headers with the same key will also + // not be combined into a single, comma-separated header. + // Requests to gRPC services will populate the field + // :ref:`header_map`. + // Requests to HTTP services will be constructed with the unsanitized header values and preserved + // multi-line headers with the same key. + // + // If this field is set to ``false``, header values will be sanitized, with any non-UTF-8-compliant + // bytes replaced with ``'!'``. Headers with the same key will have their values concatenated into a + // single comma-separated header value. + // Requests to gRPC services will populate the field + // :ref:`headers`. + // Requests to HTTP services will have their header values sanitized and will not preserve + // multi-line headers with the same key. + // + // It is recommended to set this to ``true`` unless you rely on the previous behavior. + // + // It is set to ``false`` by default for backwards compatibility. + bool encode_raw_headers = 23; + + // Rules for what modifications an ext_authz server may make to the request headers before + // continuing decoding or forwarding upstream. + // + // If set, enables header mutation checking against the configured rules. Note that + // :ref:`HeaderMutationRules ` + // has defaults that change ext_authz behavior. 
Also note that if this field is set, + // ext_authz can no longer append to ``:``-prefixed headers. + // + // If unset, header mutation rule checking is completely disabled. + // + // Regardless of what is configured here, ext_authz cannot remove ``:``-prefixed headers. + // + // This field and ``validate_mutations`` have different use cases. ``validate_mutations`` enables + // correctness checks for all header and query parameter mutations (for example, invalid characters). + // This field allows the filter to reject mutations to specific headers. + config.common.mutation_rules.v3.HeaderMutationRules decoder_header_mutation_rules = 26; + + // Enable or disable ingestion of dynamic metadata from the ext_authz service. + // + // If ``false``, the filter will ignore dynamic metadata injected by the ext_authz service. If the + // ext_authz service tries injecting dynamic metadata, the filter will log, increment the + // ``ignored_dynamic_metadata`` stat, then continue handling the response. + // + // If ``true``, the filter will ingest dynamic metadata entries as normal. + // + // If unset, defaults to ``true``. + google.protobuf.BoolValue enable_dynamic_metadata_ingestion = 27; + + // Additional metadata to be added to the filter state for logging purposes. The metadata will be + // added to StreamInfo's filter state under the namespace corresponding to the ext_authz filter + // name. + google.protobuf.Struct filter_metadata = 28; + + // When set to ``true``, the filter will emit per-stream stats for access logging. The filter state + // key will be the same as the filter name. + // + // If using Envoy gRPC, emits latency, bytes sent / received, upstream info, and upstream cluster + // info. If not using Envoy gRPC, emits only latency. + // + // .. note:: + // Stats are ONLY added to filter state if a check request is actually made to an ext_authz service. 
+ // + // If this is ``false`` the filter will not emit stats, but filter_metadata will still be respected if + // it has a value. + // + // Field ``latency_us`` is exposed for CEL and logging when using gRPC or HTTP service. + // Fields ``bytesSent`` and ``bytesReceived`` are exposed for CEL and logging only when using gRPC service. + bool emit_filter_state_stats = 29; + + // Sets the maximum size (in bytes) of the response body that the filter will send downstream + // when a request is denied by the external authorization service. + // + // If the authorization server returns a response body larger than this configured limit, + // the body will be truncated to ``max_denied_response_body_bytes`` before being sent to the + // downstream client. + // + // If this field is not set or is set to 0, no truncation will occur, and the entire + // denied response body will be forwarded. + uint32 max_denied_response_body_bytes = 30; + + // When set to ``true``, the filter will enforce the response header map's count and size limits + // by sending a local reply when those limits are violated. + // + // When set to ``false``, the filter will ignore the response header map's limits and add / set + // all response headers as specified by the external authorization service. + // + // Recommendation: enable if the external authorization service is not trusted. Otherwise, leave + // it ``false``. + // + // Defaults to ``false``. + bool enforce_response_header_limits = 31; +} + +// Configuration for buffering the request data. +message BufferSettings { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.ext_authz.v2.BufferSettings"; + + // Sets the maximum size of a message body that the filter will hold in memory. Envoy will return + // ``HTTP 413`` and will *not* initiate the authorization process when the buffer reaches the size + // set in this field. + // + // .. 
note:: + // This setting will have precedence over :ref:`failure_mode_allow + // `. + uint32 max_request_bytes = 1 [(validate.rules).uint32 = {gt: 0}]; + + // When this field is ``true``, Envoy will buffer the message until ``max_request_bytes`` is reached. + // The authorization request will be dispatched and no 413 HTTP error will be returned by the + // filter. + // + // Defaults to ``false``. + bool allow_partial_message = 2; + + // If ``true``, the body sent to the external authorization service is set as raw bytes and populates + // :ref:`raw_body` + // in the HTTP request attribute context. Otherwise, :ref:`body + // ` will be populated + // with a UTF-8 string request body. + // + // This field only affects configurations using a :ref:`grpc_service + // `. In configurations that use + // an :ref:`http_service `, this + // has no effect. + // + // Defaults to ``false``. + bool pack_as_bytes = 3; +} + +// HttpService is used for raw HTTP communication between the filter and the authorization service. +// When configured, the filter will parse the client request and use these attributes to call the +// authorization server. Depending on the response, the filter may reject or accept the client +// request. +// +// .. note:: +// In any of these events, metadata can be added, removed or overridden by the filter: +// +// On authorization request, a list of allowed request headers may be supplied. See +// :ref:`allowed_headers +// ` +// for details. Additional headers metadata may be added to the authorization request. See +// :ref:`headers_to_add +// ` for +// details. +// +// On authorization response status ``HTTP 200 OK``, the filter will allow traffic to the upstream and +// additional headers metadata may be added to the original client request. See +// :ref:`allowed_upstream_headers +// ` +// for details. Additionally, the filter may add additional headers to the client's response. See +// :ref:`allowed_client_headers_on_success +// ` +// for details. 
+// +// On other authorization response statuses, the filter will not allow traffic. Additional headers +// metadata as well as body may be added to the client's response. See :ref:`allowed_client_headers +// ` +// for details. +// [#next-free-field: 10] +message HttpService { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.ext_authz.v2.HttpService"; + + reserved 3, 4, 5, 6; + + // Sets the HTTP server URI which the authorization requests must be sent to. + config.core.v3.HttpUri server_uri = 1; + + // Sets a prefix to the value of authorization request header ``Path``. + string path_prefix = 2; + + // Settings used for controlling authorization request metadata. + AuthorizationRequest authorization_request = 7; + + // Settings used for controlling authorization response metadata. + AuthorizationResponse authorization_response = 8; + + // Optional retry policy for requests to the authorization server. + // If not set, no retries will be performed. + // + // .. note:: + // When this field is set, the ``ext_authz`` filter will buffer the request body for retry purposes. + config.core.v3.RetryPolicy retry_policy = 9; +} + +message AuthorizationRequest { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.ext_authz.v2.AuthorizationRequest"; + + // Authorization request includes the client request headers that have a corresponding match + // in the list. + // This field has been deprecated in favor of :ref:`allowed_headers + // `. + // + // .. note:: + // + // In addition to the user's supplied matchers, ``Host``, ``Method``, ``Path``, + // ``Content-Length``, and ``Authorization`` are **automatically included** in the list. + // + // .. note:: + // + // By default, the ``Content-Length`` header is set to ``0`` and the request to the authorization + // service has no message body. 
However, the authorization request *may* include the buffered + // client request body (controlled by :ref:`with_request_body + // ` + // setting); hence the value of its ``Content-Length`` reflects the size of its payload. + // + type.matcher.v3.ListStringMatcher allowed_headers = 1 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Sets a list of headers that will be included in the request to the authorization service. + // + // .. note:: + // Client request headers with the same key will be overridden. + repeated config.core.v3.HeaderValue headers_to_add = 2; +} + +// [#next-free-field: 6] +message AuthorizationResponse { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.ext_authz.v2.AuthorizationResponse"; + + // When this list is set, authorization + // response headers that have a correspondent match will be added to the original client request. + // + // .. note:: + // Existing headers will be overridden. + type.matcher.v3.ListStringMatcher allowed_upstream_headers = 1; + + // When this list is set, authorization + // response headers that have a correspondent match will be added to the original client request. + // + // .. note:: + // Existing headers will be appended. + type.matcher.v3.ListStringMatcher allowed_upstream_headers_to_append = 3; + + // When this list is set, authorization + // response headers that have a correspondent match will be added to the client's response. + // When a header is included in this list, ``Path``, ``Status``, ``Content-Length``, ``WWW-Authenticate`` and + // ``Location`` are automatically added. + // + // .. note:: + // When this list is *not* set, all the authorization response headers, except + // ``Authority (Host)``, will be in the response to the client. 
+ type.matcher.v3.ListStringMatcher allowed_client_headers = 2; + + // When this list is set, authorization + // response headers that have a correspondent match will be added to the client's response when + // the authorization response itself is successful, i.e. not failed or denied. When this list is + // *not* set, no additional headers will be added to the client's response on success. + type.matcher.v3.ListStringMatcher allowed_client_headers_on_success = 4; + + // When this list is set, authorization + // response headers that have a correspondent match will be emitted as dynamic metadata to be consumed + // by the next filter. This metadata lives in a namespace specified by the canonical name of extension filter + // that requires it: + // + // - :ref:`envoy.filters.http.ext_authz ` for HTTP filter. + // - :ref:`envoy.filters.network.ext_authz ` for network filter. + type.matcher.v3.ListStringMatcher dynamic_metadata_from_headers = 5; +} + +// Extra settings on a per virtualhost/route/weighted-cluster level. +message ExtAuthzPerRoute { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.ext_authz.v2.ExtAuthzPerRoute"; + + oneof override { + option (validate.required) = true; + + // Disable the ext auth filter for this particular vhost or route. + // If disabled is specified in multiple per-filter-configs, the most specific one will be used. + // If the filter is disabled by default and this is set to ``false``, the filter will be enabled + // for this vhost or route. + bool disabled = 1; + + // Check request settings for this route. + CheckSettings check_settings = 2 [(validate.rules).message = {required: true}]; + } +} + +// Extra settings for the check request. 
+// [#next-free-field: 6] +message CheckSettings { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.ext_authz.v2.CheckSettings"; + + // Context extensions to set on the CheckRequest's + // :ref:`AttributeContext.context_extensions` + // + // You can use this to provide extra context for the external authorization server on specific + // virtual hosts/routes. For example, adding a context extension on the virtual host level can + // give the ext-authz server information on what virtual host is used without needing to parse the + // host header. If CheckSettings is specified in multiple per-filter-configs, they will be merged + // in order, and the result will be used. + // + // Merge semantics for this field are such that keys from more specific configs override. + // + // .. note:: + // These settings are only applied to a filter configured with a + // :ref:`grpc_service`. + map context_extensions = 1 [(udpa.annotations.sensitive) = true]; + + // When set to ``true``, disable the configured :ref:`with_request_body + // ` for a specific route. + // + // Only one of ``disable_request_body_buffering`` and + // :ref:`with_request_body ` + // may be specified. + bool disable_request_body_buffering = 2; + + // Enable or override request body buffering, which is configured using the + // :ref:`with_request_body ` + // option for a specific route. + // + // Only one of ``with_request_body`` and + // :ref:`disable_request_body_buffering ` + // may be specified. + BufferSettings with_request_body = 3; + + // Override the external authorization service for this route. + // This allows different routes to use different external authorization service backends + // and service types (gRPC or HTTP). If specified, this overrides the filter-level service + // configuration regardless of the original service type. + oneof service_override { + // Override with a gRPC service configuration. 
+ config.core.v3.GrpcService grpc_service = 4;
+
+ // Override with an HTTP service configuration.
+ HttpService http_service = 5;
+ }
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/59527f51b36370ee87eaa093e454df957c4f537e2201e02da2928c072be789221d7850b0773d9772b06e4e6ead2c25e8b7534c4265c5ddd7a888ccb7f0c92c16 b/modules/sync/envoyproxy/envoy/cas/59527f51b36370ee87eaa093e454df957c4f537e2201e02da2928c072be789221d7850b0773d9772b06e4e6ead2c25e8b7534c4265c5ddd7a888ccb7f0c92c16
new file mode 100644
index 00000000..054529c5
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/59527f51b36370ee87eaa093e454df957c4f537e2201e02da2928c072be789221d7850b0773d9772b06e4e6ead2c25e8b7534c4265c5ddd7a888ccb7f0c92c16
@@ -0,0 +1,106 @@ +syntax = "proto3"; + +package envoy.extensions.filters.common.set_filter_state.v3; + +import "envoy/config/core/v3/substitution_format_string.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.common.set_filter_state.v3"; +option java_outer_classname = "ValueProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/common/set_filter_state/v3;set_filter_statev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Set-Filter-State filter state value] + +// A filter state key and value pair. +// [#next-free-field: 7] +message FilterStateValue { + enum SharedWithUpstream { + // Object is not shared with the upstream internal connections. + NONE = 0; + + // Object is shared with the upstream internal connection. + ONCE = 1; + + // Object is shared with the upstream internal connection and any internal connection upstream from it. + TRANSITIVE = 2; + } + + oneof key { + option (validate.required) = true; + + // The name under which the filter state object will be stored and can be retrieved. + // + // When using :ref:`well-known filter state keys ` (e.g., + // ``envoy.network.upstream_server_name``, ``envoy.tcp_proxy.cluster``), the object key serves + // dual purpose where it identifies both where the data is stored and which factory creates the + // object. In this case, :ref:`factory_key + // ` + // is not needed. + // + // When using a custom key name which is not from the well-known list, you must also specify + // :ref:`factory_key + // ` + // to indicate which factory should create the object from your value. + // + // Example using a well-known key where ``factory_key`` is not needed: + // + // .. 
code-block:: yaml + // + // object_key: envoy.tcp_proxy.cluster + // format_string: + // text_format_source: + // inline_string: "my-cluster" + // + // Example using a custom key which requires a ``factory_key``: + // + // .. code-block:: yaml + // + // object_key: my.custom.key + // factory_key: envoy.string + // format_string: + // text_format_source: + // inline_string: "my-value" + // + string object_key = 1 [(validate.rules).string = {min_len: 1}]; + } + + // Specifies which registered factory should be used to create the filter state object from the + // provided value. This field is required when :ref:`object_key + // ` + // is a custom name not found in the :ref:`well-known filter state keys `. + // + // Each well-known key has a factory registered with the same name (e.g., the key + // ``envoy.tcp_proxy.cluster`` has a factory also named ``envoy.tcp_proxy.cluster``). For custom keys, + // use one of the following generic factories: + // + // * ``envoy.string``: Creates a generic string object. Use this for arbitrary string values that + // will be accessed via ``StringAccessor``. + // + // If not specified, defaults to the value of ``object_key``. + string factory_key = 6; + + oneof value { + option (validate.required) = true; + + // Uses the :ref:`format string ` to + // instantiate the filter state object value. + config.core.v3.SubstitutionFormatString format_string = 2; + } + + // If marked as read-only, the filter state key value is locked, and cannot + // be overridden by any filter, including this filter. + bool read_only = 3; + + // Configures the object to be shared with the upstream internal connections. See :ref:`internal upstream + // transport ` for more details on the filter state sharing with + // the internal connections. + SharedWithUpstream shared_with_upstream = 4; + + // Skip the update if the value evaluates to an empty string. + // This option can be used to supply multiple alternatives for the same filter state object key. 
+ bool skip_if_empty = 5; +} diff --git a/modules/sync/envoyproxy/envoy/cas/59d9350a541de8f92284737869e627928b411fee305ce1c0b4960a60f13f003f6dcf4463bbf658273fe8a974cb1444674c6bc399a146fc138fd5f9a4256c3d4e b/modules/sync/envoyproxy/envoy/cas/59d9350a541de8f92284737869e627928b411fee305ce1c0b4960a60f13f003f6dcf4463bbf658273fe8a974cb1444674c6bc399a146fc138fd5f9a4256c3d4e new file mode 100644 index 00000000..9b013cdb --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/59d9350a541de8f92284737869e627928b411fee305ce1c0b4960a60f13f003f6dcf4463bbf658273fe8a974cb1444674c6bc399a146fc138fd5f9a4256c3d4e 
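Review bot: `factory_key` is documented as required for custom `object_key` names, but nothing validates that, and the fallback to `object_key` means a custom key without a `factory_key` resolves to a factory name that is not registered; the comment should say what happens then (presumably the configuration is rejected at load time — confirm against the implementation). I would extend the last paragraph to `If not specified, defaults to the value of ``object_key``; if no factory is registered under the resulting name the configuration is rejected.` once that is confirmed. The same paragraph says `use one of the following generic factories` and then lists only `envoy.string`, so either name the others or say `use the generic ``envoy.string`` factory`. The `read_only` comment also leaves open whether a second `FilterStateValue` for the same key is refused at config time or only ignored at runtime, which matters when the key carries a decision later filters act on.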
@@ -0,0 +1,92 @@
+syntax = "proto3";
+
+package envoy.extensions.http.injected_credentials.oauth2.v3;
+
+import "envoy/config/core/v3/http_uri.proto";
+import "envoy/extensions/transport_sockets/tls/v3/secret.proto";
+
+import "google/protobuf/duration.proto";
+
+import "xds/annotations/v3/status.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.http.injected_credentials.oauth2.v3";
+option java_outer_classname = "Oauth2Proto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/http/injected_credentials/oauth2/v3;oauth2v3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+option (xds.annotations.v3.file_status).work_in_progress = true;
+
+// [#protodoc-title: OAuth2 Credential]
+// [#extension: envoy.http.injected_credentials.oauth2]
+
+// OAuth2 extension can be used to retrieve an OAuth2 access token from an authorization server and inject it into the
+// proxied requests.
+// Currently, only the Client Credentials Grant flow is supported.
+// The access token will be injected into the request headers using the ``Authorization`` header as a bearer token.
+// [#next-free-field: 6]
+message OAuth2 {
+ enum AuthType {
+ // The ``client_id`` and ``client_secret`` will be sent using HTTP Basic authentication scheme.
+ BASIC_AUTH = 0;
+
+ // The ``client_id`` and ``client_secret`` will be sent in the URL encoded request body.
+ // This type should only be used when Auth server does not support Basic authentication.
+ URL_ENCODED_BODY = 1;
+ }
+
+ // Credentials to authenticate client to the authorization server.
+ // Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-2.3) for details.
+ message ClientCredentials {
+ // Client ID.
+ // Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1) for details.
+ string client_id = 1 [(validate.rules).string = {min_len: 1}];
+
+ // Client secret.
+ // Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1) for details.
+ transport_sockets.tls.v3.SdsSecretConfig client_secret = 2
+ [(validate.rules).message = {required: true}];
+
+ // The method to use when sending credentials to the authorization server.
+ // Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-2.3.1) for details.
+ AuthType auth_type = 3;
+ }
+
+ // Optional additional parameters to include in the token endpoint request body.
+ // These parameters will be URL-encoded and added to the request body along with the standard OAuth2 parameters.
+ // Refer to your authorization server's documentation for supported parameters.
+ message EndpointParameter {
+ // Parameter name.
+ string name = 1 [(validate.rules).string = {min_len: 1}];
+
+ // Parameter value.
+ string value = 2;
+ }
+
+ // Endpoint on the authorization server to retrieve the access token from.
+ // Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-3.2) for details.
+ config.core.v3.HttpUri token_endpoint = 1 [(validate.rules).message = {required: true}];
+
+ // Optional list of OAuth scopes to be claimed in the authorization request.
+ // Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-4.4.2) for details.
+ repeated string scopes = 2;
+
+ oneof flow_type {
+ option (validate.required) = true;
+
+ // Client Credentials Grant.
+ // Refer to [RFC 6749: The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749#section-4.4) for details.
+ ClientCredentials client_credentials = 3;
+ }
+
+ // The interval between two successive retries to fetch token from Identity Provider. Default is 2 secs.
+ // The interval must be at least 1 second.
+ google.protobuf.Duration token_fetch_retry_interval = 4
+ [(validate.rules).duration = {gte {seconds: 1}}];
+
+ // Optional list of additional parameters to send to the token endpoint.
+ // These parameters will be URL-encoded and included in the token request body.
+ repeated EndpointParameter endpoint_params = 5;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/5c82678245095a18a9122648576780eb70221f36a71127ab80f6edd19b9c2316831b39b49848b5df74c31c208e4e16220772d4b0d8d47616ec718ed88f7edcab b/modules/sync/envoyproxy/envoy/cas/5c82678245095a18a9122648576780eb70221f36a71127ab80f6edd19b9c2316831b39b49848b5df74c31c208e4e16220772d4b0d8d47616ec718ed88f7edcab
new file mode 100644
index 00000000..9756ff5a
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/5c82678245095a18a9122648576780eb70221f36a71127ab80f6edd19b9c2316831b39b49848b5df74c31c208e4e16220772d4b0d8d47616ec718ed88f7edcab
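Review bot: `endpoint_params` accepts any name, but the comment does not say what happens when a name collides with a parameter the extension itself emits (`grant_type`, `scope`, and under `URL_ENCODED_BODY` also `client_id`/`client_secret`): whether such an entry is rejected, or which value wins on the wire. That should be spelled out in the `EndpointParameter` comment, e.g. `// Names that collide with the standard parameters (``grant_type``, ``scope``, ``client_id``, ``client_secret``) are rejected.` if that is the behaviour, or the opposite if it is not. Because `value` may carry material such as a `client_assertion`, consider marking it `[(udpa.annotations.sensitive) = true]` as `CheckSettings.context_extensions` does elsewhere in this patch (this file would then need `import "udpa/annotations/sensitive.proto";`). Finally, both auth types transmit the client secret to `token_endpoint`, so the comment on that field should say the referenced cluster is expected to use a TLS transport socket, since nothing in this message enforces it.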
@@ -0,0 +1,35 @@
+syntax = "proto3";
+
+package envoy.extensions.transport_sockets.quic.v3;
+
+import "envoy/extensions/transport_sockets/tls/v3/tls.proto";
+
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.quic.v3";
+option java_outer_classname = "QuicTransportProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/quic/v3;quicv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: quic transport]
+// [#extension: envoy.transport_sockets.quic]
+// The QUIC configurations below provide the transport socket configuration for downstream/upstream QUIC.
+
+// Configuration for Downstream QUIC transport socket. This provides Google's implementation of Google QUIC and IETF QUIC to Envoy.
+message QuicDownstreamTransport {
+ tls.v3.DownstreamTlsContext downstream_tls_context = 1
+ [(validate.rules).message = {required: true}];
+
+ // If false, QUIC will tell TLS to reject any early data and to stop issuing 0-RTT credentials with resumption session tickets. This will prevent clients from sending 0-RTT requests.
+ // Default to true.
+ google.protobuf.BoolValue enable_early_data = 2;
+}
+
+// Configuration for Upstream QUIC transport socket. This provides Google's implementation of Google QUIC and IETF QUIC to Envoy.
+message QuicUpstreamTransport {
+ tls.v3.UpstreamTlsContext upstream_tls_context = 1 [(validate.rules).message = {required: true}];
+}
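Review bot: The `enable_early_data` comment explains the mechanism but not the property that makes a default of ``true`` worth a warning: 0-RTT data is replayable by an on-path attacker, so a request accepted as early data may be executed at the upstream more than once. I would add `// 0-RTT requests can be replayed by an attacker on the path (RFC 8470); keep this enabled only if the application tolerates replay of such requests.` Whether Envoy limits early data to safe methods or signals it to the upstream with an ``Early-Data`` header is not visible here, and the comment should state what it actually does. Separately, `Default to true.` should read `Defaults to ``true``.` to match the phrasing used in the rest of this API.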
diff --git a/modules/sync/envoyproxy/envoy/cas/5d1365c2a15eac67472851d97a23e17d24470ae21d04f87d9daf23a968cf1c85e76bae0aacfbee7e22d0fc57e8d0ab2185c3c3bb797087a5755ec577410483f0 b/modules/sync/envoyproxy/envoy/cas/5d1365c2a15eac67472851d97a23e17d24470ae21d04f87d9daf23a968cf1c85e76bae0aacfbee7e22d0fc57e8d0ab2185c3c3bb797087a5755ec577410483f0 new file mode 100644 index 00000000..cdb42a43 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/5d1365c2a15eac67472851d97a23e17d24470ae21d04f87d9daf23a968cf1c85e76bae0aacfbee7e22d0fc57e8d0ab2185c3c3bb797087a5755ec577410483f0 
@@ -0,0 +1,109 @@
+syntax = "proto3";
+
+package envoy.type.tracing.v3;
+
+import "envoy/type/metadata/v3/metadata.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.type.tracing.v3";
+option java_outer_classname = "CustomTagProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/tracing/v3;tracingv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Custom Tag]
+
+// Describes custom tags for the active span.
+// [#next-free-field: 7]
+message CustomTag {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.type.tracing.v2.CustomTag";
+
+ // Literal type custom tag with static value for the tag value.
+ message Literal {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.type.tracing.v2.CustomTag.Literal";
+
+ // Static literal value to populate the tag value.
+ string value = 1 [(validate.rules).string = {min_len: 1}];
+ }
+
+ // Environment type custom tag with environment name and default value.
+ message Environment {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.type.tracing.v2.CustomTag.Environment";
+
+ // Environment variable name to obtain the value to populate the tag value.
+ string name = 1 [(validate.rules).string = {min_len: 1}];
+
+ // When the environment variable is not found,
+ // the tag value will be populated with this default value if specified,
+ // otherwise no tag will be populated.
+ string default_value = 2;
+ }
+
+ // Header type custom tag with header name and default value.
+ message Header {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.type.tracing.v2.CustomTag.Header";
+
+ // Header name to obtain the value to populate the tag value.
+ string name = 1
+ [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
+
+ // When the header does not exist,
+ // the tag value will be populated with this default value if specified,
+ // otherwise no tag will be populated.
+ string default_value = 2;
+ }
+
+ // Metadata type custom tag using
+ // :ref:`MetadataKey ` to retrieve the protobuf value
+ // from :ref:`Metadata `, and populate the tag value with
+ // `the canonical JSON `_
+ // representation of it.
+ message Metadata {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.type.tracing.v2.CustomTag.Metadata";
+
+ // Specify what kind of metadata to obtain tag value from.
+ metadata.v3.MetadataKind kind = 1;
+
+ // Metadata key to define the path to retrieve the tag value.
+ metadata.v3.MetadataKey metadata_key = 2;
+
+ // When no valid metadata is found,
+ // the tag value would be populated with this default value if specified,
+ // otherwise no tag would be populated.
+ string default_value = 3;
+ }
+
+ // Used to populate the tag name.
+ string tag = 1 [(validate.rules).string = {min_len: 1}];
+
+ // Used to specify what kind of custom tag.
+ oneof type {
+ option (validate.required) = true;
+
+ // A literal custom tag.
+ Literal literal = 2;
+
+ // An environment custom tag.
+ Environment environment = 3;
+
+ // A request header custom tag.
+ Header request_header = 4;
+
+ // A custom tag to obtain tag value from the metadata.
+ Metadata metadata = 5;
+
+ // Custom tag value.
+ //
+ // The same :ref:`format specifier ` as used for
+ // :ref:`HTTP access logging ` applies here, however
+ // unknown specifier values are replaced with the empty string instead of ``-``.
+ string value = 6;
+ }
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/5fe000c8a7be0d8c110a23b7051a145c3bbc3dfb96ebc31f92a4c897bde8e7e6d2d09da8733cc1de3ac0a20f1e3157f3fedd27164de77d1584ad6bfa551a74f4 b/modules/sync/envoyproxy/envoy/cas/5fe000c8a7be0d8c110a23b7051a145c3bbc3dfb96ebc31f92a4c897bde8e7e6d2d09da8733cc1de3ac0a20f1e3157f3fedd27164de77d1584ad6bfa551a74f4
new file mode 100644
index 00000000..621a0ffc
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/5fe000c8a7be0d8c110a23b7051a145c3bbc3dfb96ebc31f92a4c897bde8e7e6d2d09da8733cc1de3ac0a20f1e3157f3fedd27164de77d1584ad6bfa551a74f4
@@ -0,0 +1,126 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.udp.dns_filter.v3;
+
+import "envoy/config/accesslog/v3/accesslog.proto";
+import "envoy/config/core/v3/address.proto";
+import "envoy/config/core/v3/base.proto";
+import "envoy/config/core/v3/extension.proto";
+import "envoy/config/core/v3/resolver.proto";
+import "envoy/data/dns/v3/dns_table.proto";
+
+import "google/protobuf/duration.proto";
+
+import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.udp.dns_filter.v3";
+option java_outer_classname = "DnsFilterProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/udp/dns_filter/v3;dns_filterv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: DNS Filter]
+// DNS Filter :ref:`configuration overview `.
+// [#extension: envoy.filters.udp.dns_filter]
+
+// Configuration for the DNS filter.
+message DnsFilterConfig {
+ // This message contains the configuration for the DNS Filter operating
+ // in a server context. This message will contain the virtual hosts and
+ // associated addresses with which Envoy will respond to queries
+ message ServerContextConfig {
+ oneof config_source {
+ option (validate.required) = true;
+
+ // Load the configuration specified from the control plane
+ data.dns.v3.DnsTable inline_dns_table = 1;
+
+ // Seed the filter configuration from an external path. This source
+ // is a yaml formatted file that contains the DnsTable driving Envoy's
+ // responses to DNS queries
+ config.core.v3.DataSource external_dns_table = 2;
+ }
+ }
+
+ // This message contains the configuration for the DNS Filter operating
+ // in a client context.
This message will contain the timeouts, retry, + // and forwarding configuration for Envoy to make DNS requests to other + // resolvers + // + // [#next-free-field: 6] + message ClientContextConfig { + // Sets the maximum time we will wait for the upstream query to complete + // We allow 5s for the upstream resolution to complete, so the minimum + // value here is 1. Note that the total latency for a failed query is the + // number of retries multiplied by the resolver_timeout. + google.protobuf.Duration resolver_timeout = 1 [(validate.rules).duration = {gte {seconds: 1}}]; + + // This field was used for `dns_resolution_config` in Envoy 1.19.0 and + // 1.19.1. + // Control planes that need to set this field for Envoy 1.19.0 and + // 1.19.1 clients should fork the protobufs and change the field type + // to `DnsResolutionConfig`. + // Control planes that need to simultaneously support Envoy 1.18.x and + // Envoy 1.19.x should avoid Envoy 1.19.0 and 1.19.1. + // + // [#not-implemented-hide:] + repeated config.core.v3.Address upstream_resolvers = 2 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // DNS resolution configuration which includes the underlying dns resolver addresses and options. + // This field is deprecated in favor of + // :ref:`typed_dns_resolver_config `. + config.core.v3.DnsResolutionConfig dns_resolution_config = 5 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // DNS resolver type configuration extension. This extension can be used to configure c-ares, apple, + // or any other DNS resolver types and the related parameters. + // For example, an object of + // :ref:`CaresDnsResolverConfig ` + // can be packed into this ``typed_dns_resolver_config``. This configuration replaces the + // :ref:`dns_resolution_config ` + // configuration. 
+ // During the transition period when both ``dns_resolution_config`` and ``typed_dns_resolver_config`` exists,
+ // when ``typed_dns_resolver_config`` is in place, Envoy will use it and ignore ``dns_resolution_config``.
+ // When ``typed_dns_resolver_config`` is missing, the default behavior is in place.
+ // [#extension-category: envoy.network.dns_resolver]
+ config.core.v3.TypedExtensionConfig typed_dns_resolver_config = 4;
+
+ // Controls how many outstanding external lookup contexts the filter tracks.
+ // The context structure allows the filter to respond to every query even if the external
+ // resolution times out or is otherwise unsuccessful
+ uint64 max_pending_lookups = 3 [(validate.rules).uint64 = {gte: 1}];
+ }
+
+ // The stat prefix used when emitting DNS filter statistics
+ string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
+
+ // Server context configuration contains the data that the filter uses to respond
+ // to DNS requests.
+ ServerContextConfig server_config = 2;
+
+ // Client context configuration controls Envoy's behavior when it must use external
+ // resolvers to answer a query. This object is optional and if omitted instructs
+ // the filter to resolve queries from the data in the server_config.
+ // Also, if ``client_config`` is omitted, here is the Envoy's behavior to create DNS resolver:
+ //
+ // 1. If :ref:`typed_dns_resolver_config `
+ // is not empty, uses it.
+ //
+ // 2. Otherwise, uses the default c-ares DNS resolver.
+ //
+ ClientContextConfig client_config = 3;
+
+ // Configuration for :ref:`access logs `
+ // emitted by the DNS filter for each DNS query received.
+ // Supports custom format commands for DNS-specific attributes:
+ // - ``QUERY_NAME``: The DNS query name being resolved
+ // - ``QUERY_TYPE``: The DNS query type (A, AAAA, SRV, etc.)
+ // - ``QUERY_CLASS``: The DNS query class
+ // - ``ANSWER_COUNT``: Number of answers in the response
+ // - ``RESPONSE_CODE``: DNS response code
+ // - ``PARSE_STATUS``: Whether the query was successfully parsed
+ repeated config.accesslog.v3.AccessLog access_log = 4;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/619a9180e9bacad6103038fc2244b8239b0d849569f64f226ba8bf506a296f923e2eaf23e2aaa884d68b3d2e4de525d3324ced0436a98f5697ace6c8c77c640b b/modules/sync/envoyproxy/envoy/cas/619a9180e9bacad6103038fc2244b8239b0d849569f64f226ba8bf506a296f923e2eaf23e2aaa884d68b3d2e4de525d3324ced0436a98f5697ace6c8c77c640b
new file mode 100644
index 00000000..d1d3b36a
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/619a9180e9bacad6103038fc2244b8239b0d849569f64f226ba8bf506a296f923e2eaf23e2aaa884d68b3d2e4de525d3324ced0436a98f5697ace6c8c77c640b
@@ -0,0 +1,39 @@
+syntax = "proto3";
+
+package envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3;
+
+import "envoy/config/core/v3/extension.proto";
+
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3";
+option java_outer_classname = "UpstreamReverseConnectionSocketInterfaceProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3;upstream_socket_interfacev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Upstream reverse connection socket interface]
+// [#extension: envoy.bootstrap.reverse_tunnel.upstream_socket_interface]
+
+// Configuration for the upstream reverse connection socket interface.
+message UpstreamReverseConnectionSocketInterface {
+ // Stat prefix for upstream reverse connection socket interface stats.
+ string stat_prefix = 1;
+
+ // Number of consecutive ping failures before an idle reverse connection socket is marked dead.
+ // Defaults to 3 if unset. Must be at least 1.
+ google.protobuf.UInt32Value ping_failure_threshold = 2 [(validate.rules).uint32 = {gte: 1}];
+
+ // Enable detailed per-node and per-cluster statistics.
+ // When enabled, emits hidden statistics for individual nodes and clusters.
+ // Defaults to false.
+ bool enable_detailed_stats = 3;
+
+ // Optional configuration for a tunnel reporting extension. When provided,
+ // the socket interface instantiates a reporter via the configured factory.
+ // If unset, no reporting is done.
+ config.core.v3.TypedExtensionConfig reporter_config = 4;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/61fa4bc0c15dd4f8db3915ce16d05d830f94e84503ecc3dbe95d45282ffbe1b37f6103c91c139b11893438f0ba0fa806b4a73deabc0e184235739b994264acb0 b/modules/sync/envoyproxy/envoy/cas/61fa4bc0c15dd4f8db3915ce16d05d830f94e84503ecc3dbe95d45282ffbe1b37f6103c91c139b11893438f0ba0fa806b4a73deabc0e184235739b994264acb0
new file mode 100644
index 00000000..07067717
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/61fa4bc0c15dd4f8db3915ce16d05d830f94e84503ecc3dbe95d45282ffbe1b37f6103c91c139b11893438f0ba0fa806b4a73deabc0e184235739b994264acb0
@@ -0,0 +1,274 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.proto_message_extraction.v3; + +import "envoy/config/core/v3/base.proto"; + +import "xds/annotations/v3/status.proto"; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.proto_message_extraction.v3"; +option java_outer_classname = "ConfigProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/proto_message_extraction/v3;proto_message_extractionv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; +option (xds.annotations.v3.file_status).work_in_progress = true; + +// [#protodoc-title: Proto Message Extraction] +// +// [#extension: envoy.filters.http.proto_message_extraction] +// +// Overview +// -------- +// +// ProtoMessageExtraction filter supports extracting gRPC +// requests/responses(proto messages) into google.protobuf.Struct and storing +// results in the dynamic metadata `envoy.filters.http.proto_message_extraction` +// for later access. +// +// Assumptions +// ----------- +// +// This filter assumes it is only applicable for gRPC with Protobuf as payload. +// +// Process Flow +// ------------ +// +// On the request path, it will check +// +// 1. if the incoming gRPC request is configured, the filter tries to: +// +// a. buffer the incoming data to complete protobuf messages +// b. extract individual protobuf messages according to directives +// c. write the result into the dynamic metadata. +// d. pass through the request data +// +// 2. otherwise, pass through the request. +// +// On the response path, it will check +// +// 1. if the incoming gRPC request is configured, the filter tries to: +// +// a. buffer the incoming data to complete protobuf messages +// b. extract individual protobuf messages according to directives +// c. write the result into the dynamic metadata. +// d. 
pass through the response data +// +// 2. otherwise, pass through the response. +// +// Config Requirements +// ------------------- + +// Here are config requirements + +// 1. the extracted target field should be among the following primitive types: +// `string`, `uint32`, `uint64`, `int32`, `int64`, `sint32`, `sint64`, +// `fixed32`, `fixed64`, `sfixed32`, `sfixed64`, `float`, `double`. + +// 2. the target field could be repeated. + +// 3. the intermediate type could also be repeated. + +// Output Format +// ------------- + +// The extracted requests and responses will be will be added in the dynamic +// ``metadata`` with the same layout of the message. + +// For the default `FIRST_AND_LAST` mode, it will be like: + +// .. code-block:: json + +// { +// "requests":{ +// "first":{ +// "foo": "val_foo1", +// } +// "last":{ +// "foo": "val_foo3", +// } +// }, +// "responses":{ +// "first":{ +// "baz": "val_baz1", +// } +// "last":{ +// "baz": "val_foo3", +// } +// } +// } + +// Example for `FIRST_AND_LAST` mode +// --------------------------------- +// +// Let's say we have the following definition for the bi-streaming request +// `pkg.svc.Method`. +// +// .. code-block:: proto +// +// message MethodRequest { +// string foo = 1; +// Nested nested = 2; +// Msg redacted = 3; +// ... +// } +// +// message MethodResponse { +// string baz = 1; +// } +// +// message Nested { +// Msg double_nested = 2; +// } +// +// message Msg { +// string bar = 1; +// string not_extracted = 2; +// } +// +// This is the filter config in JSON. +// +// .. 
code-block:: json +// +// { +// "descriptor_set":{}, +// "mode": "FIRST_AND_LAST", +// "extraction_by_method":{ +// "pkg.svc.Method":{ +// "request_extraction_by_field":{ +// "foo":"EXTRACT", +// "nested.doubled_nested.bar":"EXTRACT", +// "redacted":"EXTRACT_REDACT" +// }, +// "response_extraction_by_field":{ +// "bar":"EXTRACT", +// } +// } +// } +// } +// +// During runtime, the filter receives the following `MethodRequest` message in +// JSON. +// +// .. code-block:: json +// +// { +// "foo": "val_foo1", +// "nested": { "double_nested": {"bar": "val_bar1", "not_extracted": +// "val_not_extracted1"}, "redacted": { "bar": "val_redacted_bar1"} +// } +// { +// "foo": "val_foo2", +// "nested": { "double_nested": {"bar": "val_bar2", "not_extracted": +// "val_not_extracted2"}, "redacted": { "bar": "val_redacted_bar2"} +// } +// { +// "foo": "val_foo3", +// "nested": { "double_nested": {"bar": "val_bar3", "not_extracted": +// "val_not_extracted3"}, "redacted": { "bar": "val_redacted_bar3"} +// } +// +// the filter receives the following `MethodResponse` message in +// JSON. +// +// .. code-block:: json +// +// { +// "baz": "val_baz1", +// } +// { +// "baz": "val_baz2", +// } +// { +// "baz": "val_baz3", +// } +// +// The filter will write the following dynamic +// metadata(`envoy.filters.http.proto_message_extraction`) in JSON. +// +// .. 
code-block:: json +// +// { +// "requests":{ +// "first":{ +// "foo": "val_foo1", +// "nested": { "double_nested": {"bar": "val_bar1"}}, +// "redacted": {} +// } +// "last":{ +// "foo": "val_foo3", +// "nested": { "double_nested": {"bar": "val_bar3"}}, +// "redacted": {} +// } +// }, +// "responses":{ +// "first":{ +// "baz": "val_baz1" +// } +// "last":{ +// "baz": "val_foo3" +// } +// } +// } + +message ProtoMessageExtractionConfig { + enum ExtractMode { + ExtractMode_UNSPECIFIED = 0; + + // The filter will extract the first and the last message for + // for streaming cases, containing + // client-side streaming, server-side streaming or bi-directional streaming. + FIRST_AND_LAST = 1; + } + + // The proto descriptor set binary for the gRPC services. + oneof descriptor_set { + // It could be passed by a local file through ``Datasource.filename`` or + // embedded in the ``Datasource.inline_bytes``. + config.core.v3.DataSource data_source = 1; + + // Unimplemented, the key of proto descriptor TypedMetadata. + // Among filters depending on the proto descriptor, we can have a + // TypedMetadata for proto descriptors, so that these filters can share one + // copy of proto descriptor in memory. + string proto_descriptor_typed_metadata = 2; + } + + ExtractMode mode = 3; + + // Specify the message extraction info. + // The key is the fully qualified gRPC method name. + // ``${package}.${Service}.${Method}``, like + // ``endpoints.examples.bookstore.BookStore.GetShelf`` + // + // The value is the message extraction information for individual gRPC + // methods. + map extraction_by_method = 4; +} + +// This message can be used to support per route config approach later even +// though the Istio doesn't support that so far. +message MethodExtraction { + enum ExtractDirective { + ExtractDirective_UNSPECIFIED = 0; + + // The value of this field will be extracted. 
+ EXTRACT = 1;
+
+ // It should be only annotated on Message type fields so if the field isn't
+ // empty, an empty Struct will be extracted.
+ EXTRACT_REDACT = 2;
+
+ // Extract a repeated top-level field and record its number of entries in
+ // the extraction result. Can be applied to at most one field in the
+ // response, and cannot be applied to any fields in the request.
+ EXTRACT_REPEATED_CARDINALITY = 3;
+ }
+
+ // The mapping of field path to its ExtractDirective for request messages
+ map request_extraction_by_field = 2;
+
+ // The mapping of field path to its ExtractDirective for response messages
+ map response_extraction_by_field = 3;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/678bff6a6a4338b1448420ce629ec7d093dd5ce9c1f11ac247940ca93dbc3a91ef26fc38b8673606c8f52b74e55d5a857878ef3b46e5b3e10a75112450bfbcc3 b/modules/sync/envoyproxy/envoy/cas/678bff6a6a4338b1448420ce629ec7d093dd5ce9c1f11ac247940ca93dbc3a91ef26fc38b8673606c8f52b74e55d5a857878ef3b46e5b3e10a75112450bfbcc3
new file mode 100644
index 00000000..e6c3bfaf
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/678bff6a6a4338b1448420ce629ec7d093dd5ce9c1f11ac247940ca93dbc3a91ef26fc38b8673606c8f52b74e55d5a857878ef3b46e5b3e10a75112450bfbcc3
@@ -0,0 +1,41 @@
+syntax = "proto3";
+
+package envoy.extensions.http.injected_credentials.generic.v3;
+
+import "envoy/extensions/transport_sockets/tls/v3/secret.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.http.injected_credentials.generic.v3";
+option java_outer_classname = "GenericProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/http/injected_credentials/generic/v3;genericv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Generic Credential]
+// [#extension: envoy.http.injected_credentials.generic]
+
+// Generic extension can be used to inject HTTP Basic Auth, Bearer Token, or any arbitrary credential
+// into the proxied requests.
+// The credential will be injected into the specified HTTP request header.
+// Refer to [RFC 6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage](https://www.rfc-editor.org/rfc/rfc6750) for details.
+//
+message Generic {
+ // The SDS configuration for the credential that will be injected to the specified HTTP request header.
+ // It must be a generic secret.
+ transport_sockets.tls.v3.SdsSecretConfig credential = 1
+ [(validate.rules).message = {required: true}];
+
+ // The header that will be injected to the HTTP request with the provided credential.
+ // If not set, filter will default to: ``Authorization``
+ string header = 2
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
+ // The prefix to prepend to the credential value before injecting it into the header.
+ // This is useful for adding a scheme such as ``Bearer `` or ``Basic `` to the credential.
+ // For example, if the credential is ``xyz123`` and the prefix is ``Bearer ``, the
+ // final header value will be ``Bearer xyz123``.
+ // If not set, the raw credential value will be injected without any prefix.
+ string header_value_prefix = 3;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/689c6756c416364b43a239d885aed8e13d410aa5f2efdb60e5240f8e709925c29a1574bd32b3d5f7c4e663581ac0d69b00379cd8e2b29ed880483d0e4f2ac33c b/modules/sync/envoyproxy/envoy/cas/689c6756c416364b43a239d885aed8e13d410aa5f2efdb60e5240f8e709925c29a1574bd32b3d5f7c4e663581ac0d69b00379cd8e2b29ed880483d0e4f2ac33c
new file mode 100644
index 00000000..9b29b016
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/689c6756c416364b43a239d885aed8e13d410aa5f2efdb60e5240f8e709925c29a1574bd32b3d5f7c4e663581ac0d69b00379cd8e2b29ed880483d0e4f2ac33c
@@ -0,0 +1,85 @@
+syntax = "proto3";
+
+package envoy.extensions.stat_sinks.open_telemetry.v3;
+
+import "envoy/config/core/v3/extension.proto";
+import "envoy/config/core/v3/grpc_service.proto";
+
+import "google/protobuf/wrappers.proto";
+
+import "opentelemetry/proto/common/v1/common.proto";
+import "xds/type/matcher/v3/matcher.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.stat_sinks.open_telemetry.v3";
+option java_outer_classname = "OpenTelemetryProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/stat_sinks/open_telemetry/v3;open_telemetryv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Open Telemetry Stats Sink]
+// Stats configuration proto schema for ``envoy.stat_sinks.open_telemetry`` sink.
+// [#extension: envoy.stat_sinks.open_telemetry]
+
+// [#next-free-field: 9]
+message SinkConfig {
+ // ConversionAction is used to convert a stat to a metric. If a stat matches,
+ // the metric_name and static_metric_labels will be
+ // used to create the metric. This can be used to rename a
+ // stat, add static labels, and aggregate multiple stats into a single metric.
+ message ConversionAction {
+ // The metric name to use for the stat.
+ string metric_name = 2;
+
+ // Static metric labels to use for the metric.
+ repeated opentelemetry.proto.common.v1.KeyValue static_metric_labels = 3;
+ }
+
+ // DropAction is an action that, when matched, will prevent the stat from being converted to an OTLP metric and flushed.
+ message DropAction {
+ }
+
+ oneof protocol_specifier {
+ option (validate.required) = true;
+
+ // The upstream gRPC cluster that implements the OTLP/gRPC collector.
+ config.core.v3.GrpcService grpc_service = 1 [(validate.rules).message = {required: true}];
+ }
+
+ // Attributes to be associated with the resource in the OTLP message.
+ // [#extension-category: envoy.tracers.opentelemetry.resource_detectors]
+ repeated config.core.v3.TypedExtensionConfig resource_detectors = 7;
+
+ // If set to true, counters will be emitted as deltas, and the OTLP message will have
+ // ``AGGREGATION_TEMPORALITY_DELTA`` set as AggregationTemporality.
+ bool report_counters_as_deltas = 2;
+
+ // If set to true, histograms will be emitted as deltas, and the OTLP message will have
+ // ``AGGREGATION_TEMPORALITY_DELTA`` set as AggregationTemporality.
+ bool report_histograms_as_deltas = 3;
+
+ // If set to true, metrics will have their tags emitted as OTLP attributes, which may
+ // contain values used by the tag extractor or additional tags added during stats creation.
+ // Otherwise, no attributes will be associated with the export message. Default value is true.
+ google.protobuf.BoolValue emit_tags_as_attributes = 4;
+
+ // If set to true, metric names will be represented as the tag extracted name instead
+ // of the full metric name. Default value is true.
+ google.protobuf.BoolValue use_tag_extracted_name = 5;
+
+ // If set, emitted stats names will be prepended with a prefix, so full stat name will be
+ // .. For example, if the stat name is "foo.bar" and prefix is
+ // "pre", the full stat name will be "pre.foo.bar". If this field is not set, there is no
+ // prefix added. According to the example, the full stat name will remain "foo.bar".
+ string prefix = 6;
+
+ // The custom conversion from a stat to a metric. Currently, the only supported input is
+ // ``envoy.extensions.matching.common_inputs.stats.v3.StatFullNameMatchInput``.
+ // The supported actions are
+ // - ``envoy.extensions.stat_sinks.open_telemetry.v3.SinkConfig.DropAction``.
+ // - ``envoy.extensions.stat_sinks.open_telemetry.v3.SinkConfig.ConversionAction``.
+ // If stats are not matched, they will be directly converted to OTLP metrics as usual.
+ xds.type.matcher.v3.Matcher custom_metric_conversions = 8;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/69807b25c10955f9925955a85ee043e724befa30d498745d5610572efbce5884cbead6c5205a5f4d54b4857a25a5853cdb84983a8e40458729251d87b2f3cd34 b/modules/sync/envoyproxy/envoy/cas/69807b25c10955f9925955a85ee043e724befa30d498745d5610572efbce5884cbead6c5205a5f4d54b4857a25a5853cdb84983a8e40458729251d87b2f3cd34
new file mode 100644
index 00000000..09886bdf
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/69807b25c10955f9925955a85ee043e724befa30d498745d5610572efbce5884cbead6c5205a5f4d54b4857a25a5853cdb84983a8e40458729251d87b2f3cd34
@@ -0,0 +1,100 @@ +syntax = "proto3"; + +package envoy.extensions.load_balancing_policies.peak_ewma.v3alpha; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "xds/annotations/v3/status.proto"; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.load_balancing_policies.peak_ewma.v3alpha"; +option java_outer_classname = "PeakEwmaProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/load_balancing_policies/peak_ewma/v3alpha"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; +option (xds.annotations.v3.file_status).work_in_progress = true; + +// [#protodoc-title: Peak EWMA Load Balancer Configuration] +// Configuration for the Peak EWMA (Exponentially Weighted Moving Average) load balancing policy. +// +// This policy implements a latency-aware variant of the Power of Two Choices (P2C) algorithm. +// It selects the best host from two randomly chosen candidates based on a cost function: +// `Cost = RTT_peak_ewma * (active_requests + 1)`. +// +// The Peak EWMA algorithm is designed to: +// - Automatically route traffic away from slow or overloaded hosts +// - Adapt to changing host performance without manual configuration +// - Provide low-latency request routing with O(1) host selection complexity +// - Work effectively in heterogeneous environments with varying host capabilities +// +// RTT measurements are automatically collected from HTTP request timing and used to update +// the EWMA for each host. This provides real-time performance feedback for routing decisions. +// +// Important: This load balancer only considers latency and load when selecting hosts. It does +// not handle host health or error responses - these should be managed by Envoy's health checking +// and outlier detection systems. 
Peak EWMA operates on the pool of healthy hosts as determined +// by these other systems. +// +// [#extension: envoy.load_balancing_policies.peak_ewma] +// [#next-free-field: 6] +message PeakEwma { + option (xds.annotations.v3.message_status).work_in_progress = true; + + // The decay time for the RTT EWMA calculation. This specifies the time window over which + // latency observations are considered relevant. After this duration, older measurements + // have exponentially decayed to half their original weight. + // + // The Peak EWMA algorithm uses this to calculate the EWMA time constant (tau): + // `tau = decay_time_nanos`, and the EWMA reaches its half-life after `tau * ln(2)`. + // + // This parameter is more intuitive than a raw smoothing factor as it directly relates + // to the time duration over which you want to observe latency trends. + // + // If not specified, defaults to 10 seconds (following Finagle's default). + google.protobuf.Duration decay_time = 1; + + // The interval at which EWMA data is aggregated from worker threads to the main thread. + // This controls the frequency of cross-thread synchronization for the per-thread aggregation model. + // + // A shorter interval provides more up-to-date cross-worker information but increases + // synchronization overhead. A longer interval reduces overhead but may cause workers + // to operate with staler information about other workers' latency observations. + // + // If not specified, defaults to 100 milliseconds. + google.protobuf.Duration aggregation_interval = 2; + + // Maximum RTT samples to buffer per host per worker thread before overwriting oldest samples. + // This bounds memory usage while allowing burst traffic handling. 
+ //
+ // Buffer capacity formula: max_samples_per_host / aggregation_interval = RPS capacity per host per worker
+ // Memory formula: max_samples_per_host × num_hosts × num_workers × 16 bytes
+ // Memory usage per worker = max_samples_per_host × num_hosts × 16 bytes
+ //
+ // If not specified, defaults to 1,000 samples per host per worker.
+ google.protobuf.UInt32Value max_samples_per_host = 3;
+
+ // Default RTT value to use for hosts that don't have measured RTT yet.
+ // This provides a baseline for cost calculations until actual measurements are available.
+ //
+ // This value is critical for initial load balancing decisions when hosts first join
+ // the cluster or when RTT measurements are temporarily unavailable. It should reflect
+ // the expected baseline latency for your environment:
+ //
+ // If not specified, defaults to 10 milliseconds.
+ google.protobuf.Duration default_rtt = 4;
+
+ // Penalty cost assigned to hosts that cannot provide valid cost calculations.
+ // This is used when a host has no RTT measurements or is unhealthy, ensuring
+ // the Power of Two Choices algorithm will prefer hosts with known performance.
+ //
+ // You probably should not change this value.
+ //
+ // The penalty should be significantly higher than any realistic RTT-based cost
+ // to ensure hosts with unknown performance are strongly deprioritized while
+ // still allowing them to receive traffic if no better alternatives exist.
+ //
+ // If not specified, defaults to 1,000,000.0 (1 million).
+ google.protobuf.DoubleValue penalty_value = 5;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/6a79c855b6c0be08965931e01925e38b0dd6b550fbf8a89822f2c358fb26fbfda4c2ca08eade15ac926c325d8ccdab9604f26a6e74fcf63928b179f7a5c35443 b/modules/sync/envoyproxy/envoy/cas/6a79c855b6c0be08965931e01925e38b0dd6b550fbf8a89822f2c358fb26fbfda4c2ca08eade15ac926c325d8ccdab9604f26a6e74fcf63928b179f7a5c35443
new file mode 100644
index 00000000..c169fe28
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/6a79c855b6c0be08965931e01925e38b0dd6b550fbf8a89822f2c358fb26fbfda4c2ca08eade15ac926c325d8ccdab9604f26a6e74fcf63928b179f7a5c35443 
@@ -0,0 +1,76 @@ +syntax = "proto3"; + +package envoy.extensions.access_loggers.dynamic_modules.v3; + +import "envoy/extensions/dynamic_modules/v3/dynamic_modules.proto"; + +import "google/protobuf/any.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.access_loggers.dynamic_modules.v3"; +option java_outer_classname = "DynamicModulesProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/dynamic_modules/v3;dynamic_modulesv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Dynamic Modules Access Logger] +// [#extension: envoy.access_loggers.dynamic_modules] + +// Configuration for the Dynamic Modules Access Logger. This logger allows loading shared object +// files via ``dlopen`` to implement custom access logging behavior. +// +// A module can be loaded by multiple access loggers; the module is loaded only once and shared +// across multiple logger instances. +// +// The access logger receives completed request information including request/response headers, +// stream info (timing, upstream info, response codes), and the log context type. +message DynamicModuleAccessLog { + // Specifies the shared-object level configuration. This field is required. + envoy.extensions.dynamic_modules.v3.DynamicModuleConfig dynamic_module_config = 1 + [(validate.rules).message = {required: true}]; + + // The name for this logger configuration. If not specified, defaults to an empty string. + // + // This can be used to distinguish between different logger implementations inside a dynamic + // module. For example, a module can have completely different logger implementations (e.g., + // file logger, gRPC logger, metrics logger). 
When Envoy receives this configuration, it passes + // the ``logger_name`` to the dynamic module's access logger config init function together with + // the ``logger_config``. That way a module can decide which in-module logger implementation to + // use based on the name at load time. + string logger_name = 2; + + // The configuration for the logger chosen by ``logger_name``. If not specified, an empty + // configuration is passed to the module. + // + // This is passed to the module's access logger initialization function. Together with the + // ``logger_name``, the module can decide which in-module logger implementation to use and + // fine-tune the behavior of the logger. + // + // For example, if a module has two logger implementations, one for file output and one for + // sending to an external service, ``logger_name`` is used to choose either file or external. + // The ``logger_config`` can be used to configure file paths, service endpoints, batching + // parameters, format strings, etc. + // + // ``google.protobuf.Struct`` is serialized as JSON before passing it to the module. + // ``google.protobuf.BytesValue`` and ``google.protobuf.StringValue`` are passed directly + // without the wrapper. + // + // .. code-block:: yaml + // + // # Passing a JSON struct configuration + // logger_config: + // "@type": "type.googleapis.com/google.protobuf.Struct" + // value: + // output_path: "/var/log/envoy/access.log" + // format: "json" + // buffer_size: 1000 + // + // # Passing a simple string configuration + // logger_config: + // "@type": "type.googleapis.com/google.protobuf.StringValue" + // value: "/var/log/envoy/access.log" + // + google.protobuf.Any logger_config = 3; +} 
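Review bot: The `logger_config` comment specifies how `google.protobuf.Struct`, `BytesValue` and `StringValue` are handed to the module but says nothing about any other `@type` packed into the `Any` (rejected at configuration load, or passed through as serialized bytes), so a module author reading only this proto cannot tell which inputs to expect; the same gap exists for `extension_config` in the bootstrap dynamic modules proto later in this commit. Suggest one sentence after the wrapper paragraph, e.g. `// Any other message type is <rejected at configuration load | passed as its serialized bytes> — TODO(upstream): confirm and document.` with the placeholder resolved against the implementation. Since this file is a synced copy of the upstream Envoy proto, the wording change belongs upstream.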
diff --git a/modules/sync/envoyproxy/envoy/cas/6f83dfd604349538d13f6a172792fad7f9c9fc13a4a66134ad7b0b6a99b17be0552d9c770cacd46f2649dbc2c6808b95ae652f648e31d340279d1242ae80b895 b/modules/sync/envoyproxy/envoy/cas/6f83dfd604349538d13f6a172792fad7f9c9fc13a4a66134ad7b0b6a99b17be0552d9c770cacd46f2649dbc2c6808b95ae652f648e31d340279d1242ae80b895 new file mode 100644 index 00000000..6063d3c9 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/6f83dfd604349538d13f6a172792fad7f9c9fc13a4a66134ad7b0b6a99b17be0552d9c770cacd46f2649dbc2c6808b95ae652f648e31d340279d1242ae80b895 
@@ -0,0 +1,57 @@ +syntax = "proto3"; + +package envoy.extensions.filters.listener.postgres_inspector.v3alpha; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.listener.postgres_inspector.v3alpha"; +option java_outer_classname = "PostgresInspectorProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/listener/postgres_inspector/v3alpha"; +option (udpa.annotations.file_status).work_in_progress = true; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Postgres Inspector] +// Postgres Inspector :ref:`configuration overview `. +// [#extension: envoy.filters.listener.postgres_inspector] + +message PostgresInspector { + // Enable extraction of connection metadata (user, database, application name) from + // the startup message. This metadata is made available for access logging and stats. + // + // Defaults to ``true``. + google.protobuf.BoolValue enable_metadata_extraction = 1; + + // The maximum size of the startup message that the postgres inspector will accept. + // Messages larger than this will be rejected. If not specified, defaults to 10KB. + // + // PostgreSQL defines MAX_STARTUP_PACKET_LENGTH as 10KB. + // Valid range is 256 bytes to 10KB. + google.protobuf.UInt32Value max_startup_message_size = 2 + [(validate.rules).uint32 = {lte: 10000 gte: 256}]; + + // Timeout for the inspector to receive and process the startup message. + // The timeout starts when the connection is accepted by the listener. + // If the timeout is reached before the startup message is fully received and processed, + // the connection will be closed. + // + // If not specified, defaults to 10 seconds. Minimum is 1 second. 
+ google.protobuf.Duration startup_timeout = 3 [(validate.rules).duration = {gte {seconds: 1}}]; +} + +// StartupMetadata stores connection attributes extracted from the PostgreSQL startup message. +// This is attached as typed dynamic metadata under the key ``envoy.postgres_inspector``. +message StartupMetadata { + // The username supplied in the startup message. + string user = 1; + + // The database name supplied in the startup message. If not provided, it may default to the user name. + string database = 2; + + // The application name supplied in the startup message. + string application_name = 3; +} diff --git a/modules/sync/envoyproxy/envoy/cas/6fce554d394bed9723dc38e8dbad13f7ed0b955cff4ef9af3492024133d2241b8097a22109e5bae906b63bf468a58f7cf3b5fbad9a7ba6d9deafb339dae8d9be b/modules/sync/envoyproxy/envoy/cas/6fce554d394bed9723dc38e8dbad13f7ed0b955cff4ef9af3492024133d2241b8097a22109e5bae906b63bf468a58f7cf3b5fbad9a7ba6d9deafb339dae8d9be new file mode 100644 index 00000000..a0c406bd --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/6fce554d394bed9723dc38e8dbad13f7ed0b955cff4ef9af3492024133d2241b8097a22109e5bae906b63bf468a58f7cf3b5fbad9a7ba6d9deafb339dae8d9be 
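Review bot: `StartupMetadata` exposes `user`, `database` and `application_name` through dynamic metadata without documenting that they are copied from the client's startup message, which in the PostgreSQL protocol precedes authentication, so nothing on this page shows these values being validated before they reach access logs and stats. A one-line comment on the message would help consumers: `// Values are taken verbatim from the (unauthenticated) client startup message; treat them as untrusted input when used in logs, stats or routing decisions.` Separately, `max_startup_message_size` is documented as "10KB" while the validation bound is `lte: 10000`; writing the default and the `MAX_STARTUP_PACKET_LENGTH` reference as 10000 bytes would make the comment and the rule agree. This is a synced upstream file, so both edits belong in the Envoy source.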
@@ -0,0 +1,74 @@ +syntax = "proto3"; + +package envoy.extensions.bootstrap.dynamic_modules.v3; + +import "envoy/extensions/dynamic_modules/v3/dynamic_modules.proto"; + +import "google/protobuf/any.proto"; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.bootstrap.dynamic_modules.v3"; +option java_outer_classname = "DynamicModulesProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/bootstrap/dynamic_modules/v3;dynamic_modulesv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Dynamic Modules Bootstrap Extension] +// [#extension: envoy.bootstrap.dynamic_modules] + +// Configuration for the Dynamic Modules bootstrap extension. This extension allows loading shared +// object files that can be loaded via ``dlopen`` to extend Envoy's bootstrap behavior. +// +// A module can be loaded by multiple bootstrap extensions; the module is loaded only once and shared +// across multiple extensions. +// +// Bootstrap extensions run on the main thread and are initialized when Envoy starts. They can: +// +// * Perform initialization tasks when the server is initialized. +// * Perform per-worker thread initialization when worker threads start. +// * Access server-level resources like the cluster manager and dispatcher. +// +message DynamicModuleBootstrapExtension { + // Specifies the shared-object level configuration. + envoy.extensions.dynamic_modules.v3.DynamicModuleConfig dynamic_module_config = 1; + + // The name for this extension configuration. + // + // This can be used to distinguish between different extension implementations inside a dynamic + // module. For example, a module can have completely different extension implementations. 
When Envoy + // receives this configuration, it passes the ``extension_name`` to the dynamic module's bootstrap + // extension config init function together with the ``extension_config``. That way a module can + // decide which in-module extension implementation to use based on the name at load time. + // + // If not specified, defaults to an empty string. + string extension_name = 2; + + // The configuration for the extension chosen by ``extension_name``. + // + // This is passed to the module's bootstrap extension initialization function. Together with the + // ``extension_name``, the module can decide which in-module extension implementation to use and + // fine-tune the behavior of the extension. + // + // For example, if a module has two extension implementations, one for configuration loading and + // one for metric initialization, ``extension_name`` is used to choose the implementation. The + // ``extension_config`` can be used to configure the specific behavior of each implementation. + // + // ``google.protobuf.Struct`` is serialized as JSON before passing it to the module. + // ``google.protobuf.BytesValue`` and ``google.protobuf.StringValue`` are passed directly + // without the wrapper. + // + // .. code-block:: yaml + // + // # Passing a string value + // extension_config: + // "@type": "type.googleapis.com/google.protobuf.StringValue" + // value: hello + // + // # Passing raw bytes + // extension_config: + // "@type": "type.googleapis.com/google.protobuf.BytesValue" + // value: aGVsbG8= # echo -n "hello" | base64 + // + google.protobuf.Any extension_config = 3; +} diff --git a/modules/sync/envoyproxy/envoy/cas/7019fbab61a8adb1bb613ffc714c741a043d90d5c8fe10f77d87d9e76882e2824bbe92b137736cbf32d17d79051056a7f02e6ccf57ee5e002356c4df121ad6a2 b/modules/sync/envoyproxy/envoy/cas/7019fbab61a8adb1bb613ffc714c741a043d90d5c8fe10f77d87d9e76882e2824bbe92b137736cbf32d17d79051056a7f02e6ccf57ee5e002356c4df121ad6a2 new file mode 100644 index 00000000..dcc594fc 
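Review bot: `dynamic_module_config` is a plain field here, whereas the sibling access logger proto in this commit marks the same field `[(validate.rules).message = {required: true}]` and documents it as required; without the rule, a bootstrap extension with no module configuration passes proto validation and is only caught, if at all, at runtime. If the upstream implementation does require it, suggest adding `import "validate/validate.proto";` and changing the field to `envoy.extensions.dynamic_modules.v3.DynamicModuleConfig dynamic_module_config = 1 [(validate.rules).message = {required: true}];`, with `// This field is required.` appended to its comment. As this file is a synced copy, the change belongs upstream.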
--- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/7019fbab61a8adb1bb613ffc714c741a043d90d5c8fe10f77d87d9e76882e2824bbe92b137736cbf32d17d79051056a7f02e6ccf57ee5e002356c4df121ad6a2 
@@ -0,0 +1,100 @@ +syntax = "proto3"; + +package envoy.extensions.http.original_ip_detection.xff.v3; + +import "envoy/config/core/v3/address.proto"; + +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.http.original_ip_detection.xff.v3"; +option java_outer_classname = "XffProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/http/original_ip_detection/xff/v3;xffv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: XFF original IP detection extension] + +// This extension allows for the original downstream remote IP to be detected +// by reading the :ref:`config_http_conn_man_headers_x-forwarded-for` header. +// +// [#extension: envoy.http.original_ip_detection.xff] +message XffConfig { + // The number of additional ingress proxy hops from the right side of the + // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header to trust when + // determining the origin client's IP address. The default is zero if this option + // is not specified. See the documentation for + // :ref:`config_http_conn_man_headers_x-forwarded-for` for more information. + // + // Only one of ``xff_num_trusted_hops`` and ``xff_trusted_cidrs`` can be set. + uint32 xff_num_trusted_hops = 1; + + // The `CIDR `_ ranges to trust when + // evaluating the remote IP address to determine the original client's IP address. + // This is used instead of + // :ref:`use_remote_address `. + // When the remote IP address matches a trusted CIDR and the + // :ref:`config_http_conn_man_headers_x-forwarded-for` header was sent, each entry + // in the ``x-forwarded-for`` header is evaluated from right to left and the first + // non-trusted address is used as the original client address. If all + // addresses in ``x-forwarded-for`` are within the trusted list, the first (leftmost) + // entry is used. 
+ // + // .. warning:: + // + // Starting with Envoy v1.33.0, private IP address ranges are **not** automatically skipped + // when determining the original client address. We'll return the first address that is not + // in the ``xff_trusted_cidrs`` list, even if it is a private IP address. + // + // If you want to skip private IP addresses, explicitly add them to the ``xff_trusted_cidrs`` + // list. For example: + // + // .. code-block:: yaml + // + // xff_trusted_cidrs: + // cidrs: + // - address_prefix: "10.0.0.0" + // prefix_len: 8 + // - address_prefix: "172.16.0.0" + // prefix_len: 12 + // - address_prefix: "192.168.0.0" + // prefix_len: 16 + // - address_prefix: "127.0.0.0" + // prefix_len: 8 + // - address_prefix: "fc00::" + // prefix_len: 7 + // - address_prefix: "::1" + // prefix_len: 128 + // + // See :ref:`internal_address_config + // ` + // for more information about the v1.33.0 behavior change. + // + // This is typically used when requests are proxied by a + // `CDN `_. + // + // Only one of ``xff_num_trusted_hops`` and ``xff_trusted_cidrs`` can be set. + XffTrustedCidrs xff_trusted_cidrs = 2; + + // If set, Envoy will not append the remote address to the + // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header. + // + // .. attention:: + // + // For proper proxy behaviour it is not recommended to set this option. + // For backwards compatibility, if this option is unset it defaults to true. + // + // This only applies when :ref:`use_remote_address + // ` + // is false, otherwise :ref:`skip_xff_append + // ` + // applies. + google.protobuf.BoolValue skip_xff_append = 3; +} + +message XffTrustedCidrs { + // The list of `CIDRs `_ from which remote + // connections are considered trusted. + repeated config.core.v3.CidrRange cidrs = 1; +} 
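Review bot: The constraint "Only one of `xff_num_trusted_hops` and `xff_trusted_cidrs` can be set" is stated twice in comments but not expressed in the schema (no `oneof`, no validate rule), so a config setting both is rejected, if at all, only by the runtime factory, and the comment does not say what happens then. Also undocumented is the case where `xff_trusted_cidrs` is present but its `cidrs` list is empty — whether that trusts no proxy (so the remote address becomes the client address) or falls back to the hop-count path. Suggest one sentence under `xff_trusted_cidrs`, e.g. `// Setting both fields is <rejected at configuration load>; an empty ``cidrs`` list <trusts no proxy> — TODO(upstream): confirm.` with the placeholders resolved against the implementation. Since this is a synced upstream proto, the wording change belongs in Envoy.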
diff --git a/modules/sync/envoyproxy/envoy/cas/70cc88d4aa127a44d8c9f07ff539b0df74e22f68798bad5d4fe6c2204d9291015b7d8ba081b581e7f84d6762c72c7c9a4c4cbf948fc1a9a0a197e665a683c2bb b/modules/sync/envoyproxy/envoy/cas/70cc88d4aa127a44d8c9f07ff539b0df74e22f68798bad5d4fe6c2204d9291015b7d8ba081b581e7f84d6762c72c7c9a4c4cbf948fc1a9a0a197e665a683c2bb new file mode 100644 index 00000000..16b43568 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/70cc88d4aa127a44d8c9f07ff539b0df74e22f68798bad5d4fe6c2204d9291015b7d8ba081b581e7f84d6762c72c7c9a4c4cbf948fc1a9a0a197e665a683c2bb 
@@ -0,0 +1,353 @@ +syntax = "proto3"; + +package envoy.config.listener.v3; + +import "envoy/config/core/v3/address.proto"; +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/config_source.proto"; +import "envoy/type/v3/range.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.listener.v3"; +option java_outer_classname = "ListenerComponentsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3;listenerv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Listener components] +// Listener :ref:`configuration overview ` + +// [#next-free-field: 6] +message Filter { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.listener.Filter"; + + reserved 3, 2; + + reserved "config"; + + // The name of the filter configuration. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + oneof config_type { + // Filter specific configuration which depends on the filter being + // instantiated. See the supported filters for further documentation. + // [#extension-category: envoy.filters.network] + google.protobuf.Any typed_config = 4; + + // Configuration source specifier for an extension configuration discovery + // service. In case of a failure and without the default configuration, the + // listener closes the connections. + core.v3.ExtensionConfigSource config_discovery = 5; + } +} + +// Specifies the match criteria for selecting a specific filter chain for a +// listener. 
+// +// In order for a filter chain to be selected, *ALL* of its criteria must be +// fulfilled by the incoming connection, properties of which are set by the +// networking stack and/or listener filters. +// +// The following order applies: +// +// 1. Destination port. +// 2. Destination IP address. +// 3. Server name (e.g. SNI for TLS protocol), +// 4. Transport protocol. +// 5. Application protocols (e.g. ALPN for TLS protocol). +// 6. Directly connected source IP address (this will only be different from the source IP address +// when using a listener filter that overrides the source address, such as the :ref:`Proxy Protocol +// listener filter `). +// 7. Source type (e.g. any, local or external network). +// 8. Source IP address. +// 9. Source port. +// +// For criteria that allow ranges or wildcards, the most specific value in any +// of the configured filter chains that matches the incoming connection is going +// to be used (e.g. for SNI ``www.example.com`` the most specific match would be +// ``www.example.com``, then ``*.example.com``, then ``*.com``, then any filter +// chain without ``server_names`` requirements). +// +// A different way to reason about the filter chain matches: +// Suppose there exists N filter chains. Prune the filter chain set using the above 8 steps. +// In each step, filter chains which most specifically matches the attributes continue to the next step. +// The listener guarantees at most 1 filter chain is left after all of the steps. +// +// Example: +// +// For destination port, filter chains specifying the destination port of incoming traffic are the +// most specific match. If none of the filter chains specifies the exact destination port, the filter +// chains which do not specify ports are the most specific match. Filter chains specifying the +// wrong port can never be the most specific match. 
+// +// [#comment: Implemented rules are kept in the preference order, with deprecated fields +// listed at the end, because that's how we want to list them in the docs. +// +// [#comment:TODO(PiotrSikora): Add support for configurable precedence of the rules] +// [#next-free-field: 14] +message FilterChainMatch { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.listener.FilterChainMatch"; + + enum ConnectionSourceType { + // Any connection source matches. + ANY = 0; + + // Match a connection originating from the same host. + SAME_IP_OR_LOOPBACK = 1; + + // Match a connection originating from a different host. + EXTERNAL = 2; + } + + reserved 1; + + // Optional destination port to consider when use_original_dst is set on the + // listener in determining a filter chain match. + google.protobuf.UInt32Value destination_port = 8 [(validate.rules).uint32 = {lte: 65535 gte: 1}]; + + // If non-empty, an IP address and prefix length to match addresses when the + // listener is bound to 0.0.0.0/:: or when use_original_dst is specified. + repeated core.v3.CidrRange prefix_ranges = 3; + + // If non-empty, an IP address and suffix length to match addresses when the + // listener is bound to 0.0.0.0/:: or when use_original_dst is specified. + // [#not-implemented-hide:] + string address_suffix = 4; + + // [#not-implemented-hide:] + google.protobuf.UInt32Value suffix_len = 5; + + // The criteria is satisfied if the directly connected source IP address of the downstream + // connection is contained in at least one of the specified subnets. If the parameter is not + // specified or the list is empty, the directly connected source IP address is ignored. + repeated core.v3.CidrRange direct_source_prefix_ranges = 13; + + // Specifies the connection source IP match type. Can be any, local or external network. 
+ ConnectionSourceType source_type = 12 [(validate.rules).enum = {defined_only: true}]; + + // The criteria is satisfied if the source IP address of the downstream + // connection is contained in at least one of the specified subnets. If the + // parameter is not specified or the list is empty, the source IP address is + // ignored. + repeated core.v3.CidrRange source_prefix_ranges = 6; + + // The criteria is satisfied if the source port of the downstream connection + // is contained in at least one of the specified ports. If the parameter is + // not specified, the source port is ignored. + repeated uint32 source_ports = 7 + [(validate.rules).repeated = {items {uint32 {lte: 65535 gte: 1}}}]; + + // If non-empty, a list of server names (e.g. SNI for TLS protocol) to consider when determining + // a filter chain match. Those values will be compared against the server names of a new + // connection, when detected by one of the listener filters. + // + // The server name will be matched against all wildcard domains, i.e. ``www.example.com`` + // will be first matched against ``www.example.com``, then ``*.example.com``, then ``*.com``. + // + // Note that partial wildcards are not supported, and values like ``*w.example.com`` are invalid. + // The value ``*`` is also not supported, and ``server_names`` should be omitted instead. + // + // .. attention:: + // + // See the :ref:`FAQ entry ` on how to configure SNI for more + // information. + repeated string server_names = 11; + + // If non-empty, a transport protocol to consider when determining a filter chain match. + // This value will be compared against the transport protocol of a new connection, when + // it's detected by one of the listener filters. + // + // Suggested values include: + // + // * ``raw_buffer`` - default, used when no transport protocol is detected, + // * ``tls`` - set by :ref:`envoy.filters.listener.tls_inspector ` + // when TLS protocol is detected. 
+ string transport_protocol = 9; + + // If non-empty, a list of application protocols (e.g. ALPN for TLS protocol) to consider when + // determining a filter chain match. Those values will be compared against the application + // protocols of a new connection, when detected by one of the listener filters. + // + // Suggested values include: + // + // * ``http/1.1`` - set by :ref:`envoy.filters.listener.tls_inspector + // `, + // * ``h2`` - set by :ref:`envoy.filters.listener.tls_inspector ` + // + // .. attention:: + // + // Currently, only :ref:`TLS Inspector ` provides + // application protocol detection based on the requested + // `ALPN `_ values. + // + // However, the use of ALPN is pretty much limited to the HTTP/2 traffic on the Internet, + // and matching on values other than ``h2`` is going to lead to a lot of false negatives, + // unless all connecting clients are known to use ALPN. + repeated string application_protocols = 10; +} + +// A filter chain wraps a set of match criteria, an option TLS context, a set of filters, and +// various other parameters. +// [#next-free-field: 10] +message FilterChain { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.listener.FilterChain"; + + reserved 2, 8; + + reserved "tls_context", "on_demand_configuration"; + + // The criteria to use when matching a connection to this filter chain. + FilterChainMatch filter_chain_match = 1; + + // A list of individual network filters that make up the filter chain for + // connections established with the listener. Order matters as the filters are + // processed sequentially as connection events happen. Note: If the filter + // list is empty, the connection will close by default. + // + // For QUIC listeners, network filters other than HTTP Connection Manager (HCM) + // can be created, but due to differences in the connection implementation compared + // to TCP, the onData() method will never be called. 
Therefore, network filters + // for QUIC listeners should only expect to do work at the start of a new connection + // (i.e. in onNewConnection()). HCM must be the last (or only) filter in the chain. + repeated Filter filters = 3; + + // Whether the listener should expect a PROXY protocol V1 header on new + // connections. If this option is enabled, the listener will assume that that + // remote address of the connection is the one specified in the header. Some + // load balancers including the AWS ELB support this option. If the option is + // absent or set to false, Envoy will use the physical peer address of the + // connection as the remote address. + // + // This field is deprecated. Add a + // :ref:`PROXY protocol listener filter ` + // explicitly instead. + google.protobuf.BoolValue use_proxy_proto = 4 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Filter chain metadata. + core.v3.Metadata metadata = 5; + + // Optional custom transport socket implementation to use for downstream connections. + // To setup TLS, set a transport socket with name ``envoy.transport_sockets.tls`` and + // :ref:`DownstreamTlsContext ` in the ``typed_config``. + // If no transport socket configuration is specified, new connections + // will be set up with plaintext. + // [#extension-category: envoy.transport_sockets.downstream] + core.v3.TransportSocket transport_socket = 6; + + // If present and nonzero, the amount of time to allow incoming connections to complete any + // transport socket negotiations. If this expires before the transport reports connection + // establishment, the connection is summarily closed. + google.protobuf.Duration transport_socket_connect_timeout = 9; + + // The unique name (or empty) by which this filter chain is known. + // + // .. note:: + // :ref:`filter_chain_matcher + // ` + // requires that filter chains are uniquely named within a listener. 
+ string name = 7; +} + +// Listener filter chain match configuration. This is a recursive structure which allows complex +// nested match configurations to be built using various logical operators. +// +// Examples: +// +// * Matches if the destination port is 3306. +// +// .. code-block:: yaml +// +// destination_port_range: +// start: 3306 +// end: 3307 +// +// * Matches if the destination port is 3306 or 15000. +// +// .. code-block:: yaml +// +// or_match: +// rules: +// - destination_port_range: +// start: 3306 +// end: 3307 +// - destination_port_range: +// start: 15000 +// end: 15001 +// +// [#next-free-field: 6] +message ListenerFilterChainMatchPredicate { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.listener.ListenerFilterChainMatchPredicate"; + + // A set of match configurations used for logical operations. + message MatchSet { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.listener.ListenerFilterChainMatchPredicate.MatchSet"; + + // The list of rules that make up the set. + repeated ListenerFilterChainMatchPredicate rules = 1 + [(validate.rules).repeated = {min_items: 2}]; + } + + oneof rule { + option (validate.required) = true; + + // A set that describes a logical OR. If any member of the set matches, the match configuration + // matches. + MatchSet or_match = 1; + + // A set that describes a logical AND. If all members of the set match, the match configuration + // matches. + MatchSet and_match = 2; + + // A negation match. The match configuration will match if the negated match condition matches. + ListenerFilterChainMatchPredicate not_match = 3; + + // The match configuration will always match. + bool any_match = 4 [(validate.rules).bool = {const: true}]; + + // Match destination port. Particularly, the match evaluation must use the recovered local port if + // the owning listener filter is after :ref:`an original_dst listener filter `. 
+ type.v3.Int32Range destination_port_range = 5; + } +} + +// [#next-free-field: 6] +message ListenerFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.listener.ListenerFilter"; + + reserved 2; + + reserved "config"; + + // The name of the filter configuration. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + oneof config_type { + // Filter specific configuration which depends on the filter being + // instantiated. See the supported filters for further documentation. + // [#extension-category: envoy.filters.listener,envoy.filters.udp_listener] + google.protobuf.Any typed_config = 3; + + // Configuration source specifier for an extension configuration discovery + // service. In case of a failure and without the default configuration, the + // listener closes the connections. + core.v3.ExtensionConfigSource config_discovery = 5; + } + + // Optional match predicate used to disable the filter. The filter is enabled when this field is empty. + // See :ref:`ListenerFilterChainMatchPredicate ` + // for further examples. + ListenerFilterChainMatchPredicate filter_disabled = 4; +} diff --git a/modules/sync/envoyproxy/envoy/cas/748b4a07decc320986f74c63098d0a67eeb9f9f96c9b5f74c93aa338d40dc469bbaeaac10c43a9727ad42533dba9c73398d8db39d5218701936d632524728117 b/modules/sync/envoyproxy/envoy/cas/748b4a07decc320986f74c63098d0a67eeb9f9f96c9b5f74c93aa338d40dc469bbaeaac10c43a9727ad42533dba9c73398d8db39d5218701936d632524728117 new file mode 100644 index 00000000..099daf20 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/748b4a07decc320986f74c63098d0a67eeb9f9f96c9b5f74c93aa338d40dc469bbaeaac10c43a9727ad42533dba9c73398d8db39d5218701936d632524728117 
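Review bot: The `FilterChainMatch` comment enumerates nine ordered criteria (1. Destination port through 9. Source port) but the paragraph that follows says "Prune the filter chain set using the above 8 steps", which is off by one and will confuse readers verifying the precedence order. Change that line to `// Suppose there exists N filter chains. Prune the filter chain set using the above 9 steps.` The `[#comment: Implemented rules are kept in the preference order …` annotation above the message is also missing its closing `]`, unlike the `[#comment:TODO(PiotrSikora): …]` line right after it. Both fixes belong upstream, as this file is a synced copy.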
@@ -0,0 +1,83 @@
+syntax = "proto3";
+
+package io.istio.http.peer_metadata;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.io.istio.http.peer_metadata";
+option java_outer_classname = "PeerMetadataProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/contrib/io/istio/http/peer_metadata";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Peer metadata HTTP filter]
+//
+// Peer metadata HTTP filter for deriving and propagating peer telemetry attributes.
+// [#extension: envoy.filters.http.peer_metadata]
+
+// Peer metadata provider filter. This filter encapsulates the discovery of the
+// peer telemetry attributes for consumption by the telemetry filters.
+// [#next-free-field: 7]
+message Config {
+ // DEPRECATED.
+ // This method uses ``baggage`` header encoding.
+ message Baggage {
+ }
+
+ // This method uses the workload metadata xDS. Requires that the bootstrap extension is enabled.
+ // For downstream discovery, the remote address is the lookup key in xDS.
+ // For upstream discovery:
+ //
+ // * If the upstream host address is an IP, this IP is used as the lookup key;
+ // * If the upstream host address is internal, uses the
+ // ``filter_metadata.tunnel.destination`` dynamic metadata value as the lookup key.
+ //
+ message WorkloadDiscovery {
+ }
+
+ // This method uses Istio HTTP metadata exchange headers, e.g. ``x-envoy-peer-metadata``. Removes these headers if found.
+ message IstioHeaders {
+ // Strip ``x-envoy-peer-metadata`` and ``x-envoy-peer-metadata-id`` headers on HTTP requests to services outside the mesh.
+ // Detects upstream clusters with ``istio`` and ``external`` filter metadata fields
+ bool skip_external_clusters = 1;
+ }
+
+ // An exhaustive list of the derivation methods.
+ message DiscoveryMethod {
+ oneof method_specifier {
+ Baggage baggage = 1;
+
+ WorkloadDiscovery workload_discovery = 2;
+
+ IstioHeaders istio_headers = 3;
+ }
+ }
+
+ // An exhaustive list of the metadata propagation methods.
+ message PropagationMethod {
+ oneof method_specifier {
+ IstioHeaders istio_headers = 1;
+ }
+ }
+
+ // The order of the derivation of the downstream peer metadata, in the precedence order.
+ // First successful lookup wins.
+ repeated DiscoveryMethod downstream_discovery = 1;
+
+ // The order of the derivation of the upstream peer metadata, in the precedence order.
+ // First successful lookup wins.
+ repeated DiscoveryMethod upstream_discovery = 2;
+
+ // Downstream injection of the metadata via a response header.
+ repeated PropagationMethod downstream_propagation = 3;
+
+ // Upstream injection of the metadata via a request header.
+ repeated PropagationMethod upstream_propagation = 4;
+
+ // True to enable sharing with the upstream.
+ bool shared_with_upstream = 5;
+
+ // Additional labels to be added to the peer metadata to help your understand the traffic.
+ // e.g. ``role``, ``location`` etc.
+ repeated string additional_labels = 6;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/7612c46eac426d19af9cedcef0dfc3307ddcc0135198548676b789bb15ae69cb0bf62883344bff9c6019492dfce5c03026fff6a317db73f7ce90cb8c4987e722 b/modules/sync/envoyproxy/envoy/cas/7612c46eac426d19af9cedcef0dfc3307ddcc0135198548676b789bb15ae69cb0bf62883344bff9c6019492dfce5c03026fff6a317db73f7ce90cb8c4987e722
new file mode 100644
index 00000000..91e00c1d
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/7612c46eac426d19af9cedcef0dfc3307ddcc0135198548676b789bb15ae69cb0bf62883344bff9c6019492dfce5c03026fff6a317db73f7ce90cb8c4987e722
@@ -0,0 +1,62 @@
+syntax = "proto3";
+
+package envoy.extensions.geoip_providers.maxmind.v3;
+
+import "envoy/extensions/geoip_providers/common/v3/common.proto";
+
+import "xds/annotations/v3/status.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.geoip_providers.maxmind.v3";
+option java_outer_classname = "MaxmindProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/geoip_providers/maxmind/v3;maxmindv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+option (xds.annotations.v3.file_status).work_in_progress = true;
+
+// [#protodoc-title: MaxMind Geolocation Provider]
+// MaxMind geolocation provider :ref:`configuration overview `.
+//
+// At least one geolocation database path must be configured:
+//
+// * :ref:`city_db_path `
+// * :ref:`isp_db_path `
+// * :ref:`asn_db_path `
+// * :ref:`anon_db_path `
+// * :ref:`country_db_path `
+// [#extension: envoy.geoip_providers.maxmind]
+
+// [#next-free-field: 7]
+message MaxMindConfig {
+ // Full file path to the MaxMind city database, e.g., ``/etc/GeoLite2-City.mmdb``.
+ // Database file is expected to have ``.mmdb`` extension.
+ string city_db_path = 1 [(validate.rules).string = {pattern: "^$|^.*\\.mmdb$"}];
+
+ // Full file path to the MaxMind ASN database, e.g., ``/etc/GeoLite2-ASN.mmdb``.
+ // Database file is expected to have ``.mmdb`` extension.
+ // When this is defined, the ASN information will always be fetched from the ``asn_db``.
+ string asn_db_path = 2 [(validate.rules).string = {pattern: "^$|^.*\\.mmdb$"}];
+
+ // Full file path to the MaxMind Anonymous IP database, e.g., ``/etc/GeoIP2-Anonymous-IP.mmdb``.
+ // Database file is expected to have ``.mmdb`` extension.
+ string anon_db_path = 3 [(validate.rules).string = {pattern: "^$|^.*\\.mmdb$"}];
+
+ // Full file path to the MaxMind ISP database, e.g., ``/etc/GeoLite2-ISP.mmdb``.
+ // Database file is expected to have ``.mmdb`` extension.
+ // If ``asn_db_path`` is not defined, ASN information will be fetched from
+ // ``isp_db`` instead.
+ string isp_db_path = 5 [(validate.rules).string = {pattern: "^$|^.*\\.mmdb$"}];
+
+ // Full file path to the MaxMind Country database, e.g., ``/etc/GeoLite2-Country.mmdb``.
+ // Database file is expected to have ``.mmdb`` extension.
+ //
+ // If ``country_db_path`` is not specified, country information will be fetched from
+ // ``city_db`` if ``city_db`` is configured.
+ string country_db_path = 6 [(validate.rules).string = {pattern: "^$|^.*\\.mmdb$"}];
+
+ // Common provider configuration that specifies which geolocation headers will be populated with geolocation data.
+ common.v3.CommonGeoipProviderConfig common_provider_config = 4
+ [(validate.rules).message = {required: true}];
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/781b40a8c70122b1a22be027ac05afb870f68a0d6b90894748005adb032e91f1ef800f0d37afa73677b95e2fdf08965b8b9f08388af4a4737e18d84b0c6f3d31 b/modules/sync/envoyproxy/envoy/cas/781b40a8c70122b1a22be027ac05afb870f68a0d6b90894748005adb032e91f1ef800f0d37afa73677b95e2fdf08965b8b9f08388af4a4737e18d84b0c6f3d31
new file mode 100644
index 00000000..a65bbabc
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/781b40a8c70122b1a22be027ac05afb870f68a0d6b90894748005adb032e91f1ef800f0d37afa73677b95e2fdf08965b8b9f08388af4a4737e18d84b0c6f3d31
@@ -0,0 +1,93 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.network.rbac.v3;
+
+import "envoy/config/rbac/v3/rbac.proto";
+
+import "google/protobuf/duration.proto";
+
+import "xds/type/matcher/v3/matcher.proto";
+
+import "udpa/annotations/migrate.proto";
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.network.rbac.v3";
+option java_outer_classname = "RbacProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/rbac/v3;rbacv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: RBAC]
+// Role-Based Access Control :ref:`configuration overview `.
+// [#extension: envoy.filters.network.rbac]
+
+// RBAC network filter config.
+//
+// Header should not be used in rules/shadow_rules in RBAC network filter as
+// this information is only available in :ref:`RBAC http filter `.
+// [#next-free-field: 9]
+message RBAC {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.network.rbac.v2.RBAC";
+
+ enum EnforcementType {
+ // Apply RBAC policies when the first byte of data arrives on the connection.
+ ONE_TIME_ON_FIRST_BYTE = 0;
+
+ // Continuously apply RBAC policies as data arrives. Use this mode when
+ // using RBAC with message oriented protocols such as Mongo, MySQL, Kafka,
+ // etc. when the protocol decoders emit dynamic metadata such as the
+ // resources being accessed and the operations on the resources.
+ CONTINUOUS = 1;
+ }
+
+ // Specify the RBAC rules to be applied globally.
+ // If absent, no enforcing RBAC policy will be applied.
+ // If present and empty, DENY.
+ // If both rules and matcher are configured, rules will be ignored.
+ config.rbac.v3.RBAC rules = 1
+ [(udpa.annotations.field_migrate).oneof_promotion = "rules_specifier"];
+
+ // The match tree to use when resolving RBAC action for incoming connections. Connections do
+ // not match any matcher will be denied.
+ // If absent, no enforcing RBAC matcher will be applied.
+ // If present and empty, deny all connections.
+ xds.type.matcher.v3.Matcher matcher = 6
+ [(udpa.annotations.field_migrate).oneof_promotion = "rules_specifier"];
+
+ // Shadow rules are not enforced by the filter but will emit stats and logs
+ // and can be used for rule testing.
+ // If absent, no shadow RBAC policy will be applied.
+ // If both shadow rules and shadow matcher are configured, shadow rules will be ignored.
+ config.rbac.v3.RBAC shadow_rules = 2
+ [(udpa.annotations.field_migrate).oneof_promotion = "shadow_rules_specifier"];
+
+ // The match tree to use for emitting stats and logs which can be used for rule testing for
+ // incoming connections.
+ // If absent, no shadow matcher will be applied.
+ xds.type.matcher.v3.Matcher shadow_matcher = 7
+ [(udpa.annotations.field_migrate).oneof_promotion = "shadow_rules_specifier"];
+
+ // If specified, shadow rules will emit stats with the given prefix.
+ // This is useful to distinguish the stat when there are more than 1 RBAC filter configured with
+ // shadow rules.
+ string shadow_rules_stat_prefix = 5;
+
+ // The prefix to use when emitting statistics.
+ string stat_prefix = 3 [(validate.rules).string = {min_len: 1}];
+
+ // RBAC enforcement strategy. By default RBAC will be enforced only once
+ // when the first byte of data arrives from the downstream. When used in
+ // conjunction with filters that emit dynamic metadata after decoding
+ // every payload (e.g., Mongo, MySQL, Kafka) set the enforcement type to
+ // CONTINUOUS to enforce RBAC policies on every message boundary.
+ EnforcementType enforcement_type = 4;
+
+ // Delay the specified duration before closing the connection when the policy evaluation
+ // result is ``DENY``. If this is not present, the connection will be closed immediately.
+ // This is useful to provide a better protection for Envoy against clients that retries
+ // aggressively when the connection is rejected by the RBAC filter.
+ google.protobuf.Duration delay_deny = 8;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/7a694f7096a90eea01c8587b07066334b4fa525478303ea8a2b78d38185f17b025b1d71070421b8f9ba58f097fc78cb557caae8f16d213080496f934263a378f b/modules/sync/envoyproxy/envoy/cas/7a694f7096a90eea01c8587b07066334b4fa525478303ea8a2b78d38185f17b025b1d71070421b8f9ba58f097fc78cb557caae8f16d213080496f934263a378f
new file mode 100644
index 00000000..9a955bdd
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/7a694f7096a90eea01c8587b07066334b4fa525478303ea8a2b78d38185f17b025b1d71070421b8f9ba58f097fc78cb557caae8f16d213080496f934263a378f
@@ -0,0 +1,882 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.jwt_authn.v3;
+
+import "envoy/config/core/v3/base.proto";
+import "envoy/config/core/v3/http_uri.proto";
+import "envoy/config/route/v3/route_components.proto";
+import "envoy/type/matcher/v3/string.proto";
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/empty.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.jwt_authn.v3";
+option java_outer_classname = "ConfigProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/jwt_authn/v3;jwt_authnv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: JWT Authentication]
+// JWT Authentication :ref:`configuration overview `.
+// [#extension: envoy.filters.http.jwt_authn]
+
+// Please see following for JWT authentication flow:
+//
+// * `JSON Web Token (JWT) `_
+// * `The OAuth 2.0 Authorization Framework `_
+// * `OpenID Connect `_
+//
+// A JwtProvider message specifies how a JSON Web Token (JWT) can be verified. It specifies:
+//
+// * issuer: the principal that issues the JWT. If specified, it has to match the ``iss`` field in JWT.
+// * allowed audiences: the ones in the token have to be listed here.
+// * how to fetch public key JWKS to verify the token signature.
+// * how to extract the JWT in the request.
+// * how to pass successfully verified token payload.
+//
+// Example:
+//
+// .. code-block:: yaml
+//
+// issuer: https://example.com
+// audiences:
+// - bookstore_android.apps.googleusercontent.com
+// - bookstore_web.apps.googleusercontent.com
+// remote_jwks:
+// http_uri:
+// uri: https://example.com/.well-known/jwks.json
+// cluster: example_jwks_cluster
+// timeout: 1s
+// cache_duration:
+// seconds: 300
+//
+// [#next-free-field: 22]
+message JwtProvider {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.http.jwt_authn.v2alpha.JwtProvider";
+
+ // Alters the payload representation in the request dynamic metadata to facilitate its use in matching.
+ message NormalizePayload {
+ // Each claim in this list will be interpreted as a space-delimited string
+ // and converted to a list of strings based on the delimited values.
+ // Example: a token with a claim ``scope: "email profile"`` is translated
+ // to dynamic metadata ``scope: ["email", "profile"]`` if this field is
+ // set value ``["scope"]``. This special handling of ``scope`` is
+ // recommended by `RFC8693
+ // `_.
+ repeated string space_delimited_claims = 1;
+ }
+
+ // Specify the `principal `_ that issued
+ // the JWT, usually a URL or an email address.
+ //
+ // It is optional. If specified, it has to match the ``iss`` field in JWT,
+ // otherwise the JWT ``iss`` field is not checked.
+ //
+ // .. note::
+ // ``JwtRequirement`` :ref:`allow_missing `
+ // and :ref:`allow_missing_or_failed `
+ // are implemented differently than other ``JwtRequirements``. Hence the usage of this field
+ // is different as follows if ``allow_missing`` or ``allow_missing_or_failed`` is used:
+ //
+ // * If a JWT has ``iss`` field, it needs to be specified by this field in one of ``JwtProviders``.
+ // * If a JWT doesn't have ``iss`` field, one of ``JwtProviders`` should fill this field empty.
+ // * Multiple ``JwtProviders`` should not have same value in this field.
+ //
+ // Examples:
+ //
+ // * https://securetoken.google.com
+ // * Example: 1234567-compute@developer.gserviceaccount.com
+ //
+ string issuer = 1;
+
+ // The list of JWT `audiences `_ are
+ // allowed to access. A JWT containing any of these audiences will be accepted. If not specified,
+ // will not check audiences in the token.
+ //
+ // Example:
+ //
+ // .. code-block:: yaml
+ //
+ // audiences:
+ // - bookstore_android.apps.googleusercontent.com
+ // - bookstore_web.apps.googleusercontent.com
+ //
+ repeated string audiences = 2;
+
+ // Restrict the `subjects `_
+ // that the JwtProvider can assert. For instance, this could implement JWT-SVID
+ // `subject restrictions `_.
+ // If not specified, will not check subjects in the token.
+ //
+ // Example:
+ //
+ // .. code-block:: yaml
+ //
+ // subjects:
+ // prefix: spiffe://spiffe.example.com/
+ //
+ type.matcher.v3.StringMatcher subjects = 19;
+
+ // Requires that the credential contains an `expiration `_.
+ // For instance, this could implement JWT-SVID
+ // `expiration restrictions `_.
+ // Unlike ``max_lifetime``, this only requires that expiration is present, where ``max_lifetime`` also checks the value.
+ //
+ // Example:
+ //
+ // .. code-block:: yaml
+ //
+ // require_expiration: true
+ //
+ bool require_expiration = 20;
+
+ // Restrict the maximum remaining lifetime of a credential from the JwtProvider. Credential lifetime
+ // is the difference between the current time and the expiration of the credential. For instance,
+ // the following example will reject credentials that have a lifetime longer than 24 hours. If not set,
+ // expiration checking still occurs, but there is no limit on credential lifetime. If set, takes precedence
+ // over ``require_expiration``.
+ //
+ // Example:
+ //
+ // .. code-block:: yaml
+ //
+ // max_lifetime:
+ // seconds: 86400
+ //
+ google.protobuf.Duration max_lifetime = 21;
+
+ // `JSON Web Key Set (JWKS) `_ is needed to
+ // validate signature of a JWT. This field specifies where to fetch JWKS.
+ oneof jwks_source_specifier {
+ option (validate.required) = true;
+
+ // JWKS can be fetched from remote server via HTTP/HTTPS. This field specifies the remote HTTP
+ // URI and how the fetched JWKS should be cached.
+ //
+ // Example:
+ //
+ // .. code-block:: yaml
+ //
+ // remote_jwks:
+ // http_uri:
+ // uri: https://www.googleapis.com/oauth2/v1/certs
+ // cluster: jwt.www.googleapis.com|443
+ // timeout: 1s
+ // cache_duration:
+ // seconds: 300
+ //
+ RemoteJwks remote_jwks = 3;
+
+ // JWKS is in local data source. It could be either in a local file or embedded in the
+ // inline_string.
+ //
+ // Example: local file
+ //
+ // .. code-block:: yaml
+ //
+ // local_jwks:
+ // filename: /etc/envoy/jwks/jwks1.txt
+ //
+ // Example: inline_string
+ //
+ // .. code-block:: yaml
+ //
+ // local_jwks:
+ // inline_string: ACADADADADA
+ //
+ config.core.v3.DataSource local_jwks = 4;
+ }
+
+ // If false, the JWT is removed in the request after a success verification. If true, the JWT is
+ // not removed in the request. Default value is false.
+ // caveat: only works for from_header/from_params & has no effect for JWTs extracted through from_cookies.
+ bool forward = 5;
+
+ // Two fields below define where to extract the JWT from an HTTP request.
+ //
+ // If no explicit location is specified, the following default locations are tried in order:
+ //
+ // 1. The Authorization header using the `Bearer schema
+ // `_. Example::
+ //
+ // Authorization: Bearer .
+ //
+ // 2. `access_token `_ query parameter.
+ //
+ // Multiple JWTs can be verified for a request. Each JWT has to be extracted from the locations
+ // its provider specified or from the default locations.
+ //
+ // Specify the HTTP headers to extract the JWT. For examples, following config:
+ //
+ // .. code-block:: yaml
+ //
+ // from_headers:
+ // - name: x-goog-iap-jwt-assertion
+ //
+ // can be used to extract token from header::
+ //
+ // ``x-goog-iap-jwt-assertion: ``.
+ //
+ repeated JwtHeader from_headers = 6;
+
+ // JWT is sent in a query parameter. ``jwt_params`` represents the query parameter names.
+ //
+ // For example, if config is:
+ //
+ // .. code-block:: yaml
+ //
+ // from_params:
+ // - jwt_token
+ //
+ // The JWT format in query parameter is::
+ //
+ // /path?jwt_token=
+ //
+ repeated string from_params = 7;
+
+ // JWT is sent in a cookie. ``from_cookies`` represents the cookie names to extract from.
+ //
+ // For example, if config is:
+ //
+ // .. code-block:: yaml
+ //
+ // from_cookies:
+ // - auth-token
+ //
+ // Then JWT will be extracted from ``auth-token`` cookie in the request.
+ //
+ repeated string from_cookies = 13;
+
+ // This field specifies the header name to forward a successfully verified JWT payload to the
+ // backend. The forwarded data is::
+ //
+ // base64url_encoded(jwt_payload_in_JSON)
+ //
+ // If it is not specified, the payload will not be forwarded.
+ string forward_payload_header = 8
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];
+
+ // When :ref:`forward_payload_header `
+ // is specified, the base64 encoded payload will be added to the headers.
+ // Normally JWT based64 encode doesn't add padding. If this field is true,
+ // the header will be padded.
+ //
+ // This field is only relevant if :ref:`forward_payload_header `
+ // is specified.
+ bool pad_forward_payload_header = 11;
+
+ // If non empty, successfully verified JWT payloads will be written to StreamInfo DynamicMetadata
+ // in the format as: ``namespace`` is the jwt_authn filter name as ````envoy.filters.http.jwt_authn````
+ // The value is the ``protobuf::Struct``. The value of this field will be the key for its ``fields``
+ // and the value is the ``protobuf::Struct`` converted from JWT JSON payload.
+ //
+ // For example, if payload_in_metadata is ``my_payload``:
+ //
+ // .. code-block:: yaml
+ //
+ // envoy.filters.http.jwt_authn:
+ // my_payload:
+ // iss: https://example.com
+ // sub: test@example.com
+ // aud: https://example.com
+ // exp: 1501281058
+ //
+ string payload_in_metadata = 9;
+
+ // Normalizes the payload representation in the request metadata.
+ NormalizePayload normalize_payload_in_metadata = 18;
+
+ // If not empty, similar to :ref:`payload_in_metadata `,
+ // a successfully verified JWT header will be written to :ref:`Dynamic State `
+ // as an entry (``protobuf::Struct``) in ``envoy.filters.http.jwt_authn`` ``namespace`` with the
+ // value of this field as the key.
+ //
+ // For example, if ``header_in_metadata`` is ``my_header``:
+ //
+ // .. code-block:: yaml
+ //
+ // envoy.filters.http.jwt_authn:
+ // my_header:
+ // alg: JWT
+ // kid: EF71iSaosbC5C4tC6Syq1Gm647M
+ // alg: PS256
+ //
+ // When the metadata has ``envoy.filters.http.jwt_authn`` entry already (for example if
+ // :ref:`payload_in_metadata `
+ // is not empty), it will be inserted as a new entry in the same ``namespace`` as shown below:
+ //
+ // .. code-block:: yaml
+ //
+ // envoy.filters.http.jwt_authn:
+ // my_payload:
+ // iss: https://example.com
+ // sub: test@example.com
+ // aud: https://example.com
+ // exp: 1501281058
+ // my_header:
+ // alg: JWT
+ // kid: EF71iSaosbC5C4tC6Syq1Gm647M
+ // alg: PS256
+ //
+ // .. warning::
+ // Using the same key name for :ref:`header_in_metadata `
+ // and :ref:`payload_in_metadata `
+ // is not suggested due to potential override of existing entry, while it is not enforced during
+ // config validation.
+ //
+ string header_in_metadata = 14;
+
+ // If non empty, the failure status ``::google::jwt_verify::Status`` for a non verified JWT will be written to StreamInfo DynamicMetadata
+ // in the format as: ``namespace`` is the jwt_authn filter name as ``envoy.filters.http.jwt_authn``
+ // The value is the ``protobuf::Struct``. The values of this field will be ``code`` and ``message``
+ // and they will contain the JWT authentication failure status code and a message describing the failure.
+ //
+ // For example, if failed_status_in_metadata is ``my_auth_failure_status``:
+ //
+ // .. code-block:: yaml
+ //
+ // envoy.filters.http.jwt_authn:
+ // my_auth_failure_status:
+ // code: 3
+ // message: Jwt expired
+ string failed_status_in_metadata = 16;
+
+ // Specify the clock skew in seconds when verifying JWT time constraint,
+ // such as ``exp``, and ``nbf``. If not specified, default is 60 seconds.
+ uint32 clock_skew_seconds = 10;
+
+ // Enables JWT cache, its size is specified by ``jwt_cache_size``.
+ // Only valid JWTs are cached.
+ JwtCacheConfig jwt_cache_config = 12;
+
+ // Add JWT claim to HTTP Header
+ // Specify the claim name you want to copy in which HTTP header. For examples, following config:
+ // The claim must be of type; string, int, double, bool. Array type claims are not supported
+ //
+ // .. literalinclude:: /_configs/repo/jwt_authn.yaml
+ // :language: yaml
+ // :lines: 44-48
+ // :linenos:
+ // :lineno-start: 44
+ // :caption: :download:`jwt_authn.yaml `
+ //
+ // This header is only reserved for jwt claim; any other value will be overwritten.
+ repeated JwtClaimToHeader claim_to_headers = 15;
+
+ // Clears route cache in order to allow the JWT to correctly affect
+ // routing decisions. Filter clears all cached routes when:
+ //
+ // 1. The field is set to ``true``.
+ //
+ // 2. At least one ``claim_to_headers`` header is added to the request OR
+ // if ``payload_in_metadata`` is set.
+ //
+ bool clear_route_cache = 17;
+}
+
+// This message specifies JWT Cache configuration.
+message JwtCacheConfig {
+ // The unit is number of JWTs, default to 100.
+ uint32 jwt_cache_size = 1;
+
+ // The maximum size of a single cached token in bytes.
+ // If this field is not set or is set to 0, then the default value 4096 bytes is used.
+ // The maximum value for a token is inclusive.
+ uint32 jwt_max_token_size = 2;
+}
+
+// This message specifies how to fetch JWKS from remote and how to cache it.
+message RemoteJwks {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.http.jwt_authn.v2alpha.RemoteJwks";
+
+ // The HTTP URI to fetch the JWKS. For example:
+ //
+ // .. code-block:: yaml
+ //
+ // http_uri:
+ // uri: https://www.googleapis.com/oauth2/v1/certs
+ // cluster: jwt.www.googleapis.com|443
+ // timeout: 1s
+ //
+ config.core.v3.HttpUri http_uri = 1 [(validate.rules).message = {required: true}];
+
+ // Duration after which the cached JWKS should be expired. If not specified, default cache
+ // duration is 10 minutes.
+ google.protobuf.Duration cache_duration = 2 [(validate.rules).duration = {
+ lt {seconds: 9000000000}
+ gte {nanos: 1000000}
+ }];
+
+ // Fetch Jwks asynchronously in the main thread before the listener is activated.
+ // Fetched Jwks can be used by all worker threads.
+ //
+ // If this feature is not enabled:
+ //
+ // * The Jwks is fetched on-demand when the requests come. During the fetching, first
+ // few requests are paused until the Jwks is fetched.
+ // * Each worker thread fetches its own Jwks since Jwks cache is per worker thread.
+ //
+ // If this feature is enabled:
+ //
+ // * Fetched Jwks is done in the main thread before the listener is activated. Its fetched
+ // Jwks can be used by all worker threads. Each worker thread doesn't need to fetch its own.
+ // * Jwks is ready when the requests come, not need to wait for the Jwks fetching.
+ //
+ JwksAsyncFetch async_fetch = 3;
+
+ // Retry policy for fetching Jwks. optional. turned off by default.
+ //
+ // For example:
+ //
+ // .. code-block:: yaml
+ //
+ // retry_policy:
+ // retry_back_off:
+ // base_interval: 0.01s
+ // max_interval: 20s
+ // num_retries: 10
+ //
+ // will yield a randomized truncated exponential backoff policy with an initial delay of 10ms
+ // 10 maximum attempts spaced at most 20s seconds.
+ //
+ // .. code-block:: yaml
+ //
+ // retry_policy:
+ // num_retries:1
+ //
+ // uses the default :ref:`retry backoff strategy `.
+ // with the default base interval is 1000 milliseconds. and the default maximum interval of 10 times the base interval.
+ //
+ // if num_retries is omitted, the default is to allow only one retry.
+ //
+ //
+ // If enabled, the retry policy will apply to all Jwks fetching approaches, e.g. on demand or asynchronously in background.
+ //
+ //
+ config.core.v3.RetryPolicy retry_policy = 4;
+}
+
+// Fetch Jwks asynchronously in the main thread when the filter config is parsed.
+// The listener is activated only after the Jwks is fetched.
+// When the Jwks is expired in the cache, it is fetched again in the main thread.
+// The fetched Jwks from the main thread can be used by all worker threads.
+message JwksAsyncFetch {
+ // If false, the listener is activated after the initial fetch is completed.
+ // The initial fetch result can be either successful or failed.
+ // If true, it is activated without waiting for the initial fetch to complete.
+ // Default is false.
+ bool fast_listener = 1;
+
+ // The duration to refetch after a failed fetch. If not specified, default is 1 second.
+ google.protobuf.Duration failed_refetch_duration = 2;
+}
+
+// This message specifies a header location to extract the JWT.
+message JwtHeader {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.http.jwt_authn.v2alpha.JwtHeader";
+
+ // The HTTP header name.
+ string name = 1
+ [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
+
+ // The value prefix. The value format is "value_prefix"
+ // For example, for "Authorization: Bearer ", value_prefix="Bearer " with a space at the
+ // end.
+ string value_prefix = 2
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
+}
+
+// Specify a required provider with audiences.
+message ProviderWithAudiences {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.http.jwt_authn.v2alpha.ProviderWithAudiences";
+
+ // Specify a required provider name.
+ string provider_name = 1;
+
+ // This field overrides the one specified in the JwtProvider.
+ repeated string audiences = 2;
+}
+
+// This message specifies a Jwt requirement. An empty message means JWT verification is not
+// required. Here are some config examples:
+//
+// .. code-block:: yaml
+//
+// # Example 1: not required with an empty message
+//
+// # Example 2: require A
+// provider_name: provider-A
+//
+// # Example 3: require A or B
+// requires_any:
+// requirements:
+// - provider_name: provider-A
+// - provider_name: provider-B
+//
+// # Example 4: require A and B
+// requires_all:
+// requirements:
+// - provider_name: provider-A
+// - provider_name: provider-B
+//
+// # Example 5: require A and (B or C)
+// requires_all:
+// requirements:
+// - provider_name: provider-A
+// - requires_any:
+// requirements:
+// - provider_name: provider-B
+// - provider_name: provider-C
+//
+// # Example 6: require A or (B and C)
+// requires_any:
+// requirements:
+// - provider_name: provider-A
+// - requires_all:
+// requirements:
+// - provider_name: provider-B
+// - provider_name: provider-C
+//
+// # Example 7: A is optional (if token from A is provided, it must be valid, but also allows
+// missing token.)
+// requires_any:
+// requirements:
+// - provider_name: provider-A
+// - allow_missing: {}
+//
+// # Example 8: A is optional and B is required.
+// requires_all:
+// requirements:
+// - requires_any:
+// requirements:
+// - provider_name: provider-A
+// - allow_missing: {}
+// - provider_name: provider-B
+//
+// [#next-free-field: 8]
+message JwtRequirement {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.http.jwt_authn.v2alpha.JwtRequirement";
+
+ oneof requires_type {
+ // Specify a required provider name.
+ string provider_name = 1;
+
+ // Specify a required provider with audiences.
+ ProviderWithAudiences provider_and_audiences = 2;
+
+ // Specify list of JwtRequirement. Their results are OR-ed.
+ // If any one of them passes, the result is passed.
+ JwtRequirementOrList requires_any = 3;
+
+ // Specify list of JwtRequirement. Their results are AND-ed.
+ // All of them must pass, if one of them fails or missing, it fails.
+ JwtRequirementAndList requires_all = 4;
+
+ // The requirement is always satisfied even if JWT is missing or the JWT
+ // verification fails. A typical usage is: this filter is used to only verify
+ // JWTs and pass the verified JWT payloads to another filter, the other filter
+ // will make decision. In this mode, all JWTs will be verified.
+ google.protobuf.Empty allow_missing_or_failed = 5;
+
+ // The requirement is satisfied if JWT is missing, but failed if JWT is
+ // presented but invalid. Similar to allow_missing_or_failed, this is used
+ // to only verify JWTs and pass the verified payload to another filter. The
+ // different is this mode will reject requests with invalid tokens.
+ google.protobuf.Empty allow_missing = 6;
+
+ // Extract JWT claims without performing signature validation.
+ // This mode will decode the JWT, extract claims, and forward them as
+ // configured (via claim_to_headers, forward_payload_header, etc.) but
+ // will NOT verify the JWT signature against JWKS.
+ //
+ // .. warning::
+ //
+ // This mode does not verify JWT authenticity. Use only in scenarios where:
+ //
+ // - JWTs come from a trusted source (e.g., internal service mesh)
+ // - Signature verification is performed elsewhere in the request path
+ // - You are in a testing period and the token issuer doesn't support JWKS yet
+ //
+ // This mode will:
+ //
+ // * Decode the JWT header and payload
+ // * Extract claims and forward them as headers
+ // * Always return success (Status::Ok) regardless of JWT validity
+ // * Log when extraction occurs
+ //
+ // This mode will NOT:
+ //
+ // * Verify the JWT signature
+ // * Validate the (issuer) claim
+ // * Validate the (audience) claim
+ // * Check not-before time (nbf claim)
+ ExtractOnlyWithoutValidation extract_only_without_validation = 7;
+ }
+}
+
+message ExtractOnlyWithoutValidation {
+ // Reserved for future extensions (e.g., claim filtering, logging options)
+}
+
+// This message specifies a list of RequiredProvider.
+// Their results are OR-ed; if any one of them passes, the result is passed
+message JwtRequirementOrList {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.http.jwt_authn.v2alpha.JwtRequirementOrList";
+
+ // Specify a list of JwtRequirement.
+ repeated JwtRequirement requirements = 1 [(validate.rules).repeated = {min_items: 2}];
+}
+
+// This message specifies a list of RequiredProvider.
+// Their results are AND-ed; all of them must pass, if one of them fails or missing, it fails.
+message JwtRequirementAndList {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.http.jwt_authn.v2alpha.JwtRequirementAndList";
+
+ // Specify a list of JwtRequirement.
+ repeated JwtRequirement requirements = 1 [(validate.rules).repeated = {min_items: 2}];
+}
+
+// This message specifies a Jwt requirement for a specific Route condition.
+// Example 1:
+//
+// .. code-block:: yaml
+//
+// - match:
+// prefix: /healthz
+//
+// In above example, "requires" field is empty for /healthz prefix match,
+// it means that requests matching the path prefix don't require JWT authentication.
+//
+// Example 2:
+//
+// .. code-block:: yaml
+//
+// - match:
+// prefix: /
+// requires: { provider_name: provider-A }
+//
+// In above example, all requests matched the path prefix require jwt authentication
+// from "provider-A".
+message RequirementRule {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.http.jwt_authn.v2alpha.RequirementRule";
+
+ // The route matching parameter. Only when the match is satisfied, the "requires" field will
+ // apply.
+ //
+ // For example: following match will match all requests.
+ //
+ // .. code-block:: yaml
+ //
+ // match:
+ // prefix: /
+ //
+ config.route.v3.RouteMatch match = 1 [(validate.rules).message = {required: true}];
+
+ // Specify a Jwt requirement.
+ // If not specified, Jwt verification is disabled.
+ oneof requirement_type {
+ // Specify a Jwt requirement. Please see detail comment in message JwtRequirement.
+ JwtRequirement requires = 2;
+
+ // Use requirement_name to specify a Jwt requirement.
+ // This requirement_name MUST be specified at the
+ // :ref:`requirement_map `
+ // in ``JwtAuthentication``.
+ string requirement_name = 3 [(validate.rules).string = {min_len: 1}];
+ }
+}
+
+// This message specifies Jwt requirements based on stream_info.filterState.
+// This FilterState should use ``Router::StringAccessor`` object to set a string value.
+// Other HTTP filters can use it to specify Jwt requirements dynamically.
+//
+// Example:
+//
+// .. code-block:: yaml
+//
+// name: jwt_selector
+// requires:
+// issuer_1:
+// provider_name: issuer1
+// issuer_2:
+// provider_name: issuer2
+//
+// If a filter set "jwt_selector" with "issuer_1" to FilterState for a request,
+// jwt_authn filter will use JwtRequirement{"provider_name": "issuer1"} to verify.
+message FilterStateRule { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.jwt_authn.v2alpha.FilterStateRule"; + + // The filter state name to retrieve the ``Router::StringAccessor`` object. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // A map of string keys to requirements. The string key is the string value + // in the FilterState with the name specified in the ``name`` field above. + map requires = 3; +} + +// This is the Envoy HTTP filter config for JWT authentication. +// +// For example: +// +// .. code-block:: yaml +// +// providers: +// provider1: +// issuer: issuer1 +// audiences: +// - audience1 +// - audience2 +// remote_jwks: +// http_uri: +// uri: https://example.com/.well-known/jwks.json +// cluster: example_jwks_cluster +// timeout: 1s +// provider2: +// issuer: issuer2 +// local_jwks: +// inline_string: jwks_string +// +// rules: +// # Not jwt verification is required for /health path +// - match: +// prefix: /health +// +// # Jwt verification for provider1 is required for path prefixed with "prefix" +// - match: +// prefix: /prefix +// requires: +// provider_name: provider1 +// +// # Jwt verification for either provider1 or provider2 is required for all other requests. +// - match: +// prefix: / +// requires: +// requires_any: +// requirements: +// - provider_name: provider1 +// - provider_name: provider2 +// +// [#next-free-field: 8] +message JwtAuthentication { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.jwt_authn.v2alpha.JwtAuthentication"; + + // Map of provider names to JwtProviders. + // + // .. 
code-block:: yaml + // + // providers: + // provider1: + // issuer: issuer1 + // audiences: + // - audience1 + // - audience2 + // remote_jwks: + // http_uri: + // uri: https://example.com/.well-known/jwks.json + // cluster: example_jwks_cluster + // timeout: 1s + // provider2: + // issuer: provider2 + // local_jwks: + // inline_string: jwks_string + // + map providers = 1; + + // Specifies requirements based on the route matches. The first matched requirement will be + // applied. If there are overlapped match conditions, please put the most specific match first. + // + // Examples + // + // .. code-block:: yaml + // + // rules: + // - match: + // prefix: /healthz + // - match: + // prefix: /baz + // requires: + // provider_name: provider1 + // - match: + // prefix: /foo + // requires: + // requires_any: + // requirements: + // - provider_name: provider1 + // - provider_name: provider2 + // - match: + // prefix: /bar + // requires: + // requires_all: + // requirements: + // - provider_name: provider1 + // - provider_name: provider2 + // + repeated RequirementRule rules = 2; + + // This message specifies Jwt requirements based on stream_info.filterState. + // Other HTTP filters can use it to specify Jwt requirements dynamically. + // The ``rules`` field above is checked first, if it could not find any matches, + // check this one. + FilterStateRule filter_state_rules = 3; + + // When set to true, bypass the `CORS preflight request + // `_ regardless of JWT + // requirements specified in the rules. + bool bypass_cors_preflight = 4; + + // A map of unique requirement_names to JwtRequirements. + // :ref:`requirement_name ` + // in ``PerRouteConfig`` uses this map to specify a JwtRequirement. + map requirement_map = 5; + + // A request failing the verification process will receive a 401 downstream with the failure response details + // in the body along with WWWAuthenticate header value set with "invalid token". 
If this value is set to true, + // the response details will be stripped and only a 401 response code will be returned. Default value is false + bool strip_failure_response = 6; + + // Optional additional prefix to use when emitting statistics. + string stat_prefix = 7; +} + +// Specify per-route config. +message PerRouteConfig { + oneof requirement_specifier { + option (validate.required) = true; + + // Disable Jwt Authentication for this route. + bool disabled = 1 [(validate.rules).bool = {const: true}]; + + // Use requirement_name to specify a JwtRequirement. + // This requirement_name MUST be specified at the + // :ref:`requirement_map ` + // in ``JwtAuthentication``. If no, the requests using this route will be rejected with 403. + string requirement_name = 2 [(validate.rules).string = {min_len: 1}]; + } +} + +// This message specifies a combination of header name and claim name. +message JwtClaimToHeader { + // The HTTP header name to copy the claim to. + // The header name will be sanitized and replaced. + string header_name = 1 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // The field name for the JWT Claim : it can be a nested claim of type (eg. "claim.nested.key", "sub") + // String separated with "." in case of nested claims. The nested claim name must use dot "." to separate + // the JSON name path. + string claim_name = 2 [(validate.rules).string = {min_len: 1}]; +} diff --git a/modules/sync/envoyproxy/envoy/cas/7ab7551b0c8fc52259981599b1b118ec1aa8abc5692a0d550014d427dc5553c054ccd0c9d0262f7be1cf664e1840f1ea633e4cfc995cab69f3d5b9db44f8888a b/modules/sync/envoyproxy/envoy/cas/7ab7551b0c8fc52259981599b1b118ec1aa8abc5692a0d550014d427dc5553c054ccd0c9d0262f7be1cf664e1840f1ea633e4cfc995cab69f3d5b9db44f8888a new file mode 100644 index 00000000..45ecf9b6 --- /dev/null 
+++ b/modules/sync/envoyproxy/envoy/cas/7ab7551b0c8fc52259981599b1b118ec1aa8abc5692a0d550014d427dc5553c054ccd0c9d0262f7be1cf664e1840f1ea633e4cfc995cab69f3d5b9db44f8888a 
@@ -0,0 +1,187 @@
+syntax = "proto3";
+
+package envoy.extensions.common.aws.v3;
+
+import "envoy/config/core/v3/base.proto";
+
+import "google/protobuf/duration.proto";
+
+import "udpa/annotations/sensitive.proto";
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.common.aws.v3";
+option java_outer_classname = "CredentialProviderProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/common/aws/v3;awsv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: AWS common configuration]
+
+// Configuration for AWS credential provider. This is optional and the credentials are normally
+// retrieved from the environment or AWS configuration files by following the default credential
+// provider chain. However, this configuration can be used to override the default behavior.
+// [#next-free-field: 11]
+message AwsCredentialProvider {
+ // The option to use `AssumeRoleWithWebIdentity `_.
+ AssumeRoleWithWebIdentityCredentialProvider assume_role_with_web_identity_provider = 1;
+
+ // The option to use an inline credential. If inline credential is provided, no chain will be created and only the inline credential will be used.
+ InlineCredentialProvider inline_credential = 2;
+
+ // The option to specify parameters for credential retrieval from an envoy data source, such as a file in AWS credential format.
+ CredentialsFileCredentialProvider credentials_file_provider = 3;
+
+ // Create a custom credential provider chain instead of the default credential provider chain.
+ // If set to TRUE, the credential provider chain that is created contains only those set in this credential provider message.
+ // If set to FALSE, the settings provided here will act as modifiers to the default credential provider chain.
+ // Defaults to FALSE.
+ //
+ // This has no effect if inline_credential is provided.
+ bool custom_credential_provider_chain = 4;
+
+ // The option to use `IAM Roles Anywhere `_.
+ IAMRolesAnywhereCredentialProvider iam_roles_anywhere_credential_provider = 5;
+
+ // The option to use credentials sourced from standard `AWS configuration files `_.
+ ConfigCredentialProvider config_credential_provider = 6;
+
+ // The option to use credentials sourced from `container environment variables `_.
+ ContainerCredentialProvider container_credential_provider = 7;
+
+ // The option to use credentials sourced from `environment variables `_.
+ EnvironmentCredentialProvider environment_credential_provider = 8;
+
+ // The option to use credentials sourced from an EC2 `Instance Profile `_.
+ InstanceProfileCredentialProvider instance_profile_credential_provider = 9;
+
+ // The option to use `STS:AssumeRole aka Role Chaining `_.
+ AssumeRoleCredentialProvider assume_role_credential_provider = 10;
+}
+
+// Configuration to use an inline AWS credential. This is an equivalent to setting the well-known
+// environment variables ``AWS_ACCESS_KEY_ID``, ``AWS_SECRET_ACCESS_KEY``, and the optional ``AWS_SESSION_TOKEN``.
+message InlineCredentialProvider {
+ // The AWS access key ID.
+ string access_key_id = 1 [(validate.rules).string = {min_len: 1}];
+
+ // The AWS secret access key.
+ string secret_access_key = 2
+ [(validate.rules).string = {min_len: 1}, (udpa.annotations.sensitive) = true];
+
+ // The AWS session token. This is optional.
+ string session_token = 3 [(udpa.annotations.sensitive) = true];
+}
+
+// Configuration to use `AssumeRoleWithWebIdentity `_
+// to retrieve AWS credentials.
+message AssumeRoleWithWebIdentityCredentialProvider {
+ // Data source for a web identity token that is provided by the identity provider to assume the role.
+ // If a ``watched_directory`` is not provided, one will be automatically inferred from the directory of the token file. This is to ensure
+ // that if the token file is rotated, the new token will be picked up. This behaviour differs from the standard envoy data source behavior, which does not
+ // automatically watch the directory of a file data source.
+ // Even when file rotation occurs, current credentials will continue to be used until they expire, at which point new credentials will be retrieved using the new token.
+ config.core.v3.DataSource web_identity_token_data_source = 1
+ [(udpa.annotations.sensitive) = true];
+
+ // The ARN of the role to assume.
+ string role_arn = 2 [(validate.rules).string = {min_len: 1}];
+
+ // Optional role session name to use in AssumeRoleWithWebIdentity API call.
+ string role_session_name = 3;
+}
+
+message CredentialsFileCredentialProvider {
+ // Data source from which to retrieve AWS credentials
+ // When using this data source, if a ``watched_directory`` is provided, the credential file will be re-read when a file move is detected.
+ // See :ref:`watched_directory ` for more information about the ``watched_directory`` field.
+ config.core.v3.DataSource credentials_data_source = 1 [(udpa.annotations.sensitive) = true];
+
+ // The profile within the credentials_file data source. If not provided, the default profile will be used.
+ string profile = 2;
+}
+
+// Configuration to use `IAM Roles Anywhere `_
+// to retrieve AWS credentials.
+// [#next-free-field: 9]
+message IAMRolesAnywhereCredentialProvider {
+ // The ARN of the role to assume via the IAM Roles Anywhere sessions API. See `Configure Roles `_ for more details.
+ string role_arn = 1 [(validate.rules).string = {min_len: 1}];
+
+ // The certificate used for authenticating to the IAM Roles Anywhere service.
+ // This certificate must match one configured in the IAM Roles Anywhere profile. See `Configure Roles `_ for more details.
+ config.core.v3.DataSource certificate = 2 [(validate.rules).message = {required: true}];
+
+ // The optional certificate chain, required when you are using a subordinate certificate authority for certificate issuance.
+ // A certificate chain can contain a maximum of 5 elements, see `The IAM Roles Anywhere authentication process `_ for more details.
+ config.core.v3.DataSource certificate_chain = 3;
+
+ // The TLS private key matching the certificate provided.
+ config.core.v3.DataSource private_key = 4
+ [(validate.rules).message = {required: true}, (udpa.annotations.sensitive) = true];
+
+ // The arn of the IAM Roles Anywhere trust anchor configured in your AWS account. A trust anchor in IAM Roles anywhere establishes
+ // trust between your certificate authority (CA) and AWS. See `Establish trust `_ for more details.
+ string trust_anchor_arn = 5 [(validate.rules).string = {min_len: 1}];
+
+ // The IAM Roles Anywhere profile ARN configured in your AWS account.
+ string profile_arn = 6 [(validate.rules).string = {min_len: 1}];
+
+ // An optional role session name, used when identifying the role in subsequent AWS API calls.
+ string role_session_name = 7;
+
+ // An optional session duration, used when calculating the maximum time before vended credentials expire. This value cannot exceed the value configured
+ // in the IAM Roles Anywhere profile and the resultant session duration is calculate by the formula `here `_.
+ // If no session duration is provided here, the session duration is sourced from the IAM Roles Anywhere profile.
+ google.protobuf.Duration session_duration = 8 [(validate.rules).duration = {
+ lte {seconds: 43200}
+ gte {seconds: 900}
+ }];
+}
+
+// The Config Credential Provider has no configurable parameters, but listing it in a custom credential provider chain will enable this
+// credential provider.
+message ConfigCredentialProvider {
+}
+
+// The Container Credential Provider has no configurable parameters, but listing it in a custom credential provider chain will enable this
+// credential provider.
+message ContainerCredentialProvider {
+}
+
+// The Environment Credential Provider has no configurable parameters, but listing it in a custom credential provider chain will enable this
+// credential provider.
+message EnvironmentCredentialProvider {
+}
+
+// The Instance Profile Credential Provider has no configurable parameters, but listing it in a custom credential provider chain will enable this
+// credential provider.
+message InstanceProfileCredentialProvider {
+}
+
+// Configuration to use `AssumeRole `_ for retrieving new credentials, via role chaining.
+// [#next-free-field: 6]
+message AssumeRoleCredentialProvider {
+ // The ARN of the role to assume.
+ string role_arn = 1 [(validate.rules).string = {min_len: 1}];
+
+ // An optional role session name, used when identifying the role in subsequent AWS API calls. If not provided, the role session name will default
+ // to the current timestamp.
+ string role_session_name = 2;
+
+ // Optional string value to use as the externalId
+ string external_id = 3;
+
+ // An optional duration, in seconds, of the role session. Minimum role duration is 900s (5 minutes) and maximum is 43200s (12 hours).
+ // If the session duration is not provided, the default will be determined using the `table described here `_.
+ google.protobuf.Duration session_duration = 4 [(validate.rules).duration = {
+ lte {seconds: 43200}
+ gte {seconds: 900}
+ }];
+
+ // The credential provider for signing the AssumeRole request. This is optional and if not set,
+ // it will be retrieved from the procedure described in :ref:`config_http_filters_aws_request_signing`.
+ // This list of credential providers cannot include an AssumeRole credential provider and if one is provided
+ // it will be ignored.
+ AwsCredentialProvider credential_provider = 5;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/7c09a0ec365d6a776cf29ae4ba19c2c4a62acf19b785f418f22ffdaeb017d896faf7216ec5901a22acddd5d792ba0ddcd7376523ce79059ca756d8327fc854c0 b/modules/sync/envoyproxy/envoy/cas/7c09a0ec365d6a776cf29ae4ba19c2c4a62acf19b785f418f22ffdaeb017d896faf7216ec5901a22acddd5d792ba0ddcd7376523ce79059ca756d8327fc854c0
new file mode 100644
index 00000000..4c989b9a
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/7c09a0ec365d6a776cf29ae4ba19c2c4a62acf19b785f418f22ffdaeb017d896faf7216ec5901a22acddd5d792ba0ddcd7376523ce79059ca756d8327fc854c0
@@ -0,0 +1,23 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.peak_ewma.v3alpha;
+
+import "xds/annotations/v3/status.proto";
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.peak_ewma.v3alpha";
+option java_outer_classname = "PeakEwmaProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/filters/http/peak_ewma/v3alpha";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+option (xds.annotations.v3.file_status).work_in_progress = true;
+
+// [#protodoc-title: Peak EWMA HTTP Filter]
+// Configuration for the Peak EWMA HTTP filter.
+// This filter measures request RTT and provides timing data to the Peak EWMA load balancer.
+
+// [#extension: envoy.filters.http.peak_ewma]
+message PeakEwmaConfig {
+ option (xds.annotations.v3.message_status).work_in_progress = true;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/7c47e01e6bd412b0dfa541a4e7337df6e21bafd4e16296091b1481cfafd975ec4c0405cf2262dde4f8dbe2a1227b4d344d54e2cc11f43f5ed7844279dbdd41e1 b/modules/sync/envoyproxy/envoy/cas/7c47e01e6bd412b0dfa541a4e7337df6e21bafd4e16296091b1481cfafd975ec4c0405cf2262dde4f8dbe2a1227b4d344d54e2cc11f43f5ed7844279dbdd41e1
new file mode 100644
index 00000000..e2ec8946
--- /dev/null
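Review bot: `external_id = 3` in AssumeRoleCredentialProvider is documented only as `Optional string value to use as the externalId`, which tells an operator neither what the value does nor when it is required; a comment such as `// Optional external ID sent with the STS:AssumeRole call. Required when the target role's trust policy conditions on sts:ExternalId; the call is rejected if the values do not match.` would make the cross-account confused-deputy purpose explicit. On `credential_provider = 5`, the field is typed as the full AwsCredentialProvider, so a nested `assume_role_credential_provider` passes validation and, per the comment, is silently dropped; either rejecting that at config validation or stating in the comment that nested chaining is dropped rather than one-level-deep would avoid operators assuming a multi-hop chain is in effect. The three `role_session_name` fields (2, 3, 7) carry no validate rule while every `role_arn` has `min_len: 1`; if STS rejects malformed session names, a length or charset rule here would surface that at config load rather than at the first credential fetch.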
+++ b/modules/sync/envoyproxy/envoy/cas/7c47e01e6bd412b0dfa541a4e7337df6e21bafd4e16296091b1481cfafd975ec4c0405cf2262dde4f8dbe2a1227b4d344d54e2cc11f43f5ed7844279dbdd41e1 
@@ -0,0 +1,152 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.ext_proc.v3; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.ext_proc.v3"; +option java_outer_classname = "ProcessingModeProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_proc/v3;ext_procv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: External Processing Filter] +// External Processing Filter Processing Mode +// [#extension: envoy.filters.http.ext_proc] + +// This configuration describes which parts of an HTTP request and +// response are sent to a remote server and how they are delivered. + +// [#next-free-field: 7] +message ProcessingMode { + // Control how headers and trailers are handled + enum HeaderSendMode { + // When used to configure the ext_proc filter :ref:`processing_mode + // `, + // the default HeaderSendMode depends on which part of the message is being processed. By + // default, request and response headers are sent, while trailers are skipped. + // + // When used in :ref:`mode_override + // ` or + // :ref:`allowed_override_modes + // `, + // a value of DEFAULT indicates that there is no change from the behavior that is configured for + // the filter in :ref:`processing_mode + // `. + DEFAULT = 0; + + // Send the header or trailer. + SEND = 1; + + // Do not send the header or trailer. + SKIP = 2; + } + + // Control how the request and response bodies are handled + // When body mutation by external processor is enabled, ext_proc filter will always remove + // the content length header in four cases below because content length can not be guaranteed + // to be set correctly: + // 1) STREAMED BodySendMode: header processing completes before body mutation comes back. 
+ // 2) BUFFERED_PARTIAL BodySendMode: body is buffered and could be injected in different phases. + // 3) BUFFERED BodySendMode + SKIP HeaderSendMode: header processing (e.g., update content-length) is skipped. + // 4) FULL_DUPLEX_STREAMED BodySendMode: header processing completes before body mutation comes back. + // + // In Envoy's http1 codec implementation, removing content length will enable chunked transfer + // encoding whenever feasible. The recipient (either client or server) must be able + // to parse and decode the chunked transfer coding. + // (see `details in RFC9112 `_). + // + // In BUFFERED BodySendMode + SEND HeaderSendMode, content length header is allowed but it is + // external processor's responsibility to set the content length correctly matched to the length + // of mutated body. If they don't match, the corresponding body mutation will be rejected and + // local reply will be sent with an error message. + enum BodySendMode { + // Do not send the body at all. This is the default. + NONE = 0; + + // Stream the body to the server in pieces as they are seen. + STREAMED = 1; + + // Buffer the message body in memory and send the entire body at once. + // If the body exceeds the configured buffer limit, then the + // downstream system will receive an error. + BUFFERED = 2; + + // Buffer the message body in memory and send the entire body in one + // chunk. If the body exceeds the configured buffer limit, then the body contents + // up to the buffer limit will be sent. + BUFFERED_PARTIAL = 3; + + // The ext_proc client (the data plane) streams the body to the server in pieces as they arrive. + // + // 1) The server may choose to buffer any number chunks of data before processing them. + // After it finishes buffering, the server processes the buffered data. Then it splits the processed + // data into any number of chunks, and streams them back to the ext_proc client one by one. 
+ // The server may continuously do so until the complete body is processed. + // The individual response chunk size is recommended to be no greater than 64K bytes, or + // :ref:`max_receive_message_length ` + // if EnvoyGrpc is used. + // + // 2) The server may also choose to buffer the entire message, including the headers (if header mode is + // ``SEND``), the entire body, and the trailers (if present), before sending back any response. + // The server response has to maintain the headers-body-trailers ordering. + // + // 3) Note that the server might also choose not to buffer data. That is, upon receiving a + // body request, it could process the data and send back a body response immediately. + // + // In this body mode: + // * The corresponding trailer mode has to be set to ``SEND``. + // * The client will send body and trailers (if present) to the server as they arrive. + // Sending the trailers (if present) is to inform the server the complete body arrives. + // In case there are no trailers, then the client will set + // :ref:`end_of_stream ` + // to true as part of the last body chunk request to notify the server that no other data is to be sent. + // * The server needs to send + // :ref:`StreamedBodyResponse ` + // to the client in the body response. + // * The client will stream the body chunks in the responses from the server to the upstream/downstream as they arrive. + + FULL_DUPLEX_STREAMED = 4; + + // [#not-implemented-hide:] + // A mode for gRPC traffic. This is similar to ``FULL_DUPLEX_STREAMED``, + // except that instead of sending raw chunks of the HTTP/2 DATA frames, + // the ext_proc client will de-frame the individual gRPC messages inside + // the HTTP/2 DATA frames, and as each message is de-framed, it will be + // sent to the ext_proc server as a :ref:`request_body + // ` + // or :ref:`response_body + // `. 
+ // The ext_proc server will stream back individual gRPC messages in the + // :ref:`StreamedBodyResponse ` + // field, but the number of messages sent by the ext_proc server + // does not need to equal the number of messages sent by the data + // plane. This allows the ext_proc server to change the number of + // messages sent on the stream. + // In this mode, the client will send body and trailers to the server as + // they arrive. + GRPC = 5; + } + + // How to handle the request header. Default is "SEND". + // Note this field is ignored in :ref:`mode_override + // `, since mode + // overrides can only affect messages exchanged after the request header is processed. + HeaderSendMode request_header_mode = 1 [(validate.rules).enum = {defined_only: true}]; + + // How to handle the response header. Default is "SEND". + HeaderSendMode response_header_mode = 2 [(validate.rules).enum = {defined_only: true}]; + + // How to handle the request body. Default is "NONE". + BodySendMode request_body_mode = 3 [(validate.rules).enum = {defined_only: true}]; + + // How do handle the response body. Default is "NONE". + BodySendMode response_body_mode = 4 [(validate.rules).enum = {defined_only: true}]; + + // How to handle the request trailers. Default is "SKIP". + HeaderSendMode request_trailer_mode = 5 [(validate.rules).enum = {defined_only: true}]; + + // How to handle the response trailers. Default is "SKIP". + HeaderSendMode response_trailer_mode = 6 [(validate.rules).enum = {defined_only: true}]; +} diff --git a/modules/sync/envoyproxy/envoy/cas/820d7943bb9e5754b8275f131b6ecab54f6ab7a3eb9d4276c04973ec75434b8a57cdbb329cbfd83549b7ab4e826c3255eb63b88fef390fb0011e62ed8f736032 b/modules/sync/envoyproxy/envoy/cas/820d7943bb9e5754b8275f131b6ecab54f6ab7a3eb9d4276c04973ec75434b8a57cdbb329cbfd83549b7ab4e826c3255eb63b88fef390fb0011e62ed8f736032 new file mode 100644 index 00000000..520a4ff4 --- /dev/null 
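Review bot: The field comment on `response_body_mode = 4` reads `// How do handle the response body. Default is "NONE".` and should be `// How to handle the response body. Default is "NONE".` to match the other five field comments. In the FULL_DUPLEX_STREAMED doc, `buffer any number chunks of data` is missing a word (`any number of chunks`). The per-field `Default is "SEND"` / `"NONE"` / `"SKIP"` statements describe the effective meaning of the `DEFAULT = 0` value only when the message is used as `processing_mode`; since the HeaderSendMode doc above says the same message is also used in `mode_override` and `allowed_override_modes`, where DEFAULT means no change, a one-line cross-reference on each header/trailer field would stop readers equating the zero value with SEND or SKIP.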
+++ b/modules/sync/envoyproxy/envoy/cas/820d7943bb9e5754b8275f131b6ecab54f6ab7a3eb9d4276c04973ec75434b8a57cdbb329cbfd83549b7ab4e826c3255eb63b88fef390fb0011e62ed8f736032 
@@ -0,0 +1,157 @@
+syntax = "proto3";
+
+package envoy.service.auth.v3;
+
+import "envoy/config/core/v3/base.proto";
+import "envoy/service/auth/v3/attribute_context.proto";
+import "envoy/type/v3/http_status.proto";
+
+import "google/protobuf/struct.proto";
+import "google/rpc/status.proto";
+
+import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+
+option java_package = "io.envoyproxy.envoy.service.auth.v3";
+option java_outer_classname = "ExternalAuthProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3;authv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Authorization service]
+
+// The authorization service request messages used by external authorization :ref:`network filter
+// ` and :ref:`HTTP filter `.
+
+// A generic interface for performing authorization check on incoming
+// requests to a networked service.
+service Authorization {
+ // Performs authorization check based on the attributes associated with the
+ // incoming request, and returns status `OK` or not `OK`.
+ rpc Check(CheckRequest) returns (CheckResponse) {
+ }
+}
+
+message CheckRequest {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.service.auth.v2.CheckRequest";
+
+ // The request attributes.
+ AttributeContext attributes = 1;
+}
+
+// HTTP attributes for a denied response.
+message DeniedHttpResponse {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.service.auth.v2.DeniedHttpResponse";
+
+ // This field allows the authorization service to send an HTTP response status code to the
+ // downstream client. If not set, Envoy sends ``403 Forbidden`` HTTP status code by default.
+ type.v3.HttpStatus status = 1;
+
+ // This field allows the authorization service to send HTTP response headers
+ // to the downstream client.
Note that the :ref:`append field in HeaderValueOption ` defaults to
+ // false when used in this message.
+ repeated config.core.v3.HeaderValueOption headers = 2;
+
+ // This field allows the authorization service to send a response body data
+ // to the downstream client.
+ string body = 3;
+}
+
+// HTTP attributes for an OK response.
+// [#next-free-field: 9]
+message OkHttpResponse {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.service.auth.v2.OkHttpResponse";
+
+ // HTTP entity headers in addition to the original request headers. This allows the authorization
+ // service to append, to add or to override headers from the original request before
+ // dispatching it to the upstream. Note that the :ref:`append field in HeaderValueOption ` defaults to
+ // false when used in this message. By setting the ``append`` field to ``true``,
+ // the filter will append the correspondent header value to the matched request header.
+ // By leaving ``append`` as false, the filter will either add a new header, or override an existing
+ // one if there is a match.
+ repeated config.core.v3.HeaderValueOption headers = 2;
+
+ // HTTP entity headers to remove from the original request before dispatching
+ // it to the upstream. This allows the authorization service to act on auth
+ // related headers (like ``Authorization``), process them, and consume them.
+ // Under this model, the upstream will either receive the request (if it's
+ // authorized) or not receive it (if it's not), but will not see headers
+ // containing authorization credentials.
+ //
+ // Pseudo headers (such as ``:authority``, ``:method``, ``:path`` etc), as well as
+ // the header ``Host``, may not be removed as that would make the request
+ // malformed. If mentioned in ``headers_to_remove`` these special headers will
+ // be ignored.
+ //
+ // When using the HTTP service this must instead be set by the HTTP
+ // authorization service as a comma separated list like so:
+ // ``x-envoy-auth-headers-to-remove: one-auth-header, another-auth-header``.
+ repeated string headers_to_remove = 5;
+
+ // This field has been deprecated in favor of :ref:`CheckResponse.dynamic_metadata
+ // `. Until it is removed,
+ // setting this field overrides :ref:`CheckResponse.dynamic_metadata
+ // `.
+ google.protobuf.Struct dynamic_metadata = 3
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // This field allows the authorization service to send HTTP response headers
+ // to the downstream client on success. Note that the :ref:`append field in HeaderValueOption `
+ // defaults to false when used in this message.
+ repeated config.core.v3.HeaderValueOption response_headers_to_add = 6;
+
+ // This field allows the authorization service to set (and overwrite) query
+ // string parameters on the original request before it is sent upstream.
+ repeated config.core.v3.QueryParameter query_parameters_to_set = 7;
+
+ // This field allows the authorization service to specify which query parameters
+ // should be removed from the original request before it is sent upstream. Each
+ // element in this list is a case-sensitive query parameter name to be removed.
+ repeated string query_parameters_to_remove = 8;
+}
+
+// Intended for gRPC and Network Authorization servers ``only``.
+// [#next-free-field: 6]
+message CheckResponse {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.service.auth.v2.CheckResponse";
+
+ // Status ``OK`` allows the request. Any other status indicates the request should be denied, and
+ // for HTTP filter, if not overridden by :ref:`denied HTTP response status `
+ // Envoy sends ``403 Forbidden`` HTTP status code by default.
+ google.rpc.Status status = 1;
+
+ // An message that contains HTTP response attributes.
This message is
+ // used when the authorization service needs to send custom responses to the
+ // downstream client or, to modify/add request headers being dispatched to the upstream.
+ oneof http_response {
+ // Supplies http attributes for a denied response.
+ DeniedHttpResponse denied_response = 2;
+
+ // Supplies http attributes for an ok response.
+ OkHttpResponse ok_response = 3;
+
+ // Supplies http attributes for an error response. This is used when the authorization
+ // service encounters an internal error and wants to return custom headers and body to the
+ // downstream client. When ``error_response`` is set, the ext_authz filter increments the
+ // ``ext_authz_error`` stat and respects the :ref:`failure_mode_allow
+ // `
+ // configuration. The HTTP status code, headers, and body are taken from the
+ // :ref:`DeniedHttpResponse ` message.
+ // If the status field is not set, Envoy sends the status code configured via
+ // :ref:`status_on_error `,
+ // which defaults to ``403 Forbidden``.
+ DeniedHttpResponse error_response = 5;
+ }
+
+ // Optional response metadata that will be emitted as dynamic metadata to be consumed by the next
+ // filter. This metadata lives in a namespace specified by the canonical name of extension filter
+ // that requires it:
+ //
+ // - :ref:`envoy.filters.http.ext_authz ` for HTTP filter.
+ // - :ref:`envoy.filters.network.ext_authz ` for network filter.
+ google.protobuf.Struct dynamic_metadata = 4;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/8279990477d97efaa433be0a4321dc7d2291ee5d8aa833d9a24487786d43ed370fc0e7f1b3a4810025e61d45c0600d5ab4900396c58cd9419b3aa281f69077a3 b/modules/sync/envoyproxy/envoy/cas/8279990477d97efaa433be0a4321dc7d2291ee5d8aa833d9a24487786d43ed370fc0e7f1b3a4810025e61d45c0600d5ab4900396c58cd9419b3aa281f69077a3
new file mode 100644
index 00000000..bcb1296c
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/8279990477d97efaa433be0a4321dc7d2291ee5d8aa833d9a24487786d43ed370fc0e7f1b3a4810025e61d45c0600d5ab4900396c58cd9419b3aa281f69077a3 
@@ -0,0 +1,102 @@
+syntax = "proto3";
+
+package envoy.extensions.access_loggers.stats.v3;
+
+import "google/protobuf/wrappers.proto";
+
+import "xds/annotations/v3/status.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.access_loggers.stats.v3";
+option java_outer_classname = "StatsProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/stats/v3;statsv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Stats logger]
+// Configuration for an access logger that emits custom Envoy stats according to its
+// configuration. The stats can have tags and values derived from
+// :ref:`command operators `.
+// [#extension: envoy.access_loggers.stats]
+//
+// .. warning::
+// It is easy to configure and use this extension in ways that create very
+// large numbers of stats in Envoy, which can cause excessive memory or CPU use
+// leading to a denial of service in Envoy, or can overwhelm any configured
+// stat sinks by sending too many unique metrics.
+
+message Config {
+ option (xds.annotations.v3.message_status).work_in_progress = true;
+
+ // Defines a tag on a stat.
+ message Tag {
+ // The name of the tag.
+ string name = 1 [(validate.rules).string = {min_len: 1}];
+
+ // The value of the tag, using :ref:`command operators `.
+ string value_format = 2 [(validate.rules).string = {min_len: 1}];
+ }
+
+ // Defines the name and tags of a stat.
+ message Stat {
+ // The name of the stat.
+ string name = 1 [(validate.rules).string = {min_len: 1}];
+
+ // The tags for the stat.
+ repeated Tag tags = 2;
+ }
+
+ // Configuration for a histogram stat.
+ message Histogram {
+ // The histogram units. The units are needed for some stat sinks.
+ enum Unit {
+ Unspecified = 0;
+
+ Bytes = 1;
+
+ Microseconds = 2;
+
+ Milliseconds = 3;
+
+ // Values are scaled to range 0-1.0, indicating 0%-100%. Values can be outside this range,
+ // but must be positive. Values extremely far out of this range may overflow.
+ Percent = 4;
+ }
+
+ // The name and tags of this histogram.
+ Stat stat = 1 [(validate.rules).message = {required: true}];
+
+ // The units for this histogram.
+ Unit unit = 2 [(validate.rules).enum = {defined_only: true}];
+
+ // The format string for the value of this histogram, using :ref:`command operators `.
+ // This must evaluate to a positive number.
+ string value_format = 3 [(validate.rules).string = {min_len: 1 prefix: "%" suffix: "%"}];
+ }
+
+ // Configuration for a counter stat.
+ message Counter {
+ // The name and tags of this counter.
+ Stat stat = 1 [(validate.rules).message = {required: true}];
+
+ // The format string for the value to add to this counter, using :ref:`command operators `.
+ // One of ``value_format`` or ``value_fixed`` must be configured.
+ string value_format = 2
+ [(validate.rules).string = {prefix: "%" suffix: "%" ignore_empty: true}];
+
+ // A fixed value to add to this counter.
+ // One of ``value_format`` or ``value_fixed`` must be configured.
+ google.protobuf.UInt64Value value_fixed = 3 [(validate.rules).uint64 = {gt: 0}];
+ }
+
+ // The stat prefix for the generated stats.
+ string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
+
+ // The histograms this logger will emit.
+ repeated Histogram histograms = 3;
+
+ // The counters this logger will emit.
+ repeated Counter counters = 4;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/882661bb841648d59bb1f2acb187a340814f68ef6185cfa69dfe831ee21a826a7ecd8079ce8e511bf98598402649240a9459a17899ae8434aeed66f2c468e733 b/modules/sync/envoyproxy/envoy/cas/882661bb841648d59bb1f2acb187a340814f68ef6185cfa69dfe831ee21a826a7ecd8079ce8e511bf98598402649240a9459a17899ae8434aeed66f2c468e733
new file mode 100644
index 00000000..97d26e8a
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/882661bb841648d59bb1f2acb187a340814f68ef6185cfa69dfe831ee21a826a7ecd8079ce8e511bf98598402649240a9459a17899ae8434aeed66f2c468e733
@@ -0,0 +1,42 @@
+syntax = "proto3";
+
+package envoy.extensions.transport_sockets.tls.cert_selectors.on_demand_secret.v3;
+
+import "envoy/config/core/v3/config_source.proto";
+import "envoy/config/core/v3/extension.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.cert_selectors.on_demand_secret.v3";
+option java_outer_classname = "ConfigProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/cert_selectors/on_demand_secret/v3;on_demand_secretv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: On-demand secret certificate selector]
+// [#extension: envoy.tls.certificate_selectors.on_demand_secret]
+
+// Fetches the secret on-demand while allowing the parent cluster or listener to accept connections
+// without warming. During the handshake, a secret name is derived from the peer hello message, an
+// SDS resource request starts, and the handshake is paused. Once an SDS response is received with a
+// resource, the handshake is resumed with the provided certificate. If the SDS server indicates the
+// resource removal, the handshake is failed, and the SDS subscription to the resource is stopped.
+//
+// Similar to the regular SDS, the certificate is configured using the outer common TLS context,
+// e.g. by setting the FIPS compliance policy on the loaded certificate.
+message Config {
+ // Defines the configuration source of the secrets.
+ config.core.v3.ConfigSource config_source = 1 [(validate.rules).message = {required: true}];
+
+ // Extension point to specify a function to compute the secret name. The extension is called
+ // during the TLS handshake after receiving the "CLIENT HELLO" message from the client.
+ // [#extension-category: envoy.tls.certificate_mappers]
+ config.core.v3.TypedExtensionConfig certificate_mapper = 2
+ [(validate.rules).message = {required: true}];
+
+ // A list of secret resource names to start fetching on configuration load (prior to receiving any
+ // requests). The parent resource initializes immediately without waiting for the fetch to
+ // complete.
+ repeated string prefetch_secret_names = 3;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/883c1ea8b63022032112fac2bdb495ae2b5f80041c3d955b3e7f5e7dbf21025fccbdd1d656ebb024ef61220a85e330791f1bc2794bb19a389e65fddfe8ecf9fa b/modules/sync/envoyproxy/envoy/cas/883c1ea8b63022032112fac2bdb495ae2b5f80041c3d955b3e7f5e7dbf21025fccbdd1d656ebb024ef61220a85e330791f1bc2794bb19a389e65fddfe8ecf9fa
new file mode 100644
index 00000000..ff215686
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/883c1ea8b63022032112fac2bdb495ae2b5f80041c3d955b3e7f5e7dbf21025fccbdd1d656ebb024ef61220a85e330791f1bc2794bb19a389e65fddfe8ecf9fa
@@ -0,0 +1,367 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.network.tcp_proxy.v3;
+
+import "envoy/config/accesslog/v3/accesslog.proto";
+import "envoy/config/core/v3/backoff.proto";
+import "envoy/config/core/v3/base.proto";
+import "envoy/config/core/v3/config_source.proto";
+import "envoy/config/core/v3/proxy_protocol.proto";
+import "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto";
+import "envoy/type/v3/hash_policy.proto";
+import "envoy/type/v3/percent.proto";
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/wrappers.proto";
+
+import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.network.tcp_proxy.v3";
+option java_outer_classname = "TcpProxyProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/tcp_proxy/v3;tcp_proxyv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: TCP Proxy]
+// TCP Proxy :ref:`configuration overview `.
+// [#extension: envoy.filters.network.tcp_proxy]
+
+// Specifies when the TCP proxy establishes the upstream connection.
+enum UpstreamConnectMode {
+ // Establish the upstream connection immediately when the downstream connection is accepted.
+ // This is the default behavior and provides the lowest latency.
+ IMMEDIATE = 0;
+
+ // Wait for initial data from the downstream connection before establishing the upstream connection.
+ // This allows preceding filters to inspect the initial data (e.g., extracting SNI from TLS ClientHello)
+ // before the upstream connection is established.
+ //
+ // This mode requires ``max_early_data_bytes`` to be set.
+ //
+ // ..
warning::
+ // This mode is not suitable for server-first protocols (e.g., SMTP, MySQL, POP3) where the
+ // server sends the initial greeting. For such protocols, use ``IMMEDIATE`` mode.
+ ON_DOWNSTREAM_DATA = 1;
+
+ // Wait for the downstream TLS handshake to complete before establishing the upstream connection.
+ // This allows access to the full TLS connection information, including client certificates
+ // and negotiated parameters, which can be used for routing decisions or passed as metadata
+ // to the upstream.
+ //
+ // .. note::
+ // This mode is only effective when the downstream connection uses TLS. For non-TLS
+ // connections, it behaves the same as ``IMMEDIATE``.
+ ON_DOWNSTREAM_TLS_HANDSHAKE = 2;
+}
+
+// [#next-free-field: 23]
+message TcpProxy {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.network.tcp_proxy.v2.TcpProxy";
+
+ // Allows specification of multiple upstream clusters along with weights indicating the percentage of
+ // traffic forwarded to each cluster. The cluster selection is based on these weights.
+ message WeightedCluster {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.network.tcp_proxy.v2.TcpProxy.WeightedCluster";
+
+ message ClusterWeight {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.network.tcp_proxy.v2.TcpProxy.WeightedCluster.ClusterWeight";
+
+ // Name of the upstream cluster.
+ string name = 1 [(validate.rules).string = {min_len: 1}];
+
+ // When a request matches the route, the choice of an upstream cluster is
+ // determined by its weight. The sum of weights across all entries in the
+ // clusters array determines the total weight.
+ uint32 weight = 2 [(validate.rules).uint32 = {gte: 1}];
+
+ // Optional endpoint metadata match criteria used by the subset load balancer.
Only endpoints
+ // in the upstream cluster with metadata matching what is set in this field will be considered
+ // for load balancing. Note that this will be merged with what's provided in
+ // :ref:`TcpProxy.metadata_match
+ // `, with values
+ // here taking precedence. The filter name should be specified as ``envoy.lb``.
+ config.core.v3.Metadata metadata_match = 3;
+ }
+
+ // Specifies the upstream clusters associated with this configuration.
+ repeated ClusterWeight clusters = 1 [(validate.rules).repeated = {min_items: 1}];
+ }
+
+ // Configuration for tunneling TCP over other transports or application layers.
+ // Tunneling is supported over HTTP/1.1 and HTTP/2. The upstream protocol is
+ // determined by the cluster configuration.
+ // [#next-free-field: 10]
+ message TunnelingConfig {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.network.tcp_proxy.v2.TcpProxy.TunnelingConfig";
+
+ // The hostname to send in the synthesized CONNECT headers to the upstream proxy.
+ // This field evaluates command operators if present; otherwise, the value is used as-is.
+ //
+ // For example, dynamically set the hostname using downstream SNI:
+ //
+ // .. code-block:: yaml
+ //
+ // tunneling_config:
+ // hostname: "%REQUESTED_SERVER_NAME%:443"
+ //
+ // For example, dynamically set the hostname using dynamic metadata:
+ //
+ // .. code-block:: yaml
+ //
+ // tunneling_config:
+ // hostname: "%DYNAMIC_METADATA(tunnel:address)%"
+ //
+ string hostname = 1 [(validate.rules).string = {min_len: 1}];
+
+ // Use the ``POST`` method instead of the ``CONNECT`` method to tunnel the TCP stream.
+ // The ``protocol: bytestream`` header is not set for HTTP/2 to comply with the specification.
+ //
+ // The upstream proxy is expected to interpret the POST payload as raw TCP.
+ bool use_post = 2;
+
+ // Additional request headers to send to the upstream proxy.
This is mainly used to
+ // trigger the upstream to convert POST requests back to CONNECT requests.
+ //
+ // Neither ``:``-prefixed pseudo-headers like ``:path`` nor the ``host`` header can be overridden.
+ repeated config.core.v3.HeaderValueOption headers_to_add = 3
+ [(validate.rules).repeated = {max_items: 1000}];
+
+ // Save response headers to the downstream connection's filter state for consumption
+ // by network filters. The filter state key is ``envoy.tcp_proxy.propagate_response_headers``.
+ bool propagate_response_headers = 4;
+
+ // The path used with the POST method. The default path is ``/``. If this field is specified and
+ // :ref:`use_post field `
+ // is not set to true, the configuration will be rejected.
+ string post_path = 5;
+
+ // Save response trailers to the downstream connection's filter state for consumption
+ // by network filters. The filter state key is ``envoy.tcp_proxy.propagate_response_trailers``.
+ bool propagate_response_trailers = 6;
+
+ // The configuration of the request ID extension used for generation, validation, and
+ // associated tracing operations when tunneling.
+ //
+ // If this field is set, a request ID is generated using the specified extension. If
+ // this field is not set, no request ID is generated.
+ //
+ // When a request ID is generated, it is also stored in the downstream connection's
+ // dynamic metadata under the namespace ``envoy.filters.network.tcp_proxy`` with the key
+ // ``tunnel_request_id`` to allow emission from TCP proxy access logs via the
+ // ``%DYNAMIC_METADATA(envoy.filters.network.tcp_proxy:tunnel_request_id)%`` formatter.
+ // [#extension-category: envoy.request_id]
+ http_connection_manager.v3.RequestIDExtension request_id_extension = 7;
+
+ // The request header name to use for emitting the generated request ID on the tunneling
+ // HTTP request.
+ //
+ // If not specified or set to an empty string, the default header name ``x-request-id`` is
+ // used.
+ //
+ // ..
note::
+ // This setting does not alter the internal request ID handling elsewhere in Envoy and
+ // only controls the header emitted on the tunneling request.
+ string request_id_header = 8;
+
+ // The dynamic metadata key to use when storing the generated request ID. The metadata is
+ // stored under the namespace ``envoy.filters.network.tcp_proxy``.
+ //
+ // If not specified or set to an empty string, the default key ``tunnel_request_id`` is used.
+ // This enables customizing the key used by access log formatters such as
+ // ``%DYNAMIC_METADATA(envoy.filters.network.tcp_proxy:)%``.
+ string request_id_metadata_key = 9;
+ }
+
+ message OnDemand {
+ // Optional configuration for the on-demand cluster discovery service.
+ // If not specified, on-demand cluster discovery is disabled. When specified, the filter pauses a request
+ // to an unknown cluster and begins a cluster discovery process. When discovery completes (successfully
+ // or not), the request is resumed.
+ config.core.v3.ConfigSource odcds_config = 1;
+
+ // xdstp:// resource locator for on-demand cluster collection.
+ // [#not-implemented-hide:]
+ string resources_locator = 2;
+
+ // The timeout for on-demand cluster lookup. If the CDS cannot return the required cluster,
+ // the downstream request will be closed with the error code detail NO_CLUSTER_FOUND.
+ // [#not-implemented-hide:]
+ google.protobuf.Duration timeout = 3;
+ }
+
+ message TcpAccessLogOptions {
+ // The interval for flushing access logs. By default, the TCP proxy flushes a single access log when the
+ // connection is closed. If this field is set, the TCP proxy flushes access logs periodically at the
+ // specified interval.
+ // The interval must be at least 1ms.
+ google.protobuf.Duration access_log_flush_interval = 1
+ [(validate.rules).duration = {gte {nanos: 1000000}}];
+
+ // If set to true, the access log is flushed when the TCP proxy successfully establishes a
+ // connection with the upstream.
If the connection fails, the access log is not flushed.
+ bool flush_access_log_on_connected = 2;
+ }
+
+ reserved 6;
+
+ reserved "deprecated_v1";
+
+ // The prefix to use when emitting :ref:`statistics
+ // `.
+ string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
+
+ oneof cluster_specifier {
+ option (validate.required) = true;
+
+ // The upstream cluster to connect to.
+ string cluster = 2;
+
+ // Multiple upstream clusters can be specified. The request is routed to one of the upstream clusters
+ // based on the weights assigned to each cluster.
+ WeightedCluster weighted_clusters = 10;
+ }
+
+ // The on demand policy for the upstream cluster.
+ // It applies to both
+ // :ref:`TcpProxy.cluster `
+ // and
+ // :ref:`TcpProxy.weighted_clusters `.
+ OnDemand on_demand = 14;
+
+ // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints
+ // in the upstream cluster with metadata matching what is set in this field will be considered
+ // for load balancing. The filter name should be specified as ``envoy.lb``.
+ config.core.v3.Metadata metadata_match = 9;
+
+ // The idle timeout for connections managed by the TCP proxy filter. The idle timeout is defined as the
+ // period in which there are no bytes sent or received on either the upstream or downstream connection.
+ // If not set, the default idle timeout is 1 hour. If set to ``0s``, the timeout is disabled.
+ // It is possible to dynamically override this configuration by setting a per-connection filter state
+ // object for the key ``envoy.tcp_proxy.per_connection_idle_timeout_ms``.
+ //
+ // .. warning::
+ // Disabling this timeout is likely to yield connection leaks due to lost TCP FIN packets, etc.
+ google.protobuf.Duration idle_timeout = 8;
+
+ // [#not-implemented-hide:] The idle timeout for connections managed by the TCP proxy
+ // filter. The idle timeout is defined as the period in which there is no
+ // active traffic. If not set, there is no idle timeout.
When the idle timeout
+ // is reached the connection will be closed. The distinction between
+ // downstream_idle_timeout/upstream_idle_timeout provides a means to set
+ // timeout based on the last byte sent on the downstream/upstream connection.
+ google.protobuf.Duration downstream_idle_timeout = 3;
+
+ // [#not-implemented-hide:]
+ google.protobuf.Duration upstream_idle_timeout = 4;
+
+ // Configuration for :ref:`access logs ` emitted by this TCP proxy.
+ repeated config.accesslog.v3.AccessLog access_log = 5;
+
+ // The maximum number of unsuccessful connection attempts that will be made before
+ // giving up. If the parameter is not specified, 1 connection attempt will be made.
+ google.protobuf.UInt32Value max_connect_attempts = 7 [(validate.rules).uint32 = {gte: 1}];
+
+ // Sets the backoff strategy. If not set, the retries are performed without backoff.
+ config.core.v3.BackoffStrategy backoff_options = 18;
+
+ // Optional configuration for TCP proxy hash policy. If hash_policy is not set, the hash-based
+ // load balancing algorithms will select a host randomly. Currently the number of hash policies is
+ // limited to 1.
+ repeated type.v3.HashPolicy hash_policy = 11 [(validate.rules).repeated = {max_items: 1}];
+
+ // If set, this configures tunneling, for example configuration options to tunnel TCP payload over
+ // HTTP CONNECT. If this message is absent, the payload is proxied upstream as usual.
+ // It is possible to dynamically override this configuration and disable tunneling per connection by
+ // setting a per-connection filter state object for the key ``envoy.tcp_proxy.disable_tunneling``.
+ TunnelingConfig tunneling_config = 12;
+
+ // The maximum duration of a connection. The duration is defined as the period since a connection was
+ // established. If not set, there is no maximum duration. When ``max_downstream_connection_duration`` is
+ // reached, the connection is closed. The duration must be at least ``1ms``.
+ google.protobuf.Duration max_downstream_connection_duration = 13
+ [(validate.rules).duration = {gte {nanos: 1000000}}];
+
+ // Percentage-based jitter for ``max_downstream_connection_duration``. The jitter increases the
+ // ``max_downstream_connection_duration`` by a random duration up to the provided percentage.
+ // This field is ignored if ``max_downstream_connection_duration`` is not set. If not set, no jitter
+ // is added.
+ type.v3.Percent max_downstream_connection_duration_jitter_percentage = 20;
+
+ // If both this field and :ref:`access_log_flush_interval
+ // `
+ // are specified, the former (deprecated field) is ignored.
+ //
+ // .. attention::
+ // This field is deprecated in favor of
+ // :ref:`access_log_flush_interval
+ // `.
+ google.protobuf.Duration access_log_flush_interval = 15 [
+ deprecated = true,
+ (validate.rules).duration = {gte {nanos: 1000000}},
+ (envoy.annotations.deprecated_at_minor_version) = "3.0"
+ ];
+
+ // If both this field and :ref:`flush_access_log_on_connected
+ // `
+ // are specified, the former (deprecated field) is ignored.
+ //
+ // .. attention::
+ // This field is deprecated in favor of
+ // :ref:`flush_access_log_on_connected
+ // `.
+ bool flush_access_log_on_connected = 16
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // Additional access log options for the TCP proxy.
+ TcpAccessLogOptions access_log_options = 17;
+
+ // If set, the specified ``PROXY`` protocol TLVs (Type-Length-Value) are added to the ``PROXY`` protocol state
+ // created by the TCP proxy filter. These TLVs are sent in the PROXY protocol v2 header to the upstream.
+ //
+ // This field only takes effect when the TCP proxy filter is creating new ``PROXY`` protocol state and an
+ // upstream proxy protocol transport socket is configured in the cluster.
If the connection already
+ // contains ``PROXY`` protocol state (including any TLVs) parsed by a downstream proxy protocol listener
+ // upstream proxy protocol transport socket is configured in the cluster. If the connection already
+ // contains PROXY protocol state (including any TLVs) parsed by a downstream proxy protocol listener
+ // filter, the TLVs specified here are ignored.
+ //
+ // .. note::
+ // To ensure the specified TLVs are allowed in the upstream ``PROXY`` protocol header, you must also
+ // configure passthrough TLVs on the upstream proxy protocol transport. See
+ // :ref:`core.v3.ProxyProtocolConfig.pass_through_tlvs `
+ // for details.
+ repeated config.core.v3.TlvEntry proxy_protocol_tlvs = 19;
+
+ // Specifies when to establish the upstream connection.
+ //
+ // When not specified, defaults to ``IMMEDIATE`` for backward compatibility.
+ //
+ // .. attention::
+ // Server-first protocols (e.g., SMTP, MySQL, POP3) require ``IMMEDIATE`` mode.
+ UpstreamConnectMode upstream_connect_mode = 21 [(validate.rules).enum = {defined_only: true}];
+
+ // Maximum bytes of early data to buffer from the downstream connection before
+ // the upstream connection is established.
+ //
+ // If not set, the TCP proxy will read-disable the downstream connection until the
+ // upstream connection is established (legacy behavior).
+ //
+ // If set, enables ``receive_before_connect`` mode where the filter allows the filter
+ // chain to read downstream data before the upstream connection exists. The data is
+ // buffered and forwarded once the upstream connection is ready. When the buffer exceeds
+ // this limit, the downstream connection is read-disabled to prevent excessive memory usage.
+ //
+ // This field is required when ``upstream_connect_mode`` is ``ON_DOWNSTREAM_DATA``.
+ //
+ // .. note::
+ // Use this carefully with server-first protocols. The upstream may send data before
+ // receiving anything from downstream, which could fill the early data buffer.
+ google.protobuf.UInt32Value max_early_data_bytes = 22 [(validate.rules).uint32 = {lte: 1048576}];
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/894ee44a49e973f8c2e094bfa3053351c0826c3da87d2f0f54d1d6c907892e49355a9437d0c938581bae75af5da62139bb562d43989ea7af85cc643cff01ac52 b/modules/sync/envoyproxy/envoy/cas/894ee44a49e973f8c2e094bfa3053351c0826c3da87d2f0f54d1d6c907892e49355a9437d0c938581bae75af5da62139bb562d43989ea7af85cc643cff01ac52
new file mode 100644
index 00000000..c55d30b8
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/894ee44a49e973f8c2e094bfa3053351c0826c3da87d2f0f54d1d6c907892e49355a9437d0c938581bae75af5da62139bb562d43989ea7af85cc643cff01ac52
@@ -0,0 +1,91 @@
+syntax = "proto3";
+
+package envoy.extensions.load_balancing_policies.client_side_weighted_round_robin.v3;
+
+import "envoy/extensions/load_balancing_policies/common/v3/common.proto";
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.load_balancing_policies.client_side_weighted_round_robin.v3";
+option java_outer_classname = "ClientSideWeightedRoundRobinProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3;client_side_weighted_round_robinv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Client-Side Weighted Round Robin Load Balancing Policy]
+// [#extension: envoy.load_balancing_policies.client_side_weighted_round_robin]
+
+// Configuration for the client_side_weighted_round_robin LB policy.
+//
+// This policy differs from the built-in ROUND_ROBIN policy in terms of
+// how the endpoint weights are determined. In the ROUND_ROBIN policy,
+// the endpoint weights are sent by the control plane via EDS. However,
+// in this policy, the endpoint weights are instead determined via qps (queries
+// per second), eps (errors per second), and utilization metrics sent by the
+// endpoint using the Open Request Cost Aggregation (ORCA) protocol. Utilization
+// is determined by using the ORCA application_utilization field, if set, or
+// else falling back to the cpu_utilization field. All queries count toward qps,
+// regardless of result. Only failed queries count toward eps. A config
+// parameter error_utilization_penalty controls the penalty to adjust endpoint
+// weights using eps and qps. The weight of a given endpoint is computed as:
+// ``qps / (utilization + eps/qps * error_utilization_penalty)``.
+//
+// Note that Envoy will forward the ORCA response headers/trailers from the upstream
+// cluster to the downstream client. This means that if the downstream client is also
+// configured to use ``client_side_weighted_round_robin`` it will load balance against
+// Envoy based on upstream weights. This can happen when Envoy is used as a reverse proxy.
+// To avoid this issue you can configure the :ref:`header_mutation filter ` to remove
+// the ORCA payload from the response headers/trailers.
+//
+// See the :ref:`load balancing architecture
+// overview` for more information.
+//
+// [#next-free-field: 9]
+message ClientSideWeightedRoundRobin {
+ // Whether to enable out-of-band utilization reporting collection from
+ // the endpoints. By default, per-request utilization reporting is used.
+ google.protobuf.BoolValue enable_oob_load_report = 1;
+
+ // Load reporting interval to request from the server. Note that the
+ // server may not provide reports as frequently as the client requests.
+ // Used only when enable_oob_load_report is true. Default is 10 seconds.
+ google.protobuf.Duration oob_reporting_period = 2;
+
+ // A given endpoint must report load metrics continuously for at least
+ // this long before the endpoint weight will be used. This avoids
+ // churn when the set of endpoint addresses changes. Takes effect
+ // both immediately after we establish a connection to an endpoint and
+ // after weight_expiration_period has caused us to stop using the most
+ // recent load metrics. Default is 10 seconds.
+ google.protobuf.Duration blackout_period = 3;
+
+ // If a given endpoint has not reported load metrics in this long,
+ // then we stop using the reported weight. This ensures that we do
+ // not continue to use very stale weights. Once we stop using a stale
+ // value, if we later start seeing fresh reports again, the
+ // blackout_period applies. Defaults to 3 minutes.
+ google.protobuf.Duration weight_expiration_period = 4;
+
+ // How often endpoint weights are recalculated. Values less than 100ms are
+ // capped at 100ms. Default is 1 second.
+ google.protobuf.Duration weight_update_period = 5;
+
+ // The multiplier used to adjust endpoint weights with the error rate
+ // calculated as eps/qps. Configuration is rejected if this value is negative.
+ // Default is 1.0.
+ google.protobuf.FloatValue error_utilization_penalty = 6 [(validate.rules).float = {gte: 0.0}];
+
+ // By default, endpoint weight is computed based on the :ref:`application_utilization ` field reported by the endpoint.
+ // If that field is not set, then utilization will instead be computed by taking the max of the values of the metrics specified here.
+ // For map fields in the ORCA proto, the string will be of the form ``.``. For example, the string ``named_metrics.foo`` will mean to look for the key ``foo`` in the ORCA :ref:`named_metrics ` field.
+ // If none of the specified metrics are present in the load report, then :ref:`cpu_utilization ` is used instead.
+ repeated string metric_names_for_computing_utilization = 7;
+
+ // Configuration for slow start mode.
+ // If this configuration is not set, slow start will not be not enabled.
+ common.v3.SlowStartConfig slow_start_config = 8;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/8ca3bb1223bba6ed2a5ca12a2eb40ec4e962299d1723bd841e22535a605358433510aeb8e81faf0fc23bb276f459dcfeddbe8481627829993a1d9bdc25ae48dd b/modules/sync/envoyproxy/envoy/cas/8ca3bb1223bba6ed2a5ca12a2eb40ec4e962299d1723bd841e22535a605358433510aeb8e81faf0fc23bb276f459dcfeddbe8481627829993a1d9bdc25ae48dd
new file mode 100644
index 00000000..7b862c10
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/8ca3bb1223bba6ed2a5ca12a2eb40ec4e962299d1723bd841e22535a605358433510aeb8e81faf0fc23bb276f459dcfeddbe8481627829993a1d9bdc25ae48dd
@@ -0,0 +1,786 @@
+syntax = "proto3";
+
+package envoy.config.bootstrap.v3;
+
+import "envoy/config/accesslog/v3/accesslog.proto";
+import "envoy/config/cluster/v3/cluster.proto";
+import "envoy/config/core/v3/address.proto";
+import "envoy/config/core/v3/base.proto";
+import "envoy/config/core/v3/config_source.proto";
+import "envoy/config/core/v3/event_service_config.proto";
+import "envoy/config/core/v3/extension.proto";
+import "envoy/config/core/v3/resolver.proto";
+import "envoy/config/core/v3/socket_option.proto";
+import "envoy/config/listener/v3/listener.proto";
+import "envoy/config/metrics/v3/stats.proto";
+import "envoy/config/overload/v3/overload.proto";
+import "envoy/config/trace/v3/http_tracer.proto";
+import "envoy/extensions/transport_sockets/tls/v3/secret.proto";
+import "envoy/type/matcher/v3/string.proto";
+import "envoy/type/v3/percent.proto";
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/struct.proto";
+import "google/protobuf/wrappers.proto";
+
+import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/migrate.proto";
+import "udpa/annotations/security.proto";
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.config.bootstrap.v3";
+option java_outer_classname = "BootstrapProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/bootstrap/v3;bootstrapv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Bootstrap]
+// This proto is supplied via the :option:`-c` CLI flag and acts as the root
+// of the Envoy v3 configuration. See the :ref:`v3 configuration overview
+// ` for more detail.
+
+// Bootstrap :ref:`configuration overview `.
+// [#next-free-field: 43]
+message Bootstrap {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.bootstrap.v2.Bootstrap";
+
+ message StaticResources {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.bootstrap.v2.Bootstrap.StaticResources";
+
+ // Static :ref:`Listeners `. These listeners are
+ // available regardless of LDS configuration.
+ repeated listener.v3.Listener listeners = 1;
+
+ // If a network based configuration source is specified for :ref:`cds_config
+ // `, it's necessary
+ // to have some initial cluster definitions available to allow Envoy to know
+ // how to speak to the management server.
+ repeated cluster.v3.Cluster clusters = 2;
+
+ // These static secrets can be used by :ref:`SdsSecretConfig
+ // `
+ repeated envoy.extensions.transport_sockets.tls.v3.Secret secrets = 3;
+ }
+
+ // [#next-free-field: 7]
+ message DynamicResources {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.bootstrap.v2.Bootstrap.DynamicResources";
+
+ reserved 4;
+
+ // All :ref:`Listeners ` are provided by a single
+ // :ref:`LDS ` configuration source.
+ core.v3.ConfigSource lds_config = 1;
+
+ // ``xdstp://`` resource locator for listener collection.
+ // [#not-implemented-hide:]
+ string lds_resources_locator = 5;
+
+ // All post-bootstrap :ref:`Cluster ` definitions are
+ // provided by a single :ref:`CDS `
+ // configuration source.
+ core.v3.ConfigSource cds_config = 2;
+
+ // ``xdstp://`` resource locator for cluster collection.
+ // [#not-implemented-hide:]
+ string cds_resources_locator = 6;
+
+ // A single :ref:`ADS ` source may be optionally
+ // specified. This must have :ref:`api_type
+ // ` :ref:`GRPC
+ // `. Only
+ // :ref:`ConfigSources ` that have
+ // the :ref:`ads ` field set will be
+ // streamed on the ADS channel.
+ core.v3.ApiConfigSource ads_config = 3;
+ }
+
+ message ApplicationLogConfig {
+ message LogFormat {
+ oneof log_format {
+ option (validate.required) = true;
+
+ // Flush application logs in JSON format. The configured JSON struct can
+ // support all the format flags specified in the :option:`--log-format`
+ // command line options section, except for the ``%v`` and ``%_`` flags.
+ google.protobuf.Struct json_format = 1;
+
+ // Flush application log in a format defined by a string. The text format
+ // can support all the format flags specified in the :option:`--log-format`
+ // command line option section.
+ string text_format = 2;
+ }
+ }
+
+ // Optional field to set the application logs format. If this field is set, it will override
+ // the default log format. Setting both this field and :option:`--log-format` command line
+ // option is not allowed, and will cause a bootstrap error.
+ LogFormat log_format = 1;
+ }
+
+ message DeferredStatOptions {
+ // When the flag is enabled, Envoy will lazily initialize a subset of the stats (see below).
+ // This will save memory and CPU cycles when creating the objects that own these stats, if those
+ // stats are never referenced throughout the lifetime of the process. However, it will incur additional
+ // memory overhead for these objects, and a small increase of CPU usage when at least one of the stats
+ // is updated for the first time.
+ //
+ // Groups of stats that will be lazily initialized:
+ //
+ // - Cluster traffic stats: a subgroup of the :ref:`cluster statistics `
+ // that are used when requests are routed to the cluster.
+ bool enable_deferred_creation_stats = 1;
+ }
+
+ message GrpcAsyncClientManagerConfig {
+ // Optional field to set the expiration time for the cached gRPC client object.
+ // The minimal value is ``5s`` and the default is ``50s``.
+ google.protobuf.Duration max_cached_entry_idle_duration = 1
+ [(validate.rules).duration = {gte {seconds: 5}}];
+ }
+
+ reserved 10, 11;
+
+ reserved "runtime";
+
+ // Node identity to present to the management server and for instance
+ // identification purposes (e.g. in generated headers).
+ core.v3.Node node = 1;
+
+ // A list of :ref:`Node ` field names
+ // that will be included in the context parameters of the effective
+ // ``xdstp://`` URL that is sent in a discovery request when resource
+ // locators are used for LDS/CDS. Any non-string field will have its JSON
+ // encoding set as the context parameter value, with the exception of
+ // metadata, which will be flattened (see example below). The supported field
+ // names are:
+ // - ``cluster``
+ // - ``id``
+ // - ``locality.region``
+ // - ``locality.sub_zone``
+ // - ``locality.zone``
+ // - ``metadata``
+ // - ``user_agent_build_version.metadata``
+ // - ``user_agent_build_version.version``
+ // - ``user_agent_name``
+ // - ``user_agent_version``
+ //
+ // The node context parameters act as a base layer dictionary for the context
+ // parameters (i.e. more specific resource specific context parameters will
+ // override). Field names will be prefixed with ````"udpa.node."```` when included in
+ // context parameters.
+ //
+ // For example, if node_context_params is ``["user_agent_name", "metadata"]``,
+ // the implied context parameters might be::
+ //
+ // node.user_agent_name: "envoy"
+ // node.metadata.foo: "{\"bar\": \"baz\"}"
+ // node.metadata.some: "42"
+ // node.metadata.thing: "\"thing\""
+ //
+ // [#not-implemented-hide:]
+ repeated string node_context_params = 26;
+
+ // Statically specified resources.
+ StaticResources static_resources = 2;
+
+ // xDS configuration sources.
+ DynamicResources dynamic_resources = 3;
+
+ // Configuration for the cluster manager which owns all upstream clusters
+ // within the server.
+ ClusterManager cluster_manager = 4;
+
+ // Health discovery service config option.
+ // (:ref:`core.ApiConfigSource `)
+ core.v3.ApiConfigSource hds_config = 14;
+
+ // Optional file system path to search for startup flag files.
+ string flags_path = 5;
+
+ // Optional set of stats sinks.
+ repeated metrics.v3.StatsSink stats_sinks = 6;
+
+ // Options to control behaviors of deferred creation compatible stats.
+ DeferredStatOptions deferred_stat_options = 39;
+
+ // Configuration for internal processing of stats.
+ metrics.v3.StatsConfig stats_config = 13;
+
+ // Optional duration between flushes to configured stats sinks. For
+ // performance reasons Envoy latches counters and only flushes counters and
+ // gauges at a periodic interval. If not specified the default is ``5000ms`` (``5`` seconds).
+ // Only one of ``stats_flush_interval`` or ``stats_flush_on_admin``
+ // can be set.
+ // Duration must be at least ``1ms`` and at most ``5 min``.
+ google.protobuf.Duration stats_flush_interval = 7 [
+ (validate.rules).duration = {
+ lt {seconds: 300}
+ gte {nanos: 1000000}
+ },
+ (udpa.annotations.field_migrate).oneof_promotion = "stats_flush"
+ ];
+
+ oneof stats_flush {
+ // Flush stats to sinks only when queried for on the admin interface. If set,
+ // a flush timer is not created. Only one of ``stats_flush_on_admin`` or
+ // ``stats_flush_interval`` can be set.
+ bool stats_flush_on_admin = 29 [(validate.rules).bool = {const: true}];
+ }
+
+ oneof stats_eviction {
+ // Optional duration to perform metric eviction. At every interval, during the stats flush
+ // the unused metrics are removed from the worker caches and the used metrics
+ // are marked as unused. Must be a multiple of the ``stats_flush_interval``.
+ google.protobuf.Duration stats_eviction_interval = 42
+ [(validate.rules).duration = {gte {nanos: 1000000}}];
+ }
+
+ // Optional watchdog configuration.
+ // This is for a single watchdog configuration for the entire system.
+ // Deprecated in favor of ``watchdogs`` which has finer granularity.
+ Watchdog watchdog = 8
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // Optional watchdogs configuration.
+ // This is used for specifying different watchdogs for the different subsystems.
+ // [#extension-category: envoy.guarddog_actions]
+ Watchdogs watchdogs = 27;
+
+ // Configuration for an external tracing provider.
+ //
+ // .. attention::
+ // This field has been deprecated in favor of :ref:`HttpConnectionManager.Tracing.provider
+ // `.
+ trace.v3.Tracing tracing = 9
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // Configuration for the runtime configuration provider. If not
+ // specified, a “null” provider will be used which will result in all defaults
+ // being used.
+ LayeredRuntime layered_runtime = 17;
+
+ // Configuration for the local administration HTTP server.
+ Admin admin = 12;
+
+ // Optional overload manager configuration.
+ overload.v3.OverloadManager overload_manager = 15 [
+ (udpa.annotations.security).configure_for_untrusted_downstream = true,
+ (udpa.annotations.security).configure_for_untrusted_upstream = true
+ ];
+
+ // Enable :ref:`stats for event dispatcher `. Defaults to ``false``.
+ //
+ // .. note::
+ //
+ // This records a value for each iteration of the event loop on every thread. This
+ // should normally be minimal overhead, but when using
+ // :ref:`statsd `, it will send each observed value
+ // over the wire individually because the statsd protocol doesn't have any way to represent a
+ // histogram summary. Be aware that this can be a very large volume of data.
+ bool enable_dispatcher_stats = 16;
+
+ // Optional string which will be used in lieu of ``x-envoy`` in prefixing headers.
+ //
+ // For example, if this string is present and set to ``X-Foo``, then ``x-envoy-retry-on`` will be
+ // transformed into ``x-foo-retry-on`` etc.
+ //
+ // ..
note::
+ //
+ // This applies to the headers Envoy will generate, the headers Envoy will sanitize, and the
+ // headers Envoy will trust for core code and core extensions only. Be VERY careful making
+ // changes to this string, especially in multi-layer Envoy deployments or deployments using
+ // extensions which are not upstream.
+ string header_prefix = 18;
+
+ // Optional proxy version which will be used to set the value of :ref:`server.version statistic
+ // ` if specified. Envoy will not process this value, it will be sent as is to
+ // :ref:`stats sinks `.
+ google.protobuf.UInt64Value stats_server_version_override = 19;
+
+ // Always use ``TCP`` queries instead of ``UDP`` queries for DNS lookups.
+ // This may be overridden on a per-cluster basis in ``cds_config``,
+ // when :ref:`dns_resolvers ` and
+ // :ref:`use_tcp_for_dns_lookups ` are
+ // specified.
+ // This field is deprecated in favor of ``dns_resolution_config``
+ // which aggregates all of the DNS resolver configuration in a single message.
+ bool use_tcp_for_dns_lookups = 20
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // DNS resolution configuration which includes the underlying DNS resolver addresses and options.
+ // This may be overridden on a per-cluster basis in ``cds_config``, when
+ // :ref:`dns_resolution_config `
+ // is specified.
+ // This field is deprecated in favor of
+ // :ref:`typed_dns_resolver_config `.
+ core.v3.DnsResolutionConfig dns_resolution_config = 30
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // DNS resolver type configuration extension. This extension can be used to configure ``c-ares``, ``apple``,
+ // or any other DNS resolver types and the related parameters.
+ // For example, an object of
+ // :ref:`CaresDnsResolverConfig `
+ // can be packed into this ``typed_dns_resolver_config``. This configuration replaces the
+ // :ref:`dns_resolution_config `
+ // configuration.
+ //
+ // During the transition period when both ``dns_resolution_config`` and ``typed_dns_resolver_config`` exist,
+ // when ``typed_dns_resolver_config`` is in place, Envoy will use it and ignore ``dns_resolution_config``.
+ // When ``typed_dns_resolver_config`` is missing, the default behavior is in place.
+ // [#extension-category: envoy.network.dns_resolver]
+ core.v3.TypedExtensionConfig typed_dns_resolver_config = 31;
+
+ // Specifies optional bootstrap extensions to be instantiated at startup time.
+ // Each item contains extension specific configuration.
+ // [#extension-category: envoy.bootstrap]
+ repeated core.v3.TypedExtensionConfig bootstrap_extensions = 21;
+
+ // Specifies optional extensions instantiated at startup time and
+ // invoked during crash time on the request that caused the crash.
+ repeated FatalAction fatal_actions = 28;
+
+ // Configuration sources that will participate in
+ // ``xdstp://`` URL authority resolution. The algorithm is as
+ // follows:
+ //
+ // 1. The authority field is taken from the ``xdstp://`` URL, call
+ // this ``resource_authority``.
+ // 2. ``resource_authority`` is compared against the authorities in any peer
+ // ``ConfigSource``. The peer ``ConfigSource`` is the configuration source
+ // message which would have been used unconditionally for resolution
+ // with opaque resource names. If there is a match with an authority, the
+ // peer ``ConfigSource`` message is used.
+ // 3. ``resource_authority`` is compared sequentially with the authorities in
+ // each configuration source in ``config_sources``. The first ``ConfigSource``
+ // to match wins.
+ // 4. As a fallback, if no configuration source matches, then
+ // ``default_config_source`` is used.
+ // 5. If ``default_config_source`` is not specified, resolution fails.
+ // [#not-implemented-hide:]
+ repeated core.v3.ConfigSource config_sources = 22;
+
+ // Default configuration source for ``xdstp://`` URLs if all
+ // other resolution fails.
+ // [#not-implemented-hide:]
+ core.v3.ConfigSource default_config_source = 23;
+
+ // Optional overriding of default socket interface. The value must be the name of one of the
+ // socket interface factories initialized through a bootstrap extension
+ string default_socket_interface = 24;
+
+ // Global map of CertificateProvider instances. These instances are referred to by name in the
+ // :ref:`CommonTlsContext.CertificateProviderInstance.instance_name
+ // `
+ // field.
+ // [#not-implemented-hide:]
+ map certificate_provider_instances = 25;
+
+ // Specifies a set of headers that need to be registered as inline header. This configuration
+ // allows users to customize the inline headers on-demand at Envoy startup without modifying
+ // Envoy's source code.
+ //
+ // .. note::
+ //
+ // The ``set-cookie`` header cannot be registered as inline header.
+ repeated CustomInlineHeader inline_headers = 32;
+
+ // Optional path to a file with performance tracing data created by ``Perfetto`` SDK in binary
+ // ProtoBuf format. The default value is ``envoy.pftrace``.
+ string perf_tracing_file_path = 33;
+
+ // Optional overriding of default regex engine.
+ // If the value is not specified, ``Google RE2`` will be used by default.
+ // [#extension-category: envoy.regex_engines]
+ core.v3.TypedExtensionConfig default_regex_engine = 34;
+
+ // Optional XdsResourcesDelegate configuration, which allows plugging custom logic into both
+ // fetch and load events during xDS processing.
+ // If a value is not specified, no ``XdsResourcesDelegate`` will be used.
+ // TODO(abeyad): Add public-facing documentation.
+ // [#not-implemented-hide:]
+ core.v3.TypedExtensionConfig xds_delegate_extension = 35;
+
+ // Optional XdsConfigTracker configuration, which allows tracking xDS responses in external components,
+ // e.g., external tracer or monitor. It provides the process point when receive, ingest, or fail to
+ // process xDS resources and messages.
If a value is not specified, no ``XdsConfigTracker`` will be used.
+ //
+ // .. note::
+ //
+ // There are no in-repo extensions currently, and the :repo:`XdsConfigTracker `
+ // interface should be implemented before using.
+ // See :repo:`xds_config_tracker_integration_test `
+ // for an example usage of the interface.
+ core.v3.TypedExtensionConfig xds_config_tracker_extension = 36;
+
+ // [#not-implemented-hide:]
+ // This controls the type of listener manager configured for Envoy. Currently
+ // Envoy only supports ``ListenerManager`` for this field and Envoy Mobile
+ // supports ``ApiListenerManager``.
+ core.v3.TypedExtensionConfig listener_manager = 37;
+
+ // Optional application log configuration.
+ ApplicationLogConfig application_log_config = 38;
+
+ // Optional gRPC async client manager config.
+ GrpcAsyncClientManagerConfig grpc_async_client_manager_config = 40;
+
+ // Optional configuration for memory allocation manager.
+ // Memory releasing is only supported for `tcmalloc allocator `_.
+ MemoryAllocatorManager memory_allocator_manager = 41;
+}
+
+// Administration interface :ref:`operations documentation
+// `.
+// [#next-free-field: 8]
+message Admin {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.config.bootstrap.v2.Admin";
+
+ // Configuration for :ref:`access logs `
+ // emitted by the administration server.
+ repeated accesslog.v3.AccessLog access_log = 5;
+
+ // The path to write the access log for the administration server. If no
+ // access log is desired specify ``/dev/null``. This is only required if
+ // :ref:`address ` is set.
+ // Deprecated in favor of ``access_log`` which offers more options.
+ string access_log_path = 1
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // The CPU profiler output path for the administration server. If no profile
+ // path is specified, the default is ``/var/log/envoy/envoy.prof``.
+ string profile_path = 2;
+
+ // The TCP address that the administration server will listen on.
+ // If not specified, Envoy will not start an administration server.
+ core.v3.Address address = 3;
+
+ // Additional socket options that may not be present in Envoy source code or
+ // precompiled binaries.
+ repeated core.v3.SocketOption socket_options = 4;
+
+ // Indicates whether :ref:`global_downstream_max_connections `
+ // should apply to the admin interface or not.
+ bool ignore_global_conn_limit = 6;
+
+ // List of admin paths that are accessible. If not specified, all admin endpoints are accessible.
+ //
+ // When specified, only paths in this list will be accessible, all others will return ``HTTP 403 Forbidden``.
+ //
+ // Example:
+ //
+ // .. code-block:: yaml
+ //
+ // allow_paths:
+ // - exact: /stats
+ // - exact: /ready
+ // - prefix: /healthcheck
+ //
+ repeated type.matcher.v3.StringMatcher allow_paths = 7;
+}
+
+// Cluster manager :ref:`architecture overview `.
+// [#next-free-field: 6]
+message ClusterManager {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.bootstrap.v2.ClusterManager";
+
+ message OutlierDetection {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.bootstrap.v2.ClusterManager.OutlierDetection";
+
+ // Specifies the path to the outlier event log.
+ string event_log_path = 1;
+
+ // [#not-implemented-hide:]
+ // The gRPC service for the outlier detection event service.
+ // If empty, outlier detection events won't be sent to a remote endpoint.
+ core.v3.EventServiceConfig event_service = 2;
+ }
+
+ // Name of the local cluster (i.e., the cluster that owns the Envoy running
+ // this configuration). In order to enable :ref:`zone aware routing
+ // ` this option must be set.
+ // If ``local_cluster_name`` is defined then :ref:`clusters
+ // ` must be defined in the :ref:`Bootstrap
+ // static cluster resources
+ // `.
This is unrelated to
+ // the :option:`--service-cluster` option which does not `affect zone aware
+ // routing `_.
+ string local_cluster_name = 1;
+
+ // Optional global configuration for outlier detection.
+ OutlierDetection outlier_detection = 2;
+
+ // Optional configuration used to bind newly established upstream connections.
+ // This may be overridden on a per-cluster basis by ``upstream_bind_config`` in the ``cds_config``.
+ core.v3.BindConfig upstream_bind_config = 3;
+
+ // A management server endpoint to stream load stats to via
+ // ``StreamLoadStats``. This must have :ref:`api_type
+ // ` :ref:`GRPC
+ // `.
+ core.v3.ApiConfigSource load_stats_config = 4;
+
+ // Whether the ClusterManager will create clusters on the worker threads
+ // inline during requests. This will save memory and CPU cycles in cases where
+ // there are lots of inactive clusters and ``> 1`` worker thread.
+ bool enable_deferred_cluster_creation = 5;
+}
+
+// Allows you to specify different watchdog configs for different subsystems.
+// This allows finer tuned policies for the watchdog. If a subsystem is omitted
+// the default values for that system will be used.
+message Watchdogs {
+ // Watchdog for the main thread.
+ Watchdog main_thread_watchdog = 1;
+
+ // Watchdog for the worker threads.
+ Watchdog worker_watchdog = 2;
+}
+
+// Envoy process watchdog configuration. When configured, this monitors for
+// nonresponsive threads and kills the process after the configured thresholds.
+// See the :ref:`watchdog documentation ` for more information.
+// [#next-free-field: 8]
+message Watchdog {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.config.bootstrap.v2.Watchdog";
+
+ message WatchdogAction {
+ // The events are fired in this order: ``KILL``, ``MULTIKILL``, ``MEGAMISS``, ``MISS``.
+ // Within an event type, actions execute in the order they are configured.
+ // For ``KILL``/``MULTIKILL`` there is a default ``PANIC`` that will run after the
+ // registered actions and kills the process if it wasn't already killed.
+ // It might be useful to specify several debug actions, and possibly an
+ // alternate ``FATAL`` action.
+ enum WatchdogEvent {
+ UNKNOWN = 0;
+ KILL = 1;
+ MULTIKILL = 2;
+ MEGAMISS = 3;
+ MISS = 4;
+ }
+
+ // Extension specific configuration for the action.
+ core.v3.TypedExtensionConfig config = 1;
+
+ WatchdogEvent event = 2 [(validate.rules).enum = {defined_only: true}];
+ }
+
+ // Register actions that will fire on given Watchdog events.
+ // See ``WatchdogAction`` for priority of events.
+ repeated WatchdogAction actions = 7;
+
+ // The duration after which Envoy counts a nonresponsive thread in the
+ // ``watchdog_miss`` statistic. If not specified the default is ``200ms``.
+ google.protobuf.Duration miss_timeout = 1;
+
+ // The duration after which Envoy counts a nonresponsive thread in the
+ // ``watchdog_mega_miss`` statistic. If not specified the default is ``1000ms``.
+ google.protobuf.Duration megamiss_timeout = 2;
+
+ // If a watched thread has been nonresponsive for this duration, assume a
+ // programming error and kill the entire Envoy process. Set to ``0`` to disable
+ // kill behavior. If not specified the default is ``0`` (disabled).
+ google.protobuf.Duration kill_timeout = 3;
+
+ // Defines the maximum jitter used to adjust the ``kill_timeout`` if ``kill_timeout`` is
+ // enabled. Enabling this feature would help to reduce risk of synchronized
+ // watchdog kill events across proxies due to external triggers. Set to ``0`` to
+ // disable. If not specified the default is ``0`` (disabled).
+ google.protobuf.Duration max_kill_timeout_jitter = 6 [(validate.rules).duration = {gte {}}];
+
+ // If ``max(2, ceil(registered_threads * Fraction(multikill_threshold)))``
+ // threads have been nonresponsive for at least this duration kill the entire
+ // Envoy process.
Set to ``0`` to disable this behavior. If not specified the
+ // default is ``0`` (disabled).
+ google.protobuf.Duration multikill_timeout = 4;
+
+ // Sets the threshold for ``multikill_timeout`` in terms of the percentage of
+ // nonresponsive threads required for the ``multikill_timeout``.
+ // If not specified the default is ``0``.
+ type.v3.Percent multikill_threshold = 5;
+}
+
+// Fatal actions to run while crashing. Actions can be safe (meaning they are
+// async-signal safe) or unsafe. We run all safe actions before we run unsafe actions.
+//
+// .. note::
+//
+// If using an unsafe action that could get stuck or deadlock, it is important to
+// have an out of band system to terminate the process.
+//
+// The interface for the extension is ``Envoy::Server::Configuration::FatalAction``.
+// ``FatalAction`` extensions live in the ``envoy.extensions.fatal_actions`` API
+// namespace.
+message FatalAction {
+ // Extension specific configuration for the action. It's expected to conform
+ // to the ``Envoy::Server::Configuration::FatalAction`` interface.
+ core.v3.TypedExtensionConfig config = 1;
+}
+
+// Runtime :ref:`configuration overview ` (deprecated).
+message Runtime {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.config.bootstrap.v2.Runtime";
+
+ // The implementation assumes that the file system tree is accessed via a
+ // symbolic link. An atomic link swap is used when a new tree should be
+ // switched to. This parameter specifies the path to the symbolic link. Envoy
+ // will watch the location for changes and reload the file system tree when
+ // they happen. If this parameter is not set, there will be no disk based
+ // runtime.
+ string symlink_root = 1;
+
+ // Specifies the subdirectory to load within the root directory. This is
+ // useful if multiple systems share the same delivery mechanism. Envoy
+ // configuration elements can be contained in a dedicated subdirectory.
+ string subdirectory = 2;
+
+ // Specifies an optional subdirectory to load within the root directory. If
+ // specified and the directory exists, configuration values within this
+ // directory will override those found in the primary subdirectory. This is
+ // useful when Envoy is deployed across many different types of servers.
+ // Sometimes it is useful to have a per service cluster directory for runtime
+ // configuration. See below for exactly how the override directory is used.
+ string override_subdirectory = 3;
+
+ // Static base runtime. This will be :ref:`overridden
+ // ` by other runtime layers, e.g.
+ // disk or admin. This follows the :ref:`runtime protobuf JSON representation
+ // encoding `.
+ google.protobuf.Struct base = 4;
+}
+
+// [#next-free-field: 6]
+message RuntimeLayer {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.bootstrap.v2.RuntimeLayer";
+
+ // :ref:`Disk runtime ` layer.
+ message DiskLayer {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.bootstrap.v2.RuntimeLayer.DiskLayer";
+
+ // The implementation assumes that the file system tree is accessed via a
+ // symbolic link. An atomic link swap is used when a new tree should be
+ // switched to. This parameter specifies the path to the symbolic link.
+ // Envoy will watch the location for changes and reload the file system tree
+ // when they happen. See documentation on runtime :ref:`atomicity
+ // ` for further details on how reloads are
+ // treated.
+ string symlink_root = 1;
+
+ // Specifies the subdirectory to load within the root directory. This is
+ // useful if multiple systems share the same delivery mechanism. Envoy
+ // configuration elements can be contained in a dedicated subdirectory.
+ string subdirectory = 3;
+
+ // :ref:`Append ` the
+ // service cluster to the path under symlink root.
+ bool append_service_cluster = 2;
+ }
+
+ // :ref:`Admin console runtime ` layer.
+ message AdminLayer {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.bootstrap.v2.RuntimeLayer.AdminLayer";
+ }
+
+ // :ref:`Runtime Discovery Service (RTDS) ` layer.
+ message RtdsLayer {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.bootstrap.v2.RuntimeLayer.RtdsLayer";
+
+ // Resource to subscribe to at the ``rtds_config`` for the RTDS layer.
+ string name = 1;
+
+ // RTDS configuration source.
+ core.v3.ConfigSource rtds_config = 2;
+ }
+
+ // Descriptive name for the runtime layer. This is only used for the runtime
+ // :http:get:`/runtime` output.
+ string name = 1 [(validate.rules).string = {min_len: 1}];
+
+ oneof layer_specifier {
+ option (validate.required) = true;
+
+ // :ref:`Static runtime ` layer.
+ // This follows the :ref:`runtime protobuf JSON representation encoding
+ // `. Unlike static xDS resources, this static
+ // layer is overridable by later layers in the runtime virtual filesystem.
+ google.protobuf.Struct static_layer = 2;
+
+ DiskLayer disk_layer = 3;
+
+ AdminLayer admin_layer = 4;
+
+ RtdsLayer rtds_layer = 5;
+ }
+}
+
+// Runtime :ref:`configuration overview `.
+message LayeredRuntime {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.bootstrap.v2.LayeredRuntime";
+
+ // The :ref:`layers ` of the runtime. This is ordered
+ // such that later layers in the list overlay earlier entries.
+ repeated RuntimeLayer layers = 1;
+}
+
+// Used to specify the header that needs to be registered as an inline header.
+//
+// If request or response contain multiple headers with the same name and the header
+// name is registered as an inline header, then multiple headers will be folded
+// into one, and multiple header values will be concatenated by a suitable delimiter.
+// The delimiter is generally a comma.
+//
+// For example, if ``foo`` is registered as an inline header, and the headers contain
+// the following two headers:
+//
+// ..
code-block:: text
+//
+// foo: bar
+// foo: eep
+//
+// Then they will eventually be folded into:
+//
+// .. code-block:: text
+//
+// foo: bar, eep
+//
+// Inline headers provide O(1) search performance, but each inline header imposes
+// an additional memory overhead on all instances of the corresponding type of
+// HeaderMap or TrailerMap.
+message CustomInlineHeader {
+ enum InlineHeaderType {
+ REQUEST_HEADER = 0;
+ REQUEST_TRAILER = 1;
+ RESPONSE_HEADER = 2;
+ RESPONSE_TRAILER = 3;
+ }
+
+ // The name of the header that is expected to be set as the inline header.
+ string inline_header_name = 1
+ [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
+
+ // The type of the header that is expected to be set as the inline header.
+ InlineHeaderType inline_header_type = 2 [(validate.rules).enum = {defined_only: true}];
+}
+
+message MemoryAllocatorManager {
+ // Configures tcmalloc to perform background release of free memory in amount of bytes per ``memory_release_interval`` interval.
+ // If equals to ``0``, no memory release will occur. Defaults to ``0``.
+ uint64 bytes_to_release = 1;
+
+ // Interval in milliseconds for memory releasing. If specified, during every
+ // interval Envoy will try to release ``bytes_to_release`` of free memory back to operating system for reuse.
+ // Defaults to ``1000`` milliseconds.
+ google.protobuf.Duration memory_release_interval = 2;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/8f8bbcdf0c20b8232d78637ccd2a8aca9ce03f25fb56a75fc83d1bdb8fdaae32d0fa7aad4a1d3b41d8a4f6f9564b4c036e396583710cc37e394cf55f5346fc36 b/modules/sync/envoyproxy/envoy/cas/8f8bbcdf0c20b8232d78637ccd2a8aca9ce03f25fb56a75fc83d1bdb8fdaae32d0fa7aad4a1d3b41d8a4f6f9564b4c036e396583710cc37e394cf55f5346fc36
new file mode 100644
index 00000000..bb3ec50e
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/8f8bbcdf0c20b8232d78637ccd2a8aca9ce03f25fb56a75fc83d1bdb8fdaae32d0fa7aad4a1d3b41d8a4f6f9564b4c036e396583710cc37e394cf55f5346fc36
@@ -0,0 +1,38 @@
+syntax = "proto3";
+
+package istio.envoy.config.filter.http.alpn.v2alpha1;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.istio.envoy.config.filter.http.alpn.v2alpha1";
+option java_outer_classname = "AlpnProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/contrib/istio/envoy/config/filter/http/alpn/v2alpha1";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: ALPN HTTP filter]
+//
+// ALPN HTTP filter from Istio.
+//
+// [#extension: envoy.filters.http.alpn]
+
+// FilterConfig is the config for Istio-specific filter.
+message FilterConfig {
+ // Upstream protocols
+ enum Protocol {
+ HTTP10 = 0;
+ HTTP11 = 1;
+ HTTP2 = 2;
+ }
+
+ message AlpnOverride {
+ // Upstream protocol
+ Protocol upstream_protocol = 1;
+
+ // A list of ALPN that will override the ALPN for upstream TLS connections.
+ repeated string alpn_override = 2;
+ }
+
+ // Map from upstream protocol to list of ALPN
+ repeated AlpnOverride alpn_override = 1;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/93e4a36d900d8a68ed3b3126513013b82a79bda7e7c244b59a7ec2bd2928b8a7912e856da9075624253437ca50cd3d862db39aae56e8f1c916d7bb35a1be0db9 b/modules/sync/envoyproxy/envoy/cas/93e4a36d900d8a68ed3b3126513013b82a79bda7e7c244b59a7ec2bd2928b8a7912e856da9075624253437ca50cd3d862db39aae56e8f1c916d7bb35a1be0db9
new file mode 100644
index 00000000..17a68269
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/93e4a36d900d8a68ed3b3126513013b82a79bda7e7c244b59a7ec2bd2928b8a7912e856da9075624253437ca50cd3d862db39aae56e8f1c916d7bb35a1be0db9
@@ -0,0 +1,214 @@
+syntax = "proto3";
+
+package envoy.config.core.v3;
+
+import "envoy/config/core/v3/extension.proto";
+import "envoy/config/core/v3/socket_option.proto";
+
+import "google/protobuf/wrappers.proto";
+
+import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.config.core.v3";
+option java_outer_classname = "AddressProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Network addresses]
+
+message Pipe {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.Pipe";
+
+ // Unix Domain Socket path. On Linux, paths starting with '@' will use the
+ // abstract namespace. The starting '@' is replaced by a null byte by Envoy.
+ // Paths starting with '@' will result in an error in environments other than
+ // Linux.
+ string path = 1 [(validate.rules).string = {min_len: 1}];
+
+ // The mode for the Pipe. Not applicable for abstract sockets.
+ uint32 mode = 2 [(validate.rules).uint32 = {lte: 511}];
+}
+
+// The address represents an envoy internal listener.
+// [#comment: TODO(asraa): When address available, remove workaround from test/server/server_fuzz_test.cc:30.]
+message EnvoyInternalAddress {
+ oneof address_name_specifier {
+ option (validate.required) = true;
+
+ // Specifies the :ref:`name ` of the
+ // internal listener.
+ string server_listener_name = 1;
+ }
+
+ // Specifies an endpoint identifier to distinguish between multiple endpoints for the same internal listener in a
+ // single upstream pool. Only used in the upstream addresses for tracking changes to individual endpoints. This, for
+ // example, may be set to the final destination IP for the target internal listener.
+ string endpoint_id = 2;
+}
+
+// [#next-free-field: 8]
+message SocketAddress {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.SocketAddress";
+
+ enum Protocol {
+ TCP = 0;
+ UDP = 1;
+ }
+
+ Protocol protocol = 1 [(validate.rules).enum = {defined_only: true}];
+
+ // The address for this socket. :ref:`Listeners ` will bind
+ // to the address. An empty address is not allowed. Specify ``0.0.0.0`` or ``::``
+ // to bind to any address. [#comment:TODO(zuercher) reinstate when implemented:
+ // It is possible to distinguish a Listener address via the prefix/suffix matching
+ // in :ref:`FilterChainMatch `.] When used
+ // within an upstream :ref:`BindConfig `, the address
+ // controls the source address of outbound connections. For :ref:`clusters
+ // `, the cluster type determines whether the
+ // address must be an IP (``STATIC`` or ``EDS`` clusters) or a hostname resolved by DNS
+ // (``STRICT_DNS`` or ``LOGICAL_DNS`` clusters). Address resolution can be customized
+ // via :ref:`resolver_name `.
+ string address = 2 [(validate.rules).string = {min_len: 1}];
+
+ oneof port_specifier {
+ option (validate.required) = true;
+
+ uint32 port_value = 3 [(validate.rules).uint32 = {lte: 65535}];
+
+ // This is only valid if :ref:`resolver_name
+ // ` is specified below and the
+ // named resolver is capable of named port resolution.
+ string named_port = 4;
+ }
+
+ // The name of the custom resolver. This must have been registered with Envoy. If
+ // this is empty, a context dependent default applies. If the address is a concrete
+ // IP address, no resolution will occur. If address is a hostname this
+ // should be set for resolution other than DNS. Specifying a custom resolver with
+ // ``STRICT_DNS`` or ``LOGICAL_DNS`` will generate an error at runtime.
+ string resolver_name = 5;
+
+ // When binding to an IPv6 address above, this enables `IPv4 compatibility
+ // `_.
Binding to ``::`` will
+ // allow both IPv4 and IPv6 connections, with peer IPv4 addresses mapped into
+ // IPv6 space as ``::FFFF:``.
+ bool ipv4_compat = 6;
+
+ // Filepath that specifies the Linux network namespace this socket will be created in (see ``man 7
+ // network_namespaces``). If this field is set, Envoy will create the socket in the specified
+ // network namespace.
+ //
+ // .. note::
+ // Setting this parameter requires Envoy to run with the ``CAP_NET_ADMIN`` capability.
+ //
+ // .. attention::
+ // Network namespaces are only configurable on Linux. Otherwise, this field has no effect.
+ string network_namespace_filepath = 7;
+}
+
+message TcpKeepalive {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.TcpKeepalive";
+
+ // Maximum number of keepalive probes to send without response before deciding
+ // the connection is dead. Default is to use the OS level configuration (unless
+ // overridden, Linux defaults to 9.) Setting this to ``0`` disables TCP keepalive.
+ google.protobuf.UInt32Value keepalive_probes = 1;
+
+ // The number of seconds a connection needs to be idle before keep-alive probes
+ // start being sent. Default is to use the OS level configuration (unless
+ // overridden, Linux defaults to 7200s (i.e., 2 hours.) Setting this to ``0`` disables
+ // TCP keepalive.
+ google.protobuf.UInt32Value keepalive_time = 2;
+
+ // The number of seconds between keep-alive probes. Default is to use the OS
+ // level configuration (unless overridden, Linux defaults to 75s.) Setting this to
+ // ``0`` disables TCP keepalive.
+ google.protobuf.UInt32Value keepalive_interval = 3;
+}
+
+message ExtraSourceAddress {
+ // The additional address to bind.
+ SocketAddress address = 1 [(validate.rules).message = {required: true}];
+
+ // Additional socket options that may not be present in Envoy source code or
+ // precompiled binaries. If specified, this will override the
+ // :ref:`socket_options `
+ // in the BindConfig.
If specified with no
+ // :ref:`socket_options `
+ // or an empty list of :ref:`socket_options `,
+ // it means no socket option will apply.
+ SocketOptionsOverride socket_options = 2;
+}
+
+// [#next-free-field: 7]
+message BindConfig {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.BindConfig";
+
+ // The address to bind to when creating a socket.
+ SocketAddress source_address = 1;
+
+ // Whether to set the ``IP_FREEBIND`` option when creating the socket. When this
+ // flag is set to true, allows the :ref:`source_address
+ // ` to be an IP address
+ // that is not configured on the system running Envoy. When this flag is set
+ // to false, the option ``IP_FREEBIND`` is disabled on the socket. When this
+ // flag is not set (default), the socket is not modified, i.e. the option is
+ // neither enabled nor disabled.
+ google.protobuf.BoolValue freebind = 2;
+
+ // Additional socket options that may not be present in Envoy source code or
+ // precompiled binaries.
+ repeated SocketOption socket_options = 3;
+
+ // Extra source addresses appended to the address specified in the ``source_address``
+ // field. This enables to specify multiple source addresses.
+ // The source address selection is determined by :ref:`local_address_selector
+ // `.
+ repeated ExtraSourceAddress extra_source_addresses = 5;
+
+ // Deprecated by
+ // :ref:`extra_source_addresses `
+ repeated SocketAddress additional_source_addresses = 4
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // Custom local address selector to override the default (i.e.
+ // :ref:`DefaultLocalAddressSelector
+ // `).
+ // [#extension-category: envoy.upstream.local_address_selector]
+ TypedExtensionConfig local_address_selector = 6;
+}
+
+// Addresses specify either a logical or physical address and port, which are
+// used to tell Envoy where to bind/listen, connect to upstream and find
+// management servers.
+message Address {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.Address";
+
+ oneof address {
+ option (validate.required) = true;
+
+ SocketAddress socket_address = 1;
+
+ Pipe pipe = 2;
+
+ // Specifies a user-space address handled by :ref:`internal listeners
+ // `.
+ EnvoyInternalAddress envoy_internal_address = 3;
+ }
+}
+
+// CidrRange specifies an IP Address and a prefix length to construct
+// the subnet mask for a `CIDR `_ range.
+message CidrRange {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.CidrRange";
+
+ // IPv4 or IPv6 address, e.g. ``192.0.0.0`` or ``2001:db8::``.
+ string address_prefix = 1 [(validate.rules).string = {min_len: 1}];
+
+ // Length of prefix, e.g. 0, 32. Defaults to 0 when unset.
+ google.protobuf.UInt32Value prefix_len = 2 [(validate.rules).uint32 = {lte: 128}];
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/9807d3ebad080c0acd2fbcc4286e17d94c2ea09233f52c89455ec54d6d1fb13b19b841faa36608cabf8e1e85f9f23fc0bf0f317ea5bf3a03c792c399121e980e b/modules/sync/envoyproxy/envoy/cas/9807d3ebad080c0acd2fbcc4286e17d94c2ea09233f52c89455ec54d6d1fb13b19b841faa36608cabf8e1e85f9f23fc0bf0f317ea5bf3a03c792c399121e980e
new file mode 100644
index 00000000..46d44802
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/9807d3ebad080c0acd2fbcc4286e17d94c2ea09233f52c89455ec54d6d1fb13b19b841faa36608cabf8e1e85f9f23fc0bf0f317ea5bf3a03c792c399121e980e
@@ -0,0 +1,69 @@
+syntax = "proto3";
+
+package envoy.extensions.dynamic_modules.v3;
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.dynamic_modules.v3";
+option java_outer_classname = "DynamicModulesProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/dynamic_modules/v3;dynamic_modulesv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Dynamic Modules Common Configuration]
+
+// Configuration of a dynamic module. A dynamic module is a shared object file that can be loaded via
+// ``dlopen`` by various Envoy extension points.
+//
+// How a module is loaded is determined by the extension point that uses it. For example, the HTTP
+// filter loads the module when Envoy receives a configuration that references the module. If loading
+// the module fails, the configuration will be rejected.
+//
+// A module is uniquely identified by its file path and the file's inode, depending on the platform.
+// Notably, if the file path and the content of the file are the same, the shared object will be
+// reused.
+//
+// A module must be compatible with the ABI specified in :repo:`abi.h
+// `. Currently, compatibility is only guaranteed by an
+// exact version match between the Envoy codebase and the dynamic module SDKs. In the future, after
+// the ABI is stabilized, this restriction will be revisited. Until then, Envoy checks the hash of
+// the ABI header files to ensure that the dynamic modules are built against the same version of the
+// ABI.
+message DynamicModuleConfig {
+ // The name of the dynamic module.
+ //
+ // The client is expected to have some configuration indicating where to search for the module. In
+ // Envoy, the search path can only be configured via the environment variable
+ // ``ENVOY_DYNAMIC_MODULES_SEARCH_PATH``.
The actual search path is
+ // ``${ENVOY_DYNAMIC_MODULES_SEARCH_PATH}/lib${name}.so``.
+ //
+ // .. note::
+ // There is some remaining work to make the search path configurable via command line options.
+ string name = 1 [(validate.rules).string = {min_len: 1}];
+
+ // If true, prevents the module from being unloaded with ``dlclose``.
+ //
+ // This is useful for modules that have global state that should not be unloaded. A module is
+ // closed when no more references to it exist in the process. For example, no HTTP filters are
+ // using the module (e.g. after configuration update).
+ //
+ // Defaults to ``false``.
+ bool do_not_close = 3;
+
+ // If true, the dynamic module is loaded with the ``RTLD_GLOBAL`` flag.
+ //
+ // The dynamic module is loaded with the ``RTLD_LOCAL`` flag by default to avoid symbol conflicts
+ // when multiple modules are loaded. Set this to ``true`` to load the module with the
+ // ``RTLD_GLOBAL`` flag. This is useful for modules that need to share symbols with other dynamic
+ // libraries. For example, a module X may load another shared library Y that depends on some
+ // symbols defined in module X. In this case, module X must be loaded with the ``RTLD_GLOBAL``
+ // flag so that the symbols defined in module X are visible to library Y.
+ //
+ // .. warning::
+ // Use this option with caution as it may lead to symbol conflicts and undefined behavior if
+ // multiple modules define the same symbols and are loaded globally.
+ //
+ // Defaults to ``false``.
+ bool load_globally = 4;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/98893684c42a2e2520895a664623c59426eec1edc6b04ae90296ef27eb47fe1f12574a0c196d0979a001628aad4d85208c73897c8ea130ff31aa621b8284df26 b/modules/sync/envoyproxy/envoy/cas/98893684c42a2e2520895a664623c59426eec1edc6b04ae90296ef27eb47fe1f12574a0c196d0979a001628aad4d85208c73897c8ea130ff31aa621b8284df26
new file mode 100644
index 00000000..ccb1ac47
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/98893684c42a2e2520895a664623c59426eec1edc6b04ae90296ef27eb47fe1f12574a0c196d0979a001628aad4d85208c73897c8ea130ff31aa621b8284df26 
@@ -0,0 +1,101 @@
+syntax = "proto3";
+
+package envoy.extensions.access_loggers.open_telemetry.v3;
+
+import "envoy/config/core/v3/extension.proto";
+import "envoy/config/core/v3/grpc_service.proto";
+import "envoy/config/core/v3/http_service.proto";
+import "envoy/extensions/access_loggers/grpc/v3/als.proto";
+import "envoy/type/tracing/v3/custom_tag.proto";
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/wrappers.proto";
+
+import "opentelemetry/proto/common/v1/common.proto";
+
+import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.access_loggers.open_telemetry.v3";
+option java_outer_classname = "LogsServiceProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/open_telemetry/v3;open_telemetryv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: OpenTelemetry Access Log]
+
+// Configuration for the built-in ``envoy.access_loggers.open_telemetry``
+// :ref:`AccessLog `. This configuration will
+// populate `opentelemetry.proto.collector.v1.logs.ExportLogsServiceRequest.resource_logs `_.
+// In addition, the request start time is set in the dedicated field.
+// [#extension: envoy.access_loggers.open_telemetry]
+// [#next-free-field: 15]
+message OpenTelemetryAccessLogConfig {
+ // [#comment:TODO(itamarkam): add 'filter_state_objects_to_log' to logs.]
+ // Deprecated. Use ``grpc_service`` or ``http_service`` instead.
+ grpc.v3.CommonGrpcAccessLogConfig common_config = 1
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // The upstream HTTP cluster that will receive OTLP logs via
+ // `OTLP/HTTP `_.
+ // Note: Only one of ``common_config``, ``grpc_service``, or ``http_service`` may be used.
+ //
+ // ..
note::
+ //
+ // The ``request_headers_to_add`` property in the OTLP HTTP exporter service
+ // does not support the :ref:`format specifier ` as used for
+ // :ref:`HTTP access logging `.
+ // The values configured are added as HTTP headers on the OTLP export request
+ // without any formatting applied.
+ config.core.v3.HttpService http_service = 8;
+
+ // The upstream gRPC cluster that will receive OTLP logs.
+ // Note: Only one of ``common_config``, ``grpc_service``, or ``http_service`` may be used.
+ // This field is preferred over ``common_config.grpc_service``.
+ config.core.v3.GrpcService grpc_service = 9;
+
+ // If specified, Envoy will not generate built-in resource labels
+ // like ``log_name``, ``zone_name``, ``cluster_name``, ``node_name``.
+ bool disable_builtin_labels = 5;
+
+ // OpenTelemetry `Resource `_
+ // attributes are filled with Envoy node info.
+ // Example: ``resource_attributes { values { key: "region" value { string_value: "cn-north-7" } } }``.
+ opentelemetry.proto.common.v1.KeyValueList resource_attributes = 4;
+
+ // OpenTelemetry `LogResource `_
+ // fields, following `Envoy access logging formatting `_.
+ //
+ // See 'body' in the LogResource proto for more details.
+ // Example: ``body { string_value: "%PROTOCOL%" }``.
+ opentelemetry.proto.common.v1.AnyValue body = 2;
+
+ // See 'attributes' in the LogResource proto for more details.
+ // Example: ``attributes { values { key: "user_agent" value { string_value: "%REQ(USER-AGENT)%" } } }``.
+ opentelemetry.proto.common.v1.KeyValueList attributes = 3;
+
+ // Optional. Additional prefix to use on OpenTelemetry access logger stats. If empty, the stats will be rooted at
+ // ``access_logs.open_telemetry_access_log.``. If non-empty, stats will be rooted at
+ // ``access_logs.open_telemetry_access_log..``.
+ string stat_prefix = 6;
+
+ // Specifies a collection of Formatter plugins that can be called from the access log configuration.
+ // See the formatters extensions documentation for details.
+ // [#extension-category: envoy.formatter]
+ repeated config.core.v3.TypedExtensionConfig formatters = 7;
+
+ string log_name = 10;
+
+ // The interval for flushing access logs to the transport. Default: 1 second.
+ google.protobuf.Duration buffer_flush_interval = 11;
+
+ // Soft size limit in bytes for the access log buffer. When the buffer exceeds
+ // this limit, logs will be flushed. Default: 16KB.
+ google.protobuf.UInt32Value buffer_size_bytes = 12;
+
+ // Additional filter state objects to log as attributes.
+ repeated string filter_state_objects_to_log = 13;
+
+ // Custom tags to include as log attributes.
+ repeated type.tracing.v3.CustomTag custom_tags = 14;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/996a34816af91109a4fac98e114e7c5640f583ca8f46be8567f654ca73c42d77fd53ad3f069872ecf94e5cb968d826f17381445d38c68e84f1ad91118b3baab7 b/modules/sync/envoyproxy/envoy/cas/996a34816af91109a4fac98e114e7c5640f583ca8f46be8567f654ca73c42d77fd53ad3f069872ecf94e5cb968d826f17381445d38c68e84f1ad91118b3baab7
new file mode 100644
index 00000000..63e189e6
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/996a34816af91109a4fac98e114e7c5640f583ca8f46be8567f654ca73c42d77fd53ad3f069872ecf94e5cb968d826f17381445d38c68e84f1ad91118b3baab7
@@ -0,0 +1,807 @@
+syntax = "proto3";
+
+package envoy.config.core.v3;
+
+import "envoy/config/core/v3/extension.proto";
+import "envoy/type/matcher/v3/string.proto";
+import "envoy/type/v3/percent.proto";
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/wrappers.proto";
+
+import "xds/annotations/v3/status.proto";
+
+import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.config.core.v3";
+option java_outer_classname = "ProtocolProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Protocol options]
+
+// [#not-implemented-hide:]
+message TcpProtocolOptions {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.core.TcpProtocolOptions";
+}
+
+// Config for keepalive probes in a QUIC connection.
+//
+// .. note::
+//
+// QUIC keep-alive probing packets work differently from HTTP/2 keep-alive PINGs in a sense that the probing packet
+// itself doesn't timeout waiting for a probing response. QUIC has a shorter idle timeout than TCP, so it doesn't rely on such probing to discover dead connections. If the peer fails to respond, the connection will idle timeout eventually. Thus, they are configured differently from :ref:`connection_keepalive `.
+message QuicKeepAliveSettings {
+ // The max interval for a connection to send keep-alive probing packets (with ``PING`` or ``PATH_RESPONSE``). The value should be smaller than :ref:`connection idle_timeout ` to prevent idle timeout while not less than ``1s`` to avoid throttling the connection or flooding the peer with probes.
+ //
+ // If :ref:`initial_interval ` is absent or zero, a client connection will use this value to start probing.
+ //
+ // If zero, disable keepalive probing.
+ // If absent, use the QUICHE default interval to probe.
+ google.protobuf.Duration max_interval = 1;
+
+ // The interval to send the first few keep-alive probing packets to prevent connection from hitting the idle timeout. Subsequent probes will be sent, each one with an interval exponentially longer than previous one, till it reaches :ref:`max_interval `. And the probes afterwards will always use :ref:`max_interval `.
+ //
+ // The value should be smaller than :ref:`connection idle_timeout ` to prevent idle timeout and smaller than max_interval to take effect.
+ //
+ // If absent, disable keepalive probing for a server connection. For a client connection, if :ref:`max_interval ` is zero, do not keepalive, otherwise use max_interval or QUICHE default to probe all the time.
+ google.protobuf.Duration initial_interval = 2 [(validate.rules).duration = {
+ lte {}
+ gte {nanos: 1000000}
+ }];
+}
+
+// QUIC protocol options which apply to both downstream and upstream connections.
+// [#next-free-field: 12]
+message QuicProtocolOptions {
+ // Config for QUIC connection migration across network interfaces, i.e. cellular to WIFI, upon
+ // network change events from the platform, i.e. the current network gets
+ // disconnected, or upon the QUIC detecting a bad connection. After migration, the
+ // connection may be on a different network other than the default network
+ // picked by the platform. Both iOS and Android will use a default network to interact with the internet, usually prefer unmetered network (WIFI)
+ // over metered ones (cellular). And users can specify which network to be used as the default. A connection on non-default network is only allowed to
+ // serve new requests for a certain period of time before being drained, and
+ // meanwhile, QUIC will try to migrate to the default network if possible.
+ message ConnectionMigrationSettings {
+ // Config for options to migrate idle connections which aren't serving any requests.
+ message MigrateIdleConnectionSettings {
+ // If idle connections are allowed to be migrated, only migrate the connection
+ // if it hasn't been idle for longer than this idle period. Otherwise, the
+ // connection will be closed instead.
+ // Default to 30s.
+ google.protobuf.Duration max_idle_time_before_migration = 1
+ [(validate.rules).duration = {gte {seconds: 1}}];
+ }
+
+ // Config whether and how to migrate idle connections.
+ // If absent, idle connections will not be migrated but be closed upon
+ // migration signals.
+ MigrateIdleConnectionSettings migrate_idle_connections = 1;
+
+ // After migrating to a non-default network interface, the connection will
+ // only be allowed to stay on that network for up to this period of time before
+ // being drained unless it migrates to the default network or that network
+ // gets picked as the default by the device by then.
+ // Default to 128s.
+ google.protobuf.Duration max_time_on_non_default_network = 2
+ [(validate.rules).duration = {gte {seconds: 1}}];
+ }
+
+ // Maximum number of streams that the client can negotiate per connection. ``100``
+ // if not specified.
+ google.protobuf.UInt32Value max_concurrent_streams = 1 [(validate.rules).uint32 = {gte: 1}];
+
+ // `Initial stream-level flow-control receive window
+ // `_ size. Valid values range from
+ // ``1`` to ``16777216`` (``2^24``, maximum supported by QUICHE) and defaults to ``16777216`` (``16 * 1024 * 1024``).
+ //
+ // .. note::
+ //
+ // ``16384`` (``2^14``) is the minimum window size supported in Google QUIC. If configured smaller than it, we will use
+ // ``16384`` instead. QUICHE IETF QUIC implementation supports ``1`` byte window. We only support increasing the default
+ // window size now, so it's also the minimum.
+ //
+ // This field also acts as a soft limit on the number of bytes Envoy will buffer per-stream in the
+ // QUIC stream send and receive buffers. Once the buffer reaches this pointer, watermark callbacks will fire to
+ // stop the flow of data to the stream buffers.
+ google.protobuf.UInt32Value initial_stream_window_size = 2
+ [(validate.rules).uint32 = {lte: 16777216 gte: 1}];
+
+ // Similar to ``initial_stream_window_size``, but for connection-level
+ // flow-control. Valid values range from ``1`` to ``25165824`` (``24MB``, maximum supported by QUICHE) and defaults
+ // to ``25165824`` (``24 * 1024 * 1024``).
+ //
+ // .. note::
+ //
+ // ``16384`` (``2^14``) is the minimum window size supported in Google QUIC. We only support increasing the default
+ // window size now, so it's also the minimum.
+ //
+ google.protobuf.UInt32Value initial_connection_window_size = 3
+ [(validate.rules).uint32 = {lte: 25165824 gte: 1}];
+
+ // The number of timeouts that can occur before port migration is triggered for QUIC clients.
+ // This defaults to ``4``. If set to ``0``, port migration will not occur on path degrading.
+ // Timeout here refers to QUIC internal path degrading timeout mechanism, such as ``PTO``.
+ // This has no effect on server sessions.
+ google.protobuf.UInt32Value num_timeouts_to_trigger_port_migration = 4
+ [(validate.rules).uint32 = {lte: 5 gte: 0}];
+
+ // Probes the peer at the configured interval to solicit traffic, i.e. ``ACK`` or ``PATH_RESPONSE``, from the peer to push back connection idle timeout.
+ // If absent, use the default keepalive behavior of which a client connection sends ``PING``s every ``15s``, and a server connection doesn't do anything.
+ QuicKeepAliveSettings connection_keepalive = 5;
+
+ // A comma-separated list of strings representing QUIC connection options defined in
+ // `QUICHE `_ and to be sent by upstream connections.
+ string connection_options = 6;
+
+ // A comma-separated list of strings representing QUIC client connection options defined in
+ // `QUICHE `_ and to be sent by upstream connections.
+ string client_connection_options = 7;
+
+ // The duration that a QUIC connection stays idle before it closes itself. If this field is not present, QUICHE
+ // default ``600s`` will be applied.
+ // For internal corporate network, a long timeout is often fine.
+ // But for client facing network, ``30s`` is usually a good choice.
+ // Do not add an upper bound here. A long idle timeout is useful for maintaining warm connections at non-front-line proxy for low QPS services.
+ google.protobuf.Duration idle_network_timeout = 8
+ [(validate.rules).duration = {gte {seconds: 1}}];
+
+ // Maximum packet length for QUIC connections. It refers to the largest size of a QUIC packet that can be transmitted over the connection.
+ // If not specified, one of the `default values in QUICHE `_ is used.
+ google.protobuf.UInt64Value max_packet_length = 9;
+
+ // A customized UDP socket and a QUIC packet writer using the socket for
+ // client connections. i.e. Mobile uses its own implementation to interact
+ // with platform socket APIs.
+ // If not present, the default platform-independent socket and writer will be used.
+ // [#extension-category: envoy.quic.client_packet_writer]
+ TypedExtensionConfig client_packet_writer = 10;
+
+ // Enable QUIC `connection migration
+ // `
+ // to a different network interface when the current network is degrading or
+ // has become bad.
+ // In order to use a different network interface other than the platform's default one,
+ // a customized :ref:`client_packet_writer ` needs to be configured to
+ // create UDP sockets on non-default networks.
+ // Only takes effect when runtime key ``envoy.reloadable_features.use_migration_in_quiche`` is true.
+ // If absent, the feature will be disabled.
+ // [#not-implemented-hide:]
+ ConnectionMigrationSettings connection_migration = 11;
+}
+
+message UpstreamHttpProtocolOptions {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.core.UpstreamHttpProtocolOptions";
+
+ // Set transport socket `SNI `_ for new
+ // upstream connections based on the downstream HTTP host/authority header or any other arbitrary
+ // header when :ref:`override_auto_sni_header `
+ // is set, as seen by the :ref:`router filter `.
+ // Does nothing if a filter before the http router filter sets the corresponding metadata.
+ //
+ // See :ref:`SNI configuration ` for details on how this
+ // interacts with other validation options.
+ bool auto_sni = 1;
+
+ // Automatic validate upstream presented certificate for new upstream connections based on the
+ // downstream HTTP host/authority header or any other arbitrary header when :ref:`override_auto_sni_header `
+ // is set, as seen by the :ref:`router filter `.
+ // This field is intended to be set with ``auto_sni`` field.
+ // Does nothing if a filter before the http router filter sets the corresponding metadata.
+ //
+ // See :ref:`validation configuration ` for how this interacts with
+ // other validation options.
+ bool auto_san_validation = 2;
+
+ // An optional alternative to the host/authority header to be used for setting the SNI value.
+ // It should be a valid downstream HTTP header, as seen by the
+ // :ref:`router filter `.
+ // If unset, host/authority header will be used for populating the SNI. If the specified header
+ // is not found or the value is empty, host/authority header will be used instead.
+ // This field is intended to be set with ``auto_sni`` and/or ``auto_san_validation`` fields.
+ // If none of these fields are set then setting this would be a no-op.
+ // Does nothing if a filter before the http router filter sets the corresponding metadata.
+ string override_auto_sni_header = 3
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+}
+
+// Configures the alternate protocols cache which tracks alternate protocols that can be used to
+// make an HTTP connection to an origin server. See https://tools.ietf.org/html/rfc7838 for
+// HTTP Alternative Services and https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-04
+// for the "HTTPS" DNS resource record.
+// [#next-free-field: 6]
+message AlternateProtocolsCacheOptions {
+ // Allows pre-populating the cache with HTTP/3 alternate protocols entries with a 7 day lifetime.
+ // This will cause Envoy to attempt HTTP/3 to those upstreams, even if the upstreams have not
+ // advertised HTTP/3 support. These entries will be overwritten by alt-svc
+ // response headers or cached values.
+ // As with regular cached entries, if the origin response would result in clearing an existing
+ // alternate protocol cache entry, pre-populated entries will also be cleared.
+ // Adding a cache entry with hostname=foo.com port=123 is the equivalent of getting
+ // response headers
+ // alt-svc: h3=:"123"; ma=86400" in a response to a request to foo.com:123
+ message AlternateProtocolsCacheEntry {
+ // The host name for the alternate protocol entry.
+ string hostname = 1
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
+ // The port for the alternate protocol entry.
+ uint32 port = 2 [(validate.rules).uint32 = {lt: 65535 gt: 0}];
+ }
+
+ // The name of the cache. Multiple named caches allow independent alternate protocols cache
+ // configurations to operate within a single Envoy process using different configurations. All
+ // alternate protocols cache options with the same name *must* be equal in all fields when
+ // referenced from different configuration components. Configuration will fail to load if this is
+ // not the case.
+ string name = 1 [(validate.rules).string = {min_len: 1}];
+
+ // The maximum number of entries that the cache will hold. If not specified defaults to ``1024``.
+ //
+ // .. note::
+ //
+ // The implementation is approximate and enforced independently on each worker thread, thus
+ // it is possible for the maximum entries in the cache to go slightly above the configured
+ // value depending on timing. This is similar to how other circuit breakers work.
+ google.protobuf.UInt32Value max_entries = 2 [(validate.rules).uint32 = {gt: 0}];
+
+ // Allows configuring a persistent
+ // :ref:`key value store ` to flush
+ // alternate protocols entries to disk.
+ // This function is currently only supported if concurrency is 1
+ // Cached entries will take precedence over pre-populated entries below.
+ TypedExtensionConfig key_value_store_config = 3;
+
+ // Allows pre-populating the cache with entries, as described above.
+ repeated AlternateProtocolsCacheEntry prepopulated_entries = 4;
+
+ // Optional list of hostnames suffixes for which Alt-Svc entries can be shared. For example, if
+ // this list contained the value ``.c.example.com``, then an Alt-Svc entry for ``foo.c.example.com``
+ // could be shared with ``bar.c.example.com`` but would not be shared with ``baz.example.com``. On
+ // the other hand, if the list contained the value ``.example.com`` then all three hosts could share
+ // Alt-Svc entries. Each entry must start with ``.``. If a hostname matches multiple suffixes, the
+ // first listed suffix will be used.
+ //
+ // Since lookup in this list is O(n), it is recommended that the number of suffixes be limited.
+ // [#not-implemented-hide:]
+ repeated string canonical_suffixes = 5;
+}
+
+// [#next-free-field: 8]
+message HttpProtocolOptions {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.core.HttpProtocolOptions";
+
+ // Action to take when Envoy receives client request with header names containing underscore
+ // characters.
+ // Underscore character is allowed in header names by the RFC-7230 and this behavior is implemented
+ // as a security measure due to systems that treat '_' and '-' as interchangeable. Envoy by default allows client request headers with underscore
+ // characters.
+ enum HeadersWithUnderscoresAction {
+ // Allow headers with underscores. This is the default behavior.
+ ALLOW = 0;
+
+ // Reject client request. HTTP/1 requests are rejected with ``HTTP 400`` status. HTTP/2 requests
+ // end with the stream reset. The ``httpN.requests_rejected_with_underscores_in_headers`` counter
+ // is incremented for each rejected request.
+ REJECT_REQUEST = 1;
+
+ // Drop the client header with name containing underscores. The header is dropped before the filter chain is
+ // invoked and as such filters will not see dropped headers. The
+ // ``httpN.dropped_headers_with_underscores`` is incremented for each dropped header.
+ DROP_HEADER = 2;
+ }
+
+ // The idle timeout for connections. The idle timeout is defined as the
+ // period in which there are no active requests. When the
+ // idle timeout is reached the connection will be closed. If the connection is an HTTP/2
+ // downstream connection a drain sequence will occur prior to closing the connection, see
+ // :ref:`drain_timeout
+ // `.
+ //
+ // .. note::
+ //
+ // Request based timeouts mean that HTTP/2 PINGs will not keep the connection alive.
+ //
+ // If not specified, this defaults to ``1 hour``. To disable idle timeouts explicitly set this to ``0``.
+ //
+ // .. warning::
+ // Disabling this timeout has a highly likelihood of yielding connection leaks due to lost TCP
+ // FIN packets, etc.
+ //
+ // If the :ref:`overload action ` "envoy.overload_actions.reduce_timeouts"
+ // is configured, this timeout is scaled for downstream connections according to the value for
+ // :ref:`HTTP_DOWNSTREAM_CONNECTION_IDLE `.
+ google.protobuf.Duration idle_timeout = 1;
+
+ // The maximum duration of a connection. The duration is defined as a period since a connection
+ // was established. If not set, there is no max duration. When max_connection_duration is reached,
+ // the drain sequence will kick-in. The connection will be closed after the drain timeout period
+ // if there are no active streams. See :ref:`drain_timeout
+ // `.
+ google.protobuf.Duration max_connection_duration = 3;
+
+ // The maximum number of headers (request headers if configured on HttpConnectionManager,
+ // response headers when configured on a cluster).
+ // If unconfigured, the default maximum number of headers allowed is ``100``.
+ // The default value for requests can be overridden by setting runtime key ``envoy.reloadable_features.max_request_headers_count``.
+ // The default value for responses can be overridden by setting runtime key ``envoy.reloadable_features.max_response_headers_count``.
+ // Downstream requests that exceed this limit will receive a ``HTTP 431`` response for HTTP/1.x and cause a stream
+ // reset for HTTP/2.
+ // Upstream responses that exceed this limit will result in a ``HTTP 502`` response.
+ google.protobuf.UInt32Value max_headers_count = 2 [(validate.rules).uint32 = {gte: 1}];
+
+ // The maximum size of response headers.
+ // If unconfigured, the default is ``60 KiB``, except for HTTP/1 response headers which have a default
+ // of ``80 KiB``.
+ // The default value can be overridden by setting runtime key ``envoy.reloadable_features.max_response_headers_size_kb``.
+ // Responses that exceed this limit will result in a ``HTTP 503`` response.
+ // In Envoy, this setting is only valid when configured on an upstream cluster, not on the
+ // :ref:`HTTP Connection Manager
+ // `.
+ //
+ // .. note::
+ //
+ // Currently some protocol codecs impose limits on the maximum size of a single header.
+ //
+ // * HTTP/2 (when using ``nghttp2``) limits a single header to around ``100kb``.
+ // * HTTP/3 limits a single header to around ``1024kb``.
+ //
+ google.protobuf.UInt32Value max_response_headers_kb = 7
+ [(validate.rules).uint32 = {lte: 8192 gt: 0}];
+
+ // Total duration to keep alive an HTTP request/response stream. If the time limit is reached the stream will be
+ // reset independent of any other timeouts. If not specified, this value is not set.
+ google.protobuf.Duration max_stream_duration = 4;
+
+ // Action to take when a client request with a header name containing underscore characters is received.
+ // If this setting is not specified, the value defaults to ``ALLOW``.
+ //
+ // .. note::
+ //
+ // Upstream responses are not affected by this setting.
+ //
+ // .. note::
+ //
+ // This only affects client headers. It does not affect headers added by Envoy filters and does not have any
+ // impact if added to cluster config.
+ HeadersWithUnderscoresAction headers_with_underscores_action = 5;
+
+ // Optional maximum requests for both upstream and downstream connections.
+ // If not specified, there is no limit.
+ // Setting this parameter to ``1`` will effectively disable keep alive.
+ // For HTTP/2 and HTTP/3, due to concurrent stream processing, the limit is approximate.
+ google.protobuf.UInt32Value max_requests_per_connection = 6;
+}
+
+// [#next-free-field: 12]
+message Http1ProtocolOptions {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.core.Http1ProtocolOptions";
+
+ // [#next-free-field: 9]
+ message HeaderKeyFormat {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.core.Http1ProtocolOptions.HeaderKeyFormat";
+
+ message ProperCaseWords {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.core.Http1ProtocolOptions.HeaderKeyFormat.ProperCaseWords";
+ }
+
+ oneof header_format {
+ option (validate.required) = true;
+
+ // Formats the header by proper casing words: the first character and any character following
+ // a special character will be capitalized if it's an alpha character. For example,
+ // ``"content-type"`` becomes ``"Content-Type"``, and ``"foo$b#$are"`` becomes ``"Foo$B#$Are"``.
+ //
+ // .. note::
+ //
+ // While this results in most headers following conventional casing, certain headers
+ // are not covered. For example, the ``"TE"`` header will be formatted as ``"Te"``.
+ ProperCaseWords proper_case_words = 1;
+
+ // Configuration for stateful formatter extensions that allow using received headers to
+ // affect the output of encoding headers. E.g., preserving case during proxying.
+ // [#extension-category: envoy.http.stateful_header_formatters]
+ TypedExtensionConfig stateful_formatter = 8;
+ }
+ }
+
+ // Handle HTTP requests with absolute URLs in the requests. These requests
+ // are generally sent by clients to forward/explicit proxies. This allows clients to configure
+ // envoy as their HTTP proxy. In Unix, for example, this is typically done by setting the
+ // ``http_proxy`` environment variable.
+ google.protobuf.BoolValue allow_absolute_url = 1;
+
+ // Handle incoming HTTP/1.0 and HTTP/0.9 requests.
+ // This is off by default, and not fully standards compliant. There is support for pre-HTTP/1.1
+ // style connect logic, dechunking, and handling lack of client host iff
+ // ``default_host_for_http_10`` is configured.
+ bool accept_http_10 = 2;
+
+ // A default host for HTTP/1.0 requests. This is highly suggested if ``accept_http_10`` is true as
+ // Envoy does not otherwise support HTTP/1.0 without a Host header.
+ // This is a no-op if ``accept_http_10`` is not true.
+ string default_host_for_http_10 = 3;
+
+ // Describes how the keys for response headers should be formatted. By default, all header keys
+ // are lower cased.
+ HeaderKeyFormat header_key_format = 4;
+
+ // Enables trailers for HTTP/1. By default the HTTP/1 codec drops proxied trailers.
+ //
+ // .. attention::
+ //
+ // This only happens when Envoy is chunk encoding which occurs when:
+ // - The request is HTTP/1.1.
+ // - Is neither a ``HEAD`` only request nor a HTTP Upgrade.
+ // - Not a response to a ``HEAD`` request.
+ // - The ``Content-Length`` header is not present.
+ bool enable_trailers = 5;
+
+ // Allows Envoy to process requests/responses with both ``Content-Length`` and ``Transfer-Encoding``
+ // headers set. By default such messages are rejected, but if option is enabled - Envoy will
+ // remove ``Content-Length`` header and process message.
+ // See `RFC7230, sec. 3.3.3 `_ for details.
+ //
+ // .. attention::
+ //
+ // Enabling this option might lead to request smuggling vulnerability, especially if traffic
+ // is proxied via multiple layers of proxies.
+ // [#comment:TODO: This field is ignored when the
+ // :ref:`header validation configuration `
+ // is present.]
+ bool allow_chunked_length = 6;
+
+ // Allows invalid HTTP messaging. When this option is false, then Envoy will terminate
+ // HTTP/1.1 connections upon receiving an invalid HTTP message. However,
+ // when this option is true, then Envoy will leave the HTTP/1.1 connection
+ // open where possible.
+ // If set, this overrides any HCM :ref:`stream_error_on_invalid_http_messaging
+ // `.
+ google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 7;
+
+ // Allows sending fully qualified URLs when proxying the first line of the
+ // response. By default, Envoy will only send the path components in the first line.
+ // If this is true, Envoy will create a fully qualified URI composing scheme
+ // (inferred if not present), host (from the host/:authority header) and path
+ // (from first line or :path header).
+ bool send_fully_qualified_url = 8;
+
+ // [#not-implemented-hide:] Hiding so that field can be removed after BalsaParser is rolled out.
+ // If set, force HTTP/1 parser: BalsaParser if true, http-parser if false.
+ // If unset, HTTP/1 parser is selected based on
+ // envoy.reloadable_features.http1_use_balsa_parser.
+ // See issue #21245.
+ google.protobuf.BoolValue use_balsa_parser = 9
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // [#not-implemented-hide:] Hiding so that field can be removed.
+ // If true, and BalsaParser is used (either `use_balsa_parser` above is true,
+ // or `envoy.reloadable_features.http1_use_balsa_parser` is true and
+ // `use_balsa_parser` is unset), then every non-empty method with only valid
+ // characters is accepted. Otherwise, methods not on the hard-coded list are
+ // rejected.
+ // Once UHV is enabled, this field should be removed, and BalsaParser should
+ // allow any method. UHV validates the method, rejecting empty string or
+ // invalid characters, and provides :ref:`restrict_http_methods
+ // `
+ // to reject custom methods.
+ bool allow_custom_methods = 10 [(xds.annotations.v3.field_status).work_in_progress = true];
+
+ // Ignore HTTP/1.1 upgrade values matching any of the supplied matchers.
+ //
+ // .. note::
+ //
+ // ``h2c`` upgrades are always removed for backwards compatibility, regardless of the
+ // value in this setting.
+ repeated type.matcher.v3.StringMatcher ignore_http_11_upgrade = 11;
+}
+
+message KeepaliveSettings {
+ // Send HTTP/2 PING frames at this period, in order to test that the connection is still alive.
+ // If this is zero, interval PINGs will not be sent.
+ google.protobuf.Duration interval = 1 [(validate.rules).duration = {gte {nanos: 1000000}}];
+
+ // How long to wait for a response to a keepalive PING. If a response is not received within this
+ // time period, the connection will be aborted.
+ //
+ // .. note::
+ //
+ // In order to prevent the influence of Head-of-line (HOL) blocking the timeout period is extended when *any* frame is received on
+ // the connection, under the assumption that if a frame is received the connection is healthy.
+ google.protobuf.Duration timeout = 2 [(validate.rules).duration = {
+ required: true
+ gte {nanos: 1000000}
+ }];
+
+ // A random jitter amount as a percentage of interval that will be added to each interval.
+ // A value of zero means there will be no jitter.
+ // The default value is ``15%``.
+ type.v3.Percent interval_jitter = 3;
+
+ // If the connection has been idle for this duration, send a HTTP/2 ping ahead
+ // of new stream creation, to quickly detect dead connections.
+ // If this is zero, this type of PING will not be sent.
+ // If an interval ping is outstanding, a second ping will not be sent as the
+ // interval ping will determine if the connection is dead.
+ //
+ // The same feature for HTTP/3 is given by inheritance from QUICHE which uses :ref:`connection idle_timeout ` and the current PTO of the connection to decide whether to probe before sending a new request.
+ google.protobuf.Duration connection_idle_interval = 4
+ [(validate.rules).duration = {gte {nanos: 1000000}}];
+}
+
+// [#next-free-field: 19]
+message Http2ProtocolOptions {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.core.Http2ProtocolOptions";
+
+ // Defines a parameter to be sent in the SETTINGS frame.
+ // See `RFC7540, sec. 6.5.1 `_ for details.
+ message SettingsParameter {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.core.Http2ProtocolOptions.SettingsParameter";
+
+ // The 16 bit parameter identifier.
+ google.protobuf.UInt32Value identifier = 1 [
+ (validate.rules).uint32 = {lte: 65535 gte: 0},
+ (validate.rules).message = {required: true}
+ ];
+
+ // The 32 bit parameter value.
+ google.protobuf.UInt32Value value = 2 [(validate.rules).message = {required: true}];
+ }
+
+ // `Maximum table size `_
+ // (in octets) that the encoder is permitted to use for the dynamic HPACK table. Valid values
+ // range from ``0`` to ``4294967295`` (``2^32 - 1``) and defaults to ``4096``. ``0`` effectively disables header
+ // compression.
+ google.protobuf.UInt32Value hpack_table_size = 1;
+
+ // `Maximum concurrent streams `_
+ // allowed for peer on one HTTP/2 connection. Valid values range from ``1`` to ``2147483647`` (``2^31 - 1``)
+ // and defaults to ``1024`` for safety and should be sufficient for most use cases.
+ //
+ // For upstream connections, this also limits how many streams Envoy will initiate concurrently
+ // on a single connection. If the limit is reached, Envoy may queue requests or establish
+ // additional connections (as allowed per circuit breaker limits).
+ //
+ // This acts as an upper bound: Envoy will lower the max concurrent streams allowed on a given
+ // connection based on upstream settings. Config dumps will reflect the configured upper bound,
+ // not the per-connection negotiated limits.
+ google.protobuf.UInt32Value max_concurrent_streams = 2
+ [(validate.rules).uint32 = {lte: 2147483647 gte: 1}];
+
+ // `Initial stream-level flow-control window
+ // `_ size. Valid values range from ``65535``
+ // (``2^16 - 1``, HTTP/2 default) to ``2147483647`` (``2^31 - 1``, HTTP/2 maximum) and defaults to
+ // ``16MiB`` (``16 * 1024 * 1024``).
+ //
+ // .. note::
+ //
+ // ``65535`` is the initial window size from HTTP/2 spec. We only support increasing the default window size now,
+ // so it's also the minimum.
+ //
+ // This field also acts as a soft limit on the number of bytes Envoy will buffer per-stream in the
+ // HTTP/2 codec buffers. Once the buffer reaches this pointer, watermark callbacks will fire to
+ // stop the flow of data to the codec buffers.
+ google.protobuf.UInt32Value initial_stream_window_size = 3
+ [(validate.rules).uint32 = {lte: 2147483647 gte: 65535}];
+
+ // Similar to ``initial_stream_window_size``, but for connection-level flow-control
+ // window. The default is ``24MiB`` (``24 * 1024 * 1024``).
+ google.protobuf.UInt32Value initial_connection_window_size = 4
+ [(validate.rules).uint32 = {lte: 2147483647 gte: 65535}];
+
+ // Allows proxying Websocket and other upgrades over H2 connect.
+ bool allow_connect = 5;
+
+ // [#not-implemented-hide:] Hiding until Envoy has full metadata support.
+ // Still under implementation. DO NOT USE.
+ //
+ // Allows sending and receiving HTTP/2 METADATA frames. See [metadata
+ // docs](https://github.com/envoyproxy/envoy/blob/main/source/docs/h2_metadata.md) for more
+ // information.
+ bool allow_metadata = 6;
+
+ // Limit the number of pending outbound downstream frames of all types (frames that are waiting to
+ // be written into the socket). Exceeding this limit triggers flood mitigation and connection is
+ // terminated. The ``http2.outbound_flood`` stat tracks the number of terminated connections due
+ // to flood mitigation. The default limit is ``10000``.
+ google.protobuf.UInt32Value max_outbound_frames = 7 [(validate.rules).uint32 = {gte: 1}];
+
+ // Limit the number of pending outbound downstream frames of types ``PING``, ``SETTINGS`` and ``RST_STREAM``,
+ // preventing high memory utilization when receiving continuous stream of these frames. Exceeding
+ // this limit triggers flood mitigation and connection is terminated. The
+ // ``http2.outbound_control_flood`` stat tracks the number of terminated connections due to flood
+ // mitigation. The default limit is ``1000``.
+ google.protobuf.UInt32Value max_outbound_control_frames = 8 [(validate.rules).uint32 = {gte: 1}];
+
+ // Limit the number of consecutive inbound frames of types ``HEADERS``, ``CONTINUATION`` and ``DATA`` with an
+ // empty payload and no end stream flag. Those frames have no legitimate use and are abusive, but
+ // might be a result of a broken HTTP/2 implementation. The ``http2.inbound_empty_frames_flood``
+ // stat tracks the number of connections terminated due to flood mitigation.
+ // Setting this to ``0`` will terminate connection upon receiving first frame with an empty payload
+ // and no end stream flag. The default limit is ``1``.
+ google.protobuf.UInt32Value max_consecutive_inbound_frames_with_empty_payload = 9;
+
+ // Limit the number of inbound ``PRIORITY`` frames allowed per each opened stream. If the number
+ // of ``PRIORITY`` frames received over the lifetime of connection exceeds the value calculated
+ // using this formula::
+ //
+ // ``max_inbound_priority_frames_per_stream`` * (1 + ``opened_streams``)
+ //
+ // the connection is terminated. For downstream connections the ``opened_streams`` is incremented when
+ // Envoy receives complete response headers from the upstream server. For upstream connection the
+ // ``opened_streams`` is incremented when Envoy sends the ``HEADERS`` frame for a new stream. The
+ // ``http2.inbound_priority_frames_flood`` stat tracks
+ // the number of connections terminated due to flood mitigation. The default limit is ``100``.
+ google.protobuf.UInt32Value max_inbound_priority_frames_per_stream = 10;
+
+ // Limit the number of inbound ``WINDOW_UPDATE`` frames allowed per ``DATA`` frame sent. If the number
+ // of ``WINDOW_UPDATE`` frames received over the lifetime of connection exceeds the value calculated
+ // using this formula::
+ //
+ // ``5 + 2 * (opened_streams +
+ // max_inbound_window_update_frames_per_data_frame_sent * outbound_data_frames)``
+ //
+ // the connection is terminated. For downstream connections the ``opened_streams`` is incremented when
+ // Envoy receives complete response headers from the upstream server. For upstream connections the
+ // ``opened_streams`` is incremented when Envoy sends the ``HEADERS`` frame for a new stream. The
+ // ``http2.inbound_priority_frames_flood`` stat tracks the number of connections terminated due to
+ // flood mitigation. The default ``max_inbound_window_update_frames_per_data_frame_sent`` value is ``10``.
+ // Setting this to ``1`` should be enough to support HTTP/2 implementations with basic flow control,
+ // but more complex implementations that try to estimate available bandwidth require at least ``2``.
+ google.protobuf.UInt32Value max_inbound_window_update_frames_per_data_frame_sent = 11
+ [(validate.rules).uint32 = {gte: 1}];
+
+ // Allows invalid HTTP messaging and headers. When this option is disabled (default), then
+ // the whole HTTP/2 connection is terminated upon receiving invalid HEADERS frame. However,
+ // when this option is enabled, only the offending stream is terminated.
+ //
+ // This is overridden by HCM :ref:`stream_error_on_invalid_http_messaging
+ // `
+ // iff present.
+ //
+ // This is deprecated in favor of :ref:`override_stream_error_on_invalid_http_message
+ // `
+ //
+ // See `RFC7540, sec. 8.1 `_ for details.
+ bool stream_error_on_invalid_http_messaging = 12
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // Allows invalid HTTP messaging and headers. When this option is disabled (default), then
+ // the whole HTTP/2 connection is terminated upon receiving invalid HEADERS frame. However,
+ // when this option is enabled, only the offending stream is terminated.
+ //
+ // This overrides any HCM :ref:`stream_error_on_invalid_http_messaging
+ // `
+ //
+ // See `RFC7540, sec. 8.1 `_ for details.
+ google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 14;
+
+ // [#not-implemented-hide:]
+ // Specifies SETTINGS frame parameters to be sent to the peer, with two exceptions:
+ //
+ // 1. SETTINGS_ENABLE_PUSH (0x2) is not configurable as HTTP/2 server push is not supported by
+ // Envoy.
+ //
+ // 2. SETTINGS_ENABLE_CONNECT_PROTOCOL (0x8) is only configurable through the named field
+ // 'allow_connect'.
+ //
+ // .. note::
+ //
+ // Custom parameters specified through this field can not also be set in the
+ // corresponding named parameters:
+ //
+ // .. code-block:: text
+ //
+ // ID Field Name
+ // ----------------
+ // 0x1 hpack_table_size
+ // 0x3 max_concurrent_streams
+ // 0x4 initial_stream_window_size
+ //
+ // Collisions will trigger config validation failure on load/update. Likewise, inconsistencies
+ // between custom parameters with the same identifier will trigger a failure.
+ //
+ // See `IANA HTTP/2 Settings
+ // `_ for
+ // standardized identifiers.
+ repeated SettingsParameter custom_settings_parameters = 13;
+
+ // Send HTTP/2 PING frames to verify that the connection is still healthy. If the remote peer
+ // does not respond within the configured timeout, the connection will be aborted.
+ KeepaliveSettings connection_keepalive = 15;
+
+ // [#not-implemented-hide:] Hiding so that the field can be removed after oghttp2 is rolled out.
+ // If set, force use of a particular HTTP/2 codec: oghttp2 if true, nghttp2 if false.
+ // If unset, HTTP/2 codec is selected based on envoy.reloadable_features.http2_use_oghttp2.
+ google.protobuf.BoolValue use_oghttp2_codec = 16
+ [(xds.annotations.v3.field_status).work_in_progress = true];
+
+ // Configure the maximum amount of metadata than can be handled per stream. Defaults to ``1 MB``.
+ google.protobuf.UInt64Value max_metadata_size = 17;
+
+ // Controls whether to encode headers using huffman encoding.
+ // This can be useful in cases where the cpu spent encoding the headers isn't
+ // worth the network bandwidth saved e.g. for localhost.
+ // If unset, uses the data plane's default value.
+ google.protobuf.BoolValue enable_huffman_encoding = 18;
+}
+
+// [#not-implemented-hide:]
+message GrpcProtocolOptions {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.core.GrpcProtocolOptions";
+
+ Http2ProtocolOptions http2_protocol_options = 1;
+}
+
+// A message which allows using HTTP/3.
+// [#next-free-field: 9]
+message Http3ProtocolOptions {
+ QuicProtocolOptions quic_protocol_options = 1;
+
+ // Allows invalid HTTP messaging and headers. When this option is disabled (default), then
+ // the whole HTTP/3 connection is terminated upon receiving invalid HEADERS frame. However,
+ // when this option is enabled, only the offending stream is terminated.
+ //
+ // If set, this overrides any HCM :ref:`stream_error_on_invalid_http_messaging
+ // `.
+ google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 2;
+
+ // Allows proxying Websocket and other upgrades over HTTP/3 CONNECT using
+ // the header mechanisms from the `HTTP/2 extended connect RFC
+ // `_
+ // and settings `proposed for HTTP/3
+ // `_
+ //
+ // .. note::
+ //
+ // HTTP/3 CONNECT is not yet an RFC.
+ bool allow_extended_connect = 5 [(xds.annotations.v3.field_status).work_in_progress = true];
+
+ // [#not-implemented-hide:] Hiding until Envoy has full metadata support.
+ // Still under implementation. DO NOT USE.
+ //
+ // Allows sending and receiving HTTP/3 METADATA frames. See [metadata
+ // docs](https://github.com/envoyproxy/envoy/blob/main/source/docs/h2_metadata.md) for more
+ // information.
+ bool allow_metadata = 6;
+
+ // [#not-implemented-hide:] Hiding until Envoy has full HTTP/3 upstream support.
+ // Still under implementation. DO NOT USE.
+ //
+ // Disables QPACK compression related features for HTTP/3 including:
+ // No huffman encoding, zero dynamic table capacity and no cookie crumbling.
+ // This can be useful for trading off CPU vs bandwidth when an upstream HTTP/3 connection multiplexes multiple downstream connections.
+ bool disable_qpack = 7;
+
+ // Disables connection level flow control for HTTP/3 streams. This is useful in situations where the streams share the same connection
+ // but originate from different end-clients, so that each stream can make progress independently at non-front-line proxies.
+ bool disable_connection_flow_control_for_streams = 8;
+}
+
+// A message to control transformations to the :scheme header
+message SchemeHeaderTransformation {
+ oneof transformation {
+ // Overwrite any Scheme header with the contents of this string.
+ // If set, takes precedence over ``match_upstream``.
+ string scheme_to_overwrite = 1 [(validate.rules).string = {in: "http" in: "https"}];
+ }
+
+ // Set the Scheme header to match the upstream transport protocol. For example, should a
+ // request be sent to the upstream over TLS, the scheme header will be set to ``"https"``. Should the
+ // request be sent over plaintext, the scheme header will be set to ``"http"``.
+ // If ``scheme_to_overwrite`` is set, this field is not used.
+ bool match_upstream = 2;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/9e76a22c9cdead3f586feeec0952f4809fe77c613adbaea2ffc25d357cdea64c3468f7b960227208a372f53ac5a25345af4db2bfd9a93a1562efb0e2d4e8323b b/modules/sync/envoyproxy/envoy/cas/9e76a22c9cdead3f586feeec0952f4809fe77c613adbaea2ffc25d357cdea64c3468f7b960227208a372f53ac5a25345af4db2bfd9a93a1562efb0e2d4e8323b
new file mode 100644
index 00000000..e4e88161
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/9e76a22c9cdead3f586feeec0952f4809fe77c613adbaea2ffc25d357cdea64c3468f7b960227208a372f53ac5a25345af4db2bfd9a93a1562efb0e2d4e8323b
@@ -0,0 +1,123 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.dynamic_modules.v3;
+
+import "envoy/extensions/dynamic_modules/v3/dynamic_modules.proto";
+
+import "google/protobuf/any.proto";
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.dynamic_modules.v3";
+option java_outer_classname = "DynamicModulesProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/dynamic_modules/v3;dynamic_modulesv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Dynamic Modules HTTP Filter]
+// [#extension: envoy.filters.http.dynamic_modules]
+
+// Configuration for the Dynamic Modules HTTP filter. This filter allows loading shared object files
+// that can be loaded via ``dlopen`` to extend the HTTP filter chain.
+//
+// A module can be loaded by multiple HTTP filters; the module is loaded only once and shared across
+// multiple filters.
+//
+// A dynamic module HTTP filter can opt into being a terminal filter with no upstream by setting
+// :ref:`terminal_filter
+// `
+// to ``true``. A terminal dynamic module can use ``send_`` ABI methods to send response headers,
+// body, and trailers to the downstream.
+message DynamicModuleFilter {
+ // Specifies the shared-object level configuration.
+ envoy.extensions.dynamic_modules.v3.DynamicModuleConfig dynamic_module_config = 1;
+
+ // The name for this filter configuration.
+ //
+ // This can be used to distinguish between different filter implementations inside a dynamic
+ // module. For example, a module can have completely different filter implementations. When Envoy
+ // receives this configuration, it passes the ``filter_name`` to the dynamic module's HTTP filter
+ // config init function together with the ``filter_config``.
That way a module can decide which
+ // in-module filter implementation to use based on the name at load time.
+ string filter_name = 2;
+
+ // The configuration for the filter chosen by ``filter_name``.
+ //
+ // This is passed to the module's HTTP filter initialization function. Together with the
+ // ``filter_name``, the module can decide which in-module filter implementation to use and
+ // fine-tune the behavior of the filter.
+ //
+ // For example, if a module has two filter implementations, one for logging and one for header
+ // manipulation, ``filter_name`` is used to choose either logging or header manipulation. The
+ // ``filter_config`` can be used to configure the logging level or the header manipulation
+ // behavior.
+ //
+ // ``google.protobuf.Struct`` is serialized as JSON before passing it to the plugin.
+ // ``google.protobuf.BytesValue`` and ``google.protobuf.StringValue`` are passed directly without
+ // the wrapper.
+ //
+ // .. code-block:: yaml
+ //
+ // # Passing in a string
+ // filter_config:
+ // "@type": "type.googleapis.com/google.protobuf.StringValue"
+ // value: hello
+ //
+ // # Passing in raw bytes
+ // filter_config:
+ // "@type": "type.googleapis.com/google.protobuf.BytesValue"
+ // value: aGVsbG8= # echo -n "hello" | base64
+ //
+ google.protobuf.Any filter_config = 3;
+
+ // If ``true``, the dynamic module is a terminal filter to use without an upstream.
+ //
+ // The dynamic module is responsible for creating and sending the response to downstream.
+ //
+ // Defaults to ``false``.
+ bool terminal_filter = 4;
+}
+
+// Configuration of the HTTP per-route filter for dynamic modules.
+message DynamicModuleFilterPerRoute {
+ // Specifies the shared-object level configuration.
+ envoy.extensions.dynamic_modules.v3.DynamicModuleConfig dynamic_module_config = 1;
+
+ // The name for this filter configuration.
+ //
+ // This can be used to distinguish between different filter implementations inside a dynamic
+ // module.
For example, a module can have completely different filter implementations. When Envoy
+ // receives this configuration, it passes the ``per_route_config_name`` to the dynamic module's
+ // HTTP per-route filter config init function together with the ``filter_config``. That way a
+ // module can decide which in-module filter implementation to use based on the name at load time.
+ string per_route_config_name = 2;
+
+ // The configuration for the filter chosen by ``per_route_config_name``.
+ //
+ // This is passed to the module's HTTP per-route filter initialization function. Together with
+ // the ``per_route_config_name``, the module can decide which in-module filter implementation to
+ // use and fine-tune the behavior of the filter on a specific route.
+ //
+ // For example, if a module has two filter implementations, one for logging and one for header
+ // manipulation, ``per_route_config_name`` is used to choose either logging or header
+ // manipulation. The ``filter_config`` can be used to configure the logging level or the header
+ // manipulation behavior.
+ //
+ // ``google.protobuf.Struct`` is serialized as JSON before passing it to the plugin.
+ // ``google.protobuf.BytesValue`` and ``google.protobuf.StringValue`` are passed directly without
+ // the wrapper.
+ //
+ // .. code-block:: yaml
+ //
+ // # Passing in a string
+ // filter_config:
+ // "@type": "type.googleapis.com/google.protobuf.StringValue"
+ // value: hello
+ //
+ // # Passing in raw bytes
+ // filter_config:
+ // "@type": "type.googleapis.com/google.protobuf.BytesValue"
+ // value: aGVsbG8= # echo -n "hello" | base64
+ //
+ google.protobuf.Any filter_config = 3;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/9e8d88f559a8724f64cdb259bb06d5d79dcc40430a2c190ceb6be8ad2bc989409748fc5f4d6d1b6f2dfd1deeb4804b13568d2a664d74554b431480d5a275535b b/modules/sync/envoyproxy/envoy/cas/9e8d88f559a8724f64cdb259bb06d5d79dcc40430a2c190ceb6be8ad2bc989409748fc5f4d6d1b6f2dfd1deeb4804b13568d2a664d74554b431480d5a275535b
new file mode 100644
index 00000000..5bd909f3
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/9e8d88f559a8724f64cdb259bb06d5d79dcc40430a2c190ceb6be8ad2bc989409748fc5f4d6d1b6f2dfd1deeb4804b13568d2a664d74554b431480d5a275535b
@@ -0,0 +1,172 @@
+syntax = "proto3";
+
+package envoy.config.route.v3;
+
+import "envoy/config/core/v3/base.proto";
+import "envoy/config/core/v3/config_source.proto";
+import "envoy/config/route/v3/route_components.proto";
+
+import "google/protobuf/any.proto";
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.config.route.v3";
+option java_outer_classname = "RouteProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/route/v3;routev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: HTTP route configuration]
+// * Routing :ref:`architecture overview `
+// * HTTP :ref:`router filter `
+
+// [#next-free-field: 19]
+message RouteConfiguration {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.RouteConfiguration";
+
+ // The name of the route configuration. For example, it might match
+ // :ref:`route_config_name
+ // ` in
+ // :ref:`envoy_v3_api_msg_extensions.filters.network.http_connection_manager.v3.Rds`.
+ string name = 1;
+
+ // An array of virtual hosts that make up the route table.
+ repeated VirtualHost virtual_hosts = 2;
+
+ // An array of virtual hosts will be dynamically loaded via the VHDS API.
+ // Both ``virtual_hosts`` and ``vhds`` fields will be used when present. ``virtual_hosts`` can be used
+ // for a base routing table or for infrequently changing virtual hosts. ``vhds`` is used for
+ // on-demand discovery of virtual hosts. The contents of these two fields will be merged to
+ // generate a routing table for a given RouteConfiguration, with ``vhds`` derived configuration
+ // taking precedence.
+ Vhds vhds = 9;
+
+ // Optionally specifies a list of HTTP headers that the connection manager
+ // will consider to be internal only.
If they are found on external requests they will be cleaned
+ // prior to filter invocation. See :ref:`config_http_conn_man_headers_x-envoy-internal` for more
+ // information.
+ repeated string internal_only_headers = 3 [
+ (validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}}
+ ];
+
+ // Specifies a list of HTTP headers that should be added to each response that
+ // the connection manager encodes. Headers specified at this level are applied
+ // after headers from any enclosed :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost` or
+ // :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. For more information, including details on
+ // header value syntax, see the documentation on :ref:`custom request headers
+ // `.
+ repeated core.v3.HeaderValueOption response_headers_to_add = 4
+ [(validate.rules).repeated = {max_items: 1000}];
+
+ // Specifies a list of HTTP headers that should be removed from each response
+ // that the connection manager encodes.
+ repeated string response_headers_to_remove = 5 [
+ (validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}}
+ ];
+
+ // Specifies a list of HTTP headers that should be added to each request
+ // routed by the HTTP connection manager. Headers specified at this level are
+ // applied after headers from any enclosed :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost` or
+ // :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. For more information, including details on
+ // header value syntax, see the documentation on :ref:`custom request headers
+ // `.
+ repeated core.v3.HeaderValueOption request_headers_to_add = 6
+ [(validate.rules).repeated = {max_items: 1000}];
+
+ // Specifies a list of HTTP headers that should be removed from each request
+ // routed by the HTTP connection manager.
+ repeated string request_headers_to_remove = 8 [
+ (validate.rules).repeated = {items {string {well_known_regex: HTTP_HEADER_NAME strict: false}}}
+ ];
+
+ // Headers mutations at all levels are evaluated, if specified. By default, the order is from most
+ // specific (i.e. route entry level) to least specific (i.e. route configuration level). Later header
+ // mutations may override earlier mutations.
+ // This order can be reversed by setting this field to true. In other words, most specific level mutation
+ // is evaluated last.
+ //
+ bool most_specific_header_mutations_wins = 10;
+
+ // An optional boolean that specifies whether the clusters that the route
+ // table refers to will be validated by the cluster manager. If set to true
+ // and a route refers to a non-existent cluster, the route table will not
+ // load. If set to false and a route refers to a non-existent cluster, the
+ // route table will load and the router filter will return a 404 if the route
+ // is selected at runtime. This setting defaults to true if the route table
+ // is statically defined via the :ref:`route_config
+ // `
+ // option. This setting default to false if the route table is loaded dynamically via the
+ // :ref:`rds
+ // `
+ // option. Users may wish to override the default behavior in certain cases (for example when
+ // using CDS with a static route table).
+ google.protobuf.BoolValue validate_clusters = 7;
+
+ // The maximum bytes of the response :ref:`direct response body
+ // ` size. If not specified the default
+ // is 4096.
+ //
+ // .. warning::
+ //
+ // Envoy currently holds the content of :ref:`direct response body
+ // ` in memory. Be careful setting
+ // this to be larger than the default 4KB, since the allocated memory for direct response body
+ // is not subject to data plane buffering controls.
+ //
+ google.protobuf.UInt32Value max_direct_response_body_size_bytes = 11;
+
+ // A list of plugins and their configurations which may be used by a
+ // :ref:`cluster specifier plugin name `
+ // within the route. All ``extension.name`` fields in this list must be unique.
+ repeated ClusterSpecifierPlugin cluster_specifier_plugins = 12;
+
+ // Specify a set of default request mirroring policies which apply to all routes under its virtual hosts.
+ // Note that policies are not merged, the most specific non-empty one becomes the mirror policies.
+ repeated RouteAction.RequestMirrorPolicy request_mirror_policies = 13;
+
+ // By default, port in :authority header (if any) is used in host matching.
+ // With this option enabled, Envoy will ignore the port number in the :authority header (if any) when picking VirtualHost.
+ //
+ // .. note::
+ // This option will not strip the port number (if any) contained in route config
+ // :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost`.domains field.
+ bool ignore_port_in_host_matching = 14;
+
+ // Normally, virtual host matching is done using the :authority (or
+ // Host: in HTTP < 2) HTTP header. Setting this will instead, use a
+ // different HTTP header for this purpose.
+ string vhost_header = 18;
+
+ // Ignore path-parameters in path-matching.
+ // Before RFC3986, URI were like(RFC1808): :///;?#
+ // Envoy by default takes ":path" as ";".
+ // For users who want to only match path on the "" portion, this option should be true.
+ bool ignore_path_parameters_in_path_matching = 15;
+
+ // This field can be used to provide RouteConfiguration level per filter config. The key should match the
+ // :ref:`filter config name
+ // `.
+ // See :ref:`Http filter route specific config `
+ // for details.
+ // [#comment: An entry's value may be wrapped in a
+ // :ref:`FilterConfig`
+ // message to specify additional options.]
+ map typed_per_filter_config = 16;
+
+ // The metadata field can be used to provide additional information
+ // about the route configuration. It can be used for configuration, stats, and logging.
+ // The metadata should go under the filter namespace that will need it.
+ // For instance, if the metadata is intended for the Router filter,
+ // the filter name should be specified as ``envoy.filters.http.router``.
+ core.v3.Metadata metadata = 17;
+}
+
+message Vhds {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Vhds";
+
+ // Configuration source specifier for VHDS.
+ core.v3.ConfigSource config_source = 1 [(validate.rules).message = {required: true}];
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/9ee0b29aed3777812c8d5348bdc7ba125d07c57cec49e831873382c2cdf523b4b5e83788c4ab5ff7d68154d00ba17f627fb92ddfb625c6cecf43b1b3ce9860aa b/modules/sync/envoyproxy/envoy/cas/9ee0b29aed3777812c8d5348bdc7ba125d07c57cec49e831873382c2cdf523b4b5e83788c4ab5ff7d68154d00ba17f627fb92ddfb625c6cecf43b1b3ce9860aa
new file mode 100644
index 00000000..365af523
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/9ee0b29aed3777812c8d5348bdc7ba125d07c57cec49e831873382c2cdf523b4b5e83788c4ab5ff7d68154d00ba17f627fb92ddfb625c6cecf43b1b3ce9860aa
@@ -0,0 +1,59 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.listener.tls_inspector.v3;
+
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.listener.tls_inspector.v3";
+option java_outer_classname = "TlsInspectorProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/tls_inspector/v3;tls_inspectorv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: TLS Inspector Filter]
+// Allows detecting whether the transport appears to be TLS or plaintext.
+// [#extension: envoy.filters.listener.tls_inspector]
+
+// [#next-free-field: 6]
+message TlsInspector {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.listener.tls_inspector.v2.TlsInspector";
+
+ // Populate ``JA3`` fingerprint hash using data from the TLS Client Hello packet. Default is false.
+ google.protobuf.BoolValue enable_ja3_fingerprinting = 1;
+
+ // Populate ``JA4`` fingerprint hash using data from the TLS Client Hello packet.
+ // ``JA4`` is an improved version of ``JA3`` that includes TLS version, ciphers, extensions,
+ // and ALPN information in a hex format. Default is false.
+ google.protobuf.BoolValue enable_ja4_fingerprinting = 3;
+
+ // The size in bytes of the initial buffer requested by the tls_inspector.
+ // If the filter needs to read additional bytes from the socket, the
+ // filter will double the buffer up to it's default maximum of 16KiB.
+ // If this size is not defined, defaults to maximum 16KiB that the
+ // tls inspector will consume.
+ google.protobuf.UInt32Value initial_read_buffer_size = 2
+ [(validate.rules).uint32 = {lt: 65537 gt: 255}];
+
+ // Close connection when TLS ClientHello message could not be parsed.
+ // This flag should be enabled only if it is known that incoming connections are expected to use
+ // TLS protocol, as Envoy does not distinguish between a plain text message or a malformed TLS
+ // ClientHello message.
+ // By default this flag is false and TLS ClientHello parsing errors are interpreted as a
+ // plain text connection.
+ // Setting this to true will cause connections to be terminated and the ``client_hello_too_large``
+ // counter to be incremented if the ClientHello message is over implementation defined limit
+ // (currently 16Kb).
+ bool close_connection_on_client_hello_parsing_errors = 4;
+
+ // The maximum size in bytes of the ClientHello that the tls_inspector will
+ // process. If the ClientHello is larger than this size, the tls_inspector
+ // will stop processing and indicate failure. If not defined, defaults to
+ // 16KiB.
+ google.protobuf.UInt32Value max_client_hello_size = 5
+ [(validate.rules).uint32 = {lte: 16384 gt: 255}];
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/9f939fda4e1780444a5842e1b5a8c49ea62094afc0b6d83dbfd7479bfa3623be6a5c876538f9e4f7494fce932d88b9f04169da5ff732e44b87b8b318e85a7841 b/modules/sync/envoyproxy/envoy/cas/9f939fda4e1780444a5842e1b5a8c49ea62094afc0b6d83dbfd7479bfa3623be6a5c876538f9e4f7494fce932d88b9f04169da5ff732e44b87b8b318e85a7841
new file mode 100644
index 00000000..285578fd
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/9f939fda4e1780444a5842e1b5a8c49ea62094afc0b6d83dbfd7479bfa3623be6a5c876538f9e4f7494fce932d88b9f04169da5ff732e44b87b8b318e85a7841
@@ -0,0 +1,292 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.oauth2.v3;
+
+import "envoy/config/core/v3/base.proto";
+import "envoy/config/core/v3/http_uri.proto";
+import "envoy/config/route/v3/route_components.proto";
+import "envoy/extensions/transport_sockets/tls/v3/secret.proto";
+import "envoy/type/matcher/v3/path.proto";
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.oauth2.v3";
+option java_outer_classname = "OauthProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/oauth2/v3;oauth2v3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: OAuth]
+// OAuth :ref:`configuration overview `.
+// [#extension: envoy.filters.http.oauth2]
+//
+
+// OAuth cookie configuration attributes.
+//
+message CookieConfig {
+ enum SameSite {
+ DISABLED = 0;
+ STRICT = 1;
+ LAX = 2;
+ NONE = 3;
+ }
+
+ // The value used for the SameSite cookie attribute.
+ SameSite same_site = 1 [(validate.rules).enum = {defined_only: true}];
+
+ // The path attribute for the cookie.
+ //
+ // This controls the scope of the cookie and is useful for path-based routing scenarios
+ // where different logical boundaries or applications may operate with different OAuth2 clients.
+ // The CSRF cookie (nonce cookie) can be configured with a different path than session cookies
+ // to support flows where the callback URL is on a different path.
+ //
+ // If not specified, defaults to ``/``.
+ string path = 2 [(validate.rules).string = {pattern: "^$|^/[^\\x00-\\x1f\\x7f \",;<>\\\\]*$"}];
+
+ // If true, the ``Partitioned`` attribute will be set on the cookie.
+ //
+ // Modern browsers (Firefox, Chrome with third-party cookie deprecation) warn or block
+ // "foreign" cookies unless they carry the ``Partitioned`` attribute alongside ``SameSite=None; Secure``.
+ // When Envoy is used in a gateway/IdP flow that sets OAuth/OIDC cookies for a parent domain
+ // (e.g., ``Domain=.example.com``) while running on a different host, those cookies are
+ // considered third-party and will be rejected without ``Partitioned``.
+ //
+ // See `CHIPS `_ for more information.
+ //
+ // Default is false.
+ bool partitioned = 3;
+}
+
+// [#next-free-field: 8]
+message CookieConfigs {
+ // Configuration for the bearer token cookie.
+ CookieConfig bearer_token_cookie_config = 1;
+
+ // Configuration for the OAuth HMAC cookie.
+ CookieConfig oauth_hmac_cookie_config = 2;
+
+ // Configuration for the OAuth expires cookie.
+ CookieConfig oauth_expires_cookie_config = 3;
+
+ // Configuration for the ID token cookie.
+ CookieConfig id_token_cookie_config = 4;
+
+ // Configuration for the refresh token cookie.
+ CookieConfig refresh_token_cookie_config = 5;
+
+ // Configuration for the OAuth nonce cookie.
+ CookieConfig oauth_nonce_cookie_config = 6;
+
+ // Configuration for the code verifier cookie.
+ CookieConfig code_verifier_cookie_config = 7;
+}
+
+// [#next-free-field: 6]
+message OAuth2Credentials {
+ // [#next-free-field: 8]
+ message CookieNames {
+ // Cookie name to hold OAuth bearer token value. When the authentication server validates the
+ // client and returns an authorization token back to the OAuth filter, no matter what format
+ // that token is, if :ref:`forward_bearer_token `
+ // is set to true the filter will send over the bearer token as a cookie with this name to the
+ // upstream. Defaults to ``BearerToken``.
+ string bearer_token = 1
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
+ // Cookie name to hold OAuth HMAC value. Defaults to ``OauthHMAC``.
+ string oauth_hmac = 2
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
+ // Cookie name to hold OAuth expiry value. Defaults to ``OauthExpires``.
+ string oauth_expires = 3
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
+ // Cookie name to hold the id token. Defaults to ``IdToken``.
+ string id_token = 4
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
+ // Cookie name to hold the refresh token. Defaults to ``RefreshToken``.
+ string refresh_token = 5
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
+ // Cookie name to hold the nonce value. Defaults to ``OauthNonce``.
+ string oauth_nonce = 6
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+
+ // Cookie name to hold the PKCE code verifier. Defaults to ``OauthCodeVerifier``.
+ string code_verifier = 7
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
+ }
+
+ // The client_id to be used in the authorize calls. This value will be URL encoded when sent to the OAuth server.
+ string client_id = 1 [(validate.rules).string = {min_len: 1}];
+
+ // The secret used to retrieve the access token. This value will be URL encoded when sent to the OAuth server.
+ transport_sockets.tls.v3.SdsSecretConfig token_secret = 2
+ [(validate.rules).message = {required: true}];
+
+ // Configures how the secret token should be created.
+ oneof token_formation {
+ option (validate.required) = true;
+
+ // If present, the secret token will be a HMAC using the provided secret.
+ transport_sockets.tls.v3.SdsSecretConfig hmac_secret = 3
+ [(validate.rules).message = {required: true}];
+ }
+
+ // The cookie names used in OAuth filters flow.
+ CookieNames cookie_names = 4;
+
+ // The domain to set the cookie on. If not set, the cookie will default to the host of the request, not including the subdomains.
+ // This is useful when token cookies need to be shared across multiple subdomains.
+ string cookie_domain = 5
+ [(validate.rules).string = {pattern: "^$|^[^\\x00-\\x1f\\x7f \",;<>\\\\]+$"}];
+}
+
+// OAuth config
+//
+// [#next-free-field: 27]
+message OAuth2Config {
+ enum AuthType {
+ // The ``client_id`` and ``client_secret`` will be sent in the URL encoded request body.
+ // This type should only be used when Auth server does not support Basic authentication.
+ URL_ENCODED_BODY = 0;
+
+ // The ``client_id`` and ``client_secret`` will be sent using HTTP Basic authentication scheme.
+ BASIC_AUTH = 1;
+ }
+
+ // Endpoint on the authorization server to retrieve the access token from.
+ config.core.v3.HttpUri token_endpoint = 1;
+
+ // Specifies the retry policy for requests to the OAuth server. If not specified, then no retries will be performed.
+ config.core.v3.RetryPolicy retry_policy = 18;
+
+ // The endpoint redirect to for authorization in response to unauthorized requests.
+ string authorization_endpoint = 2 [(validate.rules).string = {min_len: 1}];
+
+ // The endpoint at the authorization server to request the user be logged out of the Authorization server.
+ // This field is optional and should be set only if openid is in the auth_scopes and the authorization server
+ // supports the OpenID Connect RP-Initiated Logout specification.
+ // For more information, see https://openid.net/specs/openid-connect-rpinitiated-1_0.html
+ //
+ // If configured, the OAuth2 filter will redirect users to this endpoint when they access the signout_path.
+ string end_session_endpoint = 23;
+
+ // Credentials used for OAuth.
+ OAuth2Credentials credentials = 3 [(validate.rules).message = {required: true}];
+
+ // The redirect URI passed to the authorization endpoint. Supports header formatting
+ // tokens. For more information, including details on header value syntax, see the
+ // documentation on :ref:`custom request headers `.
+ //
+ // This URI should not contain any query parameters.
+ string redirect_uri = 4 [(validate.rules).string = {min_len: 1}];
+
+ // Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server.
+ type.matcher.v3.PathMatcher redirect_path_matcher = 5
+ [(validate.rules).message = {required: true}];
+
+ // The path to sign a user out, clearing their credential cookies.
+ type.matcher.v3.PathMatcher signout_path = 6 [(validate.rules).message = {required: true}];
+
+ // Forward the OAuth token as a Bearer to upstream web service.
+ bool forward_bearer_token = 7;
+
+ // If set to true, preserve the existing authorization header.
+ // By default the client strips the existing authorization header before forwarding upstream.
+ // Can not be set to true if forward_bearer_token is already set to true.
+ // Default value is false.
+ bool preserve_authorization_header = 16;
+
+ // Any request that matches any of the provided matchers will be passed through without OAuth validation.
+ repeated config.route.v3.HeaderMatcher pass_through_matcher = 8;
+
+ // Optional list of OAuth scopes to be claimed in the authorization request. If not specified,
+ // defaults to "user" scope.
+ // OAuth RFC https://tools.ietf.org/html/rfc6749#section-3.3
+ repeated string auth_scopes = 9;
+
+ // Optional resource parameter for authorization request
+ // RFC: https://tools.ietf.org/html/rfc8707
+ repeated string resources = 10;
+
+ // Defines how ``client_id`` and ``client_secret`` are sent in OAuth client to OAuth server requests.
+ // RFC https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1
+ AuthType auth_type = 11 [(validate.rules).enum = {defined_only: true}];
+
+ // If set to true, allows automatic access token refresh using the associated refresh token (see
+ // `RFC 6749 section 6 `_), provided that the OAuth server supports that.
+ // Default value is true.
+ google.protobuf.BoolValue use_refresh_token = 12;
+
+ // The default lifetime in seconds of the access token, if omitted by the authorization server.
+ //
+ // If this value is not set, it will default to ``0s``. In this case, the expiry must be set by
+ // the authorization server or the OAuth flow will fail.
+ google.protobuf.Duration default_expires_in = 13;
+
+ // Any request that matches any of the provided matchers won't be redirected to OAuth server when tokens are not valid.
+ // Automatic access token refresh will be performed for these requests, if enabled.
+ // This behavior can be useful for AJAX requests.
+ repeated config.route.v3.HeaderMatcher deny_redirect_matcher = 14;
+
+ // The default lifetime in seconds of the refresh token, if the exp (expiration time) claim is omitted in the refresh token or the refresh token is not JWT.
+ //
+ // If this value is not set, it will default to ``604800s``. In this case, the cookie with the refresh token will be expired
+ // in a week.
+ // This setting is only considered if ``use_refresh_token`` is set to true, otherwise the authorization server expiration or ``default_expires_in`` is used.
+ google.protobuf.Duration default_refresh_token_expires_in = 15;
+
+ // If set to true, the client will not set a cookie for ID Token even if one is received from the Identity Provider. This may be useful in cases where the ID
+ // Token is too large for HTTP cookies (longer than 4096 characters). Enabling this option will only disable setting the cookie response header, the filter
+ // will still process incoming ID Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future
+ // sessions would not set the IdToken cookie header.
+ bool disable_id_token_set_cookie = 17;
+
+ // If set to true, the client will not set a cookie for Access Token even if one is received from the Identity Provider.
+ // Enabling this option will only disable setting the cookie response header, the filter
+ // will still process incoming Access Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future
+ // sessions would not set the Access Token cookie header.
+ bool disable_access_token_set_cookie = 19;
+
+ // If set to true, the client will not set a cookie for Refresh Token even if one is received from the Identity Provider.
+ // Enabling this option will only disable setting the cookie response header, the filter
+ // will still process incoming Refresh Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future
+ // sessions would not set the Refresh Token cookie header.
+ bool disable_refresh_token_set_cookie = 20;
+
+ // Controls for attributes that can be set on the cookies.
+ CookieConfigs cookie_configs = 21;
+
+ // Optional additional prefix to use when emitting statistics.
+ string stat_prefix = 22;
+
+ // Optional expiration time for the CSRF protection token cookie.
+ // The CSRF token prevents cross-site request forgery attacks during the OAuth2 flow.
+ // If not specified, defaults to ``600s`` (10 minutes), which should provide sufficient time
+ // for users to complete the OAuth2 authorization flow.
+ google.protobuf.Duration csrf_token_expires_in = 24;
+
+ // Optional expiration time for the code verifier cookie.
+ // The code verifier is stored in a secure, HTTP-only cookie during the OAuth2 authorization process.
+ // If not specified, defaults to ``600s`` (10 minutes), which should provide sufficient time
+ // for users to complete the OAuth2 authorization flow.
+ google.protobuf.Duration code_verifier_token_expires_in = 25;
+
+ // Disable token encryption. When set to true, both the access token and the ID token will be stored in plain text.
+ // This option should only be used in secure environments where token encryption is not required.
+ // Default is false (tokens are encrypted).
+ bool disable_token_encryption = 26;
+}
+
+// Filter config.
+message OAuth2 {
+ // Leave this empty to disable OAuth2 for a specific route, using per filter config.
+ OAuth2Config config = 1;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/a042cae93d024d6bcecdde67e0c856f445cb18ab4555c6f38eb17d049272b6216f1c566b58ee5eb42d649d1bb80e04f9b62fa3a9a6ba3d9c369980eca2214154 b/modules/sync/envoyproxy/envoy/cas/a042cae93d024d6bcecdde67e0c856f445cb18ab4555c6f38eb17d049272b6216f1c566b58ee5eb42d649d1bb80e04f9b62fa3a9a6ba3d9c369980eca2214154
new file mode 100644
index 00000000..1b6c1140
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/a042cae93d024d6bcecdde67e0c856f445cb18ab4555c6f38eb17d049272b6216f1c566b58ee5eb42d649d1bb80e04f9b62fa3a9a6ba3d9c369980eca2214154
@@ -0,0 +1,17 @@
+syntax = "proto3";
+
+package istio.workload;
+
+import "envoy/config/core/v3/config_source.proto";
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.istio.workload";
+option java_outer_classname = "ExtensionProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/contrib/istio/workload";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+message BootstrapExtension {
+ envoy.config.core.v3.ConfigSource config_source = 1;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/a57d27a8b05774d301f856d2f82d3f94ab03fbcd8b9d188f3edd115325f9054463979c76015c671ebd4cc35c960fd035c8a5049716f71abc97bd332996de3bd2 b/modules/sync/envoyproxy/envoy/cas/a57d27a8b05774d301f856d2f82d3f94ab03fbcd8b9d188f3edd115325f9054463979c76015c671ebd4cc35c960fd035c8a5049716f71abc97bd332996de3bd2
new file mode 100644
index 00000000..808acc6c
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/a57d27a8b05774d301f856d2f82d3f94ab03fbcd8b9d188f3edd115325f9054463979c76015c671ebd4cc35c960fd035c8a5049716f71abc97bd332996de3bd2
@@ -0,0 +1,79 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.network.dynamic_modules.v3;
+
+import "envoy/extensions/dynamic_modules/v3/dynamic_modules.proto";
+
+import "google/protobuf/any.proto";
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.network.dynamic_modules.v3";
+option java_outer_classname = "DynamicModulesProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/dynamic_modules/v3;dynamic_modulesv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Dynamic Modules Network Filter]
+// [#extension: envoy.filters.network.dynamic_modules]
+
+// Configuration for the Dynamic Modules network filter. This filter allows loading shared object
+// files that can be loaded via ``dlopen`` to extend the network filter chain.
+//
+// A module can be loaded by multiple network filters; the module is loaded only once and shared
+// across multiple filters.
+//
+// Unlike HTTP filters which operate on structured headers, body, and trailers, network filters work
+// with raw TCP byte streams. The filter can:
+//
+// * Inspect, modify, or inject data into the downstream connection.
+// * Access connection-level information such as addresses and TLS status.
+// * Control connection lifecycle (e.g., close the connection).
+message DynamicModuleNetworkFilter {
+ // Specifies the shared-object level configuration.
+ envoy.extensions.dynamic_modules.v3.DynamicModuleConfig dynamic_module_config = 1;
+
+ // The name for this filter configuration.
+ //
+ // This can be used to distinguish between different filter implementations inside a dynamic
+ // module. For example, a module can have completely different filter implementations. When Envoy
+ // receives this configuration, it passes the ``filter_name`` to the dynamic module's network
+ // filter config init function together with the ``filter_config``. That way a module can decide
+ // which in-module filter implementation to use based on the name at load time.
+ string filter_name = 2;
+
+ // The configuration for the filter chosen by ``filter_name``.
+ //
+ // This is passed to the module's network filter initialization function. Together with the
+ // ``filter_name``, the module can decide which in-module filter implementation to use and
+ // fine-tune the behavior of the filter.
+ //
+ // For example, if a module has two filter implementations, one for echo and one for rate
+ // limiting, ``filter_name`` is used to choose either echo or rate limiting. The
+ // ``filter_config`` can be used to configure the echo behavior or the rate limiting parameters.
+ //
+ // ``google.protobuf.Struct`` is serialized as JSON before passing it to the module.
+ // ``google.protobuf.BytesValue`` and ``google.protobuf.StringValue`` are passed directly
+ // without the wrapper.
+ //
+ // .. code-block:: yaml
+ //
+ // # Passing a string value
+ // filter_config:
+ // "@type": "type.googleapis.com/google.protobuf.StringValue"
+ // value: hello
+ //
+ // # Passing raw bytes
+ // filter_config:
+ // "@type": "type.googleapis.com/google.protobuf.BytesValue"
+ // value: aGVsbG8= # echo -n "hello" | base64
+ //
+ google.protobuf.Any filter_config = 3;
+
+ // If ``true``, the dynamic module is a terminal filter to use without an upstream connection.
+ //
+ // The dynamic module is responsible for creating and sending the response to downstream.
+ //
+ // Defaults to ``false``.
+ bool terminal_filter = 4;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/a5b9356c8ef2aa3c78941be61e47dbf667813c0a9d73f36aa221543f88d82f7e2e3ee366d2bc81f86874832629ed25e92ada0afa531e8273e930bc46ca4ba02a b/modules/sync/envoyproxy/envoy/cas/a5b9356c8ef2aa3c78941be61e47dbf667813c0a9d73f36aa221543f88d82f7e2e3ee366d2bc81f86874832629ed25e92ada0afa531e8273e930bc46ca4ba02a
new file mode 100644
index 00000000..ef153ad1
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/a5b9356c8ef2aa3c78941be61e47dbf667813c0a9d73f36aa221543f88d82f7e2e3ee366d2bc81f86874832629ed25e92ada0afa531e8273e930bc46ca4ba02a
@@ -0,0 +1,470 @@ +syntax = "proto3"; + +package envoy.config.rbac.v3; + +import "envoy/config/core/v3/address.proto"; +import "envoy/config/core/v3/cel.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/route/v3/route_components.proto"; +import "envoy/type/matcher/v3/filter_state.proto"; +import "envoy/type/matcher/v3/metadata.proto"; +import "envoy/type/matcher/v3/path.proto"; +import "envoy/type/matcher/v3/string.proto"; +import "envoy/type/v3/range.proto"; + +import "google/api/expr/v1alpha1/checked.proto"; +import "google/api/expr/v1alpha1/syntax.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.rbac.v3"; +option java_outer_classname = "RbacProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/rbac/v3;rbacv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Role Based Access Control (RBAC)] + +enum MetadataSource { + // Query :ref:`dynamic metadata ` + DYNAMIC = 0; + + // Query :ref:`route metadata ` + ROUTE = 1; +} + +// Role Based Access Control (RBAC) provides service-level and method-level access control for a +// service. Requests are allowed or denied based on the ``action`` and whether a matching policy is +// found. For instance, if the action is ALLOW and a matching policy is found the request should be +// allowed. +// +// RBAC can also be used to make access logging decisions by communicating with access loggers +// through dynamic metadata. When the action is LOG and at least one policy matches, the +// ``access_log_hint`` value in the shared key namespace 'envoy.common' is set to ``true`` indicating +// the request should be logged. +// +// Here is an example of RBAC configuration. 
It has two policies: +// +// * Service account ``cluster.local/ns/default/sa/admin`` has full access to the service, and so +// does "cluster.local/ns/default/sa/superuser". +// +// * Any user can read (``GET``) the service at paths with prefix ``/products``, so long as the +// destination port is either 80 or 443. +// +// .. code-block:: yaml +// +// action: ALLOW +// policies: +// "service-admin": +// permissions: +// - any: true +// principals: +// - authenticated: +// principal_name: +// exact: "cluster.local/ns/default/sa/admin" +// - authenticated: +// principal_name: +// exact: "cluster.local/ns/default/sa/superuser" +// "product-viewer": +// permissions: +// - and_rules: +// rules: +// - header: +// name: ":method" +// string_match: +// exact: "GET" +// - url_path: +// path: { prefix: "/products" } +// - or_rules: +// rules: +// - destination_port: 80 +// - destination_port: 443 +// principals: +// - any: true +// +message RBAC { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v2.RBAC"; + + // Should we do safe-list or block-list style access control? + enum Action { + // The policies grant access to principals. The rest are denied. This is safe-list style + // access control. This is the default type. + ALLOW = 0; + + // The policies deny access to principals. The rest are allowed. This is block-list style + // access control. + DENY = 1; + + // The policies set the ``access_log_hint`` dynamic metadata key based on if requests match. + // All requests are allowed. + LOG = 2; + } + + message AuditLoggingOptions { + // Deny and allow here refer to RBAC decisions, not actions. + enum AuditCondition { + // Never audit. + NONE = 0; + + // Audit when RBAC denies the request. + ON_DENY = 1; + + // Audit when RBAC allows the request. + ON_ALLOW = 2; + + // Audit whether RBAC allows or denies the request. + ON_DENY_AND_ALLOW = 3; + } + + // [#not-implemented-hide:] + message AuditLoggerConfig { + // Typed logger configuration. 
+ // + // [#extension-category: envoy.rbac.audit_loggers] + core.v3.TypedExtensionConfig audit_logger = 1; + + // If true, when the logger is not supported, the data plane will not NACK but simply ignore it. + bool is_optional = 2; + } + + // Condition for the audit logging to happen. + // If this condition is met, all the audit loggers configured here will be invoked. + // + // [#not-implemented-hide:] + AuditCondition audit_condition = 1 [(validate.rules).enum = {defined_only: true}]; + + // Configurations for RBAC-based authorization audit loggers. + // + // [#not-implemented-hide:] + repeated AuditLoggerConfig logger_configs = 2; + } + + // The action to take if a policy matches. Every action either allows or denies a request, + // and can also carry out action-specific operations. + // + // Actions: + // + // * ``ALLOW``: Allows the request if and only if there is a policy that matches + // the request. + // * ``DENY``: Allows the request if and only if there are no policies that + // match the request. + // * ``LOG``: Allows all requests. If at least one policy matches, the dynamic + // metadata key ``access_log_hint`` is set to the value ``true`` under the shared + // key namespace ``envoy.common``. If no policies match, it is set to ``false``. + // Other actions do not modify this key. + // + Action action = 1 [(validate.rules).enum = {defined_only: true}]; + + // Maps from policy name to policy. A match occurs when at least one policy matches the request. + // The policies are evaluated in lexicographic order of the policy name. + map policies = 2; + + // Audit logging options that include the condition for audit logging to happen + // and audit logger configurations. + // + // [#not-implemented-hide:] + AuditLoggingOptions audit_logging_options = 3; +} + +// Policy specifies a role and the principals that are assigned/denied the role. 
+// A policy matches if and only if at least one of its permissions match the +// action taking place AND at least one of its principals match the downstream +// AND the condition is true if specified. +// [#next-free-field: 6] +message Policy { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v2.Policy"; + + // Required. The set of permissions that define a role. Each permission is + // matched with OR semantics. To match all actions for this policy, a single + // Permission with the ``any`` field set to true should be used. + repeated Permission permissions = 1 [(validate.rules).repeated = {min_items: 1}]; + + // Required. The set of principals that are assigned/denied the role based on + // “action”. Each principal is matched with OR semantics. To match all + // downstreams for this policy, a single Principal with the ``any`` field set to + // true should be used. + repeated Principal principals = 2 [(validate.rules).repeated = {min_items: 1}]; + + // An optional symbolic expression specifying an access control + // :ref:`condition `. The condition is combined + // with the permissions and the principals as a clause with AND semantics. + // Only be used when checked_condition is not used. + google.api.expr.v1alpha1.Expr condition = 3 + [(udpa.annotations.field_migrate).oneof_promotion = "expression_specifier"]; + + // [#not-implemented-hide:] + // An optional symbolic expression that has been successfully type checked. + // Only be used when condition is not used. + google.api.expr.v1alpha1.CheckedExpr checked_condition = 4 + [(udpa.annotations.field_migrate).oneof_promotion = "expression_specifier"]; + + // CEL expression configuration that modifies the evaluation behavior of the ``condition`` field. + // If specified, string conversion, concatenation, and manipulation functions may be enabled + // for the CEL expression. See :ref:`CelExpressionConfig ` + // for more details. 
+ core.v3.CelExpressionConfig cel_config = 5; +} + +// SourcedMetadata enables matching against metadata from different sources in the request processing +// pipeline. It extends the base MetadataMatcher functionality by allowing specification of where the +// metadata should be sourced from, rather than only matching against dynamic metadata. +// +// The matcher can be configured to look up metadata from: +// +// * Dynamic metadata: Runtime metadata added by filters during request processing +// * Route metadata: Static metadata configured on the route entry +// +message SourcedMetadata { + // Metadata matcher configuration that defines what metadata to match against. This includes the filter name, + // metadata key path, and expected value. + type.matcher.v3.MetadataMatcher metadata_matcher = 1 + [(validate.rules).message = {required: true}]; + + // Specifies which metadata source should be used for matching. If not set, + // defaults to DYNAMIC (dynamic metadata). Set to ROUTE to match against + // static metadata configured on the route entry. + MetadataSource metadata_source = 2 [(validate.rules).enum = {defined_only: true}]; +} + +// Permission defines an action (or actions) that a principal can take. +// [#next-free-field: 15] +message Permission { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v2.Permission"; + + // Used in the ``and_rules`` and ``or_rules`` fields in the ``rule`` oneof. Depending on the context, + // each are applied with the associated behavior. + message Set { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.rbac.v2.Permission.Set"; + + repeated Permission rules = 1 [(validate.rules).repeated = {min_items: 1}]; + } + + oneof rule { + option (validate.required) = true; + + // A set of rules that all must match in order to define the action. + Set and_rules = 1; + + // A set of rules where at least one must match in order to define the action. 
+ Set or_rules = 2; + + // When any is set, it matches any action. + bool any = 3 [(validate.rules).bool = {const: true}]; + + // A header (or pseudo-header such as ``:path`` or ``:method``) on the incoming HTTP request. Only available + // for HTTP request. + // + // .. note:: + // + // The pseudo-header ``:path`` includes the query and fragment string. Use the ``url_path`` field if you + // want to match the URL path without the query and fragment string. + // + route.v3.HeaderMatcher header = 4; + + // A URL path on the incoming HTTP request. Only available for HTTP. + type.matcher.v3.PathMatcher url_path = 10; + + // A CIDR block that describes the destination IP. + core.v3.CidrRange destination_ip = 5; + + // A port number that describes the destination port connecting to. + uint32 destination_port = 6 [(validate.rules).uint32 = {lte: 65535}]; + + // A port number range that describes a range of destination ports connecting to. + type.v3.Int32Range destination_port_range = 11; + + // Metadata that describes additional information about the action. This field is deprecated; please use + // :ref:`sourced_metadata` instead. + type.matcher.v3.MetadataMatcher metadata = 7 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Negates matching the provided permission. For instance, if the value of + // ``not_rule`` would match, this permission would not match. Conversely, if + // the value of ``not_rule`` would not match, this permission would match. + Permission not_rule = 8; + + // The request server from the client's connection request. This is typically TLS SNI. + // + // .. attention:: + // + // The behavior of this field may be affected by how Envoy is configured + // as explained below. 
+ // + // * If the :ref:`TLS Inspector ` + // filter is not added, and if a ``FilterChainMatch`` is not defined for + // the :ref:`server name + // `, + // a TLS connection's requested SNI server name will be treated as if it + // wasn't present. + // + // * A :ref:`listener filter ` may + // overwrite a connection's requested server name within Envoy. + // + // Please refer to :ref:`this FAQ entry ` to learn how to setup SNI. + type.matcher.v3.StringMatcher requested_server_name = 9; + + // Extension for configuring custom matchers for RBAC. + // [#extension-category: envoy.rbac.matchers] + core.v3.TypedExtensionConfig matcher = 12; + + // URI template path matching. + // [#extension-category: envoy.path.match] + core.v3.TypedExtensionConfig uri_template = 13; + + // Matches against metadata from either dynamic state or route configuration. Preferred over the + // ``metadata`` field as it provides more flexibility in metadata source selection. + SourcedMetadata sourced_metadata = 14; + } +} + +// Principal defines an identity or a group of identities for a downstream +// subject. +// [#next-free-field: 15] +message Principal { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v2.Principal"; + + // Used in the ``and_ids`` and ``or_ids`` fields in the ``identifier`` oneof. + // Depending on the context, each are applied with the associated behavior. + message Set { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.rbac.v2.Principal.Set"; + + repeated Principal ids = 1 [(validate.rules).repeated = {min_items: 1}]; + } + + // Authentication attributes for a downstream. + // It is recommended to NOT use this type, but instead use + // :ref:`MTlsAuthenticated `, + // configured via :ref:`custom `, + // which should be used for most use cases due to its improved security. 
+ message Authenticated { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.rbac.v2.Principal.Authenticated"; + + reserved 1; + + // The name of the principal. If set, The URI SAN or DNS SAN in that order + // is used from the certificate, otherwise the subject field is used. If + // unset, it applies to any user that is allowed by the downstream TLS configuration. + // If :ref:`require_client_certificate ` + // is false or :ref:`trust_chain_verification ` + // is set to :ref:`ACCEPT_UNTRUSTED `, + // then no authentication is required. + type.matcher.v3.StringMatcher principal_name = 2; + } + + oneof identifier { + option (validate.required) = true; + + // A set of identifiers that all must match in order to define the downstream. + Set and_ids = 1; + + // A set of identifiers at least one must match in order to define the downstream. + Set or_ids = 2; + + // When any is set, it matches any downstream. + bool any = 3 [(validate.rules).bool = {const: true}]; + + // Authenticated attributes that identify the downstream. + // It is recommended to NOT use this field, but instead use + // :ref:`MTlsAuthenticated `, + // configured via :ref:`custom `, + // which should be used for most use cases due to its improved security. + Authenticated authenticated = 4; + + // A CIDR block that describes the downstream IP. + // This address will honor proxy protocol, but will not honor XFF. + // + // This field is deprecated; either use :ref:`remote_ip + // ` for the same + // behavior, or use + // :ref:`direct_remote_ip `. + core.v3.CidrRange source_ip = 5 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // A CIDR block that describes the downstream remote/origin address. + // + // .. note:: + // + // This is always the physical peer even if the + // :ref:`remote_ip ` is inferred from the + // x-forwarder-for header, the proxy protocol, etc. 
+ // + core.v3.CidrRange direct_remote_ip = 10; + + // A CIDR block that describes the downstream remote/origin address. + // + // .. note:: + // + // This may not be the physical peer and could be different from the :ref:`direct_remote_ip + // `. E.g, if the remote ip is inferred from + // the x-forwarder-for header, the proxy protocol, etc. + // + core.v3.CidrRange remote_ip = 11; + + // A header (or pseudo-header such as ``:path`` or ``:method``) on the incoming HTTP request. Only available + // for HTTP request. + // + // .. note:: + // + // The pseudo-header ``:path`` includes the query and fragment string. Use the ``url_path`` field if you + // want to match the URL path without the query and fragment string. + // + route.v3.HeaderMatcher header = 6; + + // A URL path on the incoming HTTP request. Only available for HTTP. + type.matcher.v3.PathMatcher url_path = 9; + + // Metadata that describes additional information about the principal. This field is deprecated; please use + // :ref:`sourced_metadata` instead. + type.matcher.v3.MetadataMatcher metadata = 7 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Identifies the principal using a filter state object. + type.matcher.v3.FilterStateMatcher filter_state = 12; + + // Negates matching the provided principal. For instance, if the value of + // ``not_id`` would match, this principal would not match. Conversely, if the + // value of ``not_id`` would not match, this principal would match. + Principal not_id = 8; + + // Matches against metadata from either dynamic state or route configuration. Preferred over the + // ``metadata`` field as it provides more flexibility in metadata source selection. + SourcedMetadata sourced_metadata = 13; + + // Extension for configuring custom principals for RBAC. 
+ // [#extension-category: envoy.rbac.principals] + core.v3.TypedExtensionConfig custom = 14; + } +} + +// Action defines the result of allowance or denial when a request matches the matcher. +message Action { + // The name indicates the policy name. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // The action to take if the matcher matches. Every action either allows or denies a request, + // and can also carry out action-specific operations. + // + // **Actions:** + // + // * ``ALLOW``: If the request gets matched on ALLOW, it is permitted. + // * ``DENY``: If the request gets matched on DENY, it is not permitted. + // * ``LOG``: If the request gets matched on LOG, it is permitted. Besides, the + // dynamic metadata key ``access_log_hint`` under the shared key namespace + // ``envoy.common`` will be set to the value ``true``. + // * If the request cannot get matched, it will fallback to ``DENY``. + // + // **Log behavior:** + // + // If the RBAC matcher contains at least one LOG action, the dynamic + // metadata key ``access_log_hint`` will be set based on if the request + // get matched on the LOG action. + // + RBAC.Action action = 2; +} diff --git a/modules/sync/envoyproxy/envoy/cas/ab4879612ab6ac4cd7e0baeda3622cda45273b419ad9bd1d79bdc707aaf11f9cca1b5fbecc5c290cb93e63d7396d6d0fbe9c1beee5d3305f72252035f8604fd4 b/modules/sync/envoyproxy/envoy/cas/ab4879612ab6ac4cd7e0baeda3622cda45273b419ad9bd1d79bdc707aaf11f9cca1b5fbecc5c290cb93e63d7396d6d0fbe9c1beee5d3305f72252035f8604fd4 new file mode 100644 index 00000000..9d8cf8bf --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/ab4879612ab6ac4cd7e0baeda3622cda45273b419ad9bd1d79bdc707aaf11f9cca1b5fbecc5c290cb93e63d7396d6d0fbe9c1beee5d3305f72252035f8604fd4 
@@ -0,0 +1,1357 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.http_connection_manager.v3; + +import "envoy/config/accesslog/v3/accesslog.proto"; +import "envoy/config/core/v3/address.proto"; +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/config_source.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/protocol.proto"; +import "envoy/config/core/v3/substitution_format_string.proto"; +import "envoy/config/route/v3/route.proto"; +import "envoy/config/route/v3/scoped_route.proto"; +import "envoy/config/trace/v3/http_tracer.proto"; +import "envoy/type/http/v3/path_transformation.proto"; +import "envoy/type/tracing/v3/custom_tag.proto"; +import "envoy/type/v3/percent.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "xds/type/matcher/v3/matcher.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/security.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.http_connection_manager.v3"; +option java_outer_classname = "HttpConnectionManagerProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3;http_connection_managerv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: HTTP connection manager] +// HTTP connection manager :ref:`configuration overview `. 
+// [#extension: envoy.filters.network.http_connection_manager] + +// [#next-free-field: 61] +message HttpConnectionManager { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"; + + enum CodecType { + // For every new connection, the connection manager will determine which + // codec to use. This mode supports both ALPN for TLS listeners as well as + // protocol inference for plaintext listeners. If ALPN data is available, it + // is preferred, otherwise protocol inference is used. In almost all cases, + // this is the right option to choose for this setting. + AUTO = 0; + + // The connection manager will assume that the client is speaking HTTP/1.1. + HTTP1 = 1; + + // The connection manager will assume that the client is speaking HTTP/2 + // (Envoy does not require HTTP/2 to take place over TLS or to use ALPN. + // Prior knowledge is allowed). + HTTP2 = 2; + + // The connection manager will assume that the client is speaking HTTP/3. + // This needs to be consistent with listener and transport socket config. + HTTP3 = 3; + } + + enum ServerHeaderTransformation { + // Overwrite any Server header with the contents of server_name. + OVERWRITE = 0; + + // If no Server header is present, append Server server_name + // If a Server header is present, pass it through. + APPEND_IF_ABSENT = 1; + + // Pass through the value of the server header, and do not append a header + // if none is present. + PASS_THROUGH = 2; + } + + // How to handle the :ref:`config_http_conn_man_headers_x-forwarded-client-cert` (XFCC) HTTP + // header. + enum ForwardClientCertDetails { + // Do not send the XFCC header to the next hop. This is the default value. + SANITIZE = 0; + + // When the client connection is mTLS (Mutual TLS), forward the XFCC header + // in the request. 
+ FORWARD_ONLY = 1; + + // When the client connection is mTLS, append the client certificate + // information to the request’s XFCC header and forward it. + APPEND_FORWARD = 2; + + // When the client connection is mTLS, reset the XFCC header with the client + // certificate information and send it to the next hop. + SANITIZE_SET = 3; + + // Always forward the XFCC header in the request, regardless of whether the + // client connection is mTLS. + ALWAYS_FORWARD_ONLY = 4; + } + + // Determines the action for request that contain ``%2F``, ``%2f``, ``%5C`` or ``%5c`` sequences in the URI path. + // This operation occurs before URL normalization and the merge slashes transformations if they were enabled. + enum PathWithEscapedSlashesAction { + // Default behavior specific to implementation (i.e. Envoy) of this configuration option. + // Envoy, by default, takes the KEEP_UNCHANGED action. + // + // .. note:: + // + // The implementation may change the default behavior at-will. + IMPLEMENTATION_SPECIFIC_DEFAULT = 0; + + // Keep escaped slashes. + KEEP_UNCHANGED = 1; + + // Reject client request with the 400 status. gRPC requests will be rejected with the INTERNAL (13) error code. + // The ``httpN.downstream_rq_failed_path_normalization`` counter is incremented for each rejected request. + REJECT_REQUEST = 2; + + // Unescape ``%2F`` and ``%5C`` sequences and redirect request to the new path if these sequences were present. + // Redirect occurs after path normalization and merge slashes transformations if they were configured. + // + // .. note:: + // + // gRPC requests will be rejected with the INTERNAL (13) error code. This option minimizes possibility of path + // confusion exploits by forcing request with unescaped slashes to traverse all parties: downstream client, + // intermediate proxies, Envoy and upstream server. The ``httpN.downstream_rq_redirected_with_normalized_path`` + // counter is incremented for each redirected request. 
+ // + UNESCAPE_AND_REDIRECT = 3; + + // Unescape ``%2F`` and ``%5C`` sequences. + // + // .. note:: + // + // This option should not be enabled if intermediaries perform path based access control as it may lead to path + // confusion vulnerabilities. + // + UNESCAPE_AND_FORWARD = 4; + } + + // [#next-free-field: 13] + message Tracing { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager.Tracing"; + + // This OperationName makes no sense and is unnecessary in the current tracing API. + // [#not-implemented-hide:] + enum OperationName { + // The HTTP listener is used for ingress/incoming requests. + INGRESS = 0; + + // The HTTP listener is used for egress/outgoing requests. + EGRESS = 1; + } + + reserved 1, 2; + + reserved "operation_name", "request_headers_for_tags"; + + // Target percentage of requests managed by this HTTP connection manager that will be force + // traced if the :ref:`x-client-trace-id ` + // header is set. This field is a direct analog for the runtime variable + // 'tracing.client_enabled' in the :ref:`HTTP Connection Manager + // `. + // Default: 100% + type.v3.Percent client_sampling = 3; + + // Target percentage of requests managed by this HTTP connection manager that will be randomly + // selected for trace generation, if not requested by the client or not forced. This field is + // a direct analog for the runtime variable 'tracing.random_sampling' in the + // :ref:`HTTP Connection Manager `. + // Default: 100% + type.v3.Percent random_sampling = 4; + + // Target percentage of requests managed by this HTTP connection manager that will be traced + // after all other sampling checks have been applied (client-directed, force tracing, random + // sampling). This field functions as an upper limit on the total configured sampling rate. 
For + // instance, setting client_sampling to 100% but overall_sampling to 1% will result in only 1% + // of client requests with the appropriate headers to be force traced. This field is a direct + // analog for the runtime variable 'tracing.global_enabled' in the + // :ref:`HTTP Connection Manager `. + // Default: 100% + type.v3.Percent overall_sampling = 5; + + // Whether to annotate spans with additional data. If true, spans will include logs for stream + // events. + bool verbose = 6; + + // Maximum length of the request path to extract and include in the HttpUrl tag. Used to + // truncate lengthy request paths to meet the needs of a tracing backend. + // Default: 256 + google.protobuf.UInt32Value max_path_tag_length = 7; + + // A list of custom tags with unique tag name to create tags for the active span. + repeated type.tracing.v3.CustomTag custom_tags = 8; + + // Configuration for an external tracing provider. + // If not specified, no tracing will be performed. + config.trace.v3.Tracing.Http provider = 9; + + // Create separate tracing span for each upstream request if true. And if this flag is set to true, + // the tracing provider will assume that Envoy will be independent hop in the trace chain and may + // set span type to client or server based on this flag. + // This will deprecate the + // :ref:`start_child_span ` + // in the router. + // + // Users should set appropriate value based on their tracing provider and actual scenario: + // + // * If Envoy is used as sidecar and users want to make the sidecar and its application as only one + // hop in the trace chain, this flag should be set to false. And please also make sure the + // :ref:`start_child_span ` + // in the router is not set to true. + // * If Envoy is used as gateway or independent proxy, or users want to make the sidecar and its + // application as different hops in the trace chain, this flag should be set to true. 
+ // * If tracing provider that has explicit requirements on span creation (like SkyWalking), + // this flag should be set to true. + // + // The default value is false for now for backward compatibility. + google.protobuf.BoolValue spawn_upstream_span = 10; + + // The operation name of the span which will be used for tracing. + // + // The same :ref:`format specifier ` as used for + // :ref:`HTTP access logging ` applies here, however + // unknown specifier values are replaced with the empty string instead of ``-``. + // + // This field will take precedence over and make following settings ineffective: + // + // * :ref:`route decorator ` and + // * :ref:`x-envoy-decorator-operation ` + // header will be ignored. + string operation = 11; + + // The operation name of the upstream span which will be used for tracing. + // This only takes effect when ``spawn_upstream_span`` is set to true and the upstream + // span is created. + // + // The same :ref:`format specifier ` as used for + // :ref:`HTTP access logging ` applies here, however + // unknown specifier values are replaced with the empty string instead of ``-``. + string upstream_operation = 12; + } + + message InternalAddressConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager." + "InternalAddressConfig"; + + // Whether unix socket addresses should be considered internal. + bool unix_sockets = 1; + + // List of CIDR ranges that are treated as internal. If unset, then RFC1918 / RFC4193 + // IP addresses will be considered internal. + repeated config.core.v3.CidrRange cidr_ranges = 2; + } + + // [#next-free-field: 7] + message SetCurrentClientCertDetails { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager." + "SetCurrentClientCertDetails"; + + reserved 2; + + // Whether to forward the subject of the client cert. 
Defaults to false. + google.protobuf.BoolValue subject = 1; + + // Whether to forward the entire client cert in URL encoded PEM format. This will appear in the + // XFCC header comma separated from other values with the value Cert="PEM". + // Defaults to false. + bool cert = 3; + + // Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM + // format. This will appear in the XFCC header comma separated from other values with the value + // Chain="PEM". + // Defaults to false. + bool chain = 6; + + // Whether to forward the DNS type Subject Alternative Names of the client cert. + // Defaults to false. + bool dns = 4; + + // Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to + // false. + bool uri = 5; + } + + // The configuration for forwarding client cert details. + message ForwardClientCertConfig { + // How to handle the XFCC header. + ForwardClientCertDetails forward_client_cert_details = 1; + + // How to set the current client cert details. + SetCurrentClientCertDetails set_current_client_cert_details = 2; + } + + // The configuration for HTTP upgrades. + // For each upgrade type desired, an UpgradeConfig must be added. + // + // .. warning:: + // + // The current implementation of upgrade headers does not handle multi-valued upgrade headers. Support for + // multi-valued headers may be added in the future if needed. + // + // .. warning:: + // The current implementation of upgrade headers does not work with HTTP/2 upstreams. + // + message UpgradeConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager." + "UpgradeConfig"; + + // The case-insensitive name of this upgrade, e.g. "websocket". + // For each upgrade type present in upgrade_configs, requests with + // Upgrade: [upgrade_type] + // will be proxied upstream. 
+ string upgrade_type = 1; + + // If present, this represents the filter chain which will be created for + // this type of upgrade. If no filters are present, the filter chain for + // HTTP connections will be used for this upgrade type. + repeated HttpFilter filters = 2; + + // Determines if upgrades are enabled or disabled by default. Defaults to true. + // This can be overridden on a per-route basis with :ref:`cluster + // ` as documented in the + // :ref:`upgrade documentation `. + google.protobuf.BoolValue enabled = 3; + } + + // [#not-implemented-hide:] Transformations that apply to path headers. Transformations are applied + // before any processing of requests by HTTP filters, routing, and matching. Only the normalized + // path will be visible internally if a transformation is enabled. Any path rewrites that the + // router performs (e.g. :ref:`regex_rewrite + // ` or :ref:`prefix_rewrite + // `) will apply to the ``:path`` header + // destined for the upstream. + // + // .. note:: + // + // Access logging and tracing will show the original ``:path`` header. + // + message PathNormalizationOptions { + // [#not-implemented-hide:] Normalization applies internally before any processing of requests by + // HTTP filters, routing, and matching *and* will affect the forwarded ``:path`` header. Defaults + // to :ref:`NormalizePathRFC3986 + // `. When not + // specified, this value may be overridden by the runtime variable + // :ref:`http_connection_manager.normalize_path`. + // Envoy will respond with 400 to paths that are malformed (e.g. for paths that fail RFC 3986 + // normalization due to disallowed characters.) + type.http.v3.PathTransformation forwarding_transformation = 1; + + // [#not-implemented-hide:] Normalization only applies internally before any processing of + // requests by HTTP filters, routing, and matching. These will be applied after full + // transformation is applied. 
The ``:path`` header before this transformation will be restored in + // the router filter and sent upstream unless it was mutated by a filter. Defaults to no + // transformations. + // Multiple actions can be applied in the same Transformation, forming a sequential + // pipeline. The transformations will be performed in the order that they appear. Envoy will + // respond with 400 to paths that are malformed (e.g. for paths that fail RFC 3986 + // normalization due to disallowed characters.) + type.http.v3.PathTransformation http_filter_transformation = 2; + } + + // Configures the manner in which the Proxy-Status HTTP response header is + // populated. + // + // See the [Proxy-Status + // RFC](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-proxy-status-08). + // [#comment:TODO: Update this with the non-draft URL when finalized.] + // + // The Proxy-Status header is a string of the form: + // + // "; error=; details=
" + // [#next-free-field: 7] + message ProxyStatusConfig { + // If true, the details field of the Proxy-Status header is not populated with stream_info.response_code_details. + // This value defaults to ``false``, i.e. the ``details`` field is populated by default. + bool remove_details = 1; + + // If true, the details field of the Proxy-Status header will not contain + // connection termination details. This value defaults to ``false``, i.e. the + // ``details`` field will contain connection termination details by default. + bool remove_connection_termination_details = 2; + + // If true, the details field of the Proxy-Status header will not contain an + // enumeration of the Envoy ResponseFlags. This value defaults to ``false``, + // i.e. the ``details`` field will contain a list of ResponseFlags by default. + bool remove_response_flags = 3; + + // If true, overwrites the existing Status header with the response code + // recommended by the Proxy-Status spec. + // This value defaults to ``false``, i.e. the HTTP response code is not + // overwritten. + bool set_recommended_response_code = 4; + + // The name of the proxy as it appears at the start of the Proxy-Status + // header. + // + // If neither of these values are set, this value defaults to ``server_name``, + // which itself defaults to "envoy". + oneof proxy_name { + // If ``use_node_id`` is set, Proxy-Status headers will use the Envoy's node + // ID as the name of the proxy. + bool use_node_id = 5; + + // If ``literal_proxy_name`` is set, Proxy-Status headers will use this + // value as the name of the proxy. + string literal_proxy_name = 6; + } + } + + message HcmAccessLogOptions { + // The interval to flush the above access logs. By default, the HCM will flush exactly one access log + // on stream close, when the HTTP request is complete. If this field is set, the HCM will flush access + // logs periodically at the specified interval. 
This is especially useful in the case of long-lived + // requests, such as CONNECT and Websockets. Final access logs can be detected via the + // ``requestComplete()`` method of ``StreamInfo`` in access log filters, or through the ``%DURATION%`` substitution + // string. + // The interval must be at least 1 millisecond. + google.protobuf.Duration access_log_flush_interval = 1 + [(validate.rules).duration = {gte {nanos: 1000000}}]; + + // If set to true, HCM will flush an access log when a new HTTP request is received, after request + // headers have been evaluated, before iterating through the HTTP filter chain. + // This log record, if enabled, does not depend on periodic log records or request completion log. + // Details related to upstream cluster, such as upstream host, will not be available for this log. + bool flush_access_log_on_new_request = 2; + + // If true, the HCM will flush an access log when a tunnel is successfully established. For example, + // this could be when an upstream has successfully returned 101 Switching Protocols, or when the proxy + // has returned 200 to a CONNECT request. + bool flush_log_on_tunnel_successfully_established = 3; + } + + reserved 27, 11; + + reserved "idle_timeout"; + + // Supplies the type of codec that the connection manager should use. + CodecType codec_type = 1 [(validate.rules).enum = {defined_only: true}]; + + // The human readable prefix to use when emitting statistics for the + // connection manager. See the :ref:`statistics documentation ` for + // more information. + string stat_prefix = 2 [(validate.rules).string = {min_len: 1}]; + + oneof route_specifier { + option (validate.required) = true; + + // The connection manager’s route table will be dynamically loaded via the RDS API. + Rds rds = 3; + + // The route table for the connection manager is static and is specified in this property. 
+ config.route.v3.RouteConfiguration route_config = 4; + + // A route table will be dynamically assigned to each request based on request attributes + // (e.g., the value of a header). The "routing scopes" (i.e., route tables) and "scope keys" are + // specified in this message. + ScopedRoutes scoped_routes = 31; + } + + // A list of individual HTTP filters that make up the filter chain for + // requests made to the connection manager. :ref:`Order matters ` + // as the filters are processed sequentially as request events happen. + repeated HttpFilter http_filters = 5; + + // Whether the connection manager manipulates the :ref:`config_http_conn_man_headers_user-agent` + // and :ref:`config_http_conn_man_headers_downstream-service-cluster` headers. See the linked + // documentation for more information. Defaults to false. + google.protobuf.BoolValue add_user_agent = 6; + + // Presence of the object defines whether the connection manager + // emits :ref:`tracing ` data to the :ref:`configured tracing provider + // `. + Tracing tracing = 7; + + // Additional settings for HTTP requests handled by the connection manager. These will be + // applicable to both HTTP/1.1 and HTTP/2 requests. + config.core.v3.HttpProtocolOptions common_http_protocol_options = 35 + [(udpa.annotations.security).configure_for_untrusted_downstream = true]; + + // If set to ``true``, Envoy will not initiate an immediate drain timer for downstream HTTP/1 connections + // once :ref:`common_http_protocol_options.max_connection_duration + // ` is exceeded. + // Instead, Envoy will wait until the next downstream request arrives, add a ``connection: close`` header + // to the response, and then gracefully close the connection once the stream has completed. + // + // This behavior adheres to `RFC 9112, Section 9.6 `_. 
+ // + // If set to ``false``, exceeding ``max_connection_duration`` triggers Envoy's default drain behavior for HTTP/1, + // where the connection is eventually closed after all active streams finish. + // + // This option has no effect if ``max_connection_duration`` is not configured. + // Defaults to ``false``. + bool http1_safe_max_connection_duration = 58; + + // Additional HTTP/1 settings that are passed to the HTTP/1 codec. + // [#comment:TODO: The following fields are ignored when the + // :ref:`header validation configuration ` + // is present: + // 1. :ref:`allow_chunked_length `] + config.core.v3.Http1ProtocolOptions http_protocol_options = 8; + + // Additional HTTP/2 settings that are passed directly to the HTTP/2 codec. + config.core.v3.Http2ProtocolOptions http2_protocol_options = 9 + [(udpa.annotations.security).configure_for_untrusted_downstream = true]; + + // Additional HTTP/3 settings that are passed directly to the HTTP/3 codec. + config.core.v3.Http3ProtocolOptions http3_protocol_options = 44; + + // An optional override that the connection manager will write to the server + // header in responses. If not set, the default is ``envoy``. + string server_name = 10 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Defines the action to be applied to the Server header on the response path. + // By default, Envoy will overwrite the header with the value specified in + // server_name. + ServerHeaderTransformation server_header_transformation = 34 + [(validate.rules).enum = {defined_only: true}]; + + // Allows for explicit transformation of the :scheme header on the request path. + // If not set, Envoy's default :ref:`scheme ` + // handling applies. + config.core.v3.SchemeHeaderTransformation scheme_header_transformation = 48; + + // The maximum request headers size for incoming connections. + // If unconfigured, the default max request headers allowed is 60 KiB. 
+ // The default value can be overridden by setting runtime key ``envoy.reloadable_features.max_request_headers_size_kb``. + // Requests that exceed this limit will receive a 431 response. + // + // .. note:: + // + // Currently some protocol codecs impose limits on the maximum size of a single header. + // + // * HTTP/2 (when using nghttp2) limits a single header to around 100kb. + // * HTTP/3 limits a single header to around 1024kb. + // + google.protobuf.UInt32Value max_request_headers_kb = 29 + [(validate.rules).uint32 = {lte: 8192 gt: 0}]; + + // The stream idle timeout for connections managed by the connection manager. + // If not specified, this defaults to 5 minutes. The default value was selected + // so as not to interfere with any smaller configured timeouts that may have + // existed in configurations prior to the introduction of this feature, while + // introducing robustness to TCP connections that terminate without a FIN. + // + // This idle timeout applies to new streams and is overridable by the + // :ref:`route-level idle_timeout + // `. Even on a stream in + // which the override applies, prior to receipt of the initial request + // headers, the :ref:`stream_idle_timeout + // ` + // applies. Each time an encode/decode event for headers or data is processed + // for the stream, the timer will be reset. If the timeout fires, the stream + // is terminated with a 408 Request Timeout error code if no upstream response + // header has been received, otherwise a stream reset occurs. + // + // If the :ref:`overload action ` "envoy.overload_actions.reduce_timeouts" + // is configured, this timeout is scaled according to the value for + // :ref:`HTTP_DOWNSTREAM_STREAM_IDLE `. + // + // Note that it is possible to idle timeout even if the wire traffic for a stream is non-idle, due + // to the granularity of events presented to the connection manager. 
For example, while receiving + // very large request headers, it may be the case that there is traffic regularly arriving on the + // wire while the connection manage is only able to observe the end-of-headers event, hence the + // stream may still idle timeout. + // + // A value of 0 will completely disable the connection manager stream idle + // timeout, although per-route idle timeout overrides will continue to apply. + // + // This timeout is also used as the default value for :ref:`stream_flush_timeout + // `. + google.protobuf.Duration stream_idle_timeout = 24 + [(udpa.annotations.security).configure_for_untrusted_downstream = true]; + + // The stream flush timeout for connections managed by the connection manager. + // + // If not specified, the value of stream_idle_timeout is used. This is for backwards compatibility + // since this was the original behavior. In essence this timeout is an override for the + // stream_idle_timeout that applies specifically to the end of stream flush case. + // + // This timeout specifies the amount of time that Envoy will wait for the peer to open enough + // window to write any remaining stream data once the entirety of stream data (local end stream is + // true) has been buffered pending available window. In other words, this timeout defends against + // a peer that does not release enough window to completely write the stream, even though all + // data has been proxied within available flow control windows. If the timeout is hit in this + // case, the :ref:`tx_flush_timeout ` counter will be + // incremented. Note that :ref:`max_stream_duration + // ` does not apply to + // this corner case. + google.protobuf.Duration stream_flush_timeout = 59; + + // The amount of time that Envoy will wait for the entire request to be received. + // The timer is activated when the request is initiated, and is disarmed when the last byte of the + // request is sent upstream (i.e. 
all decoding filters have processed the request), OR when the + // response is initiated. If not specified or set to 0, this timeout is disabled. + google.protobuf.Duration request_timeout = 28 + [(udpa.annotations.security).configure_for_untrusted_downstream = true]; + + // The amount of time that Envoy will wait for the request headers to be received. The timer is + // activated when the first byte of the headers is received, and is disarmed when the last byte of + // the headers has been received. If not specified or set to 0, this timeout is disabled. + google.protobuf.Duration request_headers_timeout = 41 [ + (validate.rules).duration = {gte {}}, + (udpa.annotations.security).configure_for_untrusted_downstream = true + ]; + + // The time that Envoy will wait between sending an HTTP/2 “shutdown + // notification” (GOAWAY frame with max stream ID) and a final GOAWAY frame. + // This is used so that Envoy provides a grace period for new streams that + // race with the final GOAWAY frame. During this grace period, Envoy will + // continue to accept new streams. After the grace period, a final GOAWAY + // frame is sent and Envoy will start refusing new streams. Draining occurs + // either when a connection hits the idle timeout, when :ref:`max_connection_duration + // ` + // is reached, or during general server draining. The default grace period is + // 5000 milliseconds (5 seconds) if this option is not specified. + google.protobuf.Duration drain_timeout = 12; + + // The delayed close timeout is for downstream connections managed by the HTTP connection manager. + // It is defined as a grace period after connection close processing has been locally initiated + // during which Envoy will wait for the peer to close (i.e., a TCP FIN/RST is received by Envoy + // from the downstream connection) prior to Envoy closing the socket associated with that + // connection. + // + // .. 
note:: + // + // This timeout is enforced even when the socket associated with the downstream connection is pending a flush of + // the write buffer. However, any progress made writing data to the socket will restart the timer associated with + // this timeout. This means that the total grace period for a socket in this state will be + // +. + // + // Delaying Envoy's connection close and giving the peer the opportunity to initiate the close + // sequence mitigates a race condition that exists when downstream clients do not drain/process + // data in a connection's receive buffer after a remote close has been detected via a socket + // ``write()``. This race leads to such clients failing to process the response code sent by Envoy, + // which could result in erroneous downstream processing. + // + // If the timeout triggers, Envoy will close the connection's socket. + // + // The default timeout is 1000 ms if this option is not specified. + // + // .. note:: + // To be useful in avoiding the race condition described above, this timeout must be set + // to *at least* +<100ms to account for + // a reasonable "worst" case processing time for a full iteration of Envoy's event loop>. + // + // .. warning:: + // A value of ``0`` will completely disable delayed close processing. When disabled, the downstream + // connection's socket will be closed immediately after the write flush is completed or will + // never close if the write flush does not complete. + // + google.protobuf.Duration delayed_close_timeout = 26; + + // Configuration for :ref:`HTTP access logs ` + // emitted by the connection manager. + repeated config.accesslog.v3.AccessLog access_log = 13; + + // The interval to flush the above access logs. + // + // .. attention:: + // + // This field is deprecated in favor of + // :ref:`access_log_flush_interval + // `. + // Note that if both this field and :ref:`access_log_flush_interval + // ` + // are specified, the former (deprecated field) is ignored. 
+ google.protobuf.Duration access_log_flush_interval = 54 [ + deprecated = true, + (validate.rules).duration = {gte {nanos: 1000000}}, + (envoy.annotations.deprecated_at_minor_version) = "3.0" + ]; + + // If set to true, HCM will flush an access log once when a new HTTP request is received, after the request + // headers have been evaluated, and before iterating through the HTTP filter chain. + // + // .. attention:: + // + // This field is deprecated in favor of + // :ref:`flush_access_log_on_new_request + // `. + // Note that if both this field and :ref:`flush_access_log_on_new_request + // ` + // are specified, the former (deprecated field) is ignored. + bool flush_access_log_on_new_request = 55 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Additional access log options for HTTP connection manager. + HcmAccessLogOptions access_log_options = 56; + + // If set to true, the connection manager will use the real remote address + // of the client connection when determining internal versus external origin and manipulating + // various headers. If set to false or absent, the connection manager will use the + // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header. See the documentation for + // :ref:`config_http_conn_man_headers_x-forwarded-for`, + // :ref:`config_http_conn_man_headers_x-envoy-internal`, and + // :ref:`config_http_conn_man_headers_x-envoy-external-address` for more information. + google.protobuf.BoolValue use_remote_address = 14 + [(udpa.annotations.security).configure_for_untrusted_downstream = true]; + + // The number of additional ingress proxy hops from the right side of the + // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header to trust when + // determining the origin client's IP address. The default is zero if this option + // is not specified. See the documentation for + // :ref:`config_http_conn_man_headers_x-forwarded-for` for more information. 
+ uint32 xff_num_trusted_hops = 19; + + // Configuration for original IP detection extensions. + // + // When these extensions are configured, Envoy will invoke them with the incoming request headers and + // details about the downstream connection, including the directly connected address. Each extension uses + // this information to determine the effective remote IP address for the request. If an extension cannot + // identify the original IP address and isn't set to reject the request, Envoy will sequentially attempt + // the remaining extensions until one successfully determines the IP or explicitly rejects the request. + // If all extensions fail without rejection, Envoy defaults to using the directly connected remote address. + // + // .. warning:: + // These extensions cannot be configured simultaneously with :ref:`use_remote_address + // ` + // or :ref:`xff_num_trusted_hops + // `. + // + // [#extension-category: envoy.http.original_ip_detection] + repeated config.core.v3.TypedExtensionConfig original_ip_detection_extensions = 46; + + // The configuration for the early header mutation extensions. + // + // When configured the extensions will be called before any routing, tracing, or any filter processing. + // Each extension will be applied in the order they are configured. + // If the same header is mutated by multiple extensions, then the last extension will win. + // + // [#extension-category: envoy.http.early_header_mutation] + repeated config.core.v3.TypedExtensionConfig early_header_mutation_extensions = 52; + + // Configures what network addresses are considered internal for stats and header sanitation + // purposes. If unspecified, only RFC1918 IP addresses will be considered internal. + // See the documentation for :ref:`config_http_conn_man_headers_x-envoy-internal` for more + // information about internal/external addresses. + // + // .. warning:: + // As of Envoy 1.33.0 no IP addresses will be considered trusted. 
If you have tooling such as probes + // on your private network which need to be treated as trusted (e.g. changing arbitrary x-envoy headers) + // you will have to manually include those addresses or CIDR ranges like: + // + // .. validated-code-block:: yaml + // :type-name: envoy.extensions.filters.network.http_connection_manager.v3.InternalAddressConfig + // + // cidr_ranges: + // address_prefix: 10.0.0.0 + // prefix_len: 8 + // cidr_ranges: + // address_prefix: 192.168.0.0 + // prefix_len: 16 + // cidr_ranges: + // address_prefix: 172.16.0.0 + // prefix_len: 12 + // cidr_ranges: + // address_prefix: 127.0.0.1 + // prefix_len: 32 + // cidr_ranges: + // address_prefix: fd00:: + // prefix_len: 8 + // cidr_ranges: + // address_prefix: ::1 + // prefix_len: 128 + // + InternalAddressConfig internal_address_config = 25; + + // If set, Envoy will not append the remote address to the + // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header. This may be used in + // conjunction with HTTP filters that explicitly manipulate XFF after the HTTP connection manager + // has mutated the request headers. While :ref:`use_remote_address + // ` + // will also suppress XFF addition, it has consequences for logging and other + // Envoy uses of the remote address, so ``skip_xff_append`` should be used + // when only an elision of XFF addition is intended. + bool skip_xff_append = 21; + + // Via header value to append to request and response headers. If this is + // empty, no via header will be appended. + string via = 22 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Whether the connection manager will generate the :ref:`x-request-id + // ` header if it does not exist. This defaults to + // true. Generating a random UUID4 is expensive so in high throughput scenarios where this feature + // is not desired it can be disabled. 
+ google.protobuf.BoolValue generate_request_id = 15; + + // Whether the connection manager will keep the :ref:`x-request-id + // ` header if passed for a request that is edge + // (Edge request is the request from external clients to front Envoy) and not reset it, which + // is the current Envoy behaviour. This defaults to false. + bool preserve_external_request_id = 32; + + // If set, Envoy will always set :ref:`x-request-id ` header in response. + // If this is false or not set, the request ID is returned in responses only if tracing is forced using + // :ref:`x-envoy-force-trace ` header. + bool always_set_request_id_in_response = 37; + + // How to handle the :ref:`config_http_conn_man_headers_x-forwarded-client-cert` (XFCC) HTTP + // header. + ForwardClientCertDetails forward_client_cert_details = 16 + [(validate.rules).enum = {defined_only: true}]; + + // This field is valid only when :ref:`forward_client_cert_details + // ` + // is APPEND_FORWARD or SANITIZE_SET and the client connection is mTLS. It specifies the fields in + // the client certificate to be forwarded. Note that in the + // :ref:`config_http_conn_man_headers_x-forwarded-client-cert` header, ``Hash`` is always set, and + // ``By`` is always set when the client certificate presents the URI type Subject Alternative Name + // value. + SetCurrentClientCertDetails set_current_client_cert_details = 17; + + // The matcher for forwarding client cert details. This allows per-request configuration + // of forward client cert behavior based on request properties. If a matcher is configured + // and matches a request, the matched action's forward client cert config will be used. + // If the matcher is not configured or doesn't match, the static + // :ref:`forward_client_cert_details + // ` + // and + // :ref:`set_current_client_cert_details + // ` + // config will be used as fallback. 
+ //
+ // Example: If the x-forwarded-client-cert header contains "trusted-client", use APPEND_FORWARD,
+ // otherwise use SANITIZE_SET:
+ //
+ // .. code-block:: yaml
+ //
+ // forward_client_cert_matcher:
+ // matcher_list:
+ // matchers:
+ // - predicate:
+ // single_predicate:
+ // input:
+ // name: envoy.matching.inputs.request_headers
+ // typed_config:
+ // "@type": type.googleapis.com/envoy.type.matcher.v3.HttpRequestHeaderMatchInput
+ // header_name: "x-forwarded-client-cert"
+ // value_match:
+ // string_match:
+ // contains: "trusted-client"
+ // on_match:
+ // action:
+ // name: forward_client_cert
+ // typed_config:
+ // "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ForwardClientCertConfig
+ // forward_client_cert_details: APPEND_FORWARD
+ // set_current_client_cert_details:
+ // uri: true
+ // on_no_match:
+ // action:
+ // name: forward_client_cert
+ // typed_config:
+ // "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.ForwardClientCertConfig
+ // forward_client_cert_details: SANITIZE_SET
+ // set_current_client_cert_details:
+ // uri: true
+ xds.type.matcher.v3.Matcher forward_client_cert_matcher = 60;
+
+ // If proxy_100_continue is true, Envoy will proxy incoming "Expect:
+ // 100-continue" headers upstream, and forward "100 Continue" responses
+ // downstream. If this is false or not set, Envoy will instead strip the
+ // "Expect: 100-continue" header, and send a "100 Continue" response itself.
+ bool proxy_100_continue = 18;
+
+ // If
+ // :ref:`use_remote_address
+ // `
+ // is true and represent_ipv4_remote_address_as_ipv4_mapped_ipv6 is true and the remote address is
+ // an IPv4 address, the address will be mapped to IPv6 before it is appended to ``x-forwarded-for``.
+ // This is useful for testing compatibility of upstream services that parse the header value. For
+ // example, 50.0.0.1 is represented as ::FFFF:50.0.0.1. See `IPv4-Mapped IPv6 Addresses
+ // `_ for details. This will also affect the
+ // :ref:`config_http_conn_man_headers_x-envoy-external-address` header. See
+ // :ref:`http_connection_manager.represent_ipv4_remote_address_as_ipv4_mapped_ipv6
+ // ` for runtime
+ // control.
+ // [#not-implemented-hide:]
+ bool represent_ipv4_remote_address_as_ipv4_mapped_ipv6 = 20;
+
+ repeated UpgradeConfig upgrade_configs = 23;
+
+ // Should paths be normalized according to RFC 3986 before any processing of
+ // requests by HTTP filters or routing? This affects the upstream ``:path`` header
+ // as well. For paths that fail this check, Envoy will respond with 400 to
+ // paths that are malformed. This defaults to false currently but will default
+ // true in the future. When not specified, this value may be overridden by the
+ // runtime variable
+ // :ref:`http_connection_manager.normalize_path`.
+ // See `Normalization and Comparison `_
+ // for details of normalization.
+ // Note that Envoy does not perform
+ // `case normalization `_
+ // [#comment:TODO: This field is ignored when the
+ // :ref:`header validation configuration `
+ // is present.]
+ google.protobuf.BoolValue normalize_path = 30;
+
+ // Determines if adjacent slashes in the path are merged into one before any processing of
+ // requests by HTTP filters or routing. This affects the upstream ``:path`` header as well. Without
+ // setting this option, incoming requests with path ``//dir///file`` will not match against route
+ // with ``prefix`` match set to ``/dir``. Defaults to ``false``. Note that slash merging is not part of
+ // `HTTP spec `_ and is provided for convenience.
+ // [#comment:TODO: This field is ignored when the
+ // :ref:`header validation configuration `
+ // is present.]
+ bool merge_slashes = 33;
+
+ // Action to take when request URL path contains escaped slash sequences (%2F, %2f, %5C and %5c).
+ // The default value can be overridden by the :ref:`http_connection_manager.path_with_escaped_slashes_action`
+ // runtime variable.
+ // The :ref:`http_connection_manager.path_with_escaped_slashes_action_sampling` runtime
+ // variable can be used to apply the action to a portion of all requests.
+ // [#comment:TODO: This field is ignored when the
+ // :ref:`header validation configuration `
+ // is present.]
+ PathWithEscapedSlashesAction path_with_escaped_slashes_action = 45;
+
+ // The configuration of the request ID extension. This includes operations such as
+ // generation, validation, and associated tracing operations. If empty, the
+ // :ref:`UuidRequestIdConfig `
+ // default extension is used with default parameters. See the documentation for that extension
+ // for details on what it does. Customizing the configuration for the default extension can be
+ // achieved by configuring it explicitly here. For example, to disable trace reason packing,
+ // the following configuration can be used:
+ //
+ // .. validated-code-block:: yaml
+ // :type-name: envoy.extensions.filters.network.http_connection_manager.v3.RequestIDExtension
+ //
+ // typed_config:
+ // "@type": type.googleapis.com/envoy.extensions.request_id.uuid.v3.UuidRequestIdConfig
+ // pack_trace_reason: false
+ //
+ // [#extension-category: envoy.request_id]
+ RequestIDExtension request_id_extension = 36;
+
+ // The configuration to customize local reply returned by Envoy. It can customize status code,
+ // body text and response content type. If not specified, status code and text body are hard
+ // coded in Envoy, the response content type is plain text.
+ LocalReplyConfig local_reply_config = 38;
+
+ // Determines if the port part should be removed from host/authority header before any processing
+ // of request by HTTP filters or routing. The port would be removed only if it is equal to the :ref:`listener's`
+ // local port. This affects the upstream host header unless the method is
+ // CONNECT in which case if no filter adds a port the original port will be restored before headers are
+ // sent upstream.
+ // Without setting this option, incoming requests with host ``example:443`` will not match against
+ // route with :ref:`domains` match set to ``example``. Defaults to ``false``. Note that port removal is not part
+ // of `HTTP spec `_ and is provided for convenience.
+ // Only one of ``strip_matching_host_port`` or ``strip_any_host_port`` can be set.
+ bool strip_matching_host_port = 39
+ [(udpa.annotations.field_migrate).oneof_promotion = "strip_port_mode"];
+
+ oneof strip_port_mode {
+ // Determines if the port part should be removed from host/authority header before any processing
+ // of request by HTTP filters or routing.
+ // This affects the upstream host header unless the method is CONNECT in
+ // which case if no filter adds a port the original port will be restored before headers are sent upstream.
+ // Without setting this option, incoming requests with host ``example:443`` will not match against
+ // route with :ref:`domains` match set to ``example``. Defaults to ``false``. Note that port removal is not part
+ // of `HTTP spec `_ and is provided for convenience.
+ // Only one of ``strip_matching_host_port`` or ``strip_any_host_port`` can be set.
+ bool strip_any_host_port = 42;
+ }
+
+ // Governs Envoy's behavior when receiving invalid HTTP from downstream.
+ // If this option is false (default), Envoy will err on the conservative side handling HTTP
+ // errors, terminating both HTTP/1.1 and HTTP/2 connections when receiving an invalid request.
+ // If this option is set to true, Envoy will be more permissive, only resetting the invalid
+ // stream in the case of HTTP/2 and leaving the connection open where possible (if the entire
+ // request is read for HTTP/1.1)
+ // In general this should be true for deployments receiving trusted traffic (L2 Envoys,
+ // company-internal mesh) and false when receiving untrusted traffic (edge deployments).
+ //
+ // If different behaviors for invalid_http_message for HTTP/1 and HTTP/2 are
+ // desired, one should use the new HTTP/1 option :ref:`override_stream_error_on_invalid_http_message
+ // ` or the new HTTP/2 option
+ // :ref:`override_stream_error_on_invalid_http_message
+ // `
+ // ``not`` the deprecated but similarly named :ref:`stream_error_on_invalid_http_messaging
+ // `
+ google.protobuf.BoolValue stream_error_on_invalid_http_message = 40;
+
+ // [#not-implemented-hide:] Path normalization configuration. This includes
+ // configurations for transformations (e.g. RFC 3986 normalization or merge
+ // adjacent slashes) and the policy to apply them. The policy determines
+ // whether transformations affect the forwarded ``:path`` header. RFC 3986 path
+ // normalization is enabled by default and the default policy is that the
+ // normalized header will be forwarded. See :ref:`PathNormalizationOptions
+ // `
+ // for details.
+ PathNormalizationOptions path_normalization_options = 43;
+
+ // Determines if trailing dot of the host should be removed from host/authority header before any
+ // processing of request by HTTP filters or routing.
+ // This affects the upstream host header.
+ // Without setting this option, incoming requests with host ``example.com.`` will not match against
+ // route with :ref:`domains` match set to ``example.com``. Defaults to ``false``.
+ // When the incoming request contains a host/authority header that includes a port number,
+ // setting this option will strip a trailing dot, if present, from the host section,
+ // leaving the port as is (e.g. host value ``example.com.:443`` will be updated to ``example.com:443``).
+ bool strip_trailing_host_dot = 47;
+
+ // Proxy-Status HTTP response header configuration.
+ // If this config is set, the Proxy-Status HTTP response header field is
+ // populated. By default, it is not.
+ ProxyStatusConfig proxy_status_config = 49;
+
+ // Configuration options for Header Validation (UHV).
+ // UHV is an extensible mechanism for checking validity of HTTP requests as well as providing
+ // normalization for request attributes, such as URI path.
+ // If the typed_header_validation_config is present it overrides the following options:
+ // ``normalize_path``, ``merge_slashes``, ``path_with_escaped_slashes_action``
+ // ``http_protocol_options.allow_chunked_length``, ``common_http_protocol_options.headers_with_underscores_action``.
+ //
+ // The default UHV checks the following:
+ //
+ // #. HTTP/1 header map validity according to `RFC 7230 section 3.2`_
+ // #. Syntax of HTTP/1 request target URI and response status
+ // #. HTTP/2 header map validity according to `RFC 7540 section 8.1.2`_
+ // #. Syntax of HTTP/3 pseudo headers
+ // #. Syntax of ``Content-Length`` and ``Transfer-Encoding``
+ // #. Validation of HTTP/1 requests with both ``Content-Length`` and ``Transfer-Encoding`` headers
+ // #. Normalization of the URI path according to `Normalization and Comparison `_
+ // without `case normalization `_
+ //
+ // [#not-implemented-hide:]
+ // [#extension-category: envoy.http.header_validators]
+ config.core.v3.TypedExtensionConfig typed_header_validation_config = 50;
+
+ // Append the ``x-forwarded-port`` header with the port value client used to connect to Envoy. It
+ // will be ignored if the ``x-forwarded-port`` header has been set by any trusted proxy in front of Envoy.
+ bool append_x_forwarded_port = 51;
+
+ // Append the :ref:`config_http_conn_man_headers_x-envoy-local-overloaded` HTTP header in the scenario where
+ // the Overload Manager has been triggered.
+ bool append_local_overload = 57;
+
+ // Whether the HCM will add ProxyProtocolFilterState to the Connection lifetime filter state. Defaults to ``true``.
+ // This should be set to ``false`` in cases where Envoy's view of the downstream address may not correspond to the
+ // actual client address, for example, if there's another proxy in front of the Envoy.
+ google.protobuf.BoolValue add_proxy_protocol_connection_state = 53;
+}
+
+// The configuration to customize local reply returned by Envoy.
+message LocalReplyConfig {
+ // Configuration of list of mappers which allows to filter and change local response.
+ // The mappers will be checked by the specified order until one is matched.
+ repeated ResponseMapper mappers = 1;
+
+ // The configuration to form response body from the :ref:`command operators `
+ // and to specify response content type as one of: plain/text or application/json.
+ //
+ // Example one: "plain/text" ``body_format``.
+ //
+ // .. validated-code-block:: yaml
+ // :type-name: envoy.config.core.v3.SubstitutionFormatString
+ //
+ // text_format: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%\n"
+ //
+ // The following response body in "plain/text" format will be generated for a request with
+ // local reply body of "upstream connection error", response_code=503 and path=/foo.
+ //
+ // .. code-block:: text
+ //
+ // upstream connect error:503:path=/foo
+ //
+ // Example two: "application/json" ``body_format``.
+ //
+ // .. validated-code-block:: yaml
+ // :type-name: envoy.config.core.v3.SubstitutionFormatString
+ //
+ // json_format:
+ // status: "%RESPONSE_CODE%"
+ // message: "%LOCAL_REPLY_BODY%"
+ // path: "%REQ(:path)%"
+ //
+ // The following response body in "application/json" format would be generated for a request with
+ // local reply body of "upstream connection error", response_code=503 and path=/foo.
+ //
+ // .. code-block:: json
+ //
+ // {
+ // "status": 503,
+ // "message": "upstream connection error",
+ // "path": "/foo"
+ // }
+ //
+ config.core.v3.SubstitutionFormatString body_format = 2;
+}
+
+// The configuration to filter and change local response.
+// [#next-free-field: 6]
+message ResponseMapper {
+ // Filter to determine if this mapper should apply.
+ config.accesslog.v3.AccessLogFilter filter = 1 [(validate.rules).message = {required: true}];
+
+ // The new response status code if specified.
+ google.protobuf.UInt32Value status_code = 2 [(validate.rules).uint32 = {lt: 600 gte: 200}];
+
+ // The new local reply body text if specified. It will be used in the ``%LOCAL_REPLY_BODY%``
+ // command operator in the ``body_format``.
+ config.core.v3.DataSource body = 3;
+
+ // A per mapper ``body_format`` to override the :ref:`body_format `.
+ // It will be used when this mapper is matched.
+ config.core.v3.SubstitutionFormatString body_format_override = 4;
+
+ // HTTP headers to add to a local reply. This allows the response mapper to append, to add
+ // or to override headers of any local reply before it is sent to a downstream client.
+ repeated config.core.v3.HeaderValueOption headers_to_add = 5
+ [(validate.rules).repeated = {max_items: 1000}];
+}
+
+message Rds {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.network.http_connection_manager.v2.Rds";
+
+ // Configuration source specifier for RDS.
+ config.core.v3.ConfigSource config_source = 1;
+
+ // The name of the route configuration. This name will be passed to the RDS
+ // API. This allows an Envoy configuration with multiple HTTP listeners (and
+ // associated HTTP connection manager filters) to use different route
+ // configurations.
+ string route_config_name = 2;
+}
+
+// This message is used to work around the limitations with 'oneof' and repeated fields.
+message ScopedRouteConfigurationsList {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.network.http_connection_manager.v2.ScopedRouteConfigurationsList";
+
+ repeated config.route.v3.ScopedRouteConfiguration scoped_route_configurations = 1
+ [(validate.rules).repeated = {min_items: 1}];
+}
+
+// [#next-free-field: 6]
+message ScopedRoutes {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.network.http_connection_manager.v2.ScopedRoutes";
+
+ // Specifies the mechanism for constructing "scope keys" based on HTTP request attributes. These
+ // keys are matched against a set of :ref:`Key`
+ // objects assembled from :ref:`ScopedRouteConfiguration`
+ // messages distributed via SRDS (the Scoped Route Discovery Service) or assigned statically via
+ // :ref:`scoped_route_configurations_list`.
+ //
+ // Upon receiving a request's headers, the Router will build a key using the algorithm specified
+ // by this message. This key will be used to look up the routing table (i.e., the
+ // :ref:`RouteConfiguration`) to use for the request.
+ message ScopeKeyBuilder {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.network.http_connection_manager.v2.ScopedRoutes.ScopeKeyBuilder";
+
+ // Specifies the mechanism for constructing key fragments which are composed into scope keys.
+ message FragmentBuilder {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.network.http_connection_manager.v2.ScopedRoutes.ScopeKeyBuilder."
+ "FragmentBuilder";
+
+ // Specifies how the value of a header should be extracted.
+ // The following example maps the structure of a header to the fields in this message.
+ //
+ // .. code::
+ //
+ // <0> <1> <-- index
+ // X-Header: a=b;c=d
+ // | || |
+ // | || \---->
+ // | ||
+ // | |\---->
+ // | |
+ // | \---->
+ // |
+ // \---->
+ //
+ // Each 'a=b' key-value pair constitutes an 'element' of the header field.
+ message HeaderValueExtractor {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.network.http_connection_manager.v2.ScopedRoutes.ScopeKeyBuilder."
+ "FragmentBuilder.HeaderValueExtractor";
+
+ // Specifies a header field's key value pair to match on.
+ message KvElement {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.network.http_connection_manager.v2.ScopedRoutes.ScopeKeyBuilder."
+ "FragmentBuilder.HeaderValueExtractor.KvElement";
+
+ // The separator between key and value (e.g., '=' separates 'k=v;...').
+ // If an element is an empty string, the element is ignored.
+ // If an element contains no separator, the whole element is parsed as key and the
+ // fragment value is an empty string.
+ // If there are multiple values for a matched key, the first value is returned.
+ string separator = 1 [(validate.rules).string = {min_len: 1}];
+
+ // The key to match on.
+ string key = 2 [(validate.rules).string = {min_len: 1}];
+ }
+
+ // The name of the header field to extract the value from.
+ //
+ // .. note::
+ //
+ // If the header appears multiple times only the first value is used.
+ string name = 1 [
+ (validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}
+ ];
+
+ // The element separator (e.g., ';' separates 'a;b;c;d').
+ // Default: empty string. This causes the entirety of the header field to be extracted.
+ // If this field is set to an empty string and 'index' is used in the oneof below, 'index'
+ // must be set to 0.
+ string element_separator = 2;
+
+ oneof extract_type {
+ // Specifies the zero based index of the element to extract.
+ // Note Envoy concatenates multiple values of the same header key into a comma separated
+ // string, the splitting always happens after the concatenation.
+ uint32 index = 3;
+
+ // Specifies the key value pair to extract the value from.
+ KvElement element = 4;
+ }
+ }
+
+ oneof type {
+ option (validate.required) = true;
+
+ // Specifies how a header field's value should be extracted.
+ HeaderValueExtractor header_value_extractor = 1;
+ }
+ }
+
+ // The final(built) scope key consists of the ordered union of these fragments, which are compared in order with the
+ // fragments of a :ref:`ScopedRouteConfiguration`.
+ // A missing fragment during comparison will make the key invalid, i.e., the computed key doesn't match any key.
+ repeated FragmentBuilder fragments = 1 [(validate.rules).repeated = {min_items: 1}];
+ }
+
+ // The name assigned to the scoped routing configuration.
+ string name = 1 [(validate.rules).string = {min_len: 1}];
+
+ // The algorithm to use for constructing a scope key for each request.
+ ScopeKeyBuilder scope_key_builder = 2 [(validate.rules).message = {required: true}];
+
+ // Configuration source specifier for RDS.
+ // This config source is used to subscribe to RouteConfiguration resources specified in
+ // ScopedRouteConfiguration messages.
+ config.core.v3.ConfigSource rds_config_source = 3;
+
+ oneof config_specifier {
+ option (validate.required) = true;
+
+ // The set of routing scopes corresponding to the HCM. A scope is assigned to a request by
+ // matching a key constructed from the request's attributes according to the algorithm specified
+ // by the
+ // :ref:`ScopeKeyBuilder`
+ // in this message.
+ ScopedRouteConfigurationsList scoped_route_configurations_list = 4;
+
+ // The set of routing scopes associated with the HCM will be dynamically loaded via the SRDS
+ // API. A scope is assigned to a request by matching a key constructed from the request's
+ // attributes according to the algorithm specified by the
+ // :ref:`ScopeKeyBuilder`
+ // in this message.
+ ScopedRds scoped_rds = 5;
+ }
+}
+
+message ScopedRds {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.network.http_connection_manager.v2.ScopedRds";
+
+ // Configuration source specifier for scoped RDS.
+ config.core.v3.ConfigSource scoped_rds_config_source = 1
+ [(validate.rules).message = {required: true}];
+
+ // xdstp:// resource locator for scoped RDS collection.
+ // [#not-implemented-hide:]
+ string srds_resources_locator = 2;
+}
+
+// [#next-free-field: 8]
+message HttpFilter {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.network.http_connection_manager.v2.HttpFilter";
+
+ reserved 3, 2;
+
+ reserved "config";
+
+ // The name of the filter configuration. It also serves as a resource name in ExtensionConfigDS.
+ string name = 1 [(validate.rules).string = {min_len: 1}];
+
+ oneof config_type {
+ // Filter specific configuration which depends on the filter being instantiated. See the supported
+ // filters for further documentation.
+ //
+ // To support configuring a :ref:`match tree `, use an
+ // :ref:`ExtensionWithMatcher `
+ // with the desired HTTP filter.
+ // [#extension-category: envoy.filters.http]
+ google.protobuf.Any typed_config = 4;
+
+ // Configuration source specifier for an extension configuration discovery service.
+ // In case of a failure and without the default configuration, the HTTP listener responds with code 500.
+ // Extension configs delivered through this mechanism are not expected to require warming (see https://github.com/envoyproxy/envoy/issues/12061).
+ //
+ // To support configuring a :ref:`match tree `, use an
+ // :ref:`ExtensionWithMatcher `
+ // with the desired HTTP filter. This works for both the default filter configuration as well
+ // as for filters provided via the API.
+ config.core.v3.ExtensionConfigSource config_discovery = 5;
+ }
+
+ // If true, clients that do not support this filter may ignore the
+ // filter but otherwise accept the config.
+ // Otherwise, clients that do not support this filter must reject the config.
+ bool is_optional = 6;
+
+ // If true, the filter is disabled by default and must be explicitly enabled by setting
+ // per filter configuration in the route configuration.
+ // See :ref:`route based filter chain `
+ // for more details.
+ //
+ // Terminal filters (e.g. ``envoy.filters.http.router``) cannot be marked as disabled.
+ bool disabled = 7;
+}
+
+message RequestIDExtension {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.network.http_connection_manager.v2.RequestIDExtension";
+
+ // Request ID extension specific configuration.
+ google.protobuf.Any typed_config = 1;
+}
+
+// [#protodoc-title: Envoy Mobile HTTP connection manager]
+// HTTP connection manager for use in Envoy mobile.
+// [#extension: envoy.filters.network.envoy_mobile_http_connection_manager]
+message EnvoyMobileHttpConnectionManager {
+ // The configuration for the underlying HttpConnectionManager which will be
+ // instantiated for Envoy mobile.
+ HttpConnectionManager config = 1;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/abfd42b3e363fbe849273f3400b4557ff8c511986893e362f7a3c524a33f10bc770a0e54e3160a7e02ad187d67b3d9fd38ae158946b5b38277065a2d0bfde960 b/modules/sync/envoyproxy/envoy/cas/abfd42b3e363fbe849273f3400b4557ff8c511986893e362f7a3c524a33f10bc770a0e54e3160a7e02ad187d67b3d9fd38ae158946b5b38277065a2d0bfde960
new file mode 100644
index 00000000..64668a76
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/abfd42b3e363fbe849273f3400b4557ff8c511986893e362f7a3c524a33f10bc770a0e54e3160a7e02ad187d67b3d9fd38ae158946b5b38277065a2d0bfde960
@@ -0,0 +1,103 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.network.ext_authz.v3;
+
+import "envoy/config/core/v3/config_source.proto";
+import "envoy/config/core/v3/grpc_service.proto";
+import "envoy/type/matcher/v3/metadata.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.network.ext_authz.v3";
+option java_outer_classname = "ExtAuthzProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/ext_authz/v3;ext_authzv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Network External Authorization ]
+// The network layer external authorization service configuration
+// :ref:`configuration overview `.
+// [#extension: envoy.filters.network.ext_authz]
+
+// External Authorization filter calls out to an external service over the
+// gRPC Authorization API defined by
+// :ref:`CheckRequest `.
+// A failed check will cause this filter to close the TCP connection.
+// [#next-free-field: 12]
+message ExtAuthz {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.network.ext_authz.v2.ExtAuthz";
+
+ // The prefix to use when emitting statistics.
+ string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
+
+ // The external authorization gRPC service configuration.
+ // The default timeout is set to 200ms by this filter.
+ config.core.v3.GrpcService grpc_service = 2;
+
+ // The filter's behaviour in case the external authorization service does
+ // not respond back. When it is set to true, Envoy will also allow traffic in case of
+ // communication failure between authorization service and the proxy.
+ // Defaults to false.
+ bool failure_mode_allow = 3;
+
+ // Specifies if the peer certificate is sent to the external service.
+ //
+ // When this field is true, Envoy will include the peer X.509 certificate, if available, in the
+ // :ref:`certificate`.
+ bool include_peer_certificate = 4;
+
+ // API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and
+ // version of Check{Request,Response} used on the wire.
+ config.core.v3.ApiVersion transport_api_version = 5
+ [(validate.rules).enum = {defined_only: true}];
+
+ // Specifies if the filter is enabled with metadata matcher.
+ // If this field is not specified, the filter will be enabled for all requests.
+ type.matcher.v3.MetadataMatcher filter_enabled_metadata = 6;
+
+ // Optional labels that will be passed to :ref:`labels` in
+ // :ref:`destination`.
+ // The labels will be read from :ref:`metadata` with the specified key.
+ string bootstrap_metadata_labels_key = 7;
+
+ // Specifies if the TLS session level details like SNI are sent to the external service.
+ //
+ // When this field is true, Envoy will include the SNI name used for TLSClientHello, if available, in the
+ // :ref:`tls_session`.
+ bool include_tls_session = 8;
+
+ // When set to ``true``, the filter will send a TLS ``access_denied(49)`` alert before closing
+ // the connection when authorization is denied. This provides better visibility to TLS clients
+ // about the reason for connection closure. This alert is only sent for TLS connections. The
+ // non-TLS connections will be closed without sending an alert.
+ //
+ // Defaults to ``false``.
+ bool send_tls_alert_on_denial = 9;
+
+ // Specifies a list of metadata namespaces whose values, if present, will be passed to the
+ // ext_authz service. The :ref:`filter_metadata `
+ // is passed as an opaque ``protobuf::Struct``.
+ //
+ // For example, if the ``proxy_protocol`` listener filter is used and populates TLV metadata,
+ // then the following will pass that metadata to the authorization server for making decisions
+ // based on proxy protocol information.
+ //
+ // .. code-block:: yaml
+ //
+ // metadata_context_namespaces:
+ // - envoy.filters.listener.proxy_protocol
+ //
+ repeated string metadata_context_namespaces = 10;
+
+ // Specifies a list of metadata namespaces whose values, if present, will be passed to the
+ // ext_authz service. :ref:`typed_filter_metadata `
+ // is passed as a ``protobuf::Any``.
+ //
+ // This works similarly to ``metadata_context_namespaces`` but allows Envoy and the ext_authz server to share
+ // the protobuf message definition in order to perform safe parsing.
+ //
+ repeated string typed_metadata_context_namespaces = 11;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/b01b9c08ea0d0da34c23042bd8da58ca40d92f1f7346b2a922c78409fa0e51d0b0acd6787de220b4b32397f96bb0acf7edd8ee83131d7b27524cf538b96c7bf2 b/modules/sync/envoyproxy/envoy/cas/b01b9c08ea0d0da34c23042bd8da58ca40d92f1f7346b2a922c78409fa0e51d0b0acd6787de220b4b32397f96bb0acf7edd8ee83131d7b27524cf538b96c7bf2
new file mode 100644
index 00000000..ccde766e
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/b01b9c08ea0d0da34c23042bd8da58ca40d92f1f7346b2a922c78409fa0e51d0b0acd6787de220b4b32397f96bb0acf7edd8ee83131d7b27524cf538b96c7bf2
@@ -0,0 +1,65 @@
+syntax = "proto3";
+
+package envoy.extensions.formatter.metadata.v3;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.formatter.metadata.v3";
+option java_outer_classname = "MetadataProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/formatter/metadata/v3;metadatav3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Formatter extension for printing various types of metadata]
+// [#extension: envoy.formatter.metadata]
+
+// Metadata formatter extension implements METADATA command operator that
+// prints all types of metadata. The first parameter taken by METADATA operator defines
+// type of metadata. The following types of metadata are supported (case sensitive):
+//
+// * DYNAMIC
+// * CLUSTER
+// * ROUTE
+// * UPSTREAM_HOST
+// * LISTENER
+// * LISTENER_FILTER_CHAIN
+// * VIRTUAL_HOST
+//
+// See :ref:`here ` for more information on access log configuration.
+
+// %METADATA(TYPE:NAMESPACE:KEY):Z%
+// :ref:`Metadata ` info,
+// where TYPE is type of metadata (see above for supported types),
+// NAMESPACE is the filter namespace used when setting the metadata, KEY is an optional
+// lookup key in the namespace with the option of specifying nested keys separated by ':',
+// and Z is an optional parameter denoting string truncation up to Z characters long.
+// The data will be logged as a JSON string. For example, for the following ROUTE metadata:
+//
+// ``com.test.my_filter: {"test_key": "foo", "test_object": {"inner_key": "bar"}}``
+//
+// * %METADATA(ROUTE:com.test.my_filter)% will log: ``{"test_key": "foo", "test_object": {"inner_key": "bar"}}``
+// * %METADATA(ROUTE:com.test.my_filter:test_key)% will log: ``foo``
+// * %METADATA(ROUTE:com.test.my_filter:test_object)% will log: ``{"inner_key": "bar"}``
+// * %METADATA(ROUTE:com.test.my_filter:test_object:inner_key)% will log: ``bar``
+// * %METADATA(ROUTE:com.unknown_filter)% will log: ``-``
+// * %METADATA(ROUTE:com.test.my_filter:unknown_key)% will log: ``-``
+// * %METADATA(ROUTE:com.test.my_filter):25% will log (truncation at 25 characters): ``{"test_key": "foo", "test``
+//
+// .. note::
+//
+// For typed JSON logs, this operator renders a single value with string, numeric, or boolean type
+// when the referenced key is a simple value. If the referenced key is a struct or list value, a
+// JSON struct or list is rendered. Structs and lists may be nested. In any event, the maximum
+// length is ignored.
+//
+// .. note::
+//
+// METADATA(DYNAMIC:NAMESPACE:KEY):Z is equivalent to :ref:`DYNAMIC_METADATA(NAMESPACE:KEY):Z`
+// METADATA(CLUSTER:NAMESPACE:KEY):Z is equivalent to :ref:`CLUSTER_METADATA(NAMESPACE:KEY):Z`
+// METADATA(UPSTREAM_HOST:NAMESPACE:KEY):Z is equivalent to :ref:`UPSTREAM_METADATA(NAMESPACE:KEY):Z`
+//
+// .. warning::
+// This extension is treated as built-in extension and will be enabled by default now.
+// It is unnecessary to configure this extension.
+message Metadata {
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/b5d9ec9f7834d656e6f73dd7ac2b1ac4765c8888d02fb3e42d51f9447008c8d52f40bebafca0ffeb7326e238dd44a3d0cd59c9aa67748e5dfc36ee8766bb58b8 b/modules/sync/envoyproxy/envoy/cas/b5d9ec9f7834d656e6f73dd7ac2b1ac4765c8888d02fb3e42d51f9447008c8d52f40bebafca0ffeb7326e238dd44a3d0cd59c9aa67748e5dfc36ee8766bb58b8
new file mode 100644
index 00000000..72251c6b
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/b5d9ec9f7834d656e6f73dd7ac2b1ac4765c8888d02fb3e42d51f9447008c8d52f40bebafca0ffeb7326e238dd44a3d0cd59c9aa67748e5dfc36ee8766bb58b8
@@ -0,0 +1,36 @@
+syntax = "proto3";
+
+package envoy.extensions.access_loggers.filters.cel.v3;
+
+import "envoy/config/core/v3/cel.proto";
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.access_loggers.filters.cel.v3";
+option java_outer_classname = "CelProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/filters/cel/v3;celv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: ExpressionFilter]
+// [#extension: envoy.access_loggers.extension_filters.cel]
+
+// ExpressionFilter is an access logging filter that evaluates configured
+// symbolic Common Expression Language expressions to inform the decision
+// to generate an access log.
+message ExpressionFilter {
+ // Expression that, when evaluated, will be used to filter access logs.
+ // Expressions are based on the set of Envoy :ref:`attributes `.
+ // The provided expression must evaluate to true for logging (expression errors are considered false).
+ // Examples:
+ //
+ // * ``response.code >= 400``
+ // * ``(connection.mtls && request.headers['x-log-mtls'] == 'true') || request.url_path.contains('v1beta3')``
+ string expression = 1;
+
+ // CEL expression configuration that modifies the evaluation behavior of the ``expression`` field.
+ // If specified, string conversion, concatenation, and manipulation functions may be enabled
+ // for the filter expression. See :ref:`CelExpressionConfig `
+ // for more details.
+ config.core.v3.CelExpressionConfig cel_config = 2;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/bb668849b33a7391d165b6b1e36b7049fc3ec26026d0e968c9398a8c2b56f1b2c3b5926bfe0d17ab81683a5454c0a99d36c28a61aac13b7d46dd3e754d04dd10 b/modules/sync/envoyproxy/envoy/cas/bb668849b33a7391d165b6b1e36b7049fc3ec26026d0e968c9398a8c2b56f1b2c3b5926bfe0d17ab81683a5454c0a99d36c28a61aac13b7d46dd3e754d04dd10 new file mode 100644 index 00000000..b07811d5 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/bb668849b33a7391d165b6b1e36b7049fc3ec26026d0e968c9398a8c2b56f1b2c3b5926bfe0d17ab81683a5454c0a99d36c28a61aac13b7d46dd3e754d04dd10 
@@ -0,0 +1,500 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.ext_proc.v3;
+
+import "envoy/config/common/mutation_rules/v3/mutation_rules.proto";
+import "envoy/config/core/v3/base.proto";
+import "envoy/config/core/v3/extension.proto";
+import "envoy/config/core/v3/grpc_service.proto";
+import "envoy/config/core/v3/http_service.proto";
+import "envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto";
+import "envoy/type/matcher/v3/string.proto";
+import "envoy/type/v3/http_status.proto";
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/struct.proto";
+import "google/protobuf/wrappers.proto";
+
+import "xds/annotations/v3/status.proto";
+
+import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/migrate.proto";
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.ext_proc.v3";
+option java_outer_classname = "ExtProcProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_proc/v3;ext_procv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: External Processing Filter]
+// External Processing Filter
+// [#extension: envoy.filters.http.ext_proc]
+
+// The External Processing filter allows an external service to act on HTTP traffic in a flexible way.
+
+// The filter communicates with an external gRPC service called an "external processor"
+// that can do a variety of things with the request and response:
+//
+// * Access and modify the HTTP headers on the request, response, or both.
+// * Access and modify the HTTP request and response bodies.
+// * Access and modify the dynamic stream metadata.
+// * Immediately send an HTTP response downstream and terminate other processing.
+//
+// The filter communicates with the server using a gRPC bidirectional stream. After the initial
+// request, the external server is in control over what additional data is sent to it
+// and how it should be processed.
+//
+// By implementing the protocol specified by the stream, the external server can choose:
+//
+// * Whether it receives the response message at all.
+// * Whether it receives the message body at all, in separate chunks, or as a single buffer.
+// * To modify request or response trailers if they already exist.
+//
+// The filter supports up to six different processing steps. Each is represented by
+// a gRPC stream message that is sent to the external processor. For each message, the
+// processor must send a matching response.
+//
+// * Request headers: Contains the headers from the original HTTP request.
+// * Request body: If the body is present, the behavior depends on the
+// body send mode. In ``BUFFERED`` or ``BUFFERED_PARTIAL`` mode, the body is sent to the external
+// processor in a single message. In ``STREAMED`` or ``FULL_DUPLEX_STREAMED`` mode, the body will
+// be split across multiple messages sent to the external processor. In ``GRPC`` mode, as each
+// gRPC message arrives, it will be sent to the external processor (there will be exactly one
+// gRPC message in each message sent to the external processor). In ``NONE`` mode, the body will
+// not be sent to the external processor.
+// * Request trailers: Delivered if they are present and if the trailer mode is set
+// to ``SEND``.
+// * Response headers: Contains the headers from the HTTP response. Keep in mind
+// that if the upstream system sends them before processing the request body that
+// this message may arrive before the complete body.
+// * Response body: Sent according to the processing mode like the request body.
+// * Response trailers: Delivered according to the processing mode like the
+// request trailers.
+//
+// By default, the processor sends only the request and response headers messages.
+// This may be changed to include any of the six steps by changing the ``processing_mode``
+// setting of the filter configuration, or by setting the ``mode_override`` of any response
+// from the external processor. The latter is only enabled if ``allow_mode_override`` is
+// set to true. This way, a processor may, for example, use information
+// in the request header to determine whether the message body must be examined, or whether
+// the data plane should simply stream it straight through.
+//
+// All of this together allows a server to process the filter traffic in fairly
+// sophisticated ways. For example:
+//
+// * A server may choose to examine all or part of the HTTP message bodies depending
+// on the content of the headers.
+// * A server may choose to immediately reject some messages based on their HTTP
+// headers (or other dynamic metadata) and more carefully examine others.
+//
+// The protocol itself is based on a bidirectional gRPC stream. The data plane will send the server
+// :ref:`ProcessingRequest `
+// messages, and the server must reply with
+// :ref:`ProcessingResponse `.
+//
+// Stats about each gRPC call are recorded in a :ref:`dynamic filter state
+// ` object in a namespace matching the filter
+// name.
+//
+// [#next-free-field: 26]
+message ExternalProcessor {
+ // Describes the route cache action to be taken when an external processor response
+ // is received in response to request headers.
+ enum RouteCacheAction {
+ // The default behavior is to clear the route cache only when the
+ // :ref:`clear_route_cache `
+ // field is set in an external processor response.
+ DEFAULT = 0;
+
+ // Always clear the route cache irrespective of the ``clear_route_cache`` bit in
+ // the external processor response.
+ CLEAR = 1;
+
+ // Do not clear the route cache irrespective of the ``clear_route_cache`` bit in
+ // the external processor response. Setting to ``RETAIN`` is equivalent to setting the
+ // :ref:`disable_clear_route_cache `
+ // to true.
+ RETAIN = 2;
+ }
+
+ reserved 4;
+
+ reserved "async_mode";
+
+ // Configuration for the gRPC service that the filter will communicate with.
+ // Only one of ``grpc_service`` or ``http_service`` can be set.
+ // It is required that one of them must be set.
+ config.core.v3.GrpcService grpc_service = 1
+ [(udpa.annotations.field_migrate).oneof_promotion = "ext_proc_service_type"];
+
+ // Configuration for the HTTP service that the filter will communicate with.
+ // Only one of ``http_service`` or
+ // :ref:`grpc_service `
+ // can be set. It is required that one of them must be set.
+ //
+ // If ``http_service`` is set, the
+ // :ref:`processing_mode `
+ // cannot be configured to send any body or trailers. i.e., ``http_service`` only supports
+ // sending request or response headers to the side stream server.
+ //
+ // With this configuration, the data plane behavior is:
+ //
+ // 1. The headers are first put in a proto message
+ // :ref:`ProcessingRequest `.
+ //
+ // 2. This proto message is then transcoded into a JSON text.
+ //
+ // 3. The data plane then sends an HTTP POST message with content-type as "application/json",
+ // and this JSON text as body to the side stream server.
+ //
+ // After the side-stream receives this HTTP request message, it is expected to do as follows:
+ //
+ // 1. It converts the body, which is a JSON string, into a ``ProcessingRequest``
+ // proto message to examine and mutate the headers.
+ //
+ // 2. It then sets the mutated headers into a new proto message
+ // :ref:`ProcessingResponse `.
+ //
+ // 3. It converts the ``ProcessingResponse`` proto message into a JSON text.
+ //
+ // 4. It then sends an HTTP response back to the data plane with status code as ``"200"``,
+ // ``content-type`` as ``"application/json"`` and sets the JSON text as the body.
+ //
+ ExtProcHttpService http_service = 20 [
+ (udpa.annotations.field_migrate).oneof_promotion = "ext_proc_service_type",
+ (xds.annotations.v3.field_status).work_in_progress = true
+ ];
+
+ // By default, if in the following cases:
+ //
+ // 1. The gRPC stream cannot be established.
+ //
+ // 2. The gRPC stream is closed prematurely with an error.
+ //
+ // 3. The external processing timeouts.
+ //
+ // 4. The ext_proc server sends back spurious response messages.
+ //
+ // The filter will fail and a local reply with error code
+ // 504(for timeout case) or 500(for all other cases), will be sent to the downstream.
+ //
+ // However, with this parameter set to true and if the above cases happen, the processing
+ // continues without error.
+ //
+ bool failure_mode_allow = 2;
+
+ // Specifies default options for how HTTP headers, trailers, and bodies are
+ // sent. See ``ProcessingMode`` for details.
+ ProcessingMode processing_mode = 3;
+
+ // The data plane provides a number of :ref:`attributes `
+ // for expressive policies. Each attribute name provided in this field will be
+ // matched against that list and populated in the
+ // :ref:`ProcessingRequest.attributes ` field.
+ // See the :ref:`attribute documentation `
+ // for the list of supported attributes and their types.
+ repeated string request_attributes = 5;
+
+ // The data plane provides a number of :ref:`attributes `
+ // for expressive policies. Each attribute name provided in this field will be
+ // matched against that list and populated in the
+ // :ref:`ProcessingRequest.attributes ` field.
+ // See the :ref:`attribute documentation `
+ // for the list of supported attributes and their types.
+ repeated string response_attributes = 6;
+
+ // Specifies the timeout for each individual message sent on the stream.
+ // Whenever the data plane sends a message on the stream that requires a
+ // response, it will reset this timer, and will stop processing and return
+ // an error (subject to the processing mode) if the timer expires before a
+ // matching response is received. There is no timeout when the filter is
+ // running in observability mode or when the body send mode is
+ // ``FULL_DUPLEX_STREAMED`` or ``GRPC``. Zero is a valid config which means
+ // the timer will be triggered immediately. If not configured, default is
+ // 200 milliseconds.
+ google.protobuf.Duration message_timeout = 7 [(validate.rules).duration = {
+ lte {seconds: 3600}
+ gte {}
+ }];
+
+ // Optional additional prefix to use when emitting statistics. This allows to distinguish
+ // emitted statistics between configured ``ext_proc`` filters in an HTTP filter chain.
+ string stat_prefix = 8;
+
+ // Rules that determine what modifications an external processing server may
+ // make to message headers. If not set, all headers may be modified except
+ // for "host", ":authority", ":scheme", ":method", and headers that start
+ // with the header prefix set via
+ // :ref:`header_prefix `
+ // (which is usually "x-envoy").
+ // Note that changing headers such as "host" or ":authority" may not in itself
+ // change the data plane's routing decision, as routes can be cached. To also force the
+ // route to be recomputed, set the
+ // :ref:`clear_route_cache `
+ // field to true in the same response.
+ config.common.mutation_rules.v3.HeaderMutationRules mutation_rules = 9;
+
+ // Specify the upper bound of
+ // :ref:`override_message_timeout `
+ // If not specified, by default it is 0, which will effectively disable the ``override_message_timeout`` API.
+ google.protobuf.Duration max_message_timeout = 10 [(validate.rules).duration = {
+ lte {seconds: 3600}
+ gte {}
+ }];
+
+ // Allow headers matching the ``forward_rules`` to be forwarded to the external processing server.
+ // If not set, all headers are forwarded to the external processing server.
+ HeaderForwardingRules forward_rules = 12;
+
+ // Additional metadata to be added to the filter state for logging purposes. The metadata
+ // will be added to StreamInfo's filter state under the namespace corresponding to the
+ // ext_proc filter name.
+ google.protobuf.Struct filter_metadata = 13;
+
+ // If ``allow_mode_override`` is set to true, the filter config :ref:`processing_mode
+ // `
+ // can be overridden by the response message from the external processing server
+ // :ref:`mode_override `.
+ // If not set, ``mode_override`` API in the response message will be ignored.
+ // Mode override is not supported if the body send mode is ``FULL_DUPLEX_STREAMED``.
+ bool allow_mode_override = 14;
+
+ // If set to true, ignore the
+ // :ref:`immediate_response `
+ // message in an external processor response. In such case, no local reply will be sent.
+ // Instead, the stream to the external processor will be closed. There will be no
+ // more external processing for this stream from now on.
+ bool disable_immediate_response = 15;
+
+ // Options related to the sending and receiving of dynamic metadata.
+ MetadataOptions metadata_options = 16;
+
+ // If true, send each part of the HTTP request or response specified by ``ProcessingMode``
+ // without pausing on filter chain iteration. It is "Send and Go" mode that can be used
+ // by external processor to observe the request's data and status. In this mode:
+ //
+ // 1. Only ``STREAMED``, ``GRPC``, and ``NONE`` body processing modes are supported; for any
+ // other body processing mode, the body will not be sent.
+ //
+ // 2. External processor should not send back processing response, as any responses will be ignored.
+ // This also means that
+ // :ref:`message_timeout `
+ // restriction doesn't apply to this mode.
+ //
+ // 3. External processor may still close the stream to indicate that no more messages are needed.
+ //
+ // .. warning::
+ //
+ // Flow control is a necessary mechanism to prevent the fast sender (either downstream client or upstream server)
+ // from overwhelming the external processor when its processing speed is slower.
+ // This protective measure is being explored and developed but has not been ready yet, so please use your own
+ // discretion when enabling this feature.
+ // This work is currently tracked under https://github.com/envoyproxy/envoy/issues/33319.
+ //
+ bool observability_mode = 17;
+
+ // Prevents clearing the route-cache when the
+ // :ref:`clear_route_cache `
+ // field is set in an external processor response.
+ // Only one of ``disable_clear_route_cache`` or ``route_cache_action`` can be set.
+ // It is recommended to set ``route_cache_action`` which supersedes ``disable_clear_route_cache``.
+ bool disable_clear_route_cache = 11
+ [(udpa.annotations.field_migrate).oneof_promotion = "clear_route_cache_type"];
+
+ // Specifies the action to be taken when an external processor response is
+ // received in response to request headers. It is recommended to set this field rather than set
+ // :ref:`disable_clear_route_cache `.
+ // Only one of ``disable_clear_route_cache`` or ``route_cache_action`` can be set.
+ RouteCacheAction route_cache_action = 18
+ [(udpa.annotations.field_migrate).oneof_promotion = "clear_route_cache_type"];
+
+ // Specifies the deferred closure timeout for gRPC stream that connects to external processor. Currently, the deferred stream closure
+ // is only used in :ref:`observability_mode `.
+ // In observability mode, gRPC streams may be held open to the external processor longer than the lifetime of the regular client to
+ // backend stream lifetime. In this case, the data plane will eventually timeout the external processor stream according to this time limit.
+ // The default value is 5000 milliseconds (5 seconds) if not specified.
+ google.protobuf.Duration deferred_close_timeout = 19;
+
+ // Send body to the side stream server once it arrives without waiting for the header response from that server.
+ // It only works for ``STREAMED`` body processing mode. For any other body
+ // processing modes, it is ignored.
+ // The server has two options upon receiving a header request:
+ //
+ // 1. Instant Response: send the header response as soon as the header request is received.
+ //
+ // 2. Delayed Response: wait for the body before sending any response.
+ //
+ // In all scenarios, the header-body ordering must always be maintained.
+ //
+ // If enabled the data plane will ignore the
+ // :ref:`mode_override `
+ // value that the server sends in the header response. This is because the data plane may have already
+ // sent the body to the server, prior to processing the header response.
+ bool send_body_without_waiting_for_header_response = 21;
+
+ // When :ref:`allow_mode_override
+ // ` is enabled and
+ // ``allowed_override_modes`` is configured, the filter config :ref:`processing_mode
+ // `
+ // can only be overridden by the response message from the external processing server iff the
+ // :ref:`mode_override ` is allowed by
+ // the ``allowed_override_modes`` allow-list below.
+ // Since ``request_header_mode`` is not applicable in any way, it's ignored in comparison.
+ repeated ProcessingMode allowed_override_modes = 22;
+
+ // Decorator to introduce custom logic that runs after the ``ProcessingRequest`` is constructed, but
+ // before it is sent to the External Processor. The ``ProcessingRequest`` may be modified.
+ //
+ // .. note::
+ // Processing request modifiers are currently in alpha.
+ //
+ // [#extension-category: envoy.http.ext_proc.processing_request_modifiers]
+ config.core.v3.TypedExtensionConfig processing_request_modifier = 25
+ [(xds.annotations.v3.field_status).work_in_progress = true];
+
+ // Decorator to introduce custom logic that runs after a message received from
+ // the External Processor is processed, but before continuing filter chain iteration.
+ //
+ // .. note::
+ // Response processors are currently in alpha.
+ //
+ // [#extension-category: envoy.http.ext_proc.response_processors]
+ config.core.v3.TypedExtensionConfig on_processing_response = 23
+ [(xds.annotations.v3.field_status).work_in_progress = true];
+
+ // Sets the HTTP status code that is returned to the client when the external processing server returns
+ // an error, fails to respond, or cannot be reached.
+ //
+ // The default status is ``HTTP 500 Internal Server Error``.
+ type.v3.HttpStatus status_on_error = 24;
+}
+
+// ExtProcHttpService is used for HTTP communication between the filter and the external processing service.
+message ExtProcHttpService {
+ // Sets the HTTP service which the external processing requests must be sent to.
+ config.core.v3.HttpService http_service = 1;
+}
+
+// The MetadataOptions structure defines options for the sending and receiving of
+// dynamic metadata. Specifically, which namespaces to send to the server, whether
+// metadata returned by the server may be written, and how that metadata may be written.
+message MetadataOptions {
+ message MetadataNamespaces {
+ // Specifies a list of metadata namespaces whose values, if present,
+ // will be passed to the ``ext_proc`` service as an opaque ``protobuf::Struct``.
+ repeated string untyped = 1;
+
+ // Specifies a list of metadata namespaces whose values, if present,
+ // will be passed to the ``ext_proc`` service as a ``protobuf::Any``. This allows
+ // envoy and the external processing server to share the protobuf message
+ // definition for safe parsing.
+ repeated string typed = 2;
+ }
+
+ // Describes which typed or untyped filter dynamic metadata namespaces to forward to
+ // the external processing server.
+ MetadataNamespaces forwarding_namespaces = 1;
+
+ // Describes which typed or untyped filter dynamic metadata namespaces to accept from
+ // the external processing server. Set to empty or leave unset to disallow writing
+ // any received dynamic metadata. Receiving of typed metadata is not supported.
+ MetadataNamespaces receiving_namespaces = 2;
+
+ // Describes which cluster metadata namespaces to forward to
+ // the external processing server.
+ // .. note::
+ // This is the least specific metadata. Should there be any namespace collision,
+ // cluster level metadata can be overridden by filter metadata.
+ MetadataNamespaces cluster_metadata_forwarding_namespaces = 3;
+}
+
+// The HeaderForwardingRules structure specifies what headers are
+// allowed to be forwarded to the external processing server.
+//
+// This works as below:
+//
+// 1. If neither ``allowed_headers`` nor ``disallowed_headers`` is set, all headers are forwarded.
+// 2. If both ``allowed_headers`` and ``disallowed_headers`` are set, only headers in the
+// ``allowed_headers`` but not in the ``disallowed_headers`` are forwarded.
+// 3. If ``allowed_headers`` is set, and ``disallowed_headers`` is not set, only headers in
+// the ``allowed_headers`` are forwarded.
+// 4. If ``disallowed_headers`` is set, and ``allowed_headers`` is not set, all headers except
+// headers in the ``disallowed_headers`` are forwarded.
+message HeaderForwardingRules {
+ // If set, specifically allow any header in this list to be forwarded to the external
+ // processing server. This can be overridden by the below ``disallowed_headers``.
+ type.matcher.v3.ListStringMatcher allowed_headers = 1;
+
+ // If set, specifically disallow any header in this list to be forwarded to the external
+ // processing server. This overrides the above ``allowed_headers`` if a header matches both.
+ type.matcher.v3.ListStringMatcher disallowed_headers = 2;
+}
+
+// Extra settings that may be added to per-route configuration for a
+// virtual host or cluster.
+message ExtProcPerRoute {
+ oneof override {
+ option (validate.required) = true;
+
+ // Disable the filter for this particular vhost or route.
+ // If disabled is specified in multiple per-filter-configs, the most specific one will be used.
+ bool disabled = 1 [(validate.rules).bool = {const: true}];
+
+ // Override aspects of the configuration for this route. A set of
+ // overrides in a more specific configuration will override a "disabled"
+ // flag set in a less-specific one.
+ ExtProcOverrides overrides = 2;
+ }
+}
+
+// Overrides that may be set on a per-route basis
+// [#next-free-field: 10]
+message ExtProcOverrides {
+ // Set a different processing mode for this route than the default.
+ ProcessingMode processing_mode = 1;
+
+ // [#not-implemented-hide:]
+ // Set a different asynchronous processing option than the default.
+ // Deprecated and not implemented.
+ bool async_mode = 2 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // [#not-implemented-hide:]
+ // Set different optional attributes than the default setting of the
+ // ``request_attributes`` field.
+ repeated string request_attributes = 3;
+
+ // [#not-implemented-hide:]
+ // Set different optional properties than the default setting of the
+ // ``response_attributes`` field.
+ repeated string response_attributes = 4;
+
+ // Set a different gRPC service for this route than the default.
+ config.core.v3.GrpcService grpc_service = 5;
+
+ // Options related to the sending and receiving of dynamic metadata.
+ // Lists of forwarding and receiving namespaces will be overridden in their entirety,
+ // meaning the most-specific config that specifies this override will be the final
+ // config used. It is the prerogative of the control plane to ensure this
+ // most-specific config contains the correct final overrides.
+ MetadataOptions metadata_options = 6;
+
+ // Additional metadata to include into streams initiated to the ``ext_proc`` gRPC
+ // service. This can be used for scenarios in which additional ad hoc
+ // authorization headers (e.g. ``x-foo-bar: baz-key``) are to be injected or
+ // when a route needs to partially override inherited metadata.
+ repeated config.core.v3.HeaderValue grpc_initial_metadata = 7;
+
+ // If true, the filter will not fail closed if the gRPC stream is prematurely closed
+ // or could not be opened. This field is the per-route override of
+ // :ref:`failure_mode_allow `.
+ google.protobuf.BoolValue failure_mode_allow = 8;
+
+ // Decorator to introduce custom logic that runs after the ``ProcessingRequest`` is constructed, but
+ // before it is sent to the External Processor. The ``ProcessingRequest`` may be modified.
+ // This is a per-route override of
+ // :ref:`processing_request_modifier `.
+ config.core.v3.TypedExtensionConfig processing_request_modifier = 9
+ [(xds.annotations.v3.field_status).work_in_progress = true];
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/bd93ad0724db9b3840188ee614b6a8fe094dacba594e4d989cc33169c3b9ac373fd95ce9c201089b70bdd91a9a9fdd1bea3d2140f524eb8156273e1716684621 b/modules/sync/envoyproxy/envoy/cas/bd93ad0724db9b3840188ee614b6a8fe094dacba594e4d989cc33169c3b9ac373fd95ce9c201089b70bdd91a9a9fdd1bea3d2140f524eb8156273e1716684621
new file mode 100644
index 00000000..54ef2cfe
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/bd93ad0724db9b3840188ee614b6a8fe094dacba594e4d989cc33169c3b9ac373fd95ce9c201089b70bdd91a9a9fdd1bea3d2140f524eb8156273e1716684621
@@ -0,0 +1,455 @@
+syntax = "proto3";
+
+package envoy.config.listener.v3;
+
+import "envoy/config/accesslog/v3/accesslog.proto";
+import "envoy/config/core/v3/address.proto";
+import "envoy/config/core/v3/base.proto";
+import "envoy/config/core/v3/config_source.proto";
+import "envoy/config/core/v3/extension.proto";
+import "envoy/config/core/v3/socket_option.proto";
+import "envoy/config/listener/v3/api_listener.proto";
+import "envoy/config/listener/v3/listener_components.proto";
+import "envoy/config/listener/v3/udp_listener_config.proto";
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/wrappers.proto";
+
+import "xds/core/v3/collection_entry.proto";
+import "xds/type/matcher/v3/matcher.proto";
+
+import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/security.proto";
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.config.listener.v3";
+option java_outer_classname = "ListenerProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3;listenerv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Listener configuration]
+// Listener :ref:`configuration overview `
+
+// The additional address the listener is listening on.
+message AdditionalAddress {
+ core.v3.Address address = 1;
+
+ // Additional socket options that may not be present in Envoy source code or
+ // precompiled binaries. If specified, this will override the
+ // :ref:`socket_options `
+ // in the listener. If specified with no
+ // :ref:`socket_options `
+ // or an empty list of :ref:`socket_options `,
+ // it means no socket option will apply.
+ core.v3.SocketOptionsOverride socket_options = 2;
+
+ // Configures TCP keepalive settings for the additional address.
+ // If not set, the listener :ref:`tcp_keepalive `
+ // configuration is inherited. You can explicitly disable TCP keepalive for the additional address by setting any keepalive field
+ // (:ref:`keepalive_probes `,
+ // :ref:`keepalive_time `, or
+ // :ref:`keepalive_interval `) to ``0``.
+ core.v3.TcpKeepalive tcp_keepalive = 3;
+}
+
+// Listener list collections. Entries are ``Listener`` resources or references.
+// [#not-implemented-hide:]
+message ListenerCollection {
+ repeated xds.core.v3.CollectionEntry entries = 1;
+}
+
+// [#next-free-field: 38]
+message Listener {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Listener";
+
+ enum DrainType {
+ // Drain in response to calling /healthcheck/fail admin endpoint (along with the health check
+ // filter), listener removal/modification, and hot restart.
+ DEFAULT = 0;
+
+ // Drain in response to listener removal/modification and hot restart. This setting does not
+ // include /healthcheck/fail. This setting may be desirable if Envoy is hosting both ingress
+ // and egress listeners.
+ MODIFY_ONLY = 1;
+ }
+
+ // [#not-implemented-hide:]
+ message DeprecatedV1 {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.Listener.DeprecatedV1";
+
+ // Whether the listener should bind to the port. A listener that doesn't
+ // bind can only receive connections redirected from other listeners that
+ // set use_original_dst parameter to true. Default is true.
+ //
+ // This is deprecated. Use :ref:`Listener.bind_to_port
+ // `
+ google.protobuf.BoolValue bind_to_port = 1;
+ }
+
+ // Configuration for listener connection balancing.
+ message ConnectionBalanceConfig {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.Listener.ConnectionBalanceConfig";
+
+ // A connection balancer implementation that does exact balancing. This means that a lock is
+ // held during balancing so that connection counts are nearly exactly balanced between worker
+ // threads. This is "nearly" exact in the sense that a connection might close in parallel thus
+ // making the counts incorrect, but this should be rectified on the next accept. This balancer
+ // sacrifices accept throughput for accuracy and should be used when there are a small number of
+ // connections that rarely cycle (e.g., service mesh gRPC egress).
+ message ExactBalance {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.Listener.ConnectionBalanceConfig.ExactBalance";
+ }
+
+ oneof balance_type {
+ option (validate.required) = true;
+
+ // If specified, the listener will use the exact connection balancer.
+ ExactBalance exact_balance = 1;
+
+ // The listener will use the connection balancer according to ``type_url``. If ``type_url`` is invalid,
+ // Envoy will not attempt to balance active connections between worker threads.
+ // [#extension-category: envoy.network.connection_balance]
+ core.v3.TypedExtensionConfig extend_balance = 2;
+ }
+ }
+
+ // Configuration for envoy internal listener. All the future internal listener features should be added here.
+ message InternalListenerConfig {
+ }
+
+ // Configuration for filter chains discovery.
+ // [#not-implemented-hide:]
+ message FcdsConfig {
+ // Optional name to present to the filter chain discovery service. This may be an arbitrary name with arbitrary
+ // length. If a name is not provided, the listener's name is used. Refer to :ref:`filter_chains `.
+ // for details on how listener name is determined if unspecified. In addition, this may be a xdstp:// URL.
+ string name = 1;
+
+ // Configuration for the source of FCDS updates for this listener.
+ // .. note::
+ // This discovery service only supports ``AGGREGATED_GRPC`` API type.
+ core.v3.ConfigSource config_source = 2;
+ }
+
+ reserved 14, 23;
+
+ // The unique name by which this listener is known. If no name is provided,
+ // Envoy will allocate an internal UUID for the listener. If the listener is to be dynamically
+ // updated or removed via :ref:`LDS ` a unique name must be provided.
+ string name = 1;
+
+ // The address that the listener should listen on. In general, the address must be unique, though
+ // that is governed by the bind rules of the OS. E.g., multiple listeners can listen on port 0 on
+ // Linux as the actual port will be allocated by the OS.
+ // Required unless ``api_listener`` or ``listener_specifier`` is populated.
+ //
+ // When the address contains a network namespace filepath (via
+ // :ref:`network_namespace_filepath `),
+ // Envoy automatically populates the filter state with key ``envoy.network.network_namespace``
+ // when a connection is accepted. This provides read-only access to the network namespace for
+ // filters, access logs, and other components.
+ core.v3.Address address = 2;
+
+ // The additional addresses the listener should listen on. The addresses must be unique across all
+ // listeners. Multiple addresses with port 0 can be supplied. When using multiple addresses in a single listener,
+ // all addresses use the same protocol, and multiple internal addresses are not supported.
+ repeated AdditionalAddress additional_addresses = 33;
+
+ // Optional prefix to use on listener stats. If empty, the stats will be rooted at
+ // ``listener..``. If non-empty, stats will be rooted at
+ // ``listener..``.
+ string stat_prefix = 28;
+
+ // A list of filter chains to consider for this listener. The
+ // :ref:`FilterChain ` with the most specific
+ // :ref:`FilterChainMatch ` criteria is used on a
+ // connection.
+ //
+ // Example using SNI for filter chain selection can be found in the
+ // :ref:`FAQ entry `.
+ repeated FilterChain filter_chains = 3;
+
+ // Discover filter chains configurations by external service. Dynamic discovery of filter chains is allowed
+ // while having statically configured filter chains, however, a filter chain name must be unique within a
+ // listener. If a discovered filter chain matches a name of an existing filter chain, it is discarded.
+ // [#not-implemented-hide:]
+ FcdsConfig fcds_config = 36;
+
+ // :ref:`Matcher API ` resolving the filter chain name from the
+ // network properties. This matcher is used as a replacement for the filter chain match condition
+ // :ref:`filter_chain_match
+ // `. If specified, all
+ // :ref:`filter_chains ` must have a
+ // non-empty and unique :ref:`name ` field
+ // and not specify :ref:`filter_chain_match
+ // ` field.
+ //
+ // .. note::
+ //
+ // Once matched, each connection is permanently bound to its filter chain.
+ // If the matcher changes but the filter chain remains the same, the
+ // connections bound to the filter chain are not drained. If, however, the
+ // filter chain is removed or structurally modified, then the drain for its
+ // connections is initiated.
+ xds.type.matcher.v3.Matcher filter_chain_matcher = 32;
+
+ // If a connection is redirected using ``iptables``, the port on which the proxy
+ // receives it might be different from the original destination address. When this flag is set to
+ // true, the listener hands off redirected connections to the listener associated with the
+ // original destination address. If there is no listener associated with the original destination
+ // address, the connection is handled by the listener that receives it. Defaults to false.
+ google.protobuf.BoolValue use_original_dst = 4;
+
+ // The default filter chain if none of the filter chain matches. If no default filter chain is supplied,
+ // the connection will be closed. The filter chain match is ignored in this field.
+ FilterChain default_filter_chain = 25;
+
+ // Soft limit on size of the listener’s new connection read and write buffers.
+ // If unspecified, an implementation defined default is applied (1MiB).
+ google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5
+ [(udpa.annotations.security).configure_for_untrusted_downstream = true];
+
+ // Listener metadata.
+ core.v3.Metadata metadata = 6;
+
+ // [#not-implemented-hide:]
+ DeprecatedV1 deprecated_v1 = 7
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // The type of draining to perform at a listener-wide level.
+ DrainType drain_type = 8;
+
+ // Listener filters have the opportunity to manipulate and augment the connection metadata that
+ // is used in connection filter chain matching, for example. These filters are run before any in
+ // :ref:`filter_chains `. Order matters as the
+ // filters are processed sequentially right after a socket has been accepted by the listener, and
+ // before a connection is created.
+ // UDP Listener filters can be specified when the protocol in the listener socket address in
+ // :ref:`protocol ` is :ref:`UDP
+ // ` and no
+ // :ref:`quic_options ` is specified in :ref:`udp_listener_config `.
+ // QUIC listener filters can be specified when :ref:`quic_options
+ // ` is
+ // specified in :ref:`udp_listener_config `.
+ // They are processed sequentially right before connection creation. And like TCP Listener filters, they can be used to manipulate the connection metadata and socket. But the difference is that they can't be used to pause connection creation.
+ repeated ListenerFilter listener_filters = 9;
+
+ // The timeout to wait for all listener filters to complete operation. If the timeout is reached,
+ // the accepted socket is closed without a connection being created unless
+ // ``continue_on_listener_filters_timeout`` is set to true. Specify 0 to disable the
+ // timeout. If not specified, a default timeout of 15s is used.
+ google.protobuf.Duration listener_filters_timeout = 15;
+
+ // Whether a connection should be created when listener filters timeout. Default is false.
+ //
+ // .. attention::
+ //
+ // Some listener filters, such as :ref:`Proxy Protocol filter
+ // `, should not be used with this option. It will cause
+ // unexpected behavior when a connection is created.
+ bool continue_on_listener_filters_timeout = 17;
+
+ // Whether the listener should be set as a transparent socket.
+ // When this flag is set to true, connections can be redirected to the listener using an
+ // ``iptables`` ``TPROXY`` target, in which case the original source and destination addresses and
+ // ports are preserved on accepted connections. This flag should be used in combination with
+ // :ref:`an original_dst ` :ref:`listener filter
+ // ` to mark the connections' local addresses as
+ // "restored." This can be used to hand off each redirected connection to another listener
+ // associated with the connection's destination address. Direct connections to the socket without
+ // using ``TPROXY`` cannot be distinguished from connections redirected using ``TPROXY`` and are
+ // therefore treated as if they were redirected.
+ // When this flag is set to false, the listener's socket is explicitly reset as non-transparent.
+ // Setting this flag requires Envoy to run with the ``CAP_NET_ADMIN`` capability.
+ // When this flag is not set (default), the socket is not modified, i.e. the transparent option
+ // is neither set nor reset.
+ google.protobuf.BoolValue transparent = 10; + + // Whether the listener should set the ``IP_FREEBIND`` socket option. When this + // flag is set to true, listeners can be bound to an IP address that is not + // configured on the system running Envoy. When this flag is set to false, the + // option ``IP_FREEBIND`` is disabled on the socket. When this flag is not set + // (default), the socket is not modified, i.e. the option is neither enabled + // nor disabled. + google.protobuf.BoolValue freebind = 11; + + // Additional socket options that may not be present in Envoy source code or + // precompiled binaries. + // It is not allowed to update the socket options for any existing address if + // :ref:`enable_reuse_port ` + // is ``false`` to avoid the conflict when creating new sockets for the listener. + repeated core.v3.SocketOption socket_options = 13; + + // Whether the listener should accept TCP Fast Open (TFO) connections. + // When this flag is set to a value greater than 0, the option TCP_FASTOPEN is enabled on + // the socket, with a queue length of the specified size + // (see `details in RFC7413 `_). + // When this flag is set to 0, the option TCP_FASTOPEN is disabled on the socket. + // When this flag is not set (default), the socket is not modified, + // i.e. the option is neither enabled nor disabled. + // + // On Linux, the net.ipv4.tcp_fastopen kernel parameter must include flag 0x2 to enable + // TCP_FASTOPEN. + // See `ip-sysctl.txt `_. + // + // On macOS, only values of 0, 1, and unset are valid; other values may result in an error. + // To set the queue length on macOS, set the net.inet.tcp.fastopen_backlog kernel parameter. + google.protobuf.UInt32Value tcp_fast_open_queue_length = 12; + + // Specifies the intended direction of the traffic relative to the local Envoy. + // This property is required on Windows for listeners using the original destination filter, + // see :ref:`Original Destination `. 
+ core.v3.TrafficDirection traffic_direction = 16; + + // If the protocol in the listener socket address in :ref:`protocol + // ` is :ref:`UDP + // `, this field specifies UDP + // listener specific configuration. + UdpListenerConfig udp_listener_config = 18; + + // Used to represent an API listener, which is used in non-proxy clients. The type of API + // exposed to the non-proxy application depends on the type of API listener. + // When this field is set, no other field except for :ref:`name` + // should be set. + // + // .. note:: + // + // Currently only one ApiListener can be installed; and it can only be done via bootstrap config, + // not LDS. + // + // [#next-major-version: In the v3 API, instead of this messy approach where the socket + // listener fields are directly in the top-level Listener message and the API listener types + // are in the ApiListener message, the socket listener messages should be in their own message, + // and the top-level Listener should essentially be a oneof that selects between the + // socket listener and the various types of API listener. That way, a given Listener message + // can structurally only contain the fields of the relevant type.] + ApiListener api_listener = 19; + + // The listener's connection balancer configuration, currently only applicable to TCP listeners. + // If no configuration is specified, Envoy will not attempt to balance active connections between + // worker threads. + // + // In the scenario that the listener X redirects all the connections to the listeners Y1 and Y2 + // by setting :ref:`use_original_dst ` in X + // and :ref:`bind_to_port ` to false in Y1 and Y2, + // it is recommended to disable the balance config in listener X to avoid the cost of balancing, and + // enable the balance config in Y1 and Y2 to balance the connections among the workers. + ConnectionBalanceConfig connection_balance_config = 20; + + // Deprecated. Use ``enable_reuse_port`` instead. 
+ bool reuse_port = 21 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // When this flag is set to true, listeners set the ``SO_REUSEPORT`` socket option and + // create one socket for each worker thread. This makes inbound connections + // distribute among worker threads roughly evenly in cases where there are a high number + // of connections. When this flag is set to false, all worker threads share one socket. This field + // defaults to true. The change of field will be rejected during an listener update when the + // runtime flag ``envoy.reloadable_features.enable_update_listener_socket_options`` is enabled. + // Otherwise, the update of this field will be ignored quietly. + // + // .. attention:: + // + // Although this field defaults to true, it has different behavior on different platforms. See + // the following text for more information. + // + // * On Linux, reuse_port is respected for both TCP and UDP listeners. It also works correctly + // with hot restart. + // * On macOS, reuse_port for TCP does not do what it does on Linux. Instead of load balancing, + // the last socket wins and receives all connections/packets. For TCP, reuse_port is force + // disabled and the user is warned. For UDP, it is enabled, but only one worker will receive + // packets. For QUIC/H3, SW routing will send packets to other workers. For "raw" UDP, only + // a single worker will currently receive packets. + // * On Windows, reuse_port for TCP has undefined behavior. It is force disabled and the user + // is warned similar to macOS. It is left enabled for UDP with undefined behavior currently. + google.protobuf.BoolValue enable_reuse_port = 29; + + // Configuration for :ref:`access logs ` + // emitted by this listener. + repeated accesslog.v3.AccessLog access_log = 22; + + // The maximum length a tcp listener's pending connections queue can grow to. If no value is + // provided net.core.somaxconn will be used on Linux and 128 otherwise. 
+ google.protobuf.UInt32Value tcp_backlog_size = 24; + + // The maximum number of connections to accept from the kernel per socket + // event. Envoy may decide to close these connections after accepting them + // from the kernel e.g. due to load shedding, or other policies. + // If there are more than max_connections_to_accept_per_socket_event + // connections pending accept, connections over this threshold will be + // accepted in later event loop iterations. + // If no value is provided Envoy will accept all connections pending accept + // from the kernel. + // + // .. note:: + // + // It is recommended to lower this value for better overload management and reduced per-event cost. + // Setting it to 1 is a viable option with no noticeable impact on performance. + google.protobuf.UInt32Value max_connections_to_accept_per_socket_event = 34 + [(validate.rules).uint32 = {gt: 0}]; + + // Whether the listener should bind to the port. A listener that doesn't + // bind can only receive connections redirected from other listeners that set + // :ref:`use_original_dst ` + // to true. Default is true. + google.protobuf.BoolValue bind_to_port = 26; + + // The exclusive listener type and the corresponding config. + oneof listener_specifier { + // Used to represent an internal listener which does not listen on OSI L4 address but can be used by the + // :ref:`envoy cluster ` to create a user space connection to. + // The internal listener acts as a TCP listener. It supports listener filters and network filter chains. + // Upstream clusters refer to the internal listeners by their :ref:`name + // `. :ref:`Address + // ` must not be set on the internal listeners. + // + // There are some limitations that are derived from the implementation. The known limitations include: + // + // * :ref:`ConnectionBalanceConfig ` is not + // allowed because both the cluster connection and the listener connection must be owned by the same dispatcher. 
+ // * :ref:`tcp_backlog_size ` + // * :ref:`freebind ` + // * :ref:`transparent ` + InternalListenerConfig internal_listener = 27; + } + + // Enable MPTCP (multi-path TCP) on this listener. Clients will be allowed to establish + // MPTCP connections. Non-MPTCP clients will fall back to regular TCP. + bool enable_mptcp = 30; + + // Whether the listener should limit connections based upon the value of + // :ref:`global_downstream_max_connections `. + bool ignore_global_conn_limit = 31; + + // Whether the listener bypasses configured overload manager actions. + bool bypass_overload_manager = 35; + + // If set, TCP keepalive settings are configured for the listener address and inherited by + // additional addresses. If not set, TCP keepalive settings are not configured for the + // listener address and additional addresses by default. See :ref:`tcp_keepalive ` + // to explicitly configure TCP keepalive settings for individual additional addresses. + core.v3.TcpKeepalive tcp_keepalive = 37; +} + +// A placeholder proto so that users can explicitly configure the standard +// Listener Manager via the bootstrap's :ref:`listener_manager `. +// [#not-implemented-hide:] +message ListenerManager { +} + +// A placeholder proto so that users can explicitly configure the standard +// Validation Listener Manager via the bootstrap's :ref:`listener_manager `. +// [#not-implemented-hide:] +message ValidationListenerManager { +} + +// A placeholder proto so that users can explicitly configure the API +// Listener Manager via the bootstrap's :ref:`listener_manager `. +// [#not-implemented-hide:] +message ApiListenerManager { +} 
diff --git a/modules/sync/envoyproxy/envoy/cas/c0db1853e908e8135812c85e8a3a1a62c5c85e470976c46d8e9664b930f4c4aac87e4c4a81c4a8c514190efef87e2a92d80b763512663bbddcc13f5af9bd8608 b/modules/sync/envoyproxy/envoy/cas/c0db1853e908e8135812c85e8a3a1a62c5c85e470976c46d8e9664b930f4c4aac87e4c4a81c4a8c514190efef87e2a92d80b763512663bbddcc13f5af9bd8608
new file mode 100644
index 00000000..86dc67b9
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/c0db1853e908e8135812c85e8a3a1a62c5c85e470976c46d8e9664b930f4c4aac87e4c4a81c4a8c514190efef87e2a92d80b763512663bbddcc13f5af9bd8608
@@ -0,0 +1,22 @@
+syntax = "proto3";
+
+package envoy.extensions.local_address_selectors.filter_state_override.v3;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.local_address_selectors.filter_state_override.v3";
+option java_outer_classname = "ConfigProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/local_address_selectors/filter_state_override/v3;filter_state_overridev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Linux Network Namespace Local Address Selector]
+// [#extension: envoy.upstream.local_address_selector.filter_state_override]
+
+// Overrides the upstream bind address Linux network namespace using a filter
+// state object with the key ``envoy.network.upstream_bind_override.network_namespace``
+// passed from the downstream. The override applies over the :ref:`default
+// address selector
+// `
+message Config {
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/c533295400884a2028aebefc3c33e91ac5f04292175bbe92f403d268e72f956da90fa837cf7427f0b7b195ae4ac6d8b20b2f26fefbccfbf38f82f0b4d10bc3ef b/modules/sync/envoyproxy/envoy/cas/c533295400884a2028aebefc3c33e91ac5f04292175bbe92f403d268e72f956da90fa837cf7427f0b7b195ae4ac6d8b20b2f26fefbccfbf38f82f0b4d10bc3ef
new file mode 100644
index 00000000..f24ee639
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/c533295400884a2028aebefc3c33e91ac5f04292175bbe92f403d268e72f956da90fa837cf7427f0b7b195ae4ac6d8b20b2f26fefbccfbf38f82f0b4d10bc3ef 
@@ -0,0 +1,461 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.network.redis_proxy.v3;
+
+import "envoy/config/core/v3/address.proto";
+import "envoy/config/core/v3/base.proto";
+import "envoy/config/core/v3/grpc_service.proto";
+import "envoy/extensions/common/aws/v3/credential_provider.proto";
+import "envoy/extensions/common/dynamic_forward_proxy/v3/dns_cache.proto";
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/wrappers.proto";
+
+import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/migrate.proto";
+import "udpa/annotations/sensitive.proto";
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.network.redis_proxy.v3";
+option java_outer_classname = "RedisProxyProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/redis_proxy/v3;redis_proxyv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Redis Proxy]
+// Redis Proxy :ref:`configuration overview `.
+// [#extension: envoy.filters.network.redis_proxy]
+
+// [#next-free-field: 12]
+message RedisProxy {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.network.redis_proxy.v2.RedisProxy";
+
+ // Redis connection pool settings.
+ // [#next-free-field: 11]
+ message ConnPoolSettings {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.network.redis_proxy.v2.RedisProxy.ConnPoolSettings";
+
+ // ReadPolicy controls how Envoy routes read commands to Redis nodes. This is currently
+ // supported for Redis Cluster. All ReadPolicy settings except MASTER may return stale data
+ // because replication is asynchronous and requires some delay. You need to ensure that your
+ // application can tolerate stale data.
+ enum ReadPolicy { + // Default mode. Read from the current primary node. + MASTER = 0 [(udpa.annotations.enum_value_migrate).rename = "PRIMARY"]; + + // Read from the primary, but if it is unavailable, read from replica nodes. + PREFER_MASTER = 1 [(udpa.annotations.enum_value_migrate).rename = "PREFER_PRIMARY"]; + + // Read from replica nodes. If multiple replica nodes are present within a shard, a random + // node is selected. Healthy nodes have precedent over unhealthy nodes. + REPLICA = 2; + + // Read from the replica nodes (similar to REPLICA), but if all replicas are unavailable (not + // present or unhealthy), read from the primary. + PREFER_REPLICA = 3; + + // Read from any node of the cluster. A random node is selected among the primary and + // replicas, healthy nodes have precedent over unhealthy nodes. + ANY = 4; + } + + // Per-operation timeout in milliseconds. The timer starts when the first + // command of a pipeline is written to the backend connection. Each response received from Redis + // resets the timer since it signifies that the next command is being processed by the backend. + // The only exception to this behavior is when a connection to a backend is not yet established. + // In that case, the connect timeout on the cluster will govern the timeout until the connection + // is ready. + google.protobuf.Duration op_timeout = 1 [(validate.rules).duration = {required: true}]; + + // Use hash tagging on every redis key to guarantee that keys with the same hash tag will be + // forwarded to the same upstream. The hash key used for determining the upstream in a + // consistent hash ring configuration will be computed from the hash tagged key instead of the + // whole key. The algorithm used to compute the hash tag is identical to the `redis-cluster + // implementation `_. 
+ // + // Examples: + // + // * '{user1000}.following' and '{user1000}.followers' **will** be sent to the same upstream + // * '{user1000}.following' and '{user1001}.following' **might** be sent to the same upstream + bool enable_hashtagging = 2; + + // Accept `moved and ask redirection + // `_ errors from upstream + // redis servers, and retry commands to the specified target server. The target server does not + // need to be known to the cluster manager. If the command cannot be redirected, then the + // original error is passed downstream unchanged. By default, this support is not enabled. + bool enable_redirection = 3; + + // If ``enable_redirection`` is set to true this option configures the DNS cache that the + // connection pool will use to resolve hostnames that are returned with MOVED and ASK responses. + // If no configuration is provided, DNS lookups will not be performed (and thus the MOVED/ASK errors + // will be propagated verbatim to the user). + common.dynamic_forward_proxy.v3.DnsCacheConfig dns_cache_config = 9; + + // Maximum size of encoded request buffer before flush is triggered and encoded requests + // are sent upstream. If this is unset, the buffer flushes whenever it receives data + // and performs no batching. + // This feature makes it possible for multiple clients to send requests to Envoy and have + // them batched- for example if one is running several worker processes, each with its own + // Redis connection. There is no benefit to using this with a single downstream process. + // Recommended size (if enabled) is 1024 bytes. + uint32 max_buffer_size_before_flush = 4; + + // The encoded request buffer is flushed N milliseconds after the first request has been + // encoded, unless the buffer size has already exceeded ``max_buffer_size_before_flush``. + // If ``max_buffer_size_before_flush`` is not set, this flush timer is not used. 
Otherwise, + // the timer should be set according to the number of clients, overall request rate and + // desired maximum latency for a single command. For example, if there are many requests + // being batched together at a high rate, the buffer will likely be filled before the timer + // fires. Alternatively, if the request rate is lower the buffer will not be filled as often + // before the timer fires. + // If ``max_buffer_size_before_flush`` is set, but ``buffer_flush_timeout`` is not, the latter + // defaults to 3ms. + google.protobuf.Duration buffer_flush_timeout = 5; + + // ``max_upstream_unknown_connections`` controls how many upstream connections to unknown hosts + // can be created at any given time by any given worker thread (see ``enable_redirection`` for + // more details). If the host is unknown and a connection cannot be created due to enforcing + // this limit, then redirection will fail and the original redirection error will be passed + // downstream unchanged. This limit defaults to 100. + google.protobuf.UInt32Value max_upstream_unknown_connections = 6; + + // Enable per-command statistics per upstream cluster, in addition to the filter level aggregate + // count. These commands are measured in microseconds. + bool enable_command_stats = 8; + + // Read policy. The default is to read from the primary. + ReadPolicy read_policy = 7 [(validate.rules).enum = {defined_only: true}]; + + // Ops or connection timeout triggers reconnection to redis server which could result in reconnection + // storm to busy redis server. This config is a protection to rate limit reconnection rate. + // If not set, there will be no rate limiting on the reconnection. 
+ ConnectionRateLimit connection_rate_limit = 10; + } + + message PrefixRoutes { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.redis_proxy.v2.RedisProxy.PrefixRoutes"; + + // [#next-free-field: 7] + message Route { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.redis_proxy.v2.RedisProxy.PrefixRoutes.Route"; + + // The router is capable of shadowing traffic from one cluster to another. The current + // implementation is "fire and forget," meaning Envoy will not wait for the shadow cluster to + // respond before returning the response from the primary cluster. All normal statistics are + // collected for the shadow cluster making this feature useful for testing. + message RequestMirrorPolicy { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.redis_proxy.v2.RedisProxy.PrefixRoutes.Route." + "RequestMirrorPolicy"; + + // Specifies the cluster that requests will be mirrored to. The cluster must + // exist in the cluster manager configuration. + string cluster = 1 [(validate.rules).string = {min_len: 1}]; + + // If not specified or the runtime key is not present, all requests to the target cluster + // will be mirrored. + // + // If specified, Envoy will lookup the runtime key to get the percentage of requests to the + // mirror. + config.core.v3.RuntimeFractionalPercent runtime_fraction = 2; + + // Set this to TRUE to only mirror write commands, this is effectively replicating the + // writes in a "fire and forget" manner. + bool exclude_read_commands = 3; + } + + // ReadCommandPolicy specifies that Envoy should route read commands to another cluster. + message ReadCommandPolicy { + string cluster = 1 [(validate.rules).string = {min_len: 1}]; + } + + // String prefix that must match the beginning of the keys. Envoy will always favor the + // longest match. 
+ string prefix = 1 [(validate.rules).string = {max_bytes: 1000}]; + + // Indicates if the prefix needs to be removed from the key when forwarded. + bool remove_prefix = 2; + + // Upstream cluster to forward the command to. + string cluster = 3 [(validate.rules).string = {min_len: 1}]; + + // Indicates that the route has a request mirroring policy. + repeated RequestMirrorPolicy request_mirror_policy = 4; + + // Indicates how redis key should be formatted. To substitute redis key into the formatting + // expression, use %KEY% as a string replacement command. + string key_formatter = 5; + + // Indicates that the route has a read command policy + ReadCommandPolicy read_command_policy = 6; + } + + reserved 3; + + reserved "catch_all_cluster"; + + // List of prefix routes. + repeated Route routes = 1; + + // Indicates that prefix matching should be case insensitive. + bool case_insensitive = 2; + + // Optional catch-all route to forward commands that doesn't match any of the routes. The + // catch-all route becomes required when no routes are specified. + Route catch_all_route = 4; + } + + // RedisFault defines faults used for fault injection. + message RedisFault { + enum RedisFaultType { + // Delays requests. This is the base fault; other faults can have delays added. + DELAY = 0; + + // Returns errors on requests. + ERROR = 1; + } + + // Fault type. + RedisFaultType fault_type = 1 [(validate.rules).enum = {defined_only: true}]; + + // Percentage of requests fault applies to. + config.core.v3.RuntimeFractionalPercent fault_enabled = 2 + [(validate.rules).message = {required: true}]; + + // Delay for all faults. If not set, defaults to zero + google.protobuf.Duration delay = 3; + + // Commands fault is restricted to, if any. If not set, fault applies to all commands + // other than auth and ping (due to special handling of those commands in Envoy). 
+ repeated string commands = 4; + } + + // Configuration to limit reconnection rate to redis server to protect redis server + // from client reconnection storm. + message ConnectionRateLimit { + // Reconnection rate per sec. Rate limiting is implemented with TokenBucket. + uint32 connection_rate_limit_per_sec = 1 [(validate.rules).uint32 = {gt: 0}]; + } + + reserved 2; + + reserved "cluster"; + + // The prefix to use when emitting :ref:`statistics `. + string stat_prefix = 1 [(validate.rules).string = {min_len: 1}]; + + // Network settings for the connection pool to the upstream clusters. + ConnPoolSettings settings = 3 [(validate.rules).message = {required: true}]; + + // Indicates that latency stat should be computed in microseconds. By default it is computed in + // milliseconds. This does not apply to upstream command stats currently. + bool latency_in_micros = 4; + + // List of **unique** prefixes used to separate keys from different workloads to different + // clusters. Envoy will always favor the longest match first in case of overlap. A catch-all + // cluster can be used to forward commands when there is no match. Time complexity of the + // lookups are in O(min(longest key prefix, key length)). + // + // Example: + // + // .. code-block:: yaml + // + // prefix_routes: + // routes: + // - prefix: "ab" + // cluster: "cluster_a" + // - prefix: "abc" + // cluster: "cluster_b" + // + // When using the above routes, the following prefixes would be sent to: + // + // * ``get abc:users`` would retrieve the key 'abc:users' from cluster_b. + // * ``get ab:users`` would retrieve the key 'ab:users' from cluster_a. + // * ``get z:users`` would return a NoUpstreamHost error. A :ref:`catch-all + // route` + // would have retrieved the key from that cluster instead. + // + // See the :ref:`configuration section + // ` of the architecture overview for recommendations on + // configuring the backing clusters. 
+ PrefixRoutes prefix_routes = 5; + + // Authenticate Redis client connections locally by forcing downstream clients to issue a `Redis + // AUTH command `_ with this password before enabling any other + // command. If an AUTH command's password matches this password, an "OK" response will be returned + // to the client. If the AUTH command password does not match this password, then an "ERR invalid + // password" error will be returned. If any other command is received before AUTH when this + // password is set, then a "NOAUTH Authentication required." error response will be sent to the + // client. If an AUTH command is received when the password is not set, then an "ERR Client sent + // AUTH, but no password is set" error will be returned. + // + // .. attention:: + // This field is deprecated. Use :ref:`downstream_auth_passwords + // `. + config.core.v3.DataSource downstream_auth_password = 6 [ + deprecated = true, + (udpa.annotations.sensitive) = true, + (envoy.annotations.deprecated_at_minor_version) = "3.0" + ]; + + // Authenticate Redis client connections locally by forcing downstream clients to issue a `Redis + // AUTH command `_ with one of these passwords before enabling any other + // command. If an AUTH command's password matches one of these passwords, an "OK" response will be returned + // to the client. If the AUTH command password does not match, then an "ERR invalid + // password" error will be returned. If any other command is received before AUTH when the + // password(s) are set, then a "NOAUTH Authentication required." error response will be sent to the + // client. If an AUTH command is received when the password is not set, then an "ERR Client sent + // AUTH, but no password is set" error will be returned. + repeated config.core.v3.DataSource downstream_auth_passwords = 9 + [(udpa.annotations.sensitive) = true]; + + // List of faults to inject. Faults currently come in two flavors: + // - Delay, which delays a request. 
+ // - Error, which responds to a request with an error. Errors can also have delays attached. + // + // Example: + // + // .. code-block:: yaml + // + // faults: + // - fault_type: ERROR + // fault_enabled: + // default_value: + // numerator: 10 + // denominator: HUNDRED + // runtime_key: "bogus_key" + // commands: + // - GET + // - fault_type: DELAY + // fault_enabled: + // default_value: + // numerator: 10 + // denominator: HUNDRED + // runtime_key: "bogus_key" + // delay: 2s + // + // See the :ref:`fault injection section + // ` for more information on how to configure this. + repeated RedisFault faults = 8; + + // If a username is provided an ACL style AUTH command will be required with a username and password. + // Authenticate Redis client connections locally by forcing downstream clients to issue a `Redis + // AUTH command `_ with this username and the ``downstream_auth_password`` + // before enabling any other command. If an AUTH command's username and password matches this username + // and the ``downstream_auth_password`` , an "OK" response will be returned to the client. If the AUTH + // command username or password does not match this username or the ``downstream_auth_password``, then an + // "WRONGPASS invalid username-password pair" error will be returned. If any other command is received before AUTH when this + // password is set, then a "NOAUTH Authentication required." error response will be sent to the + // client. If an AUTH command is received when the password is not set, then an "ERR Client sent + // AUTH, but no ACL is set" error will be returned. + config.core.v3.DataSource downstream_auth_username = 7 [(udpa.annotations.sensitive) = true]; + + // External authentication configuration. If set, instead of validating username and password against ``downstream_auth_username`` and ``downstream_auth_password``, + // the filter will call an external gRPC service to authenticate the client. 
+ // A typical usage of this feature is for situations where the password is a one-time token that needs to be validated against a remote service, like a sidecar.
+ // Expiration is also supported, which will disable any further commands from the client after the expiration time, unless a new AUTH command is received and the external auth service returns a new expiration time.
+ // If the external auth service returns an error, authentication is considered failed.
+ // If this setting is set together with ``downstream_auth_username`` and ``downstream_auth_password``, the external auth service will be source of truth, but those fields will still be used for downstream authentication to the cluster.
+ // The API is defined by :ref:`RedisProxyExternalAuthRequest `.
+ RedisExternalAuthProvider external_auth_provider = 10;
+
+ // Optional configure redis custom commands for the proxy, eg -> ["my_custom_cmd1", "my_custom_cmd2"]
+ //
+ // .. note::
+ // The is to support redis's feature wherein new commands can be added using redis' modules api:
+ // https://redis.io/docs/latest/develop/reference/modules/
+ repeated string custom_commands = 11;
+}
+
+// RedisProtocolOptions specifies Redis upstream protocol options. This object is used in
+// :ref:`typed_extension_protocol_options`,
+// keyed by the name ``envoy.filters.network.redis_proxy``.
+message RedisProtocolOptions {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.network.redis_proxy.v2.RedisProtocolOptions";
+
+ message Credential {
+ // The address to which this username and password applies.
+ config.core.v3.Address address = 1;
+
+ // Upstream server password as defined by the ``requirepass`` directive
+ // ``_ in the server's configuration file.
+ config.core.v3.DataSource auth_password = 2 [(udpa.annotations.sensitive) = true];
+
+ // Upstream server username as defined by the ``user`` directive
+ // ``_ in the server's configuration file.
+ config.core.v3.DataSource auth_username = 3 [(udpa.annotations.sensitive) = true];
+ }
+
+ // Upstream server password as defined by the ``requirepass`` directive
+ // ``_ in the server's configuration file.
+ // If ``aws_iam`` is set, this field is ignored.
+ config.core.v3.DataSource auth_password = 1 [(udpa.annotations.sensitive) = true];
+
+ // Upstream server username as defined by the ``user`` directive
+ // ``_ in the server's configuration file.
+ // If ``aws_iam``` is set, this field will be used as the authenticating user for redis IAM authentication.
+ // See ``Create a new IAM-enabled user`` under `Setup `_ for more details.
+ config.core.v3.DataSource auth_username = 2 [(udpa.annotations.sensitive) = true];
+
+ // The cluster level configuration for AWS IAM authentication
+ AwsIam aws_iam = 3;
+
+ // If specified, these credentials are used when connecting to upstream endpoints. Which
+ // credential is used is determined by matching the resolved ``address`` field here with each
+ // endpoint's resolved ``address`` field. The first entry for a given ``address`` here takes precedence.
+ // If no entry in ``credentials`` matches, then the ``auth_password`` and ``auth_username`` fields
+ // are used as defaults.
+ repeated Credential credentials = 4;
+}
+
+// [#next-free-field: 6]
+message AwsIam {
+ // An AwsCredentialProvider, allowing the use of a specific credential provider chain or specific provider settings
+ common.aws.v3.AwsCredentialProvider credential_provider = 1;
+
+ // The name of the cache, used when generating the authentication token.
+ string cache_name = 2 [(validate.rules).string = {min_len: 1}];
+
+ // The optional service name to be used in AWS IAM authentication. If not provided, the service name will be set to ``elasticache``. For Amazon MemoryDB
+ // the service name should be set to ``memorydb``.
+ string service_name = 3;
+
+ // The optional AWS region that your cache is located in. If not provided, the region will be deduced using the region provider chain
+ // as described in :ref:`config_http_filters_aws_request_signing_region`.
+ string region = 4;
+
+ // Number of seconds before the IAM authentication token will expire. If not set, defaults to 60s (1 minute). Maximum of 900s (15 minutes)
+ // Expiration of the current authentication token will automatically trigger generation of a new token.
+ // As envoy will automatically continue to generate new tokens as required, there is no substantial benefit to using a long expiration value here.
+ google.protobuf.Duration expiration_time = 5 [(validate.rules).duration = {
+ lte {seconds: 900}
+ gte {}
+ }];
+}
+
+// RedisExternalAuthProvider specifies a gRPC service that can be used to authenticate Redis clients.
+// This service will be called every time an AUTH command is received from a client.
+// If the service returns an error, authentication is considered failed.
+// If the service returns a success, the client is considered authenticated.
+// The service can also return an expiration timestamp, which will be used to disable any further
+// commands from the client after it passes, unless a new AUTH command is received and the
+// external auth service returns a new expiration timestamp.
+message RedisExternalAuthProvider {
+ // External auth gRPC service configuration.
+ // It will be called every time an AUTH command is received from a client.
+ config.core.v3.GrpcService grpc_service = 1;
+
+ // If set to true, the filter will expect an expiration timestamp in the response from the external
+ // auth service. This timestamp will be used to disable any further commands from the client after
+ // the expiration time, unless a new AUTH command is received and the external auth service returns
+ // a new expiration timestamp.
+ bool enable_auth_expiration = 2;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/c866183a84e3031e4a37288a46498f7e38bb7b544267a8ccdcd7c4ba4e9f498aba720e36f94819ffa6d72fdf785aa4f7d16b3a5a4262a697634624976f92d793 b/modules/sync/envoyproxy/envoy/cas/c866183a84e3031e4a37288a46498f7e38bb7b544267a8ccdcd7c4ba4e9f498aba720e36f94819ffa6d72fdf785aa4f7d16b3a5a4262a697634624976f92d793
new file mode 100644
index 00000000..e2e4ade8
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/c866183a84e3031e4a37288a46498f7e38bb7b544267a8ccdcd7c4ba4e9f498aba720e36f94819ffa6d72fdf785aa4f7d16b3a5a4262a697634624976f92d793
@@ -0,0 +1,25 @@
+syntax = "proto3";
+
+package envoy.extensions.load_balancing_policies.wrr_locality.v3;
+
+import "envoy/config/cluster/v3/cluster.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.load_balancing_policies.wrr_locality.v3";
+option java_outer_classname = "WrrLocalityProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/wrr_locality/v3;wrr_localityv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Weighted Round Robin Locality-Picking Load Balancing Policy]
+// [#extension: envoy.load_balancing_policies.wrr_locality]
+
+// Configuration for the wrr_locality LB policy. See the :ref:`load balancing architecture overview
+// ` for more information.
+message WrrLocality {
+ // The child LB policy to create for endpoint-picking within the chosen locality.
+ config.cluster.v3.LoadBalancingPolicy endpoint_picking_policy = 1
+ [(validate.rules).message = {required: true}];
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/ce8ca31393368bbd835e656a59ab152cfb4adccc0aae45660c8faa6b27a26ea45bd38647acce9aa7fd5262919c20243a962cfc2e691ebcda0c631a03688fe76d b/modules/sync/envoyproxy/envoy/cas/ce8ca31393368bbd835e656a59ab152cfb4adccc0aae45660c8faa6b27a26ea45bd38647acce9aa7fd5262919c20243a962cfc2e691ebcda0c631a03688fe76d
new file mode 100644
index 00000000..9c44006b
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/ce8ca31393368bbd835e656a59ab152cfb4adccc0aae45660c8faa6b27a26ea45bd38647acce9aa7fd5262919c20243a962cfc2e691ebcda0c631a03688fe76d
@@ -0,0 +1,355 @@
+syntax = "proto3";
+
+package envoy.config.core.v3;
+
+import "envoy/config/core/v3/base.proto";
+
+import "google/protobuf/any.proto";
+import "google/protobuf/duration.proto";
+import "google/protobuf/empty.proto";
+import "google/protobuf/struct.proto";
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/sensitive.proto";
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.config.core.v3";
+option java_outer_classname = "GrpcServiceProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: gRPC services]
+
+// gRPC service configuration. This is used by :ref:`ApiConfigSource
+// ` and filter configurations.
+// [#next-free-field: 7]
+message GrpcService {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.GrpcService";
+
+ // [#next-free-field: 6]
+ message EnvoyGrpc {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.core.GrpcService.EnvoyGrpc";
+
+ // The name of the upstream gRPC cluster. SSL credentials will be supplied
+ // in the :ref:`Cluster ` :ref:`transport_socket
+ // `.
+ string cluster_name = 1 [(validate.rules).string = {min_len: 1}];
+
+ // The ``:authority`` header in the grpc request. If this field is not set, the authority header value will be ``cluster_name``.
+ // Note that this authority does not override the SNI. The SNI is provided by the transport socket of the cluster.
+ string authority = 2
+ [(validate.rules).string =
+ {min_len: 0 max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false}];
+
+ // Specifies the retry backoff policy for re-establishing long‑lived xDS gRPC streams.
+ //
+ // This field is optional. If ``retry_back_off.max_interval`` is not provided, it will be set to
+ // ten times the configured ``retry_back_off.base_interval``.
+ //
+ // .. note::
+ //
+ // This field is only honored for management‑plane xDS gRPC streams created from
+ // :ref:`ApiConfigSource ` that use
+ // ``envoy_grpc``. Data‑plane gRPC clients (for example external authorization or external
+ // processing filters) must use :ref:`GrpcService.retry_policy
+ // ` instead.
+ //
+ // If not set, xDS gRPC streams default to a base interval of 500ms and a maximum interval of 30s.
+ RetryPolicy retry_policy = 3;
+
+ // Maximum gRPC message size that is allowed to be received.
+ // If a message over this limit is received, the gRPC stream is terminated with the RESOURCE_EXHAUSTED error.
+ // This limit is applied to individual messages in the streaming response and not the total size of streaming response.
+ // Defaults to 0, which means unlimited.
+ google.protobuf.UInt32Value max_receive_message_length = 4;
+
+ // This provides gRPC client level control over envoy generated headers.
+ // If false, the header will be sent but it can be overridden by per stream option.
+ // If true, the header will be removed and can not be overridden by per stream option.
+ // Default to false.
+ bool skip_envoy_headers = 5;
+ }
+
+ // [#next-free-field: 11]
+ message GoogleGrpc {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.core.GrpcService.GoogleGrpc";
+
+ // See https://grpc.io/grpc/cpp/structgrpc_1_1_ssl_credentials_options.html.
+ message SslCredentials {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.core.GrpcService.GoogleGrpc.SslCredentials";
+
+ // PEM encoded server root certificates.
+ DataSource root_certs = 1;
+
+ // PEM encoded client private key.
+ DataSource private_key = 2 [(udpa.annotations.sensitive) = true];
+
+ // PEM encoded client certificate chain.
+ DataSource cert_chain = 3;
+ }
+
+ // Local channel credentials. Only UDS is supported for now.
+ // See https://github.com/grpc/grpc/pull/15909.
+ message GoogleLocalCredentials {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.core.GrpcService.GoogleGrpc.GoogleLocalCredentials";
+ }
+
+ // See https://grpc.io/docs/guides/auth.html#credential-types to understand Channel and Call
+ // credential types.
+ message ChannelCredentials {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.core.GrpcService.GoogleGrpc.ChannelCredentials";
+
+ oneof credential_specifier {
+ option (validate.required) = true;
+
+ SslCredentials ssl_credentials = 1;
+
+ // https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61
+ google.protobuf.Empty google_default = 2;
+
+ GoogleLocalCredentials local_credentials = 3;
+ }
+ }
+
+ // [#next-free-field: 8]
+ message CallCredentials {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials";
+
+ message ServiceAccountJWTAccessCredentials {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials."
+ "ServiceAccountJWTAccessCredentials";
+
+ string json_key = 1;
+
+ uint64 token_lifetime_seconds = 2;
+ }
+
+ message GoogleIAMCredentials {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials.GoogleIAMCredentials";
+
+ string authorization_token = 1;
+
+ string authority_selector = 2;
+ }
+
+ message MetadataCredentialsFromPlugin {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials."
+ "MetadataCredentialsFromPlugin";
+
+ reserved 2;
+
+ reserved "config";
+
+ string name = 1;
+
+ // [#extension-category: envoy.grpc_credentials]
+ oneof config_type {
+ google.protobuf.Any typed_config = 3;
+ }
+ }
+
+ // Security token service configuration that allows Google gRPC to
+ // fetch security token from an OAuth 2.0 authorization server.
+ // See https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 and
+ // https://github.com/grpc/grpc/pull/19587.
+ // [#next-free-field: 10]
+ message StsService {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials.StsService";
+
+ // URI of the token exchange service that handles token exchange requests.
+ // [#comment:TODO(asraa): Add URI validation when implemented. Tracked by
+ // https://github.com/bufbuild/protoc-gen-validate/issues/303]
+ string token_exchange_service_uri = 1;
+
+ // Location of the target service or resource where the client
+ // intends to use the requested security token.
+ string resource = 2;
+
+ // Logical name of the target service where the client intends to
+ // use the requested security token.
+ string audience = 3;
+
+ // The desired scope of the requested security token in the
+ // context of the service or resource where the token will be used.
+ string scope = 4;
+
+ // Type of the requested security token.
+ string requested_token_type = 5;
+
+ // The path of subject token, a security token that represents the
+ // identity of the party on behalf of whom the request is being made.
+ string subject_token_path = 6 [(validate.rules).string = {min_len: 1}];
+
+ // Type of the subject token.
+ string subject_token_type = 7 [(validate.rules).string = {min_len: 1}];
+
+ // The path of actor token, a security token that represents the identity
+ // of the acting party. The acting party is authorized to use the
+ // requested security token and act on behalf of the subject.
+ string actor_token_path = 8;
+
+ // Type of the actor token.
+ string actor_token_type = 9;
+ }
+
+ oneof credential_specifier {
+ option (validate.required) = true;
+
+ // Access token credentials.
+ // https://grpc.io/grpc/cpp/namespacegrpc.html#ad3a80da696ffdaea943f0f858d7a360d.
+ string access_token = 1;
+
+ // Google Compute Engine credentials.
+ // https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61
+ google.protobuf.Empty google_compute_engine = 2;
+
+ // Google refresh token credentials.
+ // https://grpc.io/grpc/cpp/namespacegrpc.html#a96901c997b91bc6513b08491e0dca37c.
+ string google_refresh_token = 3;
+
+ // Service Account JWT Access credentials.
+ // https://grpc.io/grpc/cpp/namespacegrpc.html#a92a9f959d6102461f66ee973d8e9d3aa.
+ ServiceAccountJWTAccessCredentials service_account_jwt_access = 4;
+
+ // Google IAM credentials.
+ // https://grpc.io/grpc/cpp/namespacegrpc.html#a9fc1fc101b41e680d47028166e76f9d0.
+ GoogleIAMCredentials google_iam = 5;
+
+ // Custom authenticator credentials.
+ // https://grpc.io/grpc/cpp/namespacegrpc.html#a823c6a4b19ffc71fb33e90154ee2ad07.
+ // https://grpc.io/docs/guides/auth.html#extending-grpc-to-support-other-authentication-mechanisms.
+ MetadataCredentialsFromPlugin from_plugin = 6;
+
+ // Custom security token service which implements OAuth 2.0 token exchange.
+ // https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16
+ // See https://github.com/grpc/grpc/pull/19587.
+ StsService sts_service = 7;
+ }
+ }
+
+ // Channel arguments.
+ message ChannelArgs {
+ message Value {
+ // Pointer values are not supported, since they don't make any sense when
+ // delivered via the API.
+ oneof value_specifier {
+ option (validate.required) = true;
+
+ string string_value = 1;
+
+ int64 int_value = 2;
+ }
+ }
+
+ // See grpc_types.h GRPC_ARG #defines for keys that work here.
+ map args = 1;
+ }
+
+ // The target URI when using the `Google C++ gRPC client
+ // `_.
+ string target_uri = 1 [(validate.rules).string = {min_len: 1}];
+
+ // The channel credentials to use. See `channel credentials
+ // `_.
+ // Ignored if ``channel_credentials_plugin`` is set.
+ ChannelCredentials channel_credentials = 2;
+
+ // A list of channel credentials plugins.
+ // The data plane will iterate over the list in order and stop at the first credential type
+ // that it supports. This provides a mechanism for starting to use new credential types that
+ // are not yet supported by all data planes.
+ // [#not-implemented-hide:]
+ repeated google.protobuf.Any channel_credentials_plugin = 9;
+
+ // The call credentials to use. See `channel credentials
+ // `_.
+ // Ignored if ``call_credentials_plugin`` is set.
+ repeated CallCredentials call_credentials = 3;
+
+ // A list of call credentials plugins. All supported plugins will be used.
+ // Unsupported plugin types will be ignored.
+ // [#not-implemented-hide:]
+ repeated google.protobuf.Any call_credentials_plugin = 10;
+
+ // The human readable prefix to use when emitting statistics for the gRPC
+ // service.
+ //
+ // .. csv-table::
+ // :header: Name, Type, Description
+ // :widths: 1, 1, 2
+ //
+ // streams_total, Counter, Total number of streams opened
+ // streams_closed_, Counter, Total streams closed with
+ string stat_prefix = 4 [(validate.rules).string = {min_len: 1}];
+
+ // The name of the Google gRPC credentials factory to use. This must have been registered with
+ // Envoy. If this is empty, a default credentials factory will be used that sets up channel
+ // credentials based on other configuration parameters.
+ string credentials_factory_name = 5;
+
+ // Additional configuration for site-specific customizations of the Google
+ // gRPC library.
+ google.protobuf.Struct config = 6;
+
+ // How many bytes each stream can buffer internally.
+ // If not set an implementation defined default is applied (1MiB).
+ google.protobuf.UInt32Value per_stream_buffer_limit_bytes = 7;
+
+ // Custom channels args.
+ ChannelArgs channel_args = 8;
+ }
+
+ reserved 4;
+
+ oneof target_specifier {
+ option (validate.required) = true;
+
+ // Envoy's in-built gRPC client.
+ // See the :ref:`gRPC services overview `
+ // documentation for discussion on gRPC client selection.
+ EnvoyGrpc envoy_grpc = 1;
+
+ // `Google C++ gRPC client `_
+ // See the :ref:`gRPC services overview `
+ // documentation for discussion on gRPC client selection.
+ GoogleGrpc google_grpc = 2;
+ }
+
+ // The timeout for the gRPC request. This is the timeout for a specific
+ // request.
+ google.protobuf.Duration timeout = 3;
+
+ // Additional metadata to include in streams initiated to the GrpcService. This can be used for
+ // scenarios in which additional ad hoc authorization headers (e.g. ``x-foo-bar: baz-key``) are to
+ // be injected. For more information, including details on header value syntax, see the
+ // documentation on :ref:`custom request headers
+ // `.
+ repeated HeaderValue initial_metadata = 5;
+
+ // Optional default retry policy for RPCs or streams initiated toward this gRPC service.
+ //
+ // If an async stream does not have a retry policy configured in its per‑stream options, this
+ // policy is used as the default.
+ //
+ // .. note::
+ //
+ // This field is only applied by Envoy gRPC (``envoy_grpc``) clients. Google gRPC
+ // (``google_grpc``) clients currently ignore this field.
+ //
+ // If not specified, no default retry policy is applied at the client level and retries only occur
+ // when explicitly configured in per‑stream options.
+ RetryPolicy retry_policy = 6;
+}
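Review bot: Several call-credential secrets in the GoogleGrpc.CallCredentials block are not marked sensitive, while `SslCredentials.private_key` in the same hunk is: `json_key` (ServiceAccountJWTAccessCredentials), `authorization_token` (GoogleIAMCredentials), and the `access_token` and `google_refresh_token` members of the `credential_specifier` oneof are plain `string` fields without `(udpa.annotations.sensitive) = true`. Without the annotation these bearer secrets are emitted verbatim wherever the configuration is dumped or logged, so each should read like `string json_key = 1 [(udpa.annotations.sensitive) = true];`. `udpa/annotations/sensitive.proto` is already imported at the top of the hunk, so no new import is needed. This file appears to be a content-addressed copy synced from the upstream Envoy API, so the change belongs in the upstream source rather than in this snapshot.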
diff --git a/modules/sync/envoyproxy/envoy/cas/cffb4b03c2cdaf87e95ae70b72ee7afa4952783c02b23cd850bc658223cf7b635a6ae46a4457fe5cc69daa957dbedc9f09477828b46cc0d40c4cc85c42414e80 b/modules/sync/envoyproxy/envoy/cas/cffb4b03c2cdaf87e95ae70b72ee7afa4952783c02b23cd850bc658223cf7b635a6ae46a4457fe5cc69daa957dbedc9f09477828b46cc0d40c4cc85c42414e80
new file mode 100644
index 00000000..5f929bcf
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/cffb4b03c2cdaf87e95ae70b72ee7afa4952783c02b23cd850bc658223cf7b635a6ae46a4457fe5cc69daa957dbedc9f09477828b46cc0d40c4cc85c42414e80
@@ -0,0 +1,126 @@
+syntax = "proto3";
+
+package envoy.data.tap.v3;
+
+import "envoy/data/tap/v3/common.proto";
+
+import "google/protobuf/timestamp.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+
+option java_package = "io.envoyproxy.envoy.data.tap.v3";
+option java_outer_classname = "TransportProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/data/tap/v3;tapv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Transport tap data]
+// Trace format for the tap transport socket extension. This dumps plain text read/write
+// sequences on a socket.
+
+// Event in a socket trace.
+// [#next-free-field: 7]
+message SocketEvent {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.data.tap.v2alpha.SocketEvent";
+
+ // Data read by Envoy from the transport socket.
+ message Read {
+ // TODO(htuch): Half-close for reads.
+
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.data.tap.v2alpha.SocketEvent.Read";
+
+ // Binary data read.
+ Body data = 1;
+ }
+
+ // Data written by Envoy to the transport socket.
+ message Write {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.data.tap.v2alpha.SocketEvent.Write";
+
+ // Binary data written.
+ Body data = 1;
+
+ // Stream was half closed after this write.
+ bool end_stream = 2;
+ }
+
+ // The connection was closed.
+ message Closed {
+ // TODO(mattklein123): Close event type.
+
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.data.tap.v2alpha.SocketEvent.Closed";
+ }
+
+ // Timestamp for event.
+ google.protobuf.Timestamp timestamp = 1;
+
+ // Read or write with content as bytes string.
+ oneof event_selector {
+ Read read = 2;
+
+ Write write = 3;
+
+ Closed closed = 4;
+ }
+
+ // Connection information per event
+ Connection connection = 5;
+
+ // Data sequence number
+ uint64 seq_num = 6;
+}
+
+// Sequence of read/write events that constitute a buffered trace on a socket.
+// [#next-free-field: 6]
+message SocketBufferedTrace {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.data.tap.v2alpha.SocketBufferedTrace";
+
+ // Trace ID unique to the originating Envoy only. Trace IDs can repeat and should not be used
+ // for long term stable uniqueness. Matches connection IDs used in Envoy logs.
+ uint64 trace_id = 1;
+
+ // Connection properties.
+ Connection connection = 2;
+
+ // Sequence of observed events.
+ repeated SocketEvent events = 3;
+
+ // Set to true if read events were truncated due to the :ref:`max_buffered_rx_bytes
+ // ` setting.
+ bool read_truncated = 4;
+
+ // Set to true if write events were truncated due to the :ref:`max_buffered_tx_bytes
+ // ` setting.
+ bool write_truncated = 5;
+}
+
+// A message for the sequence of observed events
+message SocketEvents {
+ repeated SocketEvent events = 1;
+}
+
+// A streamed socket trace segment. Multiple segments make up a full trace.
+message SocketStreamedTraceSegment {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.data.tap.v2alpha.SocketStreamedTraceSegment";
+
+ // Trace ID unique to the originating Envoy only. Trace IDs can repeat and should not be used
+ // for long term stable uniqueness. Matches connection IDs used in Envoy logs.
+ uint64 trace_id = 1;
+
+ oneof message_piece {
+ // Connection properties.
+ Connection connection = 2;
+
+ // Socket event.
+ SocketEvent event = 3;
+
+ // Sequence of observed events.
+ SocketEvents events = 4;
+ }
+}
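Review bot: `Read.data` and `Write.data` carry the raw bytes observed on the socket, and the file header says the format dumps plain text read/write sequences, but nothing on the field comments flags that such a capture may include credentials, session tokens or other sensitive payload. A comment on each `Body data = 1;` line such as `// May contain application secrets (credentials, tokens, PII) seen on the wire; treat tap sinks as sensitive data.` would make the handling requirement explicit for anyone routing tap output to storage or a log pipeline. This file appears to be a synced upstream copy, so the wording change belongs in the Envoy source.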
diff --git a/modules/sync/envoyproxy/envoy/cas/d24f80ec625ca4a34589ee26dc9092322920a57c5c68562f26c7a6438922039682f2dbc66d9e212c41657197446184f9acfd684ff12de00b492b04fd8a49e2e6 b/modules/sync/envoyproxy/envoy/cas/d24f80ec625ca4a34589ee26dc9092322920a57c5c68562f26c7a6438922039682f2dbc66d9e212c41657197446184f9acfd684ff12de00b492b04fd8a49e2e6
new file mode 100644
index 00000000..6b60a691
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/d24f80ec625ca4a34589ee26dc9092322920a57c5c68562f26c7a6438922039682f2dbc66d9e212c41657197446184f9acfd684ff12de00b492b04fd8a49e2e6
@@ -0,0 +1,32 @@
+syntax = "proto3";
+
+package envoy.extensions.access_loggers.filters.process_ratelimit.v3;
+
+import "envoy/config/core/v3/config_source.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.access_loggers.filters.process_ratelimit.v3";
+option java_outer_classname = "ProcessRatelimitProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/access_loggers/filters/process_ratelimit/v3;process_ratelimitv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: ProcessRateLimiter]
+// [#extension: envoy.access_loggers.extension_filters.process_ratelimit]
+
+// Filters for rate limiting the access log emission using global token buckets per process and shared across all listeners.
+message ProcessRateLimitFilter {
+ // The dynamic config for the token bucket.
+ DynamicTokenBucket dynamic_config = 1;
+}
+
+message DynamicTokenBucket {
+ // the key used to find the token bucket in the singleton map.
+ string resource_name = 1 [(validate.rules).string = {min_len: 1}];
+
+ // The configuration source for the :ref:`token_bucket `.
+ // It should stay the same through the process lifetime.
+ config.core.v3.ConfigSource config_source = 2 [(validate.rules).message = {required: true}];
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/d77cca717af1b36b3af64c7621f965ee6eb7288b95939fe5c280e564f38faf46bbcd539a0eb8f535314f9cd2900e2db4b599e94bafacabc6dc4adf0618f3e548 b/modules/sync/envoyproxy/envoy/cas/d77cca717af1b36b3af64c7621f965ee6eb7288b95939fe5c280e564f38faf46bbcd539a0eb8f535314f9cd2900e2db4b599e94bafacabc6dc4adf0618f3e548
new file mode 100644
index 00000000..c43160e5
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/d77cca717af1b36b3af64c7621f965ee6eb7288b95939fe5c280e564f38faf46bbcd539a0eb8f535314f9cd2900e2db4b599e94bafacabc6dc4adf0618f3e548
@@ -0,0 +1,18 @@
+syntax = "proto3";
+
+package envoy.extensions.quic.client_writer_factory.v3;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.quic.client_writer_factory.v3";
+option java_outer_classname = "DefaultClientWriterProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/quic/client_writer_factory/v3;client_writer_factoryv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Default QUIC Client Packet Writer]
+// [#extension: envoy.quic.packet_writer.default]
+
+// The default QUIC packet writer used for QUIC upstream connections which is platform independent.
+message DefaultClientWriter {
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/da3d8f11bc83acc05f23de19e6eb9192dc8c0a438d35b3fdfd0a96eccc0e50fa5a0854b023ada3335d3ad65ecbbb3d4b9130cf8c7827880a339beb089451b51f b/modules/sync/envoyproxy/envoy/cas/da3d8f11bc83acc05f23de19e6eb9192dc8c0a438d35b3fdfd0a96eccc0e50fa5a0854b023ada3335d3ad65ecbbb3d4b9130cf8c7827880a339beb089451b51f
new file mode 100644
index 00000000..24b44b08
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/da3d8f11bc83acc05f23de19e6eb9192dc8c0a438d35b3fdfd0a96eccc0e50fa5a0854b023ada3335d3ad65ecbbb3d4b9130cf8c7827880a339beb089451b51f
@@ -0,0 +1,80 @@
+syntax = "proto3";
+
+package envoy.config.metrics.v3;
+
+import "envoy/config/core/v3/config_source.proto";
+import "envoy/config/core/v3/grpc_service.proto";
+
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.config.metrics.v3";
+option java_outer_classname = "MetricsServiceProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/metrics/v3;metricsv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Metrics service]
+
+// HistogramEmitMode is used to configure which metric types should be emitted for histograms.
+enum HistogramEmitMode {
+ // Emit Histogram and Summary metric types.
+ SUMMARY_AND_HISTOGRAM = 0;
+
+ // Emit only Summary metric types.
+ SUMMARY = 1;
+
+ // Emit only Histogram metric types.
+ HISTOGRAM = 2;
+}
+
+// Metrics Service is configured as a built-in ``envoy.stat_sinks.metrics_service`` :ref:`StatsSink
+// `. This opaque configuration will be used to create
+// Metrics Service.
+//
+// Example:
+//
+// .. code-block:: yaml
+//
+// stats_sinks:
+// - name: envoy.stat_sinks.metrics_service
+// typed_config:
+// "@type": type.googleapis.com/envoy.config.metrics.v3.MetricsServiceConfig
+//
+// [#extension: envoy.stat_sinks.metrics_service]
+// [#next-free-field: 7]
+message MetricsServiceConfig {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.metrics.v2.MetricsServiceConfig";
+
+ // The upstream gRPC cluster that hosts the metrics service.
+ core.v3.GrpcService grpc_service = 1 [(validate.rules).message = {required: true}];
+
+ // API version for metric service transport protocol. This describes the metric service gRPC
+ // endpoint and version of messages used on the wire.
+ core.v3.ApiVersion transport_api_version = 3 [(validate.rules).enum = {defined_only: true}];
+
+ // If true, counters are reported as the delta between flushing intervals. Otherwise, the current
+ // counter value is reported. Defaults to false.
+ // Eventually (https://github.com/envoyproxy/envoy/issues/10968) if this value is not set, the
+ // sink will take updates from the :ref:`MetricsResponse `.
+ google.protobuf.BoolValue report_counters_as_deltas = 2;
+
+ // If true, metrics will have their tags emitted as labels on the metrics objects sent to the MetricsService,
+ // and the tag extracted name will be used instead of the full name, which may contain values used by the tag
+ // extractor or additional tags added during stats creation.
+ bool emit_tags_as_labels = 4;
+
+ // Specify which metrics types to emit for histograms. Defaults to SUMMARY_AND_HISTOGRAM.
+ HistogramEmitMode histogram_emit_mode = 5 [(validate.rules).enum = {defined_only: true}];
+
+ // The maximum number of metrics to send in a single gRPC message. If not set or set to 0,
+ // all metrics will be sent in a single message (current behavior). When set to a positive value,
+ // metrics will be batched into multiple messages, with each message containing at most batch_size
+ // metric families. This helps avoid hitting gRPC message size limits (typically 4MB) when sending
+ // large numbers of metrics.
+ uint32 batch_size = 6 [(validate.rules).uint32 = {gte: 0}];
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/db215158abc795f16af911490b416d119eccc3ec6d16fe9d6a094f76db6ea54c007d28d77ae1b70529f7ba12ea94df50f80c49bfdcdd5267e9de43bda3b58b47 b/modules/sync/envoyproxy/envoy/cas/db215158abc795f16af911490b416d119eccc3ec6d16fe9d6a094f76db6ea54c007d28d77ae1b70529f7ba12ea94df50f80c49bfdcdd5267e9de43bda3b58b47
new file mode 100644
index 00000000..f2a4eca7
--- /dev/null
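Review bot: The validation rule on `batch_size` is vacuous: `uint32 batch_size = 6 [(validate.rules).uint32 = {gte: 0}];` can never fail for an unsigned field, so it only reads as if an invariant were being enforced. Either drop the rule (`uint32 batch_size = 6;`) or, if a real bound was intended, state that bound instead. The field comment could also say what happens when a single batch still exceeds the receiver's message size limit, since the text only says batching "helps avoid" it. This file appears to be a synced upstream copy, so the fix belongs in the Envoy source.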
+++ b/modules/sync/envoyproxy/envoy/cas/db215158abc795f16af911490b416d119eccc3ec6d16fe9d6a094f76db6ea54c007d28d77ae1b70529f7ba12ea94df50f80c49bfdcdd5267e9de43bda3b58b47 
@@ -0,0 +1,73 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.listener.dynamic_modules.v3;
+
+import "envoy/extensions/dynamic_modules/v3/dynamic_modules.proto";
+
+import "google/protobuf/any.proto";
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.listener.dynamic_modules.v3";
+option java_outer_classname = "DynamicModulesProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/dynamic_modules/v3;dynamic_modulesv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Listener filter for dynamic modules]
+// [#extension: envoy.filters.listener.dynamic_modules]
+
+// Configuration of the listener filter for dynamic modules. This filter allows loading shared object
+// files that can be loaded via dlopen by the listener filter.
+//
+// A module can be loaded by multiple listener filters, hence the program can be structured in a way
+// that the module is loaded only once and shared across multiple filters providing multiple
+// functionalities.
+//
+// Unlike network filters which operate on established TCP connections, listener filters
+// work with raw accepted sockets BEFORE a Connection object is created. The filter can:
+//
+// * Inspect initial bytes to detect protocols (TLS, HTTP, PostgreSQL, etc.).
+// * Set socket properties (SNI, ALPN, transport protocol, fingerprints).
+// * Modify connection addresses (original destination restoration).
+// * Set dynamic metadata and filter state for downstream filters.
+// * Rate limit incoming connections.
+//
+message DynamicModuleListenerFilter {
+ // Specifies the shared-object level configuration.
+ envoy.extensions.dynamic_modules.v3.DynamicModuleConfig dynamic_module_config = 1;
+
+ // The name for this filter configuration.
This can be used to distinguish between different
+ // filter implementations inside a dynamic module. For example, a module can have completely
+ // different filter implementations (TLS inspector, rate limiter, proxy protocol parser).
+ // When Envoy receives this configuration, it passes the ``filter_name`` to the dynamic module's
+ // listener filter config init function together with the ``filter_config``. That way a module
+ // can decide which in-module filter implementation to use based on the name at load time.
+ string filter_name = 2;
+
+ // The configuration for the filter chosen by ``filter_name``. This is passed to the module's
+ // listener filter initialization function. Together with the ``filter_name``, the module can
+ // decide which in-module filter implementation to use and fine-tune the behavior of the filter.
+ //
+ // For example, if a module has two filter implementations, one for TLS inspection and one for
+ // rate limiting, ``filter_name`` is used to choose either TLS or rate limiting. The ``filter_config``
+ // can be used to configure the TLS inspection options or the rate limiting parameters.
+ //
+ // ``google.protobuf.Struct`` is serialized as JSON before passing it to the module.
+ // ``google.protobuf.BytesValue`` and ``google.protobuf.StringValue`` are passed directly
+ // without the wrapper.
+ //
+ // .. code-block:: yaml
+ //
+ // # Passing a string value
+ // filter_config:
+ // "@type": "type.googleapis.com/google.protobuf.StringValue"
+ // value: hello
+ //
+ // # Passing raw bytes
+ // filter_config:
+ // "@type": "type.googleapis.com/google.protobuf.BytesValue"
+ // value: aGVsbG8= # echo -n "hello" | base64
+ //
+ google.protobuf.Any filter_config = 3;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/dc63fcce9d1ed50b4322387791cddf8c021412eb8dc5cb27e63eaa51cb5aa48ccd055477b338e95e007371d79d994f3839140015015bbd8ace57ea993261494f b/modules/sync/envoyproxy/envoy/cas/dc63fcce9d1ed50b4322387791cddf8c021412eb8dc5cb27e63eaa51cb5aa48ccd055477b338e95e007371d79d994f3839140015015bbd8ace57ea993261494f
new file mode 100644
index 00000000..7da658bc
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/dc63fcce9d1ed50b4322387791cddf8c021412eb8dc5cb27e63eaa51cb5aa48ccd055477b338e95e007371d79d994f3839140015015bbd8ace57ea993261494f
@@ -0,0 +1,143 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.router.v3;
+
+import "envoy/config/accesslog/v3/accesslog.proto";
+import "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto";
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/wrappers.proto";
+
+import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.router.v3";
+option java_outer_classname = "RouterProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/router/v3;routerv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Router]
+// Router :ref:`configuration overview `.
+// [#extension: envoy.filters.http.router]
+
+// [#next-free-field: 11]
+message Router {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.http.router.v2.Router";
+
+ message UpstreamAccessLogOptions {
+ // If set to true, an upstream access log will be recorded when an upstream stream is
+ // associated to an http request. Note: Each HTTP request received for an already established
+ // connection will result in an upstream access log record. This includes, for example,
+ // consecutive HTTP requests over the same connection or a request that is retried.
+ // In case a retry is applied, an upstream access log will be recorded for each retry.
+ bool flush_upstream_log_on_upstream_stream = 1;
+
+ // The interval to flush the upstream access logs. By default, the router will flush an upstream
+ // access log on stream close, when the HTTP request is complete. If this field is set, the router
+ // will flush access logs periodically at the specified interval.
This is especially useful in the
+ // case of long-lived requests, such as CONNECT and Websockets.
+ // The interval must be at least 1 millisecond.
+ google.protobuf.Duration upstream_log_flush_interval = 2
+ [(validate.rules).duration = {gte {nanos: 1000000}}];
+ }
+
+ // Whether the router generates dynamic cluster statistics. Defaults to
+ // true. Can be disabled in high performance scenarios.
+ google.protobuf.BoolValue dynamic_stats = 1;
+
+ // Whether to start a child span for egress routed calls. This can be
+ // useful in scenarios where other filters (auth, ratelimit, etc.) make
+ // outbound calls and have child spans rooted at the same ingress
+ // parent. Defaults to false.
+ //
+ // .. attention::
+ // This field is deprecated by the
+ // :ref:`spawn_upstream_span `.
+ // Please use that ``spawn_upstream_span`` field to control the span creation.
+ bool start_child_span = 2
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // Configuration for HTTP upstream logs emitted by the router. Upstream logs
+ // are configured in the same way as access logs, but each log entry represents
+ // an upstream request. Presuming retries are configured, multiple upstream
+ // requests may be made for each downstream (inbound) request.
+ repeated config.accesslog.v3.AccessLog upstream_log = 3;
+
+ // Additional upstream access log options.
+ UpstreamAccessLogOptions upstream_log_options = 9;
+
+ // Do not add any additional ``x-envoy-`` headers to requests or responses. This
+ // only affects the :ref:`router filter generated x-envoy- headers
+ // `, other Envoy filters and the HTTP
+ // connection manager may continue to set ``x-envoy-`` headers.
+ bool suppress_envoy_headers = 4;
+
+ // Specifies a list of HTTP headers to strictly validate. Envoy will reject a
+ // request and respond with HTTP status 400 if the request contains an invalid
+ // value for any of the headers listed in this field.
Strict header checking
+ // is only supported for the following headers:
+ //
+ // Value must be a ','-delimited list (i.e. no spaces) of supported retry
+ // policy values:
+ //
+ // * :ref:`config_http_filters_router_x-envoy-retry-grpc-on`
+ // * :ref:`config_http_filters_router_x-envoy-retry-on`
+ //
+ // Value must be an integer:
+ //
+ // * :ref:`config_http_filters_router_x-envoy-max-retries`
+ // * :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms`
+ // * :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms`
+ repeated string strict_check_headers = 5 [(validate.rules).repeated = {
+ items {
+ string {
+ in: "x-envoy-upstream-rq-timeout-ms"
+ in: "x-envoy-upstream-rq-per-try-timeout-ms"
+ in: "x-envoy-max-retries"
+ in: "x-envoy-retry-grpc-on"
+ in: "x-envoy-retry-on"
+ }
+ }
+ }];
+
+ // If not set, ingress Envoy will ignore
+ // :ref:`config_http_filters_router_x-envoy-expected-rq-timeout-ms` header, populated by egress
+ // Envoy, when deriving timeout for upstream cluster.
+ bool respect_expected_rq_timeout = 6;
+
+ // If set, Envoy will avoid incrementing HTTP failure code stats
+ // on gRPC requests. This includes the individual status code value
+ // (e.g. upstream_rq_504) and group stats (e.g. upstream_rq_5xx).
+ // This field is useful if interested in relying only on the gRPC
+ // stats filter to define success and failure metrics for gRPC requests
+ // as not all failed gRPC requests charge HTTP status code metrics. See
+ // :ref:`gRPC stats filter` documentation
+ // for more details.
+ bool suppress_grpc_request_failure_code_stats = 7;
+
+ // Optional HTTP filters for the upstream HTTP filter chain.
+ //
+ // .. note::
+ // Upstream HTTP filters are currently in alpha.
+ //
+ // These filters will be applied for all requests that pass through the router.
+ // They will also be applied to shadowed requests.
+ // Upstream HTTP filters cannot change route or cluster.
+ // Upstream HTTP filters specified on the cluster will override these filters.
+ //
+ // If using upstream HTTP filters, please be aware that local errors sent by
+ // upstream HTTP filters will not trigger retries, and local errors sent by
+ // upstream HTTP filters will count as a final response if hedging is configured.
+ // [#extension-category: envoy.filters.http.upstream]
+ repeated network.http_connection_manager.v3.HttpFilter upstream_http_filters = 8;
+
+ // If set to true, Envoy will reject ``CONNECT`` requests that send data before
+ // receiving a ``200`` response from the upstream. This early data behavior
+ // is common for latency reduction but can cause issues with some upstreams.
+ // Defaults to false to allow early data and be compatible with common behavior.
+ google.protobuf.BoolValue reject_connect_request_early_data = 10;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/e1ef5c6288164e96ad75f885a9de2fe652bbbdfdd8a7f007ebee1983286e2b9efdd7028b76c68ba529d2783956b5e79730a868ace2c4c115c1e7107f9fefa993 b/modules/sync/envoyproxy/envoy/cas/e1ef5c6288164e96ad75f885a9de2fe652bbbdfdd8a7f007ebee1983286e2b9efdd7028b76c68ba529d2783956b5e79730a868ace2c4c115c1e7107f9fefa993
new file mode 100644
index 00000000..72994c07
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/e1ef5c6288164e96ad75f885a9de2fe652bbbdfdd8a7f007ebee1983286e2b9efdd7028b76c68ba529d2783956b5e79730a868ace2c4c115c1e7107f9fefa993
@@ -0,0 +1,38 @@
+syntax = "proto3";
+
+package envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3";
+option java_outer_classname = "DownstreamReverseConnectionSocketInterfaceProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3;downstream_socket_interfacev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Bootstrap settings for downstream reverse connection socket interface]
+// [#extension: envoy.bootstrap.reverse_tunnel.downstream_socket_interface]
+
+// Configuration for the downstream reverse connection socket interface.
+// This interface initiates reverse connections to upstream Envoys and provides
+// them as socket connections for downstream requests.
+message DownstreamReverseConnectionSocketInterface {
+ // HTTP handshake settings for initiator envoy initiated reverse tunnels.
+ message HttpHandshakeConfig {
+ // Request path used when issuing the HTTP reverse-connection handshake. Defaults to
+ // "/reverse_connections/request".
+ string request_path = 1;
+ }
+
+ // Stat prefix to be used for downstream reverse connection socket interface stats.
+ string stat_prefix = 1;
+
+ // Enable detailed per-host and per-cluster statistics.
+ // When enabled, emits hidden statistics for individual hosts and clusters.
+ // Defaults to ``false``.
+ bool enable_detailed_stats = 2;
+
+ // Optional HTTP handshake configuration. When unset, the initiator envoy uses the defaults
+ // provided by ``HttpHandshakeConfig``.
+ HttpHandshakeConfig http_handshake = 3;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/ec87b6ead92bdf9a5dc242a21f782d7a0f82a292522cbe59b802292b21e03f891b40218ed283b5a5c7c6d5f8196f00e8e3685cf49677ccd616077b68a956180e b/modules/sync/envoyproxy/envoy/cas/ec87b6ead92bdf9a5dc242a21f782d7a0f82a292522cbe59b802292b21e03f891b40218ed283b5a5c7c6d5f8196f00e8e3685cf49677ccd616077b68a956180e
new file mode 100644
index 00000000..64678be2
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/ec87b6ead92bdf9a5dc242a21f782d7a0f82a292522cbe59b802292b21e03f891b40218ed283b5a5c7c6d5f8196f00e8e3685cf49677ccd616077b68a956180e
@@ -0,0 +1,146 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.aws_request_signing.v3;
+
+import "envoy/extensions/common/aws/v3/credential_provider.proto";
+import "envoy/type/matcher/v3/string.proto";
+
+import "google/protobuf/duration.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.aws_request_signing.v3";
+option java_outer_classname = "AwsRequestSigningProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/aws_request_signing/v3;aws_request_signingv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: AwsRequestSigning]
+// AwsRequestSigning :ref:`configuration overview `.
+// [#extension: envoy.filters.http.aws_request_signing]
+
+// Top level configuration for the AWS request signing filter.
+// [#next-free-field: 10]
+message AwsRequestSigning {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.http.aws_request_signing.v2alpha.AwsRequestSigning";
+
+ enum SigningAlgorithm {
+ // Use SigV4 for signing
+ AWS_SIGV4 = 0;
+
+ // Use SigV4A for signing
+ AWS_SIGV4A = 1;
+ }
+
+ message QueryString {
+ // Optional expiration time for the query string parameters. As query string parameter based requests are replayable, in effect representing
+ // an API call that has already been authenticated, it is recommended to keep this expiration time as short as feasible.
+ // This value will default to 5 seconds and has a maximum value of 3600 seconds (1 hour).
+ google.protobuf.Duration expiration_time = 1 [(validate.rules).duration = {
+ lte {seconds: 3600}
+ gte {seconds: 1}
+ }];
+ }
+
+ // The `service namespace
+ // `_
+ // of the HTTP endpoint.
+ //
+ // Example: s3
+ string service_name = 1 [(validate.rules).string = {min_len: 1}];
+
+ // Optional region string. If region is not provided, the region will be retrieved from the environment
+ // or AWS configuration files. See :ref:`config_http_filters_aws_request_signing_region` for more details.
+ //
+ // When signing_algorithm is set to ``AWS_SIGV4`` the region is a standard AWS `region `_ string for the service
+ // hosting the HTTP endpoint.
+ //
+ // Example: ``us-west-2``
+ //
+ // When signing_algorithm is set to ``AWS_SIGV4A`` the region is used as a region set.
+ //
+ // A region set is a comma separated list of AWS regions, such as ``us-east-1,us-east-2`` or wildcard ``*``
+ // or even region strings containing wildcards such as ``us-east-*``
+ //
+ // Example: ``'*'``
+ //
+ // By configuring a region set, a SigV4A signed request can be sent to multiple regions, rather than being
+ // valid for only a single region destination.
+ string region = 2;
+
+ // Indicates that before signing headers, the host header will be swapped with
+ // this value. If not set or empty, the original host header value
+ // will be used and no rewrite will happen.
+ //
+ // .. note::
+ // This rewrite affects both signing and host header forwarding. However, this
+ // option shouldn't be used with
+ // :ref:`HCM host rewrite ` given that the
+ // value set here would be used for signing whereas the value set in the HCM would be used
+ // for host header forwarding which is not the desired outcome.
+ string host_rewrite = 3;
+
+ // Instead of buffering the request to calculate the payload hash, use the literal string ``UNSIGNED-PAYLOAD``
+ // to calculate the payload hash. Not all services support this option. See the `S3
+ // `_ policy for details.
+ bool use_unsigned_payload = 4;
+
+ // A list of request header string matchers that will be excluded from signing. The excluded header can be matched by
+ // any patterns defined in the StringMatcher proto (e.g.
exact string, prefix, regex, etc).
+ //
+ // Example:
+ //
+ // .. code-block:: yaml
+ //
+ // match_excluded_headers:
+ // - prefix: x-envoy
+ // - exact: foo
+ // - exact: bar
+ //
+ // When applied, all headers that start with ``x-envoy`` and headers ``foo`` and ``bar`` will not be signed.
+ repeated type.matcher.v3.StringMatcher match_excluded_headers = 5;
+
+ // Optional Signing algorithm specifier, either ``AWS_SIGV4`` or ``AWS_SIGV4A``, defaulting to ``AWS_SIGV4``.
+ SigningAlgorithm signing_algorithm = 6;
+
+ // If set, use the query string to store output of SigV4 or SigV4A calculation, rather than HTTP headers. The ``Authorization`` header will not be modified if ``query_string``
+ // is configured.
+ //
+ // Example:
+ // query_string: {}
+ //
+ QueryString query_string = 7;
+
+ // The credential provider for signing the request. This is optional and if not set,
+ // it will be retrieved using the procedure described in :ref:`config_http_filters_aws_request_signing`.
+ common.aws.v3.AwsCredentialProvider credential_provider = 8;
+
+ // A list of request header string matchers that will be included during signing. The included header can be matched by
+ // any patterns defined in the StringMatcher proto (e.g. exact string, prefix, regex, etc).
+ // match_included_headers takes precedence over match_excluded_headers - if match_included_headers is set, only those headers will be signed and match_excluded_headers will be ignored.
+ // Required headers for signing such as ``host`` will always be signed regardless of this setting. The required headers are determined via ``CanonicalHeaders`` section in the AWS documentation `here `_.
+ //
+ // Example:
+ //
+ // .. code-block:: yaml
+ //
+ // match_included_headers:
+ // - prefix: x-envoy
+ // - exact: foo
+ // - exact: bar
+ //
+ // When applied, all headers that start with ``x-envoy`` and headers ``foo`` and ``bar`` will be signed and all other headers will be excluded from signing except required headers.
+ repeated type.matcher.v3.StringMatcher match_included_headers = 9;
+}
+
+message AwsRequestSigningPerRoute {
+ // Override the global configuration of the filter with this new config.
+ // This overrides the entire message of AwsRequestSigning and not at field level.
+ AwsRequestSigning aws_request_signing = 1;
+
+ // The human readable prefix to use when emitting stats.
+ string stat_prefix = 2 [(validate.rules).string = {min_len: 1}];
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/f0a4d81196f500745a531f588d89c7622fe7d394cb4b967d4a12de27a8b9b9cbc84bfd0ba97446abf7d556c15a5071830c1599a7fe37028e9b5149c85afd7cce b/modules/sync/envoyproxy/envoy/cas/f0a4d81196f500745a531f588d89c7622fe7d394cb4b967d4a12de27a8b9b9cbc84bfd0ba97446abf7d556c15a5071830c1599a7fe37028e9b5149c85afd7cce
new file mode 100644
index 00000000..d05d073d
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/f0a4d81196f500745a531f588d89c7622fe7d394cb4b967d4a12de27a8b9b9cbc84bfd0ba97446abf7d556c15a5071830c1599a7fe37028e9b5149c85afd7cce
@@ -0,0 +1,116 @@
+syntax = "proto3";
+
+package envoy.extensions.network.dns_resolver.cares.v3;
+
+import "envoy/config/core/v3/address.proto";
+import "envoy/config/core/v3/resolver.proto";
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.network.dns_resolver.cares.v3";
+option java_outer_classname = "CaresDnsResolverProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/network/dns_resolver/cares/v3;caresv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: c-ares DNS resolver]
+// [#extension: envoy.network.dns_resolver.cares]
+
+// Configuration for c-ares DNS resolver.
+// [#next-free-field: 12]
+message CaresDnsResolverConfig {
+ // A list of DNS resolver addresses.
+ // :ref:`use_resolvers_as_fallback `
+ // below dictates if the DNS client should override system defaults or only use the provided
+ // resolvers if the system defaults are not available, i.e., as a fallback.
+ repeated config.core.v3.Address resolvers = 1;
+
+ // If true use the resolvers listed in the
+ // :ref:`resolvers `
+ // field only if c-ares is unable to obtain a
+ // nameserver from the system (e.g., ``/etc/resolv.conf``).
+ // Otherwise, the resolvers listed in the resolvers list will override the default system
+ // resolvers. Defaults to false.
+ bool use_resolvers_as_fallback = 3;
+
+ // The resolver will query available network interfaces and determine if there are no available
+ // interfaces for a given IP family. It will then filter these addresses from the results it
+ // presents. e.g., if there are no available IPv4 network interfaces, the resolver will not
+ // provide IPv4 addresses.
+ bool filter_unroutable_families = 4;
+
+ // Configuration of DNS resolver option flags which control the behavior of the DNS resolver.
+ config.core.v3.DnsResolverOptions dns_resolver_options = 2;
+
+ // This option allows the number of UDP based DNS queries to be capped.
+ //
+ // .. note::
+ // This is only applicable to c-ares DNS resolver currently.
+ //
+ google.protobuf.UInt32Value udp_max_queries = 5;
+
+ // The number of seconds each name server is given to respond to a query on the first try of any given server.
+ //
+ // .. note::
+ // While the c-ares library defaults to 2 seconds, Envoy's default (if this field is unset) is 5 seconds.
+ // This adjustment was made to maintain the previous behavior after users reported an increase in DNS resolution times.
+ //
+ google.protobuf.UInt64Value query_timeout_seconds = 6 [(validate.rules).uint64 = {gte: 1}];
+
+ // The maximum number of query attempts the resolver will make before giving up.
+ // Each attempt may use a different name server.
+ //
+ // .. note::
+ // While the c-ares library defaults to 3 attempts, Envoy's default (if this field is unset) is 4 attempts.
+ // This adjustment was made to maintain the previous behavior after users reported an increase in DNS resolution times.
+ //
+ google.protobuf.UInt32Value query_tries = 7 [(validate.rules).uint32 = {gte: 1}];
+
+ // Enable round-robin selection of name servers for DNS resolution. When enabled, the resolver will cycle through the
+ // list of name servers for each resolution request. This can help distribute the query load across multiple name
+ // servers. If disabled (default), the resolver will try name servers in the order they are configured.
+ //
+ // .. note::
+ // This setting overrides any system configuration for name server rotation.
+ //
+ bool rotate_nameservers = 8;
+
+ // Maximum EDNS0 UDP payload size in bytes.
+ // If set, c-ares will include EDNS0 in DNS queries and use this value as the maximum UDP response size.
+ //
+ // Recommended values:
+ //
+ // * **1232**: Safe default (avoids fragmentation).
+ // * **4096**: Maximum allowed.
+ //
+ // If unset, c-ares uses its internal default (usually 1232).
+ google.protobuf.UInt32Value edns0_max_payload_size = 9
+ [(validate.rules).uint32 = {lte: 4096 gte: 512}];
+
+ // The maximum duration for which a UDP channel will be kept alive before being refreshed.
+ //
+ // If set, the DNS resolver will periodically reinitialize its c-ares channel after the
+ // specified duration. This can help with avoiding stale socket states, and providing
+ // better load distribution across UDP ports.
+ //
+ // If not specified, no periodic refresh will be performed.
+ google.protobuf.Duration max_udp_channel_duration = 10 [(validate.rules).duration = {gte {}}];
+
+ // If true, reinitialize the c-ares channel when a DNS query fails with ``ARES_ETIMEOUT``.
+ //
+ // This can help recover from rare cases where the UDP sockets held by the c-ares
+ // channel become unusable after timeouts, causing subsequent queries to fail or
+ // Envoy to keep serving stale DNS results. When enabled, a timeout-triggered
+ // reinitialization attempts to restore healthy state quickly. In environments
+ // where timeouts are caused by intermittent network issues, enabling this may
+ // increase channel churn; consider using
+ // :ref:`max_udp_channel_duration `
+ // for periodic refresh instead.
+ //
+ // Default is false.
+ bool reinit_channel_on_timeout = 11;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/f1ce76dc162b62f57898c3f089e2afdd5c6543e14fed6ad02a2ebbc220d55f53378ee6e19f05eb1a2cb4c5b6836ebcd125d3abbc26012190cf544c9ce97717ce b/modules/sync/envoyproxy/envoy/cas/f1ce76dc162b62f57898c3f089e2afdd5c6543e14fed6ad02a2ebbc220d55f53378ee6e19f05eb1a2cb4c5b6836ebcd125d3abbc26012190cf544c9ce97717ce
new file mode 100644
index 00000000..77035447
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/f1ce76dc162b62f57898c3f089e2afdd5c6543e14fed6ad02a2ebbc220d55f53378ee6e19f05eb1a2cb4c5b6836ebcd125d3abbc26012190cf544c9ce97717ce 
@@ -0,0 +1,71 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.geoip.v3;
+
+import "envoy/config/core/v3/extension.proto";
+
+import "xds/annotations/v3/status.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.geoip.v3";
+option java_outer_classname = "GeoipProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/geoip/v3;geoipv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+option (xds.annotations.v3.file_status).work_in_progress = true;
+
+// [#protodoc-title: Geoip]
+// Geoip :ref:`configuration overview `.
+// [#extension: envoy.filters.http.geoip]
+
+message Geoip {
+ message XffConfig {
+ // The number of additional ingress proxy hops from the right side of the
+ // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header to trust when
+ // determining the origin client's IP address. See the documentation for
+ // :ref:`config_http_conn_man_headers_x-forwarded-for` for more information.
+ //
+ // Defaults to ``0``.
+ uint32 xff_num_trusted_hops = 1;
+ }
+
+ message CustomHeaderConfig {
+ // The name of the request header to extract the client IP address from.
+ // The header value must contain a valid IP address (IPv4 or IPv6).
+ //
+ // If the header is missing or contains an invalid IP address, the filter will fall back
+ // to using the immediate downstream connection source address.
+ string header_name = 1 [(validate.rules).string = {min_len: 1}];
+ }
+
+ // Configuration for extracting the client IP address from the
+ // ``x-forwarded-for`` header. If set, the
+ // :ref:`xff_num_trusted_hops `
+ // field will be used to determine the trusted client address from the ``x-forwarded-for`` header.
+ // If not set, the immediate downstream connection source address will be used.
+ //
+ // Only one of ``xff_config`` or
+ // :ref:`custom_header_config `
+ // can be set.
+ XffConfig xff_config = 1;
+
+ // Configuration for extracting the client IP address from a custom request header.
+ //
+ // If set, the
+ // :ref:`header_name `
+ // field will be used to extract the client IP address from the specified request header.
+ //
+ // Only one of ``custom_header_config`` or
+ // :ref:`xff_config `
+ // can be set.
+ CustomHeaderConfig custom_header_config = 4;
+
+ // Geoip driver specific configuration which depends on the driver being instantiated.
+ // See the geoip drivers for examples:
+ //
+ // - :ref:`MaxMindConfig `
+ // [#extension-category: envoy.geoip_providers]
+ config.core.v3.TypedExtensionConfig provider = 3 [(validate.rules).message = {required: true}];
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/f31af87cde6202d9e68ca042f27da6dba4d65bdeb94065ce789d59f85dda5eaddc12d4060979422f571ed9dcc382ad1d83d018238ca8b810ff91eeace4dc8123 b/modules/sync/envoyproxy/envoy/cas/f31af87cde6202d9e68ca042f27da6dba4d65bdeb94065ce789d59f85dda5eaddc12d4060979422f571ed9dcc382ad1d83d018238ca8b810ff91eeace4dc8123
new file mode 100644
index 00000000..940a66d0
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/f31af87cde6202d9e68ca042f27da6dba4d65bdeb94065ce789d59f85dda5eaddc12d4060979422f571ed9dcc382ad1d83d018238ca8b810ff91eeace4dc8123
@@ -0,0 +1,63 @@
+syntax = "proto3";
+
+package envoy.config.core.v3;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.config.core.v3";
+option java_outer_classname = "CelProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: CEL Expression Configuration]
+
+// CEL expression evaluation configuration.
+// These options control the behavior of the Common Expression Language runtime for
+// individual CEL expressions.
+message CelExpressionConfig {
+ // Enable string conversion functions for CEL expressions. When enabled, CEL expressions
+ // can convert values to strings using the ``string()`` function.
+ //
+ // .. attention::
+ //
+ // This option is disabled by default to avoid unbounded memory allocation.
+ // CEL evaluation cost is typically bounded by the expression size, but converting
+ // arbitrary values (e.g., large messages, lists, or maps) to strings may allocate
+ // memory proportional to input data size, which can be unbounded and lead to
+ // memory exhaustion.
+ bool enable_string_conversion = 1;
+
+ // Enable string concatenation for CEL expressions. When enabled, CEL expressions
+ // can concatenate strings using the ``+`` operator.
+ //
+ // .. attention::
+ //
+ // This option is disabled by default to avoid unbounded memory allocation.
+ // While CEL normally bounds evaluation by expression size, enabling string
+ // concatenation allows building outputs whose size depends on input data,
+ // potentially causing large intermediate allocations and memory exhaustion.
+ bool enable_string_concat = 2;
+
+ // Enable string manipulation functions for CEL expressions. When enabled, CEL
+ // expressions can use additional string functions:
+ //
+ // * ``replace(old, new)`` - Replaces all occurrences of ``old`` with ``new``.
+ // * ``split(separator)`` - Splits a string into a list of substrings.
+ // * ``lowerAscii()`` - Converts ASCII characters to lowercase.
+ // * ``upperAscii()`` - Converts ASCII characters to uppercase.
+ //
+ // .. note::
+ //
+ // Standard CEL string functions like ``contains()``, ``startsWith()``, and
+ // ``endsWith()`` are always available regardless of this setting.
+ //
+ // .. attention::
+ //
+ // This option is disabled by default to avoid unbounded memory allocation.
+ // Although CEL generally bounds evaluation by expression size, functions such as
+ // ``replace``, ``split``, ``lowerAscii()``, and ``upperAscii()`` can allocate memory
+ // proportional to input data size. Under adversarial inputs this can lead to
+ // unbounded allocations and memory exhaustion.
+ bool enable_string_functions = 3;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/f4b676ef5840cc1e1d8e3fe0c4082b16c423ac1a7b25f9e58f1a3f43733cf51bb7902519dc780939132ae3287dc5c00b99d6894a6da03ad841517d12e072d5e9 b/modules/sync/envoyproxy/envoy/cas/f4b676ef5840cc1e1d8e3fe0c4082b16c423ac1a7b25f9e58f1a3f43733cf51bb7902519dc780939132ae3287dc5c00b99d6894a6da03ad841517d12e072d5e9
new file mode 100644
index 00000000..475f8d1c
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/f4b676ef5840cc1e1d8e3fe0c4082b16c423ac1a7b25f9e58f1a3f43733cf51bb7902519dc780939132ae3287dc5c00b99d6894a6da03ad841517d12e072d5e9
@@ -0,0 +1,55 @@
+syntax = "proto3";
+
+package envoy.extensions.clusters.composite.v3;
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.clusters.composite.v3";
+option java_outer_classname = "ClusterProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/clusters/composite/v3;compositev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Composite cluster configuration]
+
+// Configuration for the composite cluster. See the :ref:`architecture overview
+// ` for more information. This cluster type enables retry-aware
+// cluster selection, allowing different retry attempts to automatically target
+// different upstream clusters. Unlike the standard aggregate cluster which uses
+// health-based selection, the composite cluster uses the retry attempt count to
+// deterministically select which sub-cluster to route to.
+//
+// When retry attempts exceed the number of configured clusters, requests will fail with no
+// host available.
+//
+// Example configuration:
+//
+// .. code-block:: yaml
+//
+// name: composite_cluster
+// connect_timeout: 0.25s
+// lb_policy: CLUSTER_PROVIDED
+// cluster_type:
+// name: envoy.clusters.composite
+// typed_config:
+// "@type": type.googleapis.com/envoy.extensions.clusters.composite.v3.ClusterConfig
+// clusters:
+// - name: primary_cluster
+// - name: secondary_cluster
+// - name: fallback_cluster
+//
+// [#extension: envoy.clusters.composite]
+message ClusterConfig {
+ // Configuration for an individual cluster entry.
+ message ClusterEntry {
+ // Name of the cluster. This cluster must be defined elsewhere in the configuration.
+ string name = 1 [(validate.rules).string = {min_len: 1}];
+ }
+
+ // List of clusters to use for request routing. The first cluster is used for the
+ // initial request (attempt 1), the second cluster for the first retry (attempt 2),
+ // and so on. Must contain at least one cluster. When retry attempts exceed the number
+ // of configured clusters, requests will fail with no host available.
+ repeated ClusterEntry clusters = 1 [(validate.rules).repeated = {min_items: 1}];
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/f6879fdc241bb8413bd7a7d7a11ebd2605f85f399e70444bd392d8040ed29e6d7599caa614e64bfa6c37c940606f7688b74628cf43a026a0d64b46e937b02976 b/modules/sync/envoyproxy/envoy/cas/f6879fdc241bb8413bd7a7d7a11ebd2605f85f399e70444bd392d8040ed29e6d7599caa614e64bfa6c37c940606f7688b74628cf43a026a0d64b46e937b02976
new file mode 100644
index 00000000..f273f2e6
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/f6879fdc241bb8413bd7a7d7a11ebd2605f85f399e70444bd392d8040ed29e6d7599caa614e64bfa6c37c940606f7688b74628cf43a026a0d64b46e937b02976
@@ -0,0 +1,355 @@
+syntax = "proto3";
+
+package envoy.config.accesslog.v3;
+
+import "envoy/config/core/v3/base.proto";
+import "envoy/config/route/v3/route_components.proto";
+import "envoy/data/accesslog/v3/accesslog.proto";
+import "envoy/type/matcher/v3/metadata.proto";
+import "envoy/type/v3/percent.proto";
+
+import "google/protobuf/any.proto";
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.config.accesslog.v3";
+option java_outer_classname = "AccesslogProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/accesslog/v3;accesslogv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Common access log types]
+
+message AccessLog {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.accesslog.v2.AccessLog";
+
+ reserved 3;
+
+ reserved "config";
+
+ // The name of the access log extension configuration.
+ string name = 1;
+
+ // Filter which is used to determine if the access log needs to be written.
+ AccessLogFilter filter = 2;
+
+ // Custom configuration that must be set according to the access logger extension being instantiated.
+ // [#extension-category: envoy.access_loggers]
+ oneof config_type {
+ google.protobuf.Any typed_config = 4;
+ }
+}
+
+// [#next-free-field: 14]
+message AccessLogFilter {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.accesslog.v2.AccessLogFilter";
+
+ oneof filter_specifier {
+ option (validate.required) = true;
+
+ // Status code filter.
+ StatusCodeFilter status_code_filter = 1;
+
+ // Duration filter.
+ DurationFilter duration_filter = 2;
+
+ // Not health check filter.
+ NotHealthCheckFilter not_health_check_filter = 3;
+
+ // Traceable filter.
+ TraceableFilter traceable_filter = 4;
+
+ // Runtime filter.
+ RuntimeFilter runtime_filter = 5;
+
+ // And filter.
+ AndFilter and_filter = 6;
+
+ // Or filter.
+ OrFilter or_filter = 7;
+
+ // Header filter.
+ HeaderFilter header_filter = 8;
+
+ // Response flag filter.
+ ResponseFlagFilter response_flag_filter = 9;
+
+ // gRPC status filter.
+ GrpcStatusFilter grpc_status_filter = 10;
+
+ // Extension filter.
+ // [#extension-category: envoy.access_loggers.extension_filters]
+ ExtensionFilter extension_filter = 11;
+
+ // Metadata Filter
+ MetadataFilter metadata_filter = 12;
+
+ // Log Type Filter
+ LogTypeFilter log_type_filter = 13;
+ }
+}
+
+// Filter on an integer comparison.
+message ComparisonFilter {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.accesslog.v2.ComparisonFilter";
+
+ enum Op {
+ // =
+ EQ = 0;
+
+ // >=
+ GE = 1;
+
+ // <=
+ LE = 2;
+
+ // !=
+ NE = 3;
+ }
+
+ // Comparison operator.
+ Op op = 1 [(validate.rules).enum = {defined_only: true}];
+
+ // Value to compare against.
+ core.v3.RuntimeUInt32 value = 2 [(validate.rules).message = {required: true}];
+}
+
+// Filters on HTTP response/status code.
+message StatusCodeFilter {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.accesslog.v2.StatusCodeFilter";
+
+ // Comparison.
+ ComparisonFilter comparison = 1 [(validate.rules).message = {required: true}];
+}
+
+// Filters based on the duration of the request or stream, in milliseconds.
+// For end of stream access logs, the total duration of the stream will be used.
+// For :ref:`periodic access logs`,
+// the duration of the stream at the time of log recording will be used.
+message DurationFilter {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.accesslog.v2.DurationFilter";
+
+ // Comparison.
+ ComparisonFilter comparison = 1 [(validate.rules).message = {required: true}];
+}
+
+// Filters for requests that are not health check requests. A health check
+// request is marked by the health check filter.
+message NotHealthCheckFilter {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.accesslog.v2.NotHealthCheckFilter";
+}
+
+// Filters for requests that are traceable. See the tracing overview for more
+// information on how a request becomes traceable.
+message TraceableFilter {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.accesslog.v2.TraceableFilter";
+}
+
+// Filters requests based on runtime-configurable sampling rates.
+message RuntimeFilter {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.accesslog.v2.RuntimeFilter";
+
+ // Specifies a key used to look up a custom sampling rate from the runtime configuration. If a value is found for this
+ // key, it will override the default sampling rate specified in ``percent_sampled``.
+ string runtime_key = 1 [(validate.rules).string = {min_len: 1}];
+
+ // Defines the default sampling percentage when no runtime override is present. If not specified, the default is
+ // **0%** (with a denominator of 100).
+ type.v3.FractionalPercent percent_sampled = 2;
+
+ // Controls how sampling decisions are made.
+ //
+ // - Default behavior (``false``):
+ //
+ // * Uses the :ref:`x-request-id` as a consistent sampling pivot.
+ // * When :ref:`x-request-id` is present, sampling will be consistent
+ // across multiple hosts based on both the ``runtime_key`` and
+ // :ref:`x-request-id`.
+ // * Useful for tracking related requests across a distributed system.
+ //
+ // - When set to ``true`` or :ref:`x-request-id` is missing:
+ //
+ // * Sampling decisions are made randomly based only on the ``runtime_key``.
+ // * Useful in complex filter configurations (like nested
+ // :ref:`AndFilter`/
+ // :ref:`OrFilter` blocks) where independent probability
+ // calculations are desired.
+ // * Can be used to implement logging kill switches with predictable probability distributions.
+ //
+ bool use_independent_randomness = 3;
+}
+
+// Performs a logical “and” operation on the result of each filter in filters.
+// Filters are evaluated sequentially and if one of them returns false, the
+// filter returns false immediately.
+message AndFilter {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.accesslog.v2.AndFilter";
+
+ repeated AccessLogFilter filters = 1 [(validate.rules).repeated = {min_items: 2}];
+}
+
+// Performs a logical “or” operation on the result of each individual filter.
+// Filters are evaluated sequentially and if one of them returns true, the
+// filter returns true immediately.
+message OrFilter {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.accesslog.v2.OrFilter";
+
+ repeated AccessLogFilter filters = 2 [(validate.rules).repeated = {min_items: 2}];
+}
+
+// Filters requests based on the presence or value of a request header.
+message HeaderFilter {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.accesslog.v2.HeaderFilter";
+
+ // Only requests with a header which matches the specified HeaderMatcher will
+ // pass the filter check.
+ route.v3.HeaderMatcher header = 1 [(validate.rules).message = {required: true}];
+}
+
+// Filters requests that received responses with an Envoy response flag set.
+// A list of the response flags can be found
+// in the access log formatter
+// :ref:`documentation`.
+message ResponseFlagFilter {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.accesslog.v2.ResponseFlagFilter";
+
+ // Only responses with the any of the flags listed in this field will be
+ // logged. This field is optional. If it is not specified, then any response
+ // flag will pass the filter check.
+ repeated string flags = 1 [(validate.rules).repeated = {
+ items {
+ string {
+ in: "LH"
+ in: "UH"
+ in: "UT"
+ in: "LR"
+ in: "UR"
+ in: "UF"
+ in: "UC"
+ in: "UO"
+ in: "NR"
+ in: "DI"
+ in: "FI"
+ in: "RL"
+ in: "UAEX"
+ in: "RLSE"
+ in: "DC"
+ in: "URX"
+ in: "SI"
+ in: "IH"
+ in: "DPE"
+ in: "UMSDR"
+ in: "RFCF"
+ in: "NFCF"
+ in: "DT"
+ in: "UPE"
+ in: "NC"
+ in: "OM"
+ in: "DF"
+ in: "DO"
+ in: "DR"
+ in: "UDO"
+ }
+ }
+ }];
+}
+
+// Filters gRPC requests based on their response status. If a gRPC status is not
+// provided, the filter will infer the status from the HTTP status code.
+message GrpcStatusFilter {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.accesslog.v2.GrpcStatusFilter";
+
+ enum Status {
+ OK = 0;
+ CANCELED = 1;
+ UNKNOWN = 2;
+ INVALID_ARGUMENT = 3;
+ DEADLINE_EXCEEDED = 4;
+ NOT_FOUND = 5;
+ ALREADY_EXISTS = 6;
+ PERMISSION_DENIED = 7;
+ RESOURCE_EXHAUSTED = 8;
+ FAILED_PRECONDITION = 9;
+ ABORTED = 10;
+ OUT_OF_RANGE = 11;
+ UNIMPLEMENTED = 12;
+ INTERNAL = 13;
+ UNAVAILABLE = 14;
+ DATA_LOSS = 15;
+ UNAUTHENTICATED = 16;
+ }
+
+ // Logs only responses that have any one of the gRPC statuses in this field.
+ repeated Status statuses = 1 [(validate.rules).repeated = {items {enum {defined_only: true}}}];
+
+ // If included and set to true, the filter will instead block all responses
+ // with a gRPC status or inferred gRPC status enumerated in statuses, and
+ // allow all other responses.
+ bool exclude = 2;
+}
+
+// Filters based on matching dynamic metadata.
+// If the matcher path and key correspond to an existing key in dynamic
+// metadata, the request is logged only if the matcher value is equal to the
+// metadata value. If the matcher path and key *do not* correspond to an
+// existing key in dynamic metadata, the request is logged only if
+// match_if_key_not_found is "true" or unset.
+message MetadataFilter {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.accesslog.v2.MetadataFilter";
+
+ // Matcher to check metadata for specified value. For example, to match on the
+ // access_log_hint metadata, set the filter to "envoy.common" and the path to
+ // "access_log_hint", and the value to "true".
+ type.matcher.v3.MetadataMatcher matcher = 1;
+
+ // Default result if the key does not exist in dynamic metadata: if unset or
+ // true, then log; if false, then don't log.
+ google.protobuf.BoolValue match_if_key_not_found = 2;
+}
+
+// Filters based on access log type.
+message LogTypeFilter {
+ // Logs only records which their type is one of the types defined in this field.
+ repeated data.accesslog.v3.AccessLogType types = 1
+ [(validate.rules).repeated = {items {enum {defined_only: true}}}];
+
+ // If this field is set to true, the filter will instead block all records
+ // with a access log type in types field, and allow all other records.
+ bool exclude = 2;
+}
+
+// Extension filter is statically registered at runtime.
+message ExtensionFilter {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.config.filter.accesslog.v2.ExtensionFilter";
+
+ reserved 2;
+
+ reserved "config";
+
+ // The name of the filter implementation to instantiate. The name must
+ // match a statically registered filter.
+ string name = 1;
+
+ // Custom configuration that depends on the filter being instantiated.
+ oneof config_type {
+ google.protobuf.Any typed_config = 3;
+ }
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/f6ab25059c8421c806ba9672ecac55c6d74fc37d4b102962632c85a088cfc621f4953537f7605b8fd27ddfd4d842d6ebdf6b6ade161ded40e9d625f94773c69e b/modules/sync/envoyproxy/envoy/cas/f6ab25059c8421c806ba9672ecac55c6d74fc37d4b102962632c85a088cfc621f4953537f7605b8fd27ddfd4d842d6ebdf6b6ade161ded40e9d625f94773c69e
new file mode 100644
index 00000000..d656c66b
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/f6ab25059c8421c806ba9672ecac55c6d74fc37d4b102962632c85a088cfc621f4953537f7605b8fd27ddfd4d842d6ebdf6b6ade161ded40e9d625f94773c69e 
@@ -0,0 +1,366 @@
+syntax = "proto3";
+
+package envoy.extensions.transport_sockets.tls.v3;
+
+import "envoy/config/core/v3/address.proto";
+import "envoy/config/core/v3/extension.proto";
+import "envoy/extensions/transport_sockets/tls/v3/common.proto";
+import "envoy/extensions/transport_sockets/tls/v3/secret.proto";
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/wrappers.proto";
+
+import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.tls.v3";
+option java_outer_classname = "TlsProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/transport_sockets/tls/v3;tlsv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: TLS transport socket]
+// [#extension: envoy.transport_sockets.tls]
+// The TLS contexts below provide the transport socket configuration for upstream/downstream TLS.
+
+// [#next-free-field: 8]
+message UpstreamTlsContext {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.auth.UpstreamTlsContext";
+
+ // Common TLS context settings.
+ //
+ // .. attention::
+ //
+ // Server certificate verification is not enabled by default. To enable verification, configure
+ // :ref:`trusted_ca`.
+ CommonTlsContext common_tls_context = 1;
+
+ // SNI string to use when creating TLS backend connections.
+ string sni = 2 [(validate.rules).string = {max_bytes: 255}];
+
+ // If true, replaces the SNI for the connection with the hostname of the upstream host, if
+ // the hostname is known due to either a DNS cluster type or the
+ // :ref:`hostname ` is set on
+ // the host.
+ //
+ // See :ref:`SNI configuration ` for details on how this
+ // interacts with other validation options.
+ bool auto_host_sni = 6;
+
+ // If true, replaces any Subject Alternative Name (SAN) validations with a validation for a DNS SAN matching
+ // the SNI value sent. The validation uses the actual requested SNI, regardless of how the SNI is configured.
+ //
+ // For common cases where an SNI value is present and the server certificate should include a corresponding SAN,
+ // this option ensures the SAN is properly validated.
+ //
+ // See the :ref:`validation configuration ` for how this interacts with
+ // other validation options.
+ bool auto_sni_san_validation = 7;
+
+ // If true, server-initiated TLS renegotiation will be allowed.
+ //
+ // .. attention::
+ //
+ // TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary.
+ bool allow_renegotiation = 3;
+
+ // Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets
+ // for TLSv1.2 and older) to be stored for session resumption.
+ //
+ // Defaults to 1, setting this to 0 disables session resumption.
+ google.protobuf.UInt32Value max_session_keys = 4;
+
+ // Controls enforcement of the ``keyUsage`` extension in peer certificates. If set to ``true``, the handshake will fail if
+ // the ``keyUsage`` is incompatible with TLS usage.
+ //
+ // .. note::
+ // The default value is ``false`` (i.e., enforcement off). It is expected to change to ``true`` in a future release.
+ //
+ // The ``ssl.was_key_usage_invalid`` in :ref:`listener metrics ` metric will be incremented
+ // for configurations that would fail if this option were enabled.
+ google.protobuf.BoolValue enforce_rsa_key_usage = 5;
+}
+
+// [#next-free-field: 12]
+message DownstreamTlsContext {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.auth.DownstreamTlsContext";
+
+ enum OcspStaplePolicy {
+ // OCSP responses are optional. If absent or expired, the certificate is used without stapling.
+ LENIENT_STAPLING = 0;
+
+ // OCSP responses are optional. If absent, the certificate is used without stapling. If present but expired,
+ // the certificate is not used for subsequent connections. Connections are rejected if no suitable certificate
+ // is found.
+ STRICT_STAPLING = 1;
+
+ // OCSP responses are required. Connections fail if a certificate lacks a valid OCSP response. Expired responses
+ // prevent certificate use in new connections, and connections are rejected if no suitable certificate is available.
+ MUST_STAPLE = 2;
+ }
+
+ // Common TLS context settings.
+ CommonTlsContext common_tls_context = 1;
+
+ // If specified, Envoy will reject connections without a valid client
+ // certificate.
+ google.protobuf.BoolValue require_client_certificate = 2;
+
+ // If specified, Envoy will reject connections without a valid and matching SNI.
+ // [#not-implemented-hide:]
+ google.protobuf.BoolValue require_sni = 3;
+
+ oneof session_ticket_keys_type {
+ // TLS session ticket key settings.
+ TlsSessionTicketKeys session_ticket_keys = 4;
+
+ // Config for fetching TLS session ticket keys via SDS API.
+ SdsSecretConfig session_ticket_keys_sds_secret_config = 5;
+
+ // Config for controlling stateless TLS session resumption: setting this to true will cause the TLS
+ // server to not issue TLS session tickets for the purposes of stateless TLS session resumption.
+ // If set to false, the TLS server will issue TLS session tickets and encrypt/decrypt them using
+ // the keys specified through either :ref:`session_ticket_keys `
+ // or :ref:`session_ticket_keys_sds_secret_config `.
+ // If this config is set to false and no keys are explicitly configured, the TLS server will issue
+ // TLS session tickets and encrypt/decrypt them using an internally-generated and managed key, with the
+ // implication that sessions cannot be resumed across hot restarts or on different hosts.
+ bool disable_stateless_session_resumption = 7;
+ }
+
+ // If ``true``, the TLS server will not maintain a session cache of TLS sessions.
+ //
+ // .. note::
+ // This applies only to TLSv1.2 and earlier.
+ //
+ bool disable_stateful_session_resumption = 10;
+
+ // Maximum lifetime of TLS sessions. If specified, ``session_timeout`` will change the maximum lifetime
+ // of the TLS session.
+ //
+ // This serves as a hint for the `TLS session ticket lifetime (for TLSv1.2) `_.
+ // Only whole seconds are considered; fractional seconds are ignored.
+ google.protobuf.Duration session_timeout = 6 [(validate.rules).duration = {
+ lt {seconds: 4294967296}
+ gte {}
+ }];
+
+ // Configuration for handling certificates without an OCSP response or with expired responses.
+ //
+ // Defaults to ``LENIENT_STAPLING``
+ OcspStaplePolicy ocsp_staple_policy = 8 [(validate.rules).enum = {defined_only: true}];
+
+ // Multiple certificates are allowed in Downstream transport socket to serve different SNI.
+ // This option controls the behavior when no matching certificate is found for the received SNI value,
+ // or no SNI value was sent. If enabled, all certificates will be evaluated for a match for non-SNI criteria
+ // such as key type and OCSP settings. If disabled, the first provided certificate will be used.
+ // Defaults to ``false``. See more details in :ref:`Multiple TLS certificates `.
+ google.protobuf.BoolValue full_scan_certs_on_sni_mismatch = 9;
+
+ // If ``true``, the downstream client's preferred cipher is used during the handshake. If ``false``, Envoy
+ // uses its preferred cipher.
+ //
+ // .. note::
+ // This has no effect when using TLSv1_3.
+ //
+ bool prefer_client_ciphers = 11;
+}
+
+// TLS key log configuration.
+// The key log file format is "format used by NSS for its SSLKEYLOGFILE debugging output" (text taken from openssl man page)
+message TlsKeyLog {
+ // Path to save the TLS key log.
+ string path = 1 [(validate.rules).string = {min_len: 1}];
+
+ // Local IP address ranges to filter connections for TLS key logging. If not set, matches any local IP address.
+ repeated config.core.v3.CidrRange local_address_range = 2;
+
+ // Remote IP address ranges to filter connections for TLS key logging. If not set, matches any remote IP address.
+ repeated config.core.v3.CidrRange remote_address_range = 3;
+}
+
+// TLS context shared by both client and server TLS contexts.
+// [#next-free-field: 17]
+message CommonTlsContext {
+ option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CommonTlsContext";
+
+ // Config for the Certificate Provider to fetch certificates. Certificates are fetched/refreshed asynchronously over
+ // the network relative to the TLS handshake.
+ //
+ // DEPRECATED: This message is not currently used, but if we ever do need it, we will want to
+ // move it out of CommonTlsContext and into common.proto, similar to the existing
+ // CertificateProviderPluginInstance message.
+ //
+ // [#not-implemented-hide:]
+ message CertificateProvider {
+ // opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify
+ // a root-certificate (validation context) or "TLS" to specify a new tls-certificate.
+ string name = 1 [(validate.rules).string = {min_len: 1}];
+
+ // Provider specific config.
+ // Note: an implementation is expected to dedup multiple instances of the same config
+ // to maintain a single certificate-provider instance. The sharing can happen, for
+ // example, among multiple clusters or between the tls_certificate and validation_context
+ // certificate providers of a cluster.
+ // This config could be supplied inline or (in future) a named xDS resource.
+ oneof config {
+ option (validate.required) = true;
+
+ config.core.v3.TypedExtensionConfig typed_config = 2;
+ }
+ }
+
+ // Similar to CertificateProvider above, but allows the provider instances to be configured on
+ // the client side instead of being sent from the control plane.
+ //
+ // DEPRECATED: This message was moved outside of CommonTlsContext
+ // and now lives in common.proto.
+ //
+ // [#not-implemented-hide:]
+ message CertificateProviderInstance {
+ // Provider instance name. This name must be defined in the client's configuration (e.g., a
+ // bootstrap file) to correspond to a provider instance (i.e., the same data in the typed_config
+ // field that would be sent in the CertificateProvider message if the config was sent by the
+ // control plane). If not present, defaults to "default".
+ //
+ // Instance names should generally be defined not in terms of the underlying provider
+ // implementation (e.g., "file_watcher") but rather in terms of the function of the
+ // certificates (e.g., "foo_deployment_identity").
+ string instance_name = 1;
+
+ // Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify
+ // a root-certificate (validation context) or "example.com" to specify a certificate for a
+ // particular domain. Not all provider instances will actually use this field, so the value
+ // defaults to the empty string.
+ string certificate_name = 2;
+ }
+
+ message CombinedCertificateValidationContext {
+ option (udpa.annotations.versioning).previous_message_type =
+ "envoy.api.v2.auth.CommonTlsContext.CombinedCertificateValidationContext";
+
+ // How to validate peer certificates.
+ CertificateValidationContext default_validation_context = 1
+ [(validate.rules).message = {required: true}];
+
+ // Config for fetching validation context via SDS API. Note SDS API allows certificates to be
+ // fetched/refreshed over the network asynchronously with respect to the TLS handshake.
+ SdsSecretConfig validation_context_sds_secret_config = 2
+ [(validate.rules).message = {required: true}];
+
+ // Certificate provider for fetching CA certs. This will populate the
+ // ``default_validation_context.trusted_ca`` field.
+ // [#not-implemented-hide:]
+ CertificateProvider validation_context_certificate_provider = 3
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // Certificate provider instance for fetching CA certs. This will populate the
+ // ``default_validation_context.trusted_ca`` field.
+ // [#not-implemented-hide:]
+ CertificateProviderInstance validation_context_certificate_provider_instance = 4
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+ }
+
+ reserved 5;
+
+ // TLS protocol versions, cipher suites etc.
+ TlsParameters tls_params = 1;
+
+ // Only a single TLS certificate is supported in client contexts. In server contexts,
+ // :ref:`Multiple TLS certificates ` can be associated with the
+ // same context to allow both RSA and ECDSA certificates and support SNI-based selection.
+ //
+ // If ``tls_certificate_provider_instance`` is set, this field is ignored.
+ // If this field is set, ``tls_certificate_sds_secret_configs`` is ignored.
+ repeated TlsCertificate tls_certificates = 2;
+
+ // Configs for fetching TLS certificates via SDS API. Note SDS API allows certificates to be
+ // fetched/refreshed over the network asynchronously with respect to the TLS handshake.
+ //
+ // The same number and types of certificates as :ref:`tls_certificates `
+ // are valid in the certificates fetched through this setting.
+ //
+ // If ``tls_certificates`` or ``tls_certificate_provider_instance`` are set, this field
+ // is ignored.
+ repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6;
+
+ // Certificate provider instance for fetching TLS certs.
+ //
+ // If this field is set, ``tls_certificates`` and ``tls_certificate_provider_instance``
+ // are ignored.
+ // [#not-implemented-hide:]
+ CertificateProviderPluginInstance tls_certificate_provider_instance = 14;
+
+ // Custom TLS certificate selector.
+ //
+ // Select TLS certificate based on TLS client hello.
+ // If empty, defaults to native TLS certificate selection behavior:
+ // DNS SANs or Subject Common Name in TLS certificates is extracted as server name pattern to match SNI.
+ // [#extension-category: envoy.tls.certificate_selectors]
+ config.core.v3.TypedExtensionConfig custom_tls_certificate_selector = 16;
+
+ // Certificate provider for fetching TLS certificates.
+ // [#not-implemented-hide:]
+ CertificateProvider tls_certificate_certificate_provider = 9
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // Certificate provider instance for fetching TLS certificates.
+ // [#not-implemented-hide:]
+ CertificateProviderInstance tls_certificate_certificate_provider_instance = 11
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ oneof validation_context_type {
+ // How to validate peer certificates.
+ CertificateValidationContext validation_context = 3;
+
+ // Config for fetching validation context via SDS API. Note SDS API allows certificates to be
+ // fetched/refreshed over the network asynchronously with respect to the TLS handshake.
+ SdsSecretConfig validation_context_sds_secret_config = 7;
+
+ // Combines the default ``CertificateValidationContext`` with the SDS-provided dynamic context for certificate
+ // validation.
+ //
+ // When the SDS server returns a dynamic ``CertificateValidationContext``, it is merged
+ // with the default context using ``Message::MergeFrom()``. The merging rules are as follows:
+ //
+ // * **Singular Fields:** Dynamic fields override the default singular fields.
+ // * **Repeated Fields:** Dynamic repeated fields are concatenated with the default repeated fields.
+ // * **Boolean Fields:** Boolean fields are combined using a logical OR operation.
+ //
+ // The resulting ``CertificateValidationContext`` is used to perform certificate validation.
+ CombinedCertificateValidationContext combined_validation_context = 8;
+
+ // Certificate provider for fetching validation context.
+ // [#not-implemented-hide:]
+ CertificateProvider validation_context_certificate_provider = 10
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // Certificate provider instance for fetching validation context.
+ // [#not-implemented-hide:]
+ CertificateProviderInstance validation_context_certificate_provider_instance = 12
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+ }
+
+ // Supplies the list of ALPN protocols that the listener should expose. In
+ // practice this is likely to be set to one of two values (see the
+ // :ref:`codec_type
+ // `
+ // parameter in the HTTP connection manager for more information):
+ //
+ // * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1.
+ // * "http/1.1" If the listener is only going to support HTTP/1.1.
+ //
+ // There is no default for this parameter. If empty, Envoy will not expose ALPN.
+ repeated string alpn_protocols = 4;
+
+ // Custom TLS handshaker. If empty, defaults to native TLS handshaking
+ // behavior.
+ config.core.v3.TypedExtensionConfig custom_handshaker = 13;
+
+ // TLS key log configuration
+ TlsKeyLog key_log = 15;
+}
diff --git a/modules/sync/envoyproxy/envoy/cas/ffd5b6efba152ae8c135ff89f8c569e21f584379f1047a3dba7e53bbcd62880dc8e0ab883ae66bd8dc69d665a58affa6a2c29dd376fc21da66b09a0194d50b59 b/modules/sync/envoyproxy/envoy/cas/ffd5b6efba152ae8c135ff89f8c569e21f584379f1047a3dba7e53bbcd62880dc8e0ab883ae66bd8dc69d665a58affa6a2c29dd376fc21da66b09a0194d50b59
new file mode 100644
index 00000000..2da5fe5f
--- /dev/null
+++ b/modules/sync/envoyproxy/envoy/cas/ffd5b6efba152ae8c135ff89f8c569e21f584379f1047a3dba7e53bbcd62880dc8e0ab883ae66bd8dc69d665a58affa6a2c29dd376fc21da66b09a0194d50b59
@@ -0,0 +1,114 @@
+syntax = "proto3";
+
+package envoy.config.core.v3;
+
+import "envoy/config/core/v3/substitution_format_string.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.config.core.v3";
+option java_outer_classname = "ProxyProtocolProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Proxy protocol]
+
+message ProxyProtocolPassThroughTLVs {
+ enum PassTLVsMatchType {
+ // Pass all TLVs.
+ INCLUDE_ALL = 0;
+
+ // Pass specific TLVs defined in tlv_type.
+ INCLUDE = 1;
+ }
+
+ // The strategy to pass through TLVs. Default is INCLUDE_ALL.
+ // If INCLUDE_ALL is set, all TLVs will be passed through no matter the tlv_type field.
+ PassTLVsMatchType match_type = 1;
+
+ // The TLV types that are applied based on match_type.
+ // TLV type is defined as uint8_t in proxy protocol. See `the spec
+ // `_ for details.
+ repeated uint32 tlv_type = 2 [(validate.rules).repeated = {items {uint32 {lt: 256}}}];
+}
+
+// Represents a single Type-Length-Value (TLV) entry.
+message TlvEntry {
+ // The type of the TLV. Must be a uint8 (0-255) as per the Proxy Protocol v2 specification.
+ uint32 type = 1 [(validate.rules).uint32 = {lt: 256}];
+
+ // The static value of the TLV.
+ // Only one of ``value`` or ``format_string`` may be set.
+ bytes value = 2;
+
+ // Uses the :ref:`format string ` to dynamically
+ // populate the TLV value from stream information. This allows dynamic values
+ // such as metadata, filter state, or other stream properties to be included in
+ // the TLV.
+ //
+ // For example:
+ //
+ // .. code-block:: yaml
+ //
+ // type: 0xF0
+ // format_string:
+ // text_format_source:
+ // inline_string: "%DYNAMIC_METADATA(envoy.filters.network:key)%"
+ //
+ // The formatted string will be used directly as the TLV value.
+ // Only one of ``value`` or ``format_string`` may be set.
+ SubstitutionFormatString format_string = 3;
+}
+
+message ProxyProtocolConfig {
+ enum Version {
+ // PROXY protocol version 1. Human readable format.
+ V1 = 0;
+
+ // PROXY protocol version 2. Binary format.
+ V2 = 1;
+ }
+
+ // The PROXY protocol version to use. See https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt for details
+ Version version = 1;
+
+ // This config controls which TLVs can be passed to upstream if it is Proxy Protocol
+ // V2 header. If there is no setting for this field, no TLVs will be passed through.
+ ProxyProtocolPassThroughTLVs pass_through_tlvs = 2;
+
+ // This config allows additional TLVs to be included in the upstream PROXY protocol
+ // V2 header. Unlike ``pass_through_tlvs``, which passes TLVs from the downstream request,
+ // ``added_tlvs`` provides an extension mechanism for defining new TLVs that are included
+ // with the upstream request. These TLVs may not be present in the downstream request and
+ // can be defined at either the transport socket level or the host level to provide more
+ // granular control over the TLVs that are included in the upstream request.
+ //
+ // Host-level TLVs are specified in the ``metadata.typed_filter_metadata`` field under the
+ // ``envoy.transport_sockets.proxy_protocol`` namespace.
+ //
+ // .. literalinclude:: /_configs/repo/proxy_protocol.yaml
+ // :language: yaml
+ // :lines: 49-57
+ // :linenos:
+ // :lineno-start: 49
+ // :caption: :download:`proxy_protocol.yaml `
+ //
+ // **Precedence behavior**:
+ //
+ // - When a TLV is defined at both the host level and the transport socket level, the value
+ // from the host level configuration takes precedence. This allows users to define default TLVs
+ // at the transport socket level and override them at the host level.
+ // - Any TLV defined in the ``pass_through_tlvs`` field will be overridden by either the host-level
+ // or transport socket-level TLV.
+ //
+ // If there are multiple TLVs with the same type, only the TLVs from the highest precedence level
+ // will be used.
+ repeated TlvEntry added_tlvs = 3;
+}
+
+message PerHostConfig {
+ // Enables per-host configuration for Proxy Protocol.
+ repeated TlvEntry added_tlvs = 1;
+}
diff --git a/modules/sync/envoyproxy/envoy/state.json b/modules/sync/envoyproxy/envoy/state.json
index d89cd064..3e35eb78 100644
--- a/modules/sync/envoyproxy/envoy/state.json
+++ b/modules/sync/envoyproxy/envoy/state.json
@@ -103,6 +103,10 @@
 {
 "name": "v1.36.4",
 "digest": "b1087822a6832d5a5c1a89c76f714e5386391872b88095aa20bc4389e41d899609a92da3db2f31dd5e4bbd347cc446a0512d4dde17e1495be69a02627dbf218b"
+ },
+ {
+ "name": "v1.37.0",
+ "digest": "1df85d6b2e4538bf21786d82c70b53e0683f6d87b2f8ab87f5c2b0e50f39dd952b14fdb58c7d0e5548d7912ccb7b068e3dde6ce4203d7c8de1491c7f15b2dc95"
 }
 ]
 }
\ No newline at end of file
diff --git a/modules/sync/envoyproxy/ratelimit/state.json b/modules/sync/envoyproxy/ratelimit/state.json
index 1b45c422..f6921383 100644
--- a/modules/sync/envoyproxy/ratelimit/state.json
+++ b/modules/sync/envoyproxy/ratelimit/state.json
@@ -299,6 +299,10 @@
 {
 "name": "e9ce92ccdc4333abe77c3f55f3baa5fdddd8f0f2",
 "digest": "e5d46e06ebe64630de4d45a6de4ef6dab86d2a9feae086455fbfb6288d8e20bdc649cce7d22de18d156a062d0bcf4bba03463c16b434541c59942a89dababc39"
+ },
+ {
+ "name": "a28b84d049ba23d15eba3191b1a72057ed40969f",
+ "digest": "e5d46e06ebe64630de4d45a6de4ef6dab86d2a9feae086455fbfb6288d8e20bdc649cce7d22de18d156a062d0bcf4bba03463c16b434541c59942a89dababc39"
 }
 ]
 }
\ No newline at end of file
diff --git a/modules/sync/googleapis/cloud-run/state.json b/modules/sync/googleapis/cloud-run/state.json
index b54134a8..915e76fb 100644
--- a/modules/sync/googleapis/cloud-run/state.json
+++ b/modules/sync/googleapis/cloud-run/state.json
@@ -367,6 +367,42 @@
 {
 "name": "50d3d7b7a9f8435ef80cf2ac0bab549e637fd6ac",
 "digest": "e5a69c31a5b16a18227e6db3bb9f50d17e5c2c804ffda111ff01e276f3e9bd5c2eb5c2721e9d5adbc261ed406c45ddc2902af0a1cb3da02672efcc2bfc005b0a"
+ },
+ {
+ "name": "1b55977eec0f8641c2067739aaaca0c750d070ee",
+ "digest": "e5a69c31a5b16a18227e6db3bb9f50d17e5c2c804ffda111ff01e276f3e9bd5c2eb5c2721e9d5adbc261ed406c45ddc2902af0a1cb3da02672efcc2bfc005b0a"
+ },
+ {
+ "name": "e006e1c8b69c0594e6f872316a3543b3b37ad81b",
+ "digest": "e5a69c31a5b16a18227e6db3bb9f50d17e5c2c804ffda111ff01e276f3e9bd5c2eb5c2721e9d5adbc261ed406c45ddc2902af0a1cb3da02672efcc2bfc005b0a"
+ },
+ {
+ "name": "94aa4f5ae672addf00e7970ecc47699e34989e90",
+ "digest": "e5a69c31a5b16a18227e6db3bb9f50d17e5c2c804ffda111ff01e276f3e9bd5c2eb5c2721e9d5adbc261ed406c45ddc2902af0a1cb3da02672efcc2bfc005b0a"
+ },
+ {
+ "name": "34f9acf250e1663b9765ee496faf7e3db4e0872e",
+ "digest": "e5a69c31a5b16a18227e6db3bb9f50d17e5c2c804ffda111ff01e276f3e9bd5c2eb5c2721e9d5adbc261ed406c45ddc2902af0a1cb3da02672efcc2bfc005b0a"
+ },
+ {
+ "name": "741fcad21410da930e586e6b1ff0f591b7900747",
+ "digest": "e5a69c31a5b16a18227e6db3bb9f50d17e5c2c804ffda111ff01e276f3e9bd5c2eb5c2721e9d5adbc261ed406c45ddc2902af0a1cb3da02672efcc2bfc005b0a"
+ },
+ {
+ "name": "59405cfb9442c29b7326c0ee4d373fd6b8073096",
+ "digest": "e5a69c31a5b16a18227e6db3bb9f50d17e5c2c804ffda111ff01e276f3e9bd5c2eb5c2721e9d5adbc261ed406c45ddc2902af0a1cb3da02672efcc2bfc005b0a"
+ },
+ {
+ "name": "fe3d7591b8367857cb98ece8aba22b8f8cf03e10",
+ "digest": "e5a69c31a5b16a18227e6db3bb9f50d17e5c2c804ffda111ff01e276f3e9bd5c2eb5c2721e9d5adbc261ed406c45ddc2902af0a1cb3da02672efcc2bfc005b0a"
+ },
+ {
+ "name": "415914bd49d41beaae8a9adb348ee2587c93aa70",
+ "digest": "e5a69c31a5b16a18227e6db3bb9f50d17e5c2c804ffda111ff01e276f3e9bd5c2eb5c2721e9d5adbc261ed406c45ddc2902af0a1cb3da02672efcc2bfc005b0a"
+ },
+ {
+ "name": "615bb9acb1d978c497cf2268450c6e6c3e8be049",
+ "digest": "e5a69c31a5b16a18227e6db3bb9f50d17e5c2c804ffda111ff01e276f3e9bd5c2eb5c2721e9d5adbc261ed406c45ddc2902af0a1cb3da02672efcc2bfc005b0a"
 }
 ]
 }
\ No newline at end of file
diff --git a/modules/sync/googleapis/googleapis/state.json b/modules/sync/googleapis/googleapis/state.json
index 58ad2ed2..feb69a38 100644
--- a/modules/sync/googleapis/googleapis/state.json
+++ b/modules/sync/googleapis/googleapis/state.json
@@ -21279,6 +21279,42 @@
 {
 "name": "50d3d7b7a9f8435ef80cf2ac0bab549e637fd6ac",
 "digest": "d26c7c2fd95f0873761af33ca4a0c0d92c8577122b6feb74eb3b0a57ebe47a98ab24a209a0e91945ac4c77204e9da0c2de0020b2cedc27bdbcdea6c431eec69b"
+ },
+ {
+ "name": "1b55977eec0f8641c2067739aaaca0c750d070ee",
+ "digest": "d26c7c2fd95f0873761af33ca4a0c0d92c8577122b6feb74eb3b0a57ebe47a98ab24a209a0e91945ac4c77204e9da0c2de0020b2cedc27bdbcdea6c431eec69b"
+ },
+ {
+ "name": "e006e1c8b69c0594e6f872316a3543b3b37ad81b",
+ "digest": "d26c7c2fd95f0873761af33ca4a0c0d92c8577122b6feb74eb3b0a57ebe47a98ab24a209a0e91945ac4c77204e9da0c2de0020b2cedc27bdbcdea6c431eec69b"
+ },
+ {
+ "name": "94aa4f5ae672addf00e7970ecc47699e34989e90",
+ "digest": "d26c7c2fd95f0873761af33ca4a0c0d92c8577122b6feb74eb3b0a57ebe47a98ab24a209a0e91945ac4c77204e9da0c2de0020b2cedc27bdbcdea6c431eec69b"
+ },
+ {
+ "name": "34f9acf250e1663b9765ee496faf7e3db4e0872e",
+ "digest": "d26c7c2fd95f0873761af33ca4a0c0d92c8577122b6feb74eb3b0a57ebe47a98ab24a209a0e91945ac4c77204e9da0c2de0020b2cedc27bdbcdea6c431eec69b"
+ },
+ {
+ "name": "741fcad21410da930e586e6b1ff0f591b7900747",
+ "digest": "d26c7c2fd95f0873761af33ca4a0c0d92c8577122b6feb74eb3b0a57ebe47a98ab24a209a0e91945ac4c77204e9da0c2de0020b2cedc27bdbcdea6c431eec69b"
+ },
+ {
+ "name": "59405cfb9442c29b7326c0ee4d373fd6b8073096",
+ "digest": "d26c7c2fd95f0873761af33ca4a0c0d92c8577122b6feb74eb3b0a57ebe47a98ab24a209a0e91945ac4c77204e9da0c2de0020b2cedc27bdbcdea6c431eec69b"
+ },
+ {
+ "name": "fe3d7591b8367857cb98ece8aba22b8f8cf03e10",
+ "digest": "d26c7c2fd95f0873761af33ca4a0c0d92c8577122b6feb74eb3b0a57ebe47a98ab24a209a0e91945ac4c77204e9da0c2de0020b2cedc27bdbcdea6c431eec69b"
+ },
+ {
+ "name": "415914bd49d41beaae8a9adb348ee2587c93aa70",
+ "digest": "d26c7c2fd95f0873761af33ca4a0c0d92c8577122b6feb74eb3b0a57ebe47a98ab24a209a0e91945ac4c77204e9da0c2de0020b2cedc27bdbcdea6c431eec69b"
+ },
+ {
+ "name": "615bb9acb1d978c497cf2268450c6e6c3e8be049",
+ "digest": "d26c7c2fd95f0873761af33ca4a0c0d92c8577122b6feb74eb3b0a57ebe47a98ab24a209a0e91945ac4c77204e9da0c2de0020b2cedc27bdbcdea6c431eec69b"
 }
 ]
 }
\ No newline at end of file
diff --git a/modules/sync/state.json b/modules/sync/state.json
index 0e7872b0..7159f7e1 100644
--- a/modules/sync/state.json
+++ b/modules/sync/state.json
@@ -22,7 +22,7 @@
 },
 {
 "module_name": "envoyproxy/envoy",
- "latest_reference": "v1.36.4"
+ "latest_reference": "v1.37.0"
 },
 {
 "module_name": "envoyproxy/protoc-gen-validate",
@@ -30,7 +30,7 @@
 },
 {
 "module_name": "envoyproxy/ratelimit",
- "latest_reference": "e9ce92ccdc4333abe77c3f55f3baa5fdddd8f0f2"
+ "latest_reference": "a28b84d049ba23d15eba3191b1a72057ed40969f"
 },
 {
 "module_name": "gogo/protobuf",
@@ -42,11 +42,11 @@
 },
 {
 "module_name": "googleapis/cloud-run",
- "latest_reference": "50d3d7b7a9f8435ef80cf2ac0bab549e637fd6ac"
+ "latest_reference": "615bb9acb1d978c497cf2268450c6e6c3e8be049"
 },
 {
 "module_name": "googleapis/googleapis",
- "latest_reference": "50d3d7b7a9f8435ef80cf2ac0bab549e637fd6ac"
+ "latest_reference": "615bb9acb1d978c497cf2268450c6e6c3e8be049"
 },
 {
 "module_name": "googlechrome/lighthouse",