Found new managed modules references#1073
c7500e8 to
62b5588
62b5588 to
05885ce
Changes in envoy, lighthouse, and WKT. Substantial changes in envoy; looks like mostly additions to me, although in envoy there are a lot of new files being synced.
FYI @pkwarren @jhump would love your input in here to see if there's anything we're syncing that we should exclude, or if we may be missing something.
| }, | ||
| { | ||
| "name": "v1.35.4", | ||
| "digest": "3f412b3191f2a03f0e2ffffc9f45803b3db58bd1e6842a7ec18d509f3623096a4ff7bc8fb2c2305d22d8dc403f4c0b4eca7e4e88c0a8475f952e405525d9ccb7" |
cd modules/sync/envoyproxy/envoy
casdiff v1.35.3 v1.35.4 --format=markdown1 files changed: 0 removed, 0 renamed, 0 added, 1 changed content
Files changed content:
envoy/extensions/filters/listener/tls_inspector/v3/tls_inspector.proto:
--- shake256:7dd152626a195fafea372ab20390e4b8979fe28ef22621d899b0aa0cbf48e02a996a6505e28da12e0dccee4bfad4e965ebe861117fa66d135c8fb78f7ce8ec4c envoy/extensions/filters/listener/tls_inspector/v3/tls_inspector.proto
+++ shake256:cfa0377e1e757d077ba5ce2367ce376d2e02fa8af8e9d17081ce3501c15672485aae78a5096e34615fde5d4c26f3e7074e17e16de774ac82e240d9da8c4cf97b envoy/extensions/filters/listener/tls_inspector/v3/tls_inspector.proto
@@ -37,4 +37,15 @@
// tls inspector will consume.
google.protobuf.UInt32Value initial_read_buffer_size = 2
[(validate.rules).uint32 = {lt: 65537 gt: 255}];
+
+ // Close connection when TLS ClientHello message could not be parsed.
+ // This flag should be enabled only if it is known that incoming connections are expected to use
+ // TLS protocol, as Envoy does not distinguish between a plain text message or a malformed TLS
+ // ClientHello message.
+ // By default this flag is false and TLS ClientHello parsing errors are interpreted as a
+ // plain text connection.
+ // Setting this to true will cause connections to be terminated and the ``client_hello_too_large``
+ // counter to be incremented if the ClientHello message is over implementation defined limit
+ // (currently 16Kb).
+ bool close_connection_on_client_hello_parsing_errors = 4;
}
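Review bot: The comment on `close_connection_on_client_hello_parsing_errors` names only the `client_hello_too_large` counter, so it does not say what is counted or logged when a ClientHello fails to parse for any other reason and the connection is closed. The limit is written as `16Kb`, which reads as kilobits; `16 KiB` would be unambiguous. Because the default keeps treating a parse failure as a plain-text connection, a sentence such as `// On listeners that only serve TLS, enable this flag so that malformed handshakes are not matched as plain text.` would make the secure setting explicit. The enclosing message starts outside the hunk.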
| }, | ||
| { | ||
| "name": "v1.36.0", | ||
| "digest": "7f087cb09cf323d4b7a6618148870959c3affaded64b3510afbf484eee19791cf12caf80aa4d5721809b6bfef662053913aeff0e8aa92b3f57774d6ed3f86253" |
casdiff v1.35.5 v1.36.0 --format=markdown71 files changed: 0 removed, 0 renamed, 22 added, 49 changed content
Files added:
+ shake256:2d8529937573b5af22c4a01154056d54c8e1b7ce7b96511d19f6109749f9f4053a143a206cf1d298d2ff688e67608f03ea18d80dba10cece6f6dae33e25a8122 envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.proto
+ shake256:8b7b3951df953ac62dfacfadbdb599faeb1072f96527f5ed8455463046d8a62c2ea0932dd5a3bd9feaabfd4812de4c0bf0515be825714cdfa27e1e934e736692 envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto
+ shake256:713d411cee39f04b628ebfc3532d4a8af422cfb8885f372599ed0d86dd4011f743d160c66485159be9dee939ecf66de5c323cd1fc4523f1c3be62bde4e3bbbac envoy/extensions/clusters/reverse_connection/v3/reverse_connection.proto
+ shake256:32ec3f8854e5a6ceed6ac53d62142d707ea1c335da41359d8d57cfd3cff4edd5afbe1fd1d7a40057a17ae0f20c106756d7d29480007969dcd4b1845fb2e3ad6b envoy/extensions/filters/http/cache_v2/v3/cache.proto
+ shake256:2974d42d6aca9cc1d92da59d423f3a9a7e490c887716b5b3a018962cc0390463580cc5dd7cf1634fda75a07894ef32650dd7bd24c68a39f5e322193f7437621b envoy/extensions/filters/http/mcp/v3/mcp.proto
+ shake256:3e60681753f480f9fc7da5503210259f2d9043fe030621bf444b81df7bd222fd56927f3e1a307b5a237e8272405afa8919779b67b8632c6bc77479c483e8272d envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.proto
+ shake256:7f89d816c9b3dd99415e179c26bc1a20c9404b6bfeee89f0e0f6449ecfe84964676d13b594b72f0ae8a8506128500e1e16f933ce8df9d394d1c0c4b45813aa17 envoy/extensions/grpc_service/call_credentials/access_token/v3/access_token_credentials.proto
+ shake256:738f54621e145760f7b19dfd49f2a1b93f3e7e906e90b0d10d8020dfb60671ba007e5a16ad49b43c0f17c26263ad7b75037096c0d099ab9b3766a134b967f4ec envoy/extensions/grpc_service/call_credentials/file_based_metadata/v3/file_based_metadata_credentials.proto
+ shake256:9b994b424db196e4024393e9773eb91d6c04f40ff51d62ddc3c5be89bf43a44361f944a70c2a1ef8c60e03fd31bf84b4f94a86b60f0ebadc2c8693a8d50bda2b envoy/extensions/grpc_service/call_credentials/google_compute_engine/v3/google_compute_engine_credentials.proto
+ shake256:3a4bba752e25fbe98c5decf5fb7cef33f26d62cb772a1090a70f52d120f0649f2dd7597c650b360e5b8cb94c73127bc4218ea40d973b391377fe723e65f0297b envoy/extensions/grpc_service/call_credentials/google_iam/v3/google_iam_credentials.proto
+ shake256:287739521df4ccf47e2466a84022be6911d45006c26e28da2adadf3c8de7173b3d1677c66ca4b77e17a9fb1b672f484df217e1b4611c93488d60245e6e44e1ad envoy/extensions/grpc_service/call_credentials/google_refresh_token/v3/google_refresh_token_credentials.proto
+ shake256:c4f207e0dd455917f2d2ff262738b2251f0ad9e2089ee7eede8bb1db6616c30ab66a50aefa73b453651d3354aff71bb825481afce3d128202e1e1df32242e949 envoy/extensions/grpc_service/call_credentials/service_account_jwt_access/v3/service_account_jwt_access_credentials.proto
+ shake256:e15b227bff5203ad4e5f26f97f15b19a8737d04089d7548c23a541220080f846ad5c4417fd874560786f53863bc4c76a04dca54138758749257029360097bac3 envoy/extensions/grpc_service/call_credentials/sts_service/v3/sts_service_credentials.proto
+ shake256:baaa05a38dbd4935506087fa463cfc3a8835aa79213b713885956c4176beea297948117e5ed8dc6a3d1dbb56730ee3f9af5dd3e452dcbc366fc9ef4bb1387570 envoy/extensions/grpc_service/channel_credentials/google_default/v3/google_default_credentials.proto
+ shake256:4bcf0fe81cddf339e3add76e432b404823cee937521b87cfa3d3062cccc6737ea842028dab050f99f4aeb2e8950ed82e359707125e6093916f8fdcc6a879f8e5 envoy/extensions/grpc_service/channel_credentials/insecure/v3/insecure_credentials.proto
+ shake256:bb28c723bc3100a46e0f6df343066f7360925ecf2fc8e6c85b07bf99d452c1777085d39e189ebc8c38142048aa9b0881481de9b10ce0c667c18fc0f12a6dfefc envoy/extensions/grpc_service/channel_credentials/local/v3/local_credentials.proto
+ shake256:7215f9898193b8af53eb913822e4a62030a22efcd12ab8b10e268e0a04ed5c2c6e5c827f445c7948a594fc9baaeb9dac34dc6cf9bfa1e76d4e1d4273bd9b1b87 envoy/extensions/grpc_service/channel_credentials/tls/v3/tls_credentials.proto
+ shake256:ac5ba8062d33e4d5aa748d0361c4432c67fc338e29d9e413c1477e57967de535e1f79f135a7ac836cfbc32678b2ee1862b0d14315c6faa0912e542d24be2c20f envoy/extensions/grpc_service/channel_credentials/xds/v3/xds_credentials.proto
+ shake256:df1206e2109fc9b8c5709f4ca2b97bee1b542246208dfade5d301f75f7c2465784191d253bfd96459324e467aed1de28e7af8b1940363ebce406534008fbd60a envoy/extensions/http/cache_v2/file_system_http_cache/v3/file_system_http_cache.proto
+ shake256:7a766c160b8106c34fe067b54d44f89736dc070bc115d8fe475172b262c98d33b717fe58c1561bfbe44f3fdd5856120c2583c7fc1b38d0099acc3dd6d5ef76c8 envoy/extensions/http/cache_v2/simple_http_cache/v3/config.proto
+ shake256:01f1be6da291eaba77746eb09c1837f51354726aa6f0c9aed1fe958b66d8298193826d0f4b33c97054c053f1e7860980f67ea074e897f405bd50d8d79279d8e4 envoy/extensions/http/ext_proc/processing_request_modifiers/mapped_attribute_builder/v3/mapped_attribute_builder.proto
+ shake256:5be0d34d2448031378eb44f676a6f51827f9d2d2546ab6df3b67c5c3da1011face37d508a8a0b95bdc4cce3abd94ea5f1fa591428646ff478a153466eae1494f envoy/extensions/matching/common_inputs/stats/v3/stats.protoFiles changed content:
envoy/config/bootstrap/v3/bootstrap.proto:
--- shake256:c33fcfa432a6a1ddfaa759db672f56be0eec4f9a45705bc88a83c2775a23db2eb0824ba6af4bccf082c58bb304f58968f08f7f39e238581c2ec0337b35b30145 envoy/config/bootstrap/v3/bootstrap.proto
+++ shake256:012964f6302f1be544858bbdec9638aa5eea252b22d0226c3213917a2b03d2682c1b9393486b4810938f211a045c9130bed7e1b91c2fa583b7ef894db1eb4905 envoy/config/bootstrap/v3/bootstrap.proto
@@ -41,7 +41,7 @@
// <config_overview_bootstrap>` for more detail.
// Bootstrap :ref:`configuration overview <config_overview_bootstrap>`.
-// [#next-free-field: 42]
+// [#next-free-field: 43]
message Bootstrap {
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.bootstrap.v2.Bootstrap";
@@ -228,6 +228,14 @@
// a flush timer is not created. Only one of ``stats_flush_on_admin`` or
// ``stats_flush_interval`` can be set.
bool stats_flush_on_admin = 29 [(validate.rules).bool = {const: true}];
+ }
+
+ oneof stats_eviction {
+ // Optional duration to perform metric eviction. At every interval, during the stats flush
+ // the unused metrics are removed from the worker caches and the used metrics
+ // are marked as unused. Must be a multiple of the ``stats_flush_interval``.
+ google.protobuf.Duration stats_eviction_interval = 42
+ [(validate.rules).duration = {gte {nanos: 1000000}}];
}
// Optional watchdog configuration.
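Review bot: The comment on `stats_eviction_interval` requires a multiple of `stats_flush_interval`, but the rule on the field is only `gte {nanos: 1000000}`, so a non-multiple passes schema validation and must be caught by whatever consumes the bootstrap. The comment should say where that check happens and what the field means when `stats_flush_on_admin` is chosen instead of an interval, since that case has no interval to be a multiple of. The new `oneof stats_eviction` has a single member; if that is deliberate (to allow later alternatives), a one-line comment saying so would help readers of the generated code.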
envoy/config/common/mutation_rules/v3/mutation_rules.proto:
--- shake256:bb688fa3d164e48efde9a75f15dd7b27477008fecdf1de1507fd0b230418349e51045dbb409c39c07bab2ecd1be4f85c044dcaad213c998b59e0c3a22b04d3b0 envoy/config/common/mutation_rules/v3/mutation_rules.proto
+++ shake256:175d2f7896be8a9a86b2eecf8cab4cf5c8e5c5361842335f8c607f3a1ce908a57419a79822d110b334254694bc67e6bd67dfcf0ef08de910b898a8a617eadd4f envoy/config/common/mutation_rules/v3/mutation_rules.proto
@@ -4,6 +4,7 @@
import "envoy/config/core/v3/base.proto";
import "envoy/type/matcher/v3/regex.proto";
+import "envoy/type/matcher/v3/string.proto";
import "google/protobuf/wrappers.proto";
@@ -90,6 +91,12 @@
// The HeaderMutation structure specifies an action that may be taken on HTTP
// headers.
message HeaderMutation {
+ message RemoveOnMatch {
+ // A string matcher that will be applied to the header key. If the header key
+ // matches, the header will be removed.
+ type.matcher.v3.StringMatcher key_matcher = 1 [(validate.rules).message = {required: true}];
+ }
+
oneof action {
option (validate.required) = true;
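Review bot: The `RemoveOnMatch.key_matcher` comment does not say in which form the header key is matched. Envoy normally holds header names in lowercase, so an `exact` or `prefix` matcher written with capitals would presumably never match unless `ignore_case` is set; the comment should state this, e.g. `// Header keys are matched in their lowercase form.` (to be confirmed against the implementation). It should also say whether a removal through `remove_on_match` is still subject to the header mutation rule checks defined in this file, because a broad matcher can strip headers that downstream policy relies on. The `HeaderMutation` message continues outside the hunk.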
@@ -99,5 +106,8 @@
// Append new header by the specified HeaderValueOption.
core.v3.HeaderValueOption append = 2;
+
+ // Remove the header if the key matches the specified string matcher.
+ RemoveOnMatch remove_on_match = 3;
}
}
envoy/config/core/v3/address.proto:
--- shake256:9bdcea3eb88a11101bd929c0023324fd3f4de83be267d8221eb85c279ff885ed115bc5ba0dfbad50b8bec34ee582181b57556d3c982e3f488bd07282c2a916df envoy/config/core/v3/address.proto
+++ shake256:1a9db550014817a7ab0e397006fefed890a2cf80bf6d895c4d348ae8e4bc84349175ceb206e972fbc9b152908c9ecc65cc91b00a785c04fc7cd5b9c5c7de4284 envoy/config/core/v3/address.proto
@@ -105,9 +105,6 @@
// .. note::
// Setting this parameter requires Envoy to run with the ``CAP_NET_ADMIN`` capability.
//
- // .. note::
- // Currently only used for Listener sockets.
- //
// .. attention::
// Network namespaces are only configurable on Linux. Otherwise, this field has no effect.
string network_namespace_filepath = 7;
envoy/config/core/v3/config_source.proto:
--- shake256:8226bbfb813cffa2b928184a6eeb04043ff9e554c0b097c2b1fb3c607f3c5b873d628dc9a171f594af63315d155845e947db3a4790c636975e51ed0b8a629579 envoy/config/core/v3/config_source.proto
+++ shake256:f3cb7e88d65a8b2d19c1255815c37f61b708887327f5b3a58fe5b6bf8c0c1607d12b7bcabf156947db5c9108c041599af9f6a25ac22d0225326cc1c4418a343d envoy/config/core/v3/config_source.proto
@@ -276,7 +276,8 @@
// to be supplied.
bool apply_default_config_without_warming = 3;
- // A set of permitted extension type URLs. Extension configuration updates are rejected
- // if they do not match any type URL in the set.
+ // A set of permitted extension type URLs for the type encoded inside of the
+ // :ref:`TypedExtensionConfig <envoy_v3_api_msg_config.core.v3.TypedExtensionConfig>`. Extension
+ // configuration updates are rejected if they do not match any type URL in the set.
repeated string type_urls = 4 [(validate.rules).repeated = {min_items: 1}];
}
envoy/config/core/v3/grpc_service.proto:
--- shake256:d2f80ca130b2ec005d4200041e4df633e76c95e48f55a7c431ebdcc68fac696c44c030d03b7e46852bf16e474662ecf75a3889c66769ccbb8cec0676a54c27ba envoy/config/core/v3/grpc_service.proto
+++ shake256:8c73bfaf4c0aa348a088e9c432b16703dca8ebd6e0227c4301076f7c64cb1af98bd0a1e395b05f2d4c311d10f57baf851dba7c19dca1e5e447dee7b4b6f9fd81 envoy/config/core/v3/grpc_service.proto
@@ -64,7 +64,7 @@
bool skip_envoy_headers = 5;
}
- // [#next-free-field: 9]
+ // [#next-free-field: 11]
message GoogleGrpc {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.core.GrpcService.GoogleGrpc";
@@ -249,16 +249,31 @@
}
// The target URI when using the `Google C++ gRPC client
- // <https://github.com/grpc/grpc>`_. SSL credentials will be supplied in
- // :ref:`channel_credentials <envoy_v3_api_field_config.core.v3.GrpcService.GoogleGrpc.channel_credentials>`.
+ // <https://github.com/grpc/grpc>`_.
string target_uri = 1 [(validate.rules).string = {min_len: 1}];
+ // The channel credentials to use. See `channel credentials
+ // <https://grpc.io/docs/guides/auth.html#credential-types>`_.
+ // Ignored if ``channel_credentials_plugin`` is set.
ChannelCredentials channel_credentials = 2;
- // A set of call credentials that can be composed with `channel credentials
+ // A list of channel credentials plugins.
+ // The data plane will iterate over the list in order and stop at the first credential type
+ // that it supports. This provides a mechanism for starting to use new credential types that
+ // are not yet supported by all data planes.
+ // [#not-implemented-hide:]
+ repeated google.protobuf.Any channel_credentials_plugin = 9;
+
+ // The call credentials to use. See `channel credentials
// <https://grpc.io/docs/guides/auth.html#credential-types>`_.
+ // Ignored if ``call_credentials_plugin`` is set.
repeated CallCredentials call_credentials = 3;
+ // A list of call credentials plugins. All supported plugins will be used.
+ // Unsupported plugin types will be ignored.
+ // [#not-implemented-hide:]
+ repeated google.protobuf.Any call_credentials_plugin = 10;
+
// The human readable prefix to use when emitting statistics for the gRPC
// service.
//
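Review bot: As documented, both plugin lists fail open: `channel_credentials_plugin` stops at the first type the data plane supports and `call_credentials_plugin` ignores unsupported types, so a configuration can end up with weaker credentials than intended, or with none, and no error. The comments should state what happens when no listed plugin is supported (whether `channel_credentials` / `call_credentials` are then used or the config is rejected) and advise against placing an insecure credential type in the list as a fallback. Separately, the new text on `call_credentials` reads "The call credentials to use. See `channel credentials", which looks like a leftover from the removed sentence; the link text should match, e.g. "See `credential types <https://grpc.io/docs/guides/auth.html#credential-types>`_". Both new fields are marked `[#not-implemented-hide:]`, so this is about the contract being published rather than current behaviour.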
envoy/config/core/v3/health_check.proto:
--- shake256:e6f9d1ab3b04678a52f9383851a25489155a01b86ff5b7908b82367d9d39373c2376014c0714c54d23e2eb705a9886c2eaf873ba6e2404a3a441a0301125fe17 envoy/config/core/v3/health_check.proto
+++ shake256:6a4880727a18c76c27422fb04451cb0c08cb6acc712b2ba3b3a68c81cb00feb401d2d4f8d666cbaaa787331838d3b8b8a9cf3a0ec609f9cb00c9f97574edae2a envoy/config/core/v3/health_check.proto
@@ -102,7 +102,8 @@
// ``/healthcheck``.
string path = 2 [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE}];
- // [#not-implemented-hide:] HTTP specific payload.
+ // HTTP specific payload to be sent as the request body during health checking.
+ // If specified, the method should support a request body (POST, PUT, PATCH, etc.).
Payload send = 3;
// Specifies a list of HTTP expected responses to match in the first ``response_buffer_size`` bytes of the response body.
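Review bot: The new comment on `send` lists the body-capable methods as "(POST, PUT, PATCH, etc.)", while the comment added on `method` in the next hunk says payloads are supported for "POST, PUT, PATCH, and OPTIONS methods only"; the two should give the same closed list. Neither says what happens when `send` is set together with a method outside that list (config rejected, or payload silently dropped), and "should support" leaves that open. Suggest `// Only valid with POST, PUT, PATCH or OPTIONS; see ``method``.` plus a statement of the failure behaviour once confirmed.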
@@ -161,7 +162,8 @@
type.matcher.v3.StringMatcher service_name_matcher = 11;
// HTTP Method that will be used for health checking, default is "GET".
- // GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE, PATCH methods are supported, but making request body is not supported.
+ // GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE, PATCH methods are supported.
+ // Request body payloads are supported for POST, PUT, PATCH, and OPTIONS methods only.
// CONNECT method is disallowed because it is not appropriate for health check request.
// If a non-200 response is expected by the method, it needs to be set in :ref:`expected_statuses <envoy_v3_api_field_config.core.v3.HealthCheck.HttpHealthCheck.expected_statuses>`.
RequestMethod method = 13 [(validate.rules).enum = {defined_only: true not_in: 6}];
envoy/config/core/v3/protocol.proto:
--- shake256:a104e128142e280ddde124ddabbb90593a61c69ed8ffce733194dc23331c9ad15acd54abf9acd8d9135e3ae9412f2c08cc60f0094cf3cd026cd8fc0a5eb3062f envoy/config/core/v3/protocol.proto
+++ shake256:1580679222615a4c489cfd5f311a2ceb66378020ac353ee807f791abe9dc9c4d3994c5ca5ebd8ddf509382e7b6a55c1d3954a03a9917702659ccaaef7acbc5f9 envoy/config/core/v3/protocol.proto
@@ -77,7 +77,7 @@
[(validate.rules).uint32 = {lte: 16777216 gte: 1}];
// Similar to ``initial_stream_window_size``, but for connection-level
- // flow-control. Valid values rage from 1 to 25165824 (24MB, maximum supported by QUICHE) and defaults
+ // flow-control. Valid values range from 1 to 25165824 (24MB, maximum supported by QUICHE) and defaults
// to 25165824 (24 * 1024 * 1024).
//
// .. note::
@@ -111,10 +111,9 @@
// default 600s will be applied.
// For internal corporate network, a long timeout is often fine.
// But for client facing network, 30s is usually a good choice.
- google.protobuf.Duration idle_network_timeout = 8 [(validate.rules).duration = {
- lte {seconds: 600}
- gte {seconds: 1}
- }];
+ // Do not add an upper bound here. A long idle timeout is useful for maintaining warm connections at non-front-line proxy for low QPS services."
+ google.protobuf.Duration idle_network_timeout = 8
+ [(validate.rules).duration = {gte {seconds: 1}}];
// Maximum packet length for QUIC connections. It refers to the largest size of a QUIC packet that can be transmitted over the connection.
// If not specified, one of the `default values in QUICHE <https://github.com/google/quiche/blob/main/quiche/quic/core/quic_constants.h>`_ is used.
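Review bot: The comment line added above `idle_network_timeout` ends with a stray `"` and is a maintainer instruction ("Do not add an upper bound here") placed inside the user-facing field documentation. With `lte {seconds: 600}` removed, any duration of one second or more validates, so the schema no longer caps how long idle QUIC connections may hold state on a client-facing listener; the surrounding text still recommends 30s there, and that recommendation is now the only guard. Suggest moving the maintainer note into a `[#comment: ...]` annotation, dropping the quote, and adding a sentence that client-facing deployments should set an explicit short value.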
@@ -503,7 +502,7 @@
// `Maximum concurrent streams <https://httpwg.org/specs/rfc7540.html#rfc.section.5.1.2>`_
// allowed for peer on one HTTP/2 connection. Valid values range from 1 to 2147483647 (2^31 - 1)
- // and defaults to 2147483647.
+ // and defaults to 1024 for safety and should be sufficient for most use cases.
//
// For upstream connections, this also limits how many streams Envoy will initiate concurrently
// on a single connection. If the limit is reached, Envoy may queue requests or establish
@@ -517,8 +516,8 @@
// `Initial stream-level flow-control window
// <https://httpwg.org/specs/rfc7540.html#rfc.section.6.9.2>`_ size. Valid values range from 65535
- // (2^16 - 1, HTTP/2 default) to 2147483647 (2^31 - 1, HTTP/2 maximum) and defaults to 268435456
- // (256 * 1024 * 1024).
+ // (2^16 - 1, HTTP/2 default) to 2147483647 (2^31 - 1, HTTP/2 maximum) and defaults to
+ // 16MiB (16 * 1024 * 1024).
//
// .. note::
//
@@ -532,7 +531,7 @@
[(validate.rules).uint32 = {lte: 2147483647 gte: 65535}];
// Similar to ``initial_stream_window_size``, but for connection-level flow-control
- // window. Currently, this has the same minimum/maximum/default as ``initial_stream_window_size``.
+ // window. The default is 24MiB (24 * 1024 * 1024).
google.protobuf.UInt32Value initial_connection_window_size = 4
[(validate.rules).uint32 = {lte: 2147483647 gte: 65535}];
envoy/config/core/v3/proxy_protocol.proto:
--- shake256:5288e856c742176528181b2cc2feb6432f4384e24e600fcd5191dbc7180b7a939e8ec2417d2f8124852ba0b03110217013a847cb3e8b5343eeecd198677b9345 envoy/config/core/v3/proxy_protocol.proto
+++ shake256:228b44c84ee8b6c130b4a061960ac1fd5a222d903f100caeed5206441656d9692892a7c5c29a604df6c0c4130560fc8766a377cbdf9bd2f7fc804cc9eddf09af envoy/config/core/v3/proxy_protocol.proto
@@ -2,6 +2,8 @@
package envoy.config.core.v3;
+import "envoy/config/core/v3/substitution_format_string.proto";
+
import "udpa/annotations/status.proto";
import "validate/validate.proto";
@@ -37,8 +39,27 @@
// The type of the TLV. Must be a uint8 (0-255) as per the Proxy Protocol v2 specification.
uint32 type = 1 [(validate.rules).uint32 = {lt: 256}];
- // The value of the TLV. Must be at least one byte long.
- bytes value = 2 [(validate.rules).bytes = {min_len: 1}];
+ // The static value of the TLV.
+ // Only one of ``value`` or ``format_string`` may be set.
+ bytes value = 2;
+
+ // Uses the :ref:`format string <config_access_log_format_strings>` to dynamically
+ // populate the TLV value from stream information. This allows dynamic values
+ // such as metadata, filter state, or other stream properties to be included in
+ // the TLV.
+ //
+ // For example:
+ //
+ // .. code-block:: yaml
+ //
+ // type: 0xF0
+ // format_string:
+ // text_format_source:
+ // inline_string: "%DYNAMIC_METADATA(envoy.filters.network:key)%"
+ //
+ // The formatted string will be used directly as the TLV value.
+ // Only one of ``value`` or ``format_string`` may be set.
+ SubstitutionFormatString format_string = 3;
}
message ProxyProtocolConfig {
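Review bot: `value` and `format_string` are documented as mutually exclusive, but they are plain sibling fields and the `min_len: 1` rule on `value` was removed, so the schema now accepts both set and neither set, and the exclusivity has to be enforced by the consumer. The comments should say what happens in each of those two cases (rejected at config load, or an empty TLV emitted). Because `format_string` takes its output from stream information and that output "will be used directly as the TLV value", the comment should also note that a receiver which trusts PROXY protocol TLVs must only be fed fields the client cannot influence, and state the behaviour when the formatted value exceeds what a v2 TLV length field can carry.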
envoy/config/endpoint/v3/load_report.proto:
--- shake256:ab22092143f11a2bb940fd0a240fc9730e3441ce6c9fa0b9655877da59372d2fc1c3fa36aa9f9b68f7659b27ac66d617255d3810f869b5bba5ab41ab4107792b envoy/config/endpoint/v3/load_report.proto
+++ shake256:37544485154fc1be701779188515c219db0415ee12110f40fd75e51cf5ac61275914ac75f9c349c711215d45c2a1a525cd589738d1f2d119aa56ee3aec2a234a envoy/config/endpoint/v3/load_report.proto
@@ -38,7 +38,8 @@
// locality.
uint64 total_successful_requests = 2;
- // The total number of unfinished requests
+ // The total number of unfinished requests. A request can be an HTTP request
+ // or a TCP connection for a TCP connection pool.
uint64 total_requests_in_progress = 3;
// The total number of requests that failed due to errors at the endpoint,
@@ -47,7 +48,8 @@
// The total number of requests that were issued by this Envoy since
// the last report. This information is aggregated over all the
- // upstream endpoints in the locality.
+ // upstream endpoints in the locality. A request can be an HTTP request
+ // or a TCP connection for a TCP connection pool.
uint64 total_issued_requests = 8;
// The total number of connections in an established state at the time of the
envoy/config/listener/v3/listener_components.proto:
--- shake256:898dcb73232fc67a2cdd1d61309a81f12c1da724cc3e5c9877e2a1c8f8c4b9f6d170383f7dff706ffc19dca6e09c9cd558136dc75a9cf507c7e1d341c497a293 envoy/config/listener/v3/listener_components.proto
+++ shake256:1f3f879c54b1a2d224518fd83a0102d0d2773bc6ec191cc330efa19ebbfed6040cbfa7cafce5ef133402fd1455954aa17c7938f765340f34603adda028d14a82 envoy/config/listener/v3/listener_components.proto
@@ -233,7 +233,7 @@
google.protobuf.BoolValue use_proxy_proto = 4
[deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
- // [#not-implemented-hide:] filter chain metadata.
+ // Filter chain metadata.
core.v3.Metadata metadata = 5;
// Optional custom transport socket implementation to use for downstream connections.
envoy/config/metrics/v3/stats.proto:
--- shake256:a8554de3c086b2484470c8e4034fdc0e830708d90a38e319b28f9cacbc5cd39328f36abee0ef4d7cc378be2cde369b0ec69925e6836eb6c23c3b82fd4dd3c783 envoy/config/metrics/v3/stats.proto
+++ shake256:0ab7a51526349d17204ee9d8ea113d3786daa4820362b5f6343919aab1ce08622c5831302b043b080ef74ad38101100f25f807b50ab19b8fa4f825fac23d292b envoy/config/metrics/v3/stats.proto
@@ -298,10 +298,12 @@
// Each value is the upper bound of a bucket. Each bucket must be greater than 0 and unique.
// The order of the buckets does not matter.
repeated double buckets = 2 [(validate.rules).repeated = {
- min_items: 1
unique: true
items {double {gt: 0.0}}
}];
+
+ // Initial number of bins for the ``circllhist`` thread local histogram per time series. Default value is 100.
+ google.protobuf.UInt32Value bins = 3 [(validate.rules).uint32 = {lte: 46082 gt: 0}];
}
// Stats configuration proto schema for built-in ``envoy.stat_sinks.statsd`` sink. This sink does not support
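Review bot: Removing `min_items: 1` from `buckets` while adding `bins` means an entry may now set only `bins`, only `buckets`, or neither, yet the `buckets` comment is unchanged and nothing says what an entry with both unset means or whether it is rejected. Suggest adding a line such as `// At least one of ``buckets`` or ``bins`` must be set.` if that is the intended contract, enforced where the config is loaded. The bound `lte: 46082` on `bins` is unexplained; a short why-comment (presumably the maximum bin count of the histogram implementation, to be confirmed) would stop it reading as an arbitrary constant. The enclosing message starts outside the hunk.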
envoy/config/overload/v3/overload.proto:
--- shake256:b1b80519ed10cd644f155c72798d6d0f8a55d4657fb61d2de8aab8c821865aa7b60be401f52e6b04157c806772428ea368d36791ded9328940fe980b70e42f8f envoy/config/overload/v3/overload.proto
+++ shake256:e2127d379ca4b3095227bfca37afce4626c1f19c0f12fb5750cb96e102ad44a4b69ef87a9ffe1871025355f89b4c2a4ac2c099ff53da65237672a923c2625006 envoy/config/overload/v3/overload.proto
@@ -109,6 +109,13 @@
// :ref:`HttpConnectionManager.common_http_protocol_options.max_connection_duration
// <envoy_v3_api_field_config.core.v3.HttpProtocolOptions.max_connection_duration>`.
HTTP_DOWNSTREAM_CONNECTION_MAX = 4;
+
+ // Adjusts the timeout for the downstream codec to flush an ended stream.
+ // This affects the value of :ref:`RouteAction.flush_timeout
+ // <envoy_v3_api_field_config.route.v3.RouteAction.flush_timeout>` and
+ // :ref:`HttpConnectionManager.stream_flush_timeout
+ // <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_flush_timeout>`
+ HTTP_DOWNSTREAM_STREAM_FLUSH = 5;
}
message ScaleTimer {
@@ -134,9 +141,16 @@
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.overload.v2alpha.OverloadAction";
- // The name of the overload action. This is just a well-known string that listeners can
- // use for registering callbacks. Custom overload actions should be named using reverse
- // DNS to ensure uniqueness.
+ // The name of the overload action. This is just a well-known string that
+ // listeners can use for registering callbacks.
+ // Valid known overload actions include:
+ // - envoy.overload_actions.stop_accepting_requests
+ // - envoy.overload_actions.disable_http_keepalive
+ // - envoy.overload_actions.stop_accepting_connections
+ // - envoy.overload_actions.reject_incoming_connections
+ // - envoy.overload_actions.shrink_heap
+ // - envoy.overload_actions.reduce_timeouts
+ // - envoy.overload_actions.reset_high_memory_stream
string name = 1 [(validate.rules).string = {min_len: 1}];
// A set of triggers for this action. The state of the action is the maximum
@@ -148,7 +162,7 @@
// in this list.
repeated Trigger triggers = 2 [(validate.rules).repeated = {min_items: 1}];
- // Configuration for the action being instantiated.
+ // Configuration for the action being instantiated if applicable.
google.protobuf.Any typed_config = 3;
}
envoy/config/route/v3/route_components.proto:
--- shake256:18f31908af63584b6662711f451e843f2b2c3b70b9270820704e4e73979af564b12c00cf59fbd38498485747c9b95ecbcf7714a24b2d379d897d7f37dcc2d733 envoy/config/route/v3/route_components.proto
+++ shake256:4e306b1098b447470219676e0a3cc95a4819d2a694fd58ec4349b803bd907396fddca5e3edad7a8ce919d818a27a84e9e68cc0a2a0a5fe1ce547418b30e49132 envoy/config/route/v3/route_components.proto
@@ -2,6 +2,7 @@
package envoy.config.route.v3;
+import "envoy/config/common/mutation_rules/v3/mutation_rules.proto";
import "envoy/config/core/v3/base.proto";
import "envoy/config/core/v3/extension.proto";
import "envoy/config/core/v3/proxy_protocol.proto";
@@ -41,7 +42,7 @@
// host header. This allows a single listener to service multiple top level domain path trees. Once
// a virtual host is selected based on the domain, the routes are processed in order to see which
// upstream cluster to route to or whether to perform a redirect.
-// [#next-free-field: 25]
+// [#next-free-field: 26]
message VirtualHost {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.VirtualHost";
@@ -78,7 +79,7 @@
// .. note::
//
// The wildcard will not match the empty string.
- // e.g. ``*-bar.foo.com`` will match ``baz-bar.foo.com`` but not ``-bar.foo.com``.
+ // For example, ``*-bar.foo.com`` will match ``baz-bar.foo.com`` but not ``-bar.foo.com``.
// The longest wildcards match first.
// Only a single virtual host in the entire route configuration can match on ``*``. A domain
// must be unique across all virtual hosts or the config will fail to load.
@@ -155,7 +156,7 @@
// This field can be used to provide virtual host level per filter config. The key should match the
// :ref:`filter config name
// <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpFilter.name>`.
- // See :ref:`Http filter route specific config <arch_overview_http_filters_per_filter_config>`
+ // See :ref:`HTTP filter route-specific config <arch_overview_http_filters_per_filter_config>`
// for details.
// [#comment: An entry's value may be wrapped in a
// :ref:`FilterConfig<envoy_v3_api_msg_config.route.v3.FilterConfig>`
@@ -166,7 +167,10 @@
// <config_http_filters_router_x-envoy-attempt-count>` header should be included
// in the upstream request. Setting this option will cause it to override any existing header
// value, so in the case of two Envoys on the request path with this option enabled, the upstream
- // will see the attempt count as perceived by the second Envoy. Defaults to false.
+ // will see the attempt count as perceived by the second Envoy.
+ //
+ // Defaults to ``false``.
+ //
// This header is unaffected by the
// :ref:`suppress_envoy_headers
// <envoy_v3_api_field_extensions.filters.http.router.v3.Router.suppress_envoy_headers>` flag.
@@ -178,7 +182,10 @@
// <config_http_filters_router_x-envoy-attempt-count>` header should be included
// in the downstream response. Setting this option will cause the router to override any existing header
// value, so in the case of two Envoys on the request path with this option enabled, the downstream
- // will see the attempt count as perceived by the Envoy closest upstream from itself. Defaults to false.
+ // will see the attempt count as perceived by the Envoy closest upstream from itself.
+ //
+ // Defaults to ``false``.
+ //
// This header is unaffected by the
// :ref:`suppress_envoy_headers
// <envoy_v3_api_field_extensions.filters.http.router.v3.Router.suppress_envoy_headers>` flag.
@@ -186,30 +193,57 @@
// Indicates the retry policy for all routes in this virtual host. Note that setting a
// route level entry will take precedence over this config and it'll be treated
- // independently (e.g.: values are not inherited).
+ // independently (e.g., values are not inherited).
RetryPolicy retry_policy = 16;
// [#not-implemented-hide:]
// Specifies the configuration for retry policy extension. Note that setting a route level entry
- // will take precedence over this config and it'll be treated independently (e.g.: values are not
+ // will take precedence over this config and it'll be treated independently (e.g., values are not
// inherited). :ref:`Retry policy <envoy_v3_api_field_config.route.v3.VirtualHost.retry_policy>` should not be
// set if this field is used.
google.protobuf.Any retry_policy_typed_config = 20;
// Indicates the hedge policy for all routes in this virtual host. Note that setting a
// route level entry will take precedence over this config and it'll be treated
- // independently (e.g.: values are not inherited).
+ // independently (e.g., values are not inherited).
HedgePolicy hedge_policy = 17;
// Decides whether to include the :ref:`x-envoy-is-timeout-retry <config_http_filters_router_x-envoy-is-timeout-retry>`
- // request header in retries initiated by per try timeouts.
+ // request header in retries initiated by per-try timeouts.
bool include_is_timeout_retry_header = 23;
- // The maximum bytes which will be buffered for retries and shadowing.
- // If set and a route-specific limit is not set, the bytes actually buffered will be the minimum
- // value of this and the listener per_connection_buffer_limit_bytes.
- google.protobuf.UInt32Value per_request_buffer_limit_bytes = 18;
+ // The maximum bytes which will be buffered for retries and shadowing. If set, the bytes actually buffered will be
+ // the minimum value of this and the listener ``per_connection_buffer_limit_bytes``.
+ //
+ // .. attention::
+ //
+ // This field has been deprecated. Please use :ref:`request_body_buffer_limit
+ // <envoy_v3_api_field_config.route.v3.VirtualHost.request_body_buffer_limit>` instead.
+ // Only one of ``per_request_buffer_limit_bytes`` and ``request_body_buffer_limit`` could be set.
+ google.protobuf.UInt32Value per_request_buffer_limit_bytes = 18
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+ // The maximum bytes which will be buffered for request bodies to support large request body
+ // buffering beyond the ``per_connection_buffer_limit_bytes``.
+ //
+ // This limit is specifically for the request body buffering and allows buffering larger payloads while maintaining
+ // flow control.
+ //
+ // Buffer limit precedence (from highest to lowest priority):
+ //
+ // 1. If ``request_body_buffer_limit`` is set, then ``request_body_buffer_limit`` will be used.
+ // 2. If :ref:`per_request_buffer_limit_bytes <envoy_v3_api_field_config.route.v3.VirtualHost.per_request_buffer_limit_bytes>`
+ // is set but ``request_body_buffer_limit`` is not, then ``min(per_request_buffer_limit_bytes, per_connection_buffer_limit_bytes)``
+ // will be used.
+ // 3. If neither is set, then ``per_connection_buffer_limit_bytes`` will be used.
+ //
+ // For flow control chunk sizes, ``min(per_connection_buffer_limit_bytes, 16KB)`` will be used.
+ //
+ // Only one of :ref:`per_request_buffer_limit_bytes <envoy_v3_api_field_config.route.v3.VirtualHost.per_request_buffer_limit_bytes>`
+ // and ``request_body_buffer_limit`` could be set.
+ google.protobuf.UInt64Value request_body_buffer_limit = 25
+ [(validate.rules).message = {required: false}];
+
// Specify a set of default request mirroring policies for every route under this virtual host.
// It takes precedence over the route config mirror policy entirely.
// That is, policies are not merged, the most specific non-empty one becomes the mirror policies.
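Review bot: The new `request_body_buffer_limit` on VirtualHost is a `UInt64Value` with no upper bound, and its comment never says that it raises per-request memory use above `per_connection_buffer_limit_bytes`; I would add a line such as `// Memory held per request can reach this value; size it against expected concurrency.` The comment also lists a precedence between the two limits and then says only one of them can be set. Nothing visible here (no `oneof`, no validation rule) enforces that, so it should state where the check happens and what a config with both set does. `[(validate.rules).message = {required: false}]` looks like a no-op, and the Route copy of the field in the `@@ -355,8 +396,27 @@` hunk omits it; the unbounded-limit and exclusivity points apply there too. The VirtualHost message starts and ends outside the hunk.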
@@ -244,7 +278,7 @@
//
// Envoy supports routing on HTTP method via :ref:`header matching
// <envoy_v3_api_msg_config.route.v3.HeaderMatcher>`.
-// [#next-free-field: 20]
+// [#next-free-field: 21]
message Route {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.Route";
@@ -297,7 +331,7 @@
// This field can be used to provide route specific per filter config. The key should match the
// :ref:`filter config name
// <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpFilter.name>`.
- // See :ref:`Http filter route specific config <arch_overview_http_filters_per_filter_config>`
+ // See :ref:`HTTP filter route-specific config <arch_overview_http_filters_per_filter_config>`
// for details.
// [#comment: An entry's value may be wrapped in a
// :ref:`FilterConfig<envoy_v3_api_msg_config.route.v3.FilterConfig>`
@@ -341,7 +375,14 @@
// The maximum bytes which will be buffered for retries and shadowing.
// If set, the bytes actually buffered will be the minimum value of this and the
// listener per_connection_buffer_limit_bytes.
- google.protobuf.UInt32Value per_request_buffer_limit_bytes = 16;
+ //
+ // .. attention::
+ //
+ // This field has been deprecated. Please use :ref:`request_body_buffer_limit
+ // <envoy_v3_api_field_config.route.v3.Route.request_body_buffer_limit>` instead.
+ // Only one of ``per_request_buffer_limit_bytes`` and ``request_body_buffer_limit`` may be set.
+ google.protobuf.UInt32Value per_request_buffer_limit_bytes = 16
+ [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
// The human readable prefix to use when emitting statistics for this endpoint.
// The statistics are rooted at vhost.<virtual host name>.route.<stat_prefix>.
@@ -355,8 +396,27 @@
//
// We do not recommend setting up a stat prefix for
// every application endpoint. This is both not easily maintainable and
- // statistics use a non-trivial amount of memory(approximately 1KiB per route).
+ // statistics use a non-trivial amount of memory (approximately 1KiB per route).
string stat_prefix = 19;
+
+ // The maximum bytes which will be buffered for request bodies to support large request body
+ // buffering beyond the ``per_connection_buffer_limit_bytes``.
+ //
+ // This limit is specifically for the request body buffering and allows buffering larger payloads while maintaining
+ // flow control.
+ //
+ // Buffer limit precedence (from highest to lowest priority):
+ //
+ // 1. If ``request_body_buffer_limit`` is set: use ``request_body_buffer_limit``
+ // 2. If :ref:`per_request_buffer_limit_bytes <envoy_v3_api_field_config.route.v3.Route.per_request_buffer_limit_bytes>`
+ // is set but ``request_body_buffer_limit`` is not: use ``min(per_request_buffer_limit_bytes, per_connection_buffer_limit_bytes)``
+ // 3. If neither is set: use ``per_connection_buffer_limit_bytes``
+ //
+ // For flow control chunk sizes, use ``min(per_connection_buffer_limit_bytes, 16KB)``.
+ //
+ // Only one of :ref:`per_request_buffer_limit_bytes <envoy_v3_api_field_config.route.v3.Route.per_request_buffer_limit_bytes>`
+ // and ``request_body_buffer_limit`` may be set.
+ google.protobuf.UInt64Value request_body_buffer_limit = 20;
}
// Compared to the :ref:`cluster <envoy_v3_api_field_config.route.v3.RouteAction.cluster>` field that specifies a
@@ -365,6 +425,7 @@
// multiple upstream clusters along with weights that indicate the percentage of
// traffic to be forwarded to each cluster. The router selects an upstream cluster based on the
// weights.
+// [#next-free-field: 6]
message WeightedCluster {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.WeightedCluster";
@@ -452,7 +513,7 @@
// This field can be used to provide weighted cluster specific per filter config. The key should match the
// :ref:`filter config name
// <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpFilter.name>`.
- // See :ref:`Http filter route specific config <arch_overview_http_filters_per_filter_config>`
+ // See :ref:`HTTP filter route-specific config <arch_overview_http_filters_per_filter_config>`
// for details.
// [#comment: An entry's value may be wrapped in a
// :ref:`FilterConfig<envoy_v3_api_msg_config.route.v3.FilterConfig>`
@@ -495,6 +556,10 @@
// the process for the consistency. And the value is a unsigned number between 0 and UINT64_MAX.
string header_name = 4
[(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}];
+
+ // When set to true, the hash policies will be used to generate the random value for weighted cluster selection.
+ // This could ensure consistent cluster picking across multiple proxy levels for weighted traffic.
+ google.protobuf.BoolValue use_hash_policy = 5;
}
}
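Review bot: The comment on `use_hash_policy` does not say what happens when the route has no hash policy configured, or when `header_name` is set in the same message, so a reader cannot tell which source of the selection value wins. I would extend it with something like `// If no hash policy yields a value, selection falls back to <behaviour to confirm>.` plus a line on precedence relative to `header_name`. The enclosing message starts outside the hunk, so the two fields may already be constrained there.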
@@ -571,7 +636,7 @@
//
// [#next-major-version: In the v3 API we should redo how path specification works such
// that we utilize StringMatcher, and additionally have consistent options around whether we
- // strip query strings, do a case sensitive match, etc. In the interim it will be too disruptive
+ // strip query strings, do a case-sensitive match, etc. In the interim it will be too disruptive
// to deprecate the existing options. We should even consider whether we want to do away with
// path_specifier entirely and just rely on a set of header matchers which can already match
// on :path, etc. The issue with that is it is unclear how to generically deal with query string
@@ -603,7 +668,7 @@
core.v3.TypedExtensionConfig path_match_policy = 15;
}
- // Indicates that prefix/path matching should be case sensitive. The default
+ // Indicates that prefix/path matching should be case-sensitive. The default
// is true. Ignored for safe_regex matching.
google.protobuf.BoolValue case_sensitive = 4;
@@ -643,14 +708,14 @@
//
// If query parameters are used to pass request message fields when
// `grpc_json_transcoder <https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/grpc_json_transcoder_filter>`_
- // is used, the transcoded message fields maybe different. The query parameters are
- // url encoded, but the message fields are not. For example, if a query
+ // is used, the transcoded message fields may be different. The query parameters are
+ // URL-encoded, but the message fields are not. For example, if a query
// parameter is "foo%20bar", the message field will be "foo bar".
repeated QueryParameterMatcher query_parameters = 7;
// If specified, only gRPC requests will be matched. The router will check
- // that the content-type header has a application/grpc or one of the various
- // application/grpc+ values.
+ // that the ``Content-Type`` header has ``application/grpc`` or one of the various
+ // ``application/grpc+`` values.
GrpcRouteMatchOptions grpc = 8;
// If specified, the client tls context will be matched against the defined
@@ -736,11 +801,11 @@
google.protobuf.BoolValue allow_private_network_access = 12;
// Specifies if preflight requests not matching the configured allowed origin should be forwarded
- // to the upstream. Default is true.
+ // to the upstream. Default is ``true``.
google.protobuf.BoolValue forward_not_matching_preflights = 13;
}
-// [#next-free-field: 42]
+// [#next-free-field: 43]
message RouteAction {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RouteAction";
@@ -779,8 +844,8 @@
//
// .. note::
//
- // Shadowing doesn't support Http CONNECT and upgrades.
- // [#next-free-field: 7]
+ // Shadowing doesn't support HTTP CONNECT and upgrades.
+ // [#next-free-field: 9]
message RequestMirrorPolicy {
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.route.RouteAction.RequestMirrorPolicy";
@@ -830,8 +895,24 @@
// is disabled.
google.protobuf.BoolValue trace_sampled = 4;
- // Disables appending the ``-shadow`` suffix to the shadowed ``Host`` header. Defaults to ``false``.
+ // Disables appending the ``-shadow`` suffix to the shadowed ``Host`` header.
+ //
+ // Defaults to ``false``.
bool disable_shadow_host_suffix_append = 6;
+
+ // Specifies a list of header mutations that should be applied to each mirrored request.
+ // Header mutations are applied in the order they are specified. For more information, including
+ // details on header value syntax, see the documentation on :ref:`custom request headers
+ // <config_http_conn_man_headers_custom_request_headers>`.
+ repeated common.mutation_rules.v3.HeaderMutation request_headers_mutations = 7
+ [(validate.rules).repeated = {max_items: 1000}];
+
+ // Indicates that during mirroring, the host header will be swapped with this value.
+ // :ref:`disable_shadow_host_suffix_append
+ // <envoy_v3_api_field_config.route.v3.RouteAction.RequestMirrorPolicy.disable_shadow_host_suffix_append>`
+ // is implicitly enabled if this field is set.
+ string host_rewrite_literal = 8
+ [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}];
}
// Specifies the route's hashing policy if the upstream cluster uses a hashing :ref:`load balancer
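Review bot: The comment on `request_headers_mutations` should say that the mutations touch only the mirrored copy and not the primary upstream request. It is also the natural place to mention removing credential-bearing headers (for example `authorization` or `cookie`) before traffic is copied to a shadow cluster. For `host_rewrite_literal` the validation has no `min_len`, so presumably the empty string means unset; `// An empty value is treated as unset.` would make that explicit once confirmed. The order in which the host rewrite and the header mutations are applied is not stated either.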
@@ -993,13 +1074,15 @@
bool allow_post = 2;
}
- // The case-insensitive name of this upgrade, e.g. "websocket".
+ // The case-insensitive name of this upgrade, for example, "websocket".
// For each upgrade type present in upgrade_configs, requests with
// Upgrade: [upgrade_type] will be proxied upstream.
string upgrade_type = 1
[(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}];
- // Determines if upgrades are available on this route. Defaults to true.
+ // Determines if upgrades are available on this route.
+ //
+ // Defaults to ``true``.
google.protobuf.BoolValue enabled = 2;
// Configuration for sending data upstream as a raw data payload. This is used for
@@ -1265,8 +1348,28 @@
// If the :ref:`overload action <config_overload_manager_overload_actions>` "envoy.overload_actions.reduce_timeouts"
// is configured, this timeout is scaled according to the value for
// :ref:`HTTP_DOWNSTREAM_STREAM_IDLE <envoy_v3_api_enum_value_config.overload.v3.ScaleTimersOverloadActionConfig.TimerType.HTTP_DOWNSTREAM_STREAM_IDLE>`.
+ //
+ // This timeout may also be used in place of ``flush_timeout`` in very specific cases. See the
+ // documentation for ``flush_timeout`` for more details.
google.protobuf.Duration idle_timeout = 24;
+ // Specifies the codec stream flush timeout for the route.
+ //
+ // If not specified, the first preference is the global :ref:`stream_flush_timeout
+ // <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_flush_timeout>`,
+ // but only if explicitly configured.
+ //
+ // If neither the explicit HCM-wide flush timeout nor this route-specific flush timeout is configured,
+ // the route's stream idle timeout is reused for this timeout. This is for
+ // backwards compatibility since both behaviors were historically controlled by the one timeout.
+ //
+ // If the route also does not have an idle timeout configured, the global :ref:`stream_idle_timeout
+ // <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_idle_timeout>`. used, again
+ // for backwards compatibility. That timeout defaults to 5 minutes.
+ //
+ // A value of 0 via any of the above paths will completely disable the timeout for a given route.
+ google.protobuf.Duration flush_timeout = 42;
+
// Specifies how to send request over TLS early data.
// If absent, allows `safe HTTP requests <https://www.rfc-editor.org/rfc/rfc7231#section-4.2.1>`_ to be sent on early data.
// [#extension-category: envoy.route.early_data_policy]
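Review bot: The `flush_timeout` comment says a value of 0 on any of the fallback paths disables the timeout, but it gives no warning that a peer which stops reading can then keep the stream and its buffered data open indefinitely; I would add `// Disabling this timeout removes the bound on how long a stalled stream can hold resources.` The fourth paragraph is also broken: the fragment `. used, again` after the `stream_idle_timeout` reference is missing its verb and should read `is used, again`. The sentence added to `idle_timeout` mentions 'very specific cases' without naming them, so a `:ref:` to this field's fallback order would make it checkable.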
@@ -1274,13 +1377,13 @@
// Indicates that the route has a retry policy. Note that if this is set,
// it'll take precedence over the virtual host level retry policy entirely
- // (e.g.: policies are not merged, most internal one becomes the enforced policy).
+ // (e.g., policies are not merged, the most internal one becomes the enforced policy).
RetryPolicy retry_policy = 9;
// [#not-implemented-hide:]
// Specifies the configuration for retry policy extension. Note that if this is set, it'll take
- // precedence over the virtual host level retry policy entirely (e.g.: policies are not merged,
- // most internal one becomes the enforced policy). :ref:`Retry policy <envoy_v3_api_field_config.route.v3.VirtualHost.retry_policy>`
+ // precedence over the virtual host level retry policy entirely (e.g., policies are not merged,
+ // the most internal one becomes the enforced policy). :ref:`Retry policy <envoy_v3_api_field_config.route.v3.VirtualHost.retry_policy>`
// should not be set if this field is used.
google.protobuf.Any retry_policy_typed_config = 33;
@@ -1301,7 +1404,9 @@
// :ref:`rate_limits <envoy_v3_api_field_config.route.v3.VirtualHost.rate_limits>` are not applied to the
// request.
//
- // This field is deprecated. Please use :ref:`vh_rate_limits <envoy_v3_api_field_extensions.filters.http.ratelimit.v3.RateLimitPerRoute.vh_rate_limits>`
+ // .. attention::
+ //
+ // This field is deprecated. Please use :ref:`vh_rate_limits <envoy_v3_api_field_extensions.filters.http.ratelimit.v3.RateLimitPerRoute.vh_rate_limits>`
google.protobuf.BoolValue include_vh_rate_limits = 14
[deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
@@ -1395,7 +1500,7 @@
// Indicates that the route has a hedge policy. Note that if this is set,
// it'll take precedence over the virtual host level hedge policy entirely
- // (e.g.: policies are not merged, most internal one becomes the enforced policy).
+ // (e.g., policies are not merged, the most internal one becomes the enforced policy).
HedgePolicy hedge_policy = 27;
// Specifies the maximum stream duration for this route.
@@ -1529,7 +1634,9 @@
// Specifies the maximum back off interval that Envoy will allow. If a reset
// header contains an interval longer than this then it will be discarded and
- // the next header will be tried. Defaults to 300 seconds.
+ // the next header will be tried.
+ //
+ // Defaults to 300 seconds.
google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {}}];
}
@@ -1558,7 +1665,7 @@
google.protobuf.Duration per_try_timeout = 3;
// Specifies an upstream idle timeout per retry attempt (including the initial attempt). This
- // parameter is optional and if absent there is no per try idle timeout. The semantics of the per
+ // parameter is optional and if absent there is no per-try idle timeout. The semantics of the per-
// try idle timeout are similar to the
// :ref:`route idle timeout <envoy_v3_api_field_config.route.v3.RouteAction.timeout>` and
// :ref:`stream idle timeout
@@ -1633,12 +1740,14 @@
// Specifies the number of initial requests that should be sent upstream.
// Must be at least 1.
+ //
// Defaults to 1.
// [#not-implemented-hide:]
google.protobuf.UInt32Value initial_requests = 1 [(validate.rules).uint32 = {gte: 1}];
// Specifies a probability that an additional upstream request should be sent
// on top of what is specified by initial_requests.
+ //
// Defaults to 0.
// [#not-implemented-hide:]
type.v3.FractionalPercent additional_request_chance = 2;
@@ -1648,14 +1757,16 @@
// The first request to complete successfully will be the one returned to the caller.
//
// * At any time, a successful response (i.e. not triggering any of the retry-on conditions) would be returned to the client.
- // * Before per-try timeout, an error response (per retry-on conditions) would be retried immediately or returned ot the client
+ // * Before per-try timeout, an error response (per retry-on conditions) would be retried immediately or returned to the client
// if there are no more retries left.
// * After per-try timeout, an error response would be discarded, as a retry in the form of a hedged request is already in progress.
//
- // Note: For this to have effect, you must have a :ref:`RetryPolicy <envoy_v3_api_msg_config.route.v3.RetryPolicy>` that retries at least
- // one error code and specifies a maximum number of retries.
+ // .. note::
//
- // Defaults to false.
+ // For this to have effect, you must have a :ref:`RetryPolicy <envoy_v3_api_msg_config.route.v3.RetryPolicy>` that retries at least
+ // one error code and specifies a maximum number of retries.
+ //
+ // Defaults to ``false``.
bool hedge_on_per_try_timeout = 3;
}
@@ -1801,7 +1912,7 @@
// <config_http_filters_router_x-envoy-decorator-operation>` header.
string operation = 1 [(validate.rules).string = {min_len: 1}];
- // Whether the decorated details should be propagated to the other party. The default is true.
+ // Whether the decorated details should be propagated to the other party. The default is ``true``.
google.protobuf.BoolValue propagate = 2;
}
@@ -1966,7 +2077,7 @@
// the value of the descriptor entry for the descriptor_key.
string query_parameter_name = 1 [(validate.rules).string = {min_len: 1}];
- // The key to use when creating the rate limit descriptor entry. his descriptor key will be used to identify the
+ // The key to use when creating the rate limit descriptor entry. This descriptor key will be used to identify the
// rate limit rule in the rate limiting service.
string descriptor_key = 2 [(validate.rules).string = {min_len: 1}];
@@ -2004,14 +2115,18 @@
// ("masked_remote_address", "<masked address from x-forwarded-for>")
message MaskedRemoteAddress {
// Length of prefix mask len for IPv4 (e.g. 0, 32).
+ //
// Defaults to 32 when unset.
+ //
// For example, trusted address from x-forwarded-for is ``192.168.1.1``,
// the descriptor entry is ("masked_remote_address", "192.168.1.1/32");
// if mask len is 24, the descriptor entry is ("masked_remote_address", "192.168.1.0/24").
google.protobuf.UInt32Value v4_prefix_mask_len = 1 [(validate.rules).uint32 = {lte: 32}];
// Length of prefix mask len for IPv6 (e.g. 0, 128).
+ //
// Defaults to 128 when unset.
+ //
// For example, trusted address from x-forwarded-for is ``2001:abcd:ef01:2345:6789:abcd:ef01:234``,
// the descriptor entry is ("masked_remote_address", "2001:abcd:ef01:2345:6789:abcd:ef01:234/128");
// if mask len is 64, the descriptor entry is ("masked_remote_address", "2001:abcd:ef01:2345::/64").
@@ -2044,7 +2159,9 @@
option (udpa.annotations.versioning).previous_message_type =
"envoy.api.v2.route.RateLimit.Action.HeaderValueMatch";
- // The key to use in the descriptor entry. Defaults to ``header_match``.
+ // The key to use in the descriptor entry.
+ //
+ // Defaults to ``header_match``.
string descriptor_key = 4;
// The value to use in the descriptor entry.
@@ -2138,7 +2255,9 @@
//
// ("query_match", "<descriptor_value>")
message QueryParameterValueMatch {
- // The key to use in the descriptor entry. Defaults to ``query_match``.
+ // The key to use in the descriptor entry.
+ //
+ // Defaults to ``query_match``.
string descriptor_key = 4;
// The value to use in the descriptor entry.
@@ -2368,14 +2487,20 @@
// Specifies how the header match will be performed to route the request.
oneof header_match_specifier {
// If specified, header match will be performed based on the value of the header.
- // This field is deprecated. Please use :ref:`string_match <envoy_v3_api_field_config.route.v3.HeaderMatcher.string_match>`.
+ //
+ // .. attention::
+ //
+ // This field is deprecated. Please use :ref:`string_match <envoy_v3_api_field_config.route.v3.HeaderMatcher.string_match>`.
string exact_match = 4
[deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
// If specified, this regex string is a regular expression rule which implies the entire request
// header value must match the regex. The rule will not match if only a subsequence of the
// request header value matches the regex.
- // This field is deprecated. Please use :ref:`string_match <envoy_v3_api_field_config.route.v3.HeaderMatcher.string_match>`.
+ //
+ // .. attention::
+ //
+ // This field is deprecated. Please use :ref:`string_match <envoy_v3_api_field_config.route.v3.HeaderMatcher.string_match>`.
type.matcher.v3.RegexMatcher safe_regex_match = 11
[deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
@@ -2397,8 +2522,14 @@
bool present_match = 7;
// If specified, header match will be performed based on the prefix of the header value.
- // Note: empty prefix is not allowed, please use present_match instead.
- // This field is deprecated. Please use :ref:`string_match <envoy_v3_api_field_config.route.v3.HeaderMatcher.string_match>`.
+ //
+ // .. note::
+ //
+ // Empty prefix is not allowed. Please use ``present_match`` instead.
+ //
+ // .. attention::
+ //
+ // This field is deprecated. Please use :ref:`string_match <envoy_v3_api_field_config.route.v3.HeaderMatcher.string_match>`.
//
// Examples:
//
@@ -2410,9 +2541,15 @@
];
// If specified, header match will be performed based on the suffix of the header value.
- // Note: empty suffix is not allowed, please use present_match instead.
- // This field is deprecated. Please use :ref:`string_match <envoy_v3_api_field_config.route.v3.HeaderMatcher.string_match>`.
//
+ // .. note::
+ //
+ // Empty suffix is not allowed. Please use ``present_match`` instead.
+ //
+ // .. attention::
+ //
+ // This field is deprecated. Please use :ref:`string_match <envoy_v3_api_field_config.route.v3.HeaderMatcher.string_match>`.
+ //
// Examples:
//
// * The suffix ``abcd`` matches the value ``xyzabcd``, but not for ``xyzbcd``.
@@ -2424,9 +2561,15 @@
// If specified, header match will be performed based on whether the header value contains
// the given value or not.
- // Note: empty contains match is not allowed, please use present_match instead.
- // This field is deprecated. Please use :ref:`string_match <envoy_v3_api_field_config.route.v3.HeaderMatcher.string_match>`.
//
+ // .. note::
+ //
+ // Empty contains match is not allowed. Please use ``present_match`` instead.
+ //
+ // .. attention::
+ //
+ // This field is deprecated. Please use :ref:`string_match <envoy_v3_api_field_config.route.v3.HeaderMatcher.string_match>`.
+ //
// Examples:
//
// * The value ``abcd`` matches the value ``xyzabcdpqr``, but not for ``xyzbcdpqr``.
@@ -2440,8 +2583,10 @@
type.matcher.v3.StringMatcher string_match = 13;
}
- // If specified, the match result will be inverted before checking. Defaults to false.
+ // If specified, the match result will be inverted before checking.
//
+ // Defaults to ``false``.
+ //
// Examples:
//
// * The regex ``\d{3}`` does not match the value ``1234``, so it will match when inverted.
@@ -2449,8 +2594,10 @@
bool invert_match = 8;
// If specified, for any header match rule, if the header match rule specified header
- // does not exist, this header value will be treated as empty. Defaults to false.
+ // does not exist, this header value will be treated as empty.
//
+ // Defaults to ``false``.
+ //
// Examples:
//
// * The header match rule specified header "header1" to range match of [0, 10],
@@ -2526,7 +2673,7 @@
repeated core.v3.TypedExtensionConfig predicates = 3;
// Allow internal redirect to follow a target URI with a different scheme than the value of
- // x-forwarded-proto. The default is false.
+ // x-forwarded-proto. The default is ``false``.
bool allow_cross_scheme_redirect = 4;
// Specifies a list of headers, by name, to copy from the internal redirect into the subsequent
envoy/config/trace/v3/zipkin.proto:
--- shake256:c8c66d1ff533c2b66cacc300d07c03d7e3d2fba6f98204a7b19739bb3411d64de521b48fa071bb30b49b74105a0d848e14bd8c8cc6117b8af917fb4c7ff8155d envoy/config/trace/v3/zipkin.proto
+++ shake256:18d90b067529f445ae790449e2f0c58111103fc49d3206e1e6e453e4fde8a1e95038f89fc272ced56ebb1fd2246852cf3afb275885d34c14d2b7185a6d3cb6c5 envoy/config/trace/v3/zipkin.proto
@@ -2,13 +2,14 @@
package envoy.config.trace.v3;
+import "envoy/config/core/v3/http_service.proto";
+
import "google/protobuf/wrappers.proto";
import "envoy/annotations/deprecation.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
-import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.config.trace.v3";
option java_outer_classname = "ZipkinProto";
@@ -21,10 +22,22 @@
// Configuration for the Zipkin tracer.
// [#extension: envoy.tracers.zipkin]
-// [#next-free-field: 8]
+// [#next-free-field: 10]
message ZipkinConfig {
option (udpa.annotations.versioning).previous_message_type = "envoy.config.trace.v2.ZipkinConfig";
+ // Available trace context options for handling different trace header formats.
+ enum TraceContextOption {
+ // Use B3 headers only (default behavior).
+ USE_B3 = 0;
+
+ // Enable B3 and W3C dual header support:
+ // - For downstream: Extract from B3 headers first, fallback to W3C traceparent if B3 is unavailable.
+ // - For upstream: Inject both B3 and W3C traceparent headers.
+ // When this option is NOT set, only B3 headers are used for both extraction and injection.
+ USE_B3_WITH_W3C_PROPAGATION = 1;
+ }
+
// Available Zipkin collector endpoint versions.
enum CollectorEndpointVersion {
// Zipkin API v1, JSON over HTTP.
@@ -48,11 +61,17 @@
}
// The cluster manager cluster that hosts the Zipkin collectors.
- string collector_cluster = 1 [(validate.rules).string = {min_len: 1}];
+ // Note: This field will be deprecated in future releases in favor of
+ // :ref:`collector_service <envoy_v3_api_field_config.trace.v3.ZipkinConfig.collector_service>`.
+ // Either this field or collector_service must be specified.
+ string collector_cluster = 1;
// The API endpoint of the Zipkin service where the spans will be sent. When
// using a standard Zipkin installation.
- string collector_endpoint = 2 [(validate.rules).string = {min_len: 1}];
+ // Note: This field will be deprecated in future releases in favor of
+ // :ref:`collector_service <envoy_v3_api_field_config.trace.v3.ZipkinConfig.collector_service>`.
+ // Required when using collector_cluster.
+ string collector_endpoint = 2;
// Determines whether a 128bit trace id will be used when creating a new
// trace instance. The default value is false, which will result in a 64 bit trace id being used.
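Review bot: Dropping `min_len: 1` from `collector_cluster` and `collector_endpoint` means a config with neither these fields nor `collector_service` now passes schema validation, so the 'must be specified' requirement in the comments holds only if the tracer code checks it. The comments should say where that check happens and that an invalid combination is rejected at config load, for example `// Validated at tracer creation; a config with neither set is rejected.` once that is confirmed. `collector_service` itself is defined in a later hunk of this file.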
@@ -67,6 +86,8 @@
// Optional hostname to use when sending spans to the collector_cluster. Useful for collectors
// that require a specific hostname. Defaults to :ref:`collector_cluster <envoy_v3_api_field_config.trace.v3.ZipkinConfig.collector_cluster>` above.
+ // Note: This field will be deprecated in future releases in favor of
+ // :ref:`collector_service <envoy_v3_api_field_config.trace.v3.ZipkinConfig.collector_service>`.
string collector_hostname = 6;
// If this is set to true, then Envoy will be treated as an independent hop in trace chain. A complete span pair will be created for a single
@@ -88,4 +109,60 @@
// Please use that ``spawn_upstream_span`` field to control the span creation.
bool split_spans_for_request = 7
[deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+ // Determines which trace context format to use for trace header extraction and propagation.
+ // This controls both downstream request header extraction and upstream request header injection.
+ // Here is the spec for W3C trace headers: https://www.w3.org/TR/trace-context/
+ // The default value is USE_B3 to maintain backward compatibility.
+ TraceContextOption trace_context_option = 8;
+
+ // HTTP service configuration for the Zipkin collector.
+ // When specified, this configuration takes precedence over the legacy fields:
+ // collector_cluster, collector_endpoint, and collector_hostname.
+ // This provides a complete HTTP service configuration including cluster, URI, timeout, and headers.
+ // If not specified, the legacy fields above will be used for backward compatibility.
+ //
+ // Required fields when using collector_service:
+ //
+ // * ``http_uri.cluster`` - Must be specified and non-empty
+ // * ``http_uri.uri`` - Must be specified and non-empty
+ // * ``http_uri.timeout`` - Optional
+ //
+ // Full URI Support with Automatic Parsing:
+ //
+ // The ``uri`` field supports both path-only and full URI formats:
+ //
+ // .. code-block:: yaml
+ //
+ // tracing:
+ // provider:
+ // name: envoy.tracers.zipkin
+ // typed_config:
+ // "@type": type.googleapis.com/envoy.config.trace.v3.ZipkinConfig
+ // collector_service:
+ // http_uri:
+ // # Full URI format - hostname and path are extracted automatically
+ // uri: "https://zipkin-collector.example.com/api/v2/spans"
+ // cluster: zipkin
+ // timeout: 5s
+ // request_headers_to_add:
+ // - header:
+ // key: "X-Custom-Token"
+ // value: "your-custom-token"
+ // - header:
+ // key: "X-Service-ID"
+ // value: "your-service-id"
+ //
+ // URI Parsing Behavior:
+ //
+ // * Full URI: ``"https://zipkin-collector.example.com/api/v2/spans"``
+ //
+ // * Hostname: ``zipkin-collector.example.com`` (sets HTTP ``Host`` header)
+ // * Path: ``/api/v2/spans`` (sets HTTP request path)
+ //
+ // * Path only: ``"/api/v2/spans"``
+ //
+ // * Hostname: Uses cluster name as fallback
+ // * Path: ``/api/v2/spans``
+ core.v3.HttpService collector_service = 9;
}
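Review bot: The example pairs an `https://` URI with a token in `request_headers_to_add`, but the comment lists only hostname and path as parsed from the URI, so presumably the scheme does not select TLS and transport security comes from the `zipkin` cluster's own configuration. I would state that explicitly, e.g. `// The URI scheme does not enable TLS; configure a TLS transport socket on the cluster.` if that is the behaviour, since otherwise a reader may end up sending the token header in cleartext. The inline `value: "your-custom-token"` also deserves a line noting that the value sits in plain text in the config. Listing `http_uri.timeout` as 'Optional' under a 'Required fields' heading is confusing and should be checked against the `HttpUri` validation rules.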
envoy/data/core/v3/tlv_metadata.proto:
--- shake256:fb22be3c902578521d77ca8769f88ced976e03612efe4299fbde79e62c57e8bbcdc79e27621afe121dc1f22e53eb3e681a3c64090a4ece6e88851d90c464ccf8 envoy/data/core/v3/tlv_metadata.proto
+++ shake256:688fce59f3ffa1578320bdf4c261ed966f3cd468c076768aa0c5ec3b470978850bc3a353fed1e88b648366e52555c0c2c6f85d659ba7438a58d552376ba4c89d envoy/data/core/v3/tlv_metadata.proto
@@ -17,8 +17,7 @@
// Typed metadata for :ref:`Proxy protocol filter <envoy_v3_api_msg_extensions.filters.listener.proxy_protocol.v3.ProxyProtocol>`, that represents a map of TLVs.
// Each entry in the map consists of a key which corresponds to a configured
// :ref:`rule key <envoy_v3_api_field_extensions.filters.listener.proxy_protocol.v3.ProxyProtocol.KeyValuePair.key>` and a value (TLV value in bytes).
- // When runtime flag ``envoy.reloadable_features.use_typed_metadata_in_proxy_protocol_listener`` is enabled,
// :ref:`Proxy protocol filter <envoy_v3_api_msg_extensions.filters.listener.proxy_protocol.v3.ProxyProtocol>`
- // will populate typed metadata and regular metadata. By default filter will populate typed and untyped metadata.
+ // populates both typed and untyped metadata.
map<string, bytes> typed_metadata = 1;
}
envoy/data/tap/v3/http.proto:
--- shake256:c82a19f7ce291208de13a789ed6d20354a890d763d8abf84c61240efa3dd470ec08ad91ad03621c45314c492b5a01d696db1b6f522863109bf779f5060b865bd envoy/data/tap/v3/http.proto
+++ shake256:fb758aa0b36e31dccf24f3a64b1621e97ef5d8c80f86e6dfa0844df109d719209dbb6a15d74536f66fcefda9fee5154462dbf640963243a2641b84d17b0a4502 envoy/data/tap/v3/http.proto
@@ -49,6 +49,9 @@
// downstream connection
Connection downstream_connection = 3;
+
+ // upstream connection
+ Connection upstream_connection = 4;
}
// A streamed HTTP trace segment. Multiple segments make up a full trace.
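Review bot: The comment on the new `upstream_connection = 4` field is only `// upstream connection`, which does not say when the field is populated or which connection is recorded if a request is retried against more than one upstream host. Tap output that carries upstream addresses also reveals internal topology to whoever reads the tap sink, and the comment could say so. Something like `// Upstream connection used for the request, if one was established. Contains internal addresses; restrict access to the tap sink accordingly.` would cover both, with the retry behaviour confirmed against the implementation. The enclosing message starts outside this hunk.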
envoy/extensions/common/aws/v3/credential_provider.proto:
--- shake256:d3843eb1cfd3580ee2ee865f9f8dc55a4cd5d2ecc6bca5eb658ed9a4ec86ed85bd90355ded72a5cf38ebcbbf7990bb72fe6387604f8560b3d2e111590524014b envoy/extensions/common/aws/v3/credential_provider.proto
+++ shake256:3fa1741eaccaa0bb0c970910df1df48c1e90f504e27325a5d235c5f46da0ee621d04b6581c24aa93ed88d96170d64ea150e5499a709308659500c9a2293eb364 envoy/extensions/common/aws/v3/credential_provider.proto
@@ -163,7 +163,8 @@
// The ARN of the role to assume.
string role_arn = 1 [(validate.rules).string = {min_len: 1}];
- // Optional string value to use as the role session name
+ // An optional role session name, used when identifying the role in subsequent AWS API calls. If not provided, the role session name will default
+ // to the current timestamp.
string role_session_name = 2;
// Optional string value to use as the externalId
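Review bot: The new comment on `role_session_name` documents the timestamp default but not its consequence for auditing: a timestamp-only session name makes it hard to attribute assumed-role API calls to a particular proxy or workload. I would add a line such as `// Set a stable, workload-identifying value when the session name is used to attribute calls in audit logs.` The field also has no `validate.rules` constraint, while STS restricts the length and character set of session names. A bad value is therefore presumably rejected only when the role is assumed, not at config load; a `max_len` rule would surface it earlier. The enclosing message starts and ends outside this hunk.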
envoy/extensions/filters/http/composite/v3/composite.proto:
--- shake256:6742503496a716373df6642db049f7c4ccf30b75f97798dca06efcc7a9eddd675beaf4fe997d6efe8a89085706cbd997e005800e9e4c4ce80dc1dfecc310c070 envoy/extensions/filters/http/composite/v3/composite.proto
+++ shake256:42f2592de4fbebcf7e63d68365509a95284fcc01f0ac09b9ad467d6e2d43aec209478d614cec99be11a5f33fa9033e1d0ac86a91504b123fb272df9bac55d74d envoy/extensions/filters/http/composite/v3/composite.proto
@@ -33,9 +33,21 @@
message Composite {
}
+// A list of filter configurations to be called in order. Note that this can be used as the type
+// inside of an ECDS :ref:`TypedExtensionConfig
+// <envoy_v3_api_msg_config.core.v3.TypedExtensionConfig>` extension, which allows a chain of
+// filters to be configured dynamically. In that case, the types of all filters in the chain must
+// be present in the :ref:`ExtensionConfigSource.type_urls
+// <envoy_v3_api_field_config.core.v3.ExtensionConfigSource.type_urls>` field.
+message FilterChainConfiguration {
+ repeated config.core.v3.TypedExtensionConfig typed_config = 1;
+}
+
// Configuration for an extension configuration discovery service with name.
message DynamicConfig {
// The name of the extension configuration. It also serves as a resource name in ExtensionConfigDS.
+ // The resource type in the ``DiscoveryRequest`` will be :ref:`TypedExtensionConfig
+ // <envoy_v3_api_msg_config.core.v3.TypedExtensionConfig>`.
string name = 1 [(validate.rules).string = {min_len: 1}];
// Configuration source specifier for an extension configuration discovery
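Review bot: `repeated config.core.v3.TypedExtensionConfig typed_config = 1;` in the new `FilterChainConfiguration` has no validation rule, so an empty chain is accepted. If that configuration arrives over ECDS, an empty list would presumably turn the composite action into a no-op without any rejection, which is an easy way to silently drop a filter that was meant to enforce something. Consider `repeated config.core.v3.TypedExtensionConfig typed_config = 1 [(validate.rules).repeated = {min_items: 1}];`. The comment could also state that `ExtensionConfigSource.type_urls` acts as the allow-list for what a discovery server may place in the chain.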
@@ -50,15 +62,21 @@
// Filter specific configuration which depends on the filter being
// instantiated. See the supported filters for further documentation.
// Only one of ``typed_config`` or ``dynamic_config`` can be set.
+ // Ignored if ``filter_chain`` is set.
// [#extension-category: envoy.filters.http]
config.core.v3.TypedExtensionConfig typed_config = 1
[(udpa.annotations.field_migrate).oneof_promotion = "config_type"];
// Dynamic configuration of filter obtained via extension configuration discovery service.
// Only one of ``typed_config`` or ``dynamic_config`` can be set.
+ // Ignored if ``filter_chain`` is set.
DynamicConfig dynamic_config = 2
[(udpa.annotations.field_migrate).oneof_promotion = "config_type"];
+ // An inlined list of filter configurations. The specified filters will be executed in order.
+ // [#not-implemented-hide:]
+ FilterChainConfiguration filter_chain = 4;
+
// Probability of the action execution. If not specified, this is 100%.
// This allows sampling behavior for the configured actions.
// For example, if
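Review bot: The added `// Ignored if ``filter_chain`` is set.` lines make `typed_config` and `dynamic_config` lose silently when `filter_chain = 4` is also present, whereas the two older fields are documented as mutually exclusive. A configuration that sets both would load without error and run a different filter set than the operator reviewed. Since `filter_chain` is still `[#not-implemented-hide:]`, this looks like the moment to define it as an error rather than a precedence rule, for example by documenting `// Setting ``filter_chain`` together with ``typed_config`` or ``dynamic_config`` is rejected.` and enforcing that at config load. The enclosing message starts and ends outside this hunk.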
envoy/extensions/filters/http/compressor/v3/compressor.proto:
--- shake256:5dcbac65153f622e39d47cd0e5cdfde3d23d927678bfc76390edb4bb34db280c6f4bc3d9288d9b39e449c552f4a5e82c4d5d4f5277364f1f30f1b1dfa64897ca envoy/extensions/filters/http/compressor/v3/compressor.proto
+++ shake256:81791ad5ea2a3098874b479dccc17f83f0c81af3589b0c1edc99b99fef85ff69ee544e25b234ba6a3dc717e49df5a45f0adba27df13f5d1d56a6c8a4c7e6246f envoy/extensions/filters/http/compressor/v3/compressor.proto
@@ -28,21 +28,31 @@
"envoy.config.filter.http.compressor.v2.Compressor";
message CommonDirectionConfig {
- // Runtime flag that controls whether compression is enabled or not for the direction this
- // common config is put in. If set to false, the filter will operate as a pass-through filter
- // in the chosen direction, unless overridden by CompressorPerRoute.
- // If the field is omitted, the filter will be enabled.
+ // Runtime flag that controls whether compression is enabled for the direction this
+ // common config is applied to. When this field is ``false``, the filter will operate as a
+ // pass-through filter in the chosen direction, unless overridden by ``CompressorPerRoute``.
+ // If this field is not specified, the filter will be enabled.
config.core.v3.RuntimeFeatureFlag enabled = 1;
- // Minimum value of Content-Length header of request or response messages (depending on the direction
- // this common config is put in), in bytes, which will trigger compression. The default value is 30.
+ // Minimum value of the ``Content-Length`` header in request or response messages (depending on the
+ // direction this common config is applied to), in bytes, that will trigger compression. Defaults to 30.
google.protobuf.UInt32Value min_content_length = 2;
// Set of strings that allows specifying which mime-types yield compression; e.g.,
- // application/json, text/html, etc. When this field is not defined, compression will be applied
- // to the following mime-types: "application/javascript", "application/json",
- // "application/xhtml+xml", "image/svg+xml", "text/css", "text/html", "text/plain", "text/xml"
- // and their synonyms.
+ // ``application/json``, ``text/html``, etc.
+ //
+ // When this field is not specified, compression will be applied to these following mime-types
+ // and their synonyms:
+ //
+ // * ``application/javascript``
+ // * ``application/json``
+ // * ``application/xhtml+xml``
+ // * ``image/svg+xml``
+ // * ``text/css``
+ // * ``text/html``
+ // * ``text/plain``
+ // * ``text/xml``
+ //
repeated string content_type = 3;
}
@@ -52,28 +62,40 @@
}
// Configuration for filter behavior on the response direction.
+ // [#next-free-field: 6]
message ResponseDirectionConfig {
CommonDirectionConfig common_config = 1;
- // If true, disables compression when the response contains an etag header. When it is false, the
- // filter will preserve weak etags and remove the ones that require strong validation.
+ // When this field is ``true``, disables compression when the response contains an ``ETag`` header.
+ // When this field is ``false``, the filter will preserve weak ``ETag`` values and remove those that
+ // require strong validation.
bool disable_on_etag_header = 2;
- // If true, removes accept-encoding from the request headers before dispatching it to the upstream
- // so that responses do not get compressed before reaching the filter.
+ // When this field is ``true``, removes ``Accept-Encoding`` from the request headers before dispatching
+ // the request to the upstream so that responses do not get compressed before reaching the filter.
//
// .. attention::
//
- // To avoid interfering with other compression filters in the same chain use this option in
+ // To avoid interfering with other compression filters in the same chain, use this option in
// the filter closest to the upstream.
bool remove_accept_encoding_header = 3;
- // Set of response codes for which compression is disabled, e.g. 206 Partial Content should not
+ // Set of response codes for which compression is disabled; e.g., 206 Partial Content should not
// be compressed.
repeated uint32 uncompressible_response_codes = 4 [(validate.rules).repeated = {
unique: true
items {uint32 {lt: 600 gte: 200}}
}];
+
+ // If true, the filter adds the ``x-envoy-compression-status`` response
+ // header to indicate whether the compression occurred and, if not, provide
+ // the reason why. The header's value format is
+ // ``<encoder-type>;<status>[;<additional-params>]``, where ``<status>`` is
+ // ``Compressed`` or the reason compression was skipped (e.g.,
+ // ``ContentLengthTooSmall``). When this field is enabled, the compressor
+ // filter alters the order of the compression eligibility checks to report
+ // the most valid reason for skipping the compression.
+ bool status_header_enabled = 5;
}
// Minimum response length, in bytes, which will trigger compression. The default value is 30.
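Review bot: The comment on `status_header_enabled = 5` does not say that `x-envoy-compression-status` is a response header and so, presumably, reaches downstream clients unless something strips it. The header exposes the encoder type and the internal reason compression was skipped, which is debugging detail an edge deployment may not want to publish. I would add `// Intended for debugging; the header is visible to downstream clients unless removed by a later filter or at the edge.` after confirming the behaviour. The last sentence also hides a behaviour change behind a reporting flag (the eligibility checks are reordered), and "the most valid reason" is vague; stating which check now runs first would be clearer.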
@@ -81,60 +103,69 @@
[deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
// Set of strings that allows specifying which mime-types yield compression; e.g.,
- // application/json, text/html, etc. When this field is not defined, compression will be applied
- // to the following mime-types: "application/javascript", "application/json",
- // "application/xhtml+xml", "image/svg+xml", "text/css", "text/html", "text/plain", "text/xml"
- // and their synonyms.
+ // ``application/json``, ``text/html``, etc.
+ //
+ // When this field is not specified, compression will be applied to these following mime-types
+ // and their synonyms:
+ //
+ // * ``application/javascript``
+ // * ``application/json``
+ // * ``application/xhtml+xml``
+ // * ``image/svg+xml``
+ // * ``text/css``
+ // * ``text/html``
+ // * ``text/plain``
+ // * ``text/xml``
+ //
repeated string content_type = 2
[deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
- // If true, disables compression when the response contains an etag header. When it is false, the
- // filter will preserve weak etags and remove the ones that require strong validation.
+ // When this field is ``true``, disables compression when the response contains an ``ETag`` header.
+ // When this field is ``false``, the filter will preserve weak ``ETag`` values and remove those that
+ // require strong validation.
bool disable_on_etag_header = 3
[deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
- // If true, removes accept-encoding from the request headers before dispatching it to the upstream
- // so that responses do not get compressed before reaching the filter.
+ // When this field is ``true``, removes ``Accept-Encoding`` from the request headers before dispatching
+ // the request to the upstream so that responses do not get compressed before reaching the filter.
//
// .. attention::
//
- // To avoid interfering with other compression filters in the same chain use this option in
+ // To avoid interfering with other compression filters in the same chain, use this option in
// the filter closest to the upstream.
bool remove_accept_encoding_header = 4
[deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
- // Runtime flag that controls whether the filter is enabled or not. If set to false, the
- // filter will operate as a pass-through filter, unless overridden by
- // CompressorPerRoute. If not specified, defaults to enabled.
+ // Runtime flag that controls whether the filter is enabled. When this field is ``false``, the
+ // filter will operate as a pass-through filter, unless overridden by ``CompressorPerRoute``.
+ // If this field is not specified, the filter is enabled by default.
config.core.v3.RuntimeFeatureFlag runtime_enabled = 5
[deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
- // A compressor library to use for compression. Currently only
- // :ref:`envoy.compression.gzip.compressor<envoy_v3_api_msg_extensions.compression.gzip.compressor.v3.Gzip>`
- // is included in Envoy.
+ // A compressor library to use for compression.
// [#extension-category: envoy.compression.compressor]
config.core.v3.TypedExtensionConfig compressor_library = 6
[(validate.rules).message = {required: true}];
- // Configuration for request compression. Compression is disabled by default if left empty.
+ // Configuration for request compression. If this field is not specified, request compression is disabled.
RequestDirectionConfig request_direction_config = 7;
- // Configuration for response compression. Compression is enabled by default if left empty.
+ // Configuration for response compression. If this field is not specified, response compression is enabled.
//
// .. attention::
//
- // If the field is not empty then the duplicate deprecated fields of the ``Compressor`` message,
+ // When this field is set, duplicate deprecated fields of the ``Compressor`` message,
// such as ``content_length``, ``content_type``, ``disable_on_etag_header``,
- // ``remove_accept_encoding_header`` and ``runtime_enabled``, are ignored.
+ // ``remove_accept_encoding_header``, and ``runtime_enabled``, are ignored.
//
- // Also all the statistics related to response compression will be rooted in
+ // Additionally, all statistics related to response compression will be rooted in
// ``<stat_prefix>.compressor.<compressor_library.name>.<compressor_library_stat_prefix>.response.*``
// instead of
// ``<stat_prefix>.compressor.<compressor_library.name>.<compressor_library_stat_prefix>.*``.
ResponseDirectionConfig response_direction_config = 8;
- // If true, chooses this compressor first to do compression when the q-values in ``Accept-Encoding`` are same.
- // The last compressor which enables choose_first will be chosen if multiple compressor filters in the chain have choose_first as true.
+ // When this field is ``true``, this compressor is preferred when q-values in ``Accept-Encoding`` are equal.
+ // If multiple compressor filters set ``choose_first`` to ``true``, the last one in the filter chain is chosen.
bool choose_first = 9;
}
@@ -152,6 +183,10 @@
message CompressorOverrides {
// If present, response compression is enabled.
ResponseDirectionOverrides response_direction_config = 1;
+
+ // A compressor library to use for compression. If specified, this overrides
+ // the filter-level ``compressor_library`` configuration for this route.
+ config.core.v3.TypedExtensionConfig compressor_library = 2;
}
message CompressorPerRoute {
@@ -159,7 +194,7 @@
option (validate.required) = true;
// If set, the filter will operate as a pass-through filter.
- // Overrides Compressor.runtime_enabled and CommonDirectionConfig.enabled.
+ // Overrides ``Compressor.runtime_enabled`` and ``CommonDirectionConfig.enabled``.
bool disabled = 1 [(validate.rules).bool = {const: true}];
// Per-route overrides. Fields set here will override corresponding fields in ``Compressor``.
envoy/extensions/filters/http/dynamic_modules/v3/dynamic_modules.proto:
--- shake256:aa0c08cc3ad8ff6bdf2f27745d0cb83dbaed18dde30fdfb8d887922d5d5de8cb3a39e73c5ddd866a85a872bb32d695a78aa5f821eeca4e6794de182a57e02489 envoy/extensions/filters/http/dynamic_modules/v3/dynamic_modules.proto
+++ shake256:8fb944b54d8d218ce03755d1846a59dfafc5969a1895651ddb83ae80ed0e8ea08d80d06f55e7c7127cfc90da531d1aef6d6a4c3a17e6d5efcf2e63882c36bcbe envoy/extensions/filters/http/dynamic_modules/v3/dynamic_modules.proto
@@ -22,6 +22,10 @@
//
// A module can be loaded by multiple HTTP filters, hence the program can be structured in a way that
// the module is loaded only once and shared across multiple filters providing multiple functionalities.
+//
+// A dynamic module HTTP filter can opt into being a terminal filter with no upstream by setting ``terminal_filter`` to
+// true in the configuration. A terminal dynamic module can use ``send_`` ABI methods to send response headers,
+// body and trailers to the downstream.
message DynamicModuleFilter {
// Specifies the shared-object level configuration.
envoy.extensions.dynamic_modules.v3.DynamicModuleConfig dynamic_module_config = 1;
@@ -58,6 +62,10 @@
// value: aGVsbG8= # echo -n "hello" | base64
//
google.protobuf.Any filter_config = 3;
+
+ // Set true if the dynamic module is a terminal filter to use without an upstream.
+ // The dynamic module is responsible for creating and sending the response to downstream.
+ bool terminal_filter = 4;
}
// Configuration of the HTTP per-route filter for dynamic modules. This filter allows loading shared object files
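Review bot: The comment on `terminal_filter = 4` (and the matching paragraph added to the `DynamicModuleFilter` message comment in the previous hunk) does not state the placement constraint or the failure mode. As far as I know Envoy requires a terminal filter to be the last entry in the HTTP filter chain, and a module that sets this flag but never calls a `send_` method would presumably leave the stream open until a timeout fires. I would add `// A terminal filter must be the last filter in the HTTP filter chain; the module must always complete the response.` once confirmed against the implementation. The message body starts outside this hunk.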
envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto:
--- shake256:aac4aa7873f5d3faf853263f8e437f86326f5e0c7226ab1347226d31e8d976c1434f62613182c5b611049f829e5d97c2ac347a34846f150a187b5f02d628044d envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto
+++ shake256:37b7ca8ce578dd30f08da36eb7137ff90f977f058a71a2fc4b2fb1e1304d4fbf09fd02ed26d0041d8f5812d75b358ea17b60c1016953cf328da053ec30ba8f27 envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto
@@ -30,7 +30,7 @@
// External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
// [#extension: envoy.filters.http.ext_authz]
-// [#next-free-field: 30]
+// [#next-free-field: 31]
message ExtAuthz {
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.filter.http.ext_authz.v3.ExtAuthz";
@@ -53,40 +53,39 @@
config.core.v3.ApiVersion transport_api_version = 12
[(validate.rules).enum = {defined_only: true}];
- // Changes filter's behavior on errors:
+ // Changes the filter's behavior on errors:
//
- // 1. When set to true, the filter will ``accept`` client request even if the communication with
- // the authorization service has failed, or if the authorization service has returned a HTTP 5xx
- // error.
+ // #. When set to ``true``, the filter will ``accept`` the client request even if communication with
+ // the authorization service has failed, or if the authorization service has returned an HTTP 5xx
+ // error.
//
- // 2. When set to false, ext-authz will ``reject`` client requests and return a ``Forbidden``
- // response if the communication with the authorization service has failed, or if the
- // authorization service has returned a HTTP 5xx error.
+ // #. When set to ``false``, the filter will ``reject`` client requests and return ``Forbidden``
+ // if communication with the authorization service has failed, or if the authorization service
+ // has returned an HTTP 5xx error.
//
- // Note that errors can be ``always`` tracked in the :ref:`stats
- // <config_http_filters_ext_authz_stats>`.
+ // Errors can always be tracked in the :ref:`stats <config_http_filters_ext_authz_stats>`.
bool failure_mode_allow = 2;
- // When ``failure_mode_allow`` and ``failure_mode_allow_header_add`` are both set to true,
+ // When ``failure_mode_allow`` and ``failure_mode_allow_header_add`` are both set to ``true``,
// ``x-envoy-auth-failure-mode-allowed: true`` will be added to request headers if the communication
// with the authorization service has failed, or if the authorization service has returned a
// HTTP 5xx error.
bool failure_mode_allow_header_add = 19;
- // Enables filter to buffer the client request body and send it within the authorization request.
- // A ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization
- // request message indicating if the body data is partial.
+ // Enables the filter to buffer the client request body and send it within the authorization request.
+ // The ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization
+ // request indicating whether the body data is partial.
BufferSettings with_request_body = 5;
- // Clears route cache in order to allow the external authorization service to correctly affect
- // routing decisions. Filter clears all cached routes when:
+ // Clears the route cache in order to allow the external authorization service to correctly affect
+ // routing decisions. The filter clears all cached routes when:
//
- // 1. The field is set to ``true``.
+ // #. The field is set to ``true``.
//
- // 2. The status returned from the authorization service is a HTTP 200 or gRPC 0.
+ // #. The status returned from the authorization service is an HTTP 200 or gRPC 0.
//
- // 3. At least one ``authorization response header`` is added to the client request, or is used for
- // altering another client request header.
+ // #. At least one ``authorization response header`` is added to the client request, or is used to
+ // alter another client request header.
//
bool clear_route_cache = 6;
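Review bot: The reworded `failure_mode_allow` comment still describes the `true` case as "will ``accept`` the client request" without naming it as fail-open, which is the property an operator needs to recognise. While this text is being edited I would add `// Setting this to ``true`` makes the filter fail open: requests are forwarded without an authorization decision while the authorization service is unavailable or returning 5xx.` It would also help to point from there to `failure_mode_allow_header_add`, since the `x-envoy-auth-failure-mode-allowed` request header is the only signal the upstream gets that a request was not actually authorized. The `ExtAuthz` message starts and ends outside this hunk.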
@@ -94,26 +93,27 @@
// or cannot be reached. The default status is HTTP 403 Forbidden.
type.v3.HttpStatus status_on_error = 7;
- // When this is set to true, the filter will check the :ref:`ext_authz response
- // <envoy_v3_api_msg_service.auth.v3.CheckResponse>` for invalid header &
+ // When this is set to ``true``, the filter will check the :ref:`ext_authz response
+ // <envoy_v3_api_msg_service.auth.v3.CheckResponse>` for invalid header and
// query parameter mutations. If the side stream response is invalid, it will send a local reply
// to the downstream request with status HTTP 500 Internal Server Error.
//
- // Note that headers_to_remove & query_parameters_to_remove are validated, but invalid elements in
- // those fields should not affect any headers & thus will not cause the filter to send a local
- // reply.
+ // .. note::
+ // Both ``headers_to_remove`` and ``query_parameters_to_remove`` are validated, but invalid elements in
+ // those fields should not affect any headers and thus will not cause the filter to send a local reply.
//
- // When set to false, any invalid mutations will be visible to the rest of envoy and may cause
+ // When set to ``false``, any invalid mutations will be visible to the rest of Envoy and may cause
// unexpected behavior.
//
- // If you are using ext_authz with an untrusted ext_authz server, you should set this to true.
+ // If you are using ext_authz with an untrusted ext_authz server, you should set this to ``true``.
bool validate_mutations = 24;
// Specifies a list of metadata namespaces whose values, if present, will be passed to the
// ext_authz service. The :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>`
// is passed as an opaque ``protobuf::Struct``.
//
- // Please note that this field exclusively applies to the gRPC ext_authz service and has no effect on the HTTP service.
+ // .. note::
+ // This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.
//
// For example, if the ``jwt_authn`` filter is used and :ref:`payload_in_metadata
// <envoy_v3_api_field_extensions.filters.http.jwt_authn.v3.JwtProvider.payload_in_metadata>` is set,
@@ -130,10 +130,11 @@
// ext_authz service. :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>`
// is passed as a ``protobuf::Any``.
//
- // Please note that this field exclusively applies to the gRPC ext_authz service and has no effect on the HTTP service.
+ // .. note::
+ // This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service.
//
- // It works in a way similar to ``metadata_context_namespaces`` but allows Envoy and ext_authz server to share
- // the protobuf message definition in order to do a safe parsing.
+ // This works similarly to ``metadata_context_namespaces`` but allows Envoy and the ext_authz server to share
+ // the protobuf message definition in order to perform safe parsing.
//
repeated string typed_metadata_context_namespaces = 16;
@@ -146,7 +147,7 @@
// Specifies a list of route metadata namespaces whose values, if present, will be passed to the
// ext_authz service at :ref:`route_metadata_context <envoy_v3_api_field_service.auth.v3.AttributeContext.route_metadata_context>` in
// :ref:`CheckRequest <envoy_v3_api_field_service.auth.v3.CheckRequest.attributes>`.
- // :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as an ``protobuf::Any``.
+ // :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>` is passed as a ``protobuf::Any``.
repeated string route_typed_metadata_context_namespaces = 22;
// Specifies if the filter is enabled.
@@ -161,11 +162,11 @@
// If this field is not specified, the filter will be enabled for all requests.
type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14;
- // Specifies whether to deny the requests, when the filter is disabled.
+ // Specifies whether to deny the requests when the filter is disabled.
// If :ref:`runtime_key <envoy_v3_api_field_config.core.v3.RuntimeFeatureFlag.runtime_key>` is specified,
- // Envoy will lookup the runtime key to determine whether to deny request for
- // filter protected path at filter disabling. If filter is disabled in
- // typed_per_filter_config for the path, requests will not be denied.
+ // Envoy will lookup the runtime key to determine whether to deny requests for filter-protected paths
+ // when the filter is disabled. If the filter is disabled in ``typed_per_filter_config`` for the path,
+ // requests will not be denied.
//
// If this field is not specified, all requests will be allowed when disabled.
//
@@ -176,11 +177,11 @@
// Specifies if the peer certificate is sent to the external service.
//
- // When this field is true, Envoy will include the peer X.509 certificate, if available, in the
+ // When this field is ``true``, Envoy will include the peer X.509 certificate, if available, in the
// :ref:`certificate<envoy_v3_api_field_service.auth.v3.AttributeContext.Peer.certificate>`.
bool include_peer_certificate = 10;
- // Optional additional prefix to use when emitting statistics. This allows to distinguish
+ // Optional additional prefix to use when emitting statistics. This allows distinguishing
// emitted statistics between configured ``ext_authz`` filters in an HTTP filter chain. For example:
//
// .. code-block:: yaml
@@ -210,21 +211,20 @@
//
// .. note::
//
- // 1. For requests to an HTTP authorization server: in addition to the user's supplied matchers, ``Host``, ``Method``, ``Path``,
- // ``Content-Length``, and ``Authorization`` are **additionally included** in the list.
+ // For requests to an HTTP authorization server: in addition to the user's supplied matchers, ``Host``, ``Method``, ``Path``,
+ // ``Content-Length``, and ``Authorization`` are **additionally included** in the list.
//
// .. note::
//
- // 2. For requests to an HTTP authorization server: value of ``Content-Length`` will be set to 0 and the request to the
+ // For requests to an HTTP authorization server: the value of ``Content-Length`` will be set to ``0`` and the request to the
// authorization server will not have a message body. However, the check request can include the buffered
// client request body (controlled by :ref:`with_request_body
- // <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>` setting),
- // consequently the value of *Content-Length* of the authorization request reflects the size of
- // its payload size.
+ // <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>` setting);
+ // consequently, the value of ``Content-Length`` in the authorization request reflects the size of its payload.
//
// .. note::
//
- // 3. This can be overridden by the field ``disallowed_headers`` below. That is, if a header
+ // This can be overridden by the field ``disallowed_headers`` below. That is, if a header
// matches for both ``allowed_headers`` and ``disallowed_headers``, the header will NOT be sent.
type.matcher.v3.ListStringMatcher allowed_headers = 17;
@@ -234,34 +234,35 @@
// Specifies if the TLS session level details like SNI are sent to the external service.
//
- // When this field is true, Envoy will include the SNI name used for TLSClientHello, if available, in the
+ // When this field is ``true``, Envoy will include the SNI name used for TLSClientHello, if available, in the
// :ref:`tls_session<envoy_v3_api_field_service.auth.v3.AttributeContext.tls_session>`.
bool include_tls_session = 18;
// Whether to increment cluster statistics (e.g. cluster.<cluster_name>.upstream_rq_*) on authorization failure.
- // Defaults to true.
+ // Defaults to ``true``.
google.protobuf.BoolValue charge_cluster_response_stats = 20;
- // Whether to encode the raw headers (i.e. unsanitized values & unconcatenated multi-line headers)
- // in authentication request. Works with both HTTP and gRPC clients.
+ // Whether to encode the raw headers (i.e., unsanitized values and unconcatenated multi-line headers)
+ // in the authorization request. Works with both HTTP and gRPC clients.
//
- // When this is set to true, header values are not sanitized. Headers with the same key will also
+ // When this is set to ``true``, header values are not sanitized. Headers with the same key will also
// not be combined into a single, comma-separated header.
// Requests to gRPC services will populate the field
// :ref:`header_map<envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.header_map>`.
// Requests to HTTP services will be constructed with the unsanitized header values and preserved
// multi-line headers with the same key.
//
- // If this field is set to false, header values will be sanitized, with any non-UTF-8-compliant
- // bytes replaced with '!'. Headers with the same key will have their values concatenated into a
+ // If this field is set to ``false``, header values will be sanitized, with any non-UTF-8-compliant
+ // bytes replaced with ``'!'``. Headers with the same key will have their values concatenated into a
// single comma-separated header value.
// Requests to gRPC services will populate the field
// :ref:`headers<envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.headers>`.
// Requests to HTTP services will have their header values sanitized and will not preserve
// multi-line headers with the same key.
//
- // It's recommended you set this to true unless you already rely on the old behavior. False is the
- // default only for backwards compatibility.
+ // It is recommended to set this to ``true`` unless you rely on the previous behavior.
+ //
+ // It is set to ``false`` by default for backwards compatibility.
bool encode_raw_headers = 23;
// Rules for what modifications an ext_authz server may make to the request headers before
@@ -281,15 +282,15 @@
// This field allows the filter to reject mutations to specific headers.
config.common.mutation_rules.v3.HeaderMutationRules decoder_header_mutation_rules = 26;
- // Enable / disable ingestion of dynamic metadata from ext_authz service.
+ // Enable or disable ingestion of dynamic metadata from the ext_authz service.
//
- // If false, the filter will ignore dynamic metadata injected by the ext_authz service. If the
+ // If ``false``, the filter will ignore dynamic metadata injected by the ext_authz service. If the
// ext_authz service tries injecting dynamic metadata, the filter will log, increment the
// ``ignored_dynamic_metadata`` stat, then continue handling the response.
//
- // If true, the filter will ingest dynamic metadata entries as normal.
+ // If ``true``, the filter will ingest dynamic metadata entries as normal.
//
- // If unset, defaults to true.
+ // If unset, defaults to ``true``.
google.protobuf.BoolValue enable_dynamic_metadata_ingestion = 27;
// Additional metadata to be added to the filter state for logging purposes. The metadata will be
@@ -297,19 +298,30 @@
// name.
google.protobuf.Struct filter_metadata = 28;
- // When set to true, the filter will emit per-stream stats for access logging. The filter state
+ // When set to ``true``, the filter will emit per-stream stats for access logging. The filter state
// key will be the same as the filter name.
//
// If using Envoy gRPC, emits latency, bytes sent / received, upstream info, and upstream cluster
// info. If not using Envoy gRPC, emits only latency. Note that stats are ONLY added to filter
// state if a check request is actually made to an ext_authz service.
//
- // If this is false the filter will not emit stats, but filter_metadata will still be respected if
+ // If this is ``false`` the filter will not emit stats, but filter_metadata will still be respected if
// it has a value.
//
// Field ``latency_us`` is exposed for CEL and logging when using gRPC or HTTP service.
// Fields ``bytesSent`` and ``bytesReceived`` are exposed for CEL and logging only when using gRPC service.
bool emit_filter_state_stats = 29;
+
+ // Sets the maximum size (in bytes) of the response body that the filter will send downstream
+ // when a request is denied by the external authorization service.
+ //
+ // If the authorization server returns a response body larger than this configured limit,
+ // the body will be truncated to ``max_denied_response_body_bytes`` before being sent to the
+ // downstream client.
+ //
+ // If this field is not set or is set to 0, no truncation will occur, and the entire
+ // denied response body will be forwarded.
+ uint32 max_denied_response_body_bytes = 30;
}
// Configuration for buffering the request data.
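Review bot: The new `max_denied_response_body_bytes` field treats both unset and 0 as "no truncation", so by default the size of a denied response body is decided entirely by the authorization server. Unlike `max_request_bytes` later in this file, it carries no `(validate.rules)` bound. The comment also does not say whether headers that describe the body, such as `Content-Length`, are adjusted when the body is cut. I would add a sentence stating that, plus a recommendation like `// Set a finite limit when the authorization server's denied responses are not otherwise size-bounded.` The enclosing message starts outside this hunk.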
@@ -318,21 +330,21 @@
"envoy.config.filter.http.ext_authz.v2.BufferSettings";
// Sets the maximum size of a message body that the filter will hold in memory. Envoy will return
- // ``HTTP 413`` and will *not* initiate the authorization process when buffer reaches the number
+ // ``HTTP 413`` and will *not* initiate the authorization process when the buffer reaches the size
// set in this field. Note that this setting will have precedence over :ref:`failure_mode_allow
// <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.failure_mode_allow>`.
uint32 max_request_bytes = 1 [(validate.rules).uint32 = {gt: 0}];
- // When this field is true, Envoy will buffer the message until ``max_request_bytes`` is reached.
+ // When this field is ``true``, Envoy will buffer the message until ``max_request_bytes`` is reached.
// The authorization request will be dispatched and no 413 HTTP error will be returned by the
// filter.
bool allow_partial_message = 2;
- // If true, the body sent to the external authorization service is set with raw bytes, it sets
- // the :ref:`raw_body<envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.raw_body>`
- // field of HTTP request attribute context. Otherwise, :ref:`body
- // <envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.body>` will be filled
- // with UTF-8 string request body.
+ // If ``true``, the body sent to the external authorization service is set as raw bytes and populates
+ // :ref:`raw_body<envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.raw_body>`
+ // in the HTTP request attribute context. Otherwise, :ref:`body
+ // <envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.body>` will be populated
+ // with a UTF-8 string request body.
//
// This field only affects configurations using a :ref:`grpc_service
// <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.grpc_service>`. In configurations that use
@@ -347,7 +359,7 @@
// request. Note that in any of these events, metadata can be added, removed or overridden by the
// filter:
//
-// *On authorization request*, a list of allowed request headers may be supplied. See
+// On authorization request, a list of allowed request headers may be supplied. See
// :ref:`allowed_headers
// <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.AuthorizationRequest.allowed_headers>`
// for details. Additional headers metadata may be added to the authorization request. See
@@ -355,7 +367,7 @@
// <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.AuthorizationRequest.headers_to_add>` for
// details.
//
-// On authorization response status HTTP 200 OK, the filter will allow traffic to the upstream and
+// On authorization response status ``HTTP 200 OK``, the filter will allow traffic to the upstream and
// additional headers metadata may be added to the original client request. See
// :ref:`allowed_upstream_headers
// <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.AuthorizationResponse.allowed_upstream_headers>`
@@ -368,7 +380,7 @@
// metadata as well as body may be added to the client's response. See :ref:`allowed_client_headers
// <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.AuthorizationResponse.allowed_client_headers>`
// for details.
-// [#next-free-field: 9]
+// [#next-free-field: 10]
message HttpService {
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.filter.http.ext_authz.v2.HttpService";
@@ -386,13 +398,20 @@
// Settings used for controlling authorization response metadata.
AuthorizationResponse authorization_response = 8;
+
+ // Optional retry policy for requests to the authorization server.
+ // If not set, no retries will be performed.
+ //
+ // .. note::
+ // When this field is set, the ``ext_authz`` filter will buffer the request body for retry purposes.
+ config.core.v3.RetryPolicy retry_policy = 9;
}
message AuthorizationRequest {
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.filter.http.ext_authz.v2.AuthorizationRequest";
- // Authorization request includes the client request headers that have a correspondent match
+ // Authorization request includes the client request headers that have a corresponding match
// in the :ref:`list <envoy_v3_api_msg_type.matcher.v3.ListStringMatcher>`.
// This field has been deprecated in favor of :ref:`allowed_headers
// <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.allowed_headers>`.
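Review bot: The note on `retry_policy` says the filter buffers the request body for retry purposes, but it does not state what bounds that buffer. Whether an existing limit such as `max_request_bytes` in `BufferSettings` (defined earlier in this file) applies cannot be confirmed from the hunk; if none does, enabling retries changes the filter's memory profile for large requests. I would add a line to the note along the lines of `// The buffered body is limited to <LIMIT - confirm against the implementation>.` so operators know what they are opting into.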
@@ -404,17 +423,17 @@
//
// .. note::
//
- // By default, ``Content-Length`` header is set to ``0`` and the request to the authorization
+ // By default, the ``Content-Length`` header is set to ``0`` and the request to the authorization
// service has no message body. However, the authorization request *may* include the buffered
// client request body (controlled by :ref:`with_request_body
// <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>`
- // setting) hence the value of its ``Content-Length`` reflects the size of its payload size.
+ // setting); hence the value of its ``Content-Length`` reflects the size of its payload.
//
type.matcher.v3.ListStringMatcher allowed_headers = 1
[deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
- // Sets a list of headers that will be included to the request to authorization service. Note that
- // client request of the same key will be overridden.
+ // Sets a list of headers that will be included in the request to the authorization service. Note that
+ // client request headers with the same key will be overridden.
repeated config.core.v3.HeaderValue headers_to_add = 2;
}
@@ -466,7 +485,7 @@
// Disable the ext auth filter for this particular vhost or route.
// If disabled is specified in multiple per-filter-configs, the most specific one will be used.
- // If the filter is disabled by default and this is set to false, the filter will be enabled
+ // If the filter is disabled by default and this is set to ``false``, the filter will be enabled
// for this vhost or route.
bool disabled = 1;
@@ -476,6 +495,7 @@
}
// Extra settings for the check request.
+// [#next-free-field: 6]
message CheckSettings {
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.filter.http.ext_authz.v2.CheckSettings";
@@ -492,15 +512,14 @@
// Merge semantics for this field are such that keys from more specific configs override.
//
// .. note::
- //
// These settings are only applied to a filter configured with a
// :ref:`grpc_service<envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.grpc_service>`.
map<string, string> context_extensions = 1 [(udpa.annotations.sensitive) = true];
- // When set to true, disable the configured :ref:`with_request_body
+ // When set to ``true``, disable the configured :ref:`with_request_body
// <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>` for a specific route.
//
- // Please note that only one of *disable_request_body_buffering* or
+ // Only one of ``disable_request_body_buffering`` and
// :ref:`with_request_body <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.CheckSettings.with_request_body>`
// may be specified.
bool disable_request_body_buffering = 2;
@@ -509,8 +528,20 @@
// :ref:`with_request_body <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>`
// option for a specific route.
//
- // Please note that only one of ``with_request_body`` or
+ // Only one of ``with_request_body`` and
// :ref:`disable_request_body_buffering <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.CheckSettings.disable_request_body_buffering>`
// may be specified.
BufferSettings with_request_body = 3;
+
+ // Override the external authorization service for this route.
+ // This allows different routes to use different external authorization service backends
+ // and service types (gRPC or HTTP). If specified, this overrides the filter-level service
+ // configuration regardless of the original service type.
+ oneof service_override {
+ // Override with a gRPC service configuration.
+ config.core.v3.GrpcService grpc_service = 4;
+
+ // Override with an HTTP service configuration.
+ HttpService http_service = 5;
+ }
}
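Review bot: The `service_override` comment says the per-route service replaces the filter-level one "regardless of the original service type", but it does not say which filter-level settings still apply to the overriding backend, for example `failure_mode_allow`, which this file references elsewhere. With this field, route-level configuration decides which server makes the allow/deny decision, so that interaction should be documented. I would add a sentence such as `// All other filter-level settings (e.g. failure_mode_allow) <do / do not - confirm> apply to the overriding service.` `CheckSettings` opens in an earlier hunk, so its other fields are not all visible here.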
envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto:
--- shake256:46aadb2e4c6efee85e68e74e1e38cd8f51255f7d2aee27afd2cd5f4be9b7fe6b42907b229195b7457f56f4d0e1ca5aeae53f067d9d16130b22a77cc6ab9fe72a envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto
+++ shake256:8a596f09ecb0f753602be53fa65fd5f2ed09ec10e1e420f9d13439170a94a16c005769fb5784a80d12f834bdd8bc22043f448c8872b1df65fefa22bde57f8cb9 envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto
@@ -9,6 +9,7 @@
import "envoy/config/core/v3/http_service.proto";
import "envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto";
import "envoy/type/matcher/v3/string.proto";
+import "envoy/type/v3/http_status.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
@@ -16,6 +17,7 @@
import "xds/annotations/v3/status.proto";
+import "envoy/annotations/deprecation.proto";
import "udpa/annotations/migrate.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
@@ -48,8 +50,6 @@
//
// * Whether it receives the response message at all.
// * Whether it receives the message body at all, in separate chunks, or as a single buffer.
-// * Whether subsequent HTTP requests are transmitted synchronously or whether they are
-// sent asynchronously.
// * To modify request or response trailers if they already exist.
//
// The filter supports up to six different processing steps. Each is represented by
@@ -57,9 +57,11 @@
// processor must send a matching response.
//
// * Request headers: Contains the headers from the original HTTP request.
-// * Request body: Delivered if they are present and sent in a single message if
-// the ``BUFFERED`` or ``BUFFERED_PARTIAL`` mode is chosen, in multiple messages if the
-// ``STREAMED`` mode is chosen, and not at all otherwise.
+// * Request body: If the body is present, the behavior depends on the
+// body send mode. In ``BUFFERED`` or ``BUFFERED_PARTIAL`` mode, the body is sent to the external
+// processor in a single message. In ``STREAMED`` or ``FULL_DUPLEX_STREAMED`` mode, the body will
+// be split across multiple messages sent to the external processor. In ``NONE`` mode, the body
+// will not be sent to the external processor.
// * Request trailers: Delivered if they are present and if the trailer mode is set
// to ``SEND``.
// * Response headers: Contains the headers from the HTTP response. Keep in mind
@@ -75,7 +77,7 @@
// from the external processor. The latter is only enabled if ``allow_mode_override`` is
// set to true. This way, a processor may, for example, use information
// in the request header to determine whether the message body must be examined, or whether
-// the proxy should simply stream it straight through.
+// the data plane should simply stream it straight through.
//
// All of this together allows a server to process the filter traffic in fairly
// sophisticated ways. For example:
@@ -84,12 +86,8 @@
// on the content of the headers.
// * A server may choose to immediately reject some messages based on their HTTP
// headers (or other dynamic metadata) and more carefully examine others.
-// * A server may asynchronously monitor traffic coming through the filter by inspecting
-// headers, bodies, or both, and then decide to switch to a synchronous processing
-// mode, either permanently or temporarily.
//
-// The protocol itself is based on a bidirectional gRPC stream. Envoy will send the
-// server
+// The protocol itself is based on a bidirectional gRPC stream. The data plane will send the server
// :ref:`ProcessingRequest <envoy_v3_api_msg_service.ext_proc.v3.ProcessingRequest>`
// messages, and the server must reply with
// :ref:`ProcessingResponse <envoy_v3_api_msg_service.ext_proc.v3.ProcessingResponse>`.
@@ -98,7 +96,7 @@
// <arch_overview_advanced_filter_state_sharing>` object in a namespace matching the filter
// name.
//
-// [#next-free-field: 24]
+// [#next-free-field: 26]
message ExternalProcessor {
// Describes the route cache action to be taken when an external processor response
// is received in response to request headers.
@@ -124,7 +122,6 @@
reserved "async_mode";
// Configuration for the gRPC service that the filter will communicate with.
- // The filter supports both the "Envoy" and "Google" gRPC clients.
// Only one of ``grpc_service`` or ``http_service`` can be set.
// It is required that one of them must be set.
config.core.v3.GrpcService grpc_service = 1
@@ -140,14 +137,14 @@
// cannot be configured to send any body or trailers. i.e., ``http_service`` only supports
// sending request or response headers to the side stream server.
//
- // With this configuration, Envoy behavior:
+ // With this configuration, the data plane behavior is:
//
// 1. The headers are first put in a proto message
// :ref:`ProcessingRequest <envoy_v3_api_msg_service.ext_proc.v3.ProcessingRequest>`.
//
// 2. This proto message is then transcoded into a JSON text.
//
- // 3. Envoy then sends an HTTP POST message with content-type as "application/json",
+ // 3. The data plane then sends an HTTP POST message with content-type as "application/json",
// and this JSON text as body to the side stream server.
//
// After the side-stream receives this HTTP request message, it is expected to do as follows:
@@ -160,7 +157,7 @@
//
// 3. It converts the ``ProcessingResponse`` proto message into a JSON text.
//
- // 4. It then sends an HTTP response back to Envoy with status code as ``"200"``,
+ // 4. It then sends an HTTP response back to the data plane with status code as ``"200"``,
// ``content-type`` as ``"application/json"`` and sets the JSON text as the body.
//
ExtProcHttpService http_service = 20 [
@@ -190,28 +187,31 @@
// sent. See ``ProcessingMode`` for details.
ProcessingMode processing_mode = 3;
- // Envoy provides a number of :ref:`attributes <arch_overview_attributes>`
+ // The data plane provides a number of :ref:`attributes <arch_overview_attributes>`
// for expressive policies. Each attribute name provided in this field will be
- // matched against that list and populated in the ``request_headers`` message.
+ // matched against that list and populated in the
+ // :ref:`ProcessingRequest.attributes <envoy_v3_api_field_service.ext_proc.v3.ProcessingRequest.attributes>` field.
// See the :ref:`attribute documentation <arch_overview_request_attributes>`
// for the list of supported attributes and their types.
repeated string request_attributes = 5;
- // Envoy provides a number of :ref:`attributes <arch_overview_attributes>`
+ // The data plane provides a number of :ref:`attributes <arch_overview_attributes>`
// for expressive policies. Each attribute name provided in this field will be
- // matched against that list and populated in the ``response_headers`` message.
+ // matched against that list and populated in the
+ // :ref:`ProcessingRequest.attributes <envoy_v3_api_field_service.ext_proc.v3.ProcessingRequest.attributes>` field.
// See the :ref:`attribute documentation <arch_overview_attributes>`
// for the list of supported attributes and their types.
repeated string response_attributes = 6;
- // Specifies the timeout for each individual message sent on the stream and
- // when the filter is running in synchronous mode. Whenever the proxy sends
- // a message on the stream that requires a response, it will reset this timer,
- // and will stop processing and return an error (subject to the processing mode)
- // if the timer expires before a matching response is received. There is no
- // timeout when the filter is running in asynchronous mode. Zero is a valid
- // config which means the timer will be triggered immediately. If not
- // configured, default is 200 milliseconds.
+ // Specifies the timeout for each individual message sent on the stream.
+ // Whenever the data plane sends a message on the stream that requires a
+ // response, it will reset this timer, and will stop processing and return
+ // an error (subject to the processing mode) if the timer expires before a
+ // matching response is received. There is no timeout when the filter is
+ // running in observability mode or when the body send mode is
+ // ``FULL_DUPLEX_STREAMED``. Zero is a valid config which means the timer
+ // will be triggered immediately. If not configured, default is 200
+ // milliseconds.
google.protobuf.Duration message_timeout = 7 [(validate.rules).duration = {
lte {seconds: 3600}
gte {}
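Review bot: The rewritten `message_timeout` comment now states that no timeout applies in observability mode or when the body send mode is `FULL_DUPLEX_STREAMED`, but it does not say what bounds a stalled external processor in the latter case. For observability mode this file documents `deferred_close_timeout`; nothing comparable is named for full-duplex streaming. I would add a sentence such as `// In FULL_DUPLEX_STREAMED mode the stream is bounded only by <TIMEOUT - confirm>.` so the behaviour is explicit. The field's option list continues past the end of this hunk.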
@@ -228,7 +228,7 @@
// :ref:`header_prefix <envoy_v3_api_field_config.bootstrap.v3.Bootstrap.header_prefix>`
// (which is usually "x-envoy").
// Note that changing headers such as "host" or ":authority" may not in itself
- // change Envoy's routing decision, as routes can be cached. To also force the
+ // change the data plane's routing decision, as routes can be cached. To also force the
// route to be recomputed, set the
// :ref:`clear_route_cache <envoy_v3_api_field_service.ext_proc.v3.CommonResponse.clear_route_cache>`
// field to true in the same response.
@@ -256,6 +256,7 @@
// can be overridden by the response message from the external processing server
// :ref:`mode_override <envoy_v3_api_field_service.ext_proc.v3.ProcessingResponse.mode_override>`.
// If not set, ``mode_override`` API in the response message will be ignored.
+ // Mode override is not supported if the body send mode is ``FULL_DUPLEX_STREAMED``.
bool allow_mode_override = 14;
// If set to true, ignore the
@@ -270,10 +271,10 @@
// If true, send each part of the HTTP request or response specified by ``ProcessingMode``
// without pausing on filter chain iteration. It is "Send and Go" mode that can be used
- // by external processor to observe Envoy data and status. In this mode:
+ // by external processor to observe the request's data and status. In this mode:
//
- // 1. Only ``STREAMED`` body processing mode is supported and any other body processing modes will be
- // ignored. ``NONE`` mode (i.e., skip body processing) will still work as expected.
+ // 1. Only ``STREAMED`` and ``NONE`` body processing modes are supported; for any other body
+ // processing mode, the body will not be sent.
//
// 2. External processor should not send back processing response, as any responses will be ignored.
// This also means that
@@ -310,12 +311,13 @@
// Specifies the deferred closure timeout for gRPC stream that connects to external processor. Currently, the deferred stream closure
// is only used in :ref:`observability_mode <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.observability_mode>`.
// In observability mode, gRPC streams may be held open to the external processor longer than the lifetime of the regular client to
- // backend stream lifetime. In this case, Envoy will eventually timeout the external processor stream according to this time limit.
+ // backend stream lifetime. In this case, the data plane will eventually timeout the external processor stream according to this time limit.
// The default value is 5000 milliseconds (5 seconds) if not specified.
google.protobuf.Duration deferred_close_timeout = 19;
// Send body to the side stream server once it arrives without waiting for the header response from that server.
- // It only works for ``STREAMED`` body processing mode. For any other body processing modes, it is ignored.
+ // It only works for ``STREAMED`` body processing mode. For any other body
+ // processing modes, it is ignored.
// The server has two options upon receiving a header request:
//
// 1. Instant Response: send the header response as soon as the header request is received.
@@ -324,9 +326,9 @@
//
// In all scenarios, the header-body ordering must always be maintained.
//
- // If enabled Envoy will ignore the
+ // If enabled the data plane will ignore the
// :ref:`mode_override <envoy_v3_api_field_service.ext_proc.v3.ProcessingResponse.mode_override>`
- // value that the server sends in the header response. This is because Envoy may have already
+ // value that the server sends in the header response. This is because the data plane may have already
// sent the body to the server, prior to processing the header response.
bool send_body_without_waiting_for_header_response = 21;
@@ -339,6 +341,16 @@
// the ``allowed_override_modes`` allow-list below.
// Since ``request_header_mode`` is not applicable in any way, it's ignored in comparison.
repeated ProcessingMode allowed_override_modes = 22;
+
+ // Decorator to introduce custom logic that runs after the ``ProcessingRequest`` is constructed, but
+ // before it is sent to the External Processor. The ``ProcessingRequest`` may be modified.
+ //
+ // .. note::
+ // Processing request modifiers are currently in alpha.
+ //
+ // [#extension-category: envoy.http.ext_proc.processing_request_modifiers]
+ config.core.v3.TypedExtensionConfig processing_request_modifier = 25
+ [(xds.annotations.v3.field_status).work_in_progress = true];
// Decorator to introduce custom logic that runs after a message received from
// the External Processor is processed, but before continuing filter chain iteration.
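Review bot: The comment on `processing_request_modifier` says the extension may modify the `ProcessingRequest`, but not which parts of it, nor what the filter does if the modifier fails. The external processor bases its decisions on that message, so the contract is worth stating even for an alpha field. The same comment is added for the per-route override in the `ExtProcOverrides` hunk at the end of this file section and has the same gap. I would add, in both places, a line such as `// If the modifier fails, the request is <handled how - confirm>.`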
@@ -349,6 +361,12 @@
// [#extension-category: envoy.http.ext_proc.response_processors]
config.core.v3.TypedExtensionConfig on_processing_response = 23
[(xds.annotations.v3.field_status).work_in_progress = true];
+
+ // Sets the HTTP status code that is returned to the client when the external processing server returns
+ // an error, fails to respond, or cannot be reached.
+ //
+ // The default status is ``HTTP 500 Internal Server Error``.
+ type.v3.HttpStatus status_on_error = 24;
}
// ExtProcHttpService is used for HTTP communication between the filter and the external processing service.
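Review bot: The `status_on_error` comment does not say how the field interacts with `failure_mode_allow`, whose per-route override appears later in this file and covers the same failure cases. The hunk also shows no restriction on the chosen code. Unless `type.v3.HttpStatus` or the implementation rejects it, a success status could be configured for processor failures and hide outages from clients and monitoring; this cannot be verified from the visible lines. I would add `// This field has no effect when failure_mode_allow is true.` if that matches the implementation, and state which status codes are accepted.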
@@ -423,14 +441,15 @@
}
// Overrides that may be set on a per-route basis
-// [#next-free-field: 9]
+// [#next-free-field: 10]
message ExtProcOverrides {
// Set a different processing mode for this route than the default.
ProcessingMode processing_mode = 1;
// [#not-implemented-hide:]
// Set a different asynchronous processing option than the default.
- bool async_mode = 2;
+ // Deprecated and not implemented.
+ bool async_mode = 2 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
// [#not-implemented-hide:]
// Set different optional attributes than the default setting of the
@@ -462,4 +481,11 @@
// or could not be opened. This field is the per-route override of
// :ref:`failure_mode_allow <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.failure_mode_allow>`.
google.protobuf.BoolValue failure_mode_allow = 8;
+
+ // Decorator to introduce custom logic that runs after the ``ProcessingRequest`` is constructed, but
+ // before it is sent to the External Processor. The ``ProcessingRequest`` may be modified.
+ // This is a per-route override of
+ // :ref:`processing_request_modifier <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.processing_request_modifier>`.
+ config.core.v3.TypedExtensionConfig processing_request_modifier = 9
+ [(xds.annotations.v3.field_status).work_in_progress = true];
}
envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto:
--- shake256:11fcc4809401b50ceb84666b5d7dde3531baa2527bedea9f380e6034ac442db429168f63cc9fd25a059c3798663b1b7d70de33337c6c40693ebe971673a0a59a envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto
+++ shake256:288e891984b853d364c541615d3cd487a5f48e82d756c8f75b949f954ce000669155b5603fd34e19a29c176d19829cfb1f796be1dbc7480917733bdd43844aa3 envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto
@@ -65,8 +65,7 @@
// Do not send the body at all. This is the default.
NONE = 0;
- // Stream the body to the server in pieces as they arrive at the
- // proxy.
+ // Stream the body to the server in pieces as they are seen.
STREAMED = 1;
// Buffer the message body in memory and send the entire body at once.
@@ -79,11 +78,11 @@
// up to the buffer limit will be sent.
BUFFERED_PARTIAL = 3;
- // Envoy streams the body to the server in pieces as they arrive.
+ // The ext_proc client (the data plane) streams the body to the server in pieces as they arrive.
//
// 1) The server may choose to buffer any number chunks of data before processing them.
// After it finishes buffering, the server processes the buffered data. Then it splits the processed
- // data into any number of chunks, and streams them back to Envoy one by one.
+ // data into any number of chunks, and streams them back to the ext_proc client one by one.
// The server may continuously do so until the complete body is processed.
// The individual response chunk size is recommended to be no greater than 64K bytes, or
// :ref:`max_receive_message_length <envoy_v3_api_field_config.core.v3.GrpcService.EnvoyGrpc.max_receive_message_length>`
@@ -98,15 +97,15 @@
//
// In this body mode:
// * The corresponding trailer mode has to be set to ``SEND``.
- // * Envoy will send body and trailers (if present) to the server as they arrive.
+ // * The client will send body and trailers (if present) to the server as they arrive.
// Sending the trailers (if present) is to inform the server the complete body arrives.
- // In case there are no trailers, then Envoy will set
+ // In case there are no trailers, then the client will set
// :ref:`end_of_stream <envoy_v3_api_field_service.ext_proc.v3.HttpBody.end_of_stream>`
// to true as part of the last body chunk request to notify the server that no other data is to be sent.
// * The server needs to send
// :ref:`StreamedBodyResponse <envoy_v3_api_msg_service.ext_proc.v3.StreamedBodyResponse>`
- // to Envoy in the body response.
- // * Envoy will stream the body chunks in the responses from the server to the upstream/downstream as they arrive.
+ // to the client in the body response.
+ // * The client will stream the body chunks in the responses from the server to the upstream/downstream as they arrive.
FULL_DUPLEX_STREAMED = 4;
}
envoy/extensions/filters/http/header_to_metadata/v3/header_to_metadata.proto:
--- shake256:9820dba39ead15a6e5d67d9424be4c793ea6a035c70ebd1ddf88b4e12d7215c893e3250093ceefbb25bef9588d343e0ee0aaeef87c364bc978079e6747bdeb49 envoy/extensions/filters/http/header_to_metadata/v3/header_to_metadata.proto
+++ shake256:47a85b1ba384f1512d854424c1f56d8b385ea6444b86df61c1c4710c3e1ad7f3a33fa02802e7c75a49654da1427a0efba7764bc5916bf6de58428cd63693ded1 envoy/extensions/filters/http/header_to_metadata/v3/header_to_metadata.proto
@@ -27,6 +27,7 @@
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.filter.http.header_to_metadata.v2.Config";
+ // Specifies the value type to use in metadata.
enum ValueType {
STRING = 0;
@@ -37,14 +38,18 @@
PROTOBUF_VALUE = 2;
}
- // ValueEncode defines the encoding algorithm.
+ // Specifies the encoding scheme for the value.
enum ValueEncode {
- // The value is not encoded.
+ // No encoding is applied.
NONE = 0;
// The value is encoded in `Base64 <https://tools.ietf.org/html/rfc4648#section-4>`_.
- // Note: this is mostly used for STRING and PROTOBUF_VALUE to escape the
- // non-ASCII characters in the header.
+ //
+ // .. note::
+ //
+ // This is mostly used for ``STRING`` and ``PROTOBUF_VALUE`` to escape the
+ // non-ASCII characters in the header.
+ //
BASE64 = 1;
}
@@ -74,7 +79,10 @@
//
// This is only used for :ref:`on_header_present <envoy_v3_api_field_extensions.filters.http.header_to_metadata.v3.Config.Rule.on_header_present>`.
//
- // Note: if the ``value`` field is non-empty this field should be empty.
+ // .. note::
+ //
+ // If the ``value`` field is non-empty this field should be empty.
+ //
type.matcher.v3.RegexMatchAndSubstitute regex_value_rewrite = 6
[(udpa.annotations.field_migrate).oneof_promotion = "value_type"];
@@ -106,15 +114,15 @@
(udpa.annotations.field_migrate).oneof_promotion = "header_cookie_specifier"
];
- // If the header or cookie is present, apply this metadata KeyValuePair.
+ // If the header or cookie is present, apply this metadata ``KeyValuePair``.
//
- // If the value in the KeyValuePair is non-empty, it'll be used instead
+ // If the value in the ``KeyValuePair`` is non-empty, it'll be used instead
// of the header or cookie value.
KeyValuePair on_header_present = 2 [(udpa.annotations.field_migrate).rename = "on_present"];
- // If the header or cookie is not present, apply this metadata KeyValuePair.
+ // If the header or cookie is not present, apply this metadata ``KeyValuePair``.
//
- // The value in the KeyValuePair must be set, since it'll be used in lieu
+ // The value in the ``KeyValuePair`` must be set, since it'll be used in lieu
// of the missing header or cookie value.
KeyValuePair on_header_missing = 3 [(udpa.annotations.field_migrate).rename = "on_missing"];
@@ -130,4 +138,15 @@
// The list of rules to apply to responses.
repeated Rule response_rules = 2;
+
+ // Optional prefix to use when emitting filter statistics. When configured,
+ // statistics are emitted with the prefix ``http_filter_name.<stat_prefix>``.
+ //
+ // This emits statistics such as:
+ //
+ // - ``http_filter_name.my_header_converter.rules_processed``
+ // - ``http_filter_name.my_header_converter.metadata_added``
+ //
+ // If not configured, no statistics are emitted.
+ string stat_prefix = 3;
}
envoy/extensions/filters/http/oauth2/v3/oauth.proto:
--- shake256:eb0736ac1eaf9f2c5910ca6ba32b3f9195a12fc020aef36eb10294be01dc188ef14b6b0627557ac851f3eab1d7434764b65fbaa268f727a0372ce4d7d653ca77 envoy/extensions/filters/http/oauth2/v3/oauth.proto
+++ shake256:128aa5a627b73673aa916bb0212ebc79da8333a669146775901af0ac3b97a60267968c918eede06673d64852613fd9f0af7a0b7f3ea0be3e6c6646d928d5dd09 envoy/extensions/filters/http/oauth2/v3/oauth.proto
@@ -126,7 +126,7 @@
// OAuth config
//
-// [#next-free-field: 26]
+// [#next-free-field: 27]
message OAuth2Config {
enum AuthType {
// The ``client_id`` and ``client_secret`` will be sent in the URL encoded request body.
@@ -254,6 +254,11 @@
// If not specified, defaults to ``600s`` (10 minutes), which should provide sufficient time
// for users to complete the OAuth2 authorization flow.
google.protobuf.Duration code_verifier_token_expires_in = 25;
+
+ // Disable token encryption. When set to true, both the access token and the ID token will be stored in plain text.
+ // This option should only be used in secure environments where token encryption is not required.
+ // Default is false (tokens are encrypted).
+ bool disable_token_encryption = 26;
}
// Filter config.
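Review bot: The comment on `disable_token_encryption` does not say where the unencrypted access and ID tokens are stored or who can read them there. "Secure environments where token encryption is not required" gives an operator nothing concrete to check. The hunk does not show the storage location, so confirm it against the filter implementation and then name it, along the lines of `// When true, the access token and ID token are written to <storage> without encryption and are readable by any party that can read <storage>.` A closing sentence such as `// Leave false unless a downstream component must parse the raw tokens.` would state the intended use. `OAuth2Config` begins outside this hunk.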
envoy/extensions/filters/http/on_demand/v3/on_demand.proto:
--- shake256:b2b81e43eb2abcb265d8f8eefaa3ed528c6ce42a02874adc5ccabe5ee7a70d4a59de073a20d939910b815abeaf0bbc001c4b97d6c73a3732301589b8c4711980 envoy/extensions/filters/http/on_demand/v3/on_demand.proto
+++ shake256:fd2c273b62f3393a47ba7268781f55343d960d6d73d11f37fadb455f1dd4c1d4180fa119a5599ba3434e1032314cc1bf08482ade1ec956fdde963c996aacdb10 envoy/extensions/filters/http/on_demand/v3/on_demand.proto
@@ -8,7 +8,6 @@
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
-import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.extensions.filters.http.on_demand.v3";
option java_outer_classname = "OnDemandProto";
@@ -29,7 +28,7 @@
message OnDemandCds {
// A configuration source for the service that will be used for
// on-demand cluster discovery.
- config.core.v3.ConfigSource source = 1 [(validate.rules).message = {required: true}];
+ config.core.v3.ConfigSource source = 1;
// xdstp:// resource locator for on-demand cluster collection.
string resources_locator = 2;
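Review bot: Dropping `(validate.rules).message = {required: true}` from `OnDemandCds.source` lets a config with no `source` pass proto validation, yet the field comment still describes it as the source that "will be used" and says nothing about the unset case. The comment should state what an unset `source` means and where it is now rejected, for example `// May be left unset only when resources_locator is set.` if that is the intent; the hunk does not show it, so confirm against the implementation. The same rule is removed from `Rds.config_source` in the http_connection_manager.proto hunk at `@@ -1036,7 +1046,7 @@`, which needs the same sentence. `OnDemandCds` continues outside this hunk.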
envoy/extensions/filters/http/ratelimit/v3/rate_limit.proto:
--- shake256:595b3c1e7ea15d538d8dd9a6384df4ab047f160e0216bc483d6295e6ce590f229be2dd9ade8e165bc128ba73d10f89abfcae65e8696aae970589c728b08477d0 envoy/extensions/filters/http/ratelimit/v3/rate_limit.proto
+++ shake256:f6b9dcc9dfb1e6fbaa6b7a84c89c621eb79ec5c7341c179bbe08c3382de9aa3ed34fb549aa090e2c770693b966b3ca9851caf6746064d71c82909c549b2961d7 envoy/extensions/filters/http/ratelimit/v3/rate_limit.proto
@@ -23,7 +23,7 @@
// Rate limit :ref:`configuration overview <config_http_filters_rate_limit>`.
// [#extension: envoy.filters.http.ratelimit]
-// [#next-free-field: 17]
+// [#next-free-field: 18]
message RateLimit {
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.filter.http.rate_limit.v2.RateLimit";
@@ -167,6 +167,25 @@
// This means that when the rate limit service is unavailable, 50% of requests will be denied
// (fail closed) and 50% will be allowed (fail open).
config.core.v3.RuntimeFractionalPercent failure_mode_deny_percent = 16;
+
+ // Rate limit configuration that is used to generate a list of descriptor entries based on
+ // the request context. The generated entries will be sent to the rate limit service.
+ // If this is set, then
+ // :ref:`VirtualHost.rate_limits<envoy_v3_api_field_config.route.v3.VirtualHost.rate_limits>` or
+ // :ref:`RouteAction.rate_limits<envoy_v3_api_field_config.route.v3.RouteAction.rate_limits>` fields
+ // will be ignored. However, :ref:`RateLimitPerRoute.rate_limits<envoy_v3_api_field_extensions.filters.http.ratelimit.v3.RateLimitPerRoute.rate_limits>`
+ // will take precedence over this field.
+ //
+ // .. note::
+ // Not all configuration fields of
+ // :ref:`rate limit config <envoy_v3_api_msg_config.route.v3.RateLimit>` is supported at here.
+ // Following fields are not supported:
+ //
+ // 1. :ref:`rate limit stage <envoy_v3_api_field_config.route.v3.RateLimit.stage>`.
+ // 2. :ref:`dynamic metadata <envoy_v3_api_field_config.route.v3.RateLimit.Action.dynamic_metadata>`.
+ // 3. :ref:`disable_key <envoy_v3_api_field_config.route.v3.RateLimit.disable_key>`.
+ // 4. :ref:`override limit <envoy_v3_api_field_config.route.v3.RateLimit.limit>`.
+ repeated config.route.v3.RateLimit rate_limits = 17;
}
message RateLimitPerRoute {
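Review bot: The note under `rate_limits = 17` lists four `config.route.v3.RateLimit` fields as unsupported but does not say whether a config that sets one of them is rejected at load time or accepted with the field silently ignored. For a rate limiter that difference matters: a silently ignored `stage` or `limit` override would leave a looser policy in force than the one written down. I would add a sentence such as `// Configurations that set any of these fields are rejected.` or the "ignored" equivalent, whichever the implementation does. The wording "is supported at here" should also read "are supported here".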
@@ -210,8 +229,9 @@
// the request context. The generated entries will be used to find one or multiple matched rate
// limit rule from the ``descriptors``.
// If this is set, then
- // :ref:`VirtualHost.rate_limits<envoy_v3_api_field_config.route.v3.VirtualHost.rate_limits>` or
- // :ref:`RouteAction.rate_limits<envoy_v3_api_field_config.route.v3.RouteAction.rate_limits>` fields
+ // :ref:`VirtualHost.rate_limits<envoy_v3_api_field_config.route.v3.VirtualHost.rate_limits>`,
+ // :ref:`RouteAction.rate_limits<envoy_v3_api_field_config.route.v3.RouteAction.rate_limits>` and
+ // :ref:`RateLimit.rate_limits<envoy_v3_api_field_extensions.filters.http.ratelimit.v3.RateLimit.rate_limits>` fields
// will be ignored.
//
// .. note::
envoy/extensions/filters/http/stateful_session/v3/stateful_session.proto:
--- shake256:c29c6d22b41d00bd1a0c1ef267637fc69e8e43dcbe035dca36946ca152031f28cc5fb3773ece8c10b5051c9bf41f183abe458845d060c5b154c34265cf5368bf envoy/extensions/filters/http/stateful_session/v3/stateful_session.proto
+++ shake256:da97c315f9061cb3ed2e89bd696f2f6adc39416b878ae97e5727af3f7b85523eb976d0ff80b28d93cd51923fb49113b14fd54ea90861caed40e570ae541899da envoy/extensions/filters/http/stateful_session/v3/stateful_session.proto
@@ -29,6 +29,15 @@
// which allows Envoy to fall back to its load balancing mechanism. In this case, if the requested destination is not
// found, the request will be routed according to the load balancing algorithm.
bool strict = 2;
+
+ // Optional stat prefix. If specified, the filter will emit statistics in the
+ // ``http.<stat_prefix>.stateful_session.<stat_prefix>.`` namespace. If not specified, no statistics will be emitted.
+ //
+ // .. note::
+ //
+ // Per-route configuration overrides do not support statistics and will not emit stats even if this field is set
+ // in the per-route config.
+ string stat_prefix = 3;
}
message StatefulSessionPerRoute {
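Review bot: The namespace in the new `stat_prefix` comment, ``http.<stat_prefix>.stateful_session.<stat_prefix>.``, uses the same placeholder twice, so a reader cannot tell which segment this field controls. Presumably the first segment is the HTTP connection manager's prefix and the second is this field; if so, the comment should read ``http.<hcm_stat_prefix>.stateful_session.<stat_prefix>.`` and say so. Anyone building dashboards or alerts on these counters will otherwise have to guess the metric path.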
envoy/extensions/filters/http/tap/v3/tap.proto:
--- shake256:b952bd81dd83e9e92746b3115b433f59177125187778bae5ce268e5d74fa54116c38560118b2d3f2d9ac2526ebd34b372d1311728e0b21ce2aec9bf9b4df7069 envoy/extensions/filters/http/tap/v3/tap.proto
+++ shake256:7cf78e9c1627775630db0c853ca3602c21b43a5d2abae605e1e15ae338498104787d3a8ccebeb93e93ed60f546c1ba3734c4201e9093e245b02b6fb65e6efe86 envoy/extensions/filters/http/tap/v3/tap.proto
@@ -34,4 +34,7 @@
// Indicates whether report downstream connection info
bool record_downstream_connection = 3;
+
+ // If enabled, upstream connection information will be reported.
+ bool record_upstream_connection = 4;
}
envoy/extensions/filters/http/thrift_to_metadata/v3/thrift_to_metadata.proto:
--- shake256:3fece685b44ed055e4973a2c99d778057b4b9afcfda5994363a78c6576d336dd2b3de619bd2ed79b8e075a93e9448962a8d7e1bd053bee8cecb3bad9288c32a3 envoy/extensions/filters/http/thrift_to_metadata/v3/thrift_to_metadata.proto
+++ shake256:43e45fb3e4a545ad85e52c78ab7a51420e9394fd1f861c4dabd90a19c084721263ae2e4aba91ea48fb9d1f0c1a8ba626850d45cfbcac18042ef50581fafaae9a envoy/extensions/filters/http/thrift_to_metadata/v3/thrift_to_metadata.proto
@@ -69,8 +69,6 @@
}
message FieldSelector {
- option (xds.annotations.v3.message_status).work_in_progress = true;
-
// field name to log
string name = 1 [(validate.rules).string = {min_len: 1}];
@@ -83,7 +81,9 @@
// [#next-free-field: 6]
message Rule {
- // The field to match on. If set, takes precedence over field_selector.
+ // The field to match on.
+ // :ref:`field_selector<envoy_v3_api_field_extensions.filters.http.thrift_to_metadata.v3.Rule.field_selector>`
+ // takes precedence if both are set.
Field field = 1;
// Specifies that a match will be performed on the value of a field in the thrift body.
@@ -123,11 +123,11 @@
// bool bar(1: i32 id, 2: Info info);
// }
//
- FieldSelector field_selector = 2 [(xds.annotations.v3.field_status).work_in_progress = true];
+ FieldSelector field_selector = 2;
// If specified, :ref:`field_selector<envoy_v3_api_field_extensions.filters.http.thrift_to_metadata.v3.Rule.field_selector>`
// will be used to extract the field value *only* on the thrift message with method name.
- string method_name = 3 [(xds.annotations.v3.field_status).work_in_progress = true];
+ string method_name = 3;
// The key-value pair to set in the *filter metadata* if the field is present
// in *thrift metadata*.
envoy/extensions/filters/listener/tls_inspector/v3/tls_inspector.proto:
--- shake256:cfa0377e1e757d077ba5ce2367ce376d2e02fa8af8e9d17081ce3501c15672485aae78a5096e34615fde5d4c26f3e7074e17e16de774ac82e240d9da8c4cf97b envoy/extensions/filters/listener/tls_inspector/v3/tls_inspector.proto
+++ shake256:99340ca1d2b3bf1eecd55bc3e8512fcf36122a457d52627fac20b274a804c12a75057f95d1f06098fe53e1020007197bc09309bf6c8222a9906662b76bcd024e envoy/extensions/filters/listener/tls_inspector/v3/tls_inspector.proto
@@ -32,8 +32,8 @@
// The size in bytes of the initial buffer requested by the tls_inspector.
// If the filter needs to read additional bytes from the socket, the
- // filter will double the buffer up to it's default maximum of 64KiB.
- // If this size is not defined, defaults to maximum 64KiB that the
+ // filter will double the buffer up to it's default maximum of 16KiB.
+ // If this size is not defined, defaults to maximum 16KiB that the
// tls inspector will consume.
google.protobuf.UInt32Value initial_read_buffer_size = 2
[(validate.rules).uint32 = {lt: 65537 gt: 255}];
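Review bot: The comment now gives the default maximum buffer as 16KiB, but the rule on `initial_read_buffer_size` is still `{lt: 65537 gt: 255}`, so values up to 65536 remain valid. The hunk does not show whether an initial size above 16KiB is honoured, clamped or rejected at runtime. Either tighten the bound to match, `[(validate.rules).uint32 = {lt: 16385 gt: 255}];`, or add a sentence stating what happens when the configured value exceeds the maximum. While touching the line, "it's default maximum" should be "its default maximum". The enclosing message continues outside this hunk.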
envoy/extensions/filters/network/ext_authz/v3/ext_authz.proto:
--- shake256:3064cddb46019f51a271eb488c705ff3749ca535b63b2769f8cb2ca9b76df9cd71b20eba79479a7682e9c5339bf8761c03e801888f64ac305444fb056170f713 envoy/extensions/filters/network/ext_authz/v3/ext_authz.proto
+++ shake256:8ec4fe05b983a78569c3685a50e6b3b64124c431c608c880a3b3af5b0a8b568f131ae9e4edddfc7eaa84ec91097f43aa07587560f2f574bca7a35609a4214a06 envoy/extensions/filters/network/ext_authz/v3/ext_authz.proto
@@ -25,7 +25,7 @@
// gRPC Authorization API defined by
// :ref:`CheckRequest <envoy_v3_api_msg_service.auth.v3.CheckRequest>`.
// A failed check will cause this filter to close the TCP connection.
-// [#next-free-field: 9]
+// [#next-free-field: 10]
message ExtAuthz {
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.filter.network.ext_authz.v2.ExtAuthz";
@@ -68,4 +68,12 @@
// When this field is true, Envoy will include the SNI name used for TLSClientHello, if available, in the
// :ref:`tls_session<envoy_v3_api_field_service.auth.v3.AttributeContext.tls_session>`.
bool include_tls_session = 8;
+
+ // When set to ``true``, the filter will send a TLS ``access_denied(49)`` alert before closing
+ // the connection when authorization is denied. This provides better visibility to TLS clients
+ // about the reason for connection closure. This alert is only sent for TLS connections. The
+ // non-TLS connections will be closed without sending an alert.
+ //
+ // Defaults to ``false``.
+ bool send_tls_alert_on_denial = 9;
}
envoy/extensions/filters/network/ext_proc/v3/ext_proc.proto:
--- shake256:8685d02bff664dfe96b7990912e40660d3e9945a9107152de7364a487a6f886c20d6af61cbd803bb7d93b1a3b1fd78e8f2e1d6d70c5424dadcf7727fedbe9aab envoy/extensions/filters/network/ext_proc/v3/ext_proc.proto
+++ shake256:8118f88a7d299a9b7a57a7a94aa210aca62d813d5e4d64cca7c913cbe8334daa5bf391ae923972f6abbbee1e223d62dcb39d823d26c5a1d487d1730c552bc10c envoy/extensions/filters/network/ext_proc/v3/ext_proc.proto
@@ -45,11 +45,9 @@
// prematurely with an error, the filter will fail, leading to the close of connection.
// With this parameter set to true, however, then if the gRPC stream is prematurely closed
// or could not be opened, processing continues without error.
- // [#not-implemented-hide:]
bool failure_mode_allow = 2;
// Options for controlling processing behavior.
- // [#not-implemented-hide:]
ProcessingMode processing_mode = 3;
// Specifies the timeout for each individual message sent on the stream and
@@ -57,7 +55,6 @@
// the proxy sends a message on the stream that requires a response, it will
// reset this timer, and will stop processing and return an error (subject
// to the processing mode) if the timer expires. Default is 200 ms.
- // [#not-implemented-hide:]
google.protobuf.Duration message_timeout = 4 [(validate.rules).duration = {
lte {seconds: 3600}
gte {}
envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto:
--- shake256:b3d867b0a9c2e20cb73635d31678949447f24b6476822b96a7954b70f8e0c3630fa44b542dfcc6c8beb76af5308aba3a8cf4810a976ed0ff307a2db48e39b775 envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto
+++ shake256:75c59a779d426c636bff95bfe400b99da0138fc3e3949fd2d06425cdb77fb732a1d3454a48661100941d1895d79d17e38f335418d04cf9bd85f511219d196974 envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto
@@ -37,7 +37,7 @@
// HTTP connection manager :ref:`configuration overview <config_http_conn_man>`.
// [#extension: envoy.filters.network.http_connection_manager]
-// [#next-free-field: 59]
+// [#next-free-field: 60]
message HttpConnectionManager {
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager";
@@ -527,16 +527,6 @@
// is terminated with a 408 Request Timeout error code if no upstream response
// header has been received, otherwise a stream reset occurs.
//
- // This timeout also specifies the amount of time that Envoy will wait for the peer to open enough
- // window to write any remaining stream data once the entirety of stream data (local end stream is
- // true) has been buffered pending available window. In other words, this timeout defends against
- // a peer that does not release enough window to completely write the stream, even though all
- // data has been proxied within available flow control windows. If the timeout is hit in this
- // case, the :ref:`tx_flush_timeout <config_http_conn_man_stats_per_codec>` counter will be
- // incremented. Note that :ref:`max_stream_duration
- // <envoy_v3_api_field_config.core.v3.HttpProtocolOptions.max_stream_duration>` does not apply to
- // this corner case.
- //
// If the :ref:`overload action <config_overload_manager_overload_actions>` "envoy.overload_actions.reduce_timeouts"
// is configured, this timeout is scaled according to the value for
// :ref:`HTTP_DOWNSTREAM_STREAM_IDLE <envoy_v3_api_enum_value_config.overload.v3.ScaleTimersOverloadActionConfig.TimerType.HTTP_DOWNSTREAM_STREAM_IDLE>`.
@@ -549,8 +539,28 @@
//
// A value of 0 will completely disable the connection manager stream idle
// timeout, although per-route idle timeout overrides will continue to apply.
+ //
+ // This timeout is also used as the default value for :ref:`stream_flush_timeout
+ // <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_flush_timeout>`.
google.protobuf.Duration stream_idle_timeout = 24
[(udpa.annotations.security).configure_for_untrusted_downstream = true];
+
+ // The stream flush timeout for connections managed by the connection manager.
+ //
+ // If not specified, the value of stream_idle_timeout is used. This is for backwards compatibility
+ // since this was the original behavior. In essence this timeout is an override for the
+ // stream_idle_timeout that applies specifically to the end of stream flush case.
+ //
+ // This timeout specifies the amount of time that Envoy will wait for the peer to open enough
+ // window to write any remaining stream data once the entirety of stream data (local end stream is
+ // true) has been buffered pending available window. In other words, this timeout defends against
+ // a peer that does not release enough window to completely write the stream, even though all
+ // data has been proxied within available flow control windows. If the timeout is hit in this
+ // case, the :ref:`tx_flush_timeout <config_http_conn_man_stats_per_codec>` counter will be
+ // incremented. Note that :ref:`max_stream_duration
+ // <envoy_v3_api_field_config.core.v3.HttpProtocolOptions.max_stream_duration>` does not apply to
+ // this corner case.
+ google.protobuf.Duration stream_flush_timeout = 59;
// The amount of time that Envoy will wait for the entire request to be received.
// The timer is activated when the request is initiated, and is disarmed when the last byte of the
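Review bot: `stream_flush_timeout` is declared without the `(udpa.annotations.security).configure_for_untrusted_downstream = true` option that `stream_idle_timeout` carries just above it, although its own comment says it defends against a peer that never opens enough window. Once set, it replaces the idle timeout for the end-of-stream flush case, so a long value weakens that defence on an edge listener without the field being flagged for review. I would declare it as `google.protobuf.Duration stream_flush_timeout = 59 [(udpa.annotations.security).configure_for_untrusted_downstream = true];`. The comment should also state whether a value of 0 disables the timeout, as it does for `stream_idle_timeout`. `HttpConnectionManager` begins and ends outside this hunk.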
@@ -1036,7 +1046,7 @@
"envoy.config.filter.network.http_connection_manager.v2.Rds";
// Configuration source specifier for RDS.
- config.core.v3.ConfigSource config_source = 1 [(validate.rules).message = {required: true}];
+ config.core.v3.ConfigSource config_source = 1;
// The name of the route configuration. This name will be passed to the RDS
// API. This allows an Envoy configuration with multiple HTTP listeners (and
envoy/extensions/filters/network/tcp_proxy/v3/tcp_proxy.proto:
--- shake256:5e38beface5c951d3cc4a05c15a220101e1a51a5c298f07dc7dfb6e0a4eae782350b496828a814086e8840eb0161203de08fcb9f6fcfffd62b038c9064d801e8 envoy/extensions/filters/network/tcp_proxy/v3/tcp_proxy.proto
+++ shake256:3a48c8154c692475e6a12b5e8766e4e07895405dc852686b736ecef833b1131261e0feee837354e2f395557d8607802386168ada138656c8099f95cb23ab42d3 envoy/extensions/filters/network/tcp_proxy/v3/tcp_proxy.proto
@@ -7,7 +7,9 @@
import "envoy/config/core/v3/base.proto";
import "envoy/config/core/v3/config_source.proto";
import "envoy/config/core/v3/proxy_protocol.proto";
+import "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto";
import "envoy/type/v3/hash_policy.proto";
+import "envoy/type/v3/percent.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
@@ -27,14 +29,13 @@
// TCP Proxy :ref:`configuration overview <config_network_filters_tcp_proxy>`.
// [#extension: envoy.filters.network.tcp_proxy]
-// [#next-free-field: 20]
+// [#next-free-field: 21]
message TcpProxy {
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.filter.network.tcp_proxy.v2.TcpProxy";
- // Allows for specification of multiple upstream clusters along with weights
- // that indicate the percentage of traffic to be forwarded to each cluster.
- // The router selects an upstream cluster based on these weights.
+ // Allows specification of multiple upstream clusters along with weights indicating the percentage of
+ // traffic forwarded to each cluster. The cluster selection is based on these weights.
message WeightedCluster {
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.filter.network.tcp_proxy.v2.TcpProxy.WeightedCluster";
@@ -60,29 +61,29 @@
config.core.v3.Metadata metadata_match = 3;
}
- // Specifies one or more upstream clusters associated with the route.
+ // Specifies the upstream clusters associated with this configuration.
repeated ClusterWeight clusters = 1 [(validate.rules).repeated = {min_items: 1}];
}
// Configuration for tunneling TCP over other transports or application layers.
- // Tunneling is supported over both HTTP/1.1 and HTTP/2. Upstream protocol is
+ // Tunneling is supported over HTTP/1.1 and HTTP/2. The upstream protocol is
// determined by the cluster configuration.
- // [#next-free-field: 7]
+ // [#next-free-field: 10]
message TunnelingConfig {
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.filter.network.tcp_proxy.v2.TcpProxy.TunnelingConfig";
// The hostname to send in the synthesized CONNECT headers to the upstream proxy.
- // This field evaluates command operators if set, otherwise returns hostname as is.
+ // This field evaluates command operators if present; otherwise, the value is used as-is.
//
- // Example: dynamically set hostname using downstream SNI
+ // For example, dynamically set the hostname using downstream SNI:
//
// .. code-block:: yaml
//
// tunneling_config:
// hostname: "%REQUESTED_SERVER_NAME%:443"
//
- // Example: dynamically set hostname using dynamic metadata
+ // For example, dynamically set the hostname using dynamic metadata:
//
// .. code-block:: yaml
//
@@ -91,62 +92,92 @@
//
string hostname = 1 [(validate.rules).string = {min_len: 1}];
- // Use POST method instead of CONNECT method to tunnel the TCP stream.
- // The 'protocol: bytestream' header is also NOT set for HTTP/2 to comply with the spec.
+ // Use the ``POST`` method instead of the ``CONNECT`` method to tunnel the TCP stream.
+ // The ``protocol: bytestream`` header is not set for HTTP/2 to comply with the specification.
//
- // The upstream proxy is expected to convert POST payload as raw TCP.
+ // The upstream proxy is expected to interpret the POST payload as raw TCP.
bool use_post = 2;
- // Additional request headers to upstream proxy. This is mainly used to
- // trigger upstream to convert POST requests back to CONNECT requests.
+ // Additional request headers to send to the upstream proxy. This is mainly used to
+ // trigger the upstream to convert POST requests back to CONNECT requests.
//
- // Neither ``:-prefixed`` pseudo-headers nor the Host: header can be overridden.
+ // Neither ``:``-prefixed pseudo-headers like ``:path`` nor the ``host`` header can be overridden.
repeated config.core.v3.HeaderValueOption headers_to_add = 3
[(validate.rules).repeated = {max_items: 1000}];
- // Save the response headers to the downstream info filter state for consumption
- // by the network filters. The filter state key is ``envoy.tcp_proxy.propagate_response_headers``.
+ // Save response headers to the downstream connection's filter state for consumption
+ // by network filters. The filter state key is ``envoy.tcp_proxy.propagate_response_headers``.
bool propagate_response_headers = 4;
- // The path used with POST method. Default path is ``/``. If post path is specified and
+ // The path used with the POST method. The default path is ``/``. If this field is specified and
// :ref:`use_post field <envoy_v3_api_field_extensions.filters.network.tcp_proxy.v3.TcpProxy.TunnelingConfig.use_post>`
- // isn't true, it will be rejected.
+ // is not set to true, the configuration will be rejected.
string post_path = 5;
- // Save the response trailers to the downstream info filter state for consumption
- // by the network filters. The filter state key is ``envoy.tcp_proxy.propagate_response_trailers``.
+ // Save response trailers to the downstream connection's filter state for consumption
+ // by network filters. The filter state key is ``envoy.tcp_proxy.propagate_response_trailers``.
bool propagate_response_trailers = 6;
+
+ // The configuration of the request ID extension used for generation, validation, and
+ // associated tracing operations when tunneling.
+ //
+ // If this field is set, a request ID is generated using the specified extension. If
+ // this field is not set, no request ID is generated.
+ //
+ // When a request ID is generated, it is also stored in the downstream connection's
+ // dynamic metadata under the namespace ``envoy.filters.network.tcp_proxy`` with the key
+ // ``tunnel_request_id`` to allow emission from TCP proxy access logs via the
+ // ``%DYNAMIC_METADATA(envoy.filters.network.tcp_proxy:tunnel_request_id)%`` formatter.
+ // [#extension-category: envoy.request_id]
+ http_connection_manager.v3.RequestIDExtension request_id_extension = 7;
+
+ // The request header name to use for emitting the generated request ID on the tunneling
+ // HTTP request.
+ //
+ // If not specified or set to an empty string, the default header name ``x-request-id`` is
+ // used.
+ //
+ // .. note::
+ // This setting does not alter the internal request ID handling elsewhere in Envoy and
+ // only controls the header emitted on the tunneling request.
+ string request_id_header = 8;
+
+ // The dynamic metadata key to use when storing the generated request ID. The metadata is
+ // stored under the namespace ``envoy.filters.network.tcp_proxy``.
+ //
+ // If not specified or set to an empty string, the default key ``tunnel_request_id`` is used.
+ // This enables customizing the key used by access log formatters such as
+ // ``%DYNAMIC_METADATA(envoy.filters.network.tcp_proxy:<key>)%``.
+ string request_id_metadata_key = 9;
}
message OnDemand {
- // An optional configuration for on-demand cluster discovery
- // service. If not specified, the on-demand cluster discovery will
- // be disabled. When it's specified, the filter will pause a request
- // to an unknown cluster and will begin a cluster discovery
- // process. When the discovery is finished (successfully or not),
- // the request will be resumed.
+ // Optional configuration for the on-demand cluster discovery service.
+ // If not specified, on-demand cluster discovery is disabled. When specified, the filter pauses a request
+ // to an unknown cluster and begins a cluster discovery process. When discovery completes (successfully
+ // or not), the request is resumed.
config.core.v3.ConfigSource odcds_config = 1;
// xdstp:// resource locator for on-demand cluster collection.
// [#not-implemented-hide:]
string resources_locator = 2;
- // The timeout for on demand cluster lookup. If the CDS cannot return the required cluster,
+ // The timeout for on-demand cluster lookup. If the CDS cannot return the required cluster,
// the downstream request will be closed with the error code detail NO_CLUSTER_FOUND.
// [#not-implemented-hide:]
google.protobuf.Duration timeout = 3;
}
message TcpAccessLogOptions {
- // The interval to flush access log. The TCP proxy will flush only one access log when the connection
- // is closed by default. If this field is set, the TCP proxy will flush access log periodically with
- // the specified interval.
+ // The interval for flushing access logs. By default, the TCP proxy flushes a single access log when the
+ // connection is closed. If this field is set, the TCP proxy flushes access logs periodically at the
+ // specified interval.
// The interval must be at least 1ms.
google.protobuf.Duration access_log_flush_interval = 1
[(validate.rules).duration = {gte {nanos: 1000000}}];
- // If set to true, access log will be flushed when the TCP proxy has successfully established a
- // connection with the upstream. If the connection failed, the access log will not be flushed.
+ // If set to true, the access log is flushed when the TCP proxy successfully establishes a
+ // connection with the upstream. If the connection fails, the access log is not flushed.
bool flush_access_log_on_connected = 2;
}
@@ -164,9 +195,8 @@
// The upstream cluster to connect to.
string cluster = 2;
- // Multiple upstream clusters can be specified for a given route. The
- // request is routed to one of the upstream clusters based on weights
- // assigned to each cluster.
+ // Multiple upstream clusters can be specified. The request is routed to one of the upstream clusters
+ // based on the weights assigned to each cluster.
WeightedCluster weighted_clusters = 10;
}
@@ -182,16 +212,14 @@
// for load balancing. The filter name should be specified as ``envoy.lb``.
config.core.v3.Metadata metadata_match = 9;
- // The idle timeout for connections managed by the TCP proxy filter. The idle timeout
- // is defined as the period in which there are no bytes sent or received on either
- // the upstream or downstream connection. If not set, the default idle timeout is 1 hour. If set
- // to 0s, the timeout will be disabled.
- // It is possible to dynamically override this configuration by setting a per-connection filter
- // state object for the key ``envoy.tcp_proxy.per_connection_idle_timeout_ms``.
+ // The idle timeout for connections managed by the TCP proxy filter. The idle timeout is defined as the
+ // period in which there are no bytes sent or received on either the upstream or downstream connection.
+ // If not set, the default idle timeout is 1 hour. If set to ``0s``, the timeout is disabled.
+ // It is possible to dynamically override this configuration by setting a per-connection filter state
+ // object for the key ``envoy.tcp_proxy.per_connection_idle_timeout_ms``.
//
// .. warning::
- // Disabling this timeout has a highly likelihood of yielding connection leaks due to lost TCP
- // FIN packets, etc.
+ // Disabling this timeout is likely to yield connection leaks due to lost TCP FIN packets, etc.
google.protobuf.Duration idle_timeout = 8;
// [#not-implemented-hide:] The idle timeout for connections managed by the TCP proxy
@@ -205,8 +233,7 @@
// [#not-implemented-hide:]
google.protobuf.Duration upstream_idle_timeout = 4;
- // Configuration for :ref:`access logs <arch_overview_access_logs>`
- // emitted by the this tcp_proxy.
+ // Configuration for :ref:`access logs <arch_overview_access_logs>` emitted by this TCP proxy.
repeated config.accesslog.v3.AccessLog access_log = 5;
// The maximum number of unsuccessful connection attempts that will be made before
@@ -221,19 +248,25 @@
// limited to 1.
repeated type.v3.HashPolicy hash_policy = 11 [(validate.rules).repeated = {max_items: 1}];
- // If set, this configures tunneling, e.g. configuration options to tunnel TCP payload over
- // HTTP CONNECT. If this message is absent, the payload will be proxied upstream as per usual.
- // It is possible to dynamically override this configuration and disable tunneling per connection,
- // by setting a per-connection filter state object for the key ``envoy.tcp_proxy.disable_tunneling``.
+ // If set, this configures tunneling, for example configuration options to tunnel TCP payload over
+ // HTTP CONNECT. If this message is absent, the payload is proxied upstream as usual.
+ // It is possible to dynamically override this configuration and disable tunneling per connection by
+ // setting a per-connection filter state object for the key ``envoy.tcp_proxy.disable_tunneling``.
TunnelingConfig tunneling_config = 12;
- // The maximum duration of a connection. The duration is defined as the period since a connection
- // was established. If not set, there is no max duration. When max_downstream_connection_duration
- // is reached the connection will be closed. Duration must be at least 1ms.
+ // The maximum duration of a connection. The duration is defined as the period since a connection was
+ // established. If not set, there is no maximum duration. When ``max_downstream_connection_duration`` is
+ // reached, the connection is closed. The duration must be at least ``1ms``.
google.protobuf.Duration max_downstream_connection_duration = 13
[(validate.rules).duration = {gte {nanos: 1000000}}];
- // Note that if both this field and :ref:`access_log_flush_interval
+ // Percentage-based jitter for ``max_downstream_connection_duration``. The jitter increases the
+ // ``max_downstream_connection_duration`` by a random duration up to the provided percentage.
+ // This field is ignored if ``max_downstream_connection_duration`` is not set. If not set, no jitter
+ // is added.
+ type.v3.Percent max_downstream_connection_duration_jitter_percentage = 20;
+
+ // If both this field and :ref:`access_log_flush_interval
// <envoy_v3_api_field_extensions.filters.network.tcp_proxy.v3.TcpProxy.TcpAccessLogOptions.access_log_flush_interval>`
// are specified, the former (deprecated field) is ignored.
//
@@ -247,7 +280,7 @@
(envoy.annotations.deprecated_at_minor_version) = "3.0"
];
- // Note that if both this field and :ref:`flush_access_log_on_connected
+ // If both this field and :ref:`flush_access_log_on_connected
// <envoy_v3_api_field_extensions.filters.network.tcp_proxy.v3.TcpProxy.TcpAccessLogOptions.flush_access_log_on_connected>`
// are specified, the former (deprecated field) is ignored.
//
@@ -258,21 +291,22 @@
bool flush_access_log_on_connected = 16
[deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
- // Additional access log options for TCP Proxy.
+ // Additional access log options for the TCP proxy.
TcpAccessLogOptions access_log_options = 17;
- // If set, the specified PROXY protocol TLVs (Type-Length-Value) will be added to the PROXY protocol
- // state created by the TCP proxy filter. These TLVs will be sent in the PROXY protocol v2 header
- // to upstream.
+ // If set, the specified ``PROXY`` protocol TLVs (Type-Length-Value) are added to the ``PROXY`` protocol state
+ // created by the TCP proxy filter. These TLVs are sent in the PROXY protocol v2 header to the upstream.
//
- // This field only takes effect when the TCP proxy filter is creating new PROXY protocol
- // state and there is an upstream proxy protocol transport socket configured in the cluster.
- // If the connection already contains PROXY protocol state (including any TLVs) parsed by a
- // downstream proxy protocol listener filter, the TLVs specified here are ignored.
+ // This field only takes effect when the TCP proxy filter is creating new ``PROXY`` protocol state and an
+ // upstream proxy protocol transport socket is configured in the cluster. If the connection already
+ // contains ``PROXY`` protocol state (including any TLVs) parsed by a downstream proxy protocol listener
+ // upstream proxy protocol transport socket is configured in the cluster. If the connection already
+ // contains PROXY protocol state (including any TLVs) parsed by a downstream proxy protocol listener
+ // filter, the TLVs specified here are ignored.
//
// .. note::
- // To ensure specified TLVs are allowed in the upstream PROXY protocol header, you must also
- // configure the passthrough TLVs on the upstream proxy protocol transport. See
+ // To ensure the specified TLVs are allowed in the upstream ``PROXY`` protocol header, you must also
+ // configure passthrough TLVs on the upstream proxy protocol transport. See
// :ref:`core.v3.ProxyProtocolConfig.pass_through_tlvs <envoy_v3_api_field_config.core.v3.ProxyProtocolConfig.pass_through_tlvs>`
// for details.
repeated config.core.v3.TlvEntry proxy_protocol_tlvs = 19;
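Review bot: The rewritten comment on `proxy_protocol_tlvs` carries two leftover lines. The line `// upstream proxy protocol transport socket is configured in the cluster. If the connection already` and the `// contains PROXY protocol state (including any TLVs) ...` line after it repeat the two lines just before them, minus the double-backtick markup. Dropping those two lines lets the paragraph read once through to `// filter, the TLVs specified here are ignored.` As written, the generated docs will show the sentence twice, which obscures the precedence rule that TLVs parsed by a downstream listener filter win over the ones configured here. The `TcpProxy` message starts and ends outside the hunk.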
envoy/extensions/filters/udp/dns_filter/v3/dns_filter.proto:
--- shake256:da97414bfcf74c6437aa405054365fa1d89e56778fab0510a672df7847771316083bc00c0cece2ce3ddfe828425bef3b9c19ead7089067ab2e7c9d93e54ead74 envoy/extensions/filters/udp/dns_filter/v3/dns_filter.proto
+++ shake256:636af6b3bc6d3dc404d5e6e812088126624b82cfcd0c5bb5922e242e7a5f6e449ca990dbab2614e0130d88377efdce6d075bd1911731fca11e14eaf7b945150e envoy/extensions/filters/udp/dns_filter/v3/dns_filter.proto
@@ -102,6 +102,13 @@
// Client context configuration controls Envoy's behavior when it must use external
// resolvers to answer a query. This object is optional and if omitted instructs
- // the filter to resolve queries from the data in the server_config
+ // the filter to resolve queries from the data in the server_config.
+ // Also, if ``client_config`` is omitted, here is the Envoy's behavior to create DNS resolver:
+ //
+ // 1. If :ref:`typed_dns_resolver_config <envoy_v3_api_field_config.bootstrap.v3.Bootstrap.typed_dns_resolver_config>`
+ // is not empty, uses it.
+ //
+ // 2. Otherwise, uses the default c-ares DNS resolver.
+ //
ClientContextConfig client_config = 3;
}
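Review bot: The text added to the `client_config` comment appears to conflict with the sentence before it. Omitting the field is said to make the filter answer from `server_config` data, yet the new lines describe which DNS resolver is created in that same case. An operator who leaves `client_config` out to stop the filter from forwarding to external resolvers needs to know whether that resolver is ever queried, and the comment should say so explicitly. For the wording, `// If client_config is omitted, Envoy creates the DNS resolver as follows:` reads better than "here is the Envoy's behavior to create DNS resolver". The enclosing message starts outside the hunk.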
envoy/extensions/formatter/cel/v3/cel.proto:
--- shake256:418871dbaadf7051a0d5b1e65711dd249b7f8f9b3c4bbd58c156f7f1349fdc791879ac3a09ed762e2449b67f146c5b2a0a357f55bc1e2e236bd0ad0affc757ba envoy/extensions/formatter/cel/v3/cel.proto
+++ shake256:98b4491dad61ce1a62c98a1e229268e712489637a1dbc034c37dc031d42039921071f4396bf583fdebbc731db21196e192bd4c90f847caf51a90c8c54b84775a envoy/extensions/formatter/cel/v3/cel.proto
@@ -30,6 +30,23 @@
// * ``%CEL(request.headers['x-envoy-original-path']):10%``
// * ``%CEL(request.headers['x-log-mtls'] || request.url_path.contains('v1beta3'))%``
+// Alternatively: %TYPED_CEL(EXPRESSION):Z%
+// When using a non-text access log format like JSON, this format command is
+// able to emit values of non-string types, like number, boolean, and null,
+// based on the output of the CEL expression. It otherwise functions the same as
+// %CEL%. CEL types not native to JSON are coerced as follows:
+//
+// * Bytes are base64 encoded to produce a string.
+// * Durations are stringified as a count of seconds, e.g. `duration("1h30m")`
+// becomes "5400s".
+// * Timestamps are formatted to UTC, e.g.
+// `timestamp("2023-08-26T12:39:00-07:00")` becomes
+// "2023-08-26T19:39:00+00:00"
+// * Maps become objects, provided all keys can be coerced to strings and that
+// all values can coerce to types representable in JSON.
+// * Lists become lists, provided all values can coerce to types representable
+// in JSON.
+
// Configuration for the CEL formatter.
//
// .. warning::
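Review bot: The new `%TYPED_CEL%` description uses single backticks for `duration("1h30m")` and `timestamp(...)` and leaves `%TYPED_CEL(EXPRESSION):Z%` and `%CEL%` unquoted, while the surrounding comments use double backticks for literals. The coercion list also does not say what is emitted when a map or list cannot be coerced to JSON-representable types. That case matters to anyone parsing these access logs downstream, so a line such as `// Values that cannot be coerced are emitted as ...` with the actual behaviour would close the gap. The added blank line separates the block from `// Configuration for the CEL formatter.`, so it may not attach to the message in generated docs; the doc tooling is not visible here.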
envoy/extensions/geoip_providers/common/v3/common.proto:
--- shake256:69f743422dc263f7520519b4e10ea48e40859bfd6e1b9316344849c5fc1110aaa0bb867b75a612d049a56f6c5c605a3f7050e18a9809bf01088f1650fa17bdf3 envoy/extensions/geoip_providers/common/v3/common.proto
+++ shake256:4b3dff76008b54711f1fb62db1ef09f079ed3da6d6ec89f546594bd1ea01b638ba3b6bec705e16639a755b19007d2377010c7e7d006579e3d1395aee983756cc envoy/extensions/geoip_providers/common/v3/common.proto
@@ -17,8 +17,8 @@
// Common configuration shared across geolocation providers.
message CommonGeoipProviderConfig {
- // The set of geolocation headers to add to request. If any of the configured headers is present
- // in the incoming request, it will be overridden by the :ref:`Geoip filter <config_http_filters_geoip>`.
+ // The set of geolocation headers to add to the request. If any of the configured headers is present
+ // in the incoming request, it will be overridden by the :ref:`GeoIP filter <config_http_filters_geoip>`.
// [#next-free-field: 13]
message GeolocationHeadersToAdd {
// If set, the header will be used to populate the country ISO code associated with the IP address.
@@ -30,7 +30,7 @@
[(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
// If set, the header will be used to populate the region ISO code associated with the IP address.
- // The least specific subdivision will be selected as region value.
+ // The least specific subdivision will be selected as the region value.
string region = 3
[(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
@@ -38,35 +38,35 @@
string asn = 4
[(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
- // This field is being deprecated, use ``anon`` instead.
+ // This field is deprecated; use ``anon`` instead.
string is_anon = 5 [
deprecated = true,
(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true},
(envoy.annotations.deprecated_at_minor_version) = "3.0"
];
- // If set, the IP address will be checked if it belongs to any type of anonymization network (e.g. VPN, public proxy etc)
- // and header will be populated with the check result. Header value will be set to either "true" or "false" depending on the check result.
+ // If set, the IP address will be checked if it belongs to any type of anonymization network (e.g., VPN, public proxy).
+ // The header will be populated with the check result. Header value will be set to either ``true`` or ``false`` depending on the check result.
string anon = 12
[(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
- // If set, the IP address will be checked if it belongs to a VPN and header will be populated with the check result.
- // Header value will be set to either "true" or "false" depending on the check result.
+ // If set, the IP address will be checked if it belongs to a VPN and the header will be populated with the check result.
+ // Header value will be set to either ``true`` or ``false`` depending on the check result.
string anon_vpn = 6
[(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
- // If set, the IP address will be checked if it belongs to a hosting provider and header will be populated with the check result.
- // Header value will be set to either "true" or "false" depending on the check result.
+ // If set, the IP address will be checked if it belongs to a hosting provider and the header will be populated with the check result.
+ // Header value will be set to either ``true`` or ``false`` depending on the check result.
string anon_hosting = 7
[(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
- // If set, the IP address will be checked if it belongs to a TOR exit node and header will be populated with the check result.
- // Header value will be set to either "true" or "false" depending on the check result.
+ // If set, the IP address will be checked if it belongs to a TOR exit node and the header will be populated with the check result.
+ // Header value will be set to either ``true`` or ``false`` depending on the check result.
string anon_tor = 8
[(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
- // If set, the IP address will be checked if it belongs to a public proxy and header will be populated with the check result.
- // Header value will be set to either "true" or "false" depending on the check result.
+ // If set, the IP address will be checked if it belongs to a public proxy and the header will be populated with the check result.
+ // Header value will be set to either ``true`` or ``false`` depending on the check result.
string anon_proxy = 9
[(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
@@ -74,12 +74,12 @@
string isp = 10
[(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
- // If set, the IP address will be checked if it belongs to the ISP named iCloud Private Relay and header will be populated with the check result.
- // Header value will be set to either "true" or "false" depending on the check result.
+ // If set, the IP address will be checked if it belongs to the ISP named iCloud Private Relay and the header will be populated with the check result.
+ // Header value will be set to either ``true`` or ``false`` depending on the check result.
string apple_private_relay = 11
[(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}];
}
- // Configuration for geolocation headers to add to request.
+ // Configuration for geolocation headers to add to the request.
GeolocationHeadersToAdd geo_headers_to_add = 1 [(validate.rules).message = {required: true}];
}
envoy/extensions/geoip_providers/maxmind/v3/maxmind.proto:
--- shake256:c66f7492b5ff90e01f72acfdb18eeacf91491956c177c9b9c6b8620623741bf1d068e74ec01d5dfb7ef4b7897b09ac84265893f7b19c271d25c52fc5a3e36fd6 envoy/extensions/geoip_providers/maxmind/v3/maxmind.proto
+++ shake256:022c490b3a9aecb67218c125d84b38611bb0a95736ca7ee0bd1fd59b14f9b28da3391b06a0e790a495a559c209b680a2869bc5cd042fa9c4de9afc26385b7bd8 envoy/extensions/geoip_providers/maxmind/v3/maxmind.proto
@@ -18,29 +18,32 @@
// [#protodoc-title: MaxMind Geolocation Provider]
// MaxMind geolocation provider :ref:`configuration overview <config_geoip_providers_maxmind>`.
-// At least one geolocation database path :ref:`city_db_path <envoy_v3_api_field_extensions.geoip_providers.maxmind.v3.MaxMindConfig.city_db_path>`,
-// :ref:`isp_db_path <envoy_v3_api_field_extensions.geoip_providers.maxmind.v3.MaxMindConfig.isp_db_path>` or
-// :ref:`asn_db_path <envoy_v3_api_field_extensions.geoip_providers.maxmind.v3.MaxMindConfig.asn_db_path>` or
-// :ref:`anon_db_path <envoy_v3_api_field_extensions.geoip_providers.maxmind.v3.MaxMindConfig.anon_db_path>` must be configured.
+//
+// At least one geolocation database path must be configured:
+//
+// * :ref:`city_db_path <envoy_v3_api_field_extensions.geoip_providers.maxmind.v3.MaxMindConfig.city_db_path>`
+// * :ref:`isp_db_path <envoy_v3_api_field_extensions.geoip_providers.maxmind.v3.MaxMindConfig.isp_db_path>`
+// * :ref:`asn_db_path <envoy_v3_api_field_extensions.geoip_providers.maxmind.v3.MaxMindConfig.asn_db_path>`
+// * :ref:`anon_db_path <envoy_v3_api_field_extensions.geoip_providers.maxmind.v3.MaxMindConfig.anon_db_path>`
// [#extension: envoy.geoip_providers.maxmind]
// [#next-free-field: 6]
message MaxMindConfig {
- // Full file path to the Maxmind city database, e.g. /etc/GeoLite2-City.mmdb.
- // Database file is expected to have .mmdb extension.
+ // Full file path to the MaxMind city database, e.g., ``/etc/GeoLite2-City.mmdb``.
+ // Database file is expected to have ``.mmdb`` extension.
string city_db_path = 1 [(validate.rules).string = {pattern: "^$|^.*\\.mmdb$"}];
- // Full file path to the Maxmind ASN database, e.g. /etc/GeoLite2-ASN.mmdb.
- // Database file is expected to have .mmdb extension.
- // When is defined the ASN information will always be fetched from the ``asn_db``.
+ // Full file path to the MaxMind ASN database, e.g., ``/etc/GeoLite2-ASN.mmdb``.
+ // Database file is expected to have ``.mmdb`` extension.
+ // When this is defined, the ASN information will always be fetched from the ``asn_db``.
string asn_db_path = 2 [(validate.rules).string = {pattern: "^$|^.*\\.mmdb$"}];
- // Full file path to the Maxmind anonymous IP database, e.g. /etc/GeoIP2-Anonymous-IP.mmdb.
- // Database file is expected to have .mmdb extension.
+ // Full file path to the MaxMind Anonymous IP database, e.g., ``/etc/GeoIP2-Anonymous-IP.mmdb``.
+ // Database file is expected to have ``.mmdb`` extension.
string anon_db_path = 3 [(validate.rules).string = {pattern: "^$|^.*\\.mmdb$"}];
- // Full file path to the Maxmind ISP database, e.g. /etc/GeoLite2-ISP.mmdb.
- // Database file is expected to have .mmdb extension.
+ // Full file path to the MaxMind ISP database, e.g., ``/etc/GeoLite2-ISP.mmdb``.
+ // Database file is expected to have ``.mmdb`` extension.
// If ``asn_db_path`` is not defined, ASN information will be fetched from
// ``isp_db`` instead.
string isp_db_path = 5 [(validate.rules).string = {pattern: "^$|^.*\\.mmdb$"}];
envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.proto:
--- shake256:a20c4a200c6302e69f163f49bca671cff457b677b76b30bbfe44cfe78888121056a6a85e956d905a18a4d71b2b25eee6e3ef74536af90685036ed9ebbc918bdc envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.proto
+++ shake256:746fb58032fe1f28ddc17510e1aff7da41b73a76970c9e30dd6efe749ffe94572c8752280fd6fd70bc32623bb6e284ff852c95d8e0beb6706e0512b3252c786b envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.proto
@@ -2,6 +2,8 @@
package envoy.extensions.load_balancing_policies.client_side_weighted_round_robin.v3;
+import "envoy/extensions/load_balancing_policies/common/v3/common.proto";
+
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
@@ -42,7 +44,7 @@
// See the :ref:`load balancing architecture
// overview<arch_overview_load_balancing_types>` for more information.
//
-// [#next-free-field: 8]
+// [#next-free-field: 9]
message ClientSideWeightedRoundRobin {
// Whether to enable out-of-band utilization reporting collection from
// the endpoints. By default, per-request utilization reporting is used.
@@ -82,4 +84,9 @@
// For map fields in the ORCA proto, the string will be of the form ``<map_field_name>.<map_key>``. For example, the string ``named_metrics.foo`` will mean to look for the key ``foo`` in the ORCA :ref:`named_metrics <envoy_v3_api_field_.xds.data.orca.v3.OrcaLoadReport.named_metrics>` field.
// If none of the specified metrics are present in the load report, then :ref:`cpu_utilization <envoy_v3_api_field_.xds.data.orca.v3.OrcaLoadReport.cpu_utilization>` is used instead.
repeated string metric_names_for_computing_utilization = 7;
+
+ // Configuration for slow start mode.
+ // If this configuration is not set, slow start will not be not enabled.
+ // [#not-implemented-hide:]
+ common.v3.SlowStartConfig slow_start_config = 8;
}
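Review bot: The comment on `slow_start_config` contains a double negative, `slow start will not be not enabled`, which reads as the opposite of what is meant. It should be `// If this configuration is not set, slow start will not be enabled.` The field is also tagged `[#not-implemented-hide:]`, so if setting it currently has no effect, the comment should say that too.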
envoy/extensions/load_balancing_policies/common/v3/common.proto:
--- shake256:f842e3464bae55134e484e29ee6901253c784d885e6bc62d4f906a147c91d3affb11f5ab7ca9ccfa24b5fb08efa11e3ee838f452faec2e6c1f20acb9269993dc envoy/extensions/load_balancing_policies/common/v3/common.proto
+++ shake256:87692495bfc4ebe3af7e717827ef318d02ea70d14321bdb6a752efb7b21fb7ea727e7c085cfbac1b698eab1506a9ac73b97ba663a8ddb5d1a24eea0dc07fd5c4 envoy/extensions/load_balancing_policies/common/v3/common.proto
@@ -24,8 +24,17 @@
message LocalityLbConfig {
// Configuration for :ref:`zone aware routing
// <arch_overview_load_balancing_zone_aware_routing>`.
- // [#next-free-field: 6]
+ // [#next-free-field: 7]
message ZoneAwareLbConfig {
+ // Basis for computing per-locality percentages in zone-aware routing.
+ enum LocalityBasis {
+ // Use the number of healthy hosts in each locality.
+ HEALTHY_HOSTS_NUM = 0;
+
+ // Use the weights of healthy hosts in each locality.
+ HEALTHY_HOSTS_WEIGHT = 1;
+ }
+
// Configures Envoy to always route requests to the local zone regardless of the
// upstream zone structure. In Envoy's default configuration, traffic is distributed proportionally
// across all upstream hosts while trying to maximize local routing when possible. The approach
@@ -67,6 +76,12 @@
[deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
ForceLocalZone force_local_zone = 5;
+
+ // Determines how locality percentages are computed:
+ // - HEALTHY_HOSTS_NUM: proportional to the count of healthy hosts.
+ // - HEALTHY_HOSTS_WEIGHT: proportional to the weights of healthy hosts.
+ // Default value is HEALTHY_HOSTS_NUM if unset.
+ LocalityBasis locality_basis = 6;
}
// Configuration for :ref:`locality weighted load balancing
envoy/extensions/matching/common_inputs/network/v3/network_inputs.proto:
--- shake256:dc915eb998e7b51ba653e5669cb4ddfdf3b0beaae3e7911a8688d8b7b30522120e761a951d967fade0f78afe88d3730a38f53f148178c78ed8e942327f5100c2 envoy/extensions/matching/common_inputs/network/v3/network_inputs.proto
+++ shake256:b22fb32e8f220cb821a316a53743bd76e1b451f2cd1ee36a8ddb9f3ff52f1f6d3ea9512edd7df45bba24f80b6af8b23de34793e48672ff2d384b675883aa5a7c envoy/extensions/matching/common_inputs/network/v3/network_inputs.proto
@@ -148,3 +148,17 @@
// The path to retrieve the Value from the Struct.
repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}];
}
+
+// Input that matches by the network namespace of the listener address.
+// This input returns the network namespace filepath that was used to create the listening socket.
+// On Linux systems, this corresponds to the ``network_namespace_filepath`` field in the
+// :ref:`SocketAddress <envoy_v3_api_msg_config.core.v3.SocketAddress>` configuration.
+//
+// .. note::
+//
+// This input is only meaningful on Linux systems where network namespaces are supported.
+// On other platforms, this input will always return an empty value.
+//
+// [#extension: envoy.matching.inputs.network_namespace]
+message NetworkNamespaceInput {
+}
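Review bot: The comment on `NetworkNamespaceInput` does not say in what form the filepath is returned. It states that the input returns the path "used to create the listening socket", which suggests the configured string is passed through as-is. If so, two different paths that refer to the same namespace would not match each other, which matters when this input is used to separate traffic between namespaces. If that is the behaviour, add a sentence such as `// The value is the configured path string; it is not resolved or canonicalised.` The implementation is not visible in this hunk, so this needs confirming.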
envoy/extensions/network/dns_resolver/cares/v3/cares_dns_resolver.proto:
--- shake256:79334ac047e2b07007131cf121df1fb2dd4056b7018785d2a0c4cc1b5dd0ff3624f8178240bb430d54cc448d89ef878834c29b824ae376694cd989ccd0cd7918 envoy/extensions/network/dns_resolver/cares/v3/cares_dns_resolver.proto
+++ shake256:6e08a950c353824af726fd5f4162d3b21a2107b2264106a8b10a1b119950a0f27a21ef97ec32bce738db040a25e561dddc70bb569861b67eb2ef434159d44462 envoy/extensions/network/dns_resolver/cares/v3/cares_dns_resolver.proto
@@ -5,6 +5,7 @@
import "envoy/config/core/v3/address.proto";
import "envoy/config/core/v3/resolver.proto";
+import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/status.proto";
@@ -20,7 +21,7 @@
// [#extension: envoy.network.dns_resolver.cares]
// Configuration for c-ares DNS resolver.
-// [#next-free-field: 9]
+// [#next-free-field: 11]
message CaresDnsResolverConfig {
// A list of DNS resolver addresses.
// :ref:`use_resolvers_as_fallback <envoy_v3_api_field_extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig.use_resolvers_as_fallback>`
@@ -77,4 +78,25 @@
// This setting overrides any system configuration for name server rotation.
//
bool rotate_nameservers = 8;
+
+ // Maximum EDNS0 UDP payload size in bytes.
+ // If set, c-ares will include EDNS0 in DNS queries and use this value as the maximum UDP response size.
+ //
+ // Recommended values:
+ //
+ // * **1232**: Safe default (avoids fragmentation).
+ // * **4096**: Maximum allowed.
+ //
+ // If unset, c-ares uses its internal default (usually 1232).
+ google.protobuf.UInt32Value edns0_max_payload_size = 9
+ [(validate.rules).uint32 = {lte: 4096 gte: 512}];
+
+ // The maximum duration for which a UDP channel will be kept alive before being refreshed.
+ //
+ // If set, the DNS resolver will periodically reinitialize its c-ares channel after the
+ // specified duration. This can help with avoiding stale socket states, and providing
+ // better load distribution across UDP ports.
+ //
+ // If not specified, no periodic refresh will be performed.
+ google.protobuf.Duration max_udp_channel_duration = 10 [(validate.rules).duration = {gte {}}];
}
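Review bot: `max_udp_channel_duration` is validated with `gte {}`, which accepts a zero duration, and the comment does not say what zero means. It could disable the refresh or cause the c-ares channel to be reinitialised continuously; the hunk does not show which. Either require a positive value with `[(validate.rules).duration = {gt {}}]` or document zero explicitly. Separately, the `edns0_max_payload_size` comment names 4096 as the maximum but omits the lower bound that `gte: 512` enforces. A line such as `// Values below 512 are rejected.` would make the comment agree with the rule.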
envoy/extensions/quic/connection_id_generator/quic_lb/v3/quic_lb.proto:
--- shake256:8fdfdf3e80e32c8390ba4c4102963331fd68d4e4d7ba16b00cd92111659dd118cf968b654434b822c5844c3e5583f0ab13b1f6311016bbf0276d08e06e48feef envoy/extensions/quic/connection_id_generator/quic_lb/v3/quic_lb.proto
+++ shake256:8a58afa18cfd1cbde48136072f331fe02420900d28cff068cca484cb2dff09f3b12409f8ba400ddd9452a4b355431eb52a493c17b870ddf9bd539c0ebd29de0e envoy/extensions/quic/connection_id_generator/quic_lb/v3/quic_lb.proto
@@ -29,22 +29,23 @@
//
// .. warning::
//
-// This is still a work in progress. Performance is expected to be poor. Interoperability testing
-// has not yet been performed.
-// [#next-free-field: 6]
+// This is still a work in progress. Interoperability testing has not yet been performed.
+// [#next-free-field: 7]
message Config {
option (xds.annotations.v3.message_status).work_in_progress = true;
- // Use the unencrypted mode. This is useful for testing, but allows for linking different CIDs
- // for the same connection, and leaks information about the valid server IDs in use. This should
- // only be used for testing.
- bool unsafe_unencrypted_testing_mode = 1;
-
// Must be at least 1 octet.
// The length of server_id and nonce_length_bytes must be 18 or less.
// See https://datatracker.ietf.org/doc/html/draft-ietf-quic-load-balancers#name-server-id-allocation.
config.core.v3.DataSource server_id = 2 [(validate.rules).message = {required: true}];
+ // If true, indicates that the :ref:`server_id
+ // <envoy_v3_api_field_extensions.quic.connection_id_generator.quic_lb.v3.Config.server_id>` is base64 encoded.
+ //
+ // This can be useful if the ID may contain binary data and must be transmitted as a string, for example in
+ // an environment variable.
+ bool server_id_base64_encoded = 6;
+
// Optional validation of the expected server ID length. If this is non-zero and the value in ``server_id``
// does not have a matching length, a configuration error is generated. This can be useful for validating
// that the server ID is valid.
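Review bot: With `server_id_base64_encoded` added, the existing limits on `server_id` become ambiguous. Neither `The length of server_id and nonce_length_bytes must be 18 or less` nor the `expected_server_id_length` check says whether it applies to the base64 text or to the decoded bytes. The new comment should state this, for example `// Length limits and expected_server_id_length apply to the decoded value.`, if that matches the implementation. It would also help to say that a value which is not valid base64 is rejected as a configuration error rather than used as-is. The `Config` message ends outside the hunk.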
@@ -65,4 +66,14 @@
// See https://datatracker.ietf.org/doc/html/draft-ietf-quic-load-balancers#name-config-rotation.
transport_sockets.tls.v3.SdsSecretConfig encryption_parameters = 5
[(validate.rules).message = {required: true}];
+
+ // Use the unencrypted mode. This is useful for testing or a simplified implementation of the
+ // downstream load balancer, but allows for linking different CIDs for the same connection, and
+ // leaks information about the valid server IDs in use. This mode does not comply with the RFC.
+ //
+ // Note that in this mode, :ref:`encryption_parameters
+ // <envoy_v3_api_field_extensions.quic.connection_id_generator.quic_lb.v3.Config.encryption_parameters>`
+ // is still required because it contains ``configuration_version``, which is still
+ // needed. ``encryption_key`` can be set to ``inline_string: '0000000000000000'``.
+ bool unencrypted_mode = 1;
}
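Review bot: Field 1 keeps its number but is renamed from `unsafe_unencrypted_testing_mode` to `unencrypted_mode`, so the name no longer signals the risk the comment still describes: CIDs of one connection can be linked and valid server IDs are exposed. Configs written in YAML or text format with the old name will presumably stop loading, which deserves a changelog line. The caveat would be more visible as a `.. warning::` block, like the one on the message. The comment also suggests `inline_string: '0000000000000000'` for `encryption_key`. It should add that this placeholder must be replaced before `unencrypted_mode` is turned off, because the all-zero value would otherwise become the real key.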
envoy/extensions/stat_sinks/open_telemetry/v3/open_telemetry.proto:
--- shake256:f4ffbd13c1469d72b79196a50468dab6abcec6746b806d7ad07ad727fef7c0c4c043c8b063c30abc8a4c350ee1e0a032cfe188eed994e693b5426b02832046e8 envoy/extensions/stat_sinks/open_telemetry/v3/open_telemetry.proto
+++ shake256:b9baf36cbd39c8e4c3a3b4699a19240971d6076ceda83fe3dabebaa96f691c352be85d73dfd0fe9f2e3af7b6a75d4e22dfd9ded65e58c2122537dde25c74ae8d envoy/extensions/stat_sinks/open_telemetry/v3/open_telemetry.proto
@@ -2,10 +2,14 @@
package envoy.extensions.stat_sinks.open_telemetry.v3;
+import "envoy/config/core/v3/extension.proto";
import "envoy/config/core/v3/grpc_service.proto";
import "google/protobuf/wrappers.proto";
+import "opentelemetry/proto/common/v1/common.proto";
+import "xds/type/matcher/v3/matcher.proto";
+
import "udpa/annotations/status.proto";
import "validate/validate.proto";
@@ -19,8 +23,20 @@
// Stats configuration proto schema for ``envoy.stat_sinks.open_telemetry`` sink.
// [#extension: envoy.stat_sinks.open_telemetry]
-// [#next-free-field: 7]
+// [#next-free-field: 9]
message SinkConfig {
+ // ConversionAction is used to convert a stat to a metric. If a stat matches,
+ // the metric_name and static_metric_labels will be
+ // used to create the metric. This can be used to rename a
+ // stat, add static labels, and aggregate multiple stats into a single metric.
+ message ConversionAction {
+ // The metric name to use for the stat.
+ string metric_name = 2;
+
+ // Static metric labels to use for the metric.
+ repeated opentelemetry.proto.common.v1.KeyValue static_metric_labels = 3;
+ }
+
oneof protocol_specifier {
option (validate.required) = true;
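Review bot: `ConversionAction` numbers its fields 2 and 3, and nothing reserves 1. If field 1 was dropped during review, add `reserved 1;` so the number cannot later be reused with a different type. `metric_name` also carries no validation, so an action with an empty name is accepted and the comment does not say what metric results. Either add `[(validate.rules).string = {min_len: 1}]` or document the fallback. The comment mentions aggregating several stats into one metric, and it should state how the values of stats mapped to the same name are combined.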
@@ -28,6 +44,10 @@
config.core.v3.GrpcService grpc_service = 1 [(validate.rules).message = {required: true}];
}
+ // Attributes to be associated with the resource in the OTLP message.
+ // [#extension-category: envoy.tracers.opentelemetry.resource_detectors]
+ repeated config.core.v3.TypedExtensionConfig resource_detectors = 7;
+
// If set to true, counters will be emitted as deltas, and the OTLP message will have
// ``AGGREGATION_TEMPORALITY_DELTA`` set as AggregationTemporality.
bool report_counters_as_deltas = 2;
@@ -50,4 +70,9 @@
// "pre", the full stat name will be "pre.foo.bar". If this field is not set, there is no
// prefix added. According to the example, the full stat name will remain "foo.bar".
string prefix = 6;
+
+ // The custom conversion from a stat to a metric. Currently, the only supported input is
+ // ``envoy.extensions.matching.common_inputs.stats.v3.StatFullNameMatchInput`` and the only support action is
+ // ``envoy.extensions.stat_sinks.open_telemetry.v3.SinkConfig.ConversionAction``.
+ xds.type.matcher.v3.Matcher custom_metric_conversions = 8;
}
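Review bot: The comment on `custom_metric_conversions` has a typo: `the only support action` should be `the only supported action`. It also does not say what happens to a stat that matches no rule in the matcher. Presumably it is exported under its original name, but that is not stated here. A sentence covering this would help operators who rely on the conversion to control which names and labels leave the process. The `SinkConfig` message starts outside the hunk.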
envoy/extensions/upstreams/http/v3/http_protocol_options.proto:
--- shake256:67f8c22322b3279e63a6afd72715b52f4621719de35ee92362525013c51e365cf066d2b47734d3326597db5ebc353accab57ec8097f69d0bbaea2170f6de3434 envoy/extensions/upstreams/http/v3/http_protocol_options.proto
+++ shake256:d6f4e5d1f41fc974dd3c4e1da68df1cb72b8479132c0e5c469c22658c20bb64000b74a159e7662bd33f6fa597be541cbde8e6bc687823c1854ca56c1253dc34b envoy/extensions/upstreams/http/v3/http_protocol_options.proto
@@ -2,6 +2,7 @@
package envoy.extensions.upstreams.http.v3;
+import "envoy/config/common/matcher/v3/matcher.proto";
import "envoy/config/core/v3/extension.proto";
import "envoy/config/core/v3/protocol.proto";
import "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto";
@@ -59,7 +60,7 @@
// http2_protocol_options:
// max_concurrent_streams: 100
// .... [further cluster config]
-// [#next-free-field: 8]
+// [#next-free-field: 9]
message HttpProtocolOptions {
// If this is used, the cluster will only operate on one of the possible upstream protocols.
// Note that HTTP/2 or above should generally be used for upstream gRPC clusters.
@@ -129,6 +130,13 @@
config.core.v3.AlternateProtocolsCacheOptions alternate_protocols_cache_options = 4;
}
+ message OutlierDetection {
+ // If specified, only responses matching the matcher will be treated by outlier detection as errors.
+ // If not specified, only 5xx codes are treated by outlier detection as errors.
+ config.common.matcher.v3.MatchPredicate error_matcher = 1
+ [(validate.rules).message = {required: true}];
+ }
+
// This contains options common across HTTP/1 and HTTP/2
config.core.v3.HttpProtocolOptions common_http_protocol_options = 1;
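Review bot: The comment on `error_matcher` contradicts the field's validation rule. It says `If not specified, only 5xx codes are treated by outlier detection as errors`, but the field carries `(validate.rules).message = {required: true}`, so it can never be unspecified inside an `OutlierDetection` message. The default presumably applies when `outlier_detection` itself is unset. That sentence belongs on the `outlier_detection` field, added in a later hunk of this file, or on the message, which currently has no comment. For the message, something like `// HTTP-specific outlier detection settings. When unset, only 5xx responses count as errors.` would do.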
@@ -174,4 +182,7 @@
// [#not-implemented-hide:]
// [#extension-category: envoy.http.header_validators]
config.core.v3.TypedExtensionConfig header_validation_config = 7;
+
+ // Defines http specific outlier detection parameters.
+ OutlierDetection outlier_detection = 8;
}
envoy/service/ext_proc/v3/external_processor.proto:
--- shake256:a0edcf6dd39882ac26ff14ac91358f007f677326661c1c7e90316d2911754ddfe115367f7d0be190960933316ebb7a1b3e98a20335848a1189778cdff85c282e envoy/service/ext_proc/v3/external_processor.proto
+++ shake256:1c25d514b7c22ff54c3b590dd512b90fb7e147db1935a90a27467f2745a5364e5ca1a4ac4a144525438ac7252a5aaba6f14f2fc8926e38f52f9bc61705edae3a envoy/service/ext_proc/v3/external_processor.proto
@@ -27,29 +27,31 @@
// as part of a filter chain.
// The overall external processing protocol works like this:
//
-// 1. Envoy sends to the service information about the HTTP request.
-// 2. The service sends back a ProcessingResponse message that directs Envoy
-// to either stop processing, continue without it, or send it the
-// next chunk of the message body.
-// 3. If so requested, Envoy sends the server the message body in chunks,
-// or the entire body at once. In either case, the server may send back
-// a ProcessingResponse for each message it receives, or wait for certain amount
-// of body chunks received before streams back the ProcessingResponse messages.
-// 4. If so requested, Envoy sends the server the HTTP trailers,
+// 1. The data plane sends to the service information about the HTTP request.
+// 2. The service sends back a ProcessingResponse message that directs
+// the data plane to either stop processing, continue without it, or send
+// it the next chunk of the message body.
+// 3. If so requested, the data plane sends the server the message body in
+// chunks, or the entire body at once. In either case, the server may send
+// back a ProcessingResponse for each message it receives, or wait for
+// a certain amount of body chunks received before streaming back the
+// ProcessingResponse messages.
+// 4. If so requested, the data plane sends the server the HTTP trailers,
// and the server sends back a ProcessingResponse.
// 5. At this point, request processing is done, and we pick up again
-// at step 1 when Envoy receives a response from the upstream server.
+// at step 1 when the data plane receives a response from the upstream
+// server.
// 6. At any point above, if the server closes the gRPC stream cleanly,
-// then Envoy proceeds without consulting the server.
+// then the data plane proceeds without consulting the server.
// 7. At any point above, if the server closes the gRPC stream with an error,
-// then Envoy returns a 500 error to the client, unless the filter
+// then the data plane returns a 500 error to the client, unless the filter
// was configured to ignore errors.
//
// In other words, the process is a request/response conversation, but
// using a gRPC stream to make it easier for the server to
// maintain state.
service ExternalProcessor {
- // This begins the bidirectional stream that Envoy will use to
+ // This begins the bidirectional stream that the data plane will use to
// give the server control over what the filter does. The actual
// protocol is described by the ProcessingRequest and ProcessingResponse
// messages below.
@@ -79,7 +81,7 @@
bool send_body_without_waiting_for_header_response = 3;
}
-// This represents the different types of messages that Envoy can send
+// This represents the different types of messages that the data plane can send
// to an external processing server.
// [#next-free-field: 12]
message ProcessingRequest {
@@ -132,7 +134,7 @@
// The values of properties selected by the ``request_attributes``
// or ``response_attributes`` list in the configuration. Each entry
// in the list is populated from the standard
- // :ref:`attributes <arch_overview_attributes>` supported across Envoy.
+ // :ref:`attributes <arch_overview_attributes>` supported in the data plane.
map<string, google.protobuf.Struct> attributes = 9;
// Specify whether the filter that sent this request is running in :ref:`observability_mode
@@ -153,7 +155,7 @@
ProtocolConfiguration protocol_config = 11;
}
-// This represents the different types of messages the server may send back to Envoy
+// This represents the different types of messages the server may send back to the data plane
// when the ``observability_mode`` field in the received ProcessingRequest is set to false.
//
// * If the corresponding ``BodySendMode`` in the
@@ -212,8 +214,8 @@
// may use this to intelligently control how requests are processed
// based on the headers and other metadata that they see.
// This field is only applicable when servers responding to the header requests.
- // If it is set in the response to the body or trailer requests, it will be ignored by Envoy.
- // It is also ignored by Envoy when the ext_proc filter config
+ // If it is set in the response to the body or trailer requests, it will be ignored by the data plane.
+ // It is also ignored by the data plane when the ext_proc filter config
// :ref:`allow_mode_override
// <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.allow_mode_override>`
// is set to false, or
@@ -224,16 +226,16 @@
// When ext_proc server receives a request message, in case it needs more
// time to process the message, it sends back a ProcessingResponse message
- // with a new timeout value. When Envoy receives this response message,
- // it ignores other fields in the response, just stop the original timer,
- // which has the timeout value specified in
+ // with a new timeout value. When the data plane receives this response
+ // message, it ignores other fields in the response, just stop the original
+ // timer, which has the timeout value specified in
// :ref:`message_timeout
// <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.message_timeout>`
// and start a new timer with this ``override_message_timeout`` value and keep the
- // Envoy ext_proc filter state machine intact.
+ // data plane ext_proc filter state machine intact.
// Has to be >= 1ms and <=
// :ref:`max_message_timeout <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.max_message_timeout>`
- // Such message can be sent at most once in a particular Envoy ext_proc filter processing state.
+ // Such message can be sent at most once in a particular data plane ext_proc filter processing state.
// To enable this API, one has to set ``max_message_timeout`` to a number >= 1ms.
google.protobuf.Duration override_message_timeout = 10;
}
@@ -283,26 +285,26 @@
// The following are messages that may be sent back by the server.
-// This message is sent by the external server to Envoy after ``HttpHeaders`` was
+// This message is sent by the external server to the data plane after ``HttpHeaders`` was
// sent to it.
message HeadersResponse {
- // Details the modifications (if any) to be made by Envoy to the current
+ // Details the modifications (if any) to be made by the data plane to the current
// request/response.
CommonResponse response = 1;
}
-// This message is sent by the external server to Envoy after ``HttpBody`` was
+// This message is sent by the external server to the data plane after ``HttpBody`` was
// sent to it.
message BodyResponse {
- // Details the modifications (if any) to be made by Envoy to the current
+ // Details the modifications (if any) to be made by the data plane to the current
// request/response.
CommonResponse response = 1;
}
-// This message is sent by the external server to Envoy after ``HttpTrailers`` was
+// This message is sent by the external server to the data plane after ``HttpTrailers`` was
// sent to it.
message TrailersResponse {
- // Details the modifications (if any) to be made by Envoy to the current
+ // Details the modifications (if any) to be made by the data plane to the current
// request/response trailers.
HeaderMutation header_mutation = 1;
}
@@ -332,7 +334,7 @@
CONTINUE_AND_REPLACE = 1;
}
- // If set, provide additional direction on how the Envoy proxy should
+ // If set, provide additional direction on how the data plane should
// handle the rest of the HTTP filter chain.
ResponseStatus status = 1 [(validate.rules).enum = {defined_only: true}];
@@ -361,7 +363,7 @@
// Clear the route cache for the current client request. This is necessary
// if the remote server modified headers that are used to calculate the route.
// This field is ignored in the response direction. This field is also ignored
- // if the Envoy ext_proc filter is in the upstream filter chain.
+ // if the data plane ext_proc filter is in the upstream filter chain.
bool clear_route_cache = 5;
}
@@ -415,7 +417,7 @@
// The body response message corresponding to FULL_DUPLEX_STREAMED body mode.
message StreamedBodyResponse {
- // The body response chunk that will be passed to the upstream/downstream by Envoy.
+ // The body response chunk that will be passed to the upstream/downstream by the data plane.
bytes body = 1;
// The server sets this flag to true if it has received a body request with
@@ -424,7 +426,7 @@
bool end_of_stream = 2;
}
-// This message specifies the body mutation the server sends to Envoy.
+// This message specifies the body mutation the server sends to the data plane.
message BodyMutation {
// The type of mutation for the body.
oneof mutation {
envoy/type/matcher/v3/value.proto:
--- shake256:914b167bc0d15d4a96649c05ac568368e28cbe04d346a46526a07ef17f5b14944149c389a0a03a2a2b05de151940b8b459b7811cafa35d525a94a02d12a22618 envoy/type/matcher/v3/value.proto
+++ shake256:ad88cc2e97d5cd12d8392a43fa42460b65a2a3b23825c4e14ef43fa2f559eba6fb9fa12e9d07072fb67fd3c15db9339ce70bcdd1e88476a0864441e122395bab envoy/type/matcher/v3/value.proto
@@ -17,7 +17,7 @@
// [#protodoc-title: Value matcher]
-// Specifies the way to match a ProtobufWkt::Value. Primitive values and ListValue are supported.
+// Specifies the way to match a Protobuf::Value. Primitive values and ListValue are supported.
// StructValue is not supported and is always not matched.
// [#next-free-field: 8]
message ValueMatcher {
envoy/type/matcher/value.proto:
--- shake256:a8dce06687fff254822d8665c7e5ac5633646822f786dca35d9dbe625a3fc3cf0d688220893dad91774493e1eb16226741fdbfd9e650b378742908324c4cf41b envoy/type/matcher/value.proto
+++ shake256:2894818b159d82e436454b897303459c693593507e5ddfd71291a3aafd6f5e5ff829b72738d56910423f1f06c8712d6c0968db606d275420b4ff2d333d7e8b34 envoy/type/matcher/value.proto
@@ -16,7 +16,7 @@
// [#protodoc-title: Value matcher]
-// Specifies the way to match a ProtobufWkt::Value. Primitive values and ListValue are supported.
+// Specifies the way to match a Protobuf::Value. Primitive values and ListValue are supported.
// StructValue is not supported and is always not matched.
// [#next-free-field: 7]
message ValueMatcher {
| }, | ||
| { | ||
| "name": "v13.0.0", | ||
| "digest": "57c88dfb9c8994262426a3278d9e5d41f2b998b28a4c2858564aa67a235a8c5fce21bed2ffa85bcb09224a6b928f58e421b96a70db98774154f1036717455ac9" |
cd modules/sync/googlechrome/lighthouse
casdiff v12.8.2 v13.0.0 --format=markdown
1 files changed: 0 removed, 0 renamed, 0 added, 1 changed content
Files changed content:
lighthouse-result.proto:
--- shake256:e66ff010abd796c731c113ce9dd0778df4776e0edeef134a30724bdbdd94d2d8cbbf55242f50d0ddc7e40c6e3797cf97bd69610a8b745fecae9e639ebb95b1ee lighthouse-result.proto
+++ shake256:a9787064905e7bd489b965d12d788ade794891f1c5ab2cd16c0183d125faec86051fc1c068914b4ca6242ab945631fca9e57b445a534d697b14553ce977e048f lighthouse-result.proto
@@ -132,7 +132,7 @@
map<string, CategoryGroup> category_groups = 11;
// Message containing the configuration settings for the LH run
- // Next ID: 11
+ // Next ID: 33
message ConfigSettings {
// The possible form factors an audit can be run in.
// This enum served the emulated_form_factor field, but in v7, that field
@@ -193,11 +193,11 @@
string throttling_method = 8;
message ScreenEmulation {
- // Overriding width value in pixels (minimum 0, maximum 10000000). 0
- // disables the override.
+ // Overriding width value in pixels (minimum 0, maximum 10000000).
+ // 0 disables the override.
double width = 1;
- // Overriding height value in pixels (minimum 0, maximum 10000000). 0
- // disables the override.
+ // Overriding height value in pixels (minimum 0, maximum 10000000).
+ // 0 disables the override.
double height = 2;
// Overriding device scale factor value. 0 disables the override.
double deviceScaleFactor = 3;
@@ -217,8 +217,85 @@
// screen emulation.
ScreenEmulation screen_emulation = 9;
+
// Indicating whether Lighthouse should ignore status codes.
bool ignore_status_code = 10;
+
+ // The type(s) of report output to be produced.
+ // Can be a string of 'json' | 'html' | 'csv'
+ // Or an array of those strings
+ google.protobuf.Value output = 11;
+
+ // The maximum amount of time to wait for a page content render, in ms. If
+ // no content is rendered within this limit, the run is aborted with an
+ // error.
+ int32 max_wait_for_fcp = 12;
+ // The maximum amount of time to wait for a page to load, in ms.
+ int32 max_wait_for_load = 13;
+ // The number of milliseconds to wait after FCP until the page should be
+ // considered loaded.
+ int32 pause_after_fcp_ms = 14;
+ // The number of milliseconds to wait after the load event until the page
+ // should be considered loaded.
+ int32 pause_after_load_ms = 15;
+ // The number of milliseconds to wait between high priority network requests
+ // or 3 simultaneous requests before the page should be considered loaded.
+ int32 network_quiet_threshold_ms = 16;
+ // The number of milliseconds to wait between long tasks until the page
+ // should be considered loaded.
+ int32 cpu_quiet_threshold_ms = 17;
+
+ // User Agent string to apply, `false` to not change the host's UA string,
+ // or `true` to use Lighthouse's default UA string.
+ string emulated_user_agent = 18;
+
+ // audit_mode and gather_mode are excluded from the proto, as they are boolean/string and niche enough that we don't want to deal with them.
+
+ // Flag indicating that the browser storage should not be reset for the
+ // audit.
+ bool disable_storage_reset = 19;
+ // Flag indicating that Lighthouse should pause after page load to wait for
+ // the user's permission to continue the audit.
+ bool debug_navigation = 20;
+ // If set to true, gatherers should avoid any behavior that may be
+ // destructive to the page state. (e.g. extra navigations, resizing the
+ // viewport)
+ bool use_passive_gathering = 21;
+ // Disables collection of the full page screenshot, which can be rather
+ // large and possibly leave the page in an undesirable state.
+ bool disable_full_page_screenshot = 22;
+ // If set to true, will skip the initial navigation to about:blank.
+ bool skip_about_blank = 23;
+ // The URL to use for the "blank" neutral page in between navigations.
+ // Defaults to `about:blank`.
+ string blank_page = 24;
+
+ // List of URL patterns to block.
+ repeated string blocked_url_patterns = 25;
+
+ // Comma-delimited list of trace categories to include.
+ string additional_trace_categories = 26;
+
+ // If present, the run should only conduct this list of audits.
+ repeated string only_audits = 27;
+ // If present, the run should skip this list of audits.
+ repeated string skip_audits = 28;
+
+ // Flag indicating which kinds of browser storage should be reset for the audit.
+ // Cookies are not cleared by default, so the user isn't logged out.
+ // indexeddb, websql, and localstorage are not cleared by default to prevent
+ // loss of potentially important data.
+ // https://chromedevtools.github.io/debugger-protocol-viewer/tot/Storage/#type-StorageType
+ repeated string clear_storage_types = 29;
+
+ // List of extra HTTP Headers to include
+ map<string, string> extra_headers = 30;
+
+ // The budget.json object for LightWallet
+ repeated google.protobuf.Struct budgets = 31 [deprecated = true];
+
+ // Precomputed lantern estimates to use instead of observed analysis.
+ google.protobuf.Struct precomputed_lantern_data = 32;
}
// The settings that were used to run this audit
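Review bot: `extra_headers` (field 30) is documented only as "List of extra HTTP Headers to include", with no warning that it can hold secrets. It sits in `ConfigSettings`, which the surrounding comments describe as the settings used for the run inside the result message, so any headers supplied for a run would presumably travel with each serialized result. Such headers often carry credentials such as `Authorization` or `Cookie` values, and whether the producer redacts them is not visible here. I would extend the field comment, e.g. `// Values may include credentials (Authorization, Cookie); treat serialized results as sensitive.` The enclosing `ConfigSettings` message opens above this hunk.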
@@ -298,7 +375,7 @@
// This value is nullable, so is a `Value` type
google.protobuf.Value score = 4;
- // An description for manual audits within this category.
+ // A description for manual audits within this category.
string manual_description = 5;
// A Category's reference to an AuditResult, with a weight for category
@@ -721,6 +798,12 @@
// using the new set of performance insight audits that will replace performance
// audits.
string go_back_to_audits = 71;
+
+ // Descriptive explanation used when an audit is not part of the calculated score.
+ string unscored_label = 72;
+
+ // Descriptive explanation used when an audit is not part of the calculated score.
+ string unscored_title = 73;
}
// The message holding all formatted strings used in the renderer.
| }, | ||
| { | ||
| "name": "v33.0", | ||
| "digest": "49b3059e6608c257ea7cf60926a16fb8bb1f3d37f39862e66db55338a4ebf59a4aebff39fdfd1f6d4e66ece567db327ff5846a09b51762574b857a27e77a2b55" |
cd modules/sync/protocolbuffers/wellknowntypes
casdiff v32.1 v33.0 --format=markdown
2 files changed: 0 removed, 0 renamed, 0 added, 2 changed content
Files changed content:
google/protobuf/descriptor.proto:
--- shake256:2b6fb491b5832e4c381224372998dc7bfae2cb557c40e5132884c1eef68b31570ed1d2b902fde0cf19739dfc5140f79dc628be40f268c523c3e5a923038fa8e1 google/protobuf/descriptor.proto
+++ shake256:7e550defb267c9883ff6dcba8508103a6afa788695de0b3344103ab8f233e3dc457792a9d6f8dd439107e66a3439cd87b7c138f53a16432216a465cffab6720a google/protobuf/descriptor.proto
@@ -398,6 +398,9 @@
repeated MethodDescriptorProto method = 2;
optional ServiceOptions options = 3;
+
+ reserved 4;
+ reserved "stream";
}
// Describes a method of a service.
google/protobuf/timestamp.proto:
--- shake256:52440b4bfea02829f855c8fe9ecb6ec2b00f0b34e5ef371c6f14aaddc1d5873eb115f3fb6f96078fbc1059bda4a8a5f41a5808817817c0bddab94f31f3ba022a google/protobuf/timestamp.proto
+++ shake256:93a810721dfe089dd61b6a954cbab842c3c6cb9c814cb6286589f66fd148151151847291fd5668bcb8002f6f298364721e1c7c474e1be5d0d184ff37a635d8ce google/protobuf/timestamp.proto
@@ -131,14 +131,15 @@
// ) to obtain a formatter capable of generating timestamps in this format.
//
message Timestamp {
- // Represents seconds of UTC time since Unix epoch
- // 1970-01-01T00:00:00Z. Must be from 0001-01-01T00:00:00Z to
- // 9999-12-31T23:59:59Z inclusive.
+ // Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must
+ // be between -315576000000 and 315576000000 inclusive (which corresponds to
+ // 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z).
int64 seconds = 1;
- // Non-negative fractions of a second at nanosecond resolution. Negative
- // second values with fractions must still have non-negative nanos values
- // that count forward in time. Must be from 0 to 999,999,999
+ // Non-negative fractions of a second at nanosecond resolution. This field is
+ // the nanosecond portion of the duration, not an alternative to seconds.
+ // Negative second values with fractions must still have non-negative nanos
+ // values that count forward in time. Must be between 0 and 999,999,999
// inclusive.
int32 nanos = 2;
}
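Review bot: The new numeric bounds on `seconds` do not match the dates the same comment says they correspond to. As far as I can tell 0001-01-01T00:00:00Z is -62135596800 seconds from the Unix epoch and 9999-12-31T23:59:59Z is 253402300799, while ±315576000000 is the range documented for `Duration`. A range check written from the numbers would accept values well outside the calendar range the comment also states, so consumers that validate timestamps should keep using the date bounds. I would change the bound to `// be between -62135596800 and 253402300799 inclusive (which corresponds to`. The `nanos` comment's "nanosecond portion of the duration" also looks carried over from `Duration` and should read `of the timestamp`.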
05885ce to
0c8ca45
New managed modules references found. Please review.