diff --git a/modules/sync/cncf/xds/state.json b/modules/sync/cncf/xds/state.json index f924a214..823f5821 100644 --- a/modules/sync/cncf/xds/state.json +++ b/modules/sync/cncf/xds/state.json @@ -131,6 +131,10 @@ { "name": "2ac532fd44436293585084f8d94c6bdb17835af0", "digest": "2a5d2cce987de374cf765ec5ec2f2435fe9fdc3d8a638dd26d92ce3130b7971d38894e406d8b42504890afafb45a277f492dad91f16ae5114e6486876fbff2c2" + }, + { + "name": "2ee22ca5838277e4cff0f0219b1c62e5c0cd3cc1", + "digest": "2a5d2cce987de374cf765ec5ec2f2435fe9fdc3d8a638dd26d92ce3130b7971d38894e406d8b42504890afafb45a277f492dad91f16ae5114e6486876fbff2c2" } ] } \ No newline at end of file diff --git a/modules/sync/envoyproxy/envoy/cas/012964f6302f1be544858bbdec9638aa5eea252b22d0226c3213917a2b03d2682c1b9393486b4810938f211a045c9130bed7e1b91c2fa583b7ef894db1eb4905 b/modules/sync/envoyproxy/envoy/cas/012964f6302f1be544858bbdec9638aa5eea252b22d0226c3213917a2b03d2682c1b9393486b4810938f211a045c9130bed7e1b91c2fa583b7ef894db1eb4905 new file mode 100644 index 00000000..28b1eba6 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/012964f6302f1be544858bbdec9638aa5eea252b22d0226c3213917a2b03d2682c1b9393486b4810938f211a045c9130bed7e1b91c2fa583b7ef894db1eb4905 @@ -0,0 +1,757 @@ +syntax = "proto3"; + +package envoy.config.bootstrap.v3; + +import "envoy/config/accesslog/v3/accesslog.proto"; +import "envoy/config/cluster/v3/cluster.proto"; +import "envoy/config/core/v3/address.proto"; +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/config_source.proto"; +import "envoy/config/core/v3/event_service_config.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/resolver.proto"; +import "envoy/config/core/v3/socket_option.proto"; +import "envoy/config/listener/v3/listener.proto"; +import "envoy/config/metrics/v3/stats.proto"; +import "envoy/config/overload/v3/overload.proto"; +import "envoy/config/trace/v3/http_tracer.proto"; +import "envoy/extensions/transport_sockets/tls/v3/secret.proto"; +import "envoy/type/v3/percent.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/security.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.bootstrap.v3"; +option java_outer_classname = "BootstrapProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/bootstrap/v3;bootstrapv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Bootstrap] +// This proto is supplied via the :option:`-c` CLI flag and acts as the root +// of the Envoy v3 configuration. See the :ref:`v3 configuration overview +// ` for more detail. + +// Bootstrap :ref:`configuration overview `. +// [#next-free-field: 43] +message Bootstrap { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.bootstrap.v2.Bootstrap"; + + message StaticResources { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.bootstrap.v2.Bootstrap.StaticResources"; + + // Static :ref:`Listeners `. These listeners are + // available regardless of LDS configuration. + repeated listener.v3.Listener listeners = 1; + + // If a network based configuration source is specified for :ref:`cds_config + // `, it's necessary + // to have some initial cluster definitions available to allow Envoy to know + // how to speak to the management server. + repeated cluster.v3.Cluster clusters = 2; + + // These static secrets can be used by :ref:`SdsSecretConfig + // ` + repeated envoy.extensions.transport_sockets.tls.v3.Secret secrets = 3; + } + + // [#next-free-field: 7] + message DynamicResources { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.bootstrap.v2.Bootstrap.DynamicResources"; + + reserved 4; + + // All :ref:`Listeners ` are provided by a single + // :ref:`LDS ` configuration source. + core.v3.ConfigSource lds_config = 1; + + // xdstp:// resource locator for listener collection. + // [#not-implemented-hide:] + string lds_resources_locator = 5; + + // All post-bootstrap :ref:`Cluster ` definitions are + // provided by a single :ref:`CDS ` + // configuration source. + core.v3.ConfigSource cds_config = 2; + + // xdstp:// resource locator for cluster collection. + // [#not-implemented-hide:] + string cds_resources_locator = 6; + + // A single :ref:`ADS ` source may be optionally + // specified. This must have :ref:`api_type + // ` :ref:`GRPC + // `. Only + // :ref:`ConfigSources ` that have + // the :ref:`ads ` field set will be + // streamed on the ADS channel. + core.v3.ApiConfigSource ads_config = 3; + } + + message ApplicationLogConfig { + message LogFormat { + oneof log_format { + option (validate.required) = true; + + // Flush application logs in JSON format. The configured JSON struct can + // support all the format flags specified in the :option:`--log-format` + // command line options section, except for the ``%v`` and ``%_`` flags. + google.protobuf.Struct json_format = 1; + + // Flush application log in a format defined by a string. The text format + // can support all the format flags specified in the :option:`--log-format` + // command line option section. + string text_format = 2; + } + } + + // Optional field to set the application logs format. If this field is set, it will override + // the default log format. Setting both this field and :option:`--log-format` command line + // option is not allowed, and will cause a bootstrap error. + LogFormat log_format = 1; + } + + message DeferredStatOptions { + // When the flag is enabled, Envoy will lazily initialize a subset of the stats (see below). + // This will save memory and CPU cycles when creating the objects that own these stats, if those + // stats are never referenced throughout the lifetime of the process. However, it will incur additional + // memory overhead for these objects, and a small increase of CPU usage when a at least one of the stats + // is updated for the first time. + // Groups of stats that will be lazily initialized: + // - Cluster traffic stats: a subgroup of the :ref:`cluster statistics ` + // that are used when requests are routed to the cluster. + bool enable_deferred_creation_stats = 1; + } + + message GrpcAsyncClientManagerConfig { + // Optional field to set the expiration time for the cached gRPC client object. + // The minimal value is 5s and the default is 50s. + google.protobuf.Duration max_cached_entry_idle_duration = 1 + [(validate.rules).duration = {gte {seconds: 5}}]; + } + + reserved 10, 11; + + reserved "runtime"; + + // Node identity to present to the management server and for instance + // identification purposes (e.g. in generated headers). + core.v3.Node node = 1; + + // A list of :ref:`Node ` field names + // that will be included in the context parameters of the effective + // xdstp:// URL that is sent in a discovery request when resource + // locators are used for LDS/CDS. Any non-string field will have its JSON + // encoding set as the context parameter value, with the exception of + // metadata, which will be flattened (see example below). The supported field + // names are: + // - "cluster" + // - "id" + // - "locality.region" + // - "locality.sub_zone" + // - "locality.zone" + // - "metadata" + // - "user_agent_build_version.metadata" + // - "user_agent_build_version.version" + // - "user_agent_name" + // - "user_agent_version" + // + // The node context parameters act as a base layer dictionary for the context + // parameters (i.e. more specific resource specific context parameters will + // override). Field names will be prefixed with “udpa.node.” when included in + // context parameters. + // + // For example, if node_context_params is ``["user_agent_name", "metadata"]``, + // the implied context parameters might be:: + // + // node.user_agent_name: "envoy" + // node.metadata.foo: "{\"bar\": \"baz\"}" + // node.metadata.some: "42" + // node.metadata.thing: "\"thing\"" + // + // [#not-implemented-hide:] + repeated string node_context_params = 26; + + // Statically specified resources. + StaticResources static_resources = 2; + + // xDS configuration sources. + DynamicResources dynamic_resources = 3; + + // Configuration for the cluster manager which owns all upstream clusters + // within the server. + ClusterManager cluster_manager = 4; + + // Health discovery service config option. + // (:ref:`core.ApiConfigSource `) + core.v3.ApiConfigSource hds_config = 14; + + // Optional file system path to search for startup flag files. + string flags_path = 5; + + // Optional set of stats sinks. + repeated metrics.v3.StatsSink stats_sinks = 6; + + // Options to control behaviors of deferred creation compatible stats. + DeferredStatOptions deferred_stat_options = 39; + + // Configuration for internal processing of stats. + metrics.v3.StatsConfig stats_config = 13; + + // Optional duration between flushes to configured stats sinks. For + // performance reasons Envoy latches counters and only flushes counters and + // gauges at a periodic interval. If not specified the default is 5000ms (5 + // seconds). Only one of ``stats_flush_interval`` or ``stats_flush_on_admin`` + // can be set. + // Duration must be at least 1ms and at most 5 min. + google.protobuf.Duration stats_flush_interval = 7 [ + (validate.rules).duration = { + lt {seconds: 300} + gte {nanos: 1000000} + }, + (udpa.annotations.field_migrate).oneof_promotion = "stats_flush" + ]; + + oneof stats_flush { + // Flush stats to sinks only when queried for on the admin interface. If set, + // a flush timer is not created. Only one of ``stats_flush_on_admin`` or + // ``stats_flush_interval`` can be set. + bool stats_flush_on_admin = 29 [(validate.rules).bool = {const: true}]; + } + + oneof stats_eviction { + // Optional duration to perform metric eviction. At every interval, during the stats flush + // the unused metrics are removed from the worker caches and the used metrics + // are marked as unused. Must be a multiple of the ``stats_flush_interval``. + google.protobuf.Duration stats_eviction_interval = 42 + [(validate.rules).duration = {gte {nanos: 1000000}}]; + } + + // Optional watchdog configuration. + // This is for a single watchdog configuration for the entire system. + // Deprecated in favor of ``watchdogs`` which has finer granularity. + Watchdog watchdog = 8 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Optional watchdogs configuration. + // This is used for specifying different watchdogs for the different subsystems. + // [#extension-category: envoy.guarddog_actions] + Watchdogs watchdogs = 27; + + // Configuration for an external tracing provider. + // + // .. attention:: + // This field has been deprecated in favor of :ref:`HttpConnectionManager.Tracing.provider + // `. + trace.v3.Tracing tracing = 9 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Configuration for the runtime configuration provider. If not + // specified, a “null” provider will be used which will result in all defaults + // being used. + LayeredRuntime layered_runtime = 17; + + // Configuration for the local administration HTTP server. + Admin admin = 12; + + // Optional overload manager configuration. + overload.v3.OverloadManager overload_manager = 15 [ + (udpa.annotations.security).configure_for_untrusted_downstream = true, + (udpa.annotations.security).configure_for_untrusted_upstream = true + ]; + + // Enable :ref:`stats for event dispatcher `, defaults to false. + // Note that this records a value for each iteration of the event loop on every thread. This + // should normally be minimal overhead, but when using + // :ref:`statsd `, it will send each observed value + // over the wire individually because the statsd protocol doesn't have any way to represent a + // histogram summary. Be aware that this can be a very large volume of data. + bool enable_dispatcher_stats = 16; + + // Optional string which will be used in lieu of x-envoy in prefixing headers. + // + // For example, if this string is present and set to X-Foo, then x-envoy-retry-on will be + // transformed into x-foo-retry-on etc. + // + // Note this applies to the headers Envoy will generate, the headers Envoy will sanitize, and the + // headers Envoy will trust for core code and core extensions only. Be VERY careful making + // changes to this string, especially in multi-layer Envoy deployments or deployments using + // extensions which are not upstream. + string header_prefix = 18; + + // Optional proxy version which will be used to set the value of :ref:`server.version statistic + // ` if specified. Envoy will not process this value, it will be sent as is to + // :ref:`stats sinks `. + google.protobuf.UInt64Value stats_server_version_override = 19; + + // Always use TCP queries instead of UDP queries for DNS lookups. + // This may be overridden on a per-cluster basis in cds_config, + // when :ref:`dns_resolvers ` and + // :ref:`use_tcp_for_dns_lookups ` are + // specified. + // This field is deprecated in favor of ``dns_resolution_config`` + // which aggregates all of the DNS resolver configuration in a single message. + bool use_tcp_for_dns_lookups = 20 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // DNS resolution configuration which includes the underlying dns resolver addresses and options. + // This may be overridden on a per-cluster basis in cds_config, when + // :ref:`dns_resolution_config ` + // is specified. + // This field is deprecated in favor of + // :ref:`typed_dns_resolver_config `. + core.v3.DnsResolutionConfig dns_resolution_config = 30 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // DNS resolver type configuration extension. This extension can be used to configure c-ares, apple, + // or any other DNS resolver types and the related parameters. + // For example, an object of + // :ref:`CaresDnsResolverConfig ` + // can be packed into this ``typed_dns_resolver_config``. This configuration replaces the + // :ref:`dns_resolution_config ` + // configuration. + // During the transition period when both ``dns_resolution_config`` and ``typed_dns_resolver_config`` exists, + // when ``typed_dns_resolver_config`` is in place, Envoy will use it and ignore ``dns_resolution_config``. + // When ``typed_dns_resolver_config`` is missing, the default behavior is in place. + // [#extension-category: envoy.network.dns_resolver] + core.v3.TypedExtensionConfig typed_dns_resolver_config = 31; + + // Specifies optional bootstrap extensions to be instantiated at startup time. + // Each item contains extension specific configuration. + // [#extension-category: envoy.bootstrap] + repeated core.v3.TypedExtensionConfig bootstrap_extensions = 21; + + // Specifies optional extensions instantiated at startup time and + // invoked during crash time on the request that caused the crash. + repeated FatalAction fatal_actions = 28; + + // Configuration sources that will participate in + // xdstp:// URL authority resolution. The algorithm is as + // follows: + // 1. The authority field is taken from the xdstp:// URL, call + // this ``resource_authority``. + // 2. ``resource_authority`` is compared against the authorities in any peer + // ``ConfigSource``. The peer ``ConfigSource`` is the configuration source + // message which would have been used unconditionally for resolution + // with opaque resource names. If there is a match with an authority, the + // peer ``ConfigSource`` message is used. + // 3. ``resource_authority`` is compared sequentially with the authorities in + // each configuration source in ``config_sources``. The first ``ConfigSource`` + // to match wins. + // 4. As a fallback, if no configuration source matches, then + // ``default_config_source`` is used. + // 5. If ``default_config_source`` is not specified, resolution fails. + // [#not-implemented-hide:] + repeated core.v3.ConfigSource config_sources = 22; + + // Default configuration source for xdstp:// URLs if all + // other resolution fails. + // [#not-implemented-hide:] + core.v3.ConfigSource default_config_source = 23; + + // Optional overriding of default socket interface. The value must be the name of one of the + // socket interface factories initialized through a bootstrap extension + string default_socket_interface = 24; + + // Global map of CertificateProvider instances. These instances are referred to by name in the + // :ref:`CommonTlsContext.CertificateProviderInstance.instance_name + // ` + // field. + // [#not-implemented-hide:] + map certificate_provider_instances = 25; + + // Specifies a set of headers that need to be registered as inline header. This configuration + // allows users to customize the inline headers on-demand at Envoy startup without modifying + // Envoy's source code. + // + // Note that the 'set-cookie' header cannot be registered as inline header. + repeated CustomInlineHeader inline_headers = 32; + + // Optional path to a file with performance tracing data created by "Perfetto" SDK in binary + // ProtoBuf format. The default value is "envoy.pftrace". + string perf_tracing_file_path = 33; + + // Optional overriding of default regex engine. + // If the value is not specified, Google RE2 will be used by default. + // [#extension-category: envoy.regex_engines] + core.v3.TypedExtensionConfig default_regex_engine = 34; + + // Optional XdsResourcesDelegate configuration, which allows plugging custom logic into both + // fetch and load events during xDS processing. + // If a value is not specified, no XdsResourcesDelegate will be used. + // TODO(abeyad): Add public-facing documentation. + // [#not-implemented-hide:] + core.v3.TypedExtensionConfig xds_delegate_extension = 35; + + // Optional XdsConfigTracker configuration, which allows tracking xDS responses in external components, + // e.g., external tracer or monitor. It provides the process point when receive, ingest, or fail to + // process xDS resources and messages. If a value is not specified, no XdsConfigTracker will be used. + // + // .. note:: + // + // There are no in-repo extensions currently, and the :repo:`XdsConfigTracker ` + // interface should be implemented before using. + // See :repo:`xds_config_tracker_integration_test ` + // for an example usage of the interface. + core.v3.TypedExtensionConfig xds_config_tracker_extension = 36; + + // [#not-implemented-hide:] + // This controls the type of listener manager configured for Envoy. Currently + // Envoy only supports ListenerManager for this field and Envoy Mobile + // supports ApiListenerManager. + core.v3.TypedExtensionConfig listener_manager = 37; + + // Optional application log configuration. + ApplicationLogConfig application_log_config = 38; + + // Optional gRPC async manager config. + GrpcAsyncClientManagerConfig grpc_async_client_manager_config = 40; + + // Optional configuration for memory allocation manager. + // Memory releasing is only supported for `tcmalloc allocator `_. + MemoryAllocatorManager memory_allocator_manager = 41; +} + +// Administration interface :ref:`operations documentation +// `. +// [#next-free-field: 7] +message Admin { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.bootstrap.v2.Admin"; + + // Configuration for :ref:`access logs ` + // emitted by the administration server. + repeated accesslog.v3.AccessLog access_log = 5; + + // The path to write the access log for the administration server. If no + // access log is desired specify ‘/dev/null’. This is only required if + // :ref:`address ` is set. + // Deprecated in favor of ``access_log`` which offers more options. + string access_log_path = 1 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // The cpu profiler output path for the administration server. If no profile + // path is specified, the default is ‘/var/log/envoy/envoy.prof’. + string profile_path = 2; + + // The TCP address that the administration server will listen on. + // If not specified, Envoy will not start an administration server. + core.v3.Address address = 3; + + // Additional socket options that may not be present in Envoy source code or + // precompiled binaries. + repeated core.v3.SocketOption socket_options = 4; + + // Indicates whether :ref:`global_downstream_max_connections ` + // should apply to the admin interface or not. + bool ignore_global_conn_limit = 6; +} + +// Cluster manager :ref:`architecture overview `. +// [#next-free-field: 6] +message ClusterManager { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.bootstrap.v2.ClusterManager"; + + message OutlierDetection { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.bootstrap.v2.ClusterManager.OutlierDetection"; + + // Specifies the path to the outlier event log. + string event_log_path = 1; + + // [#not-implemented-hide:] + // The gRPC service for the outlier detection event service. + // If empty, outlier detection events won't be sent to a remote endpoint. + core.v3.EventServiceConfig event_service = 2; + } + + // Name of the local cluster (i.e., the cluster that owns the Envoy running + // this configuration). In order to enable :ref:`zone aware routing + // ` this option must be set. + // If ``local_cluster_name`` is defined then :ref:`clusters + // ` must be defined in the :ref:`Bootstrap + // static cluster resources + // `. This is unrelated to + // the :option:`--service-cluster` option which does not `affect zone aware + // routing `_. + string local_cluster_name = 1; + + // Optional global configuration for outlier detection. + OutlierDetection outlier_detection = 2; + + // Optional configuration used to bind newly established upstream connections. + // This may be overridden on a per-cluster basis by upstream_bind_config in the cds_config. + core.v3.BindConfig upstream_bind_config = 3; + + // A management server endpoint to stream load stats to via + // ``StreamLoadStats``. This must have :ref:`api_type + // ` :ref:`GRPC + // `. + core.v3.ApiConfigSource load_stats_config = 4; + + // Whether the ClusterManager will create clusters on the worker threads + // inline during requests. This will save memory and CPU cycles in cases where + // there are lots of inactive clusters and > 1 worker thread. + bool enable_deferred_cluster_creation = 5; +} + +// Allows you to specify different watchdog configs for different subsystems. +// This allows finer tuned policies for the watchdog. If a subsystem is omitted +// the default values for that system will be used. +message Watchdogs { + // Watchdog for the main thread. + Watchdog main_thread_watchdog = 1; + + // Watchdog for the worker threads. + Watchdog worker_watchdog = 2; +} + +// Envoy process watchdog configuration. When configured, this monitors for +// nonresponsive threads and kills the process after the configured thresholds. +// See the :ref:`watchdog documentation ` for more information. +// [#next-free-field: 8] +message Watchdog { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.bootstrap.v2.Watchdog"; + + message WatchdogAction { + // The events are fired in this order: KILL, MULTIKILL, MEGAMISS, MISS. + // Within an event type, actions execute in the order they are configured. + // For KILL/MULTIKILL there is a default PANIC that will run after the + // registered actions and kills the process if it wasn't already killed. + // It might be useful to specify several debug actions, and possibly an + // alternate FATAL action. + enum WatchdogEvent { + UNKNOWN = 0; + KILL = 1; + MULTIKILL = 2; + MEGAMISS = 3; + MISS = 4; + } + + // Extension specific configuration for the action. + core.v3.TypedExtensionConfig config = 1; + + WatchdogEvent event = 2 [(validate.rules).enum = {defined_only: true}]; + } + + // Register actions that will fire on given WatchDog events. + // See ``WatchDogAction`` for priority of events. + repeated WatchdogAction actions = 7; + + // The duration after which Envoy counts a nonresponsive thread in the + // ``watchdog_miss`` statistic. If not specified the default is 200ms. + google.protobuf.Duration miss_timeout = 1; + + // The duration after which Envoy counts a nonresponsive thread in the + // ``watchdog_mega_miss`` statistic. If not specified the default is + // 1000ms. + google.protobuf.Duration megamiss_timeout = 2; + + // If a watched thread has been nonresponsive for this duration, assume a + // programming error and kill the entire Envoy process. Set to 0 to disable + // kill behavior. If not specified the default is 0 (disabled). + google.protobuf.Duration kill_timeout = 3; + + // Defines the maximum jitter used to adjust the ``kill_timeout`` if ``kill_timeout`` is + // enabled. Enabling this feature would help to reduce risk of synchronized + // watchdog kill events across proxies due to external triggers. Set to 0 to + // disable. If not specified the default is 0 (disabled). + google.protobuf.Duration max_kill_timeout_jitter = 6 [(validate.rules).duration = {gte {}}]; + + // If ``max(2, ceil(registered_threads * Fraction(*multikill_threshold*)))`` + // threads have been nonresponsive for at least this duration kill the entire + // Envoy process. Set to 0 to disable this behavior. If not specified the + // default is 0 (disabled). + google.protobuf.Duration multikill_timeout = 4; + + // Sets the threshold for ``multikill_timeout`` in terms of the percentage of + // nonresponsive threads required for the ``multikill_timeout``. + // If not specified the default is 0. + type.v3.Percent multikill_threshold = 5; +} + +// Fatal actions to run while crashing. Actions can be safe (meaning they are +// async-signal safe) or unsafe. We run all safe actions before we run unsafe actions. +// If using an unsafe action that could get stuck or deadlock, it important to +// have an out of band system to terminate the process. +// +// The interface for the extension is ``Envoy::Server::Configuration::FatalAction``. +// ``FatalAction`` extensions live in the ``envoy.extensions.fatal_actions`` API +// namespace. +message FatalAction { + // Extension specific configuration for the action. It's expected to conform + // to the ``Envoy::Server::Configuration::FatalAction`` interface. + core.v3.TypedExtensionConfig config = 1; +} + +// Runtime :ref:`configuration overview ` (deprecated). +message Runtime { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.bootstrap.v2.Runtime"; + + // The implementation assumes that the file system tree is accessed via a + // symbolic link. An atomic link swap is used when a new tree should be + // switched to. This parameter specifies the path to the symbolic link. Envoy + // will watch the location for changes and reload the file system tree when + // they happen. If this parameter is not set, there will be no disk based + // runtime. + string symlink_root = 1; + + // Specifies the subdirectory to load within the root directory. This is + // useful if multiple systems share the same delivery mechanism. Envoy + // configuration elements can be contained in a dedicated subdirectory. + string subdirectory = 2; + + // Specifies an optional subdirectory to load within the root directory. If + // specified and the directory exists, configuration values within this + // directory will override those found in the primary subdirectory. This is + // useful when Envoy is deployed across many different types of servers. + // Sometimes it is useful to have a per service cluster directory for runtime + // configuration. See below for exactly how the override directory is used. + string override_subdirectory = 3; + + // Static base runtime. This will be :ref:`overridden + // ` by other runtime layers, e.g. + // disk or admin. This follows the :ref:`runtime protobuf JSON representation + // encoding `. + google.protobuf.Struct base = 4; +} + +// [#next-free-field: 6] +message RuntimeLayer { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.bootstrap.v2.RuntimeLayer"; + + // :ref:`Disk runtime ` layer. + message DiskLayer { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.bootstrap.v2.RuntimeLayer.DiskLayer"; + + // The implementation assumes that the file system tree is accessed via a + // symbolic link. An atomic link swap is used when a new tree should be + // switched to. This parameter specifies the path to the symbolic link. + // Envoy will watch the location for changes and reload the file system tree + // when they happen. See documentation on runtime :ref:`atomicity + // ` for further details on how reloads are + // treated. + string symlink_root = 1; + + // Specifies the subdirectory to load within the root directory. This is + // useful if multiple systems share the same delivery mechanism. Envoy + // configuration elements can be contained in a dedicated subdirectory. + string subdirectory = 3; + + // :ref:`Append ` the + // service cluster to the path under symlink root. + bool append_service_cluster = 2; + } + + // :ref:`Admin console runtime ` layer. + message AdminLayer { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.bootstrap.v2.RuntimeLayer.AdminLayer"; + } + + // :ref:`Runtime Discovery Service (RTDS) ` layer. + message RtdsLayer { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.bootstrap.v2.RuntimeLayer.RtdsLayer"; + + // Resource to subscribe to at ``rtds_config`` for the RTDS layer. + string name = 1; + + // RTDS configuration source. + core.v3.ConfigSource rtds_config = 2; + } + + // Descriptive name for the runtime layer. This is only used for the runtime + // :http:get:`/runtime` output. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + oneof layer_specifier { + option (validate.required) = true; + + // :ref:`Static runtime ` layer. + // This follows the :ref:`runtime protobuf JSON representation encoding + // `. Unlike static xDS resources, this static + // layer is overridable by later layers in the runtime virtual filesystem. + google.protobuf.Struct static_layer = 2; + + DiskLayer disk_layer = 3; + + AdminLayer admin_layer = 4; + + RtdsLayer rtds_layer = 5; + } +} + +// Runtime :ref:`configuration overview `. +message LayeredRuntime { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.bootstrap.v2.LayeredRuntime"; + + // The :ref:`layers ` of the runtime. This is ordered + // such that later layers in the list overlay earlier entries. + repeated RuntimeLayer layers = 1; +} + +// Used to specify the header that needs to be registered as an inline header. +// +// If request or response contain multiple headers with the same name and the header +// name is registered as an inline header. Then multiple headers will be folded +// into one, and multiple header values will be concatenated by a suitable delimiter. +// The delimiter is generally a comma. +// +// For example, if 'foo' is registered as an inline header, and the headers contains +// the following two headers: +// +// .. code-block:: text +// +// foo: bar +// foo: eep +// +// Then they will eventually be folded into: +// +// .. code-block:: text +// +// foo: bar, eep +// +// Inline headers provide O(1) search performance, but each inline header imposes +// an additional memory overhead on all instances of the corresponding type of +// HeaderMap or TrailerMap. +message CustomInlineHeader { + enum InlineHeaderType { + REQUEST_HEADER = 0; + REQUEST_TRAILER = 1; + RESPONSE_HEADER = 2; + RESPONSE_TRAILER = 3; + } + + // The name of the header that is expected to be set as the inline header. + string inline_header_name = 1 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // The type of the header that is expected to be set as the inline header. + InlineHeaderType inline_header_type = 2 [(validate.rules).enum = {defined_only: true}]; +} + +message MemoryAllocatorManager { + // Configures tcmalloc to perform background release of free memory in amount of bytes per ``memory_release_interval`` interval. + // If equals to ``0``, no memory release will occur. Defaults to ``0``. + uint64 bytes_to_release = 1; + + // Interval in milliseconds for memory releasing. If specified, during every + // interval Envoy will try to release ``bytes_to_release`` of free memory back to operating system for reuse. + // Defaults to 1000 milliseconds. + google.protobuf.Duration memory_release_interval = 2; +} diff --git a/modules/sync/envoyproxy/envoy/cas/01f1be6da291eaba77746eb09c1837f51354726aa6f0c9aed1fe958b66d8298193826d0f4b33c97054c053f1e7860980f67ea074e897f405bd50d8d79279d8e4 b/modules/sync/envoyproxy/envoy/cas/01f1be6da291eaba77746eb09c1837f51354726aa6f0c9aed1fe958b66d8298193826d0f4b33c97054c053f1e7860980f67ea074e897f405bd50d8d79279d8e4 new file mode 100644 index 00000000..699dc357 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/01f1be6da291eaba77746eb09c1837f51354726aa6f0c9aed1fe958b66d8298193826d0f4b33c97054c053f1e7860980f67ea074e897f405bd50d8d79279d8e4 @@ -0,0 +1,71 @@ +syntax = "proto3"; + +package envoy.extensions.http.ext_proc.processing_request_modifiers.mapped_attribute_builder.v3; + +import "xds/annotations/v3/status.proto"; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.http.ext_proc.processing_request_modifiers.mapped_attribute_builder.v3"; +option java_outer_classname = "MappedAttributeBuilderProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/http/ext_proc/processing_request_modifiers/mapped_attribute_builder/v3;mapped_attribute_builderv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; +option (xds.annotations.v3.file_status).work_in_progress = true; + +// [#protodoc-title: Mapped Attribute Builder for the external processor] +// [#extension: envoy.http.ext_proc.processing_request_modifiers.mapped_attribute_builder] + +// Extension to build custom attributes in the :ref:`request +// ` based on a configurable mapping. The +// native implementation uses the CEL expression as the key, which is not always desirable. Using this +// extension, one can re-map a CEL expression that references internal filter state into a more +// user-friendly key that decouples the value from the underlying filter implementation. +// +// If a given CEL expression fails to eval, it will not be present in the attributes struct. +// +// If this extension is configured, then the original :ref:`ProcessingRequest +// `'s ``request_attributes`` are ignored, +// and all attributes should be explicitly set via this extension. +// +// An example configuration may look like so: +// +// .. code-block:: yaml +// +// mapped_request_attributes: +// "request.path": "request.path" +// "source.country": "metadata.filter_metadata['com.example.location_filter']['country_code']" +// +// In the above example, the complex filter_metadata expression is evaluated via CEL, and the value +// is stored under the friendlier ``source.country`` key. ``The ProcessingRequest`` would look like: +// +// .. code-block:: text +// +// attributes { +// key: "envoy.filters.http.ext_proc" +// value { +// fields { +// key: "request.path" +// value { +// string_value: "/profile" +// } +// } +// fields { +// key: "source.country" +// value { +// string_value: "US" +// } +// } +// } +// } +// +// .. note:: +// Processing request modifiers are currently in alpha. +// +message MappedAttributeBuilder { + // A map of request attributes to set in the attributes struct. + // The key is the attribute name, the value is the attribute value, + // interpretable by CEL. This allows for the re-mapping of attributes, which is not supported + // by the native attribute building logic. + map mapped_request_attributes = 1; +} diff --git a/modules/sync/envoyproxy/envoy/cas/022c490b3a9aecb67218c125d84b38611bb0a95736ca7ee0bd1fd59b14f9b28da3391b06a0e790a495a559c209b680a2869bc5cd042fa9c4de9afc26385b7bd8 b/modules/sync/envoyproxy/envoy/cas/022c490b3a9aecb67218c125d84b38611bb0a95736ca7ee0bd1fd59b14f9b28da3391b06a0e790a495a559c209b680a2869bc5cd042fa9c4de9afc26385b7bd8 new file mode 100644 index 00000000..c1d7a248 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/022c490b3a9aecb67218c125d84b38611bb0a95736ca7ee0bd1fd59b14f9b28da3391b06a0e790a495a559c209b680a2869bc5cd042fa9c4de9afc26385b7bd8 @@ -0,0 +1,54 @@ +syntax = "proto3"; + +package envoy.extensions.geoip_providers.maxmind.v3; + +import "envoy/extensions/geoip_providers/common/v3/common.proto"; + +import "xds/annotations/v3/status.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.geoip_providers.maxmind.v3"; +option java_outer_classname = "MaxmindProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/geoip_providers/maxmind/v3;maxmindv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; +option (xds.annotations.v3.file_status).work_in_progress = true; + +// [#protodoc-title: MaxMind Geolocation Provider] +// MaxMind geolocation provider :ref:`configuration overview `. +// +// At least one geolocation database path must be configured: +// +// * :ref:`city_db_path ` +// * :ref:`isp_db_path ` +// * :ref:`asn_db_path ` +// * :ref:`anon_db_path ` +// [#extension: envoy.geoip_providers.maxmind] + +// [#next-free-field: 6] +message MaxMindConfig { + // Full file path to the MaxMind city database, e.g., ``/etc/GeoLite2-City.mmdb``. + // Database file is expected to have ``.mmdb`` extension. + string city_db_path = 1 [(validate.rules).string = {pattern: "^$|^.*\\.mmdb$"}]; + + // Full file path to the MaxMind ASN database, e.g., ``/etc/GeoLite2-ASN.mmdb``. + // Database file is expected to have ``.mmdb`` extension. + // When this is defined, the ASN information will always be fetched from the ``asn_db``. + string asn_db_path = 2 [(validate.rules).string = {pattern: "^$|^.*\\.mmdb$"}]; + + // Full file path to the MaxMind Anonymous IP database, e.g., ``/etc/GeoIP2-Anonymous-IP.mmdb``. + // Database file is expected to have ``.mmdb`` extension. + string anon_db_path = 3 [(validate.rules).string = {pattern: "^$|^.*\\.mmdb$"}]; + + // Full file path to the MaxMind ISP database, e.g., ``/etc/GeoLite2-ISP.mmdb``. + // Database file is expected to have ``.mmdb`` extension. + // If ``asn_db_path`` is not defined, ASN information will be fetched from + // ``isp_db`` instead. + string isp_db_path = 5 [(validate.rules).string = {pattern: "^$|^.*\\.mmdb$"}]; + + // Common provider configuration that specifies which geolocation headers will be populated with geolocation data. + common.v3.CommonGeoipProviderConfig common_provider_config = 4 + [(validate.rules).message = {required: true}]; +} diff --git a/modules/sync/envoyproxy/envoy/cas/0ab7a51526349d17204ee9d8ea113d3786daa4820362b5f6343919aab1ce08622c5831302b043b080ef74ad38101100f25f807b50ab19b8fa4f825fac23d292b b/modules/sync/envoyproxy/envoy/cas/0ab7a51526349d17204ee9d8ea113d3786daa4820362b5f6343919aab1ce08622c5831302b043b080ef74ad38101100f25f807b50ab19b8fa4f825fac23d292b new file mode 100644 index 00000000..02bb23ae --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/0ab7a51526349d17204ee9d8ea113d3786daa4820362b5f6343919aab1ce08622c5831302b043b080ef74ad38101100f25f807b50ab19b8fa4f825fac23d292b @@ -0,0 +1,416 @@ +syntax = "proto3"; + +package envoy.config.metrics.v3; + +import "envoy/config/core/v3/address.proto"; +import "envoy/type/matcher/v3/string.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.metrics.v3"; +option java_outer_classname = "StatsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/metrics/v3;metricsv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Stats] +// Statistics :ref:`architecture overview `. + +// Configuration for pluggable stats sinks. +message StatsSink { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.metrics.v2.StatsSink"; + + reserved 2; + + reserved "config"; + + // The name of the stats sink to instantiate. The name must match a supported + // stats sink. + // See the :ref:`extensions listed in typed_config below ` for the default list of available stats sink. + // Sinks optionally support tagged/multiple dimensional metrics. + string name = 1; + + // Stats sink specific configuration which depends on the sink being instantiated. See + // :ref:`StatsdSink ` for an example. + // [#extension-category: envoy.stats_sinks] + oneof config_type { + google.protobuf.Any typed_config = 3; + } +} + +// Statistics configuration such as tagging. +message StatsConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.metrics.v2.StatsConfig"; + + // Each stat name is independently processed through these tag specifiers. When a tag is + // matched, the first capture group is not immediately removed from the name, so later + // :ref:`TagSpecifiers ` can also match that + // same portion of the match. After all tag matching is complete, a tag-extracted version of + // the name is produced and is used in stats sinks that represent tags, such as Prometheus. + repeated TagSpecifier stats_tags = 1; + + // Use all default tag regexes specified in Envoy. These can be combined with + // custom tags specified in :ref:`stats_tags + // `. They will be processed before + // the custom tags. + // + // .. note:: + // + // If any default tags are specified twice, the config will be considered + // invalid. + // + // See :repo:`well_known_names.h ` for a list of the + // default tags in Envoy. + // + // If not provided, the value is assumed to be true. + google.protobuf.BoolValue use_all_default_tags = 2; + + // Inclusion/exclusion matcher for stat name creation. If not provided, all stats are instantiated + // as normal. Preventing the instantiation of certain families of stats can improve memory + // performance for Envoys running especially large configs. + // + // .. warning:: + // Excluding stats may affect Envoy's behavior in undocumented ways. See + // `issue #8771 `_ for more information. + // If any unexpected behavior changes are observed, please open a new issue immediately. + StatsMatcher stats_matcher = 3; + + // Defines rules for setting the histogram buckets. Rules are evaluated in order, and the first + // match is applied. If no match is found (or if no rules are set), the following default buckets + // are used: + // + // .. code-block:: json + // + // [ + // 0.5, + // 1, + // 5, + // 10, + // 25, + // 50, + // 100, + // 250, + // 500, + // 1000, + // 2500, + // 5000, + // 10000, + // 30000, + // 60000, + // 300000, + // 600000, + // 1800000, + // 3600000 + // ] + repeated HistogramBucketSettings histogram_bucket_settings = 4; +} + +// Configuration for disabling stat instantiation. +message StatsMatcher { + // The instantiation of stats is unrestricted by default. If the goal is to configure Envoy to + // instantiate all stats, there is no need to construct a StatsMatcher. + // + // However, StatsMatcher can be used to limit the creation of families of stats in order to + // conserve memory. Stats can either be disabled entirely, or they can be + // limited by either an exclusion or an inclusion list of :ref:`StringMatcher + // ` protos: + // + // * If ``reject_all`` is set to ``true``, no stats will be instantiated. If ``reject_all`` is set to + // ``false``, all stats will be instantiated. + // + // * If an exclusion list is supplied, any stat name matching *any* of the StringMatchers in the + // list will not instantiate. + // + // * If an inclusion list is supplied, no stats will instantiate, except those matching *any* of + // the StringMatchers in the list. + // + // + // A StringMatcher can be used to match against an exact string, a suffix / prefix, or a regex. + // **NB:** For performance reasons, it is highly recommended to use a prefix- or suffix-based + // matcher rather than a regex-based matcher. + // + // Example 1. Excluding all stats. + // + // .. code-block:: json + // + // { + // "statsMatcher": { + // "rejectAll": "true" + // } + // } + // + // Example 2. Excluding all cluster-specific stats, but not cluster-manager stats: + // + // .. code-block:: json + // + // { + // "statsMatcher": { + // "exclusionList": { + // "patterns": [ + // { + // "prefix": "cluster." + // } + // ] + // } + // } + // } + // + // Example 3. Including only manager-related stats: + // + // .. code-block:: json + // + // { + // "statsMatcher": { + // "inclusionList": { + // "patterns": [ + // { + // "prefix": "cluster_manager." + // }, + // { + // "prefix": "listener_manager." + // } + // ] + // } + // } + // } + // + + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.metrics.v2.StatsMatcher"; + + oneof stats_matcher { + option (validate.required) = true; + + // If ``reject_all`` is true, then all stats are disabled. If ``reject_all`` is false, then all + // stats are enabled. + bool reject_all = 1; + + // Exclusive match. All stats are enabled except for those matching one of the supplied + // StringMatcher protos. + type.matcher.v3.ListStringMatcher exclusion_list = 2; + + // Inclusive match. No stats are enabled except for those matching one of the supplied + // StringMatcher protos. + type.matcher.v3.ListStringMatcher inclusion_list = 3; + } +} + +// Designates a tag name and value pair. The value may be either a fixed value +// or a regex providing the value via capture groups. The specified tag will be +// unconditionally set if a fixed value, otherwise it will only be set if one +// or more capture groups in the regex match. +message TagSpecifier { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.metrics.v2.TagSpecifier"; + + // Attaches an identifier to the tag values to identify the tag being in the + // sink. Envoy has a set of default names and regexes to extract dynamic + // portions of existing stats, which can be found in :repo:`well_known_names.h + // ` in the Envoy repository. If a :ref:`tag_name + // ` is provided in the config and + // neither :ref:`regex ` or + // :ref:`fixed_value ` were specified, + // Envoy will attempt to find that name in its set of defaults and use the accompanying regex. + // + // .. note:: + // + // A stat name may be spelled in such a way that it matches two different + // tag extractors for the same tag name. In that case, all but one of the + // tag values will be dropped. It is not specified which tag value will be + // retained. The extraction will only occur for one of the extractors, and + // only the matched extraction will be removed from the tag name. + string tag_name = 1; + + oneof tag_value { + // Designates a tag to strip from the tag extracted name and provide as a named + // tag value for all statistics. This will only occur if any part of the name + // matches the regex provided with one or more capture groups. + // + // The first capture group identifies the portion of the name to remove. The + // second capture group (which will normally be nested inside the first) will + // designate the value of the tag for the statistic. If no second capture + // group is provided, the first will also be used to set the value of the tag. + // All other capture groups will be ignored. + // + // Example 1. a stat name ``cluster.foo_cluster.upstream_rq_timeout`` and + // one tag specifier: + // + // .. code-block:: json + // + // { + // "tag_name": "envoy.cluster_name", + // "regex": "^cluster\\.((.+?)\\.)" + // } + // + // Note that the regex will remove ``foo_cluster.`` making the tag extracted + // name ``cluster.upstream_rq_timeout`` and the tag value for + // ``envoy.cluster_name`` will be ``foo_cluster`` (note: there will be no + // ``.`` character because of the second capture group). + // + // Example 2. a stat name + // ``http.connection_manager_1.user_agent.ios.downstream_cx_total`` and two + // tag specifiers: + // + // .. code-block:: json + // + // [ + // { + // "tag_name": "envoy.http_user_agent", + // "regex": "^http(?=\\.).*?\\.user_agent\\.((.+?)\\.)\\w+?$" + // }, + // { + // "tag_name": "envoy.http_conn_manager_prefix", + // "regex": "^http\\.((.*?)\\.)" + // } + // ] + // + // The two regexes of the specifiers will be processed from the elaborated + // stat name. + // + // The first regex will save ``ios.`` as the tag value for ``envoy.http_user_agent``. It will + // leave it in the name for potential matching with additional tag specifiers. After all tag + // specifiers are processed the tags will be removed from the name. + // + // The second regex will populate tag ``envoy.http_conn_manager_prefix`` with value + // ``connection_manager_1.``, based on the original stat name. + // + // As a final step, the matched tags are removed, leaving + // ``http.user_agent.downstream_cx_total`` as the tag extracted name. + string regex = 2 [(validate.rules).string = {max_bytes: 1024}]; + + // Specifies a fixed tag value for the ``tag_name``. + string fixed_value = 3; + } +} + +// Specifies a matcher for stats and the buckets that matching stats should use. +message HistogramBucketSettings { + // The stats that this rule applies to. The match is applied to the original stat name + // before tag-extraction, for example ``cluster.exampleclustername.upstream_cx_length_ms``. + type.matcher.v3.StringMatcher match = 1 [(validate.rules).message = {required: true}]; + + // Each value is the upper bound of a bucket. Each bucket must be greater than 0 and unique. + // The order of the buckets does not matter. + repeated double buckets = 2 [(validate.rules).repeated = { + unique: true + items {double {gt: 0.0}} + }]; + + // Initial number of bins for the ``circllhist`` thread local histogram per time series. Default value is 100. + google.protobuf.UInt32Value bins = 3 [(validate.rules).uint32 = {lte: 46082 gt: 0}]; +} + +// Stats configuration proto schema for built-in ``envoy.stat_sinks.statsd`` sink. This sink does not support +// tagged metrics. +// [#extension: envoy.stat_sinks.statsd] +message StatsdSink { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.metrics.v2.StatsdSink"; + + oneof statsd_specifier { + option (validate.required) = true; + + // The UDP address of a running `statsd `_ + // compliant listener. If specified, statistics will be flushed to this + // address. + core.v3.Address address = 1; + + // The name of a cluster that is running a TCP `statsd + // `_ compliant listener. If specified, + // Envoy will connect to this cluster to flush statistics. + string tcp_cluster_name = 2; + } + + // Optional custom prefix for StatsdSink. If + // specified, this will override the default prefix. + // For example: + // + // .. code-block:: json + // + // { + // "prefix" : "envoy-prod" + // } + // + // will change emitted stats to + // + // .. code-block:: cpp + // + // envoy-prod.test_counter:1|c + // envoy-prod.test_timer:5|ms + // + // Note that the default prefix, "envoy", will be used if a prefix is not + // specified. + // + // Stats with default prefix: + // + // .. code-block:: cpp + // + // envoy.test_counter:1|c + // envoy.test_timer:5|ms + string prefix = 3; +} + +// Stats configuration proto schema for built-in ``envoy.stat_sinks.dog_statsd`` sink. +// The sink emits stats with `DogStatsD `_ +// compatible tags. Tags are configurable via :ref:`StatsConfig +// `. +// [#extension: envoy.stat_sinks.dog_statsd] +message DogStatsdSink { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.metrics.v2.DogStatsdSink"; + + reserved 2; + + oneof dog_statsd_specifier { + option (validate.required) = true; + + // The UDP address of a running DogStatsD compliant listener. If specified, + // statistics will be flushed to this address. + core.v3.Address address = 1; + } + + // Optional custom metric name prefix. See :ref:`StatsdSink's prefix field + // ` for more details. + string prefix = 3; + + // Optional max datagram size to use when sending UDP messages. By default Envoy + // will emit one metric per datagram. By specifying a max-size larger than a single + // metric, Envoy will emit multiple, new-line separated metrics. The max datagram + // size should not exceed your network's MTU. + // + // Note that this value may not be respected if smaller than a single metric. + google.protobuf.UInt64Value max_bytes_per_datagram = 4 [(validate.rules).uint64 = {gt: 0}]; +} + +// Stats configuration proto schema for built-in ``envoy.stat_sinks.hystrix`` sink. +// The sink emits stats in `text/event-stream +// `_ +// formatted stream for use by `Hystrix dashboard +// `_. +// +// Note that only a single HystrixSink should be configured. +// +// Streaming is started through an admin endpoint :http:get:`/hystrix_event_stream`. +// [#extension: envoy.stat_sinks.hystrix] +message HystrixSink { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.metrics.v2.HystrixSink"; + + // The number of buckets the rolling statistical window is divided into. + // + // Each time the sink is flushed, all relevant Envoy statistics are sampled and + // added to the rolling window (removing the oldest samples in the window + // in the process). The sink then outputs the aggregate statistics across the + // current rolling window to the event stream(s). + // + // ``rolling_window(ms)`` = ``stats_flush_interval(ms)`` * ``num_of_buckets`` + // + // More detailed explanation can be found in `Hystrix wiki + // `_. + int64 num_buckets = 1; +} diff --git a/modules/sync/envoyproxy/envoy/cas/128aa5a627b73673aa916bb0212ebc79da8333a669146775901af0ac3b97a60267968c918eede06673d64852613fd9f0af7a0b7f3ea0be3e6c6646d928d5dd09 b/modules/sync/envoyproxy/envoy/cas/128aa5a627b73673aa916bb0212ebc79da8333a669146775901af0ac3b97a60267968c918eede06673d64852613fd9f0af7a0b7f3ea0be3e6c6646d928d5dd09 new file mode 100644 index 00000000..2354f2b9 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/128aa5a627b73673aa916bb0212ebc79da8333a669146775901af0ac3b97a60267968c918eede06673d64852613fd9f0af7a0b7f3ea0be3e6c6646d928d5dd09 @@ -0,0 +1,268 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.oauth2.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/http_uri.proto"; +import "envoy/config/route/v3/route_components.proto"; +import "envoy/extensions/transport_sockets/tls/v3/secret.proto"; +import "envoy/type/matcher/v3/path.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.oauth2.v3"; +option java_outer_classname = "OauthProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/oauth2/v3;oauth2v3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: OAuth] +// OAuth :ref:`configuration overview `. +// [#extension: envoy.filters.http.oauth2] +// + +// OAuth cookie configuration attributes. +// +message CookieConfig { + enum SameSite { + DISABLED = 0; + STRICT = 1; + LAX = 2; + NONE = 3; + } + + // The value used for the SameSite cookie attribute. + SameSite same_site = 1 [(validate.rules).enum = {defined_only: true}]; +} + +// [#next-free-field: 8] +message CookieConfigs { + // Configuration for the bearer token cookie. + CookieConfig bearer_token_cookie_config = 1; + + // Configuration for the OAuth HMAC cookie. + CookieConfig oauth_hmac_cookie_config = 2; + + // Configuration for the OAuth expires cookie. + CookieConfig oauth_expires_cookie_config = 3; + + // Configuration for the ID token cookie. + CookieConfig id_token_cookie_config = 4; + + // Configuration for the refresh token cookie. + CookieConfig refresh_token_cookie_config = 5; + + // Configuration for the OAuth nonce cookie. + CookieConfig oauth_nonce_cookie_config = 6; + + // Configuration for the code verifier cookie. + CookieConfig code_verifier_cookie_config = 7; +} + +// [#next-free-field: 6] +message OAuth2Credentials { + // [#next-free-field: 8] + message CookieNames { + // Cookie name to hold OAuth bearer token value. When the authentication server validates the + // client and returns an authorization token back to the OAuth filter, no matter what format + // that token is, if :ref:`forward_bearer_token ` + // is set to true the filter will send over the bearer token as a cookie with this name to the + // upstream. Defaults to ``BearerToken``. + string bearer_token = 1 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // Cookie name to hold OAuth HMAC value. Defaults to ``OauthHMAC``. + string oauth_hmac = 2 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // Cookie name to hold OAuth expiry value. Defaults to ``OauthExpires``. + string oauth_expires = 3 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // Cookie name to hold the id token. Defaults to ``IdToken``. + string id_token = 4 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // Cookie name to hold the refresh token. Defaults to ``RefreshToken``. + string refresh_token = 5 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // Cookie name to hold the nonce value. Defaults to ``OauthNonce``. + string oauth_nonce = 6 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // Cookie name to hold the PKCE code verifier. Defaults to ``OauthCodeVerifier``. + string code_verifier = 7 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + } + + // The client_id to be used in the authorize calls. This value will be URL encoded when sent to the OAuth server. + string client_id = 1 [(validate.rules).string = {min_len: 1}]; + + // The secret used to retrieve the access token. This value will be URL encoded when sent to the OAuth server. + transport_sockets.tls.v3.SdsSecretConfig token_secret = 2 + [(validate.rules).message = {required: true}]; + + // Configures how the secret token should be created. + oneof token_formation { + option (validate.required) = true; + + // If present, the secret token will be a HMAC using the provided secret. + transport_sockets.tls.v3.SdsSecretConfig hmac_secret = 3 + [(validate.rules).message = {required: true}]; + } + + // The cookie names used in OAuth filters flow. + CookieNames cookie_names = 4; + + // The domain to set the cookie on. If not set, the cookie will default to the host of the request, not including the subdomains. + // This is useful when token cookies need to be shared across multiple subdomains. + string cookie_domain = 5; +} + +// OAuth config +// +// [#next-free-field: 27] +message OAuth2Config { + enum AuthType { + // The ``client_id`` and ``client_secret`` will be sent in the URL encoded request body. + // This type should only be used when Auth server does not support Basic authentication. + URL_ENCODED_BODY = 0; + + // The ``client_id`` and ``client_secret`` will be sent using HTTP Basic authentication scheme. + BASIC_AUTH = 1; + } + + // Endpoint on the authorization server to retrieve the access token from. + config.core.v3.HttpUri token_endpoint = 1; + + // Specifies the retry policy for requests to the OAuth server. If not specified, then no retries will be performed. + config.core.v3.RetryPolicy retry_policy = 18; + + // The endpoint redirect to for authorization in response to unauthorized requests. + string authorization_endpoint = 2 [(validate.rules).string = {min_len: 1}]; + + // The endpoint at the authorization server to request the user be logged out of the Authorization server. + // This field is optional and should be set only if openid is in the auth_scopes and the authorization server + // supports the OpenID Connect RP-Initiated Logout specification. + // For more information, see https://openid.net/specs/openid-connect-rpinitiated-1_0.html + // + // If configured, the OAuth2 filter will redirect users to this endpoint when they access the signout_path. + string end_session_endpoint = 23; + + // Credentials used for OAuth. + OAuth2Credentials credentials = 3 [(validate.rules).message = {required: true}]; + + // The redirect URI passed to the authorization endpoint. Supports header formatting + // tokens. For more information, including details on header value syntax, see the + // documentation on :ref:`custom request headers `. + // + // This URI should not contain any query parameters. + string redirect_uri = 4 [(validate.rules).string = {min_len: 1}]; + + // Matching criteria used to determine whether a path appears to be the result of a redirect from the authorization server. + type.matcher.v3.PathMatcher redirect_path_matcher = 5 + [(validate.rules).message = {required: true}]; + + // The path to sign a user out, clearing their credential cookies. + type.matcher.v3.PathMatcher signout_path = 6 [(validate.rules).message = {required: true}]; + + // Forward the OAuth token as a Bearer to upstream web service. + bool forward_bearer_token = 7; + + // If set to true, preserve the existing authorization header. + // By default the client strips the existing authorization header before forwarding upstream. + // Can not be set to true if forward_bearer_token is already set to true. + // Default value is false. + bool preserve_authorization_header = 16; + + // Any request that matches any of the provided matchers will be passed through without OAuth validation. + repeated config.route.v3.HeaderMatcher pass_through_matcher = 8; + + // Optional list of OAuth scopes to be claimed in the authorization request. If not specified, + // defaults to "user" scope. + // OAuth RFC https://tools.ietf.org/html/rfc6749#section-3.3 + repeated string auth_scopes = 9; + + // Optional resource parameter for authorization request + // RFC: https://tools.ietf.org/html/rfc8707 + repeated string resources = 10; + + // Defines how ``client_id`` and ``client_secret`` are sent in OAuth client to OAuth server requests. + // RFC https://datatracker.ietf.org/doc/html/rfc6749#section-2.3.1 + AuthType auth_type = 11 [(validate.rules).enum = {defined_only: true}]; + + // If set to true, allows automatic access token refresh using the associated refresh token (see + // `RFC 6749 section 6 `_), provided that the OAuth server supports that. + // Default value is true. + google.protobuf.BoolValue use_refresh_token = 12; + + // The default lifetime in seconds of the access token, if omitted by the authorization server. + // + // If this value is not set, it will default to ``0s``. In this case, the expiry must be set by + // the authorization server or the OAuth flow will fail. + google.protobuf.Duration default_expires_in = 13; + + // Any request that matches any of the provided matchers won't be redirected to OAuth server when tokens are not valid. + // Automatic access token refresh will be performed for these requests, if enabled. + // This behavior can be useful for AJAX requests. + repeated config.route.v3.HeaderMatcher deny_redirect_matcher = 14; + + // The default lifetime in seconds of the refresh token, if the exp (expiration time) claim is omitted in the refresh token or the refresh token is not JWT. + // + // If this value is not set, it will default to ``604800s``. In this case, the cookie with the refresh token will be expired + // in a week. + // This setting is only considered if ``use_refresh_token`` is set to true, otherwise the authorization server expiration or ``default_expires_in`` is used. + google.protobuf.Duration default_refresh_token_expires_in = 15; + + // If set to true, the client will not set a cookie for ID Token even if one is received from the Identity Provider. This may be useful in cases where the ID + // Token is too large for HTTP cookies (longer than 4096 characters). Enabling this option will only disable setting the cookie response header, the filter + // will still process incoming ID Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future + // sessions would not set the IdToken cookie header. + bool disable_id_token_set_cookie = 17; + + // If set to true, the client will not set a cookie for Access Token even if one is received from the Identity Provider. + // Enabling this option will only disable setting the cookie response header, the filter + // will still process incoming Access Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future + // sessions would not set the Access Token cookie header. + bool disable_access_token_set_cookie = 19; + + // If set to true, the client will not set a cookie for Refresh Token even if one is received from the Identity Provider. + // Enabling this option will only disable setting the cookie response header, the filter + // will still process incoming Refresh Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future + // sessions would not set the Refresh Token cookie header. + bool disable_refresh_token_set_cookie = 20; + + // Controls for attributes that can be set on the cookies. + CookieConfigs cookie_configs = 21; + + // Optional additional prefix to use when emitting statistics. + string stat_prefix = 22; + + // Optional expiration time for the CSRF protection token cookie. + // The CSRF token prevents cross-site request forgery attacks during the OAuth2 flow. + // If not specified, defaults to ``600s`` (10 minutes), which should provide sufficient time + // for users to complete the OAuth2 authorization flow. + google.protobuf.Duration csrf_token_expires_in = 24; + + // Optional expiration time for the code verifier cookie. + // The code verifier is stored in a secure, HTTP-only cookie during the OAuth2 authorization process. + // If not specified, defaults to ``600s`` (10 minutes), which should provide sufficient time + // for users to complete the OAuth2 authorization flow. + google.protobuf.Duration code_verifier_token_expires_in = 25; + + // Disable token encryption. When set to true, both the access token and the ID token will be stored in plain text. + // This option should only be used in secure environments where token encryption is not required. + // Default is false (tokens are encrypted). + bool disable_token_encryption = 26; +} + +// Filter config. +message OAuth2 { + // Leave this empty to disable OAuth2 for a specific route, using per filter config. + OAuth2Config config = 1; +} diff --git a/modules/sync/envoyproxy/envoy/cas/1580679222615a4c489cfd5f311a2ceb66378020ac353ee807f791abe9dc9c4d3994c5ca5ebd8ddf509382e7b6a55c1d3954a03a9917702659ccaaef7acbc5f9 b/modules/sync/envoyproxy/envoy/cas/1580679222615a4c489cfd5f311a2ceb66378020ac353ee807f791abe9dc9c4d3994c5ca5ebd8ddf509382e7b6a55c1d3954a03a9917702659ccaaef7acbc5f9 new file mode 100644 index 00000000..74fe641f --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/1580679222615a4c489cfd5f311a2ceb66378020ac353ee807f791abe9dc9c4d3994c5ca5ebd8ddf509382e7b6a55c1d3954a03a9917702659ccaaef7acbc5f9 @@ -0,0 +1,730 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "envoy/config/core/v3/extension.proto"; +import "envoy/type/matcher/v3/string.proto"; +import "envoy/type/v3/percent.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "xds/annotations/v3/status.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "ProtocolProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Protocol options] + +// [#not-implemented-hide:] +message TcpProtocolOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.TcpProtocolOptions"; +} + +// Config for keepalive probes in a QUIC connection. +// Note that QUIC keep-alive probing packets work differently from HTTP/2 keep-alive PINGs in a sense that the probing packet +// itself doesn't timeout waiting for a probing response. Quic has a shorter idle timeout than TCP, so it doesn't rely on such probing to discover dead connections. If the peer fails to respond, the connection will idle timeout eventually. Thus, they are configured differently from :ref:`connection_keepalive `. +message QuicKeepAliveSettings { + // The max interval for a connection to send keep-alive probing packets (with PING or PATH_RESPONSE). The value should be smaller than :ref:`connection idle_timeout ` to prevent idle timeout while not less than 1s to avoid throttling the connection or flooding the peer with probes. + // + // If :ref:`initial_interval ` is absent or zero, a client connection will use this value to start probing. + // + // If zero, disable keepalive probing. + // If absent, use the QUICHE default interval to probe. + google.protobuf.Duration max_interval = 1; + + // The interval to send the first few keep-alive probing packets to prevent connection from hitting the idle timeout. Subsequent probes will be sent, each one with an interval exponentially longer than previous one, till it reaches :ref:`max_interval `. And the probes afterwards will always use :ref:`max_interval `. + // + // The value should be smaller than :ref:`connection idle_timeout ` to prevent idle timeout and smaller than max_interval to take effect. + // + // If absent, disable keepalive probing for a server connection. For a client connection, if :ref:`max_interval ` is zero, do not keepalive, otherwise use max_interval or QUICHE default to probe all the time. + google.protobuf.Duration initial_interval = 2 [(validate.rules).duration = { + lte {} + gte {nanos: 1000000} + }]; +} + +// QUIC protocol options which apply to both downstream and upstream connections. +// [#next-free-field: 10] +message QuicProtocolOptions { + // Maximum number of streams that the client can negotiate per connection. 100 + // if not specified. + google.protobuf.UInt32Value max_concurrent_streams = 1 [(validate.rules).uint32 = {gte: 1}]; + + // `Initial stream-level flow-control receive window + // `_ size. Valid values range from + // 1 to 16777216 (2^24, maximum supported by QUICHE) and defaults to 16777216 (16 * 1024 * 1024). + // + // .. note:: + // + // 16384 (2^14) is the minimum window size supported in Google QUIC. If configured smaller than it, we will use + // 16384 instead. QUICHE IETF Quic implementation supports 1 bytes window. We only support increasing the default + // window size now, so it's also the minimum. + // + // This field also acts as a soft limit on the number of bytes Envoy will buffer per-stream in the + // QUIC stream send and receive buffers. Once the buffer reaches this pointer, watermark callbacks will fire to + // stop the flow of data to the stream buffers. + google.protobuf.UInt32Value initial_stream_window_size = 2 + [(validate.rules).uint32 = {lte: 16777216 gte: 1}]; + + // Similar to ``initial_stream_window_size``, but for connection-level + // flow-control. Valid values range from 1 to 25165824 (24MB, maximum supported by QUICHE) and defaults + // to 25165824 (24 * 1024 * 1024). + // + // .. note:: + // + // 16384 (2^14) is the minimum window size supported in Google QUIC. We only support increasing the default + // window size now, so it's also the minimum. + // + google.protobuf.UInt32Value initial_connection_window_size = 3 + [(validate.rules).uint32 = {lte: 25165824 gte: 1}]; + + // The number of timeouts that can occur before port migration is triggered for QUIC clients. + // This defaults to 4. If set to 0, port migration will not occur on path degrading. + // Timeout here refers to QUIC internal path degrading timeout mechanism, such as PTO. + // This has no effect on server sessions. + google.protobuf.UInt32Value num_timeouts_to_trigger_port_migration = 4 + [(validate.rules).uint32 = {lte: 5 gte: 0}]; + + // Probes the peer at the configured interval to solicit traffic, i.e. ACK or PATH_RESPONSE, from the peer to push back connection idle timeout. + // If absent, use the default keepalive behavior of which a client connection sends PINGs every 15s, and a server connection doesn't do anything. + QuicKeepAliveSettings connection_keepalive = 5; + + // A comma-separated list of strings representing QUIC connection options defined in + // `QUICHE `_ and to be sent by upstream connections. + string connection_options = 6; + + // A comma-separated list of strings representing QUIC client connection options defined in + // `QUICHE `_ and to be sent by upstream connections. + string client_connection_options = 7; + + // The duration that a QUIC connection stays idle before it closes itself. If this field is not present, QUICHE + // default 600s will be applied. + // For internal corporate network, a long timeout is often fine. + // But for client facing network, 30s is usually a good choice. + // Do not add an upper bound here. A long idle timeout is useful for maintaining warm connections at non-front-line proxy for low QPS services." + google.protobuf.Duration idle_network_timeout = 8 + [(validate.rules).duration = {gte {seconds: 1}}]; + + // Maximum packet length for QUIC connections. It refers to the largest size of a QUIC packet that can be transmitted over the connection. + // If not specified, one of the `default values in QUICHE `_ is used. + google.protobuf.UInt64Value max_packet_length = 9; +} + +message UpstreamHttpProtocolOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.UpstreamHttpProtocolOptions"; + + // Set transport socket `SNI `_ for new + // upstream connections based on the downstream HTTP host/authority header or any other arbitrary + // header when :ref:`override_auto_sni_header ` + // is set, as seen by the :ref:`router filter `. + // Does nothing if a filter before the http router filter sets the corresponding metadata. + // + // See :ref:`SNI configuration ` for details on how this + // interacts with other validation options. + bool auto_sni = 1; + + // Automatic validate upstream presented certificate for new upstream connections based on the + // downstream HTTP host/authority header or any other arbitrary header when :ref:`override_auto_sni_header ` + // is set, as seen by the :ref:`router filter `. + // This field is intended to be set with ``auto_sni`` field. + // Does nothing if a filter before the http router filter sets the corresponding metadata. + // + // See :ref:`validation configuration ` for how this interacts with + // other validation options. + bool auto_san_validation = 2; + + // An optional alternative to the host/authority header to be used for setting the SNI value. + // It should be a valid downstream HTTP header, as seen by the + // :ref:`router filter `. + // If unset, host/authority header will be used for populating the SNI. If the specified header + // is not found or the value is empty, host/authority header will be used instead. + // This field is intended to be set with ``auto_sni`` and/or ``auto_san_validation`` fields. + // If none of these fields are set then setting this would be a no-op. + // Does nothing if a filter before the http router filter sets the corresponding metadata. + string override_auto_sni_header = 3 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; +} + +// Configures the alternate protocols cache which tracks alternate protocols that can be used to +// make an HTTP connection to an origin server. See https://tools.ietf.org/html/rfc7838 for +// HTTP Alternative Services and https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-04 +// for the "HTTPS" DNS resource record. +// [#next-free-field: 6] +message AlternateProtocolsCacheOptions { + // Allows pre-populating the cache with HTTP/3 alternate protocols entries with a 7 day lifetime. + // This will cause Envoy to attempt HTTP/3 to those upstreams, even if the upstreams have not + // advertised HTTP/3 support. These entries will be overwritten by alt-svc + // response headers or cached values. + // As with regular cached entries, if the origin response would result in clearing an existing + // alternate protocol cache entry, pre-populated entries will also be cleared. + // Adding a cache entry with hostname=foo.com port=123 is the equivalent of getting + // response headers + // alt-svc: h3=:"123"; ma=86400" in a response to a request to foo.com:123 + message AlternateProtocolsCacheEntry { + // The host name for the alternate protocol entry. + string hostname = 1 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // The port for the alternate protocol entry. + uint32 port = 2 [(validate.rules).uint32 = {lt: 65535 gt: 0}]; + } + + // The name of the cache. Multiple named caches allow independent alternate protocols cache + // configurations to operate within a single Envoy process using different configurations. All + // alternate protocols cache options with the same name *must* be equal in all fields when + // referenced from different configuration components. Configuration will fail to load if this is + // not the case. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // The maximum number of entries that the cache will hold. If not specified defaults to 1024. + // + // .. note: + // + // The implementation is approximate and enforced independently on each worker thread, thus + // it is possible for the maximum entries in the cache to go slightly above the configured + // value depending on timing. This is similar to how other circuit breakers work. + google.protobuf.UInt32Value max_entries = 2 [(validate.rules).uint32 = {gt: 0}]; + + // Allows configuring a persistent + // :ref:`key value store ` to flush + // alternate protocols entries to disk. + // This function is currently only supported if concurrency is 1 + // Cached entries will take precedence over pre-populated entries below. + TypedExtensionConfig key_value_store_config = 3; + + // Allows pre-populating the cache with entries, as described above. + repeated AlternateProtocolsCacheEntry prepopulated_entries = 4; + + // Optional list of hostnames suffixes for which Alt-Svc entries can be shared. For example, if + // this list contained the value ``.c.example.com``, then an Alt-Svc entry for ``foo.c.example.com`` + // could be shared with ``bar.c.example.com`` but would not be shared with ``baz.example.com``. On + // the other hand, if the list contained the value ``.example.com`` then all three hosts could share + // Alt-Svc entries. Each entry must start with ``.``. If a hostname matches multiple suffixes, the + // first listed suffix will be used. + // + // Since lookup in this list is O(n), it is recommended that the number of suffixes be limited. + // [#not-implemented-hide:] + repeated string canonical_suffixes = 5; +} + +// [#next-free-field: 8] +message HttpProtocolOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.HttpProtocolOptions"; + + // Action to take when Envoy receives client request with header names containing underscore + // characters. + // Underscore character is allowed in header names by the RFC-7230 and this behavior is implemented + // as a security measure due to systems that treat '_' and '-' as interchangeable. Envoy by default allows client request headers with underscore + // characters. + enum HeadersWithUnderscoresAction { + // Allow headers with underscores. This is the default behavior. + ALLOW = 0; + + // Reject client request. HTTP/1 requests are rejected with the 400 status. HTTP/2 requests + // end with the stream reset. The "httpN.requests_rejected_with_underscores_in_headers" counter + // is incremented for each rejected request. + REJECT_REQUEST = 1; + + // Drop the client header with name containing underscores. The header is dropped before the filter chain is + // invoked and as such filters will not see dropped headers. The + // "httpN.dropped_headers_with_underscores" is incremented for each dropped header. + DROP_HEADER = 2; + } + + // The idle timeout for connections. The idle timeout is defined as the + // period in which there are no active requests. When the + // idle timeout is reached the connection will be closed. If the connection is an HTTP/2 + // downstream connection a drain sequence will occur prior to closing the connection, see + // :ref:`drain_timeout + // `. + // Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive. + // If not specified, this defaults to 1 hour. To disable idle timeouts explicitly set this to 0. + // + // .. warning:: + // Disabling this timeout has a highly likelihood of yielding connection leaks due to lost TCP + // FIN packets, etc. + // + // If the :ref:`overload action ` "envoy.overload_actions.reduce_timeouts" + // is configured, this timeout is scaled for downstream connections according to the value for + // :ref:`HTTP_DOWNSTREAM_CONNECTION_IDLE `. + google.protobuf.Duration idle_timeout = 1; + + // The maximum duration of a connection. The duration is defined as a period since a connection + // was established. If not set, there is no max duration. When max_connection_duration is reached, + // the drain sequence will kick-in. The connection will be closed after the drain timeout period + // if there are no active streams. See :ref:`drain_timeout + // `. + google.protobuf.Duration max_connection_duration = 3; + + // The maximum number of headers (request headers if configured on HttpConnectionManager, + // response headers when configured on a cluster). + // If unconfigured, the default maximum number of headers allowed is 100. + // The default value for requests can be overridden by setting runtime key ``envoy.reloadable_features.max_request_headers_count``. + // The default value for responses can be overridden by setting runtime key ``envoy.reloadable_features.max_response_headers_count``. + // Downstream requests that exceed this limit will receive a 431 response for HTTP/1.x and cause a stream + // reset for HTTP/2. + // Upstream responses that exceed this limit will result in a 502 response. + google.protobuf.UInt32Value max_headers_count = 2 [(validate.rules).uint32 = {gte: 1}]; + + // The maximum size of response headers. + // If unconfigured, the default is 60 KiB, except for HTTP/1 response headers which have a default + // of 80KiB. + // The default value can be overridden by setting runtime key ``envoy.reloadable_features.max_response_headers_size_kb``. + // Responses that exceed this limit will result in a 503 response. + // In Envoy, this setting is only valid when configured on an upstream cluster, not on the + // :ref:`HTTP Connection Manager + // `. + // + // .. note:: + // + // Currently some protocol codecs impose limits on the maximum size of a single header. + // + // * HTTP/2 (when using nghttp2) limits a single header to around 100kb. + // * HTTP/3 limits a single header to around 1024kb. + // + google.protobuf.UInt32Value max_response_headers_kb = 7 + [(validate.rules).uint32 = {lte: 8192 gt: 0}]; + + // Total duration to keep alive an HTTP request/response stream. If the time limit is reached the stream will be + // reset independent of any other timeouts. If not specified, this value is not set. + google.protobuf.Duration max_stream_duration = 4; + + // Action to take when a client request with a header name containing underscore characters is received. + // If this setting is not specified, the value defaults to ALLOW. + // + // .. note:: + // + // Upstream responses are not affected by this setting. + // + // .. note:: + // + // This only affects client headers. It does not affect headers added by Envoy filters and does not have any + // impact if added to cluster config. + HeadersWithUnderscoresAction headers_with_underscores_action = 5; + + // Optional maximum requests for both upstream and downstream connections. + // If not specified, there is no limit. + // Setting this parameter to 1 will effectively disable keep alive. + // For HTTP/2 and HTTP/3, due to concurrent stream processing, the limit is approximate. + google.protobuf.UInt32Value max_requests_per_connection = 6; +} + +// [#next-free-field: 12] +message Http1ProtocolOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.Http1ProtocolOptions"; + + // [#next-free-field: 9] + message HeaderKeyFormat { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.Http1ProtocolOptions.HeaderKeyFormat"; + + message ProperCaseWords { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.Http1ProtocolOptions.HeaderKeyFormat.ProperCaseWords"; + } + + oneof header_format { + option (validate.required) = true; + + // Formats the header by proper casing words: the first character and any character following + // a special character will be capitalized if it's an alpha character. For example, + // "content-type" becomes "Content-Type", and "foo$b#$are" becomes "Foo$B#$Are". + // Note that while this results in most headers following conventional casing, certain headers + // are not covered. For example, the "TE" header will be formatted as "Te". + ProperCaseWords proper_case_words = 1; + + // Configuration for stateful formatter extensions that allow using received headers to + // affect the output of encoding headers. E.g., preserving case during proxying. + // [#extension-category: envoy.http.stateful_header_formatters] + TypedExtensionConfig stateful_formatter = 8; + } + } + + // Handle HTTP requests with absolute URLs in the requests. These requests + // are generally sent by clients to forward/explicit proxies. This allows clients to configure + // envoy as their HTTP proxy. In Unix, for example, this is typically done by setting the + // ``http_proxy`` environment variable. + google.protobuf.BoolValue allow_absolute_url = 1; + + // Handle incoming HTTP/1.0 and HTTP 0.9 requests. + // This is off by default, and not fully standards compliant. There is support for pre-HTTP/1.1 + // style connect logic, dechunking, and handling lack of client host iff + // ``default_host_for_http_10`` is configured. + bool accept_http_10 = 2; + + // A default host for HTTP/1.0 requests. This is highly suggested if ``accept_http_10`` is true as + // Envoy does not otherwise support HTTP/1.0 without a Host header. + // This is a no-op if ``accept_http_10`` is not true. + string default_host_for_http_10 = 3; + + // Describes how the keys for response headers should be formatted. By default, all header keys + // are lower cased. + HeaderKeyFormat header_key_format = 4; + + // Enables trailers for HTTP/1. By default the HTTP/1 codec drops proxied trailers. + // + // .. attention:: + // + // Note that this only happens when Envoy is chunk encoding which occurs when: + // - The request is HTTP/1.1. + // - Is neither a HEAD only request nor a HTTP Upgrade. + // - Not a response to a HEAD request. + // - The content length header is not present. + bool enable_trailers = 5; + + // Allows Envoy to process requests/responses with both ``Content-Length`` and ``Transfer-Encoding`` + // headers set. By default such messages are rejected, but if option is enabled - Envoy will + // remove Content-Length header and process message. + // See `RFC7230, sec. 3.3.3 `_ for details. + // + // .. attention:: + // Enabling this option might lead to request smuggling vulnerability, especially if traffic + // is proxied via multiple layers of proxies. + // [#comment:TODO: This field is ignored when the + // :ref:`header validation configuration ` + // is present.] + bool allow_chunked_length = 6; + + // Allows invalid HTTP messaging. When this option is false, then Envoy will terminate + // HTTP/1.1 connections upon receiving an invalid HTTP message. However, + // when this option is true, then Envoy will leave the HTTP/1.1 connection + // open where possible. + // If set, this overrides any HCM :ref:`stream_error_on_invalid_http_messaging + // `. + google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 7; + + // Allows sending fully qualified URLs when proxying the first line of the + // response. By default, Envoy will only send the path components in the first line. + // If this is true, Envoy will create a fully qualified URI composing scheme + // (inferred if not present), host (from the host/:authority header) and path + // (from first line or :path header). + bool send_fully_qualified_url = 8; + + // [#not-implemented-hide:] Hiding so that field can be removed after BalsaParser is rolled out. + // If set, force HTTP/1 parser: BalsaParser if true, http-parser if false. + // If unset, HTTP/1 parser is selected based on + // envoy.reloadable_features.http1_use_balsa_parser. + // See issue #21245. + google.protobuf.BoolValue use_balsa_parser = 9 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // [#not-implemented-hide:] Hiding so that field can be removed. + // If true, and BalsaParser is used (either `use_balsa_parser` above is true, + // or `envoy.reloadable_features.http1_use_balsa_parser` is true and + // `use_balsa_parser` is unset), then every non-empty method with only valid + // characters is accepted. Otherwise, methods not on the hard-coded list are + // rejected. + // Once UHV is enabled, this field should be removed, and BalsaParser should + // allow any method. UHV validates the method, rejecting empty string or + // invalid characters, and provides :ref:`restrict_http_methods + // ` + // to reject custom methods. + bool allow_custom_methods = 10 [(xds.annotations.v3.field_status).work_in_progress = true]; + + // Ignore HTTP/1.1 upgrade values matching any of the supplied matchers. + // + // .. note:: + // + // ``h2c`` upgrades are always removed for backwards compatibility, regardless of the + // value in this setting. + repeated type.matcher.v3.StringMatcher ignore_http_11_upgrade = 11; +} + +message KeepaliveSettings { + // Send HTTP/2 PING frames at this period, in order to test that the connection is still alive. + // If this is zero, interval PINGs will not be sent. + google.protobuf.Duration interval = 1 [(validate.rules).duration = {gte {nanos: 1000000}}]; + + // How long to wait for a response to a keepalive PING. If a response is not received within this + // time period, the connection will be aborted. Note that in order to prevent the influence of + // Head-of-line (HOL) blocking the timeout period is extended when *any* frame is received on + // the connection, under the assumption that if a frame is received the connection is healthy. + google.protobuf.Duration timeout = 2 [(validate.rules).duration = { + required: true + gte {nanos: 1000000} + }]; + + // A random jitter amount as a percentage of interval that will be added to each interval. + // A value of zero means there will be no jitter. + // The default value is 15%. + type.v3.Percent interval_jitter = 3; + + // If the connection has been idle for this duration, send a HTTP/2 ping ahead + // of new stream creation, to quickly detect dead connections. + // If this is zero, this type of PING will not be sent. + // If an interval ping is outstanding, a second ping will not be sent as the + // interval ping will determine if the connection is dead. + // + // The same feature for HTTP/3 is given by inheritance from QUICHE which uses :ref:`connection idle_timeout ` and the current PTO of the connection to decide whether to probe before sending a new request. + google.protobuf.Duration connection_idle_interval = 4 + [(validate.rules).duration = {gte {nanos: 1000000}}]; +} + +// [#next-free-field: 18] +message Http2ProtocolOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.Http2ProtocolOptions"; + + // Defines a parameter to be sent in the SETTINGS frame. + // See `RFC7540, sec. 6.5.1 `_ for details. + message SettingsParameter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.Http2ProtocolOptions.SettingsParameter"; + + // The 16 bit parameter identifier. + google.protobuf.UInt32Value identifier = 1 [ + (validate.rules).uint32 = {lte: 65535 gte: 0}, + (validate.rules).message = {required: true} + ]; + + // The 32 bit parameter value. + google.protobuf.UInt32Value value = 2 [(validate.rules).message = {required: true}]; + } + + // `Maximum table size `_ + // (in octets) that the encoder is permitted to use for the dynamic HPACK table. Valid values + // range from 0 to 4294967295 (2^32 - 1) and defaults to 4096. 0 effectively disables header + // compression. + google.protobuf.UInt32Value hpack_table_size = 1; + + // `Maximum concurrent streams `_ + // allowed for peer on one HTTP/2 connection. Valid values range from 1 to 2147483647 (2^31 - 1) + // and defaults to 1024 for safety and should be sufficient for most use cases. + // + // For upstream connections, this also limits how many streams Envoy will initiate concurrently + // on a single connection. If the limit is reached, Envoy may queue requests or establish + // additional connections (as allowed per circuit breaker limits). + // + // This acts as an upper bound: Envoy will lower the max concurrent streams allowed on a given + // connection based on upstream settings. Config dumps will reflect the configured upper bound, + // not the per-connection negotiated limits. + google.protobuf.UInt32Value max_concurrent_streams = 2 + [(validate.rules).uint32 = {lte: 2147483647 gte: 1}]; + + // `Initial stream-level flow-control window + // `_ size. Valid values range from 65535 + // (2^16 - 1, HTTP/2 default) to 2147483647 (2^31 - 1, HTTP/2 maximum) and defaults to + // 16MiB (16 * 1024 * 1024). + // + // .. note:: + // + // 65535 is the initial window size from HTTP/2 spec. We only support increasing the default window size now, + // so it's also the minimum. + // + // This field also acts as a soft limit on the number of bytes Envoy will buffer per-stream in the + // HTTP/2 codec buffers. Once the buffer reaches this pointer, watermark callbacks will fire to + // stop the flow of data to the codec buffers. + google.protobuf.UInt32Value initial_stream_window_size = 3 + [(validate.rules).uint32 = {lte: 2147483647 gte: 65535}]; + + // Similar to ``initial_stream_window_size``, but for connection-level flow-control + // window. The default is 24MiB (24 * 1024 * 1024). + google.protobuf.UInt32Value initial_connection_window_size = 4 + [(validate.rules).uint32 = {lte: 2147483647 gte: 65535}]; + + // Allows proxying Websocket and other upgrades over H2 connect. + bool allow_connect = 5; + + // [#not-implemented-hide:] Hiding until Envoy has full metadata support. + // Still under implementation. DO NOT USE. + // + // Allows sending and receiving HTTP/2 METADATA frames. See [metadata + // docs](https://github.com/envoyproxy/envoy/blob/main/source/docs/h2_metadata.md) for more + // information. + bool allow_metadata = 6; + + // Limit the number of pending outbound downstream frames of all types (frames that are waiting to + // be written into the socket). Exceeding this limit triggers flood mitigation and connection is + // terminated. The ``http2.outbound_flood`` stat tracks the number of terminated connections due + // to flood mitigation. The default limit is 10000. + google.protobuf.UInt32Value max_outbound_frames = 7 [(validate.rules).uint32 = {gte: 1}]; + + // Limit the number of pending outbound downstream frames of types PING, SETTINGS and RST_STREAM, + // preventing high memory utilization when receiving continuous stream of these frames. Exceeding + // this limit triggers flood mitigation and connection is terminated. The + // ``http2.outbound_control_flood`` stat tracks the number of terminated connections due to flood + // mitigation. The default limit is 1000. + google.protobuf.UInt32Value max_outbound_control_frames = 8 [(validate.rules).uint32 = {gte: 1}]; + + // Limit the number of consecutive inbound frames of types HEADERS, CONTINUATION and DATA with an + // empty payload and no end stream flag. Those frames have no legitimate use and are abusive, but + // might be a result of a broken HTTP/2 implementation. The `http2.inbound_empty_frames_flood`` + // stat tracks the number of connections terminated due to flood mitigation. + // Setting this to 0 will terminate connection upon receiving first frame with an empty payload + // and no end stream flag. The default limit is 1. + google.protobuf.UInt32Value max_consecutive_inbound_frames_with_empty_payload = 9; + + // Limit the number of inbound PRIORITY frames allowed per each opened stream. If the number + // of PRIORITY frames received over the lifetime of connection exceeds the value calculated + // using this formula:: + // + // ``max_inbound_priority_frames_per_stream`` * (1 + ``opened_streams``) + // + // the connection is terminated. For downstream connections the ``opened_streams`` is incremented when + // Envoy receives complete response headers from the upstream server. For upstream connection the + // ``opened_streams`` is incremented when Envoy send the HEADERS frame for a new stream. The + // ``http2.inbound_priority_frames_flood`` stat tracks + // the number of connections terminated due to flood mitigation. The default limit is 100. + google.protobuf.UInt32Value max_inbound_priority_frames_per_stream = 10; + + // Limit the number of inbound WINDOW_UPDATE frames allowed per DATA frame sent. If the number + // of WINDOW_UPDATE frames received over the lifetime of connection exceeds the value calculated + // using this formula:: + // + // 5 + 2 * (``opened_streams`` + + // ``max_inbound_window_update_frames_per_data_frame_sent`` * ``outbound_data_frames``) + // + // the connection is terminated. For downstream connections the ``opened_streams`` is incremented when + // Envoy receives complete response headers from the upstream server. For upstream connections the + // ``opened_streams`` is incremented when Envoy sends the HEADERS frame for a new stream. The + // ``http2.inbound_priority_frames_flood`` stat tracks the number of connections terminated due to + // flood mitigation. The default max_inbound_window_update_frames_per_data_frame_sent value is 10. + // Setting this to 1 should be enough to support HTTP/2 implementations with basic flow control, + // but more complex implementations that try to estimate available bandwidth require at least 2. + google.protobuf.UInt32Value max_inbound_window_update_frames_per_data_frame_sent = 11 + [(validate.rules).uint32 = {gte: 1}]; + + // Allows invalid HTTP messaging and headers. When this option is disabled (default), then + // the whole HTTP/2 connection is terminated upon receiving invalid HEADERS frame. However, + // when this option is enabled, only the offending stream is terminated. + // + // This is overridden by HCM :ref:`stream_error_on_invalid_http_messaging + // ` + // iff present. + // + // This is deprecated in favor of :ref:`override_stream_error_on_invalid_http_message + // ` + // + // See `RFC7540, sec. 8.1 `_ for details. + bool stream_error_on_invalid_http_messaging = 12 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Allows invalid HTTP messaging and headers. When this option is disabled (default), then + // the whole HTTP/2 connection is terminated upon receiving invalid HEADERS frame. However, + // when this option is enabled, only the offending stream is terminated. + // + // This overrides any HCM :ref:`stream_error_on_invalid_http_messaging + // ` + // + // See `RFC7540, sec. 8.1 `_ for details. + google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 14; + + // [#not-implemented-hide:] + // Specifies SETTINGS frame parameters to be sent to the peer, with two exceptions: + // + // 1. SETTINGS_ENABLE_PUSH (0x2) is not configurable as HTTP/2 server push is not supported by + // Envoy. + // + // 2. SETTINGS_ENABLE_CONNECT_PROTOCOL (0x8) is only configurable through the named field + // 'allow_connect'. + // + // Note that custom parameters specified through this field can not also be set in the + // corresponding named parameters: + // + // .. code-block:: text + // + // ID Field Name + // ---------------- + // 0x1 hpack_table_size + // 0x3 max_concurrent_streams + // 0x4 initial_stream_window_size + // + // Collisions will trigger config validation failure on load/update. Likewise, inconsistencies + // between custom parameters with the same identifier will trigger a failure. + // + // See `IANA HTTP/2 Settings + // `_ for + // standardized identifiers. + repeated SettingsParameter custom_settings_parameters = 13; + + // Send HTTP/2 PING frames to verify that the connection is still healthy. If the remote peer + // does not respond within the configured timeout, the connection will be aborted. + KeepaliveSettings connection_keepalive = 15; + + // [#not-implemented-hide:] Hiding so that the field can be removed after oghttp2 is rolled out. + // If set, force use of a particular HTTP/2 codec: oghttp2 if true, nghttp2 if false. + // If unset, HTTP/2 codec is selected based on envoy.reloadable_features.http2_use_oghttp2. + google.protobuf.BoolValue use_oghttp2_codec = 16 + [(xds.annotations.v3.field_status).work_in_progress = true]; + + // Configure the maximum amount of metadata than can be handled per stream. Defaults to 1 MB. + google.protobuf.UInt64Value max_metadata_size = 17; +} + +// [#not-implemented-hide:] +message GrpcProtocolOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcProtocolOptions"; + + Http2ProtocolOptions http2_protocol_options = 1; +} + +// A message which allows using HTTP/3. +// [#next-free-field: 9] +message Http3ProtocolOptions { + QuicProtocolOptions quic_protocol_options = 1; + + // Allows invalid HTTP messaging and headers. When this option is disabled (default), then + // the whole HTTP/3 connection is terminated upon receiving invalid HEADERS frame. However, + // when this option is enabled, only the offending stream is terminated. + // + // If set, this overrides any HCM :ref:`stream_error_on_invalid_http_messaging + // `. + google.protobuf.BoolValue override_stream_error_on_invalid_http_message = 2; + + // Allows proxying Websocket and other upgrades over HTTP/3 CONNECT using + // the header mechanisms from the `HTTP/2 extended connect RFC + // `_ + // and settings `proposed for HTTP/3 + // `_ + // Note that HTTP/3 CONNECT is not yet an RFC. + bool allow_extended_connect = 5 [(xds.annotations.v3.field_status).work_in_progress = true]; + + // [#not-implemented-hide:] Hiding until Envoy has full metadata support. + // Still under implementation. DO NOT USE. + // + // Allows sending and receiving HTTP/3 METADATA frames. See [metadata + // docs](https://github.com/envoyproxy/envoy/blob/main/source/docs/h2_metadata.md) for more + // information. + bool allow_metadata = 6; + + // [#not-implemented-hide:] Hiding until Envoy has full HTTP/3 upstream support. + // Still under implementation. DO NOT USE. + // + // Disables QPACK compression related features for HTTP/3 including: + // No huffman encoding, zero dynamic table capacity and no cookie crumbing. + // This can be useful for trading off CPU vs bandwidth when an upstream HTTP/3 connection multiplexes multiple downstream connections. + bool disable_qpack = 7; + + // Disables connection level flow control for HTTP/3 streams. This is useful in situations where the streams share the same connection + // but originate from different end-clients, so that each stream can make progress independently at non-front-line proxies. + bool disable_connection_flow_control_for_streams = 8; +} + +// A message to control transformations to the :scheme header +message SchemeHeaderTransformation { + oneof transformation { + // Overwrite any Scheme header with the contents of this string. + // If set, takes precedence over match_upstream. + string scheme_to_overwrite = 1 [(validate.rules).string = {in: "http" in: "https"}]; + } + + // Set the Scheme header to match the upstream transport protocol. For example, should a + // request be sent to the upstream over TLS, the scheme header will be set to "https". Should the + // request be sent over plaintext, the scheme header will be set to "http". + // If scheme_to_overwrite is set, this field is not used. + bool match_upstream = 2; +} diff --git a/modules/sync/envoyproxy/envoy/cas/175d2f7896be8a9a86b2eecf8cab4cf5c8e5c5361842335f8c607f3a1ce908a57419a79822d110b334254694bc67e6bd67dfcf0ef08de910b898a8a617eadd4f b/modules/sync/envoyproxy/envoy/cas/175d2f7896be8a9a86b2eecf8cab4cf5c8e5c5361842335f8c607f3a1ce908a57419a79822d110b334254694bc67e6bd67dfcf0ef08de910b898a8a617eadd4f new file mode 100644 index 00000000..c015db21 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/175d2f7896be8a9a86b2eecf8cab4cf5c8e5c5361842335f8c607f3a1ce908a57419a79822d110b334254694bc67e6bd67dfcf0ef08de910b898a8a617eadd4f @@ -0,0 +1,113 @@ +syntax = "proto3"; + +package envoy.config.common.mutation_rules.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/type/matcher/v3/regex.proto"; +import "envoy/type/matcher/v3/string.proto"; + +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.common.mutation_rules.v3"; +option java_outer_classname = "MutationRulesProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/common/mutation_rules/v3;mutation_rulesv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Header mutation rules] + +// The HeaderMutationRules structure specifies what headers may be +// manipulated by a processing filter. This set of rules makes it +// possible to control which modifications a filter may make. +// +// By default, an external processing server may add, modify, or remove +// any header except for an "Envoy internal" header (which is typically +// denoted by an x-envoy prefix) or specific headers that may affect +// further filter processing: +// +// * ``host`` +// * ``:authority`` +// * ``:scheme`` +// * ``:method`` +// +// Every attempt to add, change, append, or remove a header will be +// tested against the rules here. Disallowed header mutations will be +// ignored unless ``disallow_is_error`` is set to true. +// +// Attempts to remove headers are further constrained -- regardless of the +// settings, system-defined headers (that start with ``:``) and the ``host`` +// header may never be removed. +// +// In addition, a counter will be incremented whenever a mutation is +// rejected. In the ext_proc filter, that counter is named +// ``rejected_header_mutations``. +// [#next-free-field: 8] +message HeaderMutationRules { + // By default, certain headers that could affect processing of subsequent + // filters or request routing cannot be modified. These headers are + // ``host``, ``:authority``, ``:scheme``, and ``:method``. Setting this parameter + // to true allows these headers to be modified as well. + google.protobuf.BoolValue allow_all_routing = 1; + + // If true, allow modification of envoy internal headers. By default, these + // start with ``x-envoy`` but this may be overridden in the ``Bootstrap`` + // configuration using the + // :ref:`header_prefix ` + // field. Default is false. + google.protobuf.BoolValue allow_envoy = 2; + + // If true, prevent modification of any system header, defined as a header + // that starts with a ``:`` character, regardless of any other settings. + // A processing server may still override the ``:status`` of an HTTP response + // using an ``ImmediateResponse`` message. Default is false. + google.protobuf.BoolValue disallow_system = 3; + + // If true, prevent modifications of all header values, regardless of any + // other settings. A processing server may still override the ``:status`` + // of an HTTP response using an ``ImmediateResponse`` message. Default is false. + google.protobuf.BoolValue disallow_all = 4; + + // If set, specifically allow any header that matches this regular + // expression. This overrides all other settings except for + // ``disallow_expression``. + type.matcher.v3.RegexMatcher allow_expression = 5; + + // If set, specifically disallow any header that matches this regular + // expression regardless of any other settings. + type.matcher.v3.RegexMatcher disallow_expression = 6; + + // If true, and if the rules in this list cause a header mutation to be + // disallowed, then the filter using this configuration will terminate the + // request with a 500 error. In addition, regardless of the setting of this + // parameter, any attempt to set, add, or modify a disallowed header will + // cause the ``rejected_header_mutations`` counter to be incremented. + // Default is false. + google.protobuf.BoolValue disallow_is_error = 7; +} + +// The HeaderMutation structure specifies an action that may be taken on HTTP +// headers. +message HeaderMutation { + message RemoveOnMatch { + // A string matcher that will be applied to the header key. If the header key + // matches, the header will be removed. + type.matcher.v3.StringMatcher key_matcher = 1 [(validate.rules).message = {required: true}]; + } + + oneof action { + option (validate.required) = true; + + // Remove the specified header if it exists. + string remove = 1 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Append new header by the specified HeaderValueOption. + core.v3.HeaderValueOption append = 2; + + // Remove the header if the key matches the specified string matcher. + RemoveOnMatch remove_on_match = 3; + } +} diff --git a/modules/sync/envoyproxy/envoy/cas/18d90b067529f445ae790449e2f0c58111103fc49d3206e1e6e453e4fde8a1e95038f89fc272ced56ebb1fd2246852cf3afb275885d34c14d2b7185a6d3cb6c5 b/modules/sync/envoyproxy/envoy/cas/18d90b067529f445ae790449e2f0c58111103fc49d3206e1e6e453e4fde8a1e95038f89fc272ced56ebb1fd2246852cf3afb275885d34c14d2b7185a6d3cb6c5 new file mode 100644 index 00000000..7405c596 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/18d90b067529f445ae790449e2f0c58111103fc49d3206e1e6e453e4fde8a1e95038f89fc272ced56ebb1fd2246852cf3afb275885d34c14d2b7185a6d3cb6c5 @@ -0,0 +1,168 @@ +syntax = "proto3"; + +package envoy.config.trace.v3; + +import "envoy/config/core/v3/http_service.proto"; + +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.config.trace.v3"; +option java_outer_classname = "ZipkinProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/trace/v3;tracev3"; +option (udpa.annotations.file_migrate).move_to_package = "envoy.extensions.tracers.zipkin.v4alpha"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Zipkin tracer] + +// Configuration for the Zipkin tracer. +// [#extension: envoy.tracers.zipkin] +// [#next-free-field: 10] +message ZipkinConfig { + option (udpa.annotations.versioning).previous_message_type = "envoy.config.trace.v2.ZipkinConfig"; + + // Available trace context options for handling different trace header formats. + enum TraceContextOption { + // Use B3 headers only (default behavior). + USE_B3 = 0; + + // Enable B3 and W3C dual header support: + // - For downstream: Extract from B3 headers first, fallback to W3C traceparent if B3 is unavailable. + // - For upstream: Inject both B3 and W3C traceparent headers. + // When this option is NOT set, only B3 headers are used for both extraction and injection. + USE_B3_WITH_W3C_PROPAGATION = 1; + } + + // Available Zipkin collector endpoint versions. + enum CollectorEndpointVersion { + // Zipkin API v1, JSON over HTTP. + // [#comment: The default implementation of Zipkin client before this field is added was only v1 + // and the way user configure this was by not explicitly specifying the version. Consequently, + // before this is added, the corresponding Zipkin collector expected to receive v1 payload. + // Hence the motivation of adding HTTP_JSON_V1 as the default is to avoid a breaking change when + // user upgrading Envoy with this change. Furthermore, we also immediately deprecate this field, + // since in Zipkin realm this v1 version is considered to be not preferable anymore.] + DEPRECATED_AND_UNAVAILABLE_DO_NOT_USE = 0 + [deprecated = true, (envoy.annotations.disallowed_by_default_enum) = true]; + + // Zipkin API v2, JSON over HTTP. + HTTP_JSON = 1; + + // Zipkin API v2, protobuf over HTTP. + HTTP_PROTO = 2; + + // [#not-implemented-hide:] + GRPC = 3; + } + + // The cluster manager cluster that hosts the Zipkin collectors. + // Note: This field will be deprecated in future releases in favor of + // :ref:`collector_service `. + // Either this field or collector_service must be specified. + string collector_cluster = 1; + + // The API endpoint of the Zipkin service where the spans will be sent. When + // using a standard Zipkin installation. + // Note: This field will be deprecated in future releases in favor of + // :ref:`collector_service `. + // Required when using collector_cluster. + string collector_endpoint = 2; + + // Determines whether a 128bit trace id will be used when creating a new + // trace instance. The default value is false, which will result in a 64 bit trace id being used. + bool trace_id_128bit = 3; + + // Determines whether client and server spans will share the same span context. + // The default value is true. + google.protobuf.BoolValue shared_span_context = 4; + + // Determines the selected collector endpoint version. + CollectorEndpointVersion collector_endpoint_version = 5; + + // Optional hostname to use when sending spans to the collector_cluster. Useful for collectors + // that require a specific hostname. Defaults to :ref:`collector_cluster ` above. + // Note: This field will be deprecated in future releases in favor of + // :ref:`collector_service `. + string collector_hostname = 6; + + // If this is set to true, then Envoy will be treated as an independent hop in trace chain. A complete span pair will be created for a single + // request. Server span will be created for the downstream request and client span will be created for the related upstream request. + // This should be set to true in the following cases: + // + // * The Envoy Proxy is used as gateway or ingress. + // * The Envoy Proxy is used as sidecar but inbound traffic capturing or outbound traffic capturing is disabled. + // * Any case that the :ref:`start_child_span of router ` is set to true. + // + // .. attention:: + // + // If this is set to true, then the + // :ref:`start_child_span of router ` + // SHOULD be set to true also to ensure the correctness of trace chain. + // + // Both this field and ``start_child_span`` are deprecated by the + // :ref:`spawn_upstream_span `. + // Please use that ``spawn_upstream_span`` field to control the span creation. + bool split_spans_for_request = 7 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Determines which trace context format to use for trace header extraction and propagation. + // This controls both downstream request header extraction and upstream request header injection. + // Here is the spec for W3C trace headers: https://www.w3.org/TR/trace-context/ + // The default value is USE_B3 to maintain backward compatibility. + TraceContextOption trace_context_option = 8; + + // HTTP service configuration for the Zipkin collector. + // When specified, this configuration takes precedence over the legacy fields: + // collector_cluster, collector_endpoint, and collector_hostname. + // This provides a complete HTTP service configuration including cluster, URI, timeout, and headers. + // If not specified, the legacy fields above will be used for backward compatibility. + // + // Required fields when using collector_service: + // + // * ``http_uri.cluster`` - Must be specified and non-empty + // * ``http_uri.uri`` - Must be specified and non-empty + // * ``http_uri.timeout`` - Optional + // + // Full URI Support with Automatic Parsing: + // + // The ``uri`` field supports both path-only and full URI formats: + // + // .. code-block:: yaml + // + // tracing: + // provider: + // name: envoy.tracers.zipkin + // typed_config: + // "@type": type.googleapis.com/envoy.config.trace.v3.ZipkinConfig + // collector_service: + // http_uri: + // # Full URI format - hostname and path are extracted automatically + // uri: "https://zipkin-collector.example.com/api/v2/spans" + // cluster: zipkin + // timeout: 5s + // request_headers_to_add: + // - header: + // key: "X-Custom-Token" + // value: "your-custom-token" + // - header: + // key: "X-Service-ID" + // value: "your-service-id" + // + // URI Parsing Behavior: + // + // * Full URI: ``"https://zipkin-collector.example.com/api/v2/spans"`` + // + // * Hostname: ``zipkin-collector.example.com`` (sets HTTP ``Host`` header) + // * Path: ``/api/v2/spans`` (sets HTTP request path) + // + // * Path only: ``"/api/v2/spans"`` + // + // * Hostname: Uses cluster name as fallback + // * Path: ``/api/v2/spans`` + core.v3.HttpService collector_service = 9; +} diff --git a/modules/sync/envoyproxy/envoy/cas/1a9db550014817a7ab0e397006fefed890a2cf80bf6d895c4d348ae8e4bc84349175ceb206e972fbc9b152908c9ecc65cc91b00a785c04fc7cd5b9c5c7de4284 b/modules/sync/envoyproxy/envoy/cas/1a9db550014817a7ab0e397006fefed890a2cf80bf6d895c4d348ae8e4bc84349175ceb206e972fbc9b152908c9ecc65cc91b00a785c04fc7cd5b9c5c7de4284 new file mode 100644 index 00000000..238494a0 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/1a9db550014817a7ab0e397006fefed890a2cf80bf6d895c4d348ae8e4bc84349175ceb206e972fbc9b152908c9ecc65cc91b00a785c04fc7cd5b9c5c7de4284 @@ -0,0 +1,212 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/socket_option.proto"; + +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "AddressProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Network addresses] + +message Pipe { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.Pipe"; + + // Unix Domain Socket path. On Linux, paths starting with '@' will use the + // abstract namespace. The starting '@' is replaced by a null byte by Envoy. + // Paths starting with '@' will result in an error in environments other than + // Linux. + string path = 1 [(validate.rules).string = {min_len: 1}]; + + // The mode for the Pipe. Not applicable for abstract sockets. + uint32 mode = 2 [(validate.rules).uint32 = {lte: 511}]; +} + +// The address represents an envoy internal listener. +// [#comment: TODO(asraa): When address available, remove workaround from test/server/server_fuzz_test.cc:30.] +message EnvoyInternalAddress { + oneof address_name_specifier { + option (validate.required) = true; + + // Specifies the :ref:`name ` of the + // internal listener. + string server_listener_name = 1; + } + + // Specifies an endpoint identifier to distinguish between multiple endpoints for the same internal listener in a + // single upstream pool. Only used in the upstream addresses for tracking changes to individual endpoints. This, for + // example, may be set to the final destination IP for the target internal listener. + string endpoint_id = 2; +} + +// [#next-free-field: 8] +message SocketAddress { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.SocketAddress"; + + enum Protocol { + TCP = 0; + UDP = 1; + } + + Protocol protocol = 1 [(validate.rules).enum = {defined_only: true}]; + + // The address for this socket. :ref:`Listeners ` will bind + // to the address. An empty address is not allowed. Specify ``0.0.0.0`` or ``::`` + // to bind to any address. [#comment:TODO(zuercher) reinstate when implemented: + // It is possible to distinguish a Listener address via the prefix/suffix matching + // in :ref:`FilterChainMatch `.] When used + // within an upstream :ref:`BindConfig `, the address + // controls the source address of outbound connections. For :ref:`clusters + // `, the cluster type determines whether the + // address must be an IP (``STATIC`` or ``EDS`` clusters) or a hostname resolved by DNS + // (``STRICT_DNS`` or ``LOGICAL_DNS`` clusters). Address resolution can be customized + // via :ref:`resolver_name `. + string address = 2 [(validate.rules).string = {min_len: 1}]; + + oneof port_specifier { + option (validate.required) = true; + + uint32 port_value = 3 [(validate.rules).uint32 = {lte: 65535}]; + + // This is only valid if :ref:`resolver_name + // ` is specified below and the + // named resolver is capable of named port resolution. + string named_port = 4; + } + + // The name of the custom resolver. This must have been registered with Envoy. If + // this is empty, a context dependent default applies. If the address is a concrete + // IP address, no resolution will occur. If address is a hostname this + // should be set for resolution other than DNS. Specifying a custom resolver with + // ``STRICT_DNS`` or ``LOGICAL_DNS`` will generate an error at runtime. + string resolver_name = 5; + + // When binding to an IPv6 address above, this enables `IPv4 compatibility + // `_. Binding to ``::`` will + // allow both IPv4 and IPv6 connections, with peer IPv4 addresses mapped into + // IPv6 space as ``::FFFF:``. + bool ipv4_compat = 6; + + // Filepath that specifies the Linux network namespace this socket will be created in (see ``man 7 + // network_namespaces``). If this field is set, Envoy will create the socket in the specified + // network namespace. + // + // .. note:: + // Setting this parameter requires Envoy to run with the ``CAP_NET_ADMIN`` capability. + // + // .. attention:: + // Network namespaces are only configurable on Linux. Otherwise, this field has no effect. + string network_namespace_filepath = 7; +} + +message TcpKeepalive { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.TcpKeepalive"; + + // Maximum number of keepalive probes to send without response before deciding + // the connection is dead. Default is to use the OS level configuration (unless + // overridden, Linux defaults to 9.) + google.protobuf.UInt32Value keepalive_probes = 1; + + // The number of seconds a connection needs to be idle before keep-alive probes + // start being sent. Default is to use the OS level configuration (unless + // overridden, Linux defaults to 7200s (i.e., 2 hours.) + google.protobuf.UInt32Value keepalive_time = 2; + + // The number of seconds between keep-alive probes. Default is to use the OS + // level configuration (unless overridden, Linux defaults to 75s.) + google.protobuf.UInt32Value keepalive_interval = 3; +} + +message ExtraSourceAddress { + // The additional address to bind. + SocketAddress address = 1 [(validate.rules).message = {required: true}]; + + // Additional socket options that may not be present in Envoy source code or + // precompiled binaries. If specified, this will override the + // :ref:`socket_options ` + // in the BindConfig. If specified with no + // :ref:`socket_options ` + // or an empty list of :ref:`socket_options `, + // it means no socket option will apply. + SocketOptionsOverride socket_options = 2; +} + +// [#next-free-field: 7] +message BindConfig { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.BindConfig"; + + // The address to bind to when creating a socket. + SocketAddress source_address = 1; + + // Whether to set the ``IP_FREEBIND`` option when creating the socket. When this + // flag is set to true, allows the :ref:`source_address + // ` to be an IP address + // that is not configured on the system running Envoy. When this flag is set + // to false, the option ``IP_FREEBIND`` is disabled on the socket. When this + // flag is not set (default), the socket is not modified, i.e. the option is + // neither enabled nor disabled. + google.protobuf.BoolValue freebind = 2; + + // Additional socket options that may not be present in Envoy source code or + // precompiled binaries. + repeated SocketOption socket_options = 3; + + // Extra source addresses appended to the address specified in the ``source_address`` + // field. This enables to specify multiple source addresses. + // The source address selection is determined by :ref:`local_address_selector + // `. + repeated ExtraSourceAddress extra_source_addresses = 5; + + // Deprecated by + // :ref:`extra_source_addresses ` + repeated SocketAddress additional_source_addresses = 4 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Custom local address selector to override the default (i.e. + // :ref:`DefaultLocalAddressSelector + // `). + // [#extension-category: envoy.upstream.local_address_selector] + TypedExtensionConfig local_address_selector = 6; +} + +// Addresses specify either a logical or physical address and port, which are +// used to tell Envoy where to bind/listen, connect to upstream and find +// management servers. +message Address { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.Address"; + + oneof address { + option (validate.required) = true; + + SocketAddress socket_address = 1; + + Pipe pipe = 2; + + // Specifies a user-space address handled by :ref:`internal listeners + // `. + EnvoyInternalAddress envoy_internal_address = 3; + } +} + +// CidrRange specifies an IP Address and a prefix length to construct +// the subnet mask for a `CIDR `_ range. +message CidrRange { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.CidrRange"; + + // IPv4 or IPv6 address, e.g. ``192.0.0.0`` or ``2001:db8::``. + string address_prefix = 1 [(validate.rules).string = {min_len: 1}]; + + // Length of prefix, e.g. 0, 32. Defaults to 0 when unset. + google.protobuf.UInt32Value prefix_len = 2 [(validate.rules).uint32 = {lte: 128}]; +} diff --git a/modules/sync/envoyproxy/envoy/cas/1c25d514b7c22ff54c3b590dd512b90fb7e147db1935a90a27467f2745a5364e5ca1a4ac4a144525438ac7252a5aaba6f14f2fc8926e38f52f9bc61705edae3a b/modules/sync/envoyproxy/envoy/cas/1c25d514b7c22ff54c3b590dd512b90fb7e147db1935a90a27467f2745a5364e5ca1a4ac4a144525438ac7252a5aaba6f14f2fc8926e38f52f9bc61705edae3a new file mode 100644 index 00000000..406c5c19 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/1c25d514b7c22ff54c3b590dd512b90fb7e147db1935a90a27467f2745a5364e5ca1a4ac4a144525438ac7252a5aaba6f14f2fc8926e38f52f9bc61705edae3a @@ -0,0 +1,452 @@ +syntax = "proto3"; + +package envoy.service.ext_proc.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto"; +import "envoy/type/v3/http_status.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/struct.proto"; + +import "xds/annotations/v3/status.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.service.ext_proc.v3"; +option java_outer_classname = "ExternalProcessorProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/service/ext_proc/v3;ext_procv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: External processing service] + +// A service that can access and modify HTTP requests and responses +// as part of a filter chain. +// The overall external processing protocol works like this: +// +// 1. The data plane sends to the service information about the HTTP request. +// 2. The service sends back a ProcessingResponse message that directs +// the data plane to either stop processing, continue without it, or send +// it the next chunk of the message body. +// 3. If so requested, the data plane sends the server the message body in +// chunks, or the entire body at once. In either case, the server may send +// back a ProcessingResponse for each message it receives, or wait for +// a certain amount of body chunks received before streaming back the +// ProcessingResponse messages. +// 4. If so requested, the data plane sends the server the HTTP trailers, +// and the server sends back a ProcessingResponse. +// 5. At this point, request processing is done, and we pick up again +// at step 1 when the data plane receives a response from the upstream +// server. +// 6. At any point above, if the server closes the gRPC stream cleanly, +// then the data plane proceeds without consulting the server. +// 7. At any point above, if the server closes the gRPC stream with an error, +// then the data plane returns a 500 error to the client, unless the filter +// was configured to ignore errors. +// +// In other words, the process is a request/response conversation, but +// using a gRPC stream to make it easier for the server to +// maintain state. +service ExternalProcessor { + // This begins the bidirectional stream that the data plane will use to + // give the server control over what the filter does. The actual + // protocol is described by the ProcessingRequest and ProcessingResponse + // messages below. + rpc Process(stream ProcessingRequest) returns (stream ProcessingResponse) { + } +} + +// This message specifies the filter protocol configurations which will be sent to the ext_proc +// server in a :ref:`ProcessingRequest `. +// If the server does not support these protocol configurations, it may choose to close the gRPC stream. +// If the server supports these protocol configurations, it should respond based on the API specifications. +message ProtocolConfiguration { + // Specify the filter configuration :ref:`request_body_mode + // ` + envoy.extensions.filters.http.ext_proc.v3.ProcessingMode.BodySendMode request_body_mode = 1 + [(validate.rules).enum = {defined_only: true}]; + + // Specify the filter configuration :ref:`response_body_mode + // ` + envoy.extensions.filters.http.ext_proc.v3.ProcessingMode.BodySendMode response_body_mode = 2 + [(validate.rules).enum = {defined_only: true}]; + + // Specify the filter configuration :ref:`send_body_without_waiting_for_header_response + // ` + // If the client is waiting for a header response from the server, setting ``true`` means the client will send body to the server + // as they arrive. Setting ``false`` means the client will buffer the arrived data and not send it to the server immediately. + bool send_body_without_waiting_for_header_response = 3; +} + +// This represents the different types of messages that the data plane can send +// to an external processing server. +// [#next-free-field: 12] +message ProcessingRequest { + reserved 1; + + reserved "async_mode"; + + // Each request message will include one of the following sub-messages. Which + // ones are set for a particular HTTP request/response depend on the + // processing mode. + oneof request { + option (validate.required) = true; + + // Information about the HTTP request headers, as well as peer info and additional + // properties. Unless ``observability_mode`` is ``true``, the server must send back a + // HeaderResponse message, an ImmediateResponse message, or close the stream. + HttpHeaders request_headers = 2; + + // Information about the HTTP response headers, as well as peer info and additional + // properties. Unless ``observability_mode`` is ``true``, the server must send back a + // HeaderResponse message or close the stream. + HttpHeaders response_headers = 3; + + // A chunk of the HTTP request body. Unless ``observability_mode`` is true, the server must send back + // a BodyResponse message, an ImmediateResponse message, or close the stream. + HttpBody request_body = 4; + + // A chunk of the HTTP response body. Unless ``observability_mode`` is ``true``, the server must send back + // a BodyResponse message or close the stream. + HttpBody response_body = 5; + + // The HTTP trailers for the request path. Unless ``observability_mode`` is ``true``, the server + // must send back a TrailerResponse message or close the stream. + // + // This message is only sent if the trailers processing mode is set to ``SEND`` and + // the original downstream request has trailers. + HttpTrailers request_trailers = 6; + + // The HTTP trailers for the response path. Unless ``observability_mode`` is ``true``, the server + // must send back a TrailerResponse message or close the stream. + // + // This message is only sent if the trailers processing mode is set to ``SEND`` and + // the original upstream response has trailers. + HttpTrailers response_trailers = 7; + } + + // Dynamic metadata associated with the request. + config.core.v3.Metadata metadata_context = 8; + + // The values of properties selected by the ``request_attributes`` + // or ``response_attributes`` list in the configuration. Each entry + // in the list is populated from the standard + // :ref:`attributes ` supported in the data plane. + map attributes = 9; + + // Specify whether the filter that sent this request is running in :ref:`observability_mode + // ` + // and defaults to false. + // + // * A value of ``false`` indicates that the server must respond + // to this message by either sending back a matching ProcessingResponse message, + // or by closing the stream. + // * A value of ``true`` indicates that the server should not respond to this message, as any + // responses will be ignored. However, it may still close the stream to indicate that no more messages + // are needed. + // + bool observability_mode = 10; + + // Specify the filter protocol configurations to be sent to the server. + // ``protocol_config`` is only encoded in the first ``ProcessingRequest`` message from the client to the server. + ProtocolConfiguration protocol_config = 11; +} + +// This represents the different types of messages the server may send back to the data plane +// when the ``observability_mode`` field in the received ProcessingRequest is set to false. +// +// * If the corresponding ``BodySendMode`` in the +// :ref:`processing_mode ` +// is not set to ``FULL_DUPLEX_STREAMED``, then for every received ProcessingRequest, +// the server must send back exactly one ProcessingResponse message. +// * If it is set to ``FULL_DUPLEX_STREAMED``, the server must follow the API defined +// for this mode to send the ProcessingResponse messages. +// [#next-free-field: 11] +message ProcessingResponse { + // The response type that is sent by the server. + oneof response { + option (validate.required) = true; + + // The server must send back this message in response to a message with the + // ``request_headers`` field set. + HeadersResponse request_headers = 1; + + // The server must send back this message in response to a message with the + // ``response_headers`` field set. + HeadersResponse response_headers = 2; + + // The server must send back this message in response to a message with + // the ``request_body`` field set. + BodyResponse request_body = 3; + + // The server must send back this message in response to a message with + // the ``response_body`` field set. + BodyResponse response_body = 4; + + // The server must send back this message in response to a message with + // the ``request_trailers`` field set. + TrailersResponse request_trailers = 5; + + // The server must send back this message in response to a message with + // the ``response_trailers`` field set. + TrailersResponse response_trailers = 6; + + // If specified, attempt to create a locally generated response, send it + // downstream, and stop processing additional filters and ignore any + // additional messages received from the remote server for this request or + // response. If a response has already started -- for example, if this + // message is sent response to a ``response_body`` message -- then + // this will either ship the reply directly to the downstream codec, + // or reset the stream. + ImmediateResponse immediate_response = 7; + } + + // Optional metadata that will be emitted as dynamic metadata to be consumed by + // following filters. This metadata will be placed in the namespace(s) specified by the top-level + // field name(s) of the struct. + google.protobuf.Struct dynamic_metadata = 8; + + // Override how parts of the HTTP request and response are processed + // for the duration of this particular request/response only. Servers + // may use this to intelligently control how requests are processed + // based on the headers and other metadata that they see. + // This field is only applicable when servers responding to the header requests. + // If it is set in the response to the body or trailer requests, it will be ignored by the data plane. + // It is also ignored by the data plane when the ext_proc filter config + // :ref:`allow_mode_override + // ` + // is set to false, or + // :ref:`send_body_without_waiting_for_header_response + // ` + // is set to true. + envoy.extensions.filters.http.ext_proc.v3.ProcessingMode mode_override = 9; + + // When ext_proc server receives a request message, in case it needs more + // time to process the message, it sends back a ProcessingResponse message + // with a new timeout value. When the data plane receives this response + // message, it ignores other fields in the response, just stop the original + // timer, which has the timeout value specified in + // :ref:`message_timeout + // ` + // and start a new timer with this ``override_message_timeout`` value and keep the + // data plane ext_proc filter state machine intact. + // Has to be >= 1ms and <= + // :ref:`max_message_timeout ` + // Such message can be sent at most once in a particular data plane ext_proc filter processing state. + // To enable this API, one has to set ``max_message_timeout`` to a number >= 1ms. + google.protobuf.Duration override_message_timeout = 10; +} + +// The following are messages that are sent to the server. + +// This message is sent to the external server when the HTTP request and responses +// are first received. +message HttpHeaders { + // The HTTP request headers. All header keys will be + // lower-cased, because HTTP header keys are case-insensitive. + // The header value is encoded in the + // :ref:`raw_value ` field. + config.core.v3.HeaderMap headers = 1; + + // [#not-implemented-hide:] + // This field is deprecated and not implemented. Attributes will be sent in + // the top-level :ref:`attributes attributes = 2 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // If ``true``, then there is no message body associated with this + // request or response. + bool end_of_stream = 3; +} + +// This message is sent to the external server when the HTTP request and +// response bodies are received. +message HttpBody { + // The contents of the body in the HTTP request/response. Note that in + // streaming mode multiple ``HttpBody`` messages may be sent. + bytes body = 1; + + // If ``true``, this will be the last ``HttpBody`` message that will be sent and no + // trailers will be sent for the current request/response. + bool end_of_stream = 2; +} + +// This message is sent to the external server when the HTTP request and +// response trailers are received. +message HttpTrailers { + // The header value is encoded in the + // :ref:`raw_value ` field. + config.core.v3.HeaderMap trailers = 1; +} + +// The following are messages that may be sent back by the server. + +// This message is sent by the external server to the data plane after ``HttpHeaders`` was +// sent to it. +message HeadersResponse { + // Details the modifications (if any) to be made by the data plane to the current + // request/response. + CommonResponse response = 1; +} + +// This message is sent by the external server to the data plane after ``HttpBody`` was +// sent to it. +message BodyResponse { + // Details the modifications (if any) to be made by the data plane to the current + // request/response. + CommonResponse response = 1; +} + +// This message is sent by the external server to the data plane after ``HttpTrailers`` was +// sent to it. +message TrailersResponse { + // Details the modifications (if any) to be made by the data plane to the current + // request/response trailers. + HeaderMutation header_mutation = 1; +} + +// This message contains common fields between header and body responses. +// [#next-free-field: 6] +message CommonResponse { + // The status of the response. + enum ResponseStatus { + // Apply the mutation instructions in this message to the + // request or response, and then continue processing the filter + // stream as normal. This is the default. + CONTINUE = 0; + + // Apply the specified header mutation, replace the body with the body + // specified in the body mutation (if present), and do not send any + // further messages for this request or response even if the processing + // mode is configured to do so. + // + // When used in response to a request_headers or response_headers message, + // this status makes it possible to either completely replace the body + // while discarding the original body, or to add a body to a message that + // formerly did not have one. + // + // In other words, this response makes it possible to turn an HTTP GET + // into a POST, PUT, or PATCH. + CONTINUE_AND_REPLACE = 1; + } + + // If set, provide additional direction on how the data plane should + // handle the rest of the HTTP filter chain. + ResponseStatus status = 1 [(validate.rules).enum = {defined_only: true}]; + + // Instructions on how to manipulate the headers. When responding to an + // HttpBody request, header mutations will only take effect if + // the current processing mode for the body is BUFFERED. + HeaderMutation header_mutation = 2; + + // Replace the body of the last message sent to the remote server on this + // stream. If responding to an HttpBody request, simply replace or clear + // the body chunk that was sent with that request. Body mutations may take + // effect in response either to ``header`` or ``body`` messages. When it is + // in response to ``header`` messages, it only take effect if the + // :ref:`status ` + // is set to CONTINUE_AND_REPLACE. + BodyMutation body_mutation = 3; + + // [#not-implemented-hide:] + // Add new trailers to the message. This may be used when responding to either a + // HttpHeaders or HttpBody message, but only if this message is returned + // along with the CONTINUE_AND_REPLACE status. + // The header value is encoded in the + // :ref:`raw_value ` field. + config.core.v3.HeaderMap trailers = 4; + + // Clear the route cache for the current client request. This is necessary + // if the remote server modified headers that are used to calculate the route. + // This field is ignored in the response direction. This field is also ignored + // if the data plane ext_proc filter is in the upstream filter chain. + bool clear_route_cache = 5; +} + +// This message causes the filter to attempt to create a locally +// generated response, send it downstream, stop processing +// additional filters, and ignore any additional messages received +// from the remote server for this request or response. If a response +// has already started, then this will either ship the reply directly +// to the downstream codec, or reset the stream. +// [#next-free-field: 6] +message ImmediateResponse { + // The response code to return. + type.v3.HttpStatus status = 1 [(validate.rules).message = {required: true}]; + + // Apply changes to the default headers, which will include content-type. + HeaderMutation headers = 2; + + // The message body to return with the response which is sent using the + // text/plain content type, or encoded in the grpc-message header. + bytes body = 3; + + // If set, then include a gRPC status trailer. + GrpcStatus grpc_status = 4; + + // A string detailing why this local reply was sent, which may be included + // in log and debug output (e.g. this populates the %RESPONSE_CODE_DETAILS% + // command operator field for use in access logging). + string details = 5; +} + +// This message specifies a gRPC status for an ImmediateResponse message. +message GrpcStatus { + // The actual gRPC status. + uint32 status = 1; +} + +// Change HTTP headers or trailers by appending, replacing, or removing +// headers. +message HeaderMutation { + // Add or replace HTTP headers. Attempts to set the value of + // any ``x-envoy`` header, and attempts to set the ``:method``, + // ``:authority``, ``:scheme``, or ``host`` headers will be ignored. + // The header value is encoded in the + // :ref:`raw_value ` field. + repeated config.core.v3.HeaderValueOption set_headers = 1; + + // Remove these HTTP headers. Attempts to remove system headers -- + // any header starting with ``:``, plus ``host`` -- will be ignored. + repeated string remove_headers = 2; +} + +// The body response message corresponding to FULL_DUPLEX_STREAMED body mode. +message StreamedBodyResponse { + // The body response chunk that will be passed to the upstream/downstream by the data plane. + bytes body = 1; + + // The server sets this flag to true if it has received a body request with + // :ref:`end_of_stream ` set to true, + // and this is the last chunk of body responses. + bool end_of_stream = 2; +} + +// This message specifies the body mutation the server sends to the data plane. +message BodyMutation { + // The type of mutation for the body. + oneof mutation { + // The entire body to replace. + // Should only be used when the corresponding ``BodySendMode`` in the + // :ref:`processing_mode ` + // is not set to ``FULL_DUPLEX_STREAMED``. + bytes body = 1; + + // Clear the corresponding body chunk. + // Should only be used when the corresponding ``BodySendMode`` in the + // :ref:`processing_mode ` + // is not set to ``FULL_DUPLEX_STREAMED``. + // Clear the corresponding body chunk. + bool clear_body = 2; + + // Must be used when the corresponding ``BodySendMode`` in the + // :ref:`processing_mode ` + // is set to ``FULL_DUPLEX_STREAMED``. + StreamedBodyResponse streamed_response = 3 + [(xds.annotations.v3.field_status).work_in_progress = true]; + } +} diff --git a/modules/sync/envoyproxy/envoy/cas/1f3f879c54b1a2d224518fd83a0102d0d2773bc6ec191cc330efa19ebbfed6040cbfa7cafce5ef133402fd1455954aa17c7938f765340f34603adda028d14a82 b/modules/sync/envoyproxy/envoy/cas/1f3f879c54b1a2d224518fd83a0102d0d2773bc6ec191cc330efa19ebbfed6040cbfa7cafce5ef133402fd1455954aa17c7938f765340f34603adda028d14a82 new file mode 100644 index 00000000..cfa30afb --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/1f3f879c54b1a2d224518fd83a0102d0d2773bc6ec191cc330efa19ebbfed6040cbfa7cafce5ef133402fd1455954aa17c7938f765340f34603adda028d14a82 @@ -0,0 +1,351 @@ +syntax = "proto3"; + +package envoy.config.listener.v3; + +import "envoy/config/core/v3/address.proto"; +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/config_source.proto"; +import "envoy/type/v3/range.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.listener.v3"; +option java_outer_classname = "ListenerComponentsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/listener/v3;listenerv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Listener components] +// Listener :ref:`configuration overview ` + +// [#next-free-field: 6] +message Filter { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.listener.Filter"; + + reserved 3, 2; + + reserved "config"; + + // The name of the filter configuration. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + oneof config_type { + // Filter specific configuration which depends on the filter being + // instantiated. See the supported filters for further documentation. + // [#extension-category: envoy.filters.network] + google.protobuf.Any typed_config = 4; + + // Configuration source specifier for an extension configuration discovery + // service. In case of a failure and without the default configuration, the + // listener closes the connections. + core.v3.ExtensionConfigSource config_discovery = 5; + } +} + +// Specifies the match criteria for selecting a specific filter chain for a +// listener. +// +// In order for a filter chain to be selected, *ALL* of its criteria must be +// fulfilled by the incoming connection, properties of which are set by the +// networking stack and/or listener filters. +// +// The following order applies: +// +// 1. Destination port. +// 2. Destination IP address. +// 3. Server name (e.g. SNI for TLS protocol), +// 4. Transport protocol. +// 5. Application protocols (e.g. ALPN for TLS protocol). +// 6. Directly connected source IP address (this will only be different from the source IP address +// when using a listener filter that overrides the source address, such as the :ref:`Proxy Protocol +// listener filter `). +// 7. Source type (e.g. any, local or external network). +// 8. Source IP address. +// 9. Source port. +// +// For criteria that allow ranges or wildcards, the most specific value in any +// of the configured filter chains that matches the incoming connection is going +// to be used (e.g. for SNI ``www.example.com`` the most specific match would be +// ``www.example.com``, then ``*.example.com``, then ``*.com``, then any filter +// chain without ``server_names`` requirements). +// +// A different way to reason about the filter chain matches: +// Suppose there exists N filter chains. Prune the filter chain set using the above 8 steps. +// In each step, filter chains which most specifically matches the attributes continue to the next step. +// The listener guarantees at most 1 filter chain is left after all of the steps. +// +// Example: +// +// For destination port, filter chains specifying the destination port of incoming traffic are the +// most specific match. If none of the filter chains specifies the exact destination port, the filter +// chains which do not specify ports are the most specific match. Filter chains specifying the +// wrong port can never be the most specific match. +// +// [#comment: Implemented rules are kept in the preference order, with deprecated fields +// listed at the end, because that's how we want to list them in the docs. +// +// [#comment:TODO(PiotrSikora): Add support for configurable precedence of the rules] +// [#next-free-field: 14] +message FilterChainMatch { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.listener.FilterChainMatch"; + + enum ConnectionSourceType { + // Any connection source matches. + ANY = 0; + + // Match a connection originating from the same host. + SAME_IP_OR_LOOPBACK = 1; + + // Match a connection originating from a different host. + EXTERNAL = 2; + } + + reserved 1; + + // Optional destination port to consider when use_original_dst is set on the + // listener in determining a filter chain match. + google.protobuf.UInt32Value destination_port = 8 [(validate.rules).uint32 = {lte: 65535 gte: 1}]; + + // If non-empty, an IP address and prefix length to match addresses when the + // listener is bound to 0.0.0.0/:: or when use_original_dst is specified. + repeated core.v3.CidrRange prefix_ranges = 3; + + // If non-empty, an IP address and suffix length to match addresses when the + // listener is bound to 0.0.0.0/:: or when use_original_dst is specified. + // [#not-implemented-hide:] + string address_suffix = 4; + + // [#not-implemented-hide:] + google.protobuf.UInt32Value suffix_len = 5; + + // The criteria is satisfied if the directly connected source IP address of the downstream + // connection is contained in at least one of the specified subnets. If the parameter is not + // specified or the list is empty, the directly connected source IP address is ignored. + repeated core.v3.CidrRange direct_source_prefix_ranges = 13; + + // Specifies the connection source IP match type. Can be any, local or external network. + ConnectionSourceType source_type = 12 [(validate.rules).enum = {defined_only: true}]; + + // The criteria is satisfied if the source IP address of the downstream + // connection is contained in at least one of the specified subnets. If the + // parameter is not specified or the list is empty, the source IP address is + // ignored. + repeated core.v3.CidrRange source_prefix_ranges = 6; + + // The criteria is satisfied if the source port of the downstream connection + // is contained in at least one of the specified ports. If the parameter is + // not specified, the source port is ignored. + repeated uint32 source_ports = 7 + [(validate.rules).repeated = {items {uint32 {lte: 65535 gte: 1}}}]; + + // If non-empty, a list of server names (e.g. SNI for TLS protocol) to consider when determining + // a filter chain match. Those values will be compared against the server names of a new + // connection, when detected by one of the listener filters. + // + // The server name will be matched against all wildcard domains, i.e. ``www.example.com`` + // will be first matched against ``www.example.com``, then ``*.example.com``, then ``*.com``. + // + // Note that partial wildcards are not supported, and values like ``*w.example.com`` are invalid. + // The value ``*`` is also not supported, and ``server_names`` should be omitted instead. + // + // .. attention:: + // + // See the :ref:`FAQ entry ` on how to configure SNI for more + // information. + repeated string server_names = 11; + + // If non-empty, a transport protocol to consider when determining a filter chain match. + // This value will be compared against the transport protocol of a new connection, when + // it's detected by one of the listener filters. + // + // Suggested values include: + // + // * ``raw_buffer`` - default, used when no transport protocol is detected, + // * ``tls`` - set by :ref:`envoy.filters.listener.tls_inspector ` + // when TLS protocol is detected. + string transport_protocol = 9; + + // If non-empty, a list of application protocols (e.g. ALPN for TLS protocol) to consider when + // determining a filter chain match. Those values will be compared against the application + // protocols of a new connection, when detected by one of the listener filters. + // + // Suggested values include: + // + // * ``http/1.1`` - set by :ref:`envoy.filters.listener.tls_inspector + // `, + // * ``h2`` - set by :ref:`envoy.filters.listener.tls_inspector ` + // + // .. attention:: + // + // Currently, only :ref:`TLS Inspector ` provides + // application protocol detection based on the requested + // `ALPN `_ values. + // + // However, the use of ALPN is pretty much limited to the HTTP/2 traffic on the Internet, + // and matching on values other than ``h2`` is going to lead to a lot of false negatives, + // unless all connecting clients are known to use ALPN. + repeated string application_protocols = 10; +} + +// A filter chain wraps a set of match criteria, an option TLS context, a set of filters, and +// various other parameters. +// [#next-free-field: 10] +message FilterChain { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.listener.FilterChain"; + + reserved 2, 8; + + reserved "tls_context", "on_demand_configuration"; + + // The criteria to use when matching a connection to this filter chain. + FilterChainMatch filter_chain_match = 1; + + // A list of individual network filters that make up the filter chain for + // connections established with the listener. Order matters as the filters are + // processed sequentially as connection events happen. Note: If the filter + // list is empty, the connection will close by default. + // + // For QUIC listeners, network filters other than HTTP Connection Manager (HCM) + // can be created, but due to differences in the connection implementation compared + // to TCP, the onData() method will never be called. Therefore, network filters + // for QUIC listeners should only expect to do work at the start of a new connection + // (i.e. in onNewConnection()). HCM must be the last (or only) filter in the chain. + repeated Filter filters = 3; + + // Whether the listener should expect a PROXY protocol V1 header on new + // connections. If this option is enabled, the listener will assume that that + // remote address of the connection is the one specified in the header. Some + // load balancers including the AWS ELB support this option. If the option is + // absent or set to false, Envoy will use the physical peer address of the + // connection as the remote address. + // + // This field is deprecated. Add a + // :ref:`PROXY protocol listener filter ` + // explicitly instead. + google.protobuf.BoolValue use_proxy_proto = 4 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Filter chain metadata. + core.v3.Metadata metadata = 5; + + // Optional custom transport socket implementation to use for downstream connections. + // To setup TLS, set a transport socket with name ``envoy.transport_sockets.tls`` and + // :ref:`DownstreamTlsContext ` in the ``typed_config``. + // If no transport socket configuration is specified, new connections + // will be set up with plaintext. + // [#extension-category: envoy.transport_sockets.downstream] + core.v3.TransportSocket transport_socket = 6; + + // If present and nonzero, the amount of time to allow incoming connections to complete any + // transport socket negotiations. If this expires before the transport reports connection + // establishment, the connection is summarily closed. + google.protobuf.Duration transport_socket_connect_timeout = 9; + + // The unique name (or empty) by which this filter chain is known. + // Note: :ref:`filter_chain_matcher + // ` + // requires that filter chains are uniquely named within a listener. + string name = 7; +} + +// Listener filter chain match configuration. This is a recursive structure which allows complex +// nested match configurations to be built using various logical operators. +// +// Examples: +// +// * Matches if the destination port is 3306. +// +// .. code-block:: yaml +// +// destination_port_range: +// start: 3306 +// end: 3307 +// +// * Matches if the destination port is 3306 or 15000. +// +// .. code-block:: yaml +// +// or_match: +// rules: +// - destination_port_range: +// start: 3306 +// end: 3307 +// - destination_port_range: +// start: 15000 +// end: 15001 +// +// [#next-free-field: 6] +message ListenerFilterChainMatchPredicate { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.listener.ListenerFilterChainMatchPredicate"; + + // A set of match configurations used for logical operations. + message MatchSet { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.listener.ListenerFilterChainMatchPredicate.MatchSet"; + + // The list of rules that make up the set. + repeated ListenerFilterChainMatchPredicate rules = 1 + [(validate.rules).repeated = {min_items: 2}]; + } + + oneof rule { + option (validate.required) = true; + + // A set that describes a logical OR. If any member of the set matches, the match configuration + // matches. + MatchSet or_match = 1; + + // A set that describes a logical AND. If all members of the set match, the match configuration + // matches. + MatchSet and_match = 2; + + // A negation match. The match configuration will match if the negated match condition matches. + ListenerFilterChainMatchPredicate not_match = 3; + + // The match configuration will always match. + bool any_match = 4 [(validate.rules).bool = {const: true}]; + + // Match destination port. Particularly, the match evaluation must use the recovered local port if + // the owning listener filter is after :ref:`an original_dst listener filter `. + type.v3.Int32Range destination_port_range = 5; + } +} + +// [#next-free-field: 6] +message ListenerFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.listener.ListenerFilter"; + + reserved 2; + + reserved "config"; + + // The name of the filter configuration. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + oneof config_type { + // Filter specific configuration which depends on the filter being + // instantiated. See the supported filters for further documentation. + // [#extension-category: envoy.filters.listener,envoy.filters.udp_listener] + google.protobuf.Any typed_config = 3; + + // Configuration source specifier for an extension configuration discovery + // service. In case of a failure and without the default configuration, the + // listener closes the connections. + core.v3.ExtensionConfigSource config_discovery = 5; + } + + // Optional match predicate used to disable the filter. The filter is enabled when this field is empty. + // See :ref:`ListenerFilterChainMatchPredicate ` + // for further examples. + ListenerFilterChainMatchPredicate filter_disabled = 4; +} diff --git a/modules/sync/envoyproxy/envoy/cas/228b44c84ee8b6c130b4a061960ac1fd5a222d903f100caeed5206441656d9692892a7c5c29a604df6c0c4130560fc8766a377cbdf9bd2f7fc804cc9eddf09af b/modules/sync/envoyproxy/envoy/cas/228b44c84ee8b6c130b4a061960ac1fd5a222d903f100caeed5206441656d9692892a7c5c29a604df6c0c4130560fc8766a377cbdf9bd2f7fc804cc9eddf09af new file mode 100644 index 00000000..a530db3d --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/228b44c84ee8b6c130b4a061960ac1fd5a222d903f100caeed5206441656d9692892a7c5c29a604df6c0c4130560fc8766a377cbdf9bd2f7fc804cc9eddf09af @@ -0,0 +1,111 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "envoy/config/core/v3/substitution_format_string.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "ProxyProtocolProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Proxy protocol] + +message ProxyProtocolPassThroughTLVs { + enum PassTLVsMatchType { + // Pass all TLVs. + INCLUDE_ALL = 0; + + // Pass specific TLVs defined in tlv_type. + INCLUDE = 1; + } + + // The strategy to pass through TLVs. Default is INCLUDE_ALL. + // If INCLUDE_ALL is set, all TLVs will be passed through no matter the tlv_type field. + PassTLVsMatchType match_type = 1; + + // The TLV types that are applied based on match_type. + // TLV type is defined as uint8_t in proxy protocol. See `the spec + // `_ for details. + repeated uint32 tlv_type = 2 [(validate.rules).repeated = {items {uint32 {lt: 256}}}]; +} + +// Represents a single Type-Length-Value (TLV) entry. +message TlvEntry { + // The type of the TLV. Must be a uint8 (0-255) as per the Proxy Protocol v2 specification. + uint32 type = 1 [(validate.rules).uint32 = {lt: 256}]; + + // The static value of the TLV. + // Only one of ``value`` or ``format_string`` may be set. + bytes value = 2; + + // Uses the :ref:`format string ` to dynamically + // populate the TLV value from stream information. This allows dynamic values + // such as metadata, filter state, or other stream properties to be included in + // the TLV. + // + // For example: + // + // .. code-block:: yaml + // + // type: 0xF0 + // format_string: + // text_format_source: + // inline_string: "%DYNAMIC_METADATA(envoy.filters.network:key)%" + // + // The formatted string will be used directly as the TLV value. + // Only one of ``value`` or ``format_string`` may be set. + SubstitutionFormatString format_string = 3; +} + +message ProxyProtocolConfig { + enum Version { + // PROXY protocol version 1. Human readable format. + V1 = 0; + + // PROXY protocol version 2. Binary format. + V2 = 1; + } + + // The PROXY protocol version to use. See https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt for details + Version version = 1; + + // This config controls which TLVs can be passed to upstream if it is Proxy Protocol + // V2 header. If there is no setting for this field, no TLVs will be passed through. + ProxyProtocolPassThroughTLVs pass_through_tlvs = 2; + + // This config allows additional TLVs to be included in the upstream PROXY protocol + // V2 header. Unlike ``pass_through_tlvs``, which passes TLVs from the downstream request, + // ``added_tlvs`` provides an extension mechanism for defining new TLVs that are included + // with the upstream request. These TLVs may not be present in the downstream request and + // can be defined at either the transport socket level or the host level to provide more + // granular control over the TLVs that are included in the upstream request. + // + // Host-level TLVs are specified in the ``metadata.typed_filter_metadata`` field under the + // ``envoy.transport_sockets.proxy_protocol`` namespace. + // + // .. literalinclude:: /_configs/repo/proxy_protocol.yaml + // :language: yaml + // :lines: 49-57 + // :linenos: + // :lineno-start: 49 + // :caption: :download:`proxy_protocol.yaml ` + // + // **Precedence behavior**: + // + // - When a TLV is defined at both the host level and the transport socket level, the value + // from the host level configuration takes precedence. This allows users to define default TLVs + // at the transport socket level and override them at the host level. + // - Any TLV defined in the ``pass_through_tlvs`` field will be overridden by either the host-level + // or transport socket-level TLV. + repeated TlvEntry added_tlvs = 3; +} + +message PerHostConfig { + // Enables per-host configuration for Proxy Protocol. + repeated TlvEntry added_tlvs = 1; +} diff --git a/modules/sync/envoyproxy/envoy/cas/287739521df4ccf47e2466a84022be6911d45006c26e28da2adadf3c8de7173b3d1677c66ca4b77e17a9fb1b672f484df217e1b4611c93488d60245e6e44e1ad b/modules/sync/envoyproxy/envoy/cas/287739521df4ccf47e2466a84022be6911d45006c26e28da2adadf3c8de7173b3d1677c66ca4b77e17a9fb1b672f484df217e1b4611c93488d60245e6e44e1ad new file mode 100644 index 00000000..ce32c957 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/287739521df4ccf47e2466a84022be6911d45006c26e28da2adadf3c8de7173b3d1677c66ca4b77e17a9fb1b672f484df217e1b4611c93488d60245e6e44e1ad @@ -0,0 +1,19 @@ +syntax = "proto3"; + +package envoy.extensions.grpc_service.call_credentials.google_refresh_token.v3; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.grpc_service.call_credentials.google_refresh_token.v3"; +option java_outer_classname = "GoogleRefreshTokenCredentialsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/grpc_service/call_credentials/google_refresh_token/v3;google_refresh_tokenv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: gRPC Google Refresh Token Credentials] + +// [#not-implemented-hide:] +message GoogleRefreshTokenCredentials { + // JSON refresh token. + string token = 1; +} diff --git a/modules/sync/envoyproxy/envoy/cas/288e891984b853d364c541615d3cd487a5f48e82d756c8f75b949f954ce000669155b5603fd34e19a29c176d19829cfb1f796be1dbc7480917733bdd43844aa3 b/modules/sync/envoyproxy/envoy/cas/288e891984b853d364c541615d3cd487a5f48e82d756c8f75b949f954ce000669155b5603fd34e19a29c176d19829cfb1f796be1dbc7480917733bdd43844aa3 new file mode 100644 index 00000000..5ad32af5 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/288e891984b853d364c541615d3cd487a5f48e82d756c8f75b949f954ce000669155b5603fd34e19a29c176d19829cfb1f796be1dbc7480917733bdd43844aa3 @@ -0,0 +1,133 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.ext_proc.v3; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.ext_proc.v3"; +option java_outer_classname = "ProcessingModeProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_proc/v3;ext_procv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: External Processing Filter] +// External Processing Filter Processing Mode +// [#extension: envoy.filters.http.ext_proc] + +// This configuration describes which parts of an HTTP request and +// response are sent to a remote server and how they are delivered. + +// [#next-free-field: 7] +message ProcessingMode { + // Control how headers and trailers are handled + enum HeaderSendMode { + // When used to configure the ext_proc filter :ref:`processing_mode + // `, + // the default HeaderSendMode depends on which part of the message is being processed. By + // default, request and response headers are sent, while trailers are skipped. + // + // When used in :ref:`mode_override + // ` or + // :ref:`allowed_override_modes + // `, + // a value of DEFAULT indicates that there is no change from the behavior that is configured for + // the filter in :ref:`processing_mode + // `. + DEFAULT = 0; + + // Send the header or trailer. + SEND = 1; + + // Do not send the header or trailer. + SKIP = 2; + } + + // Control how the request and response bodies are handled + // When body mutation by external processor is enabled, ext_proc filter will always remove + // the content length header in four cases below because content length can not be guaranteed + // to be set correctly: + // 1) STREAMED BodySendMode: header processing completes before body mutation comes back. + // 2) BUFFERED_PARTIAL BodySendMode: body is buffered and could be injected in different phases. + // 3) BUFFERED BodySendMode + SKIP HeaderSendMode: header processing (e.g., update content-length) is skipped. + // 4) FULL_DUPLEX_STREAMED BodySendMode: header processing completes before body mutation comes back. + // + // In Envoy's http1 codec implementation, removing content length will enable chunked transfer + // encoding whenever feasible. The recipient (either client or server) must be able + // to parse and decode the chunked transfer coding. + // (see `details in RFC9112 `_). + // + // In BUFFERED BodySendMode + SEND HeaderSendMode, content length header is allowed but it is + // external processor's responsibility to set the content length correctly matched to the length + // of mutated body. If they don't match, the corresponding body mutation will be rejected and + // local reply will be sent with an error message. + enum BodySendMode { + // Do not send the body at all. This is the default. + NONE = 0; + + // Stream the body to the server in pieces as they are seen. + STREAMED = 1; + + // Buffer the message body in memory and send the entire body at once. + // If the body exceeds the configured buffer limit, then the + // downstream system will receive an error. + BUFFERED = 2; + + // Buffer the message body in memory and send the entire body in one + // chunk. If the body exceeds the configured buffer limit, then the body contents + // up to the buffer limit will be sent. + BUFFERED_PARTIAL = 3; + + // The ext_proc client (the data plane) streams the body to the server in pieces as they arrive. + // + // 1) The server may choose to buffer any number chunks of data before processing them. + // After it finishes buffering, the server processes the buffered data. Then it splits the processed + // data into any number of chunks, and streams them back to the ext_proc client one by one. + // The server may continuously do so until the complete body is processed. + // The individual response chunk size is recommended to be no greater than 64K bytes, or + // :ref:`max_receive_message_length ` + // if EnvoyGrpc is used. + // + // 2) The server may also choose to buffer the entire message, including the headers (if header mode is + // ``SEND``), the entire body, and the trailers (if present), before sending back any response. + // The server response has to maintain the headers-body-trailers ordering. + // + // 3) Note that the server might also choose not to buffer data. That is, upon receiving a + // body request, it could process the data and send back a body response immediately. + // + // In this body mode: + // * The corresponding trailer mode has to be set to ``SEND``. + // * The client will send body and trailers (if present) to the server as they arrive. + // Sending the trailers (if present) is to inform the server the complete body arrives. + // In case there are no trailers, then the client will set + // :ref:`end_of_stream ` + // to true as part of the last body chunk request to notify the server that no other data is to be sent. + // * The server needs to send + // :ref:`StreamedBodyResponse ` + // to the client in the body response. + // * The client will stream the body chunks in the responses from the server to the upstream/downstream as they arrive. + + FULL_DUPLEX_STREAMED = 4; + } + + // How to handle the request header. Default is "SEND". + // Note this field is ignored in :ref:`mode_override + // `, since mode + // overrides can only affect messages exchanged after the request header is processed. + HeaderSendMode request_header_mode = 1 [(validate.rules).enum = {defined_only: true}]; + + // How to handle the response header. Default is "SEND". + HeaderSendMode response_header_mode = 2 [(validate.rules).enum = {defined_only: true}]; + + // How to handle the request body. Default is "NONE". + BodySendMode request_body_mode = 3 [(validate.rules).enum = {defined_only: true}]; + + // How do handle the response body. Default is "NONE". + BodySendMode response_body_mode = 4 [(validate.rules).enum = {defined_only: true}]; + + // How to handle the request trailers. Default is "SKIP". + HeaderSendMode request_trailer_mode = 5 [(validate.rules).enum = {defined_only: true}]; + + // How to handle the response trailers. Default is "SKIP". + HeaderSendMode response_trailer_mode = 6 [(validate.rules).enum = {defined_only: true}]; +} diff --git a/modules/sync/envoyproxy/envoy/cas/2894818b159d82e436454b897303459c693593507e5ddfd71291a3aafd6f5e5ff829b72738d56910423f1f06c8712d6c0968db606d275420b4ff2d333d7e8b34 b/modules/sync/envoyproxy/envoy/cas/2894818b159d82e436454b897303459c693593507e5ddfd71291a3aafd6f5e5ff829b72738d56910423f1f06c8712d6c0968db606d275420b4ff2d333d7e8b34 new file mode 100644 index 00000000..6452fced --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/2894818b159d82e436454b897303459c693593507e5ddfd71291a3aafd6f5e5ff829b72738d56910423f1f06c8712d6c0968db606d275420b4ff2d333d7e8b34 @@ -0,0 +1,65 @@ +syntax = "proto3"; + +package envoy.type.matcher; + +import "envoy/type/matcher/number.proto"; +import "envoy/type/matcher/string.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher"; +option java_outer_classname = "ValueProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher"; +option (udpa.annotations.file_status).package_version_status = FROZEN; + +// [#protodoc-title: Value matcher] + +// Specifies the way to match a Protobuf::Value. Primitive values and ListValue are supported. +// StructValue is not supported and is always not matched. +// [#next-free-field: 7] +message ValueMatcher { + // NullMatch is an empty message to specify a null value. + message NullMatch { + } + + // Specifies how to match a value. + oneof match_pattern { + option (validate.required) = true; + + // If specified, a match occurs if and only if the target value is a NullValue. + NullMatch null_match = 1; + + // If specified, a match occurs if and only if the target value is a double value and is + // matched to this field. + DoubleMatcher double_match = 2; + + // If specified, a match occurs if and only if the target value is a string value and is + // matched to this field. + StringMatcher string_match = 3; + + // If specified, a match occurs if and only if the target value is a bool value and is equal + // to this field. + bool bool_match = 4; + + // If specified, value match will be performed based on whether the path is referring to a + // valid primitive value in the metadata. If the path is referring to a non-primitive value, + // the result is always not matched. + bool present_match = 5; + + // If specified, a match occurs if and only if the target value is a list value and + // is matched to this field. + ListMatcher list_match = 6; + } +} + +// Specifies the way to match a list value. +message ListMatcher { + oneof match_pattern { + option (validate.required) = true; + + // If specified, at least one of the values in the list must match the value specified. + ValueMatcher one_of = 1; + } +} diff --git a/modules/sync/envoyproxy/envoy/cas/2974d42d6aca9cc1d92da59d423f3a9a7e490c887716b5b3a018962cc0390463580cc5dd7cf1634fda75a07894ef32650dd7bd24c68a39f5e322193f7437621b b/modules/sync/envoyproxy/envoy/cas/2974d42d6aca9cc1d92da59d423f3a9a7e490c887716b5b3a018962cc0390463580cc5dd7cf1634fda75a07894ef32650dd7bd24c68a39f5e322193f7437621b new file mode 100644 index 00000000..7c873fc2 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/2974d42d6aca9cc1d92da59d423f3a9a7e490c887716b5b3a018962cc0390463580cc5dd7cf1634fda75a07894ef32650dd7bd24c68a39f5e322193f7437621b @@ -0,0 +1,24 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.mcp.v3; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.mcp.v3"; +option java_outer_classname = "McpProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/mcp/v3;mcpv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: MCP] +// MCP filter :ref:`configuration overview `. +// [#extension: envoy.filters.http.mcp] + +message Mcp { + // TODO: Add configuration fields +} + +// McpOverride for MCP filter +message McpOverride { + // TODO: Add configuration fields +} diff --git a/modules/sync/envoyproxy/envoy/cas/2d8529937573b5af22c4a01154056d54c8e1b7ce7b96511d19f6109749f9f4053a143a206cf1d298d2ff688e67608f03ea18d80dba10cece6f6dae33e25a8122 b/modules/sync/envoyproxy/envoy/cas/2d8529937573b5af22c4a01154056d54c8e1b7ce7b96511d19f6109749f9f4053a143a206cf1d298d2ff688e67608f03ea18d80dba10cece6f6dae33e25a8122 new file mode 100644 index 00000000..fba8cdee --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/2d8529937573b5af22c4a01154056d54c8e1b7ce7b96511d19f6109749f9f4053a143a206cf1d298d2ff688e67608f03ea18d80dba10cece6f6dae33e25a8122 @@ -0,0 +1,27 @@ +syntax = "proto3"; + +package envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.bootstrap.reverse_tunnel.downstream_socket_interface.v3"; +option java_outer_classname = "DownstreamReverseConnectionSocketInterfaceProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3;downstream_socket_interfacev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Bootstrap settings for downstream reverse connection socket interface] +// [#extension: envoy.bootstrap.reverse_tunnel.downstream_socket_interface] + +// Configuration for the downstream reverse connection socket interface. +// This interface initiates reverse connections to upstream Envoys and provides +// them as socket connections for downstream requests. +message DownstreamReverseConnectionSocketInterface { + // Stat prefix to be used for downstream reverse connection socket interface stats. + string stat_prefix = 1; + + // Enable detailed per-host and per-cluster statistics. + // When enabled, emits hidden statistics for individual hosts and clusters. + // Defaults to false. + bool enable_detailed_stats = 2; +} diff --git a/modules/sync/envoyproxy/envoy/cas/32ec3f8854e5a6ceed6ac53d62142d707ea1c335da41359d8d57cfd3cff4edd5afbe1fd1d7a40057a17ae0f20c106756d7d29480007969dcd4b1845fb2e3ad6b b/modules/sync/envoyproxy/envoy/cas/32ec3f8854e5a6ceed6ac53d62142d707ea1c335da41359d8d57cfd3cff4edd5afbe1fd1d7a40057a17ae0f20c106756d7d29480007969dcd4b1845fb2e3ad6b new file mode 100644 index 00000000..9a335f55 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/32ec3f8854e5a6ceed6ac53d62142d707ea1c335da41359d8d57cfd3cff4edd5afbe1fd1d7a40057a17ae0f20c106756d7d29480007969dcd4b1845fb2e3ad6b @@ -0,0 +1,108 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.cache_v2.v3; + +import "envoy/config/route/v3/route_components.proto"; +import "envoy/type/matcher/v3/string.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/wrappers.proto"; + +import "xds/annotations/v3/status.proto"; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.cache_v2.v3"; +option java_outer_classname = "CacheProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/cache_v2/v3;cache_v2v3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; +option (xds.annotations.v3.file_status).work_in_progress = true; + +// [#protodoc-title: HTTP Cache Filter V2] + +// [#extension: envoy.filters.http.cache_v2] +// [#next-free-field: 8] +message CacheV2Config { + // [#not-implemented-hide:] + // Modifies cache key creation by restricting which parts of the URL are included. + message KeyCreatorParams { + // If true, exclude the URL scheme from the cache key. Set to true if your origins always + // produce the same response for http and https requests. + bool exclude_scheme = 1; + + // If true, exclude the host from the cache key. Set to true if your origins' responses don't + // ever depend on host. + bool exclude_host = 2; + + // If ``query_parameters_included`` is nonempty, only query parameters matched + // by one or more of its matchers are included in the cache key. Any other + // query params will not affect cache lookup. + repeated config.route.v3.QueryParameterMatcher query_parameters_included = 3; + + // If ``query_parameters_excluded`` is nonempty, query parameters matched by one + // or more of its matchers are excluded from the cache key (even if also + // matched by ``query_parameters_included``), and will not affect cache lookup. + repeated config.route.v3.QueryParameterMatcher query_parameters_excluded = 4; + } + + // Config specific to the cache storage implementation. Required unless ``disabled`` + // is true. + // [#extension-category: envoy.http.cache_v2] + google.protobuf.Any typed_config = 1; + + // When true, the cache filter is a no-op filter. + // + // Possible use-cases for this include: + // - Turning a filter on and off with :ref:`ECDS `. + // [#comment: once route-specific overrides are implemented, they are the more likely use-case.] + google.protobuf.BoolValue disabled = 5; + + // [#not-implemented-hide:] + // List of matching rules that defines allowed ``Vary`` headers. + // + // The ``vary`` response header holds a list of header names that affect the + // contents of a response, as described by + // https://httpwg.org/specs/rfc7234.html#caching.negotiated.responses. + // + // During insertion, ``allowed_vary_headers`` acts as a allowlist: if a + // response's ``vary`` header mentions any header names that aren't matched by any rules in + // ``allowed_vary_headers``, that response will not be cached. + // + // During lookup, ``allowed_vary_headers`` controls what request headers will be + // sent to the cache storage implementation. + repeated type.matcher.v3.StringMatcher allowed_vary_headers = 2; + + // [#not-implemented-hide:] + // + // + // Modifies cache key creation by restricting which parts of the URL are included. + KeyCreatorParams key_creator_params = 3; + + // [#not-implemented-hide:] + // + // + // Max body size the cache filter will insert into a cache. 0 means unlimited (though the cache + // storage implementation may have its own limit beyond which it will reject insertions). + uint32 max_body_bytes = 4; + + // By default, a ``cache-control: no-cache`` or ``pragma: no-cache`` header in the request + // causes the cache to validate with its upstream even if the lookup is a hit. Setting this + // to true will ignore these headers. + bool ignore_request_cache_control_header = 6; + + // If this is set, requests sent upstream to populate the cache will go to the + // specified cluster rather than the cluster selected by the vhost and route. + // + // If you have actions to be taken by the router filter - either + // ``upstream_http_filters`` or one of the ``RouteConfiguration`` actions such as + // ``response_headers_to_add`` - then the cache's side-channel going directly to the + // routed cluster will bypass these actions. You can set ``override_upstream_cluster`` + // to an internal listener which duplicates the relevant ``RouteConfiguration``, to + // replicate the desired behavior on the side-channel upstream request issued by the + // cache. + // + // This is a workaround for implementation constraints which it is hoped will at some + // point become unnecessary, then unsupported and this field will be removed. + string override_upstream_cluster = 7; +} diff --git a/modules/sync/envoyproxy/envoy/cas/37544485154fc1be701779188515c219db0415ee12110f40fd75e51cf5ac61275914ac75f9c349c711215d45c2a1a525cd589738d1f2d119aa56ee3aec2a234a b/modules/sync/envoyproxy/envoy/cas/37544485154fc1be701779188515c219db0415ee12110f40fd75e51cf5ac61275914ac75f9c349c711215d45c2a1a525cd589738d1f2d119aa56ee3aec2a234a new file mode 100644 index 00000000..6d12765c --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/37544485154fc1be701779188515c219db0415ee12110f40fd75e51cf5ac61275914ac75f9c349c711215d45c2a1a525cd589738d1f2d119aa56ee3aec2a234a @@ -0,0 +1,220 @@ +syntax = "proto3"; + +package envoy.config.endpoint.v3; + +import "envoy/config/core/v3/address.proto"; +import "envoy/config/core/v3/base.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/struct.proto"; + +import "xds/annotations/v3/status.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.endpoint.v3"; +option java_outer_classname = "LoadReportProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/endpoint/v3;endpointv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Load Report] + +// These are stats Envoy reports to the management server at a frequency defined by +// :ref:`LoadStatsResponse.load_reporting_interval`. +// Stats per upstream region/zone and optionally per subzone. +// [#next-free-field: 15] +message UpstreamLocalityStats { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.endpoint.UpstreamLocalityStats"; + + // Name of zone, region and optionally endpoint group these metrics were + // collected from. Zone and region names could be empty if unknown. + core.v3.Locality locality = 1; + + // The total number of requests successfully completed by the endpoints in the + // locality. + uint64 total_successful_requests = 2; + + // The total number of unfinished requests. A request can be an HTTP request + // or a TCP connection for a TCP connection pool. + uint64 total_requests_in_progress = 3; + + // The total number of requests that failed due to errors at the endpoint, + // aggregated over all endpoints in the locality. + uint64 total_error_requests = 4; + + // The total number of requests that were issued by this Envoy since + // the last report. This information is aggregated over all the + // upstream endpoints in the locality. A request can be an HTTP request + // or a TCP connection for a TCP connection pool. + uint64 total_issued_requests = 8; + + // The total number of connections in an established state at the time of the + // report. This field is aggregated over all the upstream endpoints in the + // locality. + // In Envoy, this information may be based on ``upstream_cx_active metric``. + // [#not-implemented-hide:] + uint64 total_active_connections = 9 [(xds.annotations.v3.field_status).work_in_progress = true]; + + // The total number of connections opened since the last report. + // This field is aggregated over all the upstream endpoints in the locality. + // In Envoy, this information may be based on ``upstream_cx_total`` metric + // compared to itself between start and end of an interval, i.e. + // ``upstream_cx_total``(now) - ``upstream_cx_total``(now - + // load_report_interval). + // [#not-implemented-hide:] + uint64 total_new_connections = 10 [(xds.annotations.v3.field_status).work_in_progress = true]; + + // The total number of connection failures since the last report. + // This field is aggregated over all the upstream endpoints in the locality. + // In Envoy, this information may be based on ``upstream_cx_connect_fail`` + // metric compared to itself between start and end of an interval, i.e. + // ``upstream_cx_connect_fail``(now) - ``upstream_cx_connect_fail``(now - + // load_report_interval). + // [#not-implemented-hide:] + uint64 total_fail_connections = 11 [(xds.annotations.v3.field_status).work_in_progress = true]; + + // CPU utilization stats for multi-dimensional load balancing. + // This typically comes from endpoint metrics reported via ORCA. + UnnamedEndpointLoadMetricStats cpu_utilization = 12; + + // Memory utilization for multi-dimensional load balancing. + // This typically comes from endpoint metrics reported via ORCA. + UnnamedEndpointLoadMetricStats mem_utilization = 13; + + // Blended application-defined utilization for multi-dimensional load balancing. + // This typically comes from endpoint metrics reported via ORCA. + UnnamedEndpointLoadMetricStats application_utilization = 14; + + // Named stats for multi-dimensional load balancing. + // These typically come from endpoint metrics reported via ORCA. + repeated EndpointLoadMetricStats load_metric_stats = 5; + + // Endpoint granularity stats information for this locality. This information + // is populated if the Server requests it by setting + // :ref:`LoadStatsResponse.report_endpoint_granularity`. + repeated UpstreamEndpointStats upstream_endpoint_stats = 7; + + // [#not-implemented-hide:] The priority of the endpoint group these metrics + // were collected from. + uint32 priority = 6; +} + +// [#next-free-field: 8] +message UpstreamEndpointStats { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.endpoint.UpstreamEndpointStats"; + + // Upstream host address. + core.v3.Address address = 1; + + // Opaque and implementation dependent metadata of the + // endpoint. Envoy will pass this directly to the management server. + google.protobuf.Struct metadata = 6; + + // The total number of requests successfully completed by the endpoints in the + // locality. These include non-5xx responses for HTTP, where errors + // originate at the client and the endpoint responded successfully. For gRPC, + // the grpc-status values are those not covered by total_error_requests below. + uint64 total_successful_requests = 2; + + // The total number of unfinished requests for this endpoint. + uint64 total_requests_in_progress = 3; + + // The total number of requests that failed due to errors at the endpoint. + // For HTTP these are responses with 5xx status codes and for gRPC the + // grpc-status values: + // + // - DeadlineExceeded + // - Unimplemented + // - Internal + // - Unavailable + // - Unknown + // - DataLoss + uint64 total_error_requests = 4; + + // The total number of requests that were issued to this endpoint + // since the last report. A single TCP connection, HTTP or gRPC + // request or stream is counted as one request. + uint64 total_issued_requests = 7; + + // Stats for multi-dimensional load balancing. + repeated EndpointLoadMetricStats load_metric_stats = 5; +} + +message EndpointLoadMetricStats { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.endpoint.EndpointLoadMetricStats"; + + // Name of the metric; may be empty. + string metric_name = 1; + + // Number of calls that finished and included this metric. + uint64 num_requests_finished_with_metric = 2; + + // Sum of metric values across all calls that finished with this metric for + // load_reporting_interval. + double total_metric_value = 3; +} + +// Same as EndpointLoadMetricStats, except without the metric_name field. +message UnnamedEndpointLoadMetricStats { + // Number of calls that finished and included this metric. + uint64 num_requests_finished_with_metric = 1; + + // Sum of metric values across all calls that finished with this metric for + // load_reporting_interval. + double total_metric_value = 2; +} + +// Per cluster load stats. Envoy reports these stats a management server in a +// :ref:`LoadStatsRequest` +// Next ID: 7 +// [#next-free-field: 7] +message ClusterStats { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.endpoint.ClusterStats"; + + message DroppedRequests { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.endpoint.ClusterStats.DroppedRequests"; + + // Identifier for the policy specifying the drop. + string category = 1 [(validate.rules).string = {min_len: 1}]; + + // Total number of deliberately dropped requests for the category. + uint64 dropped_count = 2; + } + + // The name of the cluster. + string cluster_name = 1 [(validate.rules).string = {min_len: 1}]; + + // The eds_cluster_config service_name of the cluster. + // It's possible that two clusters send the same service_name to EDS, + // in that case, the management server is supposed to do aggregation on the load reports. + string cluster_service_name = 6; + + // Need at least one. + repeated UpstreamLocalityStats upstream_locality_stats = 2 + [(validate.rules).repeated = {min_items: 1}]; + + // Cluster-level stats such as total_successful_requests may be computed by + // summing upstream_locality_stats. In addition, below there are additional + // cluster-wide stats. + // + // The total number of dropped requests. This covers requests + // deliberately dropped by the drop_overload policy and circuit breaking. + uint64 total_dropped_requests = 3; + + // Information about deliberately dropped requests for each category specified + // in the DropOverload policy. + repeated DroppedRequests dropped_requests = 5; + + // Period over which the actual load report occurred. This will be guaranteed to include every + // request reported. Due to system load and delays between the ``LoadStatsRequest`` sent from Envoy + // and the ``LoadStatsResponse`` message sent from the management server, this may be longer than + // the requested load reporting interval in the ``LoadStatsResponse``. + google.protobuf.Duration load_report_interval = 4; +} diff --git a/modules/sync/envoyproxy/envoy/cas/37b7ca8ce578dd30f08da36eb7137ff90f977f058a71a2fc4b2fb1e1304d4fbf09fd02ed26d0041d8f5812d75b358ea17b60c1016953cf328da053ec30ba8f27 b/modules/sync/envoyproxy/envoy/cas/37b7ca8ce578dd30f08da36eb7137ff90f977f058a71a2fc4b2fb1e1304d4fbf09fd02ed26d0041d8f5812d75b358ea17b60c1016953cf328da053ec30ba8f27 new file mode 100644 index 00000000..2d2c2a72 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/37b7ca8ce578dd30f08da36eb7137ff90f977f058a71a2fc4b2fb1e1304d4fbf09fd02ed26d0041d8f5812d75b358ea17b60c1016953cf328da053ec30ba8f27 @@ -0,0 +1,547 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.ext_authz.v3; + +import "envoy/config/common/mutation_rules/v3/mutation_rules.proto"; +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/config_source.proto"; +import "envoy/config/core/v3/grpc_service.proto"; +import "envoy/config/core/v3/http_uri.proto"; +import "envoy/type/matcher/v3/metadata.proto"; +import "envoy/type/matcher/v3/string.proto"; +import "envoy/type/v3/http_status.proto"; + +import "google/protobuf/struct.proto"; +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/sensitive.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.ext_authz.v3"; +option java_outer_classname = "ExtAuthzProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_authz/v3;ext_authzv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: External Authorization] +// External Authorization :ref:`configuration overview `. +// [#extension: envoy.filters.http.ext_authz] + +// [#next-free-field: 31] +message ExtAuthz { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.ext_authz.v3.ExtAuthz"; + + reserved 4; + + reserved "use_alpha"; + + // External authorization service configuration. + oneof services { + // gRPC service configuration (default timeout: 200ms). + config.core.v3.GrpcService grpc_service = 1; + + // HTTP service configuration (default timeout: 200ms). + HttpService http_service = 3; + } + + // API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and + // version of messages used on the wire. + config.core.v3.ApiVersion transport_api_version = 12 + [(validate.rules).enum = {defined_only: true}]; + + // Changes the filter's behavior on errors: + // + // #. When set to ``true``, the filter will ``accept`` the client request even if communication with + // the authorization service has failed, or if the authorization service has returned an HTTP 5xx + // error. + // + // #. When set to ``false``, the filter will ``reject`` client requests and return ``Forbidden`` + // if communication with the authorization service has failed, or if the authorization service + // has returned an HTTP 5xx error. + // + // Errors can always be tracked in the :ref:`stats `. + bool failure_mode_allow = 2; + + // When ``failure_mode_allow`` and ``failure_mode_allow_header_add`` are both set to ``true``, + // ``x-envoy-auth-failure-mode-allowed: true`` will be added to request headers if the communication + // with the authorization service has failed, or if the authorization service has returned a + // HTTP 5xx error. + bool failure_mode_allow_header_add = 19; + + // Enables the filter to buffer the client request body and send it within the authorization request. + // The ``x-envoy-auth-partial-body: false|true`` metadata header will be added to the authorization + // request indicating whether the body data is partial. + BufferSettings with_request_body = 5; + + // Clears the route cache in order to allow the external authorization service to correctly affect + // routing decisions. The filter clears all cached routes when: + // + // #. The field is set to ``true``. + // + // #. The status returned from the authorization service is an HTTP 200 or gRPC 0. + // + // #. At least one ``authorization response header`` is added to the client request, or is used to + // alter another client request header. + // + bool clear_route_cache = 6; + + // Sets the HTTP status that is returned to the client when the authorization server returns an error + // or cannot be reached. The default status is HTTP 403 Forbidden. + type.v3.HttpStatus status_on_error = 7; + + // When this is set to ``true``, the filter will check the :ref:`ext_authz response + // ` for invalid header and + // query parameter mutations. If the side stream response is invalid, it will send a local reply + // to the downstream request with status HTTP 500 Internal Server Error. + // + // .. note:: + // Both ``headers_to_remove`` and ``query_parameters_to_remove`` are validated, but invalid elements in + // those fields should not affect any headers and thus will not cause the filter to send a local reply. + // + // When set to ``false``, any invalid mutations will be visible to the rest of Envoy and may cause + // unexpected behavior. + // + // If you are using ext_authz with an untrusted ext_authz server, you should set this to ``true``. + bool validate_mutations = 24; + + // Specifies a list of metadata namespaces whose values, if present, will be passed to the + // ext_authz service. The :ref:`filter_metadata ` + // is passed as an opaque ``protobuf::Struct``. + // + // .. note:: + // This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service. + // + // For example, if the ``jwt_authn`` filter is used and :ref:`payload_in_metadata + // ` is set, + // then the following will pass the jwt payload to the authorization server. + // + // .. code-block:: yaml + // + // metadata_context_namespaces: + // - envoy.filters.http.jwt_authn + // + repeated string metadata_context_namespaces = 8; + + // Specifies a list of metadata namespaces whose values, if present, will be passed to the + // ext_authz service. :ref:`typed_filter_metadata ` + // is passed as a ``protobuf::Any``. + // + // .. note:: + // This field applies exclusively to the gRPC ext_authz service and has no effect on the HTTP service. + // + // This works similarly to ``metadata_context_namespaces`` but allows Envoy and the ext_authz server to share + // the protobuf message definition in order to perform safe parsing. + // + repeated string typed_metadata_context_namespaces = 16; + + // Specifies a list of route metadata namespaces whose values, if present, will be passed to the + // ext_authz service at :ref:`route_metadata_context ` in + // :ref:`CheckRequest `. + // :ref:`filter_metadata ` is passed as an opaque ``protobuf::Struct``. + repeated string route_metadata_context_namespaces = 21; + + // Specifies a list of route metadata namespaces whose values, if present, will be passed to the + // ext_authz service at :ref:`route_metadata_context ` in + // :ref:`CheckRequest `. + // :ref:`typed_filter_metadata ` is passed as a ``protobuf::Any``. + repeated string route_typed_metadata_context_namespaces = 22; + + // Specifies if the filter is enabled. + // + // If :ref:`runtime_key ` is specified, + // Envoy will lookup the runtime key to get the percentage of requests to filter. + // + // If this field is not specified, the filter will be enabled for all requests. + config.core.v3.RuntimeFractionalPercent filter_enabled = 9; + + // Specifies if the filter is enabled with metadata matcher. + // If this field is not specified, the filter will be enabled for all requests. + type.matcher.v3.MetadataMatcher filter_enabled_metadata = 14; + + // Specifies whether to deny the requests when the filter is disabled. + // If :ref:`runtime_key ` is specified, + // Envoy will lookup the runtime key to determine whether to deny requests for filter-protected paths + // when the filter is disabled. If the filter is disabled in ``typed_per_filter_config`` for the path, + // requests will not be denied. + // + // If this field is not specified, all requests will be allowed when disabled. + // + // If a request is denied due to this setting, the response code in :ref:`status_on_error + // ` will + // be returned. + config.core.v3.RuntimeFeatureFlag deny_at_disable = 11; + + // Specifies if the peer certificate is sent to the external service. + // + // When this field is ``true``, Envoy will include the peer X.509 certificate, if available, in the + // :ref:`certificate`. + bool include_peer_certificate = 10; + + // Optional additional prefix to use when emitting statistics. This allows distinguishing + // emitted statistics between configured ``ext_authz`` filters in an HTTP filter chain. For example: + // + // .. code-block:: yaml + // + // http_filters: + // - name: envoy.filters.http.ext_authz + // typed_config: + // "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz + // stat_prefix: waf # This emits ext_authz.waf.ok, ext_authz.waf.denied, etc. + // - name: envoy.filters.http.ext_authz + // typed_config: + // "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz + // stat_prefix: blocker # This emits ext_authz.blocker.ok, ext_authz.blocker.denied, etc. + // + string stat_prefix = 13; + + // Optional labels that will be passed to :ref:`labels` in + // :ref:`destination`. + // The labels will be read from :ref:`metadata` with the specified key. + string bootstrap_metadata_labels_key = 15; + + // Check request to authorization server will include the client request headers that have a correspondent match + // in the :ref:`list `. If this option isn't specified, then + // all client request headers are included in the check request to a gRPC authorization server, whereas no client request headers + // (besides the ones allowed by default - see note below) are included in the check request to an HTTP authorization server. + // This inconsistency between gRPC and HTTP servers is to maintain backwards compatibility with legacy behavior. + // + // .. note:: + // + // For requests to an HTTP authorization server: in addition to the user's supplied matchers, ``Host``, ``Method``, ``Path``, + // ``Content-Length``, and ``Authorization`` are **additionally included** in the list. + // + // .. note:: + // + // For requests to an HTTP authorization server: the value of ``Content-Length`` will be set to ``0`` and the request to the + // authorization server will not have a message body. However, the check request can include the buffered + // client request body (controlled by :ref:`with_request_body + // ` setting); + // consequently, the value of ``Content-Length`` in the authorization request reflects the size of its payload. + // + // .. note:: + // + // This can be overridden by the field ``disallowed_headers`` below. That is, if a header + // matches for both ``allowed_headers`` and ``disallowed_headers``, the header will NOT be sent. + type.matcher.v3.ListStringMatcher allowed_headers = 17; + + // If set, specifically disallow any header in this list to be forwarded to the external + // authentication server. This overrides the above ``allowed_headers`` if a header matches both. + type.matcher.v3.ListStringMatcher disallowed_headers = 25; + + // Specifies if the TLS session level details like SNI are sent to the external service. + // + // When this field is ``true``, Envoy will include the SNI name used for TLSClientHello, if available, in the + // :ref:`tls_session`. + bool include_tls_session = 18; + + // Whether to increment cluster statistics (e.g. cluster..upstream_rq_*) on authorization failure. + // Defaults to ``true``. + google.protobuf.BoolValue charge_cluster_response_stats = 20; + + // Whether to encode the raw headers (i.e., unsanitized values and unconcatenated multi-line headers) + // in the authorization request. Works with both HTTP and gRPC clients. + // + // When this is set to ``true``, header values are not sanitized. Headers with the same key will also + // not be combined into a single, comma-separated header. + // Requests to gRPC services will populate the field + // :ref:`header_map`. + // Requests to HTTP services will be constructed with the unsanitized header values and preserved + // multi-line headers with the same key. + // + // If this field is set to ``false``, header values will be sanitized, with any non-UTF-8-compliant + // bytes replaced with ``'!'``. Headers with the same key will have their values concatenated into a + // single comma-separated header value. + // Requests to gRPC services will populate the field + // :ref:`headers`. + // Requests to HTTP services will have their header values sanitized and will not preserve + // multi-line headers with the same key. + // + // It is recommended to set this to ``true`` unless you rely on the previous behavior. + // + // It is set to ``false`` by default for backwards compatibility. + bool encode_raw_headers = 23; + + // Rules for what modifications an ext_authz server may make to the request headers before + // continuing decoding / forwarding upstream. + // + // If set to anything, enables header mutation checking against configured rules. Note that + // :ref:`HeaderMutationRules ` + // has defaults that change ext_authz behavior. Also note that if this field is set to anything, + // ext_authz can no longer append to :-prefixed headers. + // + // If empty, header mutation rule checking is completely disabled. + // + // Regardless of what is configured here, ext_authz cannot remove :-prefixed headers. + // + // This field and ``validate_mutations`` have different use cases. ``validate_mutations`` enables + // correctness checks for all header / query parameter mutations (e.g. for invalid characters). + // This field allows the filter to reject mutations to specific headers. + config.common.mutation_rules.v3.HeaderMutationRules decoder_header_mutation_rules = 26; + + // Enable or disable ingestion of dynamic metadata from the ext_authz service. + // + // If ``false``, the filter will ignore dynamic metadata injected by the ext_authz service. If the + // ext_authz service tries injecting dynamic metadata, the filter will log, increment the + // ``ignored_dynamic_metadata`` stat, then continue handling the response. + // + // If ``true``, the filter will ingest dynamic metadata entries as normal. + // + // If unset, defaults to ``true``. + google.protobuf.BoolValue enable_dynamic_metadata_ingestion = 27; + + // Additional metadata to be added to the filter state for logging purposes. The metadata will be + // added to StreamInfo's filter state under the namespace corresponding to the ext_authz filter + // name. + google.protobuf.Struct filter_metadata = 28; + + // When set to ``true``, the filter will emit per-stream stats for access logging. The filter state + // key will be the same as the filter name. + // + // If using Envoy gRPC, emits latency, bytes sent / received, upstream info, and upstream cluster + // info. If not using Envoy gRPC, emits only latency. Note that stats are ONLY added to filter + // state if a check request is actually made to an ext_authz service. + // + // If this is ``false`` the filter will not emit stats, but filter_metadata will still be respected if + // it has a value. + // + // Field ``latency_us`` is exposed for CEL and logging when using gRPC or HTTP service. + // Fields ``bytesSent`` and ``bytesReceived`` are exposed for CEL and logging only when using gRPC service. + bool emit_filter_state_stats = 29; + + // Sets the maximum size (in bytes) of the response body that the filter will send downstream + // when a request is denied by the external authorization service. + // + // If the authorization server returns a response body larger than this configured limit, + // the body will be truncated to ``max_denied_response_body_bytes`` before being sent to the + // downstream client. + // + // If this field is not set or is set to 0, no truncation will occur, and the entire + // denied response body will be forwarded. + uint32 max_denied_response_body_bytes = 30; +} + +// Configuration for buffering the request data. +message BufferSettings { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.ext_authz.v2.BufferSettings"; + + // Sets the maximum size of a message body that the filter will hold in memory. Envoy will return + // ``HTTP 413`` and will *not* initiate the authorization process when the buffer reaches the size + // set in this field. Note that this setting will have precedence over :ref:`failure_mode_allow + // `. + uint32 max_request_bytes = 1 [(validate.rules).uint32 = {gt: 0}]; + + // When this field is ``true``, Envoy will buffer the message until ``max_request_bytes`` is reached. + // The authorization request will be dispatched and no 413 HTTP error will be returned by the + // filter. + bool allow_partial_message = 2; + + // If ``true``, the body sent to the external authorization service is set as raw bytes and populates + // :ref:`raw_body` + // in the HTTP request attribute context. Otherwise, :ref:`body + // ` will be populated + // with a UTF-8 string request body. + // + // This field only affects configurations using a :ref:`grpc_service + // `. In configurations that use + // an :ref:`http_service `, this + // has no effect. + bool pack_as_bytes = 3; +} + +// HttpService is used for raw HTTP communication between the filter and the authorization service. +// When configured, the filter will parse the client request and use these attributes to call the +// authorization server. Depending on the response, the filter may reject or accept the client +// request. Note that in any of these events, metadata can be added, removed or overridden by the +// filter: +// +// On authorization request, a list of allowed request headers may be supplied. See +// :ref:`allowed_headers +// ` +// for details. Additional headers metadata may be added to the authorization request. See +// :ref:`headers_to_add +// ` for +// details. +// +// On authorization response status ``HTTP 200 OK``, the filter will allow traffic to the upstream and +// additional headers metadata may be added to the original client request. See +// :ref:`allowed_upstream_headers +// ` +// for details. Additionally, the filter may add additional headers to the client's response. See +// :ref:`allowed_client_headers_on_success +// ` +// for details. +// +// On other authorization response statuses, the filter will not allow traffic. Additional headers +// metadata as well as body may be added to the client's response. See :ref:`allowed_client_headers +// ` +// for details. +// [#next-free-field: 10] +message HttpService { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.ext_authz.v2.HttpService"; + + reserved 3, 4, 5, 6; + + // Sets the HTTP server URI which the authorization requests must be sent to. + config.core.v3.HttpUri server_uri = 1; + + // Sets a prefix to the value of authorization request header ``Path``. + string path_prefix = 2; + + // Settings used for controlling authorization request metadata. + AuthorizationRequest authorization_request = 7; + + // Settings used for controlling authorization response metadata. + AuthorizationResponse authorization_response = 8; + + // Optional retry policy for requests to the authorization server. + // If not set, no retries will be performed. + // + // .. note:: + // When this field is set, the ``ext_authz`` filter will buffer the request body for retry purposes. + config.core.v3.RetryPolicy retry_policy = 9; +} + +message AuthorizationRequest { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.ext_authz.v2.AuthorizationRequest"; + + // Authorization request includes the client request headers that have a corresponding match + // in the :ref:`list `. + // This field has been deprecated in favor of :ref:`allowed_headers + // `. + // + // .. note:: + // + // In addition to the user's supplied matchers, ``Host``, ``Method``, ``Path``, + // ``Content-Length``, and ``Authorization`` are **automatically included** in the list. + // + // .. note:: + // + // By default, the ``Content-Length`` header is set to ``0`` and the request to the authorization + // service has no message body. However, the authorization request *may* include the buffered + // client request body (controlled by :ref:`with_request_body + // ` + // setting); hence the value of its ``Content-Length`` reflects the size of its payload. + // + type.matcher.v3.ListStringMatcher allowed_headers = 1 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Sets a list of headers that will be included in the request to the authorization service. Note that + // client request headers with the same key will be overridden. + repeated config.core.v3.HeaderValue headers_to_add = 2; +} + +// [#next-free-field: 6] +message AuthorizationResponse { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.ext_authz.v2.AuthorizationResponse"; + + // When this :ref:`list ` is set, authorization + // response headers that have a correspondent match will be added to the original client request. + // Note that coexistent headers will be overridden. + type.matcher.v3.ListStringMatcher allowed_upstream_headers = 1; + + // When this :ref:`list ` is set, authorization + // response headers that have a correspondent match will be added to the original client request. + // Note that coexistent headers will be appended. + type.matcher.v3.ListStringMatcher allowed_upstream_headers_to_append = 3; + + // When this :ref:`list ` is set, authorization + // response headers that have a correspondent match will be added to the client's response. Note + // that when this list is *not* set, all the authorization response headers, except ``Authority + // (Host)`` will be in the response to the client. When a header is included in this list, ``Path``, + // ``Status``, ``Content-Length``, ``WWWAuthenticate`` and ``Location`` are automatically added. + type.matcher.v3.ListStringMatcher allowed_client_headers = 2; + + // When this :ref:`list ` is set, authorization + // response headers that have a correspondent match will be added to the client's response when + // the authorization response itself is successful, i.e. not failed or denied. When this list is + // *not* set, no additional headers will be added to the client's response on success. + type.matcher.v3.ListStringMatcher allowed_client_headers_on_success = 4; + + // When this :ref:`list ` is set, authorization + // response headers that have a correspondent match will be emitted as dynamic metadata to be consumed + // by the next filter. This metadata lives in a namespace specified by the canonical name of extension filter + // that requires it: + // + // - :ref:`envoy.filters.http.ext_authz ` for HTTP filter. + // - :ref:`envoy.filters.network.ext_authz ` for network filter. + type.matcher.v3.ListStringMatcher dynamic_metadata_from_headers = 5; +} + +// Extra settings on a per virtualhost/route/weighted-cluster level. +message ExtAuthzPerRoute { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.ext_authz.v2.ExtAuthzPerRoute"; + + oneof override { + option (validate.required) = true; + + // Disable the ext auth filter for this particular vhost or route. + // If disabled is specified in multiple per-filter-configs, the most specific one will be used. + // If the filter is disabled by default and this is set to ``false``, the filter will be enabled + // for this vhost or route. + bool disabled = 1; + + // Check request settings for this route. + CheckSettings check_settings = 2 [(validate.rules).message = {required: true}]; + } +} + +// Extra settings for the check request. +// [#next-free-field: 6] +message CheckSettings { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.ext_authz.v2.CheckSettings"; + + // Context extensions to set on the CheckRequest's + // :ref:`AttributeContext.context_extensions` + // + // You can use this to provide extra context for the external authorization server on specific + // virtual hosts/routes. For example, adding a context extension on the virtual host level can + // give the ext-authz server information on what virtual host is used without needing to parse the + // host header. If CheckSettings is specified in multiple per-filter-configs, they will be merged + // in order, and the result will be used. + // + // Merge semantics for this field are such that keys from more specific configs override. + // + // .. note:: + // These settings are only applied to a filter configured with a + // :ref:`grpc_service`. + map context_extensions = 1 [(udpa.annotations.sensitive) = true]; + + // When set to ``true``, disable the configured :ref:`with_request_body + // ` for a specific route. + // + // Only one of ``disable_request_body_buffering`` and + // :ref:`with_request_body ` + // may be specified. + bool disable_request_body_buffering = 2; + + // Enable or override request body buffering, which is configured using the + // :ref:`with_request_body ` + // option for a specific route. + // + // Only one of ``with_request_body`` and + // :ref:`disable_request_body_buffering ` + // may be specified. + BufferSettings with_request_body = 3; + + // Override the external authorization service for this route. + // This allows different routes to use different external authorization service backends + // and service types (gRPC or HTTP). If specified, this overrides the filter-level service + // configuration regardless of the original service type. + oneof service_override { + // Override with a gRPC service configuration. + config.core.v3.GrpcService grpc_service = 4; + + // Override with an HTTP service configuration. + HttpService http_service = 5; + } +} diff --git a/modules/sync/envoyproxy/envoy/cas/3a48c8154c692475e6a12b5e8766e4e07895405dc852686b736ecef833b1131261e0feee837354e2f395557d8607802386168ada138656c8099f95cb23ab42d3 b/modules/sync/envoyproxy/envoy/cas/3a48c8154c692475e6a12b5e8766e4e07895405dc852686b736ecef833b1131261e0feee837354e2f395557d8607802386168ada138656c8099f95cb23ab42d3 new file mode 100644 index 00000000..ad47303d --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/3a48c8154c692475e6a12b5e8766e4e07895405dc852686b736ecef833b1131261e0feee837354e2f395557d8607802386168ada138656c8099f95cb23ab42d3 @@ -0,0 +1,313 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.tcp_proxy.v3; + +import "envoy/config/accesslog/v3/accesslog.proto"; +import "envoy/config/core/v3/backoff.proto"; +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/config_source.proto"; +import "envoy/config/core/v3/proxy_protocol.proto"; +import "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto"; +import "envoy/type/v3/hash_policy.proto"; +import "envoy/type/v3/percent.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.tcp_proxy.v3"; +option java_outer_classname = "TcpProxyProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/tcp_proxy/v3;tcp_proxyv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: TCP Proxy] +// TCP Proxy :ref:`configuration overview `. +// [#extension: envoy.filters.network.tcp_proxy] + +// [#next-free-field: 21] +message TcpProxy { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.tcp_proxy.v2.TcpProxy"; + + // Allows specification of multiple upstream clusters along with weights indicating the percentage of + // traffic forwarded to each cluster. The cluster selection is based on these weights. + message WeightedCluster { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.tcp_proxy.v2.TcpProxy.WeightedCluster"; + + message ClusterWeight { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.tcp_proxy.v2.TcpProxy.WeightedCluster.ClusterWeight"; + + // Name of the upstream cluster. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // When a request matches the route, the choice of an upstream cluster is + // determined by its weight. The sum of weights across all entries in the + // clusters array determines the total weight. + uint32 weight = 2 [(validate.rules).uint32 = {gte: 1}]; + + // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints + // in the upstream cluster with metadata matching what is set in this field will be considered + // for load balancing. Note that this will be merged with what's provided in + // :ref:`TcpProxy.metadata_match + // `, with values + // here taking precedence. The filter name should be specified as ``envoy.lb``. + config.core.v3.Metadata metadata_match = 3; + } + + // Specifies the upstream clusters associated with this configuration. + repeated ClusterWeight clusters = 1 [(validate.rules).repeated = {min_items: 1}]; + } + + // Configuration for tunneling TCP over other transports or application layers. + // Tunneling is supported over HTTP/1.1 and HTTP/2. The upstream protocol is + // determined by the cluster configuration. + // [#next-free-field: 10] + message TunnelingConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.tcp_proxy.v2.TcpProxy.TunnelingConfig"; + + // The hostname to send in the synthesized CONNECT headers to the upstream proxy. + // This field evaluates command operators if present; otherwise, the value is used as-is. + // + // For example, dynamically set the hostname using downstream SNI: + // + // .. code-block:: yaml + // + // tunneling_config: + // hostname: "%REQUESTED_SERVER_NAME%:443" + // + // For example, dynamically set the hostname using dynamic metadata: + // + // .. code-block:: yaml + // + // tunneling_config: + // hostname: "%DYNAMIC_METADATA(tunnel:address)%" + // + string hostname = 1 [(validate.rules).string = {min_len: 1}]; + + // Use the ``POST`` method instead of the ``CONNECT`` method to tunnel the TCP stream. + // The ``protocol: bytestream`` header is not set for HTTP/2 to comply with the specification. + // + // The upstream proxy is expected to interpret the POST payload as raw TCP. + bool use_post = 2; + + // Additional request headers to send to the upstream proxy. This is mainly used to + // trigger the upstream to convert POST requests back to CONNECT requests. + // + // Neither ``:``-prefixed pseudo-headers like ``:path`` nor the ``host`` header can be overridden. + repeated config.core.v3.HeaderValueOption headers_to_add = 3 + [(validate.rules).repeated = {max_items: 1000}]; + + // Save response headers to the downstream connection's filter state for consumption + // by network filters. The filter state key is ``envoy.tcp_proxy.propagate_response_headers``. + bool propagate_response_headers = 4; + + // The path used with the POST method. The default path is ``/``. If this field is specified and + // :ref:`use_post field ` + // is not set to true, the configuration will be rejected. + string post_path = 5; + + // Save response trailers to the downstream connection's filter state for consumption + // by network filters. The filter state key is ``envoy.tcp_proxy.propagate_response_trailers``. + bool propagate_response_trailers = 6; + + // The configuration of the request ID extension used for generation, validation, and + // associated tracing operations when tunneling. + // + // If this field is set, a request ID is generated using the specified extension. If + // this field is not set, no request ID is generated. + // + // When a request ID is generated, it is also stored in the downstream connection's + // dynamic metadata under the namespace ``envoy.filters.network.tcp_proxy`` with the key + // ``tunnel_request_id`` to allow emission from TCP proxy access logs via the + // ``%DYNAMIC_METADATA(envoy.filters.network.tcp_proxy:tunnel_request_id)%`` formatter. + // [#extension-category: envoy.request_id] + http_connection_manager.v3.RequestIDExtension request_id_extension = 7; + + // The request header name to use for emitting the generated request ID on the tunneling + // HTTP request. + // + // If not specified or set to an empty string, the default header name ``x-request-id`` is + // used. + // + // .. note:: + // This setting does not alter the internal request ID handling elsewhere in Envoy and + // only controls the header emitted on the tunneling request. + string request_id_header = 8; + + // The dynamic metadata key to use when storing the generated request ID. The metadata is + // stored under the namespace ``envoy.filters.network.tcp_proxy``. + // + // If not specified or set to an empty string, the default key ``tunnel_request_id`` is used. + // This enables customizing the key used by access log formatters such as + // ``%DYNAMIC_METADATA(envoy.filters.network.tcp_proxy:)%``. + string request_id_metadata_key = 9; + } + + message OnDemand { + // Optional configuration for the on-demand cluster discovery service. + // If not specified, on-demand cluster discovery is disabled. When specified, the filter pauses a request + // to an unknown cluster and begins a cluster discovery process. When discovery completes (successfully + // or not), the request is resumed. + config.core.v3.ConfigSource odcds_config = 1; + + // xdstp:// resource locator for on-demand cluster collection. + // [#not-implemented-hide:] + string resources_locator = 2; + + // The timeout for on-demand cluster lookup. If the CDS cannot return the required cluster, + // the downstream request will be closed with the error code detail NO_CLUSTER_FOUND. + // [#not-implemented-hide:] + google.protobuf.Duration timeout = 3; + } + + message TcpAccessLogOptions { + // The interval for flushing access logs. By default, the TCP proxy flushes a single access log when the + // connection is closed. If this field is set, the TCP proxy flushes access logs periodically at the + // specified interval. + // The interval must be at least 1ms. + google.protobuf.Duration access_log_flush_interval = 1 + [(validate.rules).duration = {gte {nanos: 1000000}}]; + + // If set to true, the access log is flushed when the TCP proxy successfully establishes a + // connection with the upstream. If the connection fails, the access log is not flushed. + bool flush_access_log_on_connected = 2; + } + + reserved 6; + + reserved "deprecated_v1"; + + // The prefix to use when emitting :ref:`statistics + // `. + string stat_prefix = 1 [(validate.rules).string = {min_len: 1}]; + + oneof cluster_specifier { + option (validate.required) = true; + + // The upstream cluster to connect to. + string cluster = 2; + + // Multiple upstream clusters can be specified. The request is routed to one of the upstream clusters + // based on the weights assigned to each cluster. + WeightedCluster weighted_clusters = 10; + } + + // The on demand policy for the upstream cluster. + // It applies to both + // :ref:`TcpProxy.cluster ` + // and + // :ref:`TcpProxy.weighted_clusters `. + OnDemand on_demand = 14; + + // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints + // in the upstream cluster with metadata matching what is set in this field will be considered + // for load balancing. The filter name should be specified as ``envoy.lb``. + config.core.v3.Metadata metadata_match = 9; + + // The idle timeout for connections managed by the TCP proxy filter. The idle timeout is defined as the + // period in which there are no bytes sent or received on either the upstream or downstream connection. + // If not set, the default idle timeout is 1 hour. If set to ``0s``, the timeout is disabled. + // It is possible to dynamically override this configuration by setting a per-connection filter state + // object for the key ``envoy.tcp_proxy.per_connection_idle_timeout_ms``. + // + // .. warning:: + // Disabling this timeout is likely to yield connection leaks due to lost TCP FIN packets, etc. + google.protobuf.Duration idle_timeout = 8; + + // [#not-implemented-hide:] The idle timeout for connections managed by the TCP proxy + // filter. The idle timeout is defined as the period in which there is no + // active traffic. If not set, there is no idle timeout. When the idle timeout + // is reached the connection will be closed. The distinction between + // downstream_idle_timeout/upstream_idle_timeout provides a means to set + // timeout based on the last byte sent on the downstream/upstream connection. + google.protobuf.Duration downstream_idle_timeout = 3; + + // [#not-implemented-hide:] + google.protobuf.Duration upstream_idle_timeout = 4; + + // Configuration for :ref:`access logs ` emitted by this TCP proxy. + repeated config.accesslog.v3.AccessLog access_log = 5; + + // The maximum number of unsuccessful connection attempts that will be made before + // giving up. If the parameter is not specified, 1 connection attempt will be made. + google.protobuf.UInt32Value max_connect_attempts = 7 [(validate.rules).uint32 = {gte: 1}]; + + // Sets the backoff strategy. If not set, the retries are performed without backoff. + config.core.v3.BackoffStrategy backoff_options = 18; + + // Optional configuration for TCP proxy hash policy. If hash_policy is not set, the hash-based + // load balancing algorithms will select a host randomly. Currently the number of hash policies is + // limited to 1. + repeated type.v3.HashPolicy hash_policy = 11 [(validate.rules).repeated = {max_items: 1}]; + + // If set, this configures tunneling, for example configuration options to tunnel TCP payload over + // HTTP CONNECT. If this message is absent, the payload is proxied upstream as usual. + // It is possible to dynamically override this configuration and disable tunneling per connection by + // setting a per-connection filter state object for the key ``envoy.tcp_proxy.disable_tunneling``. + TunnelingConfig tunneling_config = 12; + + // The maximum duration of a connection. The duration is defined as the period since a connection was + // established. If not set, there is no maximum duration. When ``max_downstream_connection_duration`` is + // reached, the connection is closed. The duration must be at least ``1ms``. + google.protobuf.Duration max_downstream_connection_duration = 13 + [(validate.rules).duration = {gte {nanos: 1000000}}]; + + // Percentage-based jitter for ``max_downstream_connection_duration``. The jitter increases the + // ``max_downstream_connection_duration`` by a random duration up to the provided percentage. + // This field is ignored if ``max_downstream_connection_duration`` is not set. If not set, no jitter + // is added. + type.v3.Percent max_downstream_connection_duration_jitter_percentage = 20; + + // If both this field and :ref:`access_log_flush_interval + // ` + // are specified, the former (deprecated field) is ignored. + // + // .. attention:: + // This field is deprecated in favor of + // :ref:`access_log_flush_interval + // `. + google.protobuf.Duration access_log_flush_interval = 15 [ + deprecated = true, + (validate.rules).duration = {gte {nanos: 1000000}}, + (envoy.annotations.deprecated_at_minor_version) = "3.0" + ]; + + // If both this field and :ref:`flush_access_log_on_connected + // ` + // are specified, the former (deprecated field) is ignored. + // + // .. attention:: + // This field is deprecated in favor of + // :ref:`flush_access_log_on_connected + // `. + bool flush_access_log_on_connected = 16 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Additional access log options for the TCP proxy. + TcpAccessLogOptions access_log_options = 17; + + // If set, the specified ``PROXY`` protocol TLVs (Type-Length-Value) are added to the ``PROXY`` protocol state + // created by the TCP proxy filter. These TLVs are sent in the PROXY protocol v2 header to the upstream. + // + // This field only takes effect when the TCP proxy filter is creating new ``PROXY`` protocol state and an + // upstream proxy protocol transport socket is configured in the cluster. If the connection already + // contains ``PROXY`` protocol state (including any TLVs) parsed by a downstream proxy protocol listener + // upstream proxy protocol transport socket is configured in the cluster. If the connection already + // contains PROXY protocol state (including any TLVs) parsed by a downstream proxy protocol listener + // filter, the TLVs specified here are ignored. + // + // .. note:: + // To ensure the specified TLVs are allowed in the upstream ``PROXY`` protocol header, you must also + // configure passthrough TLVs on the upstream proxy protocol transport. See + // :ref:`core.v3.ProxyProtocolConfig.pass_through_tlvs ` + // for details. + repeated config.core.v3.TlvEntry proxy_protocol_tlvs = 19; +} diff --git a/modules/sync/envoyproxy/envoy/cas/3a4bba752e25fbe98c5decf5fb7cef33f26d62cb772a1090a70f52d120f0649f2dd7597c650b360e5b8cb94c73127bc4218ea40d973b391377fe723e65f0297b b/modules/sync/envoyproxy/envoy/cas/3a4bba752e25fbe98c5decf5fb7cef33f26d62cb772a1090a70f52d120f0649f2dd7597c650b360e5b8cb94c73127bc4218ea40d973b391377fe723e65f0297b new file mode 100644 index 00000000..0ed5a2d9 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/3a4bba752e25fbe98c5decf5fb7cef33f26d62cb772a1090a70f52d120f0649f2dd7597c650b360e5b8cb94c73127bc4218ea40d973b391377fe723e65f0297b @@ -0,0 +1,22 @@ +syntax = "proto3"; + +package envoy.extensions.grpc_service.call_credentials.google_iam.v3; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.grpc_service.call_credentials.google_iam.v3"; +option java_outer_classname = "GoogleIamCredentialsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/grpc_service/call_credentials/google_iam/v3;google_iamv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: gRPC Google IAM Credentials] + +// [#not-implemented-hide:] +message GoogleIamCredentials { + // Authorization token. + string authorization_token = 1; + + // Authority selector. + string authority_selector = 2; +} diff --git a/modules/sync/envoyproxy/envoy/cas/3e60681753f480f9fc7da5503210259f2d9043fe030621bf444b81df7bd222fd56927f3e1a307b5a237e8272405afa8919779b67b8632c6bc77479c483e8272d b/modules/sync/envoyproxy/envoy/cas/3e60681753f480f9fc7da5503210259f2d9043fe030621bf444b81df7bd222fd56927f3e1a307b5a237e8272405afa8919779b67b8632c6bc77479c483e8272d new file mode 100644 index 00000000..28bcfe2c --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/3e60681753f480f9fc7da5503210259f2d9043fe030621bf444b81df7bd222fd56927f3e1a307b5a237e8272405afa8919779b67b8632c6bc77479c483e8272d @@ -0,0 +1,116 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.reverse_tunnel.v3; + +import "envoy/config/core/v3/base.proto"; + +import "google/protobuf/duration.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.reverse_tunnel.v3"; +option java_outer_classname = "ReverseTunnelProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/reverse_tunnel/v3;reverse_tunnelv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Reverse Tunnel Network Filter] +// Reverse Tunnel Network Filter :ref:`configuration overview `. +// [#extension: envoy.filters.network.reverse_tunnel] + +// Validation configuration for reverse tunnel identifiers. +// Validates the node ID and cluster ID extracted from reverse tunnel handshake headers +// against expected values specified using format strings. +message Validation { + // Format string to extract the expected node identifier for validation. + // The formatted value is compared against the ``x-envoy-reverse-tunnel-node-id`` header + // from the incoming handshake request. If they do not match, the connection is rejected + // with HTTP ``403 Forbidden``. + // + // Supports Envoy's :ref:`command operators `: + // + // * ``%DYNAMIC_METADATA(namespace:key)%``: Extract expected value from dynamic metadata. + // * ``%FILTER_STATE(key)%``: Extract expected value from filter state. + // * ``%DOWNSTREAM_REMOTE_ADDRESS%``: Use downstream connection IP address. + // * Plain strings: Use a static expected value. + // + // If empty, node ID validation is skipped. + // + // Example using dynamic metadata allowlist: + // + // .. code-block:: yaml + // + // node_id_format: "%DYNAMIC_METADATA(envoy.reverse_tunnel.allowlist:expected_node_id)%" + // + string node_id_format = 1 [(validate.rules).string = {max_len: 1024}]; + + // Format string to extract the expected cluster identifier for validation. + // The formatted value is compared against the ``x-envoy-reverse-tunnel-cluster-id`` header + // from the incoming handshake request. If they do not match, the connection is rejected + // with HTTP ``403 Forbidden``. + // + // Supports the same :ref:`command operators ` as + // ``node_id_format``. + // + // If empty, cluster ID validation is skipped. + // + // Example using filter state: + // + // .. code-block:: yaml + // + // cluster_id_format: "%FILTER_STATE(expected_cluster_id)%" + // + string cluster_id_format = 2 [(validate.rules).string = {max_len: 1024}]; + + // Whether to emit validation results as dynamic metadata. + // When enabled, the filter emits metadata under the namespace specified by + // ``dynamic_metadata_namespace`` containing: + // + // * ``node_id``: The actual node ID from the handshake request. + // * ``cluster_id``: The actual cluster ID from the handshake request. + // * ``validation_result``: Either ``allowed`` or ``denied``. + // + // This metadata can be used by subsequent filters or for access logging. + // Defaults to ``false``. + bool emit_dynamic_metadata = 3; + + // Namespace for emitted dynamic metadata when ``emit_dynamic_metadata`` is ``true``. + // If not specified, defaults to ``envoy.filters.network.reverse_tunnel``. + string dynamic_metadata_namespace = 4 [(validate.rules).string = {max_len: 255}]; +} + +// Configuration for the reverse tunnel network filter. +// This filter handles reverse tunnel connection acceptance and rejection by processing +// HTTP requests where required identification values are provided via HTTP headers. +// [#next-free-field: 6] +message ReverseTunnel { + // Ping interval for health checks on established reverse tunnel connections. + // If not specified, defaults to ``2 seconds``. + google.protobuf.Duration ping_interval = 1 [(validate.rules).duration = { + lte {seconds: 300} + gte {nanos: 1000000} + }]; + + // Whether to automatically close connections after processing reverse tunnel requests. + // + // * When set to ``true``, connections are closed after acceptance or rejection. + // * When set to ``false``, connections remain open for potential reuse. + // + // Defaults to ``false``. + bool auto_close_connections = 2; + + // HTTP path to match for reverse tunnel requests. + // If not specified, defaults to ``/reverse_connections/request``. + string request_path = 3 [(validate.rules).string = {min_len: 1 max_len: 255 ignore_empty: true}]; + + // HTTP method to match for reverse tunnel requests. + // If not specified (``METHOD_UNSPECIFIED``), this defaults to ``GET``. + config.core.v3.RequestMethod request_method = 4 [(validate.rules).enum = {defined_only: true}]; + + // Optional validation configuration for node and cluster identifiers. + // If specified, the filter validates the ``x-envoy-reverse-tunnel-node-id`` and + // ``x-envoy-reverse-tunnel-cluster-id`` headers against expected values extracted + // using format strings. Requests that fail validation are rejected with HTTP ``403 Forbidden``. + Validation validation = 5; +} diff --git a/modules/sync/envoyproxy/envoy/cas/3f412b3191f2a03f0e2ffffc9f45803b3db58bd1e6842a7ec18d509f3623096a4ff7bc8fb2c2305d22d8dc403f4c0b4eca7e4e88c0a8475f952e405525d9ccb7 b/modules/sync/envoyproxy/envoy/cas/3f412b3191f2a03f0e2ffffc9f45803b3db58bd1e6842a7ec18d509f3623096a4ff7bc8fb2c2305d22d8dc403f4c0b4eca7e4e88c0a8475f952e405525d9ccb7 new file mode 100644 index 00000000..36c6174e --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/3f412b3191f2a03f0e2ffffc9f45803b3db58bd1e6842a7ec18d509f3623096a4ff7bc8fb2c2305d22d8dc403f4c0b4eca7e4e88c0a8475f952e405525d9ccb7 @@ -0,0 +1,603 @@ +shake256:a9c4ad5b20a2946a25d5efb7f096b32ffaa567e3e9a7d89984870104aab45f08d7f6f10c7c72affdc4aabab0471066958ae97c3bb5925b7cb268f8afde27ebbf LICENSE +shake256:7a9a5a3a62ffe3acb50d67d1b0806566f798ac145649c493bf156a2e5d927e264464f5d3add734c687acde39586cc032795e8ea07f51f5bb2493fd0423db10c3 bazel/cc_proto_descriptor_library/testdata/test-extension.proto +shake256:9e8bd1676e9fcea1d02e7cd0ce63f87e6c76b4b31467ec3df1f4a580da427488a764f9e48617a5be98d85057c648f46ec1925b05cae4346b207210327283dd11 bazel/cc_proto_descriptor_library/testdata/test.proto +shake256:76295fd73d7f33a987c1243e8821818b80bd8b04634fc9ccd10879ab3c1ade926e3ef847f11d8e07ccf8fcf011561d151a5d4926505d6494a23119614e049aa6 bazel/cc_proto_descriptor_library/testdata/test1.proto +shake256:036e58836a23359ebf2324efe94106d38521bef2ad6dab6b46b0379dc66192e8f29097c96a9f1c3b299274ec10b47204d63d9e23a010eb5e1c5d4ed52f15c3f7 buf.md +shake256:f9abf7473dc3f95cc9ce2dabfabeedbf0f5fd808e1eb09ab07776ca3991ec073784ef8cb2f6df49a8293f1033141e29d687de39f506046b663b258728864f6b4 buf.yaml +shake256:7144b74045a5813f5f81b71eb11ca0ddac4105e3d20b51a146b634f7dc8c529de6fc84d2c4d3fb635eec48616f787eca10287f14ea10ec3d218e9562508be0ba contrib/envoy/extensions/compression/qatzip/compressor/v3alpha/qatzip.proto +shake256:ae38a03abf75ec63838de20438d1fdaf6ca49f6fcc9d701c4f918411027fcabfe08355fb24d7767074d9c440842bc86fd8788ad25e8c47e98782d6b5379f8b42 contrib/envoy/extensions/compression/qatzstd/compressor/v3alpha/qatzstd.proto +shake256:b7a48d5f96609de62c69948d9050b6fe41d81f476f7779a8d46c8d1d8595dbcead84d193fce745eb375f2fb5ba034633c76a4d1c4987627205f9b8b49bcd6104 contrib/envoy/extensions/config/v3alpha/kv_store_xds_delegate_config.proto +shake256:fa51c63f2698c8856558be8080bc5340c7d1d9fecfcec48a16e154c6fd7886703897da973a1d4e321bc8748043ec6a7fce2069fe45530f104b73f07b3325296c contrib/envoy/extensions/filters/http/checksum/v3alpha/checksum.proto +shake256:ce179ee97700792b3af9c1cb5081b3e62de6f98743f93e6166f73db8e4eb06c9bfd95fc8eec110af02ce1650d12d3dcf8eb74fd0fa21d5653dcaa2c0b84f7fab contrib/envoy/extensions/filters/http/dynamo/v3/dynamo.proto +shake256:47d573dcc69241ec96ca579a48df33d669b3fd9d3de31066e51bfc0da5ff2c150c38269232e6e63fcf37c8716d72fec1e97c143a061791b15de2a9e4ddaea122 contrib/envoy/extensions/filters/http/golang/v3alpha/golang.proto +shake256:c91ad7320770b1bbacf2ac9cfcb3b9ad4814290098d6b54131979be9acb38393595d69a2c89854e6248984cd3c12df7a9e69eeee4ef8cc1fcb814a91e770fa46 contrib/envoy/extensions/filters/http/language/v3alpha/language.proto +shake256:75bebf5cdb07a03584c0367cb291bf599154285a0c28bc56d4190b90fd0ff0734d57a3ef0a8bf88005abd9202cceb47df0c13a0dcbc9af3665513e4e4c96aada contrib/envoy/extensions/filters/http/sxg/v3alpha/sxg.proto +shake256:8cf720d1ee2c70bc75784a9e3d1af11106d1a52418ec13671346d4fde5bd552882b95adae8f35e774d5d34d70f5d6150a36d635e0df072de98eec0208bbf0ee8 contrib/envoy/extensions/filters/network/client_ssl_auth/v3/client_ssl_auth.proto +shake256:cb2005d9e1d460d9fb5b6e1d18c3fb0e6b08db1d9e3f20a2287ac91aabe486826b9d8fa0b674b0a075eeb660da61158d86ce0dce9952ea20c1d73e27b47452e6 contrib/envoy/extensions/filters/network/generic_proxy/codecs/kafka/v3/kafka.proto +shake256:b6678557d0f621ab70455895ce208de8c41b4f51ea1c4cd2a661bc4d72a241a39b39a0bdad5521130f1645c78b37cf68ef3f9b2339a66111b27fc3d89adade00 contrib/envoy/extensions/filters/network/golang/v3alpha/golang.proto +shake256:e1d0772c1e79f87f10446e70e445510cee7549c348789cbaa4b6e17ab6931aea85a6051f3d3c056472e6900e9b711063a01a70abcced4d271558e455f397df98 contrib/envoy/extensions/filters/network/kafka_broker/v3/kafka_broker.proto +shake256:3b5eaa38005e7284020fa83bf98b27dc6022bd88b014a2e03ceb284b5145bd3bbb455204f4b844c2d889a290e0e85c4f58b5c91f728fdff07826ecb4e90d1437 contrib/envoy/extensions/filters/network/kafka_mesh/v3alpha/kafka_mesh.proto +shake256:b358663115fc5d273c2fdeae4177ec77e455e830cc5ed529863f229faa531b643ffac3547d974b0675c3da6ab78f71615926c4ec4b2f065bda15fb84fe456ff7 contrib/envoy/extensions/filters/network/mysql_proxy/v3/mysql_proxy.proto +shake256:add12f026b68305a95ca38d27b99c60f2fbd064e6207da36607131627006bda245156eeeabfffd798f85829b81f9f97a749e8936af83702ca652415cb02c5d27 contrib/envoy/extensions/filters/network/postgres_proxy/v3alpha/postgres_proxy.proto +shake256:3f3e2331e55ceb14cd6f56a5add4364b134e731f7f925306998d8d8838f717ebb3f6efdf7c8905be7a7251e6c4038b90e1396bfd84db2d1dce2b22630321aae0 contrib/envoy/extensions/filters/network/rocketmq_proxy/v3/rocketmq_proxy.proto +shake256:f788b766d979ecdf38a9a23d447ec167d9c461bd4776e261a15a5062ebba61c31135066937d088999278481ed593bc7d662ac7ce64885b29e0e670211b938fad contrib/envoy/extensions/filters/network/rocketmq_proxy/v3/route.proto +shake256:726bb7baad0914a388e5094f559c289ffe68b86216453e24a0d477535f4b5248925c1706983b3867fac7fd9ae0eee2a8c2913c5252726812e4bd6fbc4b931c14 contrib/envoy/extensions/filters/network/sip_proxy/router/v3alpha/router.proto +shake256:814c9c9f84d6c9518d7b396be3c45c734f94be7f972e591e3b9ba081a63b9abee6569e32e183e5d03453f462551b69af7dc20461dc31e3e2bcc411be5d8fd8a8 contrib/envoy/extensions/filters/network/sip_proxy/tra/v3alpha/tra.proto +shake256:672f7c0aa8932a96a3a45f20e4f58bfa7aa418771393a8b844facae585b8b4d5d184c304fae94762a8acf54d6e724e20064e535b0ac0e8889e2a0c6d4cfe1660 contrib/envoy/extensions/filters/network/sip_proxy/v3alpha/route.proto +shake256:8ffcc12678ded759d7f71dbc576f4a865c9dfdf5cbde41d77e43694ff4158bd76cbdc04258284f289ca61d2a47941ed53ac8ae0bb71956c1d8098813bfb974a4 contrib/envoy/extensions/filters/network/sip_proxy/v3alpha/sip_proxy.proto +shake256:bdd1669fcd617d3bda7dc5641875d063e878e343a1535c177f17290637ae649d69960feed3b81bbb378ec04797be4bff4bb13265fd69681cac4b58c86bc88b61 contrib/envoy/extensions/matching/input_matchers/hyperscan/v3alpha/hyperscan.proto +shake256:e1cf9ee5689bd0c31288f67dc28ff17351fdd16d3fa7f111483c34536b861e76d2c407d00bc0d2661aa1f53a32cbf72afba072443a4b49da7b5318576e0bb4f0 contrib/envoy/extensions/network/connection_balance/dlb/v3alpha/dlb.proto +shake256:75de73d5c5355f082e4d607078c0891ac2e1899e281718301e1a6d5a89bd2816304e1473d702c4634bb440d388b990d60cc48d21e8ce698e7de59c096463a201 contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha/cryptomb.proto +shake256:444c37b67f885a3f631bb0dcb8140a07cc0f56503a8b4296bdc89638d06591aad6732f2c3bdae8c4891e44bb4c7cabb592821d95fc6c1477eea81e3b237e7ecd contrib/envoy/extensions/private_key_providers/qat/v3alpha/qat.proto +shake256:33e1082c3889f2641394dc2e7074c5ba5ce3126bdc9ba1060ed407ce7e1ae7d41fa5b3a75575286e681ec3851e0c368bde67cea84c0d6bb065b69722cba624b8 contrib/envoy/extensions/regex_engines/hyperscan/v3alpha/hyperscan.proto +shake256:9825c2f88055cd25c52078a6c508fe77bad594cabb2da12253b4c71057ba330f441300dc8db264a18ab8abd2d324e2fce1089918903ecefacc1bf49c4219c74a contrib/envoy/extensions/router/cluster_specifier/golang/v3alpha/golang.proto +shake256:cc70776633491456a381ae3d23406d5099ca7f1f76e2d50dd2febfd8eff9146d38b60fdb44ef8e42a1a2e054264cfdef847875db46cc09afec3c9ed886bfe31b contrib/envoy/extensions/tap_sinks/udp_sink/v3alpha/udp_sink.proto +shake256:fa5971bfc9d3068cbec7922a2442669502e1085efddbdaf11e2e94924f3693687928380f73d0e49ce95bf13596f3affe99e8794631e7975e51755b31fca26b42 contrib/envoy/extensions/upstreams/http/tcp/golang/v3alpha/golang.proto +shake256:80887a746d8294ce4f4dcd0467ee6fe7b157da9555360459146587cf1f3166560d586c1650e274ce9449d5fceeeee3df9a6a096e100b04cd45394841dba6cc26 contrib/envoy/extensions/vcl/v3alpha/vcl_socket_interface.proto +shake256:4d73b76b955d3478a5f466d844271d6c7b4b453b62f013c24eb7881b03f547d063158a3cf522c37d480ab561ce43060115c75ebe5ff70b193c2d4dd1d3bff60f envoy/admin/v2alpha/certs.proto +shake256:392009644dca0f075cd5dc284bacc4d5a6dc0e9254998b32cb58f6773316f608696de51c8c825c8a5f1f4c42b2cececab719f23d8e33fcf20702d652e4db68fc envoy/admin/v2alpha/clusters.proto +shake256:e4db3591f411e0073c4d281b2573e88576c5f9de4b544efb50bb342b54e7e1acc4fa6585401f2629fbf6def9d6d1d92d499994ff1e2f5dd217ecb0a227c292fc envoy/admin/v2alpha/config_dump.proto +shake256:4f2bce6af0bbc8be1cdece55535545e089ead78542386e3c8296cb92280f7609f52854a8271121b19d5b42e39c51c84d2a77f63e27e9bc5f16733e2328cb53d2 envoy/admin/v2alpha/listeners.proto +shake256:babcaf94ee63ef61c6e8a78b5cec1478bef04363192b5279554ca60f4de7850f43864bfd2131e25b133d6f4e39d1223307126baf092edae54524cf64eec4c139 envoy/admin/v2alpha/memory.proto +shake256:a34da07ab2e4a8bd9209a1399e188eac2be481978cc552ced7c6c5bd2de0ca3ca3dd8f324af7b69888381f0522fa4ea23caf5b997dc6afef44e88687472a88a4 envoy/admin/v2alpha/metrics.proto +shake256:572464b7bb7321d388f6e6bbecd73ec0fdee640812cd58a975615ccb561fb63e384945ee6bcfec2c5428bd98e08562f9cfd48f3fafcc362c8c1ffef50e54dfd7 envoy/admin/v2alpha/mutex_stats.proto +shake256:47d3268ce2101d2c203883255d72b5bc2fda272a1fb0e99dbd44ce214d8ea2f771ccb29809e617dd8fcabe3fe0e5f78c1d8780462ffb8f022f7bce3a37a6be7d envoy/admin/v2alpha/server_info.proto +shake256:7b13e01379b3accf542fc1b635e9773f704929127eca82c3d631bd91d71cb4dc6970a66e9777f93f694ef52f46121c78c40f701e25659f56eed0ea13b8a98ef8 envoy/admin/v2alpha/tap.proto +shake256:b0fc6c0c38c61ab85eddc6842483bafaf3442db13de31ab87de2d8287e8737f3cb2c7c7a24d07bc44d5cbfb9094b7140ef69c83a0285ba6dbed3f5c301e6b082 envoy/admin/v3/certs.proto +shake256:3ecd52c0173847a8f34a9276ea4411f01160e06109098d7b9d3d37f3271cc789b60ad62fbb175188bee7048039a5968dc6aa6488ce20d7c31d0da58bfab013f1 envoy/admin/v3/clusters.proto +shake256:b74573ab490303f5a6d136e1c0c1b8ac1f9a617bebc73db2d44750f0ca4fd4389c58d1fded5624b38a021fb65c48192326a71209468c1cba243ec4b52d2a176d envoy/admin/v3/config_dump.proto +shake256:e5c3e7849f8aab45cf872016d0b6f6288e7d1694fe103e3b0f64e74a7444dec99b7f296e59cbfe28373c351b0404b7c865e1281b175c19434c5b84f3d4225d03 envoy/admin/v3/config_dump_shared.proto +shake256:e72b3a5de25f5c898cbfe5fc83fef8dd66c03bcb396c52fd2edab6870a3b6cf3b696f66591fd3cbd6f7d28cd23e71d49786756a8ddcb6ae42144fb36077132af envoy/admin/v3/init_dump.proto +shake256:6570272d2d533e5eb9d66f2f9cda21c84aae72a753b497192014ceb2cc77f7a3698e9b52488303c04b0ed6e6c653c49912a55781d873b4113f8a66eadd87655c envoy/admin/v3/listeners.proto +shake256:4cea80b96515e73ed166ffb074490e388706151c316a6281d580cad1b94c25c2f2fad927bd57061193640a791bfdb17936a60bca6e44a7332685a143f7eb2f12 envoy/admin/v3/memory.proto +shake256:1fbd58b26fc343916e3a95e7c8bbcd18be83aa4100f0cbb1171556685079dd0c7d6d705bba862d77dbdcf960e9be17cad3e5cb0a5994e9ba9b88b541a9d66411 envoy/admin/v3/metrics.proto +shake256:7d878df1ba81097b3bd150127d366a41db794cd7243a03e0b233c563044e15b5d0f74565d5f9408efff46de7dfb7c3b0a5842cb02882758acbc15323fcb46ceb envoy/admin/v3/mutex_stats.proto +shake256:b5082be33b95bbc2c8a1bae0d4ab9585ce842da65878270cf233bf066be2276fd9282b37d7b809cb974812a92cd343d877f95344756ba946b6b05630261df3ce envoy/admin/v3/server_info.proto +shake256:6a478eb836b32fa6eb4912a3cc311d3e54b267e7a628426efc49cb81959b0b5215ed46deacd0233d4aeaab32a303ca5309fcd030012bfedde2de782fc0787310 envoy/admin/v3/tap.proto +shake256:3adb067791805262a0ab31825adf5239b87c95c057cf3b4dffa4a7a8debf5ed4a53e239ed3108da8981c69fe795b1cde14a02c133f410dd0f886e71f6479319a envoy/annotations/deprecation.proto +shake256:f2de7186256f2d6d35bc5e77e5a2060e3be9256970d9415cfa01bd9d0a063f98e2a7bb47bf7b03706d9d466062aa2faca4ea91f45fc93f995340d497bc9d7186 envoy/annotations/resource.proto +shake256:6bcd4872bc82d5ea2fbb17106cdba7772b0b241931a935266ce04e980804700b5b0ea06ac0156f60645830a6ab234bdfc46a37f51bb49a18afdc6bdc984563c5 envoy/api/v2/auth/cert.proto +shake256:4ee13ab3002ccc1c7a6143d26373585edcef9829006e3f6daf46f4e1aacffce7eb83d4c61f5464a62f021eb73126e855650aac16b222b0e0ea8f3d7700ce07b7 envoy/api/v2/auth/common.proto +shake256:fc23072cb4fe3305d96f0d2906e00ef441ca4168ebdb5e03ae90ff55de2c7f8e597049853e149378f283b87d20270e29b91205729bc4400ac8981fd9a00be0d4 envoy/api/v2/auth/secret.proto +shake256:be1ae530ce5457cf99390111b1c49a4eb22ec4c88a926c88aba17f798283648c5b8c0c19b50e82fc38ab4b86b68b2c7880ceddf200218e8e37e27f66a7825742 envoy/api/v2/auth/tls.proto +shake256:15394420cc45218d6f94c6d4d374afbfaee234bb34f5347c9e24f53351ae1d9702b2e6ee54e212c690065f5ba41e7bec67c797f9f67f66bd73a52646761ac7e4 envoy/api/v2/cds.proto +shake256:8ef3d1a78d916b9aa11b7d1ebd91dc3b8ae11e1c8e0394ace665b30f5af424efa0857fc017ffbfab8180aeda10f374129e77c0649d13897bb3550d803b904a3a envoy/api/v2/cluster.proto +shake256:dcf8ada507f8f3d3bc8e2d27b16ccce79ee4cea169bc664b7a16412816429e4833dc7cfc0c1f9cb93da2857135d9ae785ae595ec16eb2656670d3023e1976962 envoy/api/v2/cluster/circuit_breaker.proto +shake256:c42724147597e47e16d67d23c262164c30794cfb11008029b88608165ef6c28f193f3be64b16024ea38e55b684bf67fb7d1d48b57399669b85cb3be0f4c8dcaf envoy/api/v2/cluster/filter.proto +shake256:641cf1b144e9467ff3a518dcff9303974f5ffd7320833992eb1040b670492055bf51d07c3f94ad4108419964b19a320d4d17f498094df3476f0556026e729933 envoy/api/v2/cluster/outlier_detection.proto +shake256:94d83f6ef94961e92bb3c07c3cf513e755e03408f15ee290af3047f7fcd79a7a3eab72cf2cbab525312a4d58efa3d6e6510014f2df2b79762767b45a491c373c envoy/api/v2/core/address.proto +shake256:23237102de7fddb83c181d3b7bfa7d34e693bb9b414f2ac87bdde48a4ad1bd6d8fda9c26cab0e13869d1f0285f725b1d1f978ad63e310f1bd81bb110315b9e24 envoy/api/v2/core/backoff.proto +shake256:13cf2aac8defd6070f70fcd106137a8fb8cb8bf27ac53fc76c876b0dfc098faeaaa90c87fc31aa9c22ca16e576764f7bc4f6e6bb15264310ea266b3fc577d7f3 envoy/api/v2/core/base.proto +shake256:58c4a77b91b41262c7c5db6d9883ba32b83955cc7490c326a7393bc2716646af68282476e0ff4605541d9cf6049a6a9ed4bd124c45e3dc12089c4346d86b3be0 envoy/api/v2/core/config_source.proto +shake256:6a143f29c2c8a492b4d04bc5ab6258c80c2aef067cd0382050a6813c950ddc47c5ec763f6b797398c6a2c03be3bfba65b127be9ffcf5f07d3b6e9631c74fc2b8 envoy/api/v2/core/event_service_config.proto +shake256:488b4d588a48823ff76c9be096afec4ca1573a0fae135436a7b691494d6153759f08ba1abf8b108949b1d1b9225cf6ed4fc934bc3ee03ea0546f0e97d3732b9e envoy/api/v2/core/grpc_method_list.proto +shake256:7b95620b8d3fb3c0b67d8bc400d7d1c61492f2ce4807f75ab5f77086925eeae9b3bc1275c8568b2bef90cfb386466168be40f3f67e613cd307007a372e8fce3f envoy/api/v2/core/grpc_service.proto +shake256:8f651da5a7966d944fb75b1d3a2c245101cb3cdc4883d2d5ba9a54440a6daf5986f92460c5e8f3f439198131246891093ad1aac6f9d70a32d8ffec3834fc030e envoy/api/v2/core/health_check.proto +shake256:662c11e025424aa76f09f82c7f4f374398d62c59b823f2ef865492b54e0560edfc04b989c8e050f0b2e62d7bd764aea4374859a4fbf97f20d6adb50563c4dcf0 envoy/api/v2/core/http_uri.proto +shake256:9c4b1b16e8883e5a4ab925b8da52d27e5ae1891b5391c9416c01e8ea172a34a9786000c15d3728f031f548101d9f2c4cce42fccbfe603c7189a9504de48e0ae0 envoy/api/v2/core/protocol.proto +shake256:4183d9068d64aacc842a36e6ea35f750e7f08118e1b9a8bb9da1aeade8d4a462dc024b226489f5918511261d4e023a5e7676c05a4b91624dab490df30cb6b1c3 envoy/api/v2/core/socket_option.proto +shake256:87a9f435ecb6daab09bdd9d1615fc8883c3b1951b9dc35e5ac2421e68c749893cd1bdd266bcfb21b816e6518c09e623bd08c3a0d519129c85686fb3e7de92928 envoy/api/v2/discovery.proto +shake256:119c145cf6a5e4e18331364889c9ce3ad897293b9b5a79a0480d566f44338a6781ae5801df1f9e9675c78d6ff4ed1eb91e7f61e7dc3e075855a2ec1b6c6bc024 envoy/api/v2/eds.proto +shake256:09e85cf3be7bb8b48dedcc2f0be2729ffa3e4f8bf3a62477adaa8bbfb096b6bc54ceb3a214f0367bd1e629d27db07b389fc2051b3bc106438f1ac37f5ad8b824 envoy/api/v2/endpoint.proto +shake256:d34472c35bbf374d27edc187d7a9748623b9f315d98ceda6c98a3efd883e8d643711dba2e7def8159a04ea8d32a70a84caa1bc4701a19ac7ef412ff6c74ed474 envoy/api/v2/endpoint/endpoint.proto +shake256:41d9f97e89161ba8aa2a398c753b6692bed579d1abec9df50782c120410a8ccb1d382e70729486028036d5fb81aecf784a5f87a03335790b9a6843f2ea8b3fc8 envoy/api/v2/endpoint/endpoint_components.proto +shake256:b47b6d2db7d09e3059247b3620abd6dfa60be9ed18f53336f5cd0f692a8d5dc98393b20f64461bf440bd3d6dbc92794104e6c56c6021599e31b91b60ef6a66c6 envoy/api/v2/endpoint/load_report.proto +shake256:639c987ea02b03f1c4329299df8fcace9c807fcff8e1fe2c651f1f8110bb39d401c9fae511abc9e8b0c08c2c00eaf7ac6116d64fc428cb72fd116064a012b01b envoy/api/v2/lds.proto +shake256:20dcee2d61c25ab8f6ca81f5dcc45c32bfe28821c419f91a1a013a9afd0a5d2a665afadac356922af4f6fc1807ca89f75ec84703ff04ccb30c5a7479f57debd6 envoy/api/v2/listener.proto +shake256:3660a7db469f0a78a086f2c9a3ea6417ee67fad8d8f66f6df255c096780b2f9fac4058f69fafb7b31bb41371be08d49df8e4dd7cbaab57dc81faa072a0b2d961 envoy/api/v2/listener/listener.proto +shake256:01ed343576226520f26c740fd0ff17db2c90a3b40ceb767b5dac115a5ddc45da4fe8bbba5bc07cb5a5b1b1c2c4ad1b9e8bc9f9d789faa245c4b689b4ad31efa1 envoy/api/v2/listener/listener_components.proto +shake256:9eba07e2c57d6721e5c21bd25db39e433e6beb2690f19cc35e491b6ee398a21c602cc66f5c4998bc671c6c60935def6e9fdb78263ebf619a5ad9c5cd0040bf08 envoy/api/v2/listener/quic_config.proto +shake256:bce97795ccfd54cb5517de97a66f625d6358e490738a83016ad6fc352258bd265962bb5cf02c9c53e40130ef02aa0271c766682588b3bbc53c518da9ccac6d88 envoy/api/v2/listener/udp_listener_config.proto +shake256:c4f13154764837590c09419febc8778291e5de10cdca3b4acc72cda616a6e1f542e0ac7183aac0f37348c9761ac3a506fbe657432daba38469e9c6d7d9237b37 envoy/api/v2/ratelimit/ratelimit.proto +shake256:5109fdb17b9347ab1483afac5e638422b3164935fe79f691a8f371adc240c60430a85caf88385588957e3c07d1855bdc0ebb391940b6d5201e1bd3a0c9f28434 envoy/api/v2/rds.proto +shake256:0eefdba40313bb46ee9d204281aa7bebbd8e21329ebb752dbf82d29e0213e8d76d0139a50221d34977d8fcd3bda842cdbb160b55f33969256e5ecb5c59232c09 envoy/api/v2/route.proto +shake256:6b3fe64c7dce23224bed799cdb5162b71f9152b4020e9a002decddc9f8c366c58e21b3c03d681c643c79e78e8945fab211564ffeea0a16e5d8509b7d3d66a8bc envoy/api/v2/route/route.proto +shake256:f236b4f96272bdd8ba4cf24cf02938cb51d915589dea4bcc7a03923361f616bfc4c5ed05d63e5437f8da95a8d423c391d61907e862f445b3f23b7bec07d8ad9b envoy/api/v2/route/route_components.proto +shake256:bc9898fe8b4765b8bfc498d32721a1ed0209a5420d351825522e73c0dcdc915768c5d88eb3b25dfadb6168bbf9d2cf233620950c32f38bddc382527cefa5c259 envoy/api/v2/scoped_route.proto +shake256:6f247444f93f26c93eacb2890b7b831944c5187ebae43414dbe1455abc2b49a7f0f2d965d787b5db9a6ba585d1865add9c35b4ece5fdeeaf08bab78752d17b6e envoy/api/v2/srds.proto +shake256:11e4ff5a2c6dcb48b7d58a3d37bf0ee7cf0c9725684d856f0a0a56c7d6ad07d67478f8f8b3afce1f5634c3f18ba5497f44d902cf931e1a5d01dd78b639336889 envoy/config/accesslog/v2/als.proto +shake256:f00cdaf3138ffede9241f899df44d894016dc547bba274e945eca8d923f158d848ef208fe3271b639ef4858f8e7141ec86461af7a35259fe265fd76d9aad29bb envoy/config/accesslog/v2/file.proto +shake256:4c4053ab7accefbd9a3fd4e9804d8e18ddd5e2aeee2d2c54b3ed1ee90488b292dcbe6aa4da4f245c1d4a70eefb9a19dd839d6e32533352fb5bb2cc8bd2b3be8e envoy/config/accesslog/v3/accesslog.proto +shake256:f17fed4317d85246c5b637ab098c1ec900898a4f1a6de66bf20cc4916d91b19fbfe94b3b8008aff5898f561affb1bf7bfb244a1cc8984928c2f246ffd7b91f63 envoy/config/bootstrap/v2/bootstrap.proto +shake256:c33fcfa432a6a1ddfaa759db672f56be0eec4f9a45705bc88a83c2775a23db2eb0824ba6af4bccf082c58bb304f58968f08f7f39e238581c2ec0337b35b30145 envoy/config/bootstrap/v3/bootstrap.proto +shake256:ef15d2b7031d8edb952315f6f4dd986f1ca0137662cbf58466fc1ae58d9daaa396a6f79be8da1c5de511dc7620c29dec56ec4a1ca9ef29c1dc24de71da2e40e0 envoy/config/cluster/aggregate/v2alpha/cluster.proto +shake256:e96c45cc69cf74ea9fa9ce48596722f01c84f8164b2c8b213a1c901973d70cd9f88a797b22b83423bd548efa3452793495f5f730f2d6c79a3cc4de88f1e23013 envoy/config/cluster/dynamic_forward_proxy/v2alpha/cluster.proto +shake256:f88d1d71037a70c72f39863a5a9ec8d65ded375d725b7e416d36ec233adcd670e010a8b024c755835c16899a8e4c1d00ee24eacc7bc51c778296d6c5fff1fc8a envoy/config/cluster/redis/redis_cluster.proto +shake256:10a21c816540ed52d9dd7002be5d269527d7927a5b55acff457c434c996df2ad57355f996157d4e4fdab2d6db7f1a80c5f1ce94115c3b31cdef782b5c7d26b7b envoy/config/cluster/v3/circuit_breaker.proto +shake256:f75af2771b6d007291e7a3213e7b027a1a498364c9cc86ee85d40d25fe4ba8f39e48f29de9a57e7b2ac1c87c048298ca64c8828c40bc043f19c8038b72e3330e envoy/config/cluster/v3/cluster.proto +shake256:b3be2cbe299480ca14f70ab1684fec6d05045dcea3359785a5c9651036aa8c216b927a23d6107b5c1fd86b6e5bcbb204366562bc7356bb634584ddead1bc2ec0 envoy/config/cluster/v3/filter.proto +shake256:98b1c26901946bf3ffca0a0528724578ea47c176c8de0354aad5c4d2daa7a8436b3b7444741d8645c9ce01f679b1ff83a22daebb1060af8bad082193088b4242 envoy/config/cluster/v3/outlier_detection.proto +shake256:238687121388f8ec3ca6be644812aa45483557f65c5a22f97868ac71fafb3b6770a8256bc28b1f56286d959e8316227035b2606e58aa4b0fae141181f665d4f6 envoy/config/common/dynamic_forward_proxy/v2alpha/dns_cache.proto +shake256:14212536f4874aa3d72398818186611af78b88cd84497439e90174013822a27b0cbd476f0dba6d18be520d6e0969e8a2649530dc89313fdcce7272cb7317a51d envoy/config/common/key_value/v3/config.proto +shake256:36d0af392c209533e79a725e8e1999e141deed82a1769728a96465761fd5346382719b47765b4be6753777f80b1f93b214c6eb8a501d9e7431753ad8b993f136 envoy/config/common/matcher/v3/matcher.proto +shake256:bb688fa3d164e48efde9a75f15dd7b27477008fecdf1de1507fd0b230418349e51045dbb409c39c07bab2ecd1be4f85c044dcaad213c998b59e0c3a22b04d3b0 envoy/config/common/mutation_rules/v3/mutation_rules.proto +shake256:cbad07f379e55edc8e8cbefff8799dee2698ef277b0f8d68d8e4a040cccfc877d2bcd19ca008021ebbc796148d0e7bc01a5f8b6fd1a5dede10e1b1b2672f202c envoy/config/common/tap/v2alpha/common.proto +shake256:9bdcea3eb88a11101bd929c0023324fd3f4de83be267d8221eb85c279ff885ed115bc5ba0dfbad50b8bec34ee582181b57556d3c982e3f488bd07282c2a916df envoy/config/core/v3/address.proto +shake256:fdb34f03c4ddb608eaddf33afadc37719a5844bc0f2b0a3d46acdd3a47e03766e7b0021067c67f2f0f1f55e651e0c7000b9e4d2c44aacef35c0f71b016416750 envoy/config/core/v3/backoff.proto +shake256:5e7d0238586f5b9dcb7eb825f7256694e31cd8082ebd27e23ec810b50a414434f31c6ec652e5bd7aff2d4b6f05f665de1ca58852dd9020af4e70cf1551382d7a envoy/config/core/v3/base.proto +shake256:8226bbfb813cffa2b928184a6eeb04043ff9e554c0b097c2b1fb3c607f3c5b873d628dc9a171f594af63315d155845e947db3a4790c636975e51ed0b8a629579 envoy/config/core/v3/config_source.proto +shake256:58094a58339d6781d0d06e48e32ce262aaf8f79448b624a9ac2792248efbd1217c6606c493ec80226069b95efd89e9fa25357a8e76afe0775ddecd40f0ad7d78 envoy/config/core/v3/event_service_config.proto +shake256:fe914c4817a48cf5e7ca7d9cabd28f99eee574396cc29419ca282b75a126126fc4a9c417fe5f702082500b0d9032586a4c7b50f4810ce34c2c1dacef2ab48663 envoy/config/core/v3/extension.proto +shake256:b8c9d6866b3e14f1e41ea50d6977325cf48575bd3a815cc36077ec0f631a69882b3d168c7ae39717b93102a3f3285dadee6d1e0c4aeb461399ea649abf8384b9 envoy/config/core/v3/grpc_method_list.proto +shake256:d2f80ca130b2ec005d4200041e4df633e76c95e48f55a7c431ebdcc68fac696c44c030d03b7e46852bf16e474662ecf75a3889c66769ccbb8cec0676a54c27ba envoy/config/core/v3/grpc_service.proto +shake256:e6f9d1ab3b04678a52f9383851a25489155a01b86ff5b7908b82367d9d39373c2376014c0714c54d23e2eb705a9886c2eaf873ba6e2404a3a441a0301125fe17 envoy/config/core/v3/health_check.proto +shake256:e72a9109cba19d603c43c8a5e7505dc1d710e9a8f79b135190c7e50e570b728df279d903f13f5c6aa5149f562f613fdad442aa327466650443ad43baf747fb2e envoy/config/core/v3/http_service.proto +shake256:ee0b0b1aeb239c4327f288f4b00507172a97cfcf5449c12d9abe4ee71a07534c6f80578568b0a445a6818604a3cb44e3cf640f66dee9fb212dff8e31de9f3309 envoy/config/core/v3/http_uri.proto +shake256:a104e128142e280ddde124ddabbb90593a61c69ed8ffce733194dc23331c9ad15acd54abf9acd8d9135e3ae9412f2c08cc60f0094cf3cd026cd8fc0a5eb3062f envoy/config/core/v3/protocol.proto +shake256:5288e856c742176528181b2cc2feb6432f4384e24e600fcd5191dbc7180b7a939e8ec2417d2f8124852ba0b03110217013a847cb3e8b5343eeecd198677b9345 envoy/config/core/v3/proxy_protocol.proto +shake256:8dc2e42d6be6f5e608487cc7a5cfd89670edc9a21be4ece3bbff666939f36a2ec7d18283cfa43007557e10e59a603e9844d8e76ce528e51e5d7b79fbfdd041b5 envoy/config/core/v3/resolver.proto +shake256:600c407b3baecc7213d993c5b2c76748c396b7c197de79b94e12427201633d5c5e900dcf1fb3de264dd4ae90c615c8c01194f43d690381f2c79d7604acefc098 envoy/config/core/v3/socket_cmsg_headers.proto +shake256:54fb8bdc367e04a2b306de2e85bcca91f79ee21802d963ea46a5761a344e3db3666600f3c860fe7c18052aae3141b4dcb14e9449e83adb08036e8b2e5848658b envoy/config/core/v3/socket_option.proto +shake256:2ecc944e590837c4b221e72959420b145d0ef24fb8ac4534355cdb0bd6bd6c333093baf209e5d4c933a386cdec5e48e5f7c07859d329b518f937a371e92eb0bb envoy/config/core/v3/substitution_format_string.proto +shake256:ca4da0953d0209d8c791e9d9eb1910c2d2e577a467348e4986a8c3c341db38e52516a7bf6dc4815ea0e8d1ba7566e314e50c89f3d33ee217b19335939b1142d1 envoy/config/core/v3/udp_socket_config.proto +shake256:f21f75567e86558fb38afe39c448339f1a5363d8add311ce8117e6d4ae8cb8c0eb37c8116636004203da6420eb226ee8b142e9306441cce1be69a0475febaa53 envoy/config/endpoint/v3/endpoint.proto +shake256:303fb1667359e27d6ec2aece183975387269521eaf32a9092183560a0cfb88c72976ad820c8d3c2dedbdb1821ad3bf90ed231d827343295779098a0905026cfc envoy/config/endpoint/v3/endpoint_components.proto +shake256:ab22092143f11a2bb940fd0a240fc9730e3441ce6c9fa0b9655877da59372d2fc1c3fa36aa9f9b68f7659b27ac66d617255d3810f869b5bba5ab41ab4107792b envoy/config/endpoint/v3/load_report.proto +shake256:2d64307e37f83d7f3d7d7702252ae62811016f56644599787a12e0d59c2a414e6454f8518fad20079a195415d543f1c8532615056f5d1aa58f39d38d0713c509 envoy/config/filter/accesslog/v2/accesslog.proto +shake256:2e04814e594b2f7b966528e191ec9c9d7eee8b81ee070f8f1ce057829aca88bb877666a67534989dd0fc653c86109caf2113d38b5276a9a4ec710e30b303c37e envoy/config/filter/dubbo/router/v2alpha1/router.proto +shake256:cb4a510b6cc2d26c941134827154e1d4f9142add0d92470d7de710bbbf26dfe696eba02d256d97e93c874a4eb3f8ea4215cc1f99a4b478085d044dc27f8f6faa envoy/config/filter/fault/v2/fault.proto +shake256:870cdd98267a9028f41edcbaf811fa8ffa62cf8a09f06386769c7dd46b9e43c7496184fc551ee23dd43e3c37bb87405d599634a0096053d90a5eadbab9c0ef15 envoy/config/filter/http/adaptive_concurrency/v2alpha/adaptive_concurrency.proto +shake256:307f7ba037584aa60c116ab81bdebfc57f955fe2aeab90f71ad08afda92d14cc5ec93bc180e5e026ffb1372f42c9ab610d1238dbd0aba4e0a7fa13b588834a61 envoy/config/filter/http/aws_lambda/v2alpha/aws_lambda.proto +shake256:7837e63e24ef6969166ad19d00d825827ab4f33cd2cdc1d314cdf307130aa4f99642be1490b27f395aa030de57e0620e50436fb4b2915238a943134fdf1e0a03 envoy/config/filter/http/aws_request_signing/v2alpha/aws_request_signing.proto +shake256:993900853d6c5b14b2778802dab83b56056d0a8862cc00fb7ae981f249f037aaae42ec53eeb447275152a83a9825a562c2dacc8391b9550e260f651155e0c700 envoy/config/filter/http/buffer/v2/buffer.proto +shake256:e17bffb8959f0ebd69a5f76aa1fecc5c149a52c8883315499788cd3832aad4a9ab4028aab401d10cd12a54c618ee48e1865a8b7dadf9b174545bda38ade11fd8 envoy/config/filter/http/cache/v2alpha/cache.proto +shake256:366ce40fc1609240c011e89743df49698f53243e673279cfe6df1a3fb5011ec1681a7153670b5a03b401718f26686bf96000094f7c0360e3284754440749c517 envoy/config/filter/http/compressor/v2/compressor.proto +shake256:7edf20c50b174033cef65e0b7546ea572a3f5306bd0106fd30eacc18a82efce49ad9d30f6c39577f36b97b373b281c4048cef86d5ea4bba5075fd2b29c8e1cb0 envoy/config/filter/http/cors/v2/cors.proto +shake256:bb31e2ef037ee26af526662fce06b264b2e166f742ec9f32bf113dba81df5e2a76f033db03d23df77f4417593994502508fcd2512f1dd95928b84969a3ce802d envoy/config/filter/http/csrf/v2/csrf.proto +shake256:1d9282eae617b10bf59dcb7633be402cb61cbbac9285c9e5677218f48bba048a73f459d28ec8b2b7384de99a8281f61fb58c4227dc250b97363860cdd168044e envoy/config/filter/http/dynamic_forward_proxy/v2alpha/dynamic_forward_proxy.proto +shake256:76db280e6229da9e4ae842fc296ba18cd72a9e803c045380a7353ee6f765cb69f4c129b559c22ffe920c7f2437f0404a61ec0108681051b0321fba07f894dbe1 envoy/config/filter/http/dynamo/v2/dynamo.proto +shake256:597e702de8f7a40d1fd9744bacce3076dec835378127af4c19e336e480332c0f27da7e4d5b76ae77f160bc3b5088d54e71e5e65016c97735b1c2eecb511d62df envoy/config/filter/http/ext_authz/v2/ext_authz.proto +shake256:d1b6d7c97efce1de7fccb2ba0472bdf62a20f4d0a716450549b03a3dbf405c4a1592385d7195b629ba43336a6649161e832933f3df2fc193aca16cb06d6b60e2 envoy/config/filter/http/fault/v2/fault.proto +shake256:050055233ed4396d983d99b84e8f6a5c3b0d77c80f7607ab28848156b18e268b57419282cb21d44a877ee43ebb3ba95ccdab886fa861a581e51daa3582ac815c envoy/config/filter/http/grpc_http1_bridge/v2/config.proto +shake256:28e5bedd6b62b170f46454d53864405335b83e56699060794d6b2fd6c41215ec056e13dc69726bf576eb2cc4e5e0ab3ea97b29d31b82bd343bc3715ff3093482 envoy/config/filter/http/grpc_http1_reverse_bridge/v2alpha1/config.proto +shake256:3d7cf31ebca862e3f338116034e2e553a3bb02d824e5c60d36dc16329c8c89d4f983388a6701ff5f28f2836c7504ae8dc4a547c750e61fa2b2ec804d7afdd172 envoy/config/filter/http/grpc_stats/v2alpha/config.proto +shake256:4451c917e256788daea0ace8618859b6d92078cb0f4a521c5f37aff6c1f65c643570375af579af06088bdf134b5d478df3300d0ec1c8499f4675ebe3701c22a8 envoy/config/filter/http/grpc_web/v2/grpc_web.proto +shake256:955bd5acf952e1c646307d585ebff1ddb4b9e12a7c211cdbd18683f9c5ec86bef360d6d501c919cf23307575a4e52bb7e1d8269a6bc13a0895d465067ebc542f envoy/config/filter/http/gzip/v2/gzip.proto +shake256:59e8e289a11351075573f2ddd7a37db76634c8948ed3e6ce6700086fb333c2c5fbb699c32a2a8a953fff83e601c78cd07e1c190b1656fc54c96e580f4a07d2f3 envoy/config/filter/http/header_to_metadata/v2/header_to_metadata.proto +shake256:42d4431a3ab45ef6f56608563c40c650ee96b48e840109bc81b72ace5ee088e1730cc8311942f17c3c7f840401ac795527f37011fa0f8baaa71862f1df4ea3f6 envoy/config/filter/http/health_check/v2/health_check.proto +shake256:7d100ed17b8aa3d24e851dd599ee8265010a64ead4583270004dd1e4119a3347a12ebf54b3bb1d46e82a082739adae9563d6d4a95fae0d72082c49aaecd651e1 envoy/config/filter/http/ip_tagging/v2/ip_tagging.proto +shake256:0e52935864306aaffb1aed4a1ceadb85c9d2faa05d1b85f6ca28f4f2f1c5905d8c1bc3d2e82b784d6b4afa6ac8915fa84e35a5d8b5d61bd1d15162c27795ad38 envoy/config/filter/http/jwt_authn/v2alpha/config.proto +shake256:c0905fa961a0b2650e460950ea69a761bbaecb36f3275501e2af3eab849a118859552ffc25fed71acee9467d821644cf8bc0f63b4b03898cbd409bcf542a0438 envoy/config/filter/http/lua/v2/lua.proto +shake256:ade55f48104a52c6a1a07a69eac9362734ca4d1b2b5b388a723770ac870d9f41aa87a698fddeec5fa5b807e6f3af6cb27bc1306d0c037f2ec16a6316ad9c46e0 envoy/config/filter/http/on_demand/v2/on_demand.proto +shake256:c2ad802957739a45a3aa91759fd5d695873aee61068f8a038f052062057a991d5df8c42940a6f18c158e605702188ce8ecbe8c8fabd108597fb4d153a361b516 envoy/config/filter/http/original_src/v2alpha1/original_src.proto +shake256:7a9da6e3d21b951381677149a4ab86cf91c36da9941460b9f0a5779756a8e8420771414f1a7f8ecdd9d11711e96641c5a513783fd73ec32ebcb78e39a20f6bca envoy/config/filter/http/rate_limit/v2/rate_limit.proto +shake256:f3a1c6647ae372e0b96759e4a81c6a0d3b200e3065f30bd68f53afc8196dcc5e5506bc3e1b87b7fa9f55c6300c2f74202ac6c693558d5b9e129ec356dea99418 envoy/config/filter/http/rbac/v2/rbac.proto +shake256:413fe9d15a14a89a22ce071bc25638552237e23446df0a201ecc174cdbc01b002d0f1214f9229a7189b649d26bd1a074b2ec14a59ba5c883654be8028f79bb03 envoy/config/filter/http/router/v2/router.proto +shake256:b6c5109ebaba66d44558c5b42cbdf0b7a2415bcd33350fa1b3bd87bfb79a57a1cbc1c53b745b3f15d2ae8296185973aef15bc6c35651f054f8f14270c6836fc2 envoy/config/filter/http/squash/v2/squash.proto +shake256:396fb5d3083f51ee0c11021b3c8f12795daa40f767de6ca35259c02710fda3e074777e53b4aeb6d1c0f2df8d12d82e54b211a2bb68260914de7e99176a941cda envoy/config/filter/http/tap/v2alpha/tap.proto +shake256:5b8b39f989d4085aec086bad0adde86332f122d5a7039bd417971ebad896c6b0d3f954ef2cf20f2db3e144fad5faa647fcc4f780855c73610a476ec2ff8479a2 envoy/config/filter/http/transcoder/v2/transcoder.proto +shake256:0d6c3b6012f347a164577edd8719c672791fcf42bfaae8801ea78358f1810948ce8e96f160bb7c0cae6d31e599072b15b7765efbea24b4b66171f654132dea3f envoy/config/filter/listener/http_inspector/v2/http_inspector.proto +shake256:ad9a5ebe5ad5dfbcd7cb9ca60512f309b7977f3e799916f203d16a0e5ffcea17ad6f6754e1dc0b1790b4b310c620f7f7b299a666165b6226d8b11e0411b26db8 envoy/config/filter/listener/original_dst/v2/original_dst.proto +shake256:f0f087b21bf93903c09469582f75f567815ea9e61a60fc696a800d3dc9a715a2f1c6bdc46d254add4deae2b7e099458754cb6e00b2875068d967cc884bfe4177 envoy/config/filter/listener/original_src/v2alpha1/original_src.proto +shake256:e87549581f5c86532b2bb5f98f7b36174de46c3f06eccd5450f7de62d009ed796d271943f8dd097ee97470a9a21f56737ba0619f4abf6ec72e314a4a6ae45c8a envoy/config/filter/listener/proxy_protocol/v2/proxy_protocol.proto +shake256:22f6d98be5ea471289b31b871ecef036632bb6db471a2cab6b7e5ccc11567a3722f8c1bbdb79e3aa74b23bc5d96330b097749d9010e73b180e9d491fb3075c6a envoy/config/filter/listener/tls_inspector/v2/tls_inspector.proto +shake256:1456550bea1922225a08a3b31c07d216ace78840dcd333d7c0fe202643b55c8e743b644b97f817c70558dccd760ff621289bc20582d521c090b5107d1f7f9465 envoy/config/filter/network/client_ssl_auth/v2/client_ssl_auth.proto +shake256:0df0940ecb3b653bbafe1ecba3506cce4b15d0da8ffa99591acc62b6ccab803fcb096cb468891b5b60c8f02ebec00737a2585e8bceb1103ca27dcc2f0466d298 envoy/config/filter/network/direct_response/v2/config.proto +shake256:dbdd276342dcc3634ad05a1a440099992ab5f3d122e4a02a51e5103115f672650aeec58af6f49fe03891c63199c1bd778621adbaced888d4199bd89a81536efa envoy/config/filter/network/dubbo_proxy/v2alpha1/dubbo_proxy.proto +shake256:1d6d4703df00e15becb0f3482904cb9d9e2b3275958478c0e947f213e3169da8c5cb19f71177337529ca7090f67e44ba8f7db0fcc81c71d2e23bb608f381ad5c envoy/config/filter/network/dubbo_proxy/v2alpha1/route.proto +shake256:02b5ec1c189f640a9f3544ae58b6f6eaf99c995f91290b44d4ec279f7faae01cc6672478f67603eff54dba99efba1ae5b6850f76428a08d2247c4c777b4f0f67 envoy/config/filter/network/echo/v2/echo.proto +shake256:f620691491093a0c4deeaa76d679ab9e08733bcfd5782d01e22d3f013326b9af64dc0dc85abe8968d7da59730c5f6f597ea9c7c0153724077af9c22762e553b2 envoy/config/filter/network/ext_authz/v2/ext_authz.proto +shake256:a7f813dbdfaadb034a6a7332b0255a0e3b22c62a143f04961312762d3abbf1f55bead00e1df978bdd79ea16c8d90d7c6fd485b60367217391e39ec5aab637b2b envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto +shake256:c287f1093bd60b0ed243f40f69dc868a8856f31b36cc3f44790c0ed62e24c23fee9046ff0c55512f5fdbabd3f7fb89ca60d13a90ae0e1595189e5f2ef03febb1 envoy/config/filter/network/kafka_broker/v2alpha1/kafka_broker.proto +shake256:35476c557e6f472b50de17f81ba0acb566e934ae8a1f6b074e5516c797bd9737ae81a44a553af1702b2a29b7a60d41a815abff0fbc960ec4032dcbe7dd0dafa7 envoy/config/filter/network/local_rate_limit/v2alpha/local_rate_limit.proto +shake256:ff5bdb82fe17ffc5e034384ede8f7be5ba4dda6b7aedcf79e3e2a6ceb15253b2e7468944000118b6a8825aeeac97437f5850ac702a6bd2fd4f8e007050588c87 envoy/config/filter/network/mongo_proxy/v2/mongo_proxy.proto +shake256:6358160a2bb957573173e82b28b78768815df7674e3b755e2d73b28926aae148219181fc7a728fab85a0bf9046ff8a3148fe266630fbd6213583b61f093fc1a1 envoy/config/filter/network/mysql_proxy/v1alpha1/mysql_proxy.proto +shake256:f7871c4be8c05a913f14222ad951bcae6adbcbb8c06e1054d04fa726ceaddd4b9662bbabca46863b0662a800f07ac5e0d7cd8259e427f179e43410e12261344d envoy/config/filter/network/rate_limit/v2/rate_limit.proto +shake256:28d44c0675c62529d36fe6cdca9b6195cfbd79c0a28c5214e7b1a8dcea07098639385ffb8707a569ae7c073d72731511c48aac49d157181cddabe721617eba51 envoy/config/filter/network/rbac/v2/rbac.proto +shake256:20013e3fa4f7dcbfac0a112706f65603465c3a2690347a5d73a5c51186306f65fa335620753d5df37e40867dba5262c848e91983488a492d4df6cdc5834665ef envoy/config/filter/network/redis_proxy/v2/redis_proxy.proto +shake256:8b1bc807c6c7bcc0ce1eabeb73492054766baa72cc282d9586fe31dbcfd605a585eb4663bbaac2569d92883ca51fc185951739cd61c41cbec0e419a00b966fc6 envoy/config/filter/network/sni_cluster/v2/sni_cluster.proto +shake256:dc8c92bc94f230e7fea77366937e8f7434fe3e1eceaf1fa39efceafbf3abc462d24bb1b9e666e0871d03737ed493c13e617c3d155ab739b072f3de16dc953559 envoy/config/filter/network/tcp_proxy/v2/tcp_proxy.proto +shake256:82e6c06843d291a8b5709eb695063c78c7ae1d2c1a2b8b2292223305dda4428b1e7eaafb5f306c7eb15dfad1235e60003c253f7a6a5d2e60beec891f23e97338 envoy/config/filter/network/thrift_proxy/v2alpha1/route.proto +shake256:114b21fa77aecb64aca3aab1c3b7d53bc1e7066340c773705815ab4fde30388db17f015ce9522572c3dff389942faa04205440f7969a11cdeea4a23af2f1aee2 envoy/config/filter/network/thrift_proxy/v2alpha1/thrift_proxy.proto +shake256:6cbf64dd0d1c15d6e2c93f4e4afde9f5d7f451654331fae4b02c921606f00f23cfb0caa36f2f06fb9f2ccb0d9f234fa0cbf03ca0a874b0a3bba922b4505e2312 envoy/config/filter/network/zookeeper_proxy/v1alpha1/zookeeper_proxy.proto +shake256:da300993632e7361d6ee03a7662b0e6acc5892e7e07fa8520bc17cf2522385532cc563b364cbc8273fb73bc03531b346ac43f230b753ac137f2dc7fc42168a84 envoy/config/filter/thrift/rate_limit/v2alpha1/rate_limit.proto +shake256:1d3dcf44a5b9aa1d72644ce5fd320c750dd4602cf38fe13a84ded28c71f96b18495917e56a5dc5393891f71bca3694625259f5406be8d534af8b4011b82c7927 envoy/config/filter/thrift/router/v2alpha1/router.proto +shake256:8b64c01228242819c686d8298bcc8cd5a0009f46172bb1160a0b504fcd9887a1d1a16f18f601186ba23509ca27d5fab13dc3ab4dcab7fe5d0ec5afec73a3279a envoy/config/filter/udp/udp_proxy/v2alpha/udp_proxy.proto +shake256:9c1bb39ce93f4f855fe268b2e6d4d54dd73bb2542292e0b86bfaf165d3e675e4d064899b0acc06993e0d58336f3260c16e2c1543dd72e9e0428a0b3c36495e45 envoy/config/grpc_credential/v2alpha/aws_iam.proto +shake256:ccd04514495a977770d0f97b6e366907b20b06daf79b935cea836ac8127e59a5a62116085c4a412751562cddd709808ff87781d7bab9e2f659e563b827dba353 envoy/config/grpc_credential/v2alpha/file_based_metadata.proto +shake256:3f8a8ff682430a9deb7aed8aba00fb69ba6696e62ae7161963ca11e80e4195db0bb9d0efca69da4ba67e9cd62fbce30ae0450144bf3e8d905d90e2eb2418ce59 envoy/config/grpc_credential/v3/file_based_metadata.proto +shake256:8913cce18ff3029b4361fe7cd0af29f512b44f31cff11c45f213873000f5e246f5376640a4df5818b9e9b1b296e5790a53909f4f50434154ea12b001fb180f29 envoy/config/health_checker/redis/v2/redis.proto +shake256:55c7c15b14acd86d816cfec4ac71c775f41c28059fa30449b2b636141bf6acaa769751f331d3fa8c2deed0c1c4a5b493d412761f638768fdab99fd08467afe2a envoy/config/listener/v2/api_listener.proto +shake256:047590d1b4f17739e8b57fd51ef0a1595e76358171b4470db6d058ef045fe31b4dbfcefd8aff4d8fd8fa861fa235a90e00ae867bfd65a78887dff4d08863e0a8 envoy/config/listener/v3/api_listener.proto +shake256:112f2a8870a2ab47df0547e5f412f629ef41b5d79b5c4f3d7bdbea39d73dc4ccd8d88710d6433de85121c4940f0d9a003237e16366309dc652fc220666028f32 envoy/config/listener/v3/listener.proto +shake256:898dcb73232fc67a2cdd1d61309a81f12c1da724cc3e5c9877e2a1c8f8c4b9f6d170383f7dff706ffc19dca6e09c9cd558136dc75a9cf507c7e1d341c497a293 envoy/config/listener/v3/listener_components.proto +shake256:a11917471e11f29c38dd4650a5a17c27bb52f83a37c27b31f0820da873e4a5bfab148d78d65fe152f954a8284fc29dc4cfb37855c8b4fbacb51b53d45bf3441a envoy/config/listener/v3/quic_config.proto +shake256:1d22bc9a3a0507d33d49885136fbee5c011fd5f74ac1f9ef105c7bca44d0ac9159452d54b8b559e428b8ccf83bfd7870911823678b5a38f44eb2ae1f3c8b1b1a envoy/config/listener/v3/udp_listener_config.proto +shake256:4f66defabea04b57f142cab999dd99555839e1eafd08aeda613bf09565089d4526163edcbd8b645798cc030da7731b4ab9e4c1c69fa9b9f5f4566d11d873cf4f envoy/config/metrics/v2/metrics_service.proto +shake256:381b65015b4dcf88a0b952cc9a87e083818051fa779f8cb7cd45ce92cbd24ca51f4a898bd4d35651962428db7cfcc23bd6203666402466a5aba58caeb3a8ff2c envoy/config/metrics/v2/stats.proto +shake256:a49fbe0a644dadf659afbce6a37b84716587601a0040f177bc88a42e5dc542f7110eafbff73383e2a07815fad1a156edbdeade4e9685f059ca319f2fa98fac7e envoy/config/metrics/v3/metrics_service.proto +shake256:a8554de3c086b2484470c8e4034fdc0e830708d90a38e319b28f9cacbc5cd39328f36abee0ef4d7cc378be2cde369b0ec69925e6836eb6c23c3b82fd4dd3c783 envoy/config/metrics/v3/stats.proto +shake256:00f5305f959618a910e0ffdf75afc0666c5217d86f64db2377b7e5c4c742cdbcbfa572a791db73ac3c4c5c37d3b3b41234c36a4b4b313e6a0bab8a48a4dba3ef envoy/config/overload/v2alpha/overload.proto +shake256:b1b80519ed10cd644f155c72798d6d0f8a55d4657fb61d2de8aab8c821865aa7b60be401f52e6b04157c806772428ea368d36791ded9328940fe980b70e42f8f envoy/config/overload/v3/overload.proto +shake256:89a239eff6cea2da4775f5ba8245b06aa675dd8c55d466537de4c17dca74965a54425b365da798ac31cc2165f497274457cfc8d607fa7872686d0d85b221b4e3 envoy/config/ratelimit/v2/rls.proto +shake256:56a59a28387e09e6e782cbfc68daad166335b3c6de22b367d07981a1d85683405ca5598aff8f3512d781af14e855332eff88cf76472616f7120807bb60ce988e envoy/config/ratelimit/v3/rls.proto +shake256:2ffedca49b310f8130941f9e8de30c1b55f5cc5fcf2adde9db1f041a4fa654fe07c76505d15632304475f0004e9483b3dcc6896d6d7438e21f188c5457fa4c62 envoy/config/rbac/v2/rbac.proto +shake256:7b61006ff5a9d4a71cd174e21992beb4b22dc29202469a416395baa41c177e4edb73440ea323e75b5d17c16c8b05eb79c86e2494d7283d45d4453584f27d3426 envoy/config/rbac/v3/rbac.proto +shake256:9d482847cac75e699a0121874df7d06db534dcd9267f6d756691929550a8bf1c2ea73d85eae8ad873e0e7fc27872d06f07402ae8ea3b6163df3d4803b23b5666 envoy/config/resource_monitor/fixed_heap/v2alpha/fixed_heap.proto +shake256:d54077cd2998eb60031387346af05ebbccc9fe88e3b0d6f8d4a6b15ffc3f065b0741f42761ce9c3e6cd8d922ae67eb922c155f5490f0a2684923b0c70b1a09e2 envoy/config/resource_monitor/injected_resource/v2alpha/injected_resource.proto +shake256:864a6dbb71a9dc13b1f4724b7cf798208ab247d5eb4c51a3067fd7bad1e7c871c8c0a0c6cbd753462f43cd911f535756d23e24809848f4fdcce86ce58ff8c4f2 envoy/config/retry/omit_canary_hosts/v2/omit_canary_hosts.proto +shake256:42fcafbdb4d49cb14673cc7e2f1d4d12320d5df4f9ad5ef96398ee7aeaa0d731fc5e7fa8ed0c6d8eb7153f89b5eee8512eb94bde1c9ab42b91fb322140e07e21 envoy/config/retry/omit_host_metadata/v2/omit_host_metadata_config.proto +shake256:33f92a4028d3695fd5acb12636463b5d3217fe99aeecad27aa46c9888347f193c9f8b1c71559d8d3e999eb32785de600478db13e2128f559c3dbdecc44c766af envoy/config/retry/previous_hosts/v2/previous_hosts.proto +shake256:9db8237cbf8f7d69fb0ef897855f00e1b6a6517fba00f5972df3495948cc66c9a15270099b5aa7c6334d373514f1a9a30af239da352a3a6f718cf24ba7ddd6d5 envoy/config/retry/previous_priorities/previous_priorities_config.proto +shake256:508f82391d37554846ccfc4f806926470b0b5b71b1684be4c612426cd8e3265a6e8f33b03c26fa7038a0ba931e0343c26b7c34dc3e9325d52a74f9650303ec61 envoy/config/route/v3/route.proto +shake256:18f31908af63584b6662711f451e843f2b2c3b70b9270820704e4e73979af564b12c00cf59fbd38498485747c9b95ecbcf7714a24b2d379d897d7f37dcc2d733 envoy/config/route/v3/route_components.proto +shake256:134c73bfd73b81e521e4e18e6627c1c251e27f3df44ff846832d1330a018176583c0d9dd25711b5f2575b7ead00bc1c74fe14a198c49e2ea50a1ac3139c9249f envoy/config/route/v3/scoped_route.proto +shake256:9c87eab6e7c8b5285888a411d17ac8325dce79b086da2ec31ba0ad1c1df5d9d37b3fc81fd4eb02d6b2b05051b189ea07e764463fb09c3c9e28473b931349a610 envoy/config/tap/v3/common.proto +shake256:44907bc9d2d03cc048d930b0a78bb6b72b4f353bc9f3a6524f2e93f0a47a2c7234c8299bdc989927d0ca64c593732557bab2d80f47b0c0fca3cdb2d87cc8eace envoy/config/trace/v2/datadog.proto +shake256:bef0bd256ae2d3261475815ec6187b5e852b6a0178d5e9927f526da8ee5d7ef61f4de2639f5ea3511093bde05515b62392becb83ed98f669f3e9a3baeacf203b envoy/config/trace/v2/dynamic_ot.proto +shake256:4637407c3a7a724268ec49ee0bee774f940f60c54d7e13838a12ea9c6115fb34ed56fa20c31ab972a2c9d022616784038e940d2f40c43c0fbb3b85bc9f53bf36 envoy/config/trace/v2/http_tracer.proto +shake256:e86033f3fbb58c172f8fc1a5111f060e09aee3d58d1454955a7d8262422de2a4f1a692456696aa46aae0389f4106738412ed50d067815e30b00106fcc7061006 envoy/config/trace/v2/lightstep.proto +shake256:69abf1db7b6b8ab228edfcca9b0e46831ab9b9374979e609a86bf2204df09d906b33279905bd04d9ff62d4f02c94a3a9dbedb042ba6e3dd96f46db72e5c9f67f envoy/config/trace/v2/service.proto +shake256:db7a4656ca79bb7a54e54e6c6d0c7fe39871f6333f32084aceb29823252bc2bca6090d1f79bebf9c0d2cc9517cb9bbf730003164fe278bdb8777765738320a14 envoy/config/trace/v2/trace.proto +shake256:57cd057a541105aa9f9188ce8135599b752cc1297823951edccf8bf4ad7aa45ce5493f923c7073738d524e9a585090ade1b83f75b6e103ced1dbacb7f8e89a12 envoy/config/trace/v2/zipkin.proto +shake256:14278856f8d450a326b53fd4bf1e136132131664538b2e6d56cdb2c0964c4141c959c1ab0670f6dc53cf84341f3450cd02cdf9fcc0086883648b642648298cda envoy/config/trace/v2alpha/xray.proto +shake256:8d3b5af6ae067de523ffd978d48c5d5426c091552276b300c62c4b2e4903bdc33b1b1b3245cf23056875ccb4d744b676cf7e23f2cfa5aa1d0381458174a21ff2 envoy/config/trace/v3/datadog.proto +shake256:6b579882c08e28fb21fd011c98212afc0edefafa702dd6bfb7545c79d105ae3b5abb8d150246aab75c67f9043c1c7a697b71da38dfa012fe52eab5cb93b477da envoy/config/trace/v3/dynamic_ot.proto +shake256:1125570b23390d44e86ae7a592edeefeafce7821b5281748cf452660d73c20022ce1b3ca8cce1e364209a201b57ff3d5cf75b69be828572475720122be764cdb envoy/config/trace/v3/http_tracer.proto +shake256:a4e359032b0711c7e2ec3dac5bdeb45b4910d590096d1f16ee559bb9210b0c94ab61c3e86dc9f85c6c2320f3769cfb97fdcb5d111af3350ac291c53343587c53 envoy/config/trace/v3/lightstep.proto +shake256:5c63a5548079a410d3c40d11a8761f5472beab03ad573a41f061872a8b2f32e4b33a361cbecc54cc472e3bc35072cf299dde525736aa5303bfefa5d7f73d7360 envoy/config/trace/v3/opentelemetry.proto +shake256:c0071ad84f5e61f0075857b2635f283e4e8e62ca3b9c25e0a7a7fa88ef9ce8ffe243002a5633389ea76f772d1a3d9e44a0a385da9c80aa7880f19f2119764421 envoy/config/trace/v3/service.proto +shake256:a457e40b626a98e1714ca795c0f4c1e56c9efefef26b15b62dc0f1978e957de8e3b99f2a862f7b4fd88fafee15e50189af04cfd3c8b2bd8539a0bf0c9a221a74 envoy/config/trace/v3/skywalking.proto +shake256:d0205fe3c89d1f582db76034f79b0ffc035a8bd2c0d6c1b2fa0a080c9836e3fc69ec5c01d2ff82fdb53d52c27ff9e55f424535eb83b118a5bfc4b96654d41f17 envoy/config/trace/v3/trace.proto +shake256:719e4642cbe678ecafd1338699e9535aa6d448bc97ffed191fd59263dd37ee9fc432d7b7b9f7dd2303b1f4eb87416a237ce1d6b76f8a3321fa253e0167ff6a7b envoy/config/trace/v3/xray.proto +shake256:c8c66d1ff533c2b66cacc300d07c03d7e3d2fba6f98204a7b19739bb3411d64de521b48fa071bb30b49b74105a0d848e14bd8c8cc6117b8af917fb4c7ff8155d envoy/config/trace/v3/zipkin.proto +shake256:72b952cd7788414d2b15680e550320cacb9c2b05f41eebd366a352bf9a8a196bd13dfb37ae05c61d1dce10e3c20db7da9e08647cf1c021dbc040a06b7796f313 envoy/config/transport_socket/alts/v2alpha/alts.proto +shake256:791160950506e2699fca23d4f0a0064aae30c3d30ce6573ede6cdc993b7eec4c118ebfc80850b5dfe907cc8a2af039898741cb25a3b02fc1509e793c9c1c989e envoy/config/transport_socket/raw_buffer/v2/raw_buffer.proto +shake256:d3a0e662e7812372f28a70493a537c01d08628928062da79a6e328e19dd3d40c8376cf811c14decde7bad578a0123f3439be78c6665a1310d6ea3162a55ef556 envoy/config/transport_socket/tap/v2alpha/tap.proto +shake256:a384da635a4197c3cf8ac48f23e764ede9767970455bd7cf1323a18593efc4508198480c9d1cb36278c210d82d519b6e7822a569fd502eff74509802974dbae5 envoy/config/upstream/local_address_selector/v3/default_local_address_selector.proto +shake256:d7f5be3b0700a9aca56b8103381e2b6c492798c086fc2169808c5b6f57798d6f5e9ed0b2eccf7c2137aec6611a5c7e4e20bb7878bb80cc171fbd2ff0dd39f798 envoy/data/accesslog/v2/accesslog.proto +shake256:7188953c02eed213b986a7f1de8c311441e9e42cfdf01a9d8490667fd71c550d968527bc20be8592bbfc728c874f0dd998dfa3743c8adcdc04b8827b7bacd010 envoy/data/accesslog/v3/accesslog.proto +shake256:678006c89c679ff2bbec15ea088af73a37958d828750a0a760ce561b0ceeab7fddaff1db91bc9abd58c64896a613149eec677169bea9bf49e2cca9a357b2e834 envoy/data/cluster/v2alpha/outlier_detection_event.proto +shake256:ee04b813c98e80ddfffbb24402adc26ea381b319e15c9c311ee9c718d4db80ad89ecabdf4ed455aa025a8a31f8c05a9508cbc69046e6ed48c78fe05d8b17914d envoy/data/cluster/v3/outlier_detection_event.proto +shake256:4949c45e24893b84cd2159ff9bd7abb5493facd0418def75117e1e512d142a8fef8e73e7b2a314621997df36441ccfd9b41d02ffeb114bc1b688940a56cba2f2 envoy/data/core/v2alpha/health_check_event.proto +shake256:5074d5c9185ae449c6d77e0cbf47b96a8d6f16c693196e1cce340dfeeb78efe9e49a8244d06097aa1c473d6db063d2dec759eacebe84e80d757794d53c36f6f7 envoy/data/core/v3/health_check_event.proto +shake256:fb22be3c902578521d77ca8769f88ced976e03612efe4299fbde79e62c57e8bbcdc79e27621afe121dc1f22e53eb3e681a3c64090a4ece6e88851d90c464ccf8 envoy/data/core/v3/tlv_metadata.proto +shake256:0ddbf0a812e2cdbfa67cffe6f295dddfe3ff1b67fafe2b189dbe56b794f198ea795af6f704b0106867702bf8ae60b1fb641eea702dafeed356514f56ea1ab8f6 envoy/data/dns/v2alpha/dns_table.proto +shake256:25c641eb9d2005b702048207b9e492e3498ce1c42c53954c645389fdc9d276ff97fb1cb63e06d61204c9ebe695fda0d55561d4f608d5b4903ba267d8d7553b2c envoy/data/dns/v3/dns_table.proto +shake256:65f89ef9986261b3a954ceeefd67a70ffd83ecf80fc8e50dab782d1ab212295a7625c96b56f9d277bd1ab96bbeb2c12525b74a32bcdbc2b09d541a86b7dae7c3 envoy/data/tap/v2alpha/common.proto +shake256:61cde86c7ef95ebe901410b910bf31fc2d0be253300932e44cb3b97a83437127df5c47e3c659e0f27220f44a74e10e2c8682386ba61e4e86f7465fa2f2227f46 envoy/data/tap/v2alpha/http.proto +shake256:53a01b2346d8821a23d0d7aa21fd7c134f89c74b7c33c1894aa94f08b59aef3e0093d0e676f08991dbc81ddd9a329a1008cc689f5ea6ac1b00f47a86aabb3476 envoy/data/tap/v2alpha/transport.proto +shake256:891d5bdb9017028abad1e14c68ee3b0e1646f569b97476b8eb8c63d2b781a4b06cb502a46582409292ee431a7e4c0aaf3b28e0272a25e03fbaa56713cb9e6f6b envoy/data/tap/v2alpha/wrapper.proto +shake256:631bfbc49593e820da137679e03ac21405ef7d76e2d68816de0a484bdf0d419f6d72e7d246591904c7712e002e10ebf7b0422c61818d26f1d23337e676f93652 envoy/data/tap/v3/common.proto +shake256:c82a19f7ce291208de13a789ed6d20354a890d763d8abf84c61240efa3dd470ec08ad91ad03621c45314c492b5a01d696db1b6f522863109bf779f5060b865bd envoy/data/tap/v3/http.proto +shake256:2a5fa7d2cc7b884becff0309f16a824dde527aa73d830caf47c31c2a3f3cb8a8722338acf265ddab960ea6d41620f28042eae36507fae369ceb6116a0a8c05a9 envoy/data/tap/v3/transport.proto +shake256:06a9c81be98880bf743fdc7bad0cfbadad1bd333d89c88364ebe24deeaf2287c33be918618f2dfe9cafa31bd85a0e82a1f5c834d0d13ca285835813aeae7ab9a envoy/data/tap/v3/wrapper.proto +shake256:751d80e997924ab9d8826ac8deb4645239f57629571ac7cc458cacb8ada4779999258188a10d9728c0c17961305cb587074c054d6b23391dbfa3852a94a42c1e envoy/extensions/access_loggers/file/v3/file.proto +shake256:87551ab9254c96245cb5ff34c00d54a309356ba00865dfafd7d31d3ee8ac497087f852545238b0ee32a5b55f0fc9282f8574422a6bdcbb1df1877c69eaa0ae9b envoy/extensions/access_loggers/filters/cel/v3/cel.proto +shake256:56b5bfeea1b9589f8782e223818f04fc325bb38825f275cbb89387474f4e7fded90c907292e660bc01f02f2313aeeb19a29c9fefc0c82e031347130bc4fe9ebf envoy/extensions/access_loggers/fluentd/v3/fluentd.proto +shake256:cea5ade650586c7e3d0f5f583c76140ad465de448b21d230b21aebf5b0f6184bc79b12a11374d7672221a612c59a82a23f6061c3bcd978d4cb4d3b7eb321c613 envoy/extensions/access_loggers/grpc/v3/als.proto +shake256:aa1e11e4d509ca799b5c1c6bfc0488da23a4260d1610c9e586ce85230f42953e0b536dcfe207e368fec4bff5a006c00dffe714568b3abc97cbdb488b0df34b49 envoy/extensions/access_loggers/open_telemetry/v3/logs_service.proto +shake256:667450b661666527e11db45d12b9a0b0376e9c8eded7a80cbe8be51d33569ce931ed8267ac4be3d3cf8f1d1d689b3fe8ce52ddaf61fd2942a52bbf550dcbdb05 envoy/extensions/access_loggers/stream/v3/stream.proto +shake256:dc17cdcb684c9ed3fbd22ebb50989ccaba1edaafe8b2788b64c2aabe277a2540c48136b9db30129543b72ccc3835b563c43589187c10d932d24f55efa43d1ff3 envoy/extensions/access_loggers/wasm/v3/wasm.proto +shake256:02c3685ee9a377c8dc2d6dda1e5906e97b78d430219252c734d583bacb37dbe13bc2f7e9b8fe6d3a919d56e66349c076e4ce243aa955d0ebe5bc1dbb8d0d78ba envoy/extensions/bootstrap/internal_listener/v3/internal_listener.proto +shake256:d5eac6c1a79275aef661d3fdf96f471580083b55a808b79b9c01d69204252fcba82f67f47a80a456abf6ec930fe687ce26f08866f116e0fbe4c7be200d68f1d9 envoy/extensions/clusters/aggregate/v3/cluster.proto +shake256:e3fbc3da2acacca933166dc9dabde689f5f20e29f2b7ab43f839c0b29c8bb5bea668ff8536544d06a5a0020b7c537e3789fe9a671b2e217880442891c899d9a3 envoy/extensions/clusters/common/dns/v3/dns.proto +shake256:b8474a002d72c2f26c487b3f7ff34c9d28dede1ae5deebca5bca92acdc82e3eb084a31405538e2210f87d882cc4cedc05abe0a337497ff6dc211e65c16dcf02a envoy/extensions/clusters/dns/v3/dns_cluster.proto +shake256:7e03724651ff36311b8dc7064d7edd827f2b39c1d84707d9adbdba769385598813dcfe57343b470230c54a1d953ce09eba33b42e1b3baa52e3cc4e9b35565e7a envoy/extensions/clusters/dynamic_forward_proxy/v3/cluster.proto +shake256:5f8a02cf67b5c30f47a9459137ed47a77744906a5bb75baafbce675671109b7038b8464dc2b5e186728bd6360fa0d889df05ff944a21894a27d3cd2d7e38218b envoy/extensions/clusters/redis/v3/redis_cluster.proto +shake256:9a433eba11a7f4b3fa7ec0c57f89f1d8d9bb514953054bdbb6084f8aec89120f49a316d7b5a38b1cd16d4ab69e09ee5f4beed66abaf2fa285710024cb2be8468 envoy/extensions/common/async_files/v3/async_file_manager.proto +shake256:d3843eb1cfd3580ee2ee865f9f8dc55a4cd5d2ecc6bca5eb658ed9a4ec86ed85bd90355ded72a5cf38ebcbbf7990bb72fe6387604f8560b3d2e111590524014b envoy/extensions/common/aws/v3/credential_provider.proto +shake256:b507b895388f9b46bd947d35a58112996e4d468a2002e06ab5511ebe3f03db0f6e5015ecdd0d04b06a65cde949cf2a5165ee7131fbf6dc2e3263970374d9c72c envoy/extensions/common/dynamic_forward_proxy/v3/dns_cache.proto +shake256:dee56c7243546db3dcb520fc8c60eeca88376540e5bdbc2a4002dbcf8c61f2c012b17c1e87fc23cc833906440619398fa8a19cf1b4f5cfee4901ccad6c67c8e7 envoy/extensions/common/matching/v3/extension_matcher.proto +shake256:1c6def9643491a1c8aa4b53cb2d0bb744acce4945d9eb63a3e7733d3f6a568c3a1d90531b42787d751a6ce3bbc861db13d1ac2a031892895ee3a2b66c70877db envoy/extensions/common/ratelimit/v3/ratelimit.proto +shake256:d0460fa03ea121f02b6240c234f86f50569c78e1e1b0751d21bdcd3f07e90a1f551cfd6b5b1beb96623f89ca1dd5fa409722e112d8fae05afc83611d37add45d envoy/extensions/common/tap/v3/common.proto +shake256:9da9e3129e59f3177a102a530d9c11b974c06bceb112924d1612993e48c266bbdd32f366fb9dd7c86dbb64666edc716ed8266e00f750d8a729b85a0bfb932a97 envoy/extensions/compression/brotli/compressor/v3/brotli.proto +shake256:e75815678d15ffdfee38535448fe91b904f26d1a2d8e25c3a16197c3e9713e94a5c7c9e893cd8eaf3f0d34f00168aaa53f3bc50a03ba3aa12f57ff98e5b9461d envoy/extensions/compression/brotli/decompressor/v3/brotli.proto +shake256:478847c0e8b17d45ba72ce23d3c0e658e8f479ddb8e70217a2b01f95f5005559432f958ffc1f3bbe524ec1afaa9d3c743f3d7e6b23380863847e37c4b309c537 envoy/extensions/compression/gzip/compressor/v3/gzip.proto +shake256:cefe1d4f68cf744c03b12227f097ed1cb32af4d23fbc72ba227c012da5d06ea82cb1e7cdba3558cca9d942bcb976ef9b71fe65bc80379a9942de1937604aece1 envoy/extensions/compression/gzip/decompressor/v3/gzip.proto +shake256:6970164ab52037dc7cb57972e4949deecda9f9a807cfa875f98cf96392ef3f88c12791bdf03f207885940fb888fc4df0e1f3350c8a86fb6ee0e1492da0d2fea5 envoy/extensions/compression/zstd/compressor/v3/zstd.proto +shake256:e63326da75acfa8ec8373a4f5552d89e171ddea73f8e081375a125a1a0d66f6ec85ade9b0a05fad190f4f5295a7f856fec6c6748e3faaaf356d4b5bab27e6954 envoy/extensions/compression/zstd/decompressor/v3/zstd.proto +shake256:3d8958129036bc56f9b6546fdc0d75d0b3bebbdcbb26b6f267c96f83031abd01bac80e946942cff60f46b3df0586a2f50539074ec4d93f20ea99505e9afbcd7b envoy/extensions/config/validators/minimum_clusters/v3/minimum_clusters.proto +shake256:a65ed4a946414668a5de2b91a263b8a814456dd6eaf385b16d3e50e0058102ccdab4d67b86fd9fcd6b5ec1ec41ebe61e0242e50a5b7b6ba10b98322678b0365c envoy/extensions/dynamic_modules/v3/dynamic_modules.proto +shake256:10d9f4d444b46337f205d8690ab38b50a4b8464aefafc1de2f0871f2b5000782bc237fa6f1934543bf87e9cff15a83145f31f972409ec7c2868c00eca946e322 envoy/extensions/early_data/v3/default_early_data_policy.proto +shake256:214ce39eefd934f17dd4a3f5912580313c1c548eace2cda4674c72916827fb79c3752ae8bd95c8e0c50fda9a8dca3eacfca5e155e145786690b05f30d1e44654 envoy/extensions/filters/common/dependency/v3/dependency.proto +shake256:1dc0cd631dc4ab17eb4b5eb919f7daf9b45d61d88a72bdd0888c853b33563966a7c89948948d6454c70c3662282a98d33121d71482babd07ddb13d66cf24e641 envoy/extensions/filters/common/fault/v3/fault.proto +shake256:df574600c0b95f0d3a67e84873051d67fb2204bd1416334e9a6604b12f69c1702988042636741c3979d120a525a098b12c1d976abd0381d4efc97eda88754fcc envoy/extensions/filters/common/matcher/action/v3/skip_action.proto +shake256:7b605d9bfd56c9e08a6f3318733547f870b050a8afa366b551ca8450a668920c817138cbab70909de8abda9149ce897f05069b79c89273520ad27848472d146a envoy/extensions/filters/common/set_filter_state/v3/value.proto +shake256:e6df3bb2bfd67f962c667bf9357058f6525731e037937de2db16a88222ed331f2ae53bfc0878a878ad30517f3e80381bed41198d30ac3963f243dae9672a72c3 envoy/extensions/filters/http/adaptive_concurrency/v3/adaptive_concurrency.proto +shake256:3b505ee35fb0516a12fb2b6a8719392717d0d8edb3b5ca0bc76bff8d7d7f415f52fd1bf7a646aabb476606dae85971fa1e273dae165c400b662d7d3f06e80f9e envoy/extensions/filters/http/admission_control/v3/admission_control.proto +shake256:a78504454f77d6b293890693de4d63ec9ccbb54b5bfd88421221c2ab8cd55ccbf343d8de99591eb5e912cf3dc0cf9193b6b065d4056c32cb2e48c46f983560aa envoy/extensions/filters/http/alternate_protocols_cache/v3/alternate_protocols_cache.proto +shake256:5a0cd327b6fa81883930058fdf67a8544df52a5fab5b2d5846561275ab474f0b7a17f1830065f9edc84c841343becb39986ff68f497d1d6b49a62edc73375b71 envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto +shake256:85ba38d715bdda34415e69f23c54e5e5fa02b5d913d26ac086a69433a16101d445cf369e48ccba09f6ccb7b0c1f783ca3fa41f759810e4dcd85dfc5cb89835ac envoy/extensions/filters/http/aws_lambda/v3/aws_lambda.proto +shake256:2b2a3165fd143ed1d1b64b32b702b5f2c11178c6d30a2bf1548b70308eb7db7af801d5e20bebadf06892bcc65c9a4a38a09580ddea6f451e297d708e84e5e679 envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto +shake256:a012539b93b3211ab8eaa539d7e5792c404eabbcadc186a517229c24f109368600dc9fa7101a18216b333310c6c214f0daf76a1d65aa824c7aae8a6c56834550 envoy/extensions/filters/http/bandwidth_limit/v3/bandwidth_limit.proto +shake256:0658d9ac6676216ef3c6a8d93e91d5ed61e9ebff0c4be5bfd1d7cdafdb3e4179a796bb5128b97da5497fe76f13f8b4c9b3c1d567257200326ad0f33275314592 envoy/extensions/filters/http/basic_auth/v3/basic_auth.proto +shake256:206a2c768f2b92f64a57eccf17009e8a6dc212dc7093b5fea083be08cae2f3df5ca3757aa37ee3e5bd4f5c7feaff43cae53e6cfe028ea1c3f3f18859321d0e26 envoy/extensions/filters/http/buffer/v3/buffer.proto +shake256:092c99ed8673f473541343b33d81bc4d0e0e5d5cc1d480ca1a2a99e502a72f91444c69ddec54957a7acf7f69e9a163f99d211a50fcad50d1941a2afea84726cd envoy/extensions/filters/http/cache/v3/cache.proto +shake256:44aee45498a29aab141211300debf8d21ca32b91974b941358765eddaff8edf6a44b4f1f201b9156b78ecaf90fde2e204bbdc4ace89bef75fa30afdd2d300658 envoy/extensions/filters/http/cdn_loop/v3/cdn_loop.proto +shake256:6742503496a716373df6642db049f7c4ccf30b75f97798dca06efcc7a9eddd675beaf4fe997d6efe8a89085706cbd997e005800e9e4c4ce80dc1dfecc310c070 envoy/extensions/filters/http/composite/v3/composite.proto +shake256:5dcbac65153f622e39d47cd0e5cdfde3d23d927678bfc76390edb4bb34db280c6f4bc3d9288d9b39e449c552f4a5e82c4d5d4f5277364f1f30f1b1dfa64897ca envoy/extensions/filters/http/compressor/v3/compressor.proto +shake256:f76396fc10338f03835c8015117c14c6345e9544bff3300eda5aca31281d342902fdbfc69924318db6c8b22beba6e26b63e04b2de12248f98eeb6dface9a89df envoy/extensions/filters/http/connect_grpc_bridge/v3/config.proto +shake256:677757e90aaa84b929d892f82079e879572b926402a7024684ff19fd7d1cefcd874d472427d46492fb412c44339653394979691d2be35700d4e0354302c636cc envoy/extensions/filters/http/cors/v3/cors.proto +shake256:24767a84ee65b6e9e6428051c9743be3072eea6c2a53fcf956ec59b47f2427aceb4dbf795b9ea6f87bd5bd15493338f74bcb878e2417543c78db9611eaaadbce envoy/extensions/filters/http/credential_injector/v3/credential_injector.proto +shake256:86d3b5213890d1c4282fe4b466d3cbc3ab2a8afe6e91c6449b5ed1dde08ce5d7e48fe921551639033d0a744d6f08cc56865386fad1ad61d75e27fac18b550a93 envoy/extensions/filters/http/csrf/v3/csrf.proto +shake256:82ffd0cbfca838b0c290aa200fab3203a91825fb676853feb477c97c3cfd0b92f209e5af6daab0257bde72d859764e46cd4f986aca0227e98bd77023fc4b0765 envoy/extensions/filters/http/custom_response/v3/custom_response.proto +shake256:b6ad74944a6e9d41423c56167880b837e29398140519214771a4620522f8eaf703d17ace4ced56f00b4cdbd0858652c73e6da54bf45c283b4e3335e7bd9729fd envoy/extensions/filters/http/decompressor/v3/decompressor.proto +shake256:e17e1ccadd977742a7884357a8920b35a26bcfa9bb6a50caf00bc88b151ca809c5e651f2f04aba6135aa0c969a47a6f2be403d8a7af923ee6e69b25999d93e17 envoy/extensions/filters/http/dynamic_forward_proxy/v3/dynamic_forward_proxy.proto +shake256:aa0c08cc3ad8ff6bdf2f27745d0cb83dbaed18dde30fdfb8d887922d5d5de8cb3a39e73c5ddd866a85a872bb32d695a78aa5f821eeca4e6794de182a57e02489 envoy/extensions/filters/http/dynamic_modules/v3/dynamic_modules.proto +shake256:aac4aa7873f5d3faf853263f8e437f86326f5e0c7226ab1347226d31e8d976c1434f62613182c5b611049f829e5d97c2ac347a34846f150a187b5f02d628044d envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto +shake256:46aadb2e4c6efee85e68e74e1e38cd8f51255f7d2aee27afd2cd5f4be9b7fe6b42907b229195b7457f56f4d0e1ca5aeae53f067d9d16130b22a77cc6ab9fe72a envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto +shake256:11fcc4809401b50ceb84666b5d7dde3531baa2527bedea9f380e6034ac442db429168f63cc9fd25a059c3798663b1b7d70de33337c6c40693ebe971673a0a59a envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto +shake256:943b936172d2c0860b92a0afa56913a1be1352d1271f46602903adbce38a51c7f651d973e5005f2e7baadee6391622726288c0f4b9481db3c1d6d01a6771b30a envoy/extensions/filters/http/fault/v3/fault.proto +shake256:17a99bcf1de1e3157f141247a5c03ee70c9b537ed3b45e255a01952a6492201b82e077f9d30d88266019b2abb34c4f2576aa1fb97f305e2f744297b8573533ce envoy/extensions/filters/http/file_system_buffer/v3/file_system_buffer.proto +shake256:32c11e93a8a0fd4d7d72d3676d66c1a0f14764d7a7df9ab8ac35a6fe8384b1a8a5cdd3bd7662994a51ed5833840855a9495f2baddadd8a29bd06f0fba39a1ce3 envoy/extensions/filters/http/gcp_authn/v3/gcp_authn.proto +shake256:519184af6a7faed6e85ff545e070353cf589a48ebfd3cf90ba20938916178f73a8d38a6173514c36ef54eebf07a89b2699d4a918cbb243480f411c629b5ff96e envoy/extensions/filters/http/geoip/v3/geoip.proto +shake256:47e47d602ed52567c8ea6649f1dadf18ed958b2ddff78b2376dfc19922a4f01817bae6250660ccf2b85c8fa98ef6db326105d33905c600727e4e7e9084855dda envoy/extensions/filters/http/grpc_field_extraction/v3/config.proto +shake256:54ccc9976e5be2c8496523ee57a6de9c6b9237930e904c43a6531d6d6ff5c88cec12037998ad3a90beffcde8d9ada39d0c09c0b17fadd461dec04f94d8d3f6c4 envoy/extensions/filters/http/grpc_http1_bridge/v3/config.proto +shake256:35678736fadaab25fc9272b2cb7eeef51ad4b9918db5397823fc8acef4a53b16257eca5c8b321a8c76ad75b92179ed78391978d522366baa2d2276d960a3b883 envoy/extensions/filters/http/grpc_http1_reverse_bridge/v3/config.proto +shake256:9785b66a76a0a40de3ba46c4ea9f51964da7959430d165835edba22073a17f7333fc102e3245606aba6b419c0da0053692c07c8ca83ed4925ea172aa9181bbbd envoy/extensions/filters/http/grpc_json_reverse_transcoder/v3/transcoder.proto +shake256:294f73c06abd0145671ef0990937f3db59ec9853b2acf381016e62b43d622340285febb07118c3b5a7b677d996d9bd2ac9d1c83a50782e660e31a26f3c658faa envoy/extensions/filters/http/grpc_json_transcoder/v3/transcoder.proto +shake256:d9a4d41a9792b6012069dca15e2c976f6ddd652efea683a3a55220b846b4bcff6035c1d6e15d87de5c4b86805d37bd289e305047e4577f500cd5a8d944c1ef4b envoy/extensions/filters/http/grpc_stats/v3/config.proto +shake256:3a59bc4b6b35fdc24ec0d2b13aad7e9d87fcc0f2d6bac1173870a993cd643defab7ee86ea754985ef2ec40af21385d002f3ce4a042a8d1cd86fab9348eff427f envoy/extensions/filters/http/grpc_web/v3/grpc_web.proto +shake256:b8efb51f7b329e3d2e96c2aae437cf032560c7fe34fbfaf77a0365d6a5d328a52b69a740867a3ef2ada2181764cf30d101901d7002b95f61550066299ac98924 envoy/extensions/filters/http/gzip/v3/gzip.proto +shake256:bc32e26f241c733ed2ad7058be7245b29174a9b3a5e7e2fbaeea928da4ce0739672bb423ea15485dd903bb5f14fd126edac775dafd9a5d279b78a4c9756a1344 envoy/extensions/filters/http/header_mutation/v3/header_mutation.proto +shake256:9820dba39ead15a6e5d67d9424be4c793ea6a035c70ebd1ddf88b4e12d7215c893e3250093ceefbb25bef9588d343e0ee0aaeef87c364bc978079e6747bdeb49 envoy/extensions/filters/http/header_to_metadata/v3/header_to_metadata.proto +shake256:f865f9d2e827432ef4c8c9e0ac8e846235caca27c3660f45be67ac76263d744ed14229a30cf92c60def1be82776df857bf578d08ffb9cece051b72bd8241e24e envoy/extensions/filters/http/health_check/v3/health_check.proto +shake256:e21dabe4f701068b930a6c2586ed13869ab20e7756b0ab88bf4730ac17d0eca7b68083f2fb86a8a15acf96150b78411dd840a35bb2865cceeb2c2840913e3f59 envoy/extensions/filters/http/ip_tagging/v3/ip_tagging.proto +shake256:45c4c0ac25f4b6ca432de42473f54e11620bf8b355c27c242ab40a0d1a215e889c98a4a36c61680b8f3873a9f886317cc905d715dbceb3cf12da2c5a9c8be57f envoy/extensions/filters/http/json_to_metadata/v3/json_to_metadata.proto +shake256:e92dd8ae24881b69e86460c842566105f3289bb648877fbbe1b7a656a23eb496d6378f197ea5ddd3939dd88d9bcd4ec1b057e81fef31dfdabb12086555ca349e envoy/extensions/filters/http/jwt_authn/v3/config.proto +shake256:49399294c8f69e4092b27abaf692a23c812c3f687661268a7fdef357633f6092e9b7949537e203c81ddbe3f2d649636fc5baf98a298a4e47f654b8b5e473902f envoy/extensions/filters/http/kill_request/v3/kill_request.proto +shake256:19ec3cf38907ae52aaec3e7ca8b03c11606425d9da90edc01a6922decf1e8c7962fa4b68dd625d9002863d5465c09eae29b724c4a4bffb7f3a718c936cc59614 envoy/extensions/filters/http/local_ratelimit/v3/local_rate_limit.proto +shake256:9a844d826893023debba55942b249a822aa24d24efc5df4df8fe21a2efb31a0ac07acb1ada1247ff21c8b1c8a7f508f25f01eff03b7f48c9417bb2ef412e5fb9 envoy/extensions/filters/http/lua/v3/lua.proto +shake256:eb0736ac1eaf9f2c5910ca6ba32b3f9195a12fc020aef36eb10294be01dc188ef14b6b0627557ac851f3eab1d7434764b65fbaa268f727a0372ce4d7d653ca77 envoy/extensions/filters/http/oauth2/v3/oauth.proto +shake256:b2b81e43eb2abcb265d8f8eefaa3ed528c6ce42a02874adc5ccabe5ee7a70d4a59de073a20d939910b815abeaf0bbc001c4b97d6c73a3732301589b8c4711980 envoy/extensions/filters/http/on_demand/v3/on_demand.proto +shake256:1d3227dce10e77b73f813d975d24dafd38c5d3ab6a2491a45f3b56a4e8d6412a9b7d687db0e83e300672d7e1bad9998066dbeac43580d6027713e2793cd44e30 envoy/extensions/filters/http/original_src/v3/original_src.proto +shake256:defc254ec21e468106588b7104cb19d5b6ed45c78b15ddc8f4a93205687d7425d9b010f53ad266b4cb0ad3804fe8bd5e82947cc1418d54457c69250381cc4116 envoy/extensions/filters/http/proto_api_scrubber/v3/config.proto +shake256:f4611c0bcea1cf38675648d0de86ad6050e17c230fc53902b68a6c9aac7f07101b9cf604215e1ca671ec1ba0165893f84e1bde0a49ec121352a04d51b734e209 envoy/extensions/filters/http/proto_api_scrubber/v3/matcher_actions.proto +shake256:71ee8e2035201dc6dd62cd966006e6135e557dce100b299314117875937adef13ac049d0a2ee07cb29251fcfd79640aadcd709f44f24c7650b4512e0d93174c1 envoy/extensions/filters/http/proto_message_extraction/v3/config.proto +shake256:28bd12f97bccae3aa606022c3f09d1d4acade512e586542287c6e6af79242d005caaa91ff24ae517a498d38a63e34906ac899f286461d4701c824be602b0a24b envoy/extensions/filters/http/rate_limit_quota/v3/rate_limit_quota.proto +shake256:595b3c1e7ea15d538d8dd9a6384df4ab047f160e0216bc483d6295e6ce590f229be2dd9ade8e165bc128ba73d10f89abfcae65e8696aae970589c728b08477d0 envoy/extensions/filters/http/ratelimit/v3/rate_limit.proto +shake256:d561ae7060e246cf1747f84ad61db452f40fd609c8d8fa2ae195758da7d3c16efa07367e2c16c6df86f36f2313bca896c9b5321612e9e1937f2f56caa6ec47a8 envoy/extensions/filters/http/rbac/v3/rbac.proto +shake256:abae59c3409bf09c5501f64a2795677d2fe8cda98dc194f4657740c272c6626551708c2a9f3ae304f40ac78081ab4b79ee0d6c8fc630ba0f1c5889fbc3bbf5f7 envoy/extensions/filters/http/router/v3/router.proto +shake256:d38cb8d1499d4aca120889be75342aa6a764b98840210510553bba03db976148eb33f935fa8d18fdbb6a306bb5fcf39bf01cd143b51a7308566638858ba2c8e3 envoy/extensions/filters/http/set_filter_state/v3/set_filter_state.proto +shake256:2d8d34eb836ad52142372664bc0d5e2c0a3432beb2ac2baf5e5190bedd33b625ec3a4c646d45bcf3612ee34b4d27bd598ccb957701ace8adc2d69002d03e1a8d envoy/extensions/filters/http/set_metadata/v3/set_metadata.proto +shake256:c29c6d22b41d00bd1a0c1ef267637fc69e8e43dcbe035dca36946ca152031f28cc5fb3773ece8c10b5051c9bf41f183abe458845d060c5b154c34265cf5368bf envoy/extensions/filters/http/stateful_session/v3/stateful_session.proto +shake256:b952bd81dd83e9e92746b3115b433f59177125187778bae5ce268e5d74fa54116c38560118b2d3f2d9ac2526ebd34b372d1311728e0b21ce2aec9bf9b4df7069 envoy/extensions/filters/http/tap/v3/tap.proto +shake256:3fece685b44ed055e4973a2c99d778057b4b9afcfda5994363a78c6576d336dd2b3de619bd2ed79b8e075a93e9448962a8d7e1bd053bee8cecb3bad9288c32a3 envoy/extensions/filters/http/thrift_to_metadata/v3/thrift_to_metadata.proto +shake256:62ca580d449d9bfbc44a50576ce74ae2449838aa77333ce29b32dc1157ce4f5ff9bbc5f55e8aa47bee9c0a81bb311656458254570cfac7c5755baf1a54d1199e envoy/extensions/filters/http/upstream_codec/v3/upstream_codec.proto +shake256:7be62eac9f7e39c3ffa0070ae67183e9f795a6da804cfb80fa698e74236fa7f2ecca7eb7643750881ed954e23e47121b4340fa8b834924fe235b3f22001af52e envoy/extensions/filters/http/wasm/v3/wasm.proto +shake256:42754ad153b616a11218efdf3758ef197b6fa86a79b7eb54c2a69dc7a8a7516f277f13d417a2edc1da4335c1bc7ee788ba3d004d94db1ec2fd65d45033a95d8a envoy/extensions/filters/listener/http_inspector/v3/http_inspector.proto +shake256:ff875be86e430acc9cf5417559b1dcbe9908d93fe650a8c2bb8efa1477380310cb4b28e2b99f0123f63ed403e02b86e7d4b54bc6ac4321c1c39d4bb49724c320 envoy/extensions/filters/listener/local_ratelimit/v3/local_ratelimit.proto +shake256:4a6222cdacd18827561373bb4b265bfd8fce19d1d0ba98f8684d4ab00c25df3e828b5ed1b2cbd5613098947f3fe6a6cb4f98a4328a087affc3e5500cae2a8152 envoy/extensions/filters/listener/original_dst/v3/original_dst.proto +shake256:66ba94f4db7b435bf3334fd6f1e9cff5cc57a16f1482473043266888af1de5c3b367cd3597eeeb2f651479fea2131f6dec7bc2060e1a2b2137ac07d5886af19f envoy/extensions/filters/listener/original_src/v3/original_src.proto +shake256:5165f6af65f72345ff5d45ca98162cfaabc6f61bae81b2330182a92b81bb8eb23df7a63af83c211d122801cbbb55aba8d9f3911f29c0e9e1a2ca90091be37d6d envoy/extensions/filters/listener/proxy_protocol/v3/proxy_protocol.proto +shake256:cfa0377e1e757d077ba5ce2367ce376d2e02fa8af8e9d17081ce3501c15672485aae78a5096e34615fde5d4c26f3e7074e17e16de774ac82e240d9da8c4cf97b envoy/extensions/filters/listener/tls_inspector/v3/tls_inspector.proto +shake256:7fb4a9e553e835261f8b5ceadaab651f2c62e087b21ea911fa73f93a7a225280400dae1ed41dc8c12e6e48ae03140ffa5b42703fc4108bb4e8d3c1d46b1c01e9 envoy/extensions/filters/network/connection_limit/v3/connection_limit.proto +shake256:e25fa5bec0ccbb67c93a7490ef54159ef21897f7152d693133098346224b8b3fe3f7384397d2f8fb9c1bbc019ff7af93e107fd157194eae16066f7cee812dcda envoy/extensions/filters/network/direct_response/v3/config.proto +shake256:cc08f1da65cfd2a369dd00ebdcbeaec212436b7447914ea40ae9663db6b0c8d6383a20833d8b1f7c162fa0ef55cb159f578c1d596f51f7da021643628051810a envoy/extensions/filters/network/dubbo_proxy/router/v3/router.proto +shake256:4aa8fbb891c4f33443faab88bfcc469e6c43febd790ae7a42b2344f15da519a254362c1033ad0eaff1fdaf2d2dd23d6ae8ea6e1eb4fd2222b512f248b857be7a envoy/extensions/filters/network/dubbo_proxy/v3/dubbo_proxy.proto +shake256:b5aa593876329390075e36b05896ba1a53f7a6cec718f0dc36fb4d0fbd23426803ed3a035b00082a296e5e0bd54d3b8e321407bf87c2342b48c3941255a942a9 envoy/extensions/filters/network/dubbo_proxy/v3/route.proto +shake256:6bbcfb264094ea05e42dde37d991b735d59286c5aebcf78d1b263379541f1fe2119ea72580aecb53edff47bddaba873e1badc96d73956ae64923e472ffb537c2 envoy/extensions/filters/network/echo/v3/echo.proto +shake256:3064cddb46019f51a271eb488c705ff3749ca535b63b2769f8cb2ca9b76df9cd71b20eba79479a7682e9c5339bf8761c03e801888f64ac305444fb056170f713 envoy/extensions/filters/network/ext_authz/v3/ext_authz.proto +shake256:8685d02bff664dfe96b7990912e40660d3e9945a9107152de7364a487a6f886c20d6af61cbd803bb7d93b1a3b1fd78e8f2e1d6d70c5424dadcf7727fedbe9aab envoy/extensions/filters/network/ext_proc/v3/ext_proc.proto +shake256:e457b38d22593438c13d6c7c1e8034c1f26880994e3a0b1f0bbfa70fb8fee2af67095abbeb8d9a2a7a51f6d1b43d4c466f63f22f3ebd1e9b4fca5e403f58637a envoy/extensions/filters/network/generic_proxy/action/v3/action.proto +shake256:5d42e421358f8b855a150c085d481c86fc97d63467e349a09ee370b9ece4ca9f324c1ad82216d347ee09dc21ae461e74af87900df20f5ec7bdc4416179cd62b8 envoy/extensions/filters/network/generic_proxy/codecs/dubbo/v3/dubbo.proto +shake256:a2f773aa218c0be748f502dc38227451ffd316db83b6dc4c25c1c38a880505f1fb54fa880e5185e6cb5df419182d76c9142550145a808a8377e9beced176053b envoy/extensions/filters/network/generic_proxy/codecs/http1/v3/http1.proto +shake256:38c38372911fc508b09d7643f104662c8b756deb2f4074cc7786ac71cbe25afb95040b0f1c5fe0ca0fb3e3c048fc13fd47722a73037d99edb18ed24d7171529b envoy/extensions/filters/network/generic_proxy/matcher/v3/matcher.proto +shake256:990910042d14b791cfc23677df7592313d816696cb7c4c9f5d352286a5882ddfd0be3e93e0226daa3d1473f2863ed503b4e076228b93c31a85c56a0ba98a683c envoy/extensions/filters/network/generic_proxy/router/v3/router.proto +shake256:f28e303b2c8ebf38f22f3248e6e949bbd1eb6d08e6700cbc810d283553a27dbe0b04a8c172554efeb4cfe430fe57c0650337be449f6670e8208aecd407cac5b1 envoy/extensions/filters/network/generic_proxy/v3/generic_proxy.proto +shake256:7084f88ef89e808dff1f0246917ce721896f8467b69e801a0e0b4148fa3f71abc7205b0f9e098dc07dfa635cdbf4b514ab410856d3342febf0e308e979bebbb0 envoy/extensions/filters/network/generic_proxy/v3/route.proto +shake256:b3d867b0a9c2e20cb73635d31678949447f24b6476822b96a7954b70f8e0c3630fa44b542dfcc6c8beb76af5308aba3a8cf4810a976ed0ff307a2db48e39b775 envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto +shake256:668f665598f56fc23cf72fb07af2ea9bd19f1f0f4559d83f664cdbc865d066a9f2414579ce72207fc2efe04ab1cd1175d449f6f572f021cd9c60e467b1b7bbda envoy/extensions/filters/network/local_ratelimit/v3/local_rate_limit.proto +shake256:ed382c5021bdd2dcdead147278a9b343cd78fa4e1e6142a09f0479375edf664c6d40fe69b7bcdcaf4a6ac500e5be27bfb824c402d6934695e605b5540ce6f17a envoy/extensions/filters/network/mongo_proxy/v3/mongo_proxy.proto +shake256:4275b6a6cf29c0bea83f4af29f74d74061d8138bd5dd3fced6b848dd6925e75123ff26b5caec6a391703a0f72e1688eaae92a48fbab238d78669db1b114b4664 envoy/extensions/filters/network/ratelimit/v3/rate_limit.proto +shake256:aa88a5a272e85552ea9c02d9411ff0a545d9c0a4a0345db2c7c9ffa173ccb554d5c904b8fb177c2fd608c47feebe16457071b0eb1bfa401314d07008da49478e envoy/extensions/filters/network/rbac/v3/rbac.proto +shake256:fded602942862aa5a62e2a91e78ef0d44fe47f5a8a9b05616f2bdfedc54e69a1e1fc886e107003f7228830041d6a91b2b16ab59da3f88f03c771872d4218bf2b envoy/extensions/filters/network/redis_proxy/v3/redis_proxy.proto +shake256:619c70284bae19989a4742feb2c895d0f0e222b9a930ae8742a42420ce6ec0265a3e86213fce4b1b7f5aff76f07623e291eb3d0ac6adc2d3fc68a57ffc8fcab7 envoy/extensions/filters/network/set_filter_state/v3/set_filter_state.proto +shake256:25bd66409ff35d0586bc0044e66f1e1dce1d0468827a918b24e47e7d462eed3111f16422598a7178fad89ce05dcf2d2b6a153c88e56993d3448429e83ecd7070 envoy/extensions/filters/network/sni_cluster/v3/sni_cluster.proto +shake256:e3ea7ba1c2fcc332e031713bde4b92e894ad6d650df9355b1d6cfd29439fe33578be62cba39f88f3c8a8845edeb0fae6a15a7874043b40b4f45e566c639bb19b envoy/extensions/filters/network/sni_dynamic_forward_proxy/v3/sni_dynamic_forward_proxy.proto +shake256:5e38beface5c951d3cc4a05c15a220101e1a51a5c298f07dc7dfb6e0a4eae782350b496828a814086e8840eb0161203de08fcb9f6fcfffd62b038c9064d801e8 envoy/extensions/filters/network/tcp_proxy/v3/tcp_proxy.proto +shake256:053b0baab6180520c5c2286be33254d0b50ec7c9cc4be9da19f61d59b21025de7de78dad34af65fba8396fcbf45ef35a1db9b7bbc0da489cc723c43b848a9f40 envoy/extensions/filters/network/thrift_proxy/filters/header_to_metadata/v3/header_to_metadata.proto +shake256:e0fbef37510c2cb48041d269bdbf648a265a2ab859daac9c0d7c16c9ada91d4f4d07854e9d3af7f3f4ce92f7838625e603afbb92ad7404f98def19eead357875 envoy/extensions/filters/network/thrift_proxy/filters/payload_to_metadata/v3/payload_to_metadata.proto +shake256:c2810280f8595c193b5c9cef0cf1b664046fd568e240e3169f6c5f9d98b223c83e2e7850b7b4ebdb99fe36e7e493bb9d9c500303465f9295e32559175c943d7d envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v3/rate_limit.proto +shake256:0c8fceafc6119af0fcea55ccbcd514a77a471f822e4f8cf8ba899eca1392e326aef811bcd03b5989e4cf3832aa0a6ef0928ccda72f5f0becb9308c2b37401d64 envoy/extensions/filters/network/thrift_proxy/router/v3/router.proto +shake256:dd60313c8303ec66220535b1f1089c4c3670f261b5ca1c85eadc9ad1686f7f16e41683ef86c6e1c9d6e33a8b1ef892a03b5652b8ae9ed9631c6e6ff35cdfd211 envoy/extensions/filters/network/thrift_proxy/v3/route.proto +shake256:7ed9f82e986f8b4536bbc8343b7f6a20bb3b1c5f53e55266d00792f55d7a2e08ee9400d9feec448c38ac7abd5a6c4dc80ed20a7f43fa8b242ba6bd1945b56183 envoy/extensions/filters/network/thrift_proxy/v3/thrift_proxy.proto +shake256:1d16001d635cd983fdd0021dbfdb73f87efb41508b6cb5e637ab343f20f9bac8e0419ab3be7a5865c908c4e8d1317f29fcb6682991a2c76cd523091e875d6f66 envoy/extensions/filters/network/wasm/v3/wasm.proto +shake256:9ba04c15ed1a83409dd6102333eca6f31995c479bce9d0af3584d600599a877e31e6b4aa76ac8b0767384128dcefe302ea6f0836a74dd648ef86b6150d00ffbb envoy/extensions/filters/network/zookeeper_proxy/v3/zookeeper_proxy.proto +shake256:da97414bfcf74c6437aa405054365fa1d89e56778fab0510a672df7847771316083bc00c0cece2ce3ddfe828425bef3b9c19ead7089067ab2e7c9d93e54ead74 envoy/extensions/filters/udp/dns_filter/v3/dns_filter.proto +shake256:ce2cc8854cf066d5af22d29382cf8c48fec21386ea035ef7a6e7b6acecfe9e2e32575c577e2e3905de816cee3e02f9d2baa653e15a4283c9e1783aaaa269ce08 envoy/extensions/filters/udp/udp_proxy/session/dynamic_forward_proxy/v3/dynamic_forward_proxy.proto +shake256:12840ff55337412639f5723ad910c1a12a665f9d1a2b949de3df273d49b3998b79d093fa550d75b87d300b7ec948ace5d9f1dd15fc4f086ab987dd5382ad3602 envoy/extensions/filters/udp/udp_proxy/session/http_capsule/v3/http_capsule.proto +shake256:e5efd7c39a13bd85f51e45e06146e65abbde3d1755fa33b1f04cff6201ececb28c9d18cc9a216db49facda118f4a2a777415e418688c98cdd0d9eae78dfd069a envoy/extensions/filters/udp/udp_proxy/v3/route.proto +shake256:90c9a5e1b2bfe3cf7dccc8cb444c46a99c9214ab0a7b0c78c19f9f9cdb9787c35a1a85547849ae858e97f440352069bbabe91c5efeb9d8643c457a64737ac00c envoy/extensions/filters/udp/udp_proxy/v3/udp_proxy.proto +shake256:418871dbaadf7051a0d5b1e65711dd249b7f8f9b3c4bbd58c156f7f1349fdc791879ac3a09ed762e2449b67f146c5b2a0a357f55bc1e2e236bd0ad0affc757ba envoy/extensions/formatter/cel/v3/cel.proto +shake256:09e58246327361ee807122f7f6a9c4196e3d2fc24ef3d7b33caf3d43ee69b2e4d2afbf8761fefdff9fc25e2d6287c6c8ce63de6fdd916fd482d16cbc1b64aaa4 envoy/extensions/formatter/metadata/v3/metadata.proto +shake256:fea0013ee58d5bab8985c8ccc364e378f131377f0f7caf0f94c06e4222a973dcef18c139eeba10ce16454423547376d1f32850321f8721621344f2470a29d4e6 envoy/extensions/formatter/req_without_query/v3/req_without_query.proto +shake256:69f743422dc263f7520519b4e10ea48e40859bfd6e1b9316344849c5fc1110aaa0bb867b75a612d049a56f6c5c605a3f7050e18a9809bf01088f1650fa17bdf3 envoy/extensions/geoip_providers/common/v3/common.proto +shake256:c66f7492b5ff90e01f72acfdb18eeacf91491956c177c9b9c6b8620623741bf1d068e74ec01d5dfb7ef4b7897b09ac84265893f7b19c271d25c52fc5a3e36fd6 envoy/extensions/geoip_providers/maxmind/v3/maxmind.proto +shake256:4a151f7408451fe2eae927cdc8ec73a2fda8de863151640fed965d0b7330a60578db177089f2e7811a050de2a800c7b62d15047a55d87420f86bd910ce437587 envoy/extensions/health_check/event_sinks/file/v3/file.proto +shake256:227bef7a6683e83eb2544b81cddf8d085d588b5323cb3a70310c6d43083b1799ed370a67042e8fe15c9a4766b7a0b0735f21a7fdb7b642b3cd528f4c66dca8c5 envoy/extensions/health_checkers/redis/v3/redis.proto +shake256:bc7fad5e1d7ce4fef15a7f97c8d6f3e66f6601c90c4c987ee4b14457e84b0af1bc51015a816b5b0077924c2278a3e55df3b3682ed0e75d6988890b70febc8966 envoy/extensions/health_checkers/thrift/v3/thrift.proto +shake256:ff9835c6f498d4d3c8ff151878270548673fc15db88f48aaed4ae4c8c89baa1080e829fe8276d2b014fd83653fe04c52cdd9b2620fe8c88c456942bf0e96588e envoy/extensions/http/cache/file_system_http_cache/v3/file_system_http_cache.proto +shake256:15c5fe0f88d3faf64dd64ae8c4515a10bd20819565f23b202cfbf8e908cd252bb279458607dc0968e021728e44b716e819d802926956f41e91dd1cdc932e783a envoy/extensions/http/cache/simple_http_cache/v3/config.proto +shake256:6f61959660cff32b12feab412ab5763c2ca598c7af8439e3de8ab409eee02d60f7424ae5368588ef48a6215290183bc718e582c18d46f04b3ce8e65d70dfff21 envoy/extensions/http/custom_response/local_response_policy/v3/local_response_policy.proto +shake256:4950afe9d63476b20e8bf7e1f474bfdf4e9f3dcfdffeb2e51cbdb84314bf18774b60751e5c756922e4356b5a7751b0177d09b344fec53b1183749dc96ff03196 envoy/extensions/http/custom_response/redirect_policy/v3/redirect_policy.proto +shake256:7f0e981a037ddd48e37e73f0f9dbe999ca911b4ae917b5ce06123a733bbc220bd5ef3308a7c3d3ebc64604a83c3349c06e12cabfcd64fd1a08c1260a81d1ad2e envoy/extensions/http/early_header_mutation/header_mutation/v3/header_mutation.proto +shake256:c851fc9464f1389754d1246830fae57cb7caa2c3ea5904bb69e394a07cb0ce6e9459fa2499fdc619cf0acde50832b8cfe0198e4691a23023e95d12bc7a914269 envoy/extensions/http/ext_proc/response_processors/save_processing_response/v3/save_processing_response.proto +shake256:a181479f6dc29ac082a54cab8fb709f4bca39c35d1be062d830a211f03df0b549a2d18dc7eb2cdd34e6b4a6388959760a63225f012255b6ca285e6b28dfee5dc envoy/extensions/http/header_formatters/preserve_case/v3/preserve_case.proto +shake256:114aef732cbb5085916309eac9a199ad819ae7fd22780c959e71bb2c4fb739bb0dbb7357e884dd2879f6407df6158c298da830f0dfaa8a4cb7ea442fd1206f93 envoy/extensions/http/header_validators/envoy_default/v3/header_validator.proto +shake256:50d845f7bff3775b456175cbc1f1c04381db23bdde5943cb73e8112c67ee6e379107a063ee88493ee9b3f0054a7525a7fe4e5e0b8c85fb2e8bb80e97b0070eb2 envoy/extensions/http/injected_credentials/generic/v3/generic.proto +shake256:fc2bd4a42546e31038e731ff4646a016a5b126733c9e7ec565118b2fc4f4821b51699977e13f7ea80e51dfa2df31d5a5808263a2314393bf664e70aeff8bb6b2 envoy/extensions/http/injected_credentials/oauth2/v3/oauth2.proto +shake256:97a7c1a7dbec726161b4b980259f51744f4839253f20752e51c31213c041d8109c85c29cae138e7d575ddc27f1edda599007802ebeaad57583b5f5c45b93a4ec envoy/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto +shake256:9046d084b19926996f65f6a0a6e5486b87942636c4d6b31d04ef246bbf1227c58fbd1d3cf1a7acd212e1686184a46b9e09caa944296928ec551f3d50d1bdf7ab envoy/extensions/http/original_ip_detection/xff/v3/xff.proto +shake256:dc55ecb0f8715e8a44b37595950f7660c38048cc7f8c1ead8f859889b189c8a27b060357d6ca46069aa73566698d6180126288480df5780e1703a1acd71b67ad envoy/extensions/http/stateful_session/cookie/v3/cookie.proto +shake256:dec5e094a90a34c797d9a57d4ddc8c503bf62dbba0fdb84df509d681501b529932234730ff2083e4892fafdcc61ffb4a5e0b2ac72f91d45e14107c46be9ed9ca envoy/extensions/http/stateful_session/envelope/v3/envelope.proto +shake256:d65ef8c09d91ea81c580be40025e8d47304949e771c7703878c9401eb2890424cf3195259c57e36ccbafc723e4f2453d38b5cff55bca01d885dc9919753d6917 envoy/extensions/http/stateful_session/header/v3/header.proto +shake256:f4f40da154b91c5e812b9052ebb2f40e2a2197abcb0da08c06f80421907fe23fa51d2cdacce3c386013dee3e5012c333486f41c7482cfc8746e196b999762fa5 envoy/extensions/internal_redirect/allow_listed_routes/v3/allow_listed_routes_config.proto +shake256:3a0fe2dda37d6ef760596f9ef1217837d0ca6045f0b4e37c2bf79d3c9d3d2462fea787b78107a364b2d5dc20d05c5487b10b53e8b5bdcb95cf01848a07708ed2 envoy/extensions/internal_redirect/previous_routes/v3/previous_routes_config.proto +shake256:9bf7115b738e507c09777b248ae7fcdcffb7908769d316c479b6cc6a526deb0d599e6b9f9c7f64afb2d6b193f54aa1e7e7a846ffa73294386db4c4bf9adb6f12 envoy/extensions/internal_redirect/safe_cross_scheme/v3/safe_cross_scheme_config.proto +shake256:6a007316c0ee2726a32af18a23e61cdf8b129c7ebb01f3cf1e101b0a18c47e78d5f14c2584c84b23e58f6f52468be3b2c4c175bdc7fc2c53e2668afb8b8c5677 envoy/extensions/key_value/file_based/v3/config.proto +shake256:a20c4a200c6302e69f163f49bca671cff457b677b76b30bbfe44cfe78888121056a6a85e956d905a18a4d71b2b25eee6e3ef74536af90685036ed9ebbc918bdc envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.proto +shake256:0116ad69672ab05cfdf0c0d476e470bb880db0a497883377aaad5d1bc443a590f27681c2abd73df2ca19de21d330a7de69c8be19e15e80fec3f257479a9c4a93 envoy/extensions/load_balancing_policies/cluster_provided/v3/cluster_provided.proto +shake256:f842e3464bae55134e484e29ee6901253c784d885e6bc62d4f906a147c91d3affb11f5ab7ca9ccfa24b5fb08efa11e3ee838f452faec2e6c1f20acb9269993dc envoy/extensions/load_balancing_policies/common/v3/common.proto +shake256:25c22487c24a950f4300c5082e57ef5e5a965b863668b8f3dc9263a861f9505c8849013aca73a6fda9112fd19c6451400e3d225d620c315d673bfaea1bfaf168 envoy/extensions/load_balancing_policies/least_request/v3/least_request.proto +shake256:82b636496e8c69961fc462d5cd88bbde2493a146bb59458ae0b28842006ffa025388f9f604a014f145c236c938eecebab3ee64a2d77f83c4497e8009c7e955c2 envoy/extensions/load_balancing_policies/maglev/v3/maglev.proto +shake256:07b9ce71f7219bcc1d79957620a25c0896986b305f8139cc9a74d047e56e919af6596351ae2f887cc0f3c6b08802550affdde52eeb717be2c4b7c0f3b7accbba envoy/extensions/load_balancing_policies/override_host/v3/override_host.proto +shake256:d88e3d6952bc9827ef7e92790c4aa7bcddd81486f4a3162afe6c97e0ed3281b85e94cdecf5c4100d9d07a151ec6c0e0088641dcdf09d2e67d425ffb46907bd2a envoy/extensions/load_balancing_policies/pick_first/v3/pick_first.proto +shake256:14035bc49cef4a7e0d25930d409af20d8f74032a102a88953dc77b620205df625bcadfe69ec9881e73481b3b23bfcfbef1b87247460be38e68d749291af318df envoy/extensions/load_balancing_policies/random/v3/random.proto +shake256:6ef8080f4b9cc3d9766a69e26d789b16d149e6f0754b7f211038e2b657afe4560bcfe34fb2f2e025343c7017062a83642e6f3452c74838788c0b09cf25a7f56c envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.proto +shake256:691efa6e69d36bef31bd84c3002119e91a7ca7efaa60569ab0c18f4e78423f887086eb9db941806511d78bf6061c257c99fcb199b060c9beb7f4b1c5666aa8d3 envoy/extensions/load_balancing_policies/round_robin/v3/round_robin.proto +shake256:fa99fb6373f07bb327f4c8c0f0f8ab64c3a839ba4ad393c7fdb8d05056dda912fee08bf412db38d93348d23371fbc45c6f9d02c454563493a811b3979bdcabe5 envoy/extensions/load_balancing_policies/subset/v3/subset.proto +shake256:d673104b092490db0e84941abe555c9870146903924a4d13ce28c7160cba9d7ad5aa573997ff50ae14e59fa45dada45ce76afb8490792be9e614a8445c55f2af envoy/extensions/load_balancing_policies/wrr_locality/v3/wrr_locality.proto +shake256:1e37d347ef665bbf89aa2437a21c2bdeb64e7a303eb2be072a786af97d4ba1d76063f1f2026e2fd2f3c22e542c4b0c8f319a6899108dfa2d959d5a229c73d656 envoy/extensions/matching/common_inputs/environment_variable/v3/input.proto +shake256:dc915eb998e7b51ba653e5669cb4ddfdf3b0beaae3e7911a8688d8b7b30522120e761a951d967fade0f78afe88d3730a38f53f148178c78ed8e942327f5100c2 envoy/extensions/matching/common_inputs/network/v3/network_inputs.proto +shake256:d227dc732d21538dabc1aebbda1423e1e7edcf9fc3815d7161a5f2451956ce6b7f0874150246a1128d8cd031d59f6f237df8d27624d44495eabce26326aa5f43 envoy/extensions/matching/common_inputs/ssl/v3/ssl_inputs.proto +shake256:c8ad4158166bc5d9552173149b76287d35e0f142457740a971d8d50a1a31ca154c5bac3aa8265d1abdf9cd0223643afa30db998c0e354f26ff66035b0fc617c9 envoy/extensions/matching/input_matchers/consistent_hashing/v3/consistent_hashing.proto +shake256:8f1301b6a4f15025967881d846e1866c0abd637f645202da0137196db618f307bb3be31429d6c841bf642556fbb0a8bf964ed90bb144ef921d062764444677e6 envoy/extensions/matching/input_matchers/ip/v3/ip.proto +shake256:10c52742299d0dc8b6eea424790a9f44c39f28b204d7ad0af6da35fc33d8a3f89154d42d769eb559aa0acc28a9e6fd896d2a6560fd95c91afe234d4e75636915 envoy/extensions/matching/input_matchers/metadata/v3/metadata.proto +shake256:88434c32dad5c61f6898371ff51de383160f36ee292c7b46983de2a4d54a0af20843221b52d8061759fa9b4767a387f4891c3d9aabc1bb4c56faa6d3e7a3345e envoy/extensions/matching/input_matchers/runtime_fraction/v3/runtime_fraction.proto +shake256:84fa5b00e53d153b1958f4cd8ec6ca9702f27208f44b546a259e3935d899d4d7cf80cda04664f71c289b33e3070ff7b37efb5a00170bef7945b3451bffc60330 envoy/extensions/network/dns_resolver/apple/v3/apple_dns_resolver.proto +shake256:79334ac047e2b07007131cf121df1fb2dd4056b7018785d2a0c4cc1b5dd0ff3624f8178240bb430d54cc448d89ef878834c29b824ae376694cd989ccd0cd7918 envoy/extensions/network/dns_resolver/cares/v3/cares_dns_resolver.proto +shake256:4c84314b7b487a19899212080e03bc56720f7a7bd9d2ea5bb5096b3afffbec2db6459fca8b4b919aa6ed7d5bd57947588cf58d5720d4a3818abf018c3ae42abb envoy/extensions/network/dns_resolver/getaddrinfo/v3/getaddrinfo_dns_resolver.proto +shake256:c4b373033fef9f58de1beaff37f5c835eecbc378b775d04d08147b3cbacbfc6629923f109eb754096604444c7791a43edbe0a15398843c7790a20aac6e82ae1c envoy/extensions/network/socket_interface/v3/default_socket_interface.proto +shake256:feee06cda1e05a53ff064f726ba892b2bdc07c192adcc50052818cb62ba1880cce1a559c352f35dc45eb275e8fd8fdde3602257ce4742d7485de67a77b6485ec envoy/extensions/outlier_detection_monitors/common/v3/error_types.proto +shake256:ef828f1761de1b5bcf19f71e99c4874d4b1e33475fe7ee3aa1c461d202afc3e4ff0ac4e3de52f4ef8c79f700ff481b6af3fa25084856e80a05b9181a9aecb701 envoy/extensions/outlier_detection_monitors/consecutive_errors/v3/consecutive_errors.proto +shake256:b59aa69fbb5a3fd019d0629969b596f1ef33d11c2db37b7167c80d49825c56ba11514538b5b5e18d9305862104bfd2ce2232b462a3632484756a12bdf3287943 envoy/extensions/path/match/uri_template/v3/uri_template_match.proto +shake256:4c14d13dd9e1e782b7a0dc85854642bfb2df4839adc50747cc71fa12c706d05a544208edeed5c5245f3506dfd83004a899d96d8fdf39dfe653382e92e8b6a3cf envoy/extensions/path/rewrite/uri_template/v3/uri_template_rewrite.proto +shake256:f7680ea8269c00d0a1c18ee2f3af1e75f8dd2c000c5e8b943910b9d94929ab55ee5d987f52e72a9de04314d7b1067f32b720b754a90f86de61696b264851498e envoy/extensions/quic/connection_debug_visitor/quic_stats/v3/quic_stats.proto +shake256:1f74c6723791858d9dea2478140f942cd69348c0b3914dc9e8e0fdbeb37ceebdec52d13770018d4ef0b13b65bdf421da6211355bdfde5cfed9b71b4b20532c9a envoy/extensions/quic/connection_debug_visitor/v3/connection_debug_visitor_basic.proto +shake256:8fdfdf3e80e32c8390ba4c4102963331fd68d4e4d7ba16b00cd92111659dd118cf968b654434b822c5844c3e5583f0ab13b1f6311016bbf0276d08e06e48feef envoy/extensions/quic/connection_id_generator/quic_lb/v3/quic_lb.proto +shake256:b35b11e7deba787adcaa488361dce33d97804b1f276dcaa3c936a50dea030722b9d8707590b3d9e29093061ee67c6eac3ac1d107aa88d58a209d055674198b6a envoy/extensions/quic/connection_id_generator/v3/envoy_deterministic_connection_id_generator.proto +shake256:0d5c109aec1c8a34845c051213323cef13b8acb789a973993caab647c2015addd698e8b7d1df443e81dd966f198cf9029f3ad8e941b1308837d6e317212c2b43 envoy/extensions/quic/crypto_stream/v3/crypto_stream.proto +shake256:b81a6625d0afccd2d290f73787080f319dc2cbac737ff9f655a40d285847b80de77e5b4361d6f5208cb68e439517fccbed20d590e5ce2b47e5276f73a614764e envoy/extensions/quic/proof_source/v3/proof_source.proto +shake256:65be7ddec7f03e73203304f27b2dab6c0adb2f96bcf27859e458d1ee924c4cc13224b7b78b298e07baeedd9bfe26dcdb04c95e93363c32a34ae919edd722c46e envoy/extensions/quic/server_preferred_address/v3/datasource.proto +shake256:bd5330bdb3af2fdd0d6c19e7d2dea7f1f9f3a33b23b8abe7b3ce5e00986ce129e525839820b220d83a2778cce498c427cc8b81685d7e47fce1530bf3ec6e891b envoy/extensions/quic/server_preferred_address/v3/fixed_server_preferred_address_config.proto +shake256:2cb8ebd50ee8f7dbe73b59288a57e8ce66169d0cf29fc0eac26709c6284e36e54582383668fd57d81428187b36b4c2c551b5a4192091ad7d7e8afcae14550e78 envoy/extensions/rate_limit_descriptors/expr/v3/expr.proto +shake256:efefeef95cda09d43c21ea224d984c6164d9eda0b5c74dc3103bb2125bbd19f6296557896636464cb6df3ece2ec78f92554204f6c2e8d269cc3ee78ce8952891 envoy/extensions/rbac/audit_loggers/stream/v3/stream.proto +shake256:12e6aab5a6bb2b487e96b85d1df9a327e4915ee2990d1e5b335a5d02b5b5ab74ef3e5357fb7c01b07cecce676349c9023fdd5fdc3954ff85a32e67232ca01883 envoy/extensions/rbac/matchers/upstream_ip_port/v3/upstream_ip_port_matcher.proto +shake256:516e7d1e52f23285dc29da142505c4c5b1752e48f9fec69021cd8df1e163ed5a2c0be22dce9f050ce81f15e9ed3994403e598ef577fad62f829f6fc56206f1c1 envoy/extensions/rbac/principals/mtls_authenticated/v3/mtls_authenticated.proto +shake256:ed50a0a24b7ede925b68420c09fcd56b455eff0efa60a01082c77f61835ce52d988901474e3c3003545a1c8c16e6d97629f4d23e543d06041237fa650a8d0f5e envoy/extensions/regex_engines/v3/google_re2.proto +shake256:acedfc0d080637f91af6bd52396281588d2e7216106d9c0fe4db78bb876e85f60e5cb8da19952d04c610e0889f43e14c3074485c4886a7262c3d4cabf2b13435 envoy/extensions/request_id/uuid/v3/uuid.proto +shake256:298c4e17fc11e286b92291f710b2eda207d4bfbe91758e2f81ca934f7d1d1ceead2d96629922ca5764920e16f6b57e3ebb91a8ed7ecfe0cc214187d026e83c0a envoy/extensions/resource_monitors/cgroup_memory/v3/cgroup_memory.proto +shake256:f16bf9d750ade1919fe6da89224ba8951dedc35f291bb221ce5a69509caeb2b2b0c25b67e5ac580b9b7119efefe37cf900d978acbdc147470c8fbba3f326de15 envoy/extensions/resource_monitors/cpu_utilization/v3/cpu_utilization.proto +shake256:7f052f002d7e537933393a868929ec03b18b400819f44912c47f99a8fedfcad3dd11b77aeea43550e0ad5615384eb09f31ce8fc3db239543a1b92a6a003aa7d6 envoy/extensions/resource_monitors/downstream_connections/v3/downstream_connections.proto +shake256:12822650ee1addeed10c840b45b21a1578afff4ad262643364a5379a198fcf23dcb812e68cb8be40cea686ad0d4b6e575e1cd439a8ad5a261980f56e4b4f7ee4 envoy/extensions/resource_monitors/fixed_heap/v3/fixed_heap.proto +shake256:a99a18f73f95166d72f4daad65414723da4f3979be982e87e6a0e2e5f3a49dc5b0e49ff4f35c775aa48f3963d1522dfba66b7fddf1e13019b7503920fe7c0d62 envoy/extensions/resource_monitors/injected_resource/v3/injected_resource.proto +shake256:2d3237daa2aabf8c1379f7f16a5d10b87e41171a0eb5566e64b076fffd5725149040bae21fa5ce5fad3a244ac4118d9d90fa9b99219795648b3b39d2d85dacce envoy/extensions/retry/host/omit_canary_hosts/v3/omit_canary_hosts.proto +shake256:fbbab489437bd68a2d6dc6d762674947e94a5cbe005136ab35ac841b1ebc055df5aaf1c93e371cb4ff75dd84e9d5c13e8f581e87a2fc3ce70f84ba444abd4cde envoy/extensions/retry/host/omit_host_metadata/v3/omit_host_metadata_config.proto +shake256:541e01abca6919462a0d0cf1c85380321afbd0ad796915fa5734c13420603761ab956dfb51a4b1f9e3ed0658eb36f8e29f98e909044efc4998b5f0ac3187f895 envoy/extensions/retry/host/previous_hosts/v3/previous_hosts.proto +shake256:03777221093ecc5820256aa74fddbd488cbd21276dfb6f4155c379078d8070b1757464dfd3d657139733272d5f2308140af8fade16a491757156a9c96502d146 envoy/extensions/retry/priority/previous_priorities/v3/previous_priorities_config.proto +shake256:73aafa2c0d0ef67990969355e95643e8194dc84941666c70b9a1aeba1b4be20bbe8091825f496c26ec52f2f1ffd837abc2255b67f7e2a4a59a913beb20898b44 envoy/extensions/router/cluster_specifiers/lua/v3/lua.proto +shake256:69537d185104e9a65353c4103e9446f326e66207e18b54358d25f14660db77ce2a8a0a94d67d0b6efef5ad70a47174a259a61ba874b711062b1ff49f29bb37dd envoy/extensions/router/cluster_specifiers/matcher/v3/matcher.proto +shake256:baaef5b0dcd805f206a977806ecf55cd8785134085fa515bd3ddb848d3986d502fb8144bb0f6f06a11595c5444ff42da361497a4b70eeb21f1a8e0095b183c3b envoy/extensions/stat_sinks/graphite_statsd/v3/graphite_statsd.proto +shake256:f4ffbd13c1469d72b79196a50468dab6abcec6746b806d7ad07ad727fef7c0c4c043c8b063c30abc8a4c350ee1e0a032cfe188eed994e693b5426b02832046e8 envoy/extensions/stat_sinks/open_telemetry/v3/open_telemetry.proto +shake256:af239d758d000d60037294ba32773a6c102bd1a2de6c685299e94f127f09445a72a9f88821459c921fae1e9f9fe71259a20334fe4e9a96ac98e8efd59c9a5d87 envoy/extensions/stat_sinks/wasm/v3/wasm.proto +shake256:d7f75c34e0b7f8789150ee0eb5b19e71db666175432858ae35a618e1ed1d11c22833a10b0b7dab072dace62c6128b14ba0c1aed987b36594e77a0d78c4fea8e8 envoy/extensions/string_matcher/lua/v3/lua.proto +shake256:6e72f2f15a05142e84506fe9c5e5a52365f4bc84a2832ff2920e05e5a770b8c065bfc548f30a152619c7d1089aa835cb82fb1180cc1ca1f9e4125ec5b9b6ce15 envoy/extensions/tracers/fluentd/v3/fluentd.proto +shake256:2dea78d980bdbcfd314655d85f68cdb80170b1a3a26689033ce3ab8d6b2323ee2f5f9ca431521c888046b1f67fe1b1df7e1b41e72a9525255a892647d03ba47e envoy/extensions/tracers/opentelemetry/resource_detectors/v3/dynatrace_resource_detector.proto +shake256:0b54ea2b09ad005e0f28e296f023999896dd1007d70b19359a8f771f82b222bf2987c8fbf517530c3f45e6a4319efc8aa63af3bad9659194a52854bfa39e7491 envoy/extensions/tracers/opentelemetry/resource_detectors/v3/environment_resource_detector.proto +shake256:5371f5be86060c954b6f8ff11aa8a8c8b2ef94175278fb84547bcfe1bce1496cbff48c324a90b2bc59a57f5d622bcd8be23f907252238be7e3cd391b241ffe18 envoy/extensions/tracers/opentelemetry/resource_detectors/v3/static_config_resource_detector.proto +shake256:d3ab1839e0d23b7027166b6e3c4ed1eb161268611607a79e8a0fe7c3d6ab5f744f66f925ea3390a6031fcd8aeae23c4711e4b5c8bcdc92cd8f4bb8bb8dc89dd2 envoy/extensions/tracers/opentelemetry/samplers/v3/always_on_sampler.proto +shake256:5cf81b0cf871e6a216da80ab14a9e98d6cf071015137f1ebe567f5710d7122832bce5e3eb9e99532ecbf4602248b7c3f995a48c09d48bad6cfed8958fc3b8145 envoy/extensions/tracers/opentelemetry/samplers/v3/cel_sampler.proto +shake256:265484879d7ae5d9a0bb600cce1741b0f6d64ae04be75e7ce927c771066a565c54e1d99758ed3f85a04b3d17dd087018ed6fa0c21f46f90c59fb2d1d4c50cc67 envoy/extensions/tracers/opentelemetry/samplers/v3/dynatrace_sampler.proto +shake256:541e1172fd525e99b287600e7a58bd7b2bc7e0eb07514d8cec74002aadbf0c5385f93bb2efa3ab1f80f98e009996bab83fbb3bca3a19dbd394153172960781f4 envoy/extensions/tracers/opentelemetry/samplers/v3/parent_based_sampler.proto +shake256:e4b240ec009feb9dc7a44a85a04f71753af28a2ca562c606283a22d87d2b8f96dd9898bd34655f72259ac17f177c3254ffcbafa87ede213ea3a9399aa541b716 envoy/extensions/tracers/opentelemetry/samplers/v3/trace_id_ratio_based_sampler.proto +shake256:5b0a26f3fef746f0134abbfb12488a75cb6f71f1fe32cb3010571df1c61a0cbd9c60dcd14f7518e5cab37b005ba0bb90a25f0e4c6d1095bcfc75046023720725 envoy/extensions/transport_sockets/alts/v3/alts.proto +shake256:c89926efa58f9b00f2eef628d75352686701d1e12b269de0ffba93f7649233152a576759931350ba542d7ab374ddb4a982e8a248be9bb2297ae096cf86149293 envoy/extensions/transport_sockets/http_11_proxy/v3/upstream_http_11_connect.proto +shake256:6acc101dff2f6d9dfd42d93835b7eaab9d899ce27194865d6daa1c171d12bbb277784d478d2f2810f1bba0cf84341f59c7271bf3435d6583d9b6ab8b074123fb envoy/extensions/transport_sockets/internal_upstream/v3/internal_upstream.proto +shake256:432449b6de25f852f1c6d8ebb4df1376dfa0042cfa816a7906cafa4739032b3f66f887a2d85fbc00c2e6fd948515acb3732d7be761bf2e9af2d1739dde866b91 envoy/extensions/transport_sockets/proxy_protocol/v3/upstream_proxy_protocol.proto +shake256:ebf23934294ebd7ef3232d9e181e5aad268449fcf56a4d6e28392d793102e35cb0b4edaa9e122478c8140f53c56fc57c8ec3d10bfbc0dbd3b1e799bbedd51755 envoy/extensions/transport_sockets/quic/v3/quic_transport.proto +shake256:142e115afeaa6a4f0579552383c702b436bd640e359d05ad2617da6bad6044951b3d6ba0e9474fe34c2ac1e8d8468c0eb6417c4dcbef4317d24a694f65585af3 envoy/extensions/transport_sockets/raw_buffer/v3/raw_buffer.proto +shake256:655ebe077789126227c45261078f8d64dd0d989295108efcbc136d2b59a717c6b2a486289156584173a79a7d90cf9429b8d43154cb534cb1aa671eb6a3abda22 envoy/extensions/transport_sockets/s2a/v3/s2a.proto +shake256:b65431721a1a46acfdd0a792ff8b87e2aa557a27cc2e8db151f97d02da20a70f02cdc21ebf72656e165931fcdac08deb6e3075d4431fc4bba160d3a8455776d3 envoy/extensions/transport_sockets/starttls/v3/starttls.proto +shake256:b55ba8ad8802bf22c4a8110670ff402dc1d61dac65692b1d88e05d4ba9b937c0e7f9549c93127bf58a5d01deeb5d09d115fb2c9ddcb71aaf61aee0643e40fdc0 envoy/extensions/transport_sockets/tap/v3/tap.proto +shake256:2db6ce813ff15044dcf88785d43e388e2bb26d59cf4015c0630a6cad9a2439e82f8bd8c2b254c420745604abadf2da52ff4da9bb3c6dff6fd6431eb6417a88f3 envoy/extensions/transport_sockets/tcp_stats/v3/tcp_stats.proto +shake256:70c3f79a8f5ada5334027f2ea99ebeee20e3dd431ef94d82eb096355a8aee3784a309eb588ce1f474844ba17fc17b0220fa2470b69908245d6b2ea3aef26c22a envoy/extensions/transport_sockets/tls/v3/cert.proto +shake256:e5c7d2878ae07f98b7b076de1060c76cae457efb0558322736cdc1139f8c38c3bbada85ae0efbe867f5e8aae201c82d0aadba8f88a4c217cfc315c96a4b1ea98 envoy/extensions/transport_sockets/tls/v3/common.proto +shake256:d541b64ff4c04ea5298fcf5208c8571980ce1a691fe5c2b86d8f0a94427160e244adb2381204e45d8d237864211281dbd0ab1bc6f48810625310c15af14fc509 envoy/extensions/transport_sockets/tls/v3/secret.proto +shake256:0711d88a9129014e77db8a918e6b1ff5fd7dd6f1e2e19cce9573ea29c253d700594809a424beebdb28ce10898b9c1db5ae88c05ae4b0cd139821dd502e6f68f2 envoy/extensions/transport_sockets/tls/v3/tls.proto +shake256:ef69428a40297702fd453f6613f08e24a434f80a18b1cb7099ecf856ef9eaee3fa624afe50fd0c50f311ea91d070338d43f31ea8a0717bfee51f935d6170c47b envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto +shake256:5ed9430060ee0140165e8bb75940bc40dd565350df5c01e0f3e154b708e4d39ebd525fd439a64da2b8656d438a39da89fa5250b721b90f4a84ea1f682b33ce35 envoy/extensions/udp_packet_writer/v3/udp_default_writer_factory.proto +shake256:628eef9f3842581bfef3c63dcb967478ecbf486c3da4491eefa31814f8fcd4d782b9f5fe81454015dfb2762d447fa6561a05622a59d52d34b75591413fea6321 envoy/extensions/udp_packet_writer/v3/udp_gso_batch_writer_factory.proto +shake256:79f80278f4f4e33eb6864b817786b5305cc6ae0da122f53e426e567cea75b910af45ab9cb858c81a91553386afe0ba5f2b0bbd4d17f855b3cd219a0b08d1b4f4 envoy/extensions/upstreams/http/generic/v3/generic_connection_pool.proto +shake256:1bc3d5c62725d72b2b5959f92e15634cc579ed8e136a92532150f83c2481dd0e9f251fad8f969390d298a39b3d05cd33754c8ce9cd994a321a7da9a0e5e6adf5 envoy/extensions/upstreams/http/http/v3/http_connection_pool.proto +shake256:102e997c91c76da612869b2a666ffe2e554593d6c3bdd63a5bbc9ac70d1a0064346c9415fa2f74368db77b4c3be872636c2917899d9dd951d959ae52ae15176b envoy/extensions/upstreams/http/tcp/v3/tcp_connection_pool.proto +shake256:d56f95c23b4fd61618df5dccf70e260f07194b05638161cbfe7b1636aff5114d7e90b49660b32891f570dae71fd2484ac392716197e2dea6318c2f3ccb5ee951 envoy/extensions/upstreams/http/udp/v3/udp_connection_pool.proto +shake256:67f8c22322b3279e63a6afd72715b52f4621719de35ee92362525013c51e365cf066d2b47734d3326597db5ebc353accab57ec8097f69d0bbaea2170f6de3434 envoy/extensions/upstreams/http/v3/http_protocol_options.proto +shake256:622d6f175b2b12659fad78cd611c5393c3866f584985ff06c29e1ab8a4a4628ead7c2db69a6380c7debf88bae406747b39780d23afc07aa17e7687ad45761a20 envoy/extensions/upstreams/tcp/generic/v3/generic_connection_pool.proto +shake256:96f4fcb2c56df1b0b0ac3414449baf6774e2aa8969255016a23513e170fec1536a30b6b4739f314403d7d61f6d6c3c78a5751e3fe112a4f946d5b8e065bea1de envoy/extensions/upstreams/tcp/v3/tcp_protocol_options.proto +shake256:4383b785c7cf3c88d63153c5d841c7a5125c1a883789f36dd07b11434ad73ce8da5af9292b4a078e98101fb11769d14ba8a55b088f0fec67540d9a55364fde80 envoy/extensions/wasm/v3/wasm.proto +shake256:762e5a35ffa359e351715abcb4d10973dc3eb542f39faf50fb2fd1a69d747413e88c992e218bba253a5a57745a384e923a24bda721056db31c0b2a310f80ba44 envoy/extensions/watchdog/profile_action/v3/profile_action.proto +shake256:4996109c5c6ad7c4df245ff378f41569c9323f6691c2f02bf26e6ded7b6059aed8b5214deb18008cf4fdcc9dd12499f170c570d0381ffc656e6119bfdcbd7205 envoy/service/accesslog/v2/als.proto +shake256:f4a29b2899acf38dc693efa125c0434c56847ea1569b056df833528e5a0603b3f6a62df53b9cf40ec9aa06e30b4cef0688764d468a6eb8da3680e99897106a68 envoy/service/accesslog/v3/als.proto +shake256:a8b6784c472dbaa98f1f3fddd68a50f4dfed29af2c11e7cb0ff350275fdc4cf60b9bf9224c06766af0389b082af73d219cd4f494db207ab45fc88edd7c0ed909 envoy/service/auth/v2/attribute_context.proto +shake256:08a77da191422df68e2e2c432f597478b353b8d04455b618922e642f5938513fea27ec1950aa52acd3333b9d7d82be1035e3c0a253e5b97648cff309bcc8deef envoy/service/auth/v2/external_auth.proto +shake256:4eb4d2e4dd59617cf8ed6ba4d58661099422e8ede70006d905916dd5c60c660380fe977aa61f16361fe6d733c485c853c228dd5483dc4fd40ba7961e7319db8b envoy/service/auth/v2alpha/external_auth.proto +shake256:ef19b99ed5f32b4e64a0001c1fa08917f7ab7374852f3599be77864a113908dd7cfa5287be61aa838423b151fe7af3e8193f2569ca452807875b4a2836171aff envoy/service/auth/v3/attribute_context.proto +shake256:60bf140ff9f0e440bb27912913de0472c27f1a5781b41f2bb7acf944a869d5136da2bc42c0aa81f639be2b7fc21df20698c5e2daa5d584e6e1519d16d6fa788e envoy/service/auth/v3/external_auth.proto +shake256:2217dc6bf6933bed2e621b0a8a1f9a3ed3b77239591020eda87b0f592c3c00dbe299988b262029e022705549c0621b17dac6f1d320ff3a5dfc5aa07fcdea0e61 envoy/service/cluster/v3/cds.proto +shake256:c1370a13fe2e5e6b894233bb6432a0b8af8ddf1cf1078de0c750484b3055a78f7974a39fd6f1493d7ed485bcb0261715fa1be067c25f43e4f9469f48df8000da envoy/service/discovery/v2/ads.proto +shake256:ee52e1e4dacec7ff8d1a05136a89bdf7475eb1e6efaeb773f6e608a5f7d00379a3d4211d22a8ea82750a6eb36c8034522da5ab99007cef8c989d58a551717de1 envoy/service/discovery/v2/hds.proto +shake256:0318c755e701e782a34e6faa9e63ff5df3c75f4b8c7b78ed0648e1cd5fc815de826d24b1e9cf3908432c2023d3e6e2d7a3018ab2042be851fbfc1f81a82fc72d envoy/service/discovery/v2/rtds.proto +shake256:9d4cd9fdba3a202916bf6cff81d6eb2529974dc817135aaa900e859e678f9420b78821e80e6891bbde807a71bff8b5b7ceb4b3e31fb01a098d0ef252ec4d0832 envoy/service/discovery/v2/sds.proto +shake256:732ae86f43a83be70c45a2938b8d66e20bfc1abdab938a8705ad971039eaf5931dc9414c4e7299acf00c948e45afa5b1f16b70cffd4ce3e33775a88985a3ca97 envoy/service/discovery/v3/ads.proto +shake256:d0363f981b6164e21562c4686a479114fa780df94fce216e2796b71da32440ee994b4df3365f28dd16f6e029e25eb8aeca72e6437212f48613e617a6f0dddb35 envoy/service/discovery/v3/discovery.proto +shake256:e8a56f89e6931dfa885cfd8de54dc6f92ae0164e007d0e5f366dcc25705008c5e263f636be831687f270d531ae698f7350b91623f9a647a242e49cf6b15931fa envoy/service/endpoint/v3/eds.proto +shake256:416d8c86026458e77fe8ae3845a769f59e3845ef062b5dbe6288745598223e2a450d28cebbc3cd8c6bd07f9838dc836ae7a2193a5c4ba81b14b1ff7c66daa10c envoy/service/endpoint/v3/leds.proto +shake256:b5bf9e082c4ec76d09d874ea26f0f2f70c77bf64caf46de1f9533dc61155ad06da023d650ab6f030c67da25f10488b47caeea7ff20efbc574ab3ff749f7e15c7 envoy/service/event_reporting/v2alpha/event_reporting_service.proto +shake256:357a584bbb25276c4dc0262c69fdd6f44fd6eeb08d50a2c4f8cb1b9f2a16b10385df785ca42ae0ca173bf38aefe80b14572ebf939b97d46ee84688218e1ba920 envoy/service/event_reporting/v3/event_reporting_service.proto +shake256:a0edcf6dd39882ac26ff14ac91358f007f677326661c1c7e90316d2911754ddfe115367f7d0be190960933316ebb7a1b3e98a20335848a1189778cdff85c282e envoy/service/ext_proc/v3/external_processor.proto +shake256:8ed6ff32eba9f5a768ed19ffa70ed80227a7beca9ab61da117f3858af346fc3f5445d14aa839231c6d5c8a8a64988a1e3623a3a61132b0120fdfcfbf10a01bb6 envoy/service/extension/v3/config_discovery.proto +shake256:8dc8e6bba48aa83023d8af0412d52cebd600eab03b0561a5c1c26b0ee561058eb3e11edf4ece580c2c5b8360a28264dc47c3a9e496701f2c796515dce5ed80fb envoy/service/health/v3/hds.proto +shake256:b30e1a9c40bddf8c84bbeeba1c23d3a391a440e0900b1fc589032b29601f055913c7ccacca2e200c1e4db6cb1131d29bf36161e1dd2e54210a9285adce491076 envoy/service/listener/v3/lds.proto +shake256:e6295415f5e5c97db3d7a76bf1ff2fbadc3d0bbb9dc89560869e243b497c84c21b8b811984d03e2f05fde18c0be89b84f3c4961e1623eda41be9e0cc582eff27 envoy/service/load_stats/v2/lrs.proto +shake256:699477da8f3f972de622c6a2945200c249456c1544c0b5890be78007e6b2549e2e7cdea581b0b1648fa45ad472eae3ab70461eb9f05ea069127b8e0d18d4d531 envoy/service/load_stats/v3/lrs.proto +shake256:b449e325335c4a27aaffffee78cd8efd0dc7f341590c6960ca3fc0820cd6c16cd43f600f602b4e505c0bef8ff96397b80fe3483315cb7ab0e8715c7a09f04e3f envoy/service/metrics/v2/metrics_service.proto +shake256:91f3b9e83028d2470ea9cdd586cc834f7e849b3ce3c1deac251fcbcbb7d1384e671a094596c6782563a3a3d2745da8e4a2aab0be31f980968a9a7a7208a8b9b2 envoy/service/metrics/v3/metrics_service.proto +shake256:8bd5e085a8a4d58e707005ccc2150b5e4ba95ee45625ee96156e4daa0b9c5e95204c74ea56fcf7f4ee6d28471cb4adcd6b55501c53f4432360641b19f6c3adb5 envoy/service/network_ext_proc/v3/network_external_processor.proto +shake256:4134d14b8efd20d58f826e9849d6e53b2d3ac7242560d367b7abc6d2a7ee155135e112da7a9bd738e5ebb22180c4bdbad8071c9c9574e945897bf6a608c7260d envoy/service/rate_limit_quota/v3/rlqs.proto +shake256:d2ae1ae11068ba99047618b4f3355c6c63b0cadb7f2b92b62ecaa418d6012a7bd2590ffd8ac4f1d30b9586b3eec6d14a8dacf67d7f4edf7f3946eb606609f962 envoy/service/ratelimit/v2/rls.proto +shake256:9641a91435e6e6b8c64e8e68adb42c0ce592170cc68972d4724169361766892b4d2a00b16e4dc9a2863d7b4d05ff1ebd27e820622355d2de4f5d09b7d71983ef envoy/service/ratelimit/v3/rls.proto +shake256:216d9b8b599926c745c66f9213c7158da4d4578f3a014d92900ba387032b086041bf6ecb1335a93d113fa08c10fc5d7f0601f5d13977d11e718820a5f9e30d15 envoy/service/redis_auth/v3/redis_external_auth.proto +shake256:d8c032e24b649e9bcd34a34c1aa7a3301636cac0d28ba8f2f66bf913f4020518c7147c5258ae7456b2c2a9098238e7d348682e510eec4b22b89ef0a6083b97ee envoy/service/route/v3/rds.proto +shake256:851029f814d9f06c8ddce15d14758f3b6bd3a12fc22f94abddb181a557e345053c6d99cef3f5fe00629e1c9880c606a677b3e146a0bc416e771eb63a32928c30 envoy/service/route/v3/srds.proto +shake256:bc3b113db998b71b675b735aacef60a5a44c4e5b4ae806c3451609adaa29d1abde505591df5e59afa71256aaadd47954750fc8d52b23dfb1a77b14a979e3195c envoy/service/runtime/v3/rtds.proto +shake256:224273be92cff332779fbc3c4cc05e9d896f07f7399755eaef09d4393c823c1417db21551aba27d8d638e9d2c5b2faa0ec7be818a80f669bf0bb3f2c050f3bf5 envoy/service/secret/v3/sds.proto +shake256:2e52093226a25dcfa49f732d9eb94d4e0cf45ea33ffaba69d33e237e1b3b57a1c09125dfe84aea26cf027949c665e65a1e0c3816a0f7632bfc1a27e60164afa1 envoy/service/status/v2/csds.proto +shake256:ac4a57cb2f25fbfce2a8daef2546317e33d09d8162447b82d56491df84b4847880ea6fa7048a0d82380191fced4f1caa1490773c8584aac1251b274429a8335b envoy/service/status/v3/csds.proto +shake256:8c3cdd75a9d29c3cab6409ef44c6560d04b701a5fbb750110a3c690cceed6579eebfa31ba1d3c24220fd30311fc3b1fc71382fd75b87617289584cb89614a8af envoy/service/tap/v2alpha/common.proto +shake256:9238348d1c026eaae1bbcb2eaf891214f11caa40506ac196f09635cef0d600b3fff85c7940f470bdfd0c77ede8b043bd595ef40fb49ef1d570d09b974ae3aee8 envoy/service/tap/v2alpha/tap.proto +shake256:7b68954434433606940c6fa3e32b470dfd6bd645d00e45d70292b0590be710452082946dd19eeaed41fe1a01395c093b0b2c5d5b4b5d25d8ed3d758b854dc629 envoy/service/tap/v3/tap.proto +shake256:690a4716c9c4c5360fc02c82ae8293203c13be4e1134f4d0cc335d6a5da7215b3c0d5448c04926e3e06a790c0a4d012054fff23ac609209e9c1cc3c2a32319ec envoy/type/hash_policy.proto +shake256:d19e024e24adeec5f0b76401119a091029122e4ac3f8a3294b47dca1ec8f8f65ae752c85d68375097421fdd0a5d5cb795603e2d721c5be802b8425f2ffae6755 envoy/type/http.proto +shake256:f6c1ee6c7e0835c3eb5f79a4b6c82fe6cc0875db25649420b9b074f0de7457c89892acc979e2fc37a5ee1b46f441635d19ed243505f0fe47c67ab56472d02474 envoy/type/http/v3/cookie.proto +shake256:0ae546ed47fc0e7f7067fe017de48efd5de4d88d4aa1fa4df6b9eaa51531830675076ff50f13011b4e5d1244aefaa3475e4102f25c9c07fe5fd4f93cdc1e9f92 envoy/type/http/v3/path_transformation.proto +shake256:9809a923db1af1a7ddc5ce050f7cdb9161e42b486765f9dc4c278ca55245897e524ece578d9200cbc16e5dc558b6e62ae0ad9bbbb28f0256444977007d125bf6 envoy/type/http_status.proto +shake256:c72973b0f8238dcde807395ef1b3722004a0fdd34c3e08118914285246babaa837ab4e1614f9a1cbeb93d3d8942f316bc870fc9d40afd1df9f4e08362694a784 envoy/type/matcher/metadata.proto +shake256:4a704a75f9c4816bfa4ab17ae4e9672b1b7e2e5a89177d4413ec3c13296e02918fc511aea1ca3e67bd4927691065b038392f5f6370780b78bb0b3c4fdc77e4b4 envoy/type/matcher/node.proto +shake256:0f00d2d7c167ff88b003036b0cc735fa7d839ab1a914fa03e38f9e67f8fc010fc50b7e743322141d3932169ed51fea1481af7bf5494ba47bb8793d932fba51d0 envoy/type/matcher/number.proto +shake256:4b05ff8e5ecf96d4a5fe628207d9ebf496207b03bdf7a4ca919821744ca76c715799b5f9bfad2caa1dce7d9d1941cc89fa84272603bf7081200f4ba059a7cdba envoy/type/matcher/path.proto +shake256:f64d77676fe9afb578981a25087575bd5473a0339bf128c008b266f89eeafe4615208e0ff2f3b82f9a3a77152c7f8ce49adf14fddd1c52e67362b44a3ab464cd envoy/type/matcher/regex.proto +shake256:cbd2eeb817c033f1083f650aa40e899eccbd5fb928901b2b7d00090a3255adfd14ee71f696ee01cd5db9ea298c9dd1a080ec578d94cdfaa0326b0cc014bcba63 envoy/type/matcher/string.proto +shake256:839ad15eb02acdb2dae9af33fa54e09d1681db3309c2cc28a5a83ab7490f8881d34487caa3e13c1cb2a10749f5f8d7c3c0ae43a69c2c1a9e6c11e0f91ef0834c envoy/type/matcher/struct.proto +shake256:b8aeb0435ab80c4f331ede8ee6367cf5eb25df2219c291e177b1be3dae38269671d7d2c2855e045c88058f0e973fdd447875a154228148abb5f00e94f4c47281 envoy/type/matcher/v3/address.proto +shake256:368384c1f18c40e250a3c223bad867c16c2171e4f3e81dc0e64f95ab0ac8ffa138e3615f975ff473c19ac9cc1de304ce6de23935424d7246b15449a70c8a1f55 envoy/type/matcher/v3/filter_state.proto +shake256:5f019ed81965c01108460610edac0725a6870e0fb85ffd2a1f64af152acb81e1333c24ae15f1c4aef42584271bac8bc6b70e1101ecbcaea42bce4661ed61604f envoy/type/matcher/v3/http_inputs.proto +shake256:125f10e793bed8cf67953b7f5509561afaf62088e12d3e09e386e745a351a7c907684a4978bf06333d9016ca027f19f4dda33385651c8ddefabf97f5809324c6 envoy/type/matcher/v3/metadata.proto +shake256:80fa673ba90f13a4986f6e6119784a9c59c841826227c38ed3ff837bd8213e9cb9a831a890f524b01f180664bbc8318ba8ecc52f7ef10fef2e5c55024681fca0 envoy/type/matcher/v3/node.proto +shake256:5cdefb24c00ba89be1cfd0ff3f0d1e191b0679d13a1dbaef9fcf16075c0d8d5e4f29ee460c29514b12074b53343198695873edacd165261d7ccccd4a4f590acb envoy/type/matcher/v3/number.proto +shake256:6332bfd31883dd3f0adb9cf32312f33ed4405ad8c371f60d6c325b8c7ca490760c0900c78c141b38b46d042b8155f141cefad9a6b3575f8a218ac653b8c4158a envoy/type/matcher/v3/path.proto +shake256:e34e7701305faf83076adebc1d9369573633e627a0e88a9c53fea1ab24a0e2dd400fd6772d75babdcac0174f54562e006792d65bf9c36565453b229ef02e0ad5 envoy/type/matcher/v3/regex.proto +shake256:262bde80e71fe6a168dd1b6a9ee1d1b27d3bbfe0e9e1e91129921cc0732f28380f5bb1cb18c041c29d57c93848b8c2ce35a16b0d4428d4df4e044c0fd6624bf0 envoy/type/matcher/v3/status_code_input.proto +shake256:5fddb73ab97242cae4a7799462d4ff64408489e07cbf4443cb5409f4cb666c8aa5165bafde373670a5db0084f80cca5797b63aba31f893174715e3be15c1dab5 envoy/type/matcher/v3/string.proto +shake256:0f38a58bd6eeba1aa88f3a5abdac8668f2540c620fcff2170763d93a5f764ef6694c0630c311d919fd8bc89735a5effcf50ac43fa77b2073392eaa206dcf501a envoy/type/matcher/v3/struct.proto +shake256:914b167bc0d15d4a96649c05ac568368e28cbe04d346a46526a07ef17f5b14944149c389a0a03a2a2b05de151940b8b459b7811cafa35d525a94a02d12a22618 envoy/type/matcher/v3/value.proto +shake256:a8dce06687fff254822d8665c7e5ac5633646822f786dca35d9dbe625a3fc3cf0d688220893dad91774493e1eb16226741fdbfd9e650b378742908324c4cf41b envoy/type/matcher/value.proto +shake256:c61a778022e769b7b86a6f2cf3311fa799234b4b8e8ca8645031605c6c6879b72dfef9928703ec02fdd24618b3afe1adcd0524d60af763d35dfb0c81c7c08c4b envoy/type/metadata/v2/metadata.proto +shake256:35ee01ad69132a5e671569227885b005ffee1364d7c60a3ebbf8c630872d444446d0bd4c964168d2d81d91806800ebdcfaa0b18a79dd436725295d0d9842fcaa envoy/type/metadata/v3/metadata.proto +shake256:ddfe76d43d5adbe5f2cbab06d966d142799b6cda620586672398c31f0ce34c0573112c6c55d9bc01e71782626d3808ad13f7c9ec79b00b430e3c77b788903156 envoy/type/percent.proto +shake256:17b206d1bff0fd1139d6be415b51e54947515ebbaf3ef6cefbe3849d2038eada9ff6bf7b1297066f624711966a9637ff3e78086274a5209f9d053c4ed7e04a6b envoy/type/range.proto +shake256:161720c94d007dfc3bd529c5a702119b85ba308622708caa6f942415e70c5df4615d58692574fcc217f07c11556c64982d94408ca3a1f78659dccbb96f31e8ff envoy/type/semantic_version.proto +shake256:b135fdd513959ff7a4e66d9935e9cb29f5ddeb4fca8e2e342fcf382c6f8e850126491d37a6ef8e234713490e4e95e8ed8d043399fce783d0398652f3c8af0667 envoy/type/token_bucket.proto +shake256:d201238906946214da41f85403023182139eb36c964414993bb659243aded648f4988b0a16875a6ee6e1e0bb1211a2c86a85b416cad62d4d00417a69fcca5d85 envoy/type/tracing/v2/custom_tag.proto +shake256:3f94e4dff884970471a386922110c7a611caf0c07dc38f6e3cd84209bdaf289951530a79b3864f7939cf335dd57a2e7896682479decce7921fc2bdac3b5d35d3 envoy/type/tracing/v3/custom_tag.proto +shake256:884e6803443363459542a1df859f5172ebdf5cae23fba2b2695a471af539c472d410bae54566813d865f05e079978a26c3406e174bc4076aed578ee6b690f5a1 envoy/type/v3/hash_policy.proto +shake256:406e55d1c3c28926cdcec7950f4e1ddac8f71fe9524f26df66e5f04e865b7fe37ec881c2c2ea96ee5928856a4f07ffc8b05e95a9987b99edc58ca8bf01668c04 envoy/type/v3/http.proto +shake256:d202ec6e99b45a8e9a5671718b070c368e6a5067194ab1c73da32705d28d45802db75994b6e5fb938b9bf4bd2eff59d52dddc8797e085ee99ca6a8d6db475de8 envoy/type/v3/http_status.proto +shake256:93083c00b1962447c795b3c85e8f291fb8fe80688209e48f07f1924b717fed0f76daac681f35b9da6f8719e77156feaf858694e8181df4174e450b46d499a478 envoy/type/v3/percent.proto +shake256:2a803a46ac7d02d32b5208db241509bda30e370014f07f211863e6086ac7ff1ae0cb1966cd60a32ca0cfed5aa2f35415cf676ea8c4120e0fd6fec7ad5dda2bfa envoy/type/v3/range.proto +shake256:e6fddcc8548f308a8bbc564bf1e302e640c95e2c1089a91891eac9711084b3d6b0d69341d9d9bbf7b49f485768df4b6454fb8778d3a76b7a732e0107b2e2b1b6 envoy/type/v3/ratelimit_strategy.proto +shake256:927bc95f9752bc98d44dac7bd56fc63f2e8fd8d8d4416704c396f5b4480c2f5d07ecb0b431050d0f9dc76af34d05731c18a28e62853a4787a9f0e95ca94891a2 envoy/type/v3/ratelimit_unit.proto +shake256:e802325fe5d940c76aab0881202db793985b6b26cbbe58d478363f1145a0c68b400754bd7b96d589d6a441a8f4a8eef8edb2409a202b0ee288818f0db3bcb726 envoy/type/v3/semantic_version.proto +shake256:cdd6fe9a656c7bde8194e9107f48f520b6f73ad7bc8a01b61df2fc56a9a79a09338503cbbcf457e0a9ec23b069851eb6deac656ba2ef31ef19bcc0b5b7fdb69d envoy/type/v3/token_bucket.proto +shake256:b85a6a8a18ed14fd96fa1d81be0f8d40a5f1a873f7dee40f037c004f5d77b5930dbbb9058bceee6ea5a1679cbec098795d13a261aa13afaf4d7e6b29fd7d19fb envoy/watchdog/v3/abort_action.proto diff --git a/modules/sync/envoyproxy/envoy/cas/3fa1741eaccaa0bb0c970910df1df48c1e90f504e27325a5d235c5f46da0ee621d04b6581c24aa93ed88d96170d64ea150e5499a709308659500c9a2293eb364 b/modules/sync/envoyproxy/envoy/cas/3fa1741eaccaa0bb0c970910df1df48c1e90f504e27325a5d235c5f46da0ee621d04b6581c24aa93ed88d96170d64ea150e5499a709308659500c9a2293eb364 new file mode 100644 index 00000000..e51ade13 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/3fa1741eaccaa0bb0c970910df1df48c1e90f504e27325a5d235c5f46da0ee621d04b6581c24aa93ed88d96170d64ea150e5499a709308659500c9a2293eb364 @@ -0,0 +1,185 @@ +syntax = "proto3"; + +package envoy.extensions.common.aws.v3; + +import "envoy/config/core/v3/base.proto"; + +import "google/protobuf/duration.proto"; + +import "udpa/annotations/sensitive.proto"; +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.common.aws.v3"; +option java_outer_classname = "CredentialProviderProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/common/aws/v3;awsv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: AWS common configuration] + +// Configuration for AWS credential provider. This is optional and the credentials are normally +// retrieved from the environment or AWS configuration files by following the default credential +// provider chain. However, this configuration can be used to override the default behavior. +// [#next-free-field: 11] +message AwsCredentialProvider { + // The option to use `AssumeRoleWithWebIdentity `_. + AssumeRoleWithWebIdentityCredentialProvider assume_role_with_web_identity_provider = 1; + + // The option to use an inline credential. If inline credential is provided, no chain will be created and only the inline credential will be used. + InlineCredentialProvider inline_credential = 2; + + // The option to specify parameters for credential retrieval from an envoy data source, such as a file in AWS credential format. + CredentialsFileCredentialProvider credentials_file_provider = 3; + + // Create a custom credential provider chain instead of the default credential provider chain. + // If set to TRUE, the credential provider chain that is created contains only those set in this credential provider message. + // If set to FALSE, the settings provided here will act as modifiers to the default credential provider chain. + // Defaults to FALSE. + // + // This has no effect if inline_credential is provided. + bool custom_credential_provider_chain = 4; + + // The option to use `IAM Roles Anywhere `_. + IAMRolesAnywhereCredentialProvider iam_roles_anywhere_credential_provider = 5; + + // The option to use credentials sourced from standard `AWS configuration files `_. + ConfigCredentialProvider config_credential_provider = 6; + + // The option to use credentials sourced from `container environment variables `_. + ContainerCredentialProvider container_credential_provider = 7; + + // The option to use credentials sourced from `environment variables `_. + EnvironmentCredentialProvider environment_credential_provider = 8; + + // The option to use credentials sourced from an EC2 `Instance Profile `_. + InstanceProfileCredentialProvider instance_profile_credential_provider = 9; + + // The option to use `STS:AssumeRole aka Role Chaining `_. + AssumeRoleCredentialProvider assume_role_credential_provider = 10; +} + +// Configuration to use an inline AWS credential. This is an equivalent to setting the well-known +// environment variables ``AWS_ACCESS_KEY_ID``, ``AWS_SECRET_ACCESS_KEY``, and the optional ``AWS_SESSION_TOKEN``. +message InlineCredentialProvider { + // The AWS access key ID. + string access_key_id = 1 [(validate.rules).string = {min_len: 1}]; + + // The AWS secret access key. + string secret_access_key = 2 + [(validate.rules).string = {min_len: 1}, (udpa.annotations.sensitive) = true]; + + // The AWS session token. This is optional. + string session_token = 3 [(udpa.annotations.sensitive) = true]; +} + +// Configuration to use `AssumeRoleWithWebIdentity `_ +// to retrieve AWS credentials. +message AssumeRoleWithWebIdentityCredentialProvider { + // Data source for a web identity token that is provided by the identity provider to assume the role. + // When using this data source, even if a ``watched_directory`` is provided, the token file will only be re-read when the credentials + // returned from AssumeRoleWithWebIdentity expire. + config.core.v3.DataSource web_identity_token_data_source = 1 + [(udpa.annotations.sensitive) = true]; + + // The ARN of the role to assume. + string role_arn = 2 [(validate.rules).string = {min_len: 1}]; + + // Optional role session name to use in AssumeRoleWithWebIdentity API call. + string role_session_name = 3; +} + +message CredentialsFileCredentialProvider { + // Data source from which to retrieve AWS credentials + // When using this data source, if a ``watched_directory`` is provided, the credential file will be re-read when a file move is detected. + // See :ref:`watched_directory ` for more information about the ``watched_directory`` field. + config.core.v3.DataSource credentials_data_source = 1 [(udpa.annotations.sensitive) = true]; + + // The profile within the credentials_file data source. If not provided, the default profile will be used. + string profile = 2; +} + +// Configuration to use `IAM Roles Anywhere `_ +// to retrieve AWS credentials. +// [#next-free-field: 9] +message IAMRolesAnywhereCredentialProvider { + // The ARN of the role to assume via the IAM Roles Anywhere sessions API. See `Configure Roles `_ for more details. + string role_arn = 1 [(validate.rules).string = {min_len: 1}]; + + // The certificate used for authenticating to the IAM Roles Anywhere service. + // This certificate must match one configured in the IAM Roles Anywhere profile. See `Configure Roles `_ for more details. + config.core.v3.DataSource certificate = 2 [(validate.rules).message = {required: true}]; + + // The optional certificate chain, required when you are using a subordinate certificate authority for certificate issuance. + // A certificate chain can contain a maximum of 5 elements, see `The IAM Roles Anywhere authentication process `_ for more details. + config.core.v3.DataSource certificate_chain = 3; + + // The TLS private key matching the certificate provided. + config.core.v3.DataSource private_key = 4 + [(validate.rules).message = {required: true}, (udpa.annotations.sensitive) = true]; + + // The arn of the IAM Roles Anywhere trust anchor configured in your AWS account. A trust anchor in IAM Roles anywhere establishes + // trust between your certificate authority (CA) and AWS. See `Establish trust `_ for more details. + string trust_anchor_arn = 5 [(validate.rules).string = {min_len: 1}]; + + // The IAM Roles Anywhere profile ARN configured in your AWS account. + string profile_arn = 6 [(validate.rules).string = {min_len: 1}]; + + // An optional role session name, used when identifying the role in subsequent AWS API calls. + string role_session_name = 7; + + // An optional session duration, used when calculating the maximum time before vended credentials expire. This value cannot exceed the value configured + // in the IAM Roles Anywhere profile and the resultant session duration is calculate by the formula `here `_. + // If no session duration is provided here, the session duration is sourced from the IAM Roles Anywhere profile. + google.protobuf.Duration session_duration = 8 [(validate.rules).duration = { + lte {seconds: 43200} + gte {seconds: 900} + }]; +} + +// The Config Credential Provider has no configurable parameters, but listing it in a custom credential provider chain will enable this +// credential provider. +message ConfigCredentialProvider { +} + +// The Container Credential Provider has no configurable parameters, but listing it in a custom credential provider chain will enable this +// credential provider. +message ContainerCredentialProvider { +} + +// The Environment Credential Provider has no configurable parameters, but listing it in a custom credential provider chain will enable this +// credential provider. +message EnvironmentCredentialProvider { +} + +// The Instance Profile Credential Provider has no configurable parameters, but listing it in a custom credential provider chain will enable this +// credential provider. +message InstanceProfileCredentialProvider { +} + +// Configuration to use `AssumeRole `_ for retrieving new credentials, via role chaining. +// [#next-free-field: 6] +message AssumeRoleCredentialProvider { + // The ARN of the role to assume. + string role_arn = 1 [(validate.rules).string = {min_len: 1}]; + + // An optional role session name, used when identifying the role in subsequent AWS API calls. If not provided, the role session name will default + // to the current timestamp. + string role_session_name = 2; + + // Optional string value to use as the externalId + string external_id = 3; + + // An optional duration, in seconds, of the role session. Minimum role duration is 900s (5 minutes) and maximum is 43200s (12 hours). + // If the session duration is not provided, the default will be determined using the `table described here `_. + google.protobuf.Duration session_duration = 4 [(validate.rules).duration = { + lte {seconds: 43200} + gte {seconds: 900} + }]; + + // The credential provider for signing the AssumeRole request. This is optional and if not set, + // it will be retrieved from the procedure described in :ref:`config_http_filters_aws_request_signing`. + // This list of credential providers cannot include an AssumeRole credential provider and if one is provided + // it will be ignored. + AwsCredentialProvider credential_provider = 5; +} diff --git a/modules/sync/envoyproxy/envoy/cas/42f2592de4fbebcf7e63d68365509a95284fcc01f0ac09b9ad467d6e2d43aec209478d614cec99be11a5f33fa9033e1d0ac86a91504b123fb272df9bac55d74d b/modules/sync/envoyproxy/envoy/cas/42f2592de4fbebcf7e63d68365509a95284fcc01f0ac09b9ad467d6e2d43aec209478d614cec99be11a5f33fa9033e1d0ac86a91504b123fb272df9bac55d74d new file mode 100644 index 00000000..c5f1b4fb --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/42f2592de4fbebcf7e63d68365509a95284fcc01f0ac09b9ad467d6e2d43aec209478d614cec99be11a5f33fa9033e1d0ac86a91504b123fb272df9bac55d74d @@ -0,0 +1,88 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.composite.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/config_source.proto"; +import "envoy/config/core/v3/extension.proto"; + +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.composite.v3"; +option java_outer_classname = "CompositeProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/composite/v3;compositev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Composite] +// Composite Filter :ref:`configuration overview `. +// [#extension: envoy.filters.http.composite] + +// :ref:`Composite filter ` config. The composite filter config +// allows delegating filter handling to another filter as determined by matching on the request +// headers. This makes it possible to use different filters or filter configurations based on the +// incoming request. +// +// This is intended to be used with +// :ref:`ExtensionWithMatcher ` +// where a match tree is specified that indicates (via +// :ref:`ExecuteFilterAction `) +// which filter configuration to create and delegate to. +message Composite { +} + +// A list of filter configurations to be called in order. Note that this can be used as the type +// inside of an ECDS :ref:`TypedExtensionConfig +// ` extension, which allows a chain of +// filters to be configured dynamically. In that case, the types of all filters in the chain must +// be present in the :ref:`ExtensionConfigSource.type_urls +// ` field. +message FilterChainConfiguration { + repeated config.core.v3.TypedExtensionConfig typed_config = 1; +} + +// Configuration for an extension configuration discovery service with name. +message DynamicConfig { + // The name of the extension configuration. It also serves as a resource name in ExtensionConfigDS. + // The resource type in the ``DiscoveryRequest`` will be :ref:`TypedExtensionConfig + // `. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // Configuration source specifier for an extension configuration discovery + // service. In case of a failure and without the default configuration, + // 500(Internal Server Error) will be returned. + config.core.v3.ExtensionConfigSource config_discovery = 2; +} + +// Composite match action (see :ref:`matching docs ` for more info on match actions). +// This specifies the filter configuration of the filter that the composite filter should delegate filter interactions to. +message ExecuteFilterAction { + // Filter specific configuration which depends on the filter being + // instantiated. See the supported filters for further documentation. + // Only one of ``typed_config`` or ``dynamic_config`` can be set. + // Ignored if ``filter_chain`` is set. + // [#extension-category: envoy.filters.http] + config.core.v3.TypedExtensionConfig typed_config = 1 + [(udpa.annotations.field_migrate).oneof_promotion = "config_type"]; + + // Dynamic configuration of filter obtained via extension configuration discovery service. + // Only one of ``typed_config`` or ``dynamic_config`` can be set. + // Ignored if ``filter_chain`` is set. + DynamicConfig dynamic_config = 2 + [(udpa.annotations.field_migrate).oneof_promotion = "config_type"]; + + // An inlined list of filter configurations. The specified filters will be executed in order. + // [#not-implemented-hide:] + FilterChainConfiguration filter_chain = 4; + + // Probability of the action execution. If not specified, this is 100%. + // This allows sampling behavior for the configured actions. + // For example, if + // :ref:`default_value ` + // under the ``sample_percent`` is configured with 30%, a dice roll with that + // probability is done. The underline action will only be executed if the + // dice roll returns positive. Otherwise, the action is skipped. + config.core.v3.RuntimeFractionalPercent sample_percent = 3; +} diff --git a/modules/sync/envoyproxy/envoy/cas/43e45fb3e4a545ad85e52c78ab7a51420e9394fd1f861c4dabd90a19c084721263ae2e4aba91ea48fb9d1f0c1a8ba626850d45cfbcac18042ef50581fafaae9a b/modules/sync/envoyproxy/envoy/cas/43e45fb3e4a545ad85e52c78ab7a51420e9394fd1f861c4dabd90a19c084721263ae2e4aba91ea48fb9d1f0c1a8ba626850d45cfbcac18042ef50581fafaae9a new file mode 100644 index 00000000..204f02f4 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/43e45fb3e4a545ad85e52c78ab7a51420e9394fd1f861c4dabd90a19c084721263ae2e4aba91ea48fb9d1f0c1a8ba626850d45cfbcac18042ef50581fafaae9a @@ -0,0 +1,194 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.thrift_to_metadata.v3; + +import "envoy/extensions/filters/network/thrift_proxy/v3/thrift_proxy.proto"; + +import "google/protobuf/struct.proto"; + +import "xds/annotations/v3/status.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.thrift_to_metadata.v3"; +option java_outer_classname = "ThriftToMetadataProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/thrift_to_metadata/v3;thrift_to_metadatav3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Thrift-To-Metadata Filter] +// +// The Thrift to Metadata filter serves for thrift over HTTP traffic, expecting serialized +// Thrift request and response bodies in the HTTP payload. It extracts *thrift metadata* from the +// HTTP body and put them into the *filter metadata*. This is useful for matching load balancer +// subsets, logging, etc. +// +// Thrift to Metadata :ref:`configuration overview `. +// [#extension: envoy.filters.http.thrift_to_metadata] + +enum Field { + // The Thrift method name, string value. + METHOD_NAME = 0; + + // The Thrift protocol name, string value. Values are "binary", "binary/non-strict", and "compact", with "(auto)" suffix if + // :ref:`protocol ` + // is set to :ref:`AUTO_PROTOCOL` + PROTOCOL = 1; + + // The Thrift transport name, string value. Values are "framed", "header", and "unframed", with "(auto)" suffix if + // :ref:`transport ` + // is set to :ref:`AUTO_TRANSPORT` + TRANSPORT = 2; + + // The Thrift message type, singed 16-bit integer value. + HEADER_FLAGS = 3; + + // The Thrift sequence ID, singed 32-bit integer value. + SEQUENCE_ID = 4; + + // The Thrift message type, string value. Values in request are "call" and "oneway", and in response are "reply" and "exception". + MESSAGE_TYPE = 5; + + // The Thrift reply type, string value. This is only valid for response rules. Values are "success" and "error". + REPLY_TYPE = 6; +} + +message KeyValuePair { + // The namespace — if this is empty, the filter's namespace will be used. + string metadata_namespace = 1; + + // The key to use within the namespace. + string key = 2 [(validate.rules).string = {min_len: 1}]; + + // When used for on_present case, if value is non-empty it'll be used instead + // of the field value. + // + // When used for on_missing case, a non-empty value must be provided. + google.protobuf.Value value = 3; +} + +message FieldSelector { + // field name to log + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // field id to match + int32 id = 2 [(validate.rules).int32 = {lte: 32767 gte: -32768}]; + + // next node of the field selector + FieldSelector child = 3; +} + +// [#next-free-field: 6] +message Rule { + // The field to match on. + // :ref:`field_selector` + // takes precedence if both are set. + Field field = 1; + + // Specifies that a match will be performed on the value of a field in the thrift body. + // If set, the whole http body will be buffered to extract the field value, which + // may have performance implications. + // + // It's a thrift over http version of + // :ref:`field_selector`. + // + // See also `payload-to-metadata `_ + // for more reference. + // + // Example: + // + // .. code-block:: yaml + // + // method_name: foo + // field_selector: + // name: info + // id: 2 + // child: + // name: version + // id: 1 + // + // The above yaml will match on value of ``info.version`` in the below thrift schema as input of + // :ref:`on_present` or + // :ref:`on_missing` + // while we are processing ``foo`` method. This rule won't be applied to ``bar`` method. + // + // .. code-block:: thrift + // + // struct Info { + // 1: required string version; + // } + // service Server { + // bool foo(1: i32 id, 2: Info info); + // bool bar(1: i32 id, 2: Info info); + // } + // + FieldSelector field_selector = 2; + + // If specified, :ref:`field_selector` + // will be used to extract the field value *only* on the thrift message with method name. + string method_name = 3; + + // The key-value pair to set in the *filter metadata* if the field is present + // in *thrift metadata*. + // + // If the value in the KeyValuePair is non-empty, it'll be used instead + // of field value. + KeyValuePair on_present = 4; + + // The key-value pair to set in the *filter metadata* if the field is missing + // in *thrift metadata*. + // + // The value in the KeyValuePair must be set, since it'll be used in lieu + // of the missing field value. + KeyValuePair on_missing = 5; +} + +// The configuration for transforming thrift metadata into filter metadata. +// +// [#next-free-field: 7] +message ThriftToMetadata { + // The list of rules to apply to http request body to extract thrift metadata. + repeated Rule request_rules = 1; + + // The list of rules to apply to http response body to extract thrift metadata. + repeated Rule response_rules = 2; + + // Supplies the type of transport that the Thrift proxy should use. Defaults to + // :ref:`AUTO_TRANSPORT`. + network.thrift_proxy.v3.TransportType transport = 3 + [(validate.rules).enum = {defined_only: true}]; + + // Supplies the type of protocol that the Thrift proxy should use. Defaults to + // :ref:`AUTO_PROTOCOL`. + // Note that :ref:`LAX_BINARY` + // is not distinguished by :ref:`AUTO_PROTOCOL`, + // which is the same with :ref:`thrift_proxy network filter `. + // Note that :ref:`TWITTER` is + // not supported due to deprecation in envoy. + network.thrift_proxy.v3.ProtocolType protocol = 4 [(validate.rules).enum = {defined_only: true}]; + + // Allowed content-type for thrift payload to filter metadata transformation. + // Default to ``{"application/x-thrift"}``. + // + // Set ``allow_empty_content_type`` if empty/missing content-type header + // is allowed. + repeated string allow_content_types = 5 + [(validate.rules).repeated = {items {string {min_len: 1}}}]; + + // Allowed empty content-type for thrift payload to filter metadata transformation. + // Default to false. + bool allow_empty_content_type = 6; +} + +// Thrift to metadata configuration on a per-route basis, which overrides the global configuration for +// request rules and responses rules. +message ThriftToMetadataPerRoute { + option (xds.annotations.v3.message_status).work_in_progress = true; + + // The list of rules to apply to http request body to extract thrift metadata. + repeated Rule request_rules = 1; + + // The list of rules to apply to http response body to extract thrift metadata. + repeated Rule response_rules = 2; +} diff --git a/modules/sync/envoyproxy/envoy/cas/47a85b1ba384f1512d854424c1f56d8b385ea6444b86df61c1c4710c3e1ad7f3a33fa02802e7c75a49654da1427a0efba7764bc5916bf6de58428cd63693ded1 b/modules/sync/envoyproxy/envoy/cas/47a85b1ba384f1512d854424c1f56d8b385ea6444b86df61c1c4710c3e1ad7f3a33fa02802e7c75a49654da1427a0efba7764bc5916bf6de58428cd63693ded1 new file mode 100644 index 00000000..662eefc4 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/47a85b1ba384f1512d854424c1f56d8b385ea6444b86df61c1c4710c3e1ad7f3a33fa02802e7c75a49654da1427a0efba7764bc5916bf6de58428cd63693ded1 @@ -0,0 +1,152 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.header_to_metadata.v3; + +import "envoy/type/matcher/v3/regex.proto"; + +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.header_to_metadata.v3"; +option java_outer_classname = "HeaderToMetadataProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/header_to_metadata/v3;header_to_metadatav3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Header-To-Metadata Filter] +// +// The configuration for transforming headers into metadata. This is useful +// for matching load balancer subsets, logging, etc. +// +// Header to Metadata :ref:`configuration overview `. +// [#extension: envoy.filters.http.header_to_metadata] + +message Config { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.header_to_metadata.v2.Config"; + + // Specifies the value type to use in metadata. + enum ValueType { + STRING = 0; + + NUMBER = 1; + + // The value is a serialized `protobuf.Value + // `_. + PROTOBUF_VALUE = 2; + } + + // Specifies the encoding scheme for the value. + enum ValueEncode { + // No encoding is applied. + NONE = 0; + + // The value is encoded in `Base64 `_. + // + // .. note:: + // + // This is mostly used for ``STRING`` and ``PROTOBUF_VALUE`` to escape the + // non-ASCII characters in the header. + // + BASE64 = 1; + } + + // [#next-free-field: 7] + message KeyValuePair { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.header_to_metadata.v2.Config.KeyValuePair"; + + // The namespace — if this is empty, the filter's namespace will be used. + string metadata_namespace = 1; + + // The key to use within the namespace. + string key = 2 [(validate.rules).string = {min_len: 1}]; + + // The value to pair with the given key. + // + // When used for a + // :ref:`on_header_present ` + // case, if value is non-empty it'll be used instead of the header value. If both are empty, no metadata is added. + // + // When used for a :ref:`on_header_missing ` + // case, a non-empty value must be provided otherwise no metadata is added. + string value = 3 [(udpa.annotations.field_migrate).oneof_promotion = "value_type"]; + + // If present, the header's value will be matched and substituted with this. If there is no match or substitution, the header value + // is used as-is. + // + // This is only used for :ref:`on_header_present `. + // + // .. note:: + // + // If the ``value`` field is non-empty this field should be empty. + // + type.matcher.v3.RegexMatchAndSubstitute regex_value_rewrite = 6 + [(udpa.annotations.field_migrate).oneof_promotion = "value_type"]; + + // The value's type — defaults to string. + ValueType type = 4 [(validate.rules).enum = {defined_only: true}]; + + // How is the value encoded, default is NONE (not encoded). + // The value will be decoded accordingly before storing to metadata. + ValueEncode encode = 5; + } + + // A Rule defines what metadata to apply when a header is present or missing. + // [#next-free-field: 6] + message Rule { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.header_to_metadata.v2.Config.Rule"; + + // Specifies that a match will be performed on the value of a header or a cookie. + // + // The header to be extracted. + string header = 1 [ + (validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}, + (udpa.annotations.field_migrate).oneof_promotion = "header_cookie_specifier" + ]; + + // The cookie to be extracted. + string cookie = 5 [ + (validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}, + (udpa.annotations.field_migrate).oneof_promotion = "header_cookie_specifier" + ]; + + // If the header or cookie is present, apply this metadata ``KeyValuePair``. + // + // If the value in the ``KeyValuePair`` is non-empty, it'll be used instead + // of the header or cookie value. + KeyValuePair on_header_present = 2 [(udpa.annotations.field_migrate).rename = "on_present"]; + + // If the header or cookie is not present, apply this metadata ``KeyValuePair``. + // + // The value in the ``KeyValuePair`` must be set, since it'll be used in lieu + // of the missing header or cookie value. + KeyValuePair on_header_missing = 3 [(udpa.annotations.field_migrate).rename = "on_missing"]; + + // Whether or not to remove the header after a rule is applied. + // + // This prevents headers from leaking. + // This field is not supported in case of a cookie. + bool remove = 4; + } + + // The list of rules to apply to requests. + repeated Rule request_rules = 1; + + // The list of rules to apply to responses. + repeated Rule response_rules = 2; + + // Optional prefix to use when emitting filter statistics. When configured, + // statistics are emitted with the prefix ``http_filter_name.``. + // + // This emits statistics such as: + // + // - ``http_filter_name.my_header_converter.rules_processed`` + // - ``http_filter_name.my_header_converter.metadata_added`` + // + // If not configured, no statistics are emitted. + string stat_prefix = 3; +} diff --git a/modules/sync/envoyproxy/envoy/cas/4b3dff76008b54711f1fb62db1ef09f079ed3da6d6ec89f546594bd1ea01b638ba3b6bec705e16639a755b19007d2377010c7e7d006579e3d1395aee983756cc b/modules/sync/envoyproxy/envoy/cas/4b3dff76008b54711f1fb62db1ef09f079ed3da6d6ec89f546594bd1ea01b638ba3b6bec705e16639a755b19007d2377010c7e7d006579e3d1395aee983756cc new file mode 100644 index 00000000..d4ccf4eb --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/4b3dff76008b54711f1fb62db1ef09f079ed3da6d6ec89f546594bd1ea01b638ba3b6bec705e16639a755b19007d2377010c7e7d006579e3d1395aee983756cc @@ -0,0 +1,85 @@ +syntax = "proto3"; + +package envoy.extensions.geoip_providers.common.v3; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.geoip_providers.common.v3"; +option java_outer_classname = "CommonProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/geoip_providers/common/v3;commonv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Common Geolocation Provider Configuration] +// Common geolocation provider :ref:`configuration overview `. +// Common configuration shared across geolocation providers. + +message CommonGeoipProviderConfig { + // The set of geolocation headers to add to the request. If any of the configured headers is present + // in the incoming request, it will be overridden by the :ref:`GeoIP filter `. + // [#next-free-field: 13] + message GeolocationHeadersToAdd { + // If set, the header will be used to populate the country ISO code associated with the IP address. + string country = 1 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // If set, the header will be used to populate the city associated with the IP address. + string city = 2 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // If set, the header will be used to populate the region ISO code associated with the IP address. + // The least specific subdivision will be selected as the region value. + string region = 3 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // If set, the header will be used to populate the ASN associated with the IP address. + string asn = 4 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // This field is deprecated; use ``anon`` instead. + string is_anon = 5 [ + deprecated = true, + (validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}, + (envoy.annotations.deprecated_at_minor_version) = "3.0" + ]; + + // If set, the IP address will be checked if it belongs to any type of anonymization network (e.g., VPN, public proxy). + // The header will be populated with the check result. Header value will be set to either ``true`` or ``false`` depending on the check result. + string anon = 12 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // If set, the IP address will be checked if it belongs to a VPN and the header will be populated with the check result. + // Header value will be set to either ``true`` or ``false`` depending on the check result. + string anon_vpn = 6 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // If set, the IP address will be checked if it belongs to a hosting provider and the header will be populated with the check result. + // Header value will be set to either ``true`` or ``false`` depending on the check result. + string anon_hosting = 7 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // If set, the IP address will be checked if it belongs to a TOR exit node and the header will be populated with the check result. + // Header value will be set to either ``true`` or ``false`` depending on the check result. + string anon_tor = 8 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // If set, the IP address will be checked if it belongs to a public proxy and the header will be populated with the check result. + // Header value will be set to either ``true`` or ``false`` depending on the check result. + string anon_proxy = 9 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // If set, the header will be used to populate the ISP associated with the IP address. + string isp = 10 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + + // If set, the IP address will be checked if it belongs to the ISP named iCloud Private Relay and the header will be populated with the check result. + // Header value will be set to either ``true`` or ``false`` depending on the check result. + string apple_private_relay = 11 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME ignore_empty: true}]; + } + + // Configuration for geolocation headers to add to the request. + GeolocationHeadersToAdd geo_headers_to_add = 1 [(validate.rules).message = {required: true}]; +} diff --git a/modules/sync/envoyproxy/envoy/cas/4bcf0fe81cddf339e3add76e432b404823cee937521b87cfa3d3062cccc6737ea842028dab050f99f4aeb2e8950ed82e359707125e6093916f8fdcc6a879f8e5 b/modules/sync/envoyproxy/envoy/cas/4bcf0fe81cddf339e3add76e432b404823cee937521b87cfa3d3062cccc6737ea842028dab050f99f4aeb2e8950ed82e359707125e6093916f8fdcc6a879f8e5 new file mode 100644 index 00000000..70d58451 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/4bcf0fe81cddf339e3add76e432b404823cee937521b87cfa3d3062cccc6737ea842028dab050f99f4aeb2e8950ed82e359707125e6093916f8fdcc6a879f8e5 @@ -0,0 +1,17 @@ +syntax = "proto3"; + +package envoy.extensions.grpc_service.channel_credentials.insecure.v3; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.grpc_service.channel_credentials.insecure.v3"; +option java_outer_classname = "InsecureCredentialsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/grpc_service/channel_credentials/insecure/v3;insecurev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: gRPC Insecure Credentials] + +// [#not-implemented-hide:] +message InsecureCredentials { +} diff --git a/modules/sync/envoyproxy/envoy/cas/4e306b1098b447470219676e0a3cc95a4819d2a694fd58ec4349b803bd907396fddca5e3edad7a8ce919d818a27a84e9e68cc0a2a0a5fe1ce547418b30e49132 b/modules/sync/envoyproxy/envoy/cas/4e306b1098b447470219676e0a3cc95a4819d2a694fd58ec4349b803bd907396fddca5e3edad7a8ce919d818a27a84e9e68cc0a2a0a5fe1ce547418b30e49132 new file mode 100644 index 00000000..7364a962 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/4e306b1098b447470219676e0a3cc95a4819d2a694fd58ec4349b803bd907396fddca5e3edad7a8ce919d818a27a84e9e68cc0a2a0a5fe1ce547418b30e49132 @@ -0,0 +1,2718 @@ +syntax = "proto3"; + +package envoy.config.route.v3; + +import "envoy/config/common/mutation_rules/v3/mutation_rules.proto"; +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/proxy_protocol.proto"; +import "envoy/type/matcher/v3/filter_state.proto"; +import "envoy/type/matcher/v3/metadata.proto"; +import "envoy/type/matcher/v3/regex.proto"; +import "envoy/type/matcher/v3/string.proto"; +import "envoy/type/metadata/v3/metadata.proto"; +import "envoy/type/tracing/v3/custom_tag.proto"; +import "envoy/type/v3/percent.proto"; +import "envoy/type/v3/range.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "xds/type/matcher/v3/matcher.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.route.v3"; +option java_outer_classname = "RouteComponentsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/route/v3;routev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: HTTP route components] +// * Routing :ref:`architecture overview ` +// * HTTP :ref:`router filter ` + +// The top level element in the routing configuration is a virtual host. Each virtual host has +// a logical name as well as a set of domains that get routed to it based on the incoming request's +// host header. This allows a single listener to service multiple top level domain path trees. Once +// a virtual host is selected based on the domain, the routes are processed in order to see which +// upstream cluster to route to or whether to perform a redirect. +// [#next-free-field: 26] +message VirtualHost { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.VirtualHost"; + + enum TlsRequirementType { + // No TLS requirement for the virtual host. + NONE = 0; + + // External requests must use TLS. If a request is external and it is not + // using TLS, a 301 redirect will be sent telling the client to use HTTPS. + EXTERNAL_ONLY = 1; + + // All requests must use TLS. If a request is not using TLS, a 301 redirect + // will be sent telling the client to use HTTPS. + ALL = 2; + } + + reserved 9, 12; + + reserved "per_filter_config"; + + // The logical name of the virtual host. This is used when emitting certain + // statistics but is not relevant for routing. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // A list of domains (host/authority header) that will be matched to this + // virtual host. Wildcard hosts are supported in the suffix or prefix form. + // + // Domain search order: + // 1. Exact domain names: ``www.foo.com``. + // 2. Suffix domain wildcards: ``*.foo.com`` or ``*-bar.foo.com``. + // 3. Prefix domain wildcards: ``foo.*`` or ``foo-*``. + // 4. Special wildcard ``*`` matching any domain. + // + // .. note:: + // + // The wildcard will not match the empty string. + // For example, ``*-bar.foo.com`` will match ``baz-bar.foo.com`` but not ``-bar.foo.com``. + // The longest wildcards match first. + // Only a single virtual host in the entire route configuration can match on ``*``. A domain + // must be unique across all virtual hosts or the config will fail to load. + // + // Domains cannot contain control characters. This is validated by the well_known_regex HTTP_HEADER_VALUE. + repeated string domains = 2 [(validate.rules).repeated = { + min_items: 1 + items {string {well_known_regex: HTTP_HEADER_VALUE strict: false}} + }]; + + // The list of routes that will be matched, in order, for incoming requests. + // The first route that matches will be used. + // Only one of this and ``matcher`` can be specified. + repeated Route routes = 3 [(udpa.annotations.field_migrate).oneof_promotion = "route_selection"]; + + // The match tree to use when resolving route actions for incoming requests. Only one of this and ``routes`` + // can be specified. + xds.type.matcher.v3.Matcher matcher = 21 + [(udpa.annotations.field_migrate).oneof_promotion = "route_selection"]; + + // Specifies the type of TLS enforcement the virtual host expects. If this option is not + // specified, there is no TLS requirement for the virtual host. + TlsRequirementType require_tls = 4 [(validate.rules).enum = {defined_only: true}]; + + // A list of virtual clusters defined for this virtual host. Virtual clusters + // are used for additional statistics gathering. + repeated VirtualCluster virtual_clusters = 5; + + // Specifies a set of rate limit configurations that will be applied to the + // virtual host. + repeated RateLimit rate_limits = 6; + + // Specifies a list of HTTP headers that should be added to each request + // handled by this virtual host. Headers specified at this level are applied + // after headers from enclosed :ref:`envoy_v3_api_msg_config.route.v3.Route` and before headers from the + // enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including + // details on header value syntax, see the documentation on :ref:`custom request headers + // `. + repeated core.v3.HeaderValueOption request_headers_to_add = 7 + [(validate.rules).repeated = {max_items: 1000}]; + + // Specifies a list of HTTP headers that should be removed from each request + // handled by this virtual host. + repeated string request_headers_to_remove = 13 [(validate.rules).repeated = { + items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; + + // Specifies a list of HTTP headers that should be added to each response + // handled by this virtual host. Headers specified at this level are applied + // after headers from enclosed :ref:`envoy_v3_api_msg_config.route.v3.Route` and before headers from the + // enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including + // details on header value syntax, see the documentation on :ref:`custom request headers + // `. + repeated core.v3.HeaderValueOption response_headers_to_add = 10 + [(validate.rules).repeated = {max_items: 1000}]; + + // Specifies a list of HTTP headers that should be removed from each response + // handled by this virtual host. + repeated string response_headers_to_remove = 11 [(validate.rules).repeated = { + items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; + + // Indicates that the virtual host has a CORS policy. This field is ignored if related cors policy is + // found in the + // :ref:`VirtualHost.typed_per_filter_config`. + // + // .. attention:: + // + // This option has been deprecated. Please use + // :ref:`VirtualHost.typed_per_filter_config` + // to configure the CORS HTTP filter. + CorsPolicy cors = 8 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // This field can be used to provide virtual host level per filter config. The key should match the + // :ref:`filter config name + // `. + // See :ref:`HTTP filter route-specific config ` + // for details. + // [#comment: An entry's value may be wrapped in a + // :ref:`FilterConfig` + // message to specify additional options.] + map typed_per_filter_config = 15; + + // Decides whether the :ref:`x-envoy-attempt-count + // ` header should be included + // in the upstream request. Setting this option will cause it to override any existing header + // value, so in the case of two Envoys on the request path with this option enabled, the upstream + // will see the attempt count as perceived by the second Envoy. + // + // Defaults to ``false``. + // + // This header is unaffected by the + // :ref:`suppress_envoy_headers + // ` flag. + // + // [#next-major-version: rename to include_attempt_count_in_request.] + bool include_request_attempt_count = 14; + + // Decides whether the :ref:`x-envoy-attempt-count + // ` header should be included + // in the downstream response. Setting this option will cause the router to override any existing header + // value, so in the case of two Envoys on the request path with this option enabled, the downstream + // will see the attempt count as perceived by the Envoy closest upstream from itself. + // + // Defaults to ``false``. + // + // This header is unaffected by the + // :ref:`suppress_envoy_headers + // ` flag. + bool include_attempt_count_in_response = 19; + + // Indicates the retry policy for all routes in this virtual host. Note that setting a + // route level entry will take precedence over this config and it'll be treated + // independently (e.g., values are not inherited). + RetryPolicy retry_policy = 16; + + // [#not-implemented-hide:] + // Specifies the configuration for retry policy extension. Note that setting a route level entry + // will take precedence over this config and it'll be treated independently (e.g., values are not + // inherited). :ref:`Retry policy ` should not be + // set if this field is used. + google.protobuf.Any retry_policy_typed_config = 20; + + // Indicates the hedge policy for all routes in this virtual host. Note that setting a + // route level entry will take precedence over this config and it'll be treated + // independently (e.g., values are not inherited). + HedgePolicy hedge_policy = 17; + + // Decides whether to include the :ref:`x-envoy-is-timeout-retry ` + // request header in retries initiated by per-try timeouts. + bool include_is_timeout_retry_header = 23; + + // The maximum bytes which will be buffered for retries and shadowing. If set, the bytes actually buffered will be + // the minimum value of this and the listener ``per_connection_buffer_limit_bytes``. + // + // .. attention:: + // + // This field has been deprecated. Please use :ref:`request_body_buffer_limit + // ` instead. + // Only one of ``per_request_buffer_limit_bytes`` and ``request_body_buffer_limit`` could be set. + google.protobuf.UInt32Value per_request_buffer_limit_bytes = 18 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // The maximum bytes which will be buffered for request bodies to support large request body + // buffering beyond the ``per_connection_buffer_limit_bytes``. + // + // This limit is specifically for the request body buffering and allows buffering larger payloads while maintaining + // flow control. + // + // Buffer limit precedence (from highest to lowest priority): + // + // 1. If ``request_body_buffer_limit`` is set, then ``request_body_buffer_limit`` will be used. + // 2. If :ref:`per_request_buffer_limit_bytes ` + // is set but ``request_body_buffer_limit`` is not, then ``min(per_request_buffer_limit_bytes, per_connection_buffer_limit_bytes)`` + // will be used. + // 3. If neither is set, then ``per_connection_buffer_limit_bytes`` will be used. + // + // For flow control chunk sizes, ``min(per_connection_buffer_limit_bytes, 16KB)`` will be used. + // + // Only one of :ref:`per_request_buffer_limit_bytes ` + // and ``request_body_buffer_limit`` could be set. + google.protobuf.UInt64Value request_body_buffer_limit = 25 + [(validate.rules).message = {required: false}]; + + // Specify a set of default request mirroring policies for every route under this virtual host. + // It takes precedence over the route config mirror policy entirely. + // That is, policies are not merged, the most specific non-empty one becomes the mirror policies. + repeated RouteAction.RequestMirrorPolicy request_mirror_policies = 22; + + // The metadata field can be used to provide additional information + // about the virtual host. It can be used for configuration, stats, and logging. + // The metadata should go under the filter namespace that will need it. + // For instance, if the metadata is intended for the Router filter, + // the filter name should be specified as ``envoy.filters.http.router``. + core.v3.Metadata metadata = 24; +} + +// A filter-defined action type. +message FilterAction { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.FilterAction"; + + google.protobuf.Any action = 1; +} + +// This can be used in route matcher :ref:`VirtualHost.matcher `. +// When the matcher matches, routes will be matched and run. +message RouteList { + // The list of routes that will be matched and run, in order. The first route that matches will be used. + repeated Route routes = 1; +} + +// A route is both a specification of how to match a request as well as an indication of what to do +// next (e.g., redirect, forward, rewrite, etc.). +// +// .. attention:: +// +// Envoy supports routing on HTTP method via :ref:`header matching +// `. +// [#next-free-field: 21] +message Route { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.Route"; + + reserved 6, 8; + + reserved "per_filter_config"; + + // Name for the route. + string name = 14; + + // Route matching parameters. + RouteMatch match = 1 [(validate.rules).message = {required: true}]; + + oneof action { + option (validate.required) = true; + + // Route request to some upstream cluster. + RouteAction route = 2; + + // Return a redirect. + RedirectAction redirect = 3; + + // Return an arbitrary HTTP response directly, without proxying. + DirectResponseAction direct_response = 7; + + // [#not-implemented-hide:] + // A filter-defined action (e.g., it could dynamically generate the RouteAction). + // [#comment: TODO(samflattery): Remove cleanup in route_fuzz_test.cc when + // implemented] + FilterAction filter_action = 17; + + // [#not-implemented-hide:] + // An action used when the route will generate a response directly, + // without forwarding to an upstream host. This will be used in non-proxy + // xDS clients like the gRPC server. It could also be used in the future + // in Envoy for a filter that directly generates responses for requests. + NonForwardingAction non_forwarding_action = 18; + } + + // The Metadata field can be used to provide additional information + // about the route. It can be used for configuration, stats, and logging. + // The metadata should go under the filter namespace that will need it. + // For instance, if the metadata is intended for the Router filter, + // the filter name should be specified as ``envoy.filters.http.router``. + core.v3.Metadata metadata = 4; + + // Decorator for the matched route. + Decorator decorator = 5; + + // This field can be used to provide route specific per filter config. The key should match the + // :ref:`filter config name + // `. + // See :ref:`HTTP filter route-specific config ` + // for details. + // [#comment: An entry's value may be wrapped in a + // :ref:`FilterConfig` + // message to specify additional options.] + map typed_per_filter_config = 13; + + // Specifies a set of headers that will be added to requests matching this + // route. Headers specified at this level are applied before headers from the + // enclosing :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost` and + // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including details on + // header value syntax, see the documentation on :ref:`custom request headers + // `. + repeated core.v3.HeaderValueOption request_headers_to_add = 9 + [(validate.rules).repeated = {max_items: 1000}]; + + // Specifies a list of HTTP headers that should be removed from each request + // matching this route. + repeated string request_headers_to_remove = 12 [(validate.rules).repeated = { + items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; + + // Specifies a set of headers that will be added to responses to requests + // matching this route. Headers specified at this level are applied before + // headers from the enclosing :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost` and + // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including + // details on header value syntax, see the documentation on + // :ref:`custom request headers `. + repeated core.v3.HeaderValueOption response_headers_to_add = 10 + [(validate.rules).repeated = {max_items: 1000}]; + + // Specifies a list of HTTP headers that should be removed from each response + // to requests matching this route. + repeated string response_headers_to_remove = 11 [(validate.rules).repeated = { + items {string {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; + + // Presence of the object defines whether the connection manager's tracing configuration + // is overridden by this route specific instance. + Tracing tracing = 15; + + // The maximum bytes which will be buffered for retries and shadowing. + // If set, the bytes actually buffered will be the minimum value of this and the + // listener per_connection_buffer_limit_bytes. + // + // .. attention:: + // + // This field has been deprecated. Please use :ref:`request_body_buffer_limit + // ` instead. + // Only one of ``per_request_buffer_limit_bytes`` and ``request_body_buffer_limit`` may be set. + google.protobuf.UInt32Value per_request_buffer_limit_bytes = 16 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // The human readable prefix to use when emitting statistics for this endpoint. + // The statistics are rooted at vhost..route.. + // This should be set for highly critical + // endpoints that one wishes to get “per-route” statistics on. + // If not set, endpoint statistics are not generated. + // + // The emitted statistics are the same as those documented for :ref:`virtual clusters `. + // + // .. warning:: + // + // We do not recommend setting up a stat prefix for + // every application endpoint. This is both not easily maintainable and + // statistics use a non-trivial amount of memory (approximately 1KiB per route). + string stat_prefix = 19; + + // The maximum bytes which will be buffered for request bodies to support large request body + // buffering beyond the ``per_connection_buffer_limit_bytes``. + // + // This limit is specifically for the request body buffering and allows buffering larger payloads while maintaining + // flow control. + // + // Buffer limit precedence (from highest to lowest priority): + // + // 1. If ``request_body_buffer_limit`` is set: use ``request_body_buffer_limit`` + // 2. If :ref:`per_request_buffer_limit_bytes ` + // is set but ``request_body_buffer_limit`` is not: use ``min(per_request_buffer_limit_bytes, per_connection_buffer_limit_bytes)`` + // 3. If neither is set: use ``per_connection_buffer_limit_bytes`` + // + // For flow control chunk sizes, use ``min(per_connection_buffer_limit_bytes, 16KB)``. + // + // Only one of :ref:`per_request_buffer_limit_bytes ` + // and ``request_body_buffer_limit`` may be set. + google.protobuf.UInt64Value request_body_buffer_limit = 20; +} + +// Compared to the :ref:`cluster ` field that specifies a +// single upstream cluster as the target of a request, the :ref:`weighted_clusters +// ` option allows for specification of +// multiple upstream clusters along with weights that indicate the percentage of +// traffic to be forwarded to each cluster. The router selects an upstream cluster based on the +// weights. +// [#next-free-field: 6] +message WeightedCluster { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.WeightedCluster"; + + // [#next-free-field: 13] + message ClusterWeight { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.WeightedCluster.ClusterWeight"; + + reserved 7, 8; + + reserved "per_filter_config"; + + // Only one of ``name`` and ``cluster_header`` may be specified. + // [#next-major-version: Need to add back the validation rule: (validate.rules).string = {min_len: 1}] + // Name of the upstream cluster. The cluster must exist in the + // :ref:`cluster manager configuration `. + string name = 1 [(udpa.annotations.field_migrate).oneof_promotion = "cluster_specifier"]; + + // Only one of ``name`` and ``cluster_header`` may be specified. + // [#next-major-version: Need to add back the validation rule: (validate.rules).string = {min_len: 1 }] + // Envoy will determine the cluster to route to by reading the value of the + // HTTP header named by cluster_header from the request headers. If the + // header is not found or the referenced cluster does not exist, Envoy will + // return a 404 response. + // + // .. attention:: + // + // Internally, Envoy always uses the HTTP/2 ``:authority`` header to represent the HTTP/1 + // ``Host`` header. Thus, if attempting to match on ``Host``, match on ``:authority`` instead. + // + // .. note:: + // + // If the header appears multiple times only the first value is used. + string cluster_header = 12 [ + (validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}, + (udpa.annotations.field_migrate).oneof_promotion = "cluster_specifier" + ]; + + // The weight of the cluster. This value is relative to the other clusters' + // weights. When a request matches the route, the choice of an upstream cluster + // is determined by its weight. The sum of weights across all + // entries in the clusters array must be greater than 0, and must not exceed + // uint32_t maximal value (4294967295). + google.protobuf.UInt32Value weight = 2; + + // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints in + // the upstream cluster with metadata matching what is set in this field will be considered for + // load balancing. Note that this will be merged with what's provided in + // :ref:`RouteAction.metadata_match `, with + // values here taking precedence. The filter name should be specified as ``envoy.lb``. + core.v3.Metadata metadata_match = 3; + + // Specifies a list of headers to be added to requests when this cluster is selected + // through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. + // Headers specified at this level are applied before headers from the enclosing + // :ref:`envoy_v3_api_msg_config.route.v3.Route`, :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost`, and + // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including details on + // header value syntax, see the documentation on :ref:`custom request headers + // `. + repeated core.v3.HeaderValueOption request_headers_to_add = 4 + [(validate.rules).repeated = {max_items: 1000}]; + + // Specifies a list of HTTP headers that should be removed from each request when + // this cluster is selected through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. + repeated string request_headers_to_remove = 9 [(validate.rules).repeated = { + items {string {well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; + + // Specifies a list of headers to be added to responses when this cluster is selected + // through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. + // Headers specified at this level are applied before headers from the enclosing + // :ref:`envoy_v3_api_msg_config.route.v3.Route`, :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost`, and + // :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration`. For more information, including details on + // header value syntax, see the documentation on :ref:`custom request headers + // `. + repeated core.v3.HeaderValueOption response_headers_to_add = 5 + [(validate.rules).repeated = {max_items: 1000}]; + + // Specifies a list of headers to be removed from responses when this cluster is selected + // through the enclosing :ref:`envoy_v3_api_msg_config.route.v3.RouteAction`. + repeated string response_headers_to_remove = 6 [(validate.rules).repeated = { + items {string {well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; + + // This field can be used to provide weighted cluster specific per filter config. The key should match the + // :ref:`filter config name + // `. + // See :ref:`HTTP filter route-specific config ` + // for details. + // [#comment: An entry's value may be wrapped in a + // :ref:`FilterConfig` + // message to specify additional options.] + map typed_per_filter_config = 10; + + oneof host_rewrite_specifier { + // Indicates that during forwarding, the host header will be swapped with + // this value. + string host_rewrite_literal = 11 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + } + } + + // Specifies one or more upstream clusters associated with the route. + repeated ClusterWeight clusters = 1 [(validate.rules).repeated = {min_items: 1}]; + + // Specifies the total weight across all clusters. The sum of all cluster weights must equal this + // value, if this is greater than 0. + // This field is now deprecated, and the client will use the sum of all + // cluster weights. It is up to the management server to supply the correct weights. + google.protobuf.UInt32Value total_weight = 3 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Specifies the runtime key prefix that should be used to construct the + // runtime keys associated with each cluster. When the ``runtime_key_prefix`` is + // specified, the router will look for weights associated with each upstream + // cluster under the key ``runtime_key_prefix`` + ``.`` + ``cluster[i].name`` where + // ``cluster[i]`` denotes an entry in the clusters array field. If the runtime + // key for the cluster does not exist, the value specified in the + // configuration file will be used as the default weight. See the :ref:`runtime documentation + // ` for how key names map to the underlying implementation. + string runtime_key_prefix = 2; + + oneof random_value_specifier { + // Specifies the header name that is used to look up the random value passed in the request header. + // This is used to ensure consistent cluster picking across multiple proxy levels for weighted traffic. + // If header is not present or invalid, Envoy will fall back to use the internally generated random value. + // This header is expected to be single-valued header as we only want to have one selected value throughout + // the process for the consistency. And the value is a unsigned number between 0 and UINT64_MAX. + string header_name = 4 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // When set to true, the hash policies will be used to generate the random value for weighted cluster selection. + // This could ensure consistent cluster picking across multiple proxy levels for weighted traffic. + google.protobuf.BoolValue use_hash_policy = 5; + } +} + +// Configuration for a cluster specifier plugin. +message ClusterSpecifierPlugin { + // The name of the plugin and its opaque configuration. + // + // [#extension-category: envoy.router.cluster_specifier_plugin] + core.v3.TypedExtensionConfig extension = 1 [(validate.rules).message = {required: true}]; + + // If is_optional is not set or is set to false and the plugin defined by this message is not a + // supported type, the containing resource is NACKed. If is_optional is set to true, the resource + // would not be NACKed for this reason. In this case, routes referencing this plugin's name would + // not be treated as an illegal configuration, but would result in a failure if the route is + // selected. + bool is_optional = 2; +} + +// [#next-free-field: 17] +message RouteMatch { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RouteMatch"; + + message GrpcRouteMatchOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteMatch.GrpcRouteMatchOptions"; + } + + message TlsContextMatchOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteMatch.TlsContextMatchOptions"; + + // If specified, the route will match against whether or not a certificate is presented. + // If not specified, certificate presentation status (true or false) will not be considered when route matching. + google.protobuf.BoolValue presented = 1; + + // If specified, the route will match against whether or not a certificate is validated. + // If not specified, certificate validation status (true or false) will not be considered when route matching. + // + // .. warning:: + // + // Client certificate validation is not currently performed upon TLS session resumption. For + // a resumed TLS session the route will match only when ``validated`` is false, regardless of + // whether the client TLS certificate is valid. + // + // The only known workaround for this issue is to disable TLS session resumption entirely, by + // setting both :ref:`disable_stateless_session_resumption ` + // and :ref:`disable_stateful_session_resumption ` on the DownstreamTlsContext. + google.protobuf.BoolValue validated = 2; + } + + // An extensible message for matching CONNECT or CONNECT-UDP requests. + message ConnectMatcher { + } + + reserved 5, 3; + + reserved "regex"; + + oneof path_specifier { + option (validate.required) = true; + + // If specified, the route is a prefix rule meaning that the prefix must + // match the beginning of the ``:path`` header. + string prefix = 1; + + // If specified, the route is an exact path rule meaning that the path must + // exactly match the ``:path`` header once the query string is removed. + string path = 2; + + // If specified, the route is a regular expression rule meaning that the + // regex must match the ``:path`` header once the query string is removed. The entire path + // (without the query string) must match the regex. The rule will not match if only a + // subsequence of the ``:path`` header matches the regex. + // + // [#next-major-version: In the v3 API we should redo how path specification works such + // that we utilize StringMatcher, and additionally have consistent options around whether we + // strip query strings, do a case-sensitive match, etc. In the interim it will be too disruptive + // to deprecate the existing options. We should even consider whether we want to do away with + // path_specifier entirely and just rely on a set of header matchers which can already match + // on :path, etc. The issue with that is it is unclear how to generically deal with query string + // stripping. This needs more thought.] + type.matcher.v3.RegexMatcher safe_regex = 10 [(validate.rules).message = {required: true}]; + + // If this is used as the matcher, the matcher will only match CONNECT or CONNECT-UDP requests. + // Note that this will not match other Extended CONNECT requests (WebSocket and the like) as + // they are normalized in Envoy as HTTP/1.1 style upgrades. + // This is the only way to match CONNECT requests for HTTP/1.1. For HTTP/2 and HTTP/3, + // where Extended CONNECT requests may have a path, the path matchers will work if + // there is a path present. + // Note that CONNECT support is currently considered alpha in Envoy. + // [#comment: TODO(htuch): Replace the above comment with an alpha tag.] + ConnectMatcher connect_matcher = 12; + + // If specified, the route is a path-separated prefix rule meaning that the + // ``:path`` header (without the query string) must either exactly match the + // ``path_separated_prefix`` or have it as a prefix, followed by ``/`` + // + // For example, ``/api/dev`` would match + // ``/api/dev``, ``/api/dev/``, ``/api/dev/v1``, and ``/api/dev?param=true`` + // but would not match ``/api/developer`` + // + // Expect the value to not contain ``?`` or ``#`` and not to end in ``/`` + string path_separated_prefix = 14 [(validate.rules).string = {pattern: "^[^?#]+[^?#/]$"}]; + + // [#extension-category: envoy.path.match] + core.v3.TypedExtensionConfig path_match_policy = 15; + } + + // Indicates that prefix/path matching should be case-sensitive. The default + // is true. Ignored for safe_regex matching. + google.protobuf.BoolValue case_sensitive = 4; + + // Indicates that the route should additionally match on a runtime key. Every time the route + // is considered for a match, it must also fall under the percentage of matches indicated by + // this field. For some fraction N/D, a random number in the range [0,D) is selected. If the + // number is <= the value of the numerator N, or if the key is not present, the default + // value, the router continues to evaluate the remaining match criteria. A runtime_fraction + // route configuration can be used to roll out route changes in a gradual manner without full + // code/config deploys. Refer to the :ref:`traffic shifting + // ` docs for additional documentation. + // + // .. note:: + // + // Parsing this field is implemented such that the runtime key's data may be represented + // as a FractionalPercent proto represented as JSON/YAML and may also be represented as an + // integer with the assumption that the value is an integral percentage out of 100. For + // instance, a runtime key lookup returning the value "42" would parse as a FractionalPercent + // whose numerator is 42 and denominator is HUNDRED. This preserves legacy semantics. + core.v3.RuntimeFractionalPercent runtime_fraction = 9; + + // Specifies a set of headers that the route should match on. The router will + // check the request’s headers against all the specified headers in the route + // config. A match will happen if all the headers in the route are present in + // the request with the same values (or based on presence if the value field + // is not in the config). + repeated HeaderMatcher headers = 6; + + // Specifies a set of URL query parameters on which the route should + // match. The router will check the query string from the ``path`` header + // against all the specified query parameters. If the number of specified + // query parameters is nonzero, they all must match the ``path`` header's + // query string for a match to occur. In the event query parameters are + // repeated, only the first value for each key will be considered. + // + // .. note:: + // + // If query parameters are used to pass request message fields when + // `grpc_json_transcoder `_ + // is used, the transcoded message fields may be different. The query parameters are + // URL-encoded, but the message fields are not. For example, if a query + // parameter is "foo%20bar", the message field will be "foo bar". + repeated QueryParameterMatcher query_parameters = 7; + + // If specified, only gRPC requests will be matched. The router will check + // that the ``Content-Type`` header has ``application/grpc`` or one of the various + // ``application/grpc+`` values. + GrpcRouteMatchOptions grpc = 8; + + // If specified, the client tls context will be matched against the defined + // match options. + // + // [#next-major-version: unify with RBAC] + TlsContextMatchOptions tls_context = 11; + + // Specifies a set of dynamic metadata matchers on which the route should match. + // The router will check the dynamic metadata against all the specified dynamic metadata matchers. + // If the number of specified dynamic metadata matchers is nonzero, they all must match the + // dynamic metadata for a match to occur. + repeated type.matcher.v3.MetadataMatcher dynamic_metadata = 13; + + // Specifies a set of filter state matchers on which the route should match. + // The router will check the filter state against all the specified filter state matchers. + // If the number of specified filter state matchers is nonzero, they all must match the + // filter state for a match to occur. + repeated type.matcher.v3.FilterStateMatcher filter_state = 16; +} + +// Cors policy configuration. +// +// .. attention:: +// +// This message has been deprecated. Please use +// :ref:`CorsPolicy in filter extension ` +// as as alternative. +// +// [#next-free-field: 14] +message CorsPolicy { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.CorsPolicy"; + + reserved 1, 8, 7; + + reserved "allow_origin", "allow_origin_regex", "enabled"; + + // Specifies string patterns that match allowed origins. An origin is allowed if any of the + // string matchers match. + repeated type.matcher.v3.StringMatcher allow_origin_string_match = 11; + + // Specifies the content for the ``access-control-allow-methods`` header. + string allow_methods = 2; + + // Specifies the content for the ``access-control-allow-headers`` header. + string allow_headers = 3; + + // Specifies the content for the ``access-control-expose-headers`` header. + string expose_headers = 4; + + // Specifies the content for the ``access-control-max-age`` header. + string max_age = 5; + + // Specifies whether the resource allows credentials. + google.protobuf.BoolValue allow_credentials = 6; + + oneof enabled_specifier { + // Specifies the % of requests for which the CORS filter is enabled. + // + // If neither ``enabled``, ``filter_enabled``, nor ``shadow_enabled`` are specified, the CORS + // filter will be enabled for 100% of the requests. + // + // If :ref:`runtime_key ` is + // specified, Envoy will lookup the runtime key to get the percentage of requests to filter. + core.v3.RuntimeFractionalPercent filter_enabled = 9; + } + + // Specifies the % of requests for which the CORS policies will be evaluated and tracked, but not + // enforced. + // + // This field is intended to be used when ``filter_enabled`` and ``enabled`` are off. One of those + // fields have to explicitly disable the filter in order for this setting to take effect. + // + // If :ref:`runtime_key ` is specified, + // Envoy will lookup the runtime key to get the percentage of requests for which it will evaluate + // and track the request's ``Origin`` to determine if it's valid but will not enforce any policies. + core.v3.RuntimeFractionalPercent shadow_enabled = 10; + + // Specify whether allow requests whose target server's IP address is more private than that from + // which the request initiator was fetched. + // + // More details refer to https://developer.chrome.com/blog/private-network-access-preflight. + google.protobuf.BoolValue allow_private_network_access = 12; + + // Specifies if preflight requests not matching the configured allowed origin should be forwarded + // to the upstream. Default is ``true``. + google.protobuf.BoolValue forward_not_matching_preflights = 13; +} + +// [#next-free-field: 43] +message RouteAction { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RouteAction"; + + enum ClusterNotFoundResponseCode { + // HTTP status code - 503 Service Unavailable. + SERVICE_UNAVAILABLE = 0; + + // HTTP status code - 404 Not Found. + NOT_FOUND = 1; + + // HTTP status code - 500 Internal Server Error. + INTERNAL_SERVER_ERROR = 2; + } + + // Configures :ref:`internal redirect ` behavior. + // [#next-major-version: remove this definition - it's defined in the InternalRedirectPolicy message.] + enum InternalRedirectAction { + option deprecated = true; + + PASS_THROUGH_INTERNAL_REDIRECT = 0; + HANDLE_INTERNAL_REDIRECT = 1; + } + + // The router is capable of shadowing traffic from one cluster to another. The current + // implementation is "fire and forget," meaning Envoy will not wait for the shadow cluster to + // respond before returning the response from the primary cluster. All normal statistics are + // collected for the shadow cluster making this feature useful for testing. + // + // During shadowing, the host/authority header is altered such that ``-shadow`` is appended. This is + // useful for logging. For example, ``cluster1`` becomes ``cluster1-shadow``. This behavior can be + // disabled by setting ``disable_shadow_host_suffix_append`` to ``true``. + // + // .. note:: + // + // Shadowing will not be triggered if the primary cluster does not exist. + // + // .. note:: + // + // Shadowing doesn't support HTTP CONNECT and upgrades. + // [#next-free-field: 9] + message RequestMirrorPolicy { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.RequestMirrorPolicy"; + + reserved 2; + + reserved "runtime_key"; + + // Only one of ``cluster`` and ``cluster_header`` can be specified. + // [#next-major-version: Need to add back the validation rule: (validate.rules).string = {min_len: 1}] + // Specifies the cluster that requests will be mirrored to. The cluster must + // exist in the cluster manager configuration. + string cluster = 1 [(udpa.annotations.field_migrate).oneof_promotion = "cluster_specifier"]; + + // Only one of ``cluster`` and ``cluster_header`` can be specified. + // Envoy will determine the cluster to route to by reading the value of the + // HTTP header named by cluster_header from the request headers. Only the first value in header is used, + // and no shadow request will happen if the value is not found in headers. Envoy will not wait for + // the shadow cluster to respond before returning the response from the primary cluster. + // + // .. attention:: + // + // Internally, Envoy always uses the HTTP/2 ``:authority`` header to represent the HTTP/1 + // ``Host`` header. Thus, if attempting to match on ``Host``, match on ``:authority`` instead. + // + // .. note:: + // + // If the header appears multiple times only the first value is used. + string cluster_header = 5 [ + (validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}, + (udpa.annotations.field_migrate).oneof_promotion = "cluster_specifier" + ]; + + // If not specified, all requests to the target cluster will be mirrored. + // + // If specified, this field takes precedence over the ``runtime_key`` field and requests must also + // fall under the percentage of matches indicated by this field. + // + // For some fraction N/D, a random number in the range [0,D) is selected. If the + // number is <= the value of the numerator N, or if the key is not present, the default + // value, the request will be mirrored. + core.v3.RuntimeFractionalPercent runtime_fraction = 3; + + // Specifies whether the trace span for the shadow request should be sampled. If this field is not explicitly set, + // the shadow request will inherit the sampling decision of its parent span. This ensures consistency with the trace + // sampling policy of the original request and prevents oversampling, especially in scenarios where runtime sampling + // is disabled. + google.protobuf.BoolValue trace_sampled = 4; + + // Disables appending the ``-shadow`` suffix to the shadowed ``Host`` header. + // + // Defaults to ``false``. + bool disable_shadow_host_suffix_append = 6; + + // Specifies a list of header mutations that should be applied to each mirrored request. + // Header mutations are applied in the order they are specified. For more information, including + // details on header value syntax, see the documentation on :ref:`custom request headers + // `. + repeated common.mutation_rules.v3.HeaderMutation request_headers_mutations = 7 + [(validate.rules).repeated = {max_items: 1000}]; + + // Indicates that during mirroring, the host header will be swapped with this value. + // :ref:`disable_shadow_host_suffix_append + // ` + // is implicitly enabled if this field is set. + string host_rewrite_literal = 8 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + } + + // Specifies the route's hashing policy if the upstream cluster uses a hashing :ref:`load balancer + // `. + // [#next-free-field: 7] + message HashPolicy { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.HashPolicy"; + + message Header { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.HashPolicy.Header"; + + // The name of the request header that will be used to obtain the hash + // key. If the request header is not present, no hash will be produced. + string header_name = 1 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // If specified, the request header value will be rewritten and used + // to produce the hash key. + type.matcher.v3.RegexMatchAndSubstitute regex_rewrite = 2; + } + + // CookieAttribute defines an API for adding additional attributes for a HTTP cookie. + message CookieAttribute { + // The name of the cookie attribute. + string name = 1 + [(validate.rules).string = + {min_len: 1 max_bytes: 16384 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // The optional value of the cookie attribute. + string value = 2 [(validate.rules).string = + {max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false}]; + } + + // Envoy supports two types of cookie affinity: + // + // 1. Passive. Envoy takes a cookie that's present in the cookies header and + // hashes on its value. + // + // 2. Generated. Envoy generates and sets a cookie with an expiration (TTL) + // on the first request from the client in its response to the client, + // based on the endpoint the request gets sent to. The client then + // presents this on the next and all subsequent requests. The hash of + // this is sufficient to ensure these requests get sent to the same + // endpoint. The cookie is generated by hashing the source and + // destination ports and addresses so that multiple independent HTTP2 + // streams on the same connection will independently receive the same + // cookie, even if they arrive at the Envoy simultaneously. + message Cookie { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.HashPolicy.Cookie"; + + // The name of the cookie that will be used to obtain the hash key. If the + // cookie is not present and ttl below is not set, no hash will be + // produced. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // If specified, a cookie with the TTL will be generated if the cookie is + // not present. If the TTL is present and zero, the generated cookie will + // be a session cookie. + google.protobuf.Duration ttl = 2; + + // The name of the path for the cookie. If no path is specified here, no path + // will be set for the cookie. + string path = 3; + + // Additional attributes for the cookie. They will be used when generating a new cookie. + repeated CookieAttribute attributes = 4; + } + + message ConnectionProperties { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.HashPolicy.ConnectionProperties"; + + // Hash on source IP address. + bool source_ip = 1; + } + + message QueryParameter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.HashPolicy.QueryParameter"; + + // The name of the URL query parameter that will be used to obtain the hash + // key. If the parameter is not present, no hash will be produced. Query + // parameter names are case-sensitive. If query parameters are repeated, only + // the first value will be considered. + string name = 1 [(validate.rules).string = {min_len: 1}]; + } + + message FilterState { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.HashPolicy.FilterState"; + + // The name of the Object in the per-request filterState, which is an + // Envoy::Hashable object. If there is no data associated with the key, + // or the stored object is not Envoy::Hashable, no hash will be produced. + string key = 1 [(validate.rules).string = {min_len: 1}]; + } + + oneof policy_specifier { + option (validate.required) = true; + + // Header hash policy. + Header header = 1; + + // Cookie hash policy. + Cookie cookie = 2; + + // Connection properties hash policy. + ConnectionProperties connection_properties = 3; + + // Query parameter hash policy. + QueryParameter query_parameter = 5; + + // Filter state hash policy. + FilterState filter_state = 6; + } + + // The flag that short-circuits the hash computing. This field provides a + // 'fallback' style of configuration: "if a terminal policy doesn't work, + // fallback to rest of the policy list", it saves time when the terminal + // policy works. + // + // If true, and there is already a hash computed, ignore rest of the + // list of hash polices. + // For example, if the following hash methods are configured: + // + // ========= ======== + // specifier terminal + // ========= ======== + // Header A true + // Header B false + // Header C false + // ========= ======== + // + // The generateHash process ends if policy "header A" generates a hash, as + // it's a terminal policy. + bool terminal = 4; + } + + // Allows enabling and disabling upgrades on a per-route basis. + // This overrides any enabled/disabled upgrade filter chain specified in the + // HttpConnectionManager + // :ref:`upgrade_configs + // ` + // but does not affect any custom filter chain specified there. + message UpgradeConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RouteAction.UpgradeConfig"; + + // Configuration for sending data upstream as a raw data payload. This is used for + // CONNECT or POST requests, when forwarding request payload as raw TCP. + message ConnectConfig { + // If present, the proxy protocol header will be prepended to the CONNECT payload sent upstream. + core.v3.ProxyProtocolConfig proxy_protocol_config = 1; + + // If set, the route will also allow forwarding POST payload as raw TCP. + bool allow_post = 2; + } + + // The case-insensitive name of this upgrade, for example, "websocket". + // For each upgrade type present in upgrade_configs, requests with + // Upgrade: [upgrade_type] will be proxied upstream. + string upgrade_type = 1 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Determines if upgrades are available on this route. + // + // Defaults to ``true``. + google.protobuf.BoolValue enabled = 2; + + // Configuration for sending data upstream as a raw data payload. This is used for + // CONNECT requests, when forwarding CONNECT payload as raw TCP. + // Note that CONNECT support is currently considered alpha in Envoy. + // [#comment: TODO(htuch): Replace the above comment with an alpha tag.] + ConnectConfig connect_config = 3; + } + + message MaxStreamDuration { + // Specifies the maximum duration allowed for streams on the route. If not specified, the value + // from the :ref:`max_stream_duration + // ` field in + // :ref:`HttpConnectionManager.common_http_protocol_options + // ` + // is used. If this field is set explicitly to zero, any + // HttpConnectionManager max_stream_duration timeout will be disabled for + // this route. + google.protobuf.Duration max_stream_duration = 1; + + // If present, and the request contains a `grpc-timeout header + // `_, use that value as the + // ``max_stream_duration``, but limit the applied timeout to the maximum value specified here. + // If set to 0, the ``grpc-timeout`` header is used without modification. + google.protobuf.Duration grpc_timeout_header_max = 2; + + // If present, Envoy will adjust the timeout provided by the ``grpc-timeout`` header by + // subtracting the provided duration from the header. This is useful for allowing Envoy to set + // its global timeout to be less than that of the deadline imposed by the calling client, which + // makes it more likely that Envoy will handle the timeout instead of having the call canceled + // by the client. If, after applying the offset, the resulting timeout is zero or negative, + // the stream will timeout immediately. + google.protobuf.Duration grpc_timeout_header_offset = 3; + } + + reserved 12, 18, 19, 16, 22, 21, 10; + + reserved "request_mirror_policy"; + + oneof cluster_specifier { + option (validate.required) = true; + + // Indicates the upstream cluster to which the request should be routed + // to. + string cluster = 1 [(validate.rules).string = {min_len: 1}]; + + // Envoy will determine the cluster to route to by reading the value of the + // HTTP header named by cluster_header from the request headers. If the + // header is not found or the referenced cluster does not exist, Envoy will + // return a 404 response. + // + // .. attention:: + // + // Internally, Envoy always uses the HTTP/2 ``:authority`` header to represent the HTTP/1 + // ``Host`` header. Thus, if attempting to match on ``Host``, match on ``:authority`` instead. + // + // .. note:: + // + // If the header appears multiple times only the first value is used. + string cluster_header = 2 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // Multiple upstream clusters can be specified for a given route. The + // request is routed to one of the upstream clusters based on weights + // assigned to each cluster. See + // :ref:`traffic splitting ` + // for additional documentation. + WeightedCluster weighted_clusters = 3; + + // Name of the cluster specifier plugin to use to determine the cluster for requests on this route. + // The cluster specifier plugin name must be defined in the associated + // :ref:`cluster specifier plugins ` + // in the :ref:`name ` field. + string cluster_specifier_plugin = 37; + + // Custom cluster specifier plugin configuration to use to determine the cluster for requests + // on this route. + ClusterSpecifierPlugin inline_cluster_specifier_plugin = 39; + } + + // The HTTP status code to use when configured cluster is not found. + // The default response code is 503 Service Unavailable. + ClusterNotFoundResponseCode cluster_not_found_response_code = 20 + [(validate.rules).enum = {defined_only: true}]; + + // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints + // in the upstream cluster with metadata matching what's set in this field will be considered + // for load balancing. If using :ref:`weighted_clusters + // `, metadata will be merged, with values + // provided there taking precedence. The filter name should be specified as ``envoy.lb``. + core.v3.Metadata metadata_match = 4; + + // Indicates that during forwarding, the matched prefix (or path) should be + // swapped with this value. This option allows application URLs to be rooted + // at a different path from those exposed at the reverse proxy layer. The router filter will + // place the original path before rewrite into the :ref:`x-envoy-original-path + // ` header. + // + // Only one of :ref:`regex_rewrite ` + // :ref:`path_rewrite_policy `, + // or :ref:`prefix_rewrite ` may be specified. + // + // .. attention:: + // + // Pay careful attention to the use of trailing slashes in the + // :ref:`route's match ` prefix value. + // Stripping a prefix from a path requires multiple Routes to handle all cases. For example, + // rewriting ``/prefix`` to ``/`` and ``/prefix/etc`` to ``/etc`` cannot be done in a single + // :ref:`Route `, as shown by the below config entries: + // + // .. code-block:: yaml + // + // - match: + // prefix: "/prefix/" + // route: + // prefix_rewrite: "/" + // - match: + // prefix: "/prefix" + // route: + // prefix_rewrite: "/" + // + // Having above entries in the config, requests to ``/prefix`` will be stripped to ``/``, while + // requests to ``/prefix/etc`` will be stripped to ``/etc``. + string prefix_rewrite = 5 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Indicates that during forwarding, portions of the path that match the + // pattern should be rewritten, even allowing the substitution of capture + // groups from the pattern into the new path as specified by the rewrite + // substitution string. This is useful to allow application paths to be + // rewritten in a way that is aware of segments with variable content like + // identifiers. The router filter will place the original path as it was + // before the rewrite into the :ref:`x-envoy-original-path + // ` header. + // + // Only one of :ref:`regex_rewrite `, + // :ref:`prefix_rewrite `, or + // :ref:`path_rewrite_policy `] + // may be specified. + // + // Examples using Google's `RE2 `_ engine: + // + // * The path pattern ``^/service/([^/]+)(/.*)$`` paired with a substitution + // string of ``\2/instance/\1`` would transform ``/service/foo/v1/api`` + // into ``/v1/api/instance/foo``. + // + // * The pattern ``one`` paired with a substitution string of ``two`` would + // transform ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/two/zzz``. + // + // * The pattern ``^(.*?)one(.*)$`` paired with a substitution string of + // ``\1two\2`` would replace only the first occurrence of ``one``, + // transforming path ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/one/zzz``. + // + // * The pattern ``(?i)/xxx/`` paired with a substitution string of ``/yyy/`` + // would do a case-insensitive match and transform path ``/aaa/XxX/bbb`` to + // ``/aaa/yyy/bbb``. + type.matcher.v3.RegexMatchAndSubstitute regex_rewrite = 32; + + // [#extension-category: envoy.path.rewrite] + core.v3.TypedExtensionConfig path_rewrite_policy = 41; + + // If one of the host rewrite specifiers is set and the + // :ref:`suppress_envoy_headers + // ` flag is not + // set to true, the router filter will place the original host header value before + // rewriting into the :ref:`x-envoy-original-host + // ` header. + // + // And if the + // :ref:`append_x_forwarded_host ` + // is set to true, the original host value will also be appended to the + // :ref:`config_http_conn_man_headers_x-forwarded-host` header. + // + oneof host_rewrite_specifier { + // Indicates that during forwarding, the host header will be swapped with + // this value. + string host_rewrite_literal = 6 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Indicates that during forwarding, the host header will be swapped with + // the hostname of the upstream host chosen by the cluster manager. This + // option is applicable only when the destination cluster for a route is of + // type ``strict_dns`` or ``logical_dns``, + // or when :ref:`hostname ` + // field is not empty. Setting this to true with other cluster types + // has no effect. + google.protobuf.BoolValue auto_host_rewrite = 7; + + // Indicates that during forwarding, the host header will be swapped with the content of given + // downstream or :ref:`custom ` header. + // If header value is empty, host header is left intact. + // + // .. attention:: + // + // Pay attention to the potential security implications of using this option. Provided header + // must come from trusted source. + // + // .. note:: + // + // If the header appears multiple times only the first value is used. + string host_rewrite_header = 29 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // Indicates that during forwarding, the host header will be swapped with + // the result of the regex substitution executed on path value with query and fragment removed. + // This is useful for transitioning variable content between path segment and subdomain. + // + // For example with the following config: + // + // .. code-block:: yaml + // + // host_rewrite_path_regex: + // pattern: + // google_re2: {} + // regex: "^/(.+)/.+$" + // substitution: \1 + // + // Would rewrite the host header to ``envoyproxy.io`` given the path ``/envoyproxy.io/some/path``. + type.matcher.v3.RegexMatchAndSubstitute host_rewrite_path_regex = 35; + } + + // If set, then a host rewrite action (one of + // :ref:`host_rewrite_literal `, + // :ref:`auto_host_rewrite `, + // :ref:`host_rewrite_header `, or + // :ref:`host_rewrite_path_regex `) + // causes the original value of the host header, if any, to be appended to the + // :ref:`config_http_conn_man_headers_x-forwarded-host` HTTP header if it is different to the last value appended. + bool append_x_forwarded_host = 38; + + // Specifies the upstream timeout for the route. If not specified, the default is 15s. This + // spans between the point at which the entire downstream request (i.e. end-of-stream) has been + // processed and when the upstream response has been completely processed. A value of 0 will + // disable the route's timeout. + // + // .. note:: + // + // This timeout includes all retries. See also + // :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms`, + // :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms`, and the + // :ref:`retry overview `. + google.protobuf.Duration timeout = 8; + + // Specifies the idle timeout for the route. If not specified, there is no per-route idle timeout, + // although the connection manager wide :ref:`stream_idle_timeout + // ` + // will still apply. A value of 0 will completely disable the route's idle timeout, even if a + // connection manager stream idle timeout is configured. + // + // The idle timeout is distinct to :ref:`timeout + // `, which provides an upper bound + // on the upstream response time; :ref:`idle_timeout + // ` instead bounds the amount + // of time the request's stream may be idle. + // + // After header decoding, the idle timeout will apply on downstream and + // upstream request events. Each time an encode/decode event for headers or + // data is processed for the stream, the timer will be reset. If the timeout + // fires, the stream is terminated with a 408 Request Timeout error code if no + // upstream response header has been received, otherwise a stream reset + // occurs. + // + // If the :ref:`overload action ` "envoy.overload_actions.reduce_timeouts" + // is configured, this timeout is scaled according to the value for + // :ref:`HTTP_DOWNSTREAM_STREAM_IDLE `. + // + // This timeout may also be used in place of ``flush_timeout`` in very specific cases. See the + // documentation for ``flush_timeout`` for more details. + google.protobuf.Duration idle_timeout = 24; + + // Specifies the codec stream flush timeout for the route. + // + // If not specified, the first preference is the global :ref:`stream_flush_timeout + // `, + // but only if explicitly configured. + // + // If neither the explicit HCM-wide flush timeout nor this route-specific flush timeout is configured, + // the route's stream idle timeout is reused for this timeout. This is for + // backwards compatibility since both behaviors were historically controlled by the one timeout. + // + // If the route also does not have an idle timeout configured, the global :ref:`stream_idle_timeout + // `. used, again + // for backwards compatibility. That timeout defaults to 5 minutes. + // + // A value of 0 via any of the above paths will completely disable the timeout for a given route. + google.protobuf.Duration flush_timeout = 42; + + // Specifies how to send request over TLS early data. + // If absent, allows `safe HTTP requests `_ to be sent on early data. + // [#extension-category: envoy.route.early_data_policy] + core.v3.TypedExtensionConfig early_data_policy = 40; + + // Indicates that the route has a retry policy. Note that if this is set, + // it'll take precedence over the virtual host level retry policy entirely + // (e.g., policies are not merged, the most internal one becomes the enforced policy). + RetryPolicy retry_policy = 9; + + // [#not-implemented-hide:] + // Specifies the configuration for retry policy extension. Note that if this is set, it'll take + // precedence over the virtual host level retry policy entirely (e.g., policies are not merged, + // the most internal one becomes the enforced policy). :ref:`Retry policy ` + // should not be set if this field is used. + google.protobuf.Any retry_policy_typed_config = 33; + + // Specify a set of route request mirroring policies. + // It takes precedence over the virtual host and route config mirror policy entirely. + // That is, policies are not merged, the most specific non-empty one becomes the mirror policies. + repeated RequestMirrorPolicy request_mirror_policies = 30; + + // Optionally specifies the :ref:`routing priority `. + core.v3.RoutingPriority priority = 11 [(validate.rules).enum = {defined_only: true}]; + + // Specifies a set of rate limit configurations that could be applied to the + // route. + repeated RateLimit rate_limits = 13; + + // Specifies if the rate limit filter should include the virtual host rate + // limits. By default, if the route configured rate limits, the virtual host + // :ref:`rate_limits ` are not applied to the + // request. + // + // .. attention:: + // + // This field is deprecated. Please use :ref:`vh_rate_limits ` + google.protobuf.BoolValue include_vh_rate_limits = 14 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Specifies a list of hash policies to use for ring hash load balancing. Each + // hash policy is evaluated individually and the combined result is used to + // route the request. The method of combination is deterministic such that + // identical lists of hash policies will produce the same hash. Since a hash + // policy examines specific parts of a request, it can fail to produce a hash + // (i.e. if the hashed header is not present). If (and only if) all configured + // hash policies fail to generate a hash, no hash will be produced for + // the route. In this case, the behavior is the same as if no hash policies + // were specified (i.e. the ring hash load balancer will choose a random + // backend). If a hash policy has the "terminal" attribute set to true, and + // there is already a hash generated, the hash is returned immediately, + // ignoring the rest of the hash policy list. + repeated HashPolicy hash_policy = 15; + + // Indicates that the route has a CORS policy. This field is ignored if related cors policy is + // found in the :ref:`Route.typed_per_filter_config` or + // :ref:`WeightedCluster.ClusterWeight.typed_per_filter_config`. + // + // .. attention:: + // + // This option has been deprecated. Please use + // :ref:`Route.typed_per_filter_config` or + // :ref:`WeightedCluster.ClusterWeight.typed_per_filter_config` + // to configure the CORS HTTP filter. + CorsPolicy cors = 17 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Deprecated by :ref:`grpc_timeout_header_max ` + // If present, and the request is a gRPC request, use the + // `grpc-timeout header `_, + // or its default value (infinity) instead of + // :ref:`timeout `, but limit the applied timeout + // to the maximum value specified here. If configured as 0, the maximum allowed timeout for + // gRPC requests is infinity. If not configured at all, the ``grpc-timeout`` header is not used + // and gRPC requests time out like any other requests using + // :ref:`timeout ` or its default. + // This can be used to prevent unexpected upstream request timeouts due to potentially long + // time gaps between gRPC request and response in gRPC streaming mode. + // + // .. note:: + // + // If a timeout is specified using :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms`, it takes + // precedence over `grpc-timeout header `_, when + // both are present. See also + // :ref:`config_http_filters_router_x-envoy-upstream-rq-timeout-ms`, + // :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms`, and the + // :ref:`retry overview `. + google.protobuf.Duration max_grpc_timeout = 23 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Deprecated by :ref:`grpc_timeout_header_offset `. + // If present, Envoy will adjust the timeout provided by the ``grpc-timeout`` header by subtracting + // the provided duration from the header. This is useful in allowing Envoy to set its global + // timeout to be less than that of the deadline imposed by the calling client, which makes it more + // likely that Envoy will handle the timeout instead of having the call canceled by the client. + // The offset will only be applied if the provided grpc_timeout is greater than the offset. This + // ensures that the offset will only ever decrease the timeout and never set it to 0 (meaning + // infinity). + google.protobuf.Duration grpc_timeout_offset = 28 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + repeated UpgradeConfig upgrade_configs = 25; + + // If present, Envoy will try to follow an upstream redirect response instead of proxying the + // response back to the downstream. An upstream redirect response is defined + // by :ref:`redirect_response_codes + // `. + InternalRedirectPolicy internal_redirect_policy = 34; + + InternalRedirectAction internal_redirect_action = 26 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // An internal redirect is handled, iff the number of previous internal redirects that a + // downstream request has encountered is lower than this value, and + // :ref:`internal_redirect_action ` + // is set to :ref:`HANDLE_INTERNAL_REDIRECT + // ` + // In the case where a downstream request is bounced among multiple routes by internal redirect, + // the first route that hits this threshold, or has + // :ref:`internal_redirect_action ` + // set to + // :ref:`PASS_THROUGH_INTERNAL_REDIRECT + // ` + // will pass the redirect back to downstream. + // + // If not specified, at most one redirect will be followed. + google.protobuf.UInt32Value max_internal_redirects = 31 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Indicates that the route has a hedge policy. Note that if this is set, + // it'll take precedence over the virtual host level hedge policy entirely + // (e.g., policies are not merged, the most internal one becomes the enforced policy). + HedgePolicy hedge_policy = 27; + + // Specifies the maximum stream duration for this route. + MaxStreamDuration max_stream_duration = 36; +} + +// HTTP retry :ref:`architecture overview `. +// [#next-free-field: 14] +message RetryPolicy { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RetryPolicy"; + + enum ResetHeaderFormat { + SECONDS = 0; + UNIX_TIMESTAMP = 1; + } + + message RetryPriority { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RetryPolicy.RetryPriority"; + + reserved 2; + + reserved "config"; + + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // [#extension-category: envoy.retry_priorities] + oneof config_type { + google.protobuf.Any typed_config = 3; + } + } + + message RetryHostPredicate { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RetryPolicy.RetryHostPredicate"; + + reserved 2; + + reserved "config"; + + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // [#extension-category: envoy.retry_host_predicates] + oneof config_type { + google.protobuf.Any typed_config = 3; + } + } + + message RetryBackOff { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RetryPolicy.RetryBackOff"; + + // Specifies the base interval between retries. This parameter is required and must be greater + // than zero. Values less than 1 ms are rounded up to 1 ms. + // See :ref:`config_http_filters_router_x-envoy-max-retries` for a discussion of Envoy's + // back-off algorithm. + google.protobuf.Duration base_interval = 1 [(validate.rules).duration = { + required: true + gt {} + }]; + + // Specifies the maximum interval between retries. This parameter is optional, but must be + // greater than or equal to the ``base_interval`` if set. The default is 10 times the + // ``base_interval``. See :ref:`config_http_filters_router_x-envoy-max-retries` for a discussion + // of Envoy's back-off algorithm. + google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {}}]; + } + + message ResetHeader { + // The name of the reset header. + // + // .. note:: + // + // If the header appears multiple times only the first value is used. + string name = 1 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // The format of the reset header. + ResetHeaderFormat format = 2 [(validate.rules).enum = {defined_only: true}]; + } + + // A retry back-off strategy that applies when the upstream server rate limits + // the request. + // + // Given this configuration: + // + // .. code-block:: yaml + // + // rate_limited_retry_back_off: + // reset_headers: + // - name: Retry-After + // format: SECONDS + // - name: X-RateLimit-Reset + // format: UNIX_TIMESTAMP + // max_interval: "300s" + // + // The following algorithm will apply: + // + // 1. If the response contains the header ``Retry-After`` its value must be on + // the form ``120`` (an integer that represents the number of seconds to + // wait before retrying). If so, this value is used as the back-off interval. + // 2. Otherwise, if the response contains the header ``X-RateLimit-Reset`` its + // value must be on the form ``1595320702`` (an integer that represents the + // point in time at which to retry, as a Unix timestamp in seconds). If so, + // the current time is subtracted from this value and the result is used as + // the back-off interval. + // 3. Otherwise, Envoy will use the default + // :ref:`exponential back-off ` + // strategy. + // + // No matter which format is used, if the resulting back-off interval exceeds + // ``max_interval`` it is discarded and the next header in ``reset_headers`` + // is tried. If a request timeout is configured for the route it will further + // limit how long the request will be allowed to run. + // + // To prevent many clients retrying at the same point in time jitter is added + // to the back-off interval, so the resulting interval is decided by taking: + // ``random(interval, interval * 1.5)``. + // + // .. attention:: + // + // Configuring ``rate_limited_retry_back_off`` will not by itself cause a request + // to be retried. You will still need to configure the right retry policy to match + // the responses from the upstream server. + message RateLimitedRetryBackOff { + // Specifies the reset headers (like ``Retry-After`` or ``X-RateLimit-Reset``) + // to match against the response. Headers are tried in order, and matched case + // insensitive. The first header to be parsed successfully is used. If no headers + // match the default exponential back-off is used instead. + repeated ResetHeader reset_headers = 1 [(validate.rules).repeated = {min_items: 1}]; + + // Specifies the maximum back off interval that Envoy will allow. If a reset + // header contains an interval longer than this then it will be discarded and + // the next header will be tried. + // + // Defaults to 300 seconds. + google.protobuf.Duration max_interval = 2 [(validate.rules).duration = {gt {}}]; + } + + // Specifies the conditions under which retry takes place. These are the same + // conditions documented for :ref:`config_http_filters_router_x-envoy-retry-on` and + // :ref:`config_http_filters_router_x-envoy-retry-grpc-on`. + string retry_on = 1; + + // Specifies the allowed number of retries. This parameter is optional and + // defaults to 1. These are the same conditions documented for + // :ref:`config_http_filters_router_x-envoy-max-retries`. + google.protobuf.UInt32Value num_retries = 2 + [(udpa.annotations.field_migrate).rename = "max_retries"]; + + // Specifies a non-zero upstream timeout per retry attempt (including the initial attempt). This + // parameter is optional. The same conditions documented for + // :ref:`config_http_filters_router_x-envoy-upstream-rq-per-try-timeout-ms` apply. + // + // .. note:: + // + // If left unspecified, Envoy will use the global + // :ref:`route timeout ` for the request. + // Consequently, when using a :ref:`5xx ` based + // retry policy, a request that times out will not be retried as the total timeout budget + // would have been exhausted. + google.protobuf.Duration per_try_timeout = 3; + + // Specifies an upstream idle timeout per retry attempt (including the initial attempt). This + // parameter is optional and if absent there is no per-try idle timeout. The semantics of the per- + // try idle timeout are similar to the + // :ref:`route idle timeout ` and + // :ref:`stream idle timeout + // ` + // both enforced by the HTTP connection manager. The difference is that this idle timeout + // is enforced by the router for each individual attempt and thus after all previous filters have + // run, as opposed to *before* all previous filters run for the other idle timeouts. This timeout + // is useful in cases in which total request timeout is bounded by a number of retries and a + // :ref:`per_try_timeout `, but + // there is a desire to ensure each try is making incremental progress. Note also that similar + // to :ref:`per_try_timeout `, + // this idle timeout does not start until after both the entire request has been received by the + // router *and* a connection pool connection has been obtained. Unlike + // :ref:`per_try_timeout `, + // the idle timer continues once the response starts streaming back to the downstream client. + // This ensures that response data continues to make progress without using one of the HTTP + // connection manager idle timeouts. + google.protobuf.Duration per_try_idle_timeout = 13; + + // Specifies an implementation of a RetryPriority which is used to determine the + // distribution of load across priorities used for retries. Refer to + // :ref:`retry plugin configuration ` for more details. + RetryPriority retry_priority = 4; + + // Specifies a collection of RetryHostPredicates that will be consulted when selecting a host + // for retries. If any of the predicates reject the host, host selection will be reattempted. + // Refer to :ref:`retry plugin configuration ` for more + // details. + repeated RetryHostPredicate retry_host_predicate = 5; + + // Retry options predicates that will be applied prior to retrying a request. These predicates + // allow customizing request behavior between retries. + // [#comment: add [#extension-category: envoy.retry_options_predicates] when there are built-in extensions] + repeated core.v3.TypedExtensionConfig retry_options_predicates = 12; + + // The maximum number of times host selection will be reattempted before giving up, at which + // point the host that was last selected will be routed to. If unspecified, this will default to + // retrying once. + int64 host_selection_retry_max_attempts = 6; + + // HTTP status codes that should trigger a retry in addition to those specified by retry_on. + repeated uint32 retriable_status_codes = 7; + + // Specifies parameters that control exponential retry back off. This parameter is optional, in which case the + // default base interval is 25 milliseconds or, if set, the current value of the + // ``upstream.base_retry_backoff_ms`` runtime parameter. The default maximum interval is 10 times + // the base interval. The documentation for :ref:`config_http_filters_router_x-envoy-max-retries` + // describes Envoy's back-off algorithm. + RetryBackOff retry_back_off = 8; + + // Specifies parameters that control a retry back-off strategy that is used + // when the request is rate limited by the upstream server. The server may + // return a response header like ``Retry-After`` or ``X-RateLimit-Reset`` to + // provide feedback to the client on how long to wait before retrying. If + // configured, this back-off strategy will be used instead of the + // default exponential back off strategy (configured using ``retry_back_off``) + // whenever a response includes the matching headers. + RateLimitedRetryBackOff rate_limited_retry_back_off = 11; + + // HTTP response headers that trigger a retry if present in the response. A retry will be + // triggered if any of the header matches match the upstream response headers. + // The field is only consulted if 'retriable-headers' retry policy is active. + repeated HeaderMatcher retriable_headers = 9; + + // HTTP headers which must be present in the request for retries to be attempted. + repeated HeaderMatcher retriable_request_headers = 10; +} + +// HTTP request hedging :ref:`architecture overview `. +message HedgePolicy { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.HedgePolicy"; + + // Specifies the number of initial requests that should be sent upstream. + // Must be at least 1. + // + // Defaults to 1. + // [#not-implemented-hide:] + google.protobuf.UInt32Value initial_requests = 1 [(validate.rules).uint32 = {gte: 1}]; + + // Specifies a probability that an additional upstream request should be sent + // on top of what is specified by initial_requests. + // + // Defaults to 0. + // [#not-implemented-hide:] + type.v3.FractionalPercent additional_request_chance = 2; + + // Indicates that a hedged request should be sent when the per-try timeout is hit. + // This means that a retry will be issued without resetting the original request, leaving multiple upstream requests in flight. + // The first request to complete successfully will be the one returned to the caller. + // + // * At any time, a successful response (i.e. not triggering any of the retry-on conditions) would be returned to the client. + // * Before per-try timeout, an error response (per retry-on conditions) would be retried immediately or returned to the client + // if there are no more retries left. + // * After per-try timeout, an error response would be discarded, as a retry in the form of a hedged request is already in progress. + // + // .. note:: + // + // For this to have effect, you must have a :ref:`RetryPolicy ` that retries at least + // one error code and specifies a maximum number of retries. + // + // Defaults to ``false``. + bool hedge_on_per_try_timeout = 3; +} + +// [#next-free-field: 10] +message RedirectAction { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RedirectAction"; + + enum RedirectResponseCode { + // Moved Permanently HTTP Status Code - 301. + MOVED_PERMANENTLY = 0; + + // Found HTTP Status Code - 302. + FOUND = 1; + + // See Other HTTP Status Code - 303. + SEE_OTHER = 2; + + // Temporary Redirect HTTP Status Code - 307. + TEMPORARY_REDIRECT = 3; + + // Permanent Redirect HTTP Status Code - 308. + PERMANENT_REDIRECT = 4; + } + + // When the scheme redirection take place, the following rules apply: + // 1. If the source URI scheme is ``http`` and the port is explicitly + // set to ``:80``, the port will be removed after the redirection + // 2. If the source URI scheme is ``https`` and the port is explicitly + // set to ``:443``, the port will be removed after the redirection + oneof scheme_rewrite_specifier { + // The scheme portion of the URL will be swapped with "https". + bool https_redirect = 4; + + // The scheme portion of the URL will be swapped with this value. + string scheme_redirect = 7; + } + + // The host portion of the URL will be swapped with this value. + string host_redirect = 1 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // The port value of the URL will be swapped with this value. + uint32 port_redirect = 8; + + oneof path_rewrite_specifier { + // The path portion of the URL will be swapped with this value. + // Please note that query string in path_redirect will override the + // request's query string and will not be stripped. + // + // For example, let's say we have the following routes: + // + // - match: { path: "/old-path-1" } + // redirect: { path_redirect: "/new-path-1" } + // - match: { path: "/old-path-2" } + // redirect: { path_redirect: "/new-path-2", strip-query: "true" } + // - match: { path: "/old-path-3" } + // redirect: { path_redirect: "/new-path-3?foo=1", strip_query: "true" } + // + // 1. if request uri is "/old-path-1?bar=1", users will be redirected to "/new-path-1?bar=1" + // 2. if request uri is "/old-path-2?bar=1", users will be redirected to "/new-path-2" + // 3. if request uri is "/old-path-3?bar=1", users will be redirected to "/new-path-3?foo=1" + string path_redirect = 2 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Indicates that during redirection, the matched prefix (or path) + // should be swapped with this value. This option allows redirect URLs be dynamically created + // based on the request. + // + // .. attention:: + // + // Pay attention to the use of trailing slashes as mentioned in + // :ref:`RouteAction's prefix_rewrite `. + string prefix_rewrite = 5 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Indicates that during redirect, portions of the path that match the + // pattern should be rewritten, even allowing the substitution of capture + // groups from the pattern into the new path as specified by the rewrite + // substitution string. This is useful to allow application paths to be + // rewritten in a way that is aware of segments with variable content like + // identifiers. + // + // Examples using Google's `RE2 `_ engine: + // + // * The path pattern ``^/service/([^/]+)(/.*)$`` paired with a substitution + // string of ``\2/instance/\1`` would transform ``/service/foo/v1/api`` + // into ``/v1/api/instance/foo``. + // + // * The pattern ``one`` paired with a substitution string of ``two`` would + // transform ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/two/zzz``. + // + // * The pattern ``^(.*?)one(.*)$`` paired with a substitution string of + // ``\1two\2`` would replace only the first occurrence of ``one``, + // transforming path ``/xxx/one/yyy/one/zzz`` into ``/xxx/two/yyy/one/zzz``. + // + // * The pattern ``(?i)/xxx/`` paired with a substitution string of ``/yyy/`` + // would do a case-insensitive match and transform path ``/aaa/XxX/bbb`` to + // ``/aaa/yyy/bbb``. + type.matcher.v3.RegexMatchAndSubstitute regex_rewrite = 9; + } + + // The HTTP status code to use in the redirect response. The default response + // code is MOVED_PERMANENTLY (301). + RedirectResponseCode response_code = 3 [(validate.rules).enum = {defined_only: true}]; + + // Indicates that during redirection, the query portion of the URL will + // be removed. Default value is false. + bool strip_query = 6; +} + +message DirectResponseAction { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.DirectResponseAction"; + + // Specifies the HTTP response status to be returned. + uint32 status = 1 [(validate.rules).uint32 = {lt: 600 gte: 200}]; + + // Specifies the content of the response body. If this setting is omitted, + // no body is included in the generated response. + // + // .. note:: + // + // Headers can be specified using ``response_headers_to_add`` in the enclosing + // :ref:`envoy_v3_api_msg_config.route.v3.Route`, :ref:`envoy_v3_api_msg_config.route.v3.RouteConfiguration` or + // :ref:`envoy_v3_api_msg_config.route.v3.VirtualHost`. + core.v3.DataSource body = 2; +} + +// [#not-implemented-hide:] +message NonForwardingAction { +} + +message Decorator { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.Decorator"; + + // The operation name associated with the request matched to this route. If tracing is + // enabled, this information will be used as the span name reported for this request. + // + // .. note:: + // + // For ingress (inbound) requests, or egress (outbound) responses, this value may be overridden + // by the :ref:`x-envoy-decorator-operation + // ` header. + string operation = 1 [(validate.rules).string = {min_len: 1}]; + + // Whether the decorated details should be propagated to the other party. The default is ``true``. + google.protobuf.BoolValue propagate = 2; +} + +message Tracing { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.Tracing"; + + // Target percentage of requests managed by this HTTP connection manager that will be force + // traced if the :ref:`x-client-trace-id ` + // header is set. This field is a direct analog for the runtime variable + // 'tracing.client_enabled' in the :ref:`HTTP Connection Manager + // `. + // Default: 100% + type.v3.FractionalPercent client_sampling = 1; + + // Target percentage of requests managed by this HTTP connection manager that will be randomly + // selected for trace generation, if not requested by the client or not forced. This field is + // a direct analog for the runtime variable 'tracing.random_sampling' in the + // :ref:`HTTP Connection Manager `. + // Default: 100% + type.v3.FractionalPercent random_sampling = 2; + + // Target percentage of requests managed by this HTTP connection manager that will be traced + // after all other sampling checks have been applied (client-directed, force tracing, random + // sampling). This field functions as an upper limit on the total configured sampling rate. For + // instance, setting client_sampling to 100% but overall_sampling to 1% will result in only 1% + // of client requests with the appropriate headers to be force traced. This field is a direct + // analog for the runtime variable 'tracing.global_enabled' in the + // :ref:`HTTP Connection Manager `. + // Default: 100% + type.v3.FractionalPercent overall_sampling = 3; + + // A list of custom tags with unique tag name to create tags for the active span. + // It will take effect after merging with the :ref:`corresponding configuration + // ` + // configured in the HTTP connection manager. If two tags with the same name are configured + // each in the HTTP connection manager and the route level, the one configured here takes + // priority. + repeated type.tracing.v3.CustomTag custom_tags = 4; +} + +// A virtual cluster is a way of specifying a regex matching rule against +// certain important endpoints such that statistics are generated explicitly for +// the matched requests. The reason this is useful is that when doing +// prefix/path matching Envoy does not always know what the application +// considers to be an endpoint. Thus, it’s impossible for Envoy to generically +// emit per endpoint statistics. However, often systems have highly critical +// endpoints that they wish to get “perfect” statistics on. Virtual cluster +// statistics are perfect in the sense that they are emitted on the downstream +// side such that they include network level failures. +// +// Documentation for :ref:`virtual cluster statistics `. +// +// .. note:: +// +// Virtual clusters are a useful tool, but we do not recommend setting up a virtual cluster for +// every application endpoint. This is both not easily maintainable and as well the matching and +// statistics output are not free. +message VirtualCluster { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.VirtualCluster"; + + reserved 1, 3; + + reserved "pattern", "method"; + + // Specifies a list of header matchers to use for matching requests. Each specified header must + // match. The pseudo-headers ``:path`` and ``:method`` can be used to match the request path and + // method, respectively. + repeated HeaderMatcher headers = 4; + + // Specifies the name of the virtual cluster. The virtual cluster name as well + // as the virtual host name are used when emitting statistics. The statistics are emitted by the + // router filter and are documented :ref:`here `. + string name = 2 [(validate.rules).string = {min_len: 1}]; +} + +// Global rate limiting :ref:`architecture overview `. +// Also applies to Local rate limiting :ref:`using descriptors `. +// [#next-free-field: 7] +message RateLimit { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RateLimit"; + + // [#next-free-field: 13] + message Action { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action"; + + // The following descriptor entry is appended to the descriptor: + // + // .. code-block:: cpp + // + // ("source_cluster", "") + // + // is derived from the :option:`--service-cluster` option. + message SourceCluster { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action.SourceCluster"; + } + + // The following descriptor entry is appended to the descriptor: + // + // .. code-block:: cpp + // + // ("destination_cluster", "") + // + // Once a request matches against a route table rule, a routed cluster is determined by one of + // the following :ref:`route table configuration ` + // settings: + // + // * :ref:`cluster ` indicates the upstream cluster + // to route to. + // * :ref:`weighted_clusters ` + // chooses a cluster randomly from a set of clusters with attributed weight. + // * :ref:`cluster_header ` indicates which + // header in the request contains the target cluster. + message DestinationCluster { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action.DestinationCluster"; + } + + // The following descriptor entry is appended when a header contains a key that matches the + // ``header_name``: + // + // .. code-block:: cpp + // + // ("", "") + message RequestHeaders { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action.RequestHeaders"; + + // The header name to be queried from the request headers. The header’s + // value is used to populate the value of the descriptor entry for the + // descriptor_key. + string header_name = 1 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // The key to use in the descriptor entry. + string descriptor_key = 2 [(validate.rules).string = {min_len: 1}]; + + // Controls the behavior when the specified header is not present in the request. + // + // If set to ``false`` (default): + // + // * Envoy does **NOT** call the rate limiting service for this descriptor. + // * Useful if the header is optional and you prefer to skip rate limiting when it's absent. + // + // If set to ``true``: + // + // * Envoy calls the rate limiting service but omits this descriptor if the header is missing. + // * Useful if you want Envoy to enforce rate limiting even when the header is not present. + // + bool skip_if_absent = 3; + } + + // The following descriptor entry is appended when a query parameter contains a key that matches the + // ``query_parameter_name``: + // + // .. code-block:: cpp + // + // ("", "") + message QueryParameters { + // The name of the query parameter to use for rate limiting. Value of this query parameter is used to populate + // the value of the descriptor entry for the descriptor_key. + string query_parameter_name = 1 [(validate.rules).string = {min_len: 1}]; + + // The key to use when creating the rate limit descriptor entry. This descriptor key will be used to identify the + // rate limit rule in the rate limiting service. + string descriptor_key = 2 [(validate.rules).string = {min_len: 1}]; + + // Controls the behavior when the specified query parameter is not present in the request. + // + // If set to ``false`` (default): + // + // * Envoy does **NOT** call the rate limiting service for this descriptor. + // * Useful if the query parameter is optional and you prefer to skip rate limiting when it's absent. + // + // If set to ``true``: + // + // * Envoy calls the rate limiting service but omits this descriptor if the query parameter is missing. + // * Useful if you want Envoy to enforce rate limiting even when the query parameter is not present. + // + bool skip_if_absent = 3; + } + + // The following descriptor entry is appended to the descriptor and is populated using the + // trusted address from :ref:`x-forwarded-for `: + // + // .. code-block:: cpp + // + // ("remote_address", "") + message RemoteAddress { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action.RemoteAddress"; + } + + // The following descriptor entry is appended to the descriptor and is populated using the + // masked address from :ref:`x-forwarded-for `: + // + // .. code-block:: cpp + // + // ("masked_remote_address", "") + message MaskedRemoteAddress { + // Length of prefix mask len for IPv4 (e.g. 0, 32). + // + // Defaults to 32 when unset. + // + // For example, trusted address from x-forwarded-for is ``192.168.1.1``, + // the descriptor entry is ("masked_remote_address", "192.168.1.1/32"); + // if mask len is 24, the descriptor entry is ("masked_remote_address", "192.168.1.0/24"). + google.protobuf.UInt32Value v4_prefix_mask_len = 1 [(validate.rules).uint32 = {lte: 32}]; + + // Length of prefix mask len for IPv6 (e.g. 0, 128). + // + // Defaults to 128 when unset. + // + // For example, trusted address from x-forwarded-for is ``2001:abcd:ef01:2345:6789:abcd:ef01:234``, + // the descriptor entry is ("masked_remote_address", "2001:abcd:ef01:2345:6789:abcd:ef01:234/128"); + // if mask len is 64, the descriptor entry is ("masked_remote_address", "2001:abcd:ef01:2345::/64"). + google.protobuf.UInt32Value v6_prefix_mask_len = 2 [(validate.rules).uint32 = {lte: 128}]; + } + + // The following descriptor entry is appended to the descriptor: + // + // .. code-block:: cpp + // + // ("generic_key", "") + message GenericKey { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action.GenericKey"; + + // The value to use in the descriptor entry. + string descriptor_value = 1 [(validate.rules).string = {min_len: 1}]; + + // An optional key to use in the descriptor entry. If not set it defaults + // to 'generic_key' as the descriptor key. + string descriptor_key = 2; + } + + // The following descriptor entry is appended to the descriptor: + // + // .. code-block:: cpp + // + // ("header_match", "") + message HeaderValueMatch { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.RateLimit.Action.HeaderValueMatch"; + + // The key to use in the descriptor entry. + // + // Defaults to ``header_match``. + string descriptor_key = 4; + + // The value to use in the descriptor entry. + string descriptor_value = 1 [(validate.rules).string = {min_len: 1}]; + + // If set to true, the action will append a descriptor entry when the + // request matches the headers. If set to false, the action will append a + // descriptor entry when the request does not match the headers. The + // default value is true. + google.protobuf.BoolValue expect_match = 2; + + // Specifies a set of headers that the rate limit action should match + // on. The action will check the request’s headers against all the + // specified headers in the config. A match will happen if all the + // headers in the config are present in the request with the same values + // (or based on presence if the value field is not in the config). + repeated HeaderMatcher headers = 3 [(validate.rules).repeated = {min_items: 1}]; + } + + // The following descriptor entry is appended when the + // :ref:`dynamic metadata ` contains a key value: + // + // .. code-block:: cpp + // + // ("", "") + // + // .. attention:: + // This action has been deprecated in favor of the :ref:`metadata ` action + message DynamicMetaData { + // The key to use in the descriptor entry. + string descriptor_key = 1 [(validate.rules).string = {min_len: 1}]; + + // Metadata struct that defines the key and path to retrieve the string value. A match will + // only happen if the value in the dynamic metadata is of type string. + type.metadata.v3.MetadataKey metadata_key = 2 [(validate.rules).message = {required: true}]; + + // An optional value to use if ``metadata_key`` is empty. If not set and + // no value is present under the metadata_key then no descriptor is generated. + string default_value = 3; + } + + // The following descriptor entry is appended when the metadata contains a key value: + // + // .. code-block:: cpp + // + // ("", "") + // [#next-free-field: 6] + message MetaData { + enum Source { + // Query :ref:`dynamic metadata ` + DYNAMIC = 0; + + // Query :ref:`route entry metadata ` + ROUTE_ENTRY = 1; + } + + // The key to use in the descriptor entry. + string descriptor_key = 1 [(validate.rules).string = {min_len: 1}]; + + // Metadata struct that defines the key and path to retrieve the string value. A match will + // only happen if the value in the metadata is of type string. + type.metadata.v3.MetadataKey metadata_key = 2 [(validate.rules).message = {required: true}]; + + // An optional value to use if ``metadata_key`` is empty. If not set and + // no value is present under the metadata_key then ``skip_if_absent`` is followed to + // skip calling the rate limiting service or skip the descriptor. + string default_value = 3; + + // Source of metadata + Source source = 4 [(validate.rules).enum = {defined_only: true}]; + + // Controls the behavior when the specified ``metadata_key`` is empty and ``default_value`` is not set. + // + // If set to ``false`` (default): + // + // * Envoy does **NOT** call the rate limiting service for this descriptor. + // * Useful if the metadata is optional and you prefer to skip rate limiting when it's absent. + // + // If set to ``true``: + // + // * Envoy calls the rate limiting service but omits this descriptor if the ``metadata_key`` is empty and + // ``default_value`` is missing. + // * Useful if you want Envoy to enforce rate limiting even when the metadata is not present. + // + bool skip_if_absent = 5; + } + + // The following descriptor entry is appended to the descriptor: + // + // .. code-block:: cpp + // + // ("query_match", "") + message QueryParameterValueMatch { + // The key to use in the descriptor entry. + // + // Defaults to ``query_match``. + string descriptor_key = 4; + + // The value to use in the descriptor entry. + string descriptor_value = 1 [(validate.rules).string = {min_len: 1}]; + + // If set to true, the action will append a descriptor entry when the + // request matches the headers. If set to false, the action will append a + // descriptor entry when the request does not match the headers. The + // default value is true. + google.protobuf.BoolValue expect_match = 2; + + // Specifies a set of query parameters that the rate limit action should match + // on. The action will check the request’s query parameters against all the + // specified query parameters in the config. A match will happen if all the + // query parameters in the config are present in the request with the same values + // (or based on presence if the value field is not in the config). + repeated QueryParameterMatcher query_parameters = 3 + [(validate.rules).repeated = {min_items: 1}]; + } + + oneof action_specifier { + option (validate.required) = true; + + // Rate limit on source cluster. + SourceCluster source_cluster = 1; + + // Rate limit on destination cluster. + DestinationCluster destination_cluster = 2; + + // Rate limit on request headers. + RequestHeaders request_headers = 3; + + // Rate limit on query parameters. + QueryParameters query_parameters = 12; + + // Rate limit on remote address. + RemoteAddress remote_address = 4; + + // Rate limit on a generic key. + GenericKey generic_key = 5; + + // Rate limit on the existence of request headers. + HeaderValueMatch header_value_match = 6; + + // Rate limit on dynamic metadata. + // + // .. attention:: + // This field has been deprecated in favor of the :ref:`metadata ` field + DynamicMetaData dynamic_metadata = 7 [ + deprecated = true, + (envoy.annotations.deprecated_at_minor_version) = "3.0", + (envoy.annotations.disallowed_by_default) = true + ]; + + // Rate limit on metadata. + MetaData metadata = 8; + + // Rate limit descriptor extension. See the rate limit descriptor extensions documentation. + // + // :ref:`HTTP matching input functions ` are + // permitted as descriptor extensions. The input functions are only + // looked up if there is no rate limit descriptor extension matching + // the type URL. + // + // [#extension-category: envoy.rate_limit_descriptors] + core.v3.TypedExtensionConfig extension = 9; + + // Rate limit on masked remote address. + MaskedRemoteAddress masked_remote_address = 10; + + // Rate limit on the existence of query parameters. + QueryParameterValueMatch query_parameter_value_match = 11; + } + } + + message Override { + // Fetches the override from the dynamic metadata. + message DynamicMetadata { + // Metadata struct that defines the key and path to retrieve the struct value. + // The value must be a struct containing an integer "requests_per_unit" property + // and a "unit" property with a value parseable to :ref:`RateLimitUnit + // enum ` + type.metadata.v3.MetadataKey metadata_key = 1 [(validate.rules).message = {required: true}]; + } + + oneof override_specifier { + option (validate.required) = true; + + // Limit override from dynamic metadata. + DynamicMetadata dynamic_metadata = 1; + } + } + + message HitsAddend { + // Fixed number of hits to add to the rate limit descriptor. + // + // One of the ``number`` or ``format`` fields should be set but not both. + google.protobuf.UInt64Value number = 1 [(validate.rules).uint64 = {lte: 1000000000}]; + + // Substitution format string to extract the number of hits to add to the rate limit descriptor. + // The same :ref:`format specifier ` as used for + // :ref:`HTTP access logging ` applies here. + // + // .. note:: + // + // The format string must contains only single valid substitution field. If the format string + // not meets the requirement, the configuration will be rejected. + // + // The substitution field should generates a non-negative number or string representation of + // a non-negative number. The value of the non-negative number should be less than or equal + // to 1000000000 like the ``number`` field. If the output of the substitution field not meet + // the requirement, this will be treated as an error and the current descriptor will be ignored. + // + // For example, the ``%BYTES_RECEIVED%`` format string will be replaced with the number of bytes + // received in the request. + // + // One of the ``number`` or ``format`` fields should be set but not both. + string format = 2 [(validate.rules).string = {prefix: "%" suffix: "%" ignore_empty: true}]; + } + + // Refers to the stage set in the filter. The rate limit configuration only + // applies to filters with the same stage number. The default stage number is + // 0. + // + // .. note:: + // + // The filter supports a range of 0 - 10 inclusively for stage numbers. + // + // .. note:: + // This is not supported if the rate limit action is configured in the ``typed_per_filter_config`` like + // :ref:`VirtualHost.typed_per_filter_config` or + // :ref:`Route.typed_per_filter_config`, etc. + google.protobuf.UInt32Value stage = 1 [(validate.rules).uint32 = {lte: 10}]; + + // The key to be set in runtime to disable this rate limit configuration. + // + // .. note:: + // This is not supported if the rate limit action is configured in the ``typed_per_filter_config`` like + // :ref:`VirtualHost.typed_per_filter_config` or + // :ref:`Route.typed_per_filter_config`, etc. + string disable_key = 2; + + // A list of actions that are to be applied for this rate limit configuration. + // Order matters as the actions are processed sequentially and the descriptor + // is composed by appending descriptor entries in that sequence. If an action + // cannot append a descriptor entry, no descriptor is generated for the + // configuration. See :ref:`composing actions + // ` for additional documentation. + repeated Action actions = 3 [(validate.rules).repeated = {min_items: 1}]; + + // An optional limit override to be appended to the descriptor produced by this + // rate limit configuration. If the override value is invalid or cannot be resolved + // from metadata, no override is provided. See :ref:`rate limit override + // ` for more information. + // + // .. note:: + // This is not supported if the rate limit action is configured in the ``typed_per_filter_config`` like + // :ref:`VirtualHost.typed_per_filter_config` or + // :ref:`Route.typed_per_filter_config`, etc. + Override limit = 4; + + // An optional hits addend to be appended to the descriptor produced by this rate limit + // configuration. + // + // .. note:: + // This is only supported if the rate limit action is configured in the ``typed_per_filter_config`` like + // :ref:`VirtualHost.typed_per_filter_config` or + // :ref:`Route.typed_per_filter_config`, etc. + HitsAddend hits_addend = 5; + + // If true, the rate limit request will be applied when the stream completes. The default value is false. + // This is useful when the rate limit budget needs to reflect the response context that is not available + // on the request path. + // + // For example, let's say the upstream service calculates the usage statistics and returns them in the response body + // and we want to utilize these numbers to apply the rate limit action for the subsequent requests. + // Combined with another filter that can set the desired addend based on the response (e.g. Lua filter), + // this can be used to subtract the usage statistics from the rate limit budget. + // + // A rate limit applied on the stream completion is "fire-and-forget" by nature, and rate limit is not enforced by this config. + // In other words, the current request won't be blocked when this is true, but the budget will be updated for the subsequent + // requests based on the action with this field set to true. Users should ensure that the rate limit is enforced by the actions + // applied on the request path, i.e. the ones with this field set to false. + // + // Currently, this is only supported by the HTTP global rate filter. + bool apply_on_stream_done = 6; +} + +// .. attention:: +// +// Internally, Envoy always uses the HTTP/2 ``:authority`` header to represent the HTTP/1 ``Host`` +// header. Thus, if attempting to match on ``Host``, match on ``:authority`` instead. +// +// .. attention:: +// +// To route on HTTP method, use the special HTTP/2 ``:method`` header. This works for both +// HTTP/1 and HTTP/2 as Envoy normalizes headers. E.g., +// +// .. code-block:: json +// +// { +// "name": ":method", +// "string_match": { +// "exact": "POST" +// } +// } +// +// .. attention:: +// In the absence of any header match specifier, match will default to :ref:`present_match +// `. i.e, a request that has the :ref:`name +// ` header will match, regardless of the header's +// value. +// +// [#next-major-version: HeaderMatcher should be refactored to use StringMatcher.] +// [#next-free-field: 15] +message HeaderMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.HeaderMatcher"; + + reserved 2, 3, 5; + + reserved "regex_match"; + + // Specifies the name of the header in the request. + string name = 1 + [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}]; + + // Specifies how the header match will be performed to route the request. + oneof header_match_specifier { + // If specified, header match will be performed based on the value of the header. + // + // .. attention:: + // + // This field is deprecated. Please use :ref:`string_match `. + string exact_match = 4 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // If specified, this regex string is a regular expression rule which implies the entire request + // header value must match the regex. The rule will not match if only a subsequence of the + // request header value matches the regex. + // + // .. attention:: + // + // This field is deprecated. Please use :ref:`string_match `. + type.matcher.v3.RegexMatcher safe_regex_match = 11 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // If specified, header match will be performed based on range. + // The rule will match if the request header value is within this range. + // The entire request header value must represent an integer in base 10 notation: consisting of + // an optional plus or minus sign followed by a sequence of digits. The rule will not match if + // the header value does not represent an integer. Match will fail for empty values, floating + // point numbers or if only a subsequence of the header value is an integer. + // + // Examples: + // + // * For range [-10,0), route will match for header value -1, but not for 0, ``somestring``, 10.9, + // ``-1somestring`` + type.v3.Int64Range range_match = 6; + + // If specified as true, header match will be performed based on whether the header is in the + // request. If specified as false, header match will be performed based on whether the header is absent. + bool present_match = 7; + + // If specified, header match will be performed based on the prefix of the header value. + // + // .. note:: + // + // Empty prefix is not allowed. Please use ``present_match`` instead. + // + // .. attention:: + // + // This field is deprecated. Please use :ref:`string_match `. + // + // Examples: + // + // * The prefix ``abcd`` matches the value ``abcdxyz``, but not for ``abcxyz``. + string prefix_match = 9 [ + deprecated = true, + (validate.rules).string = {min_len: 1}, + (envoy.annotations.deprecated_at_minor_version) = "3.0" + ]; + + // If specified, header match will be performed based on the suffix of the header value. + // + // .. note:: + // + // Empty suffix is not allowed. Please use ``present_match`` instead. + // + // .. attention:: + // + // This field is deprecated. Please use :ref:`string_match `. + // + // Examples: + // + // * The suffix ``abcd`` matches the value ``xyzabcd``, but not for ``xyzbcd``. + string suffix_match = 10 [ + deprecated = true, + (validate.rules).string = {min_len: 1}, + (envoy.annotations.deprecated_at_minor_version) = "3.0" + ]; + + // If specified, header match will be performed based on whether the header value contains + // the given value or not. + // + // .. note:: + // + // Empty contains match is not allowed. Please use ``present_match`` instead. + // + // .. attention:: + // + // This field is deprecated. Please use :ref:`string_match `. + // + // Examples: + // + // * The value ``abcd`` matches the value ``xyzabcdpqr``, but not for ``xyzbcdpqr``. + string contains_match = 12 [ + deprecated = true, + (validate.rules).string = {min_len: 1}, + (envoy.annotations.deprecated_at_minor_version) = "3.0" + ]; + + // If specified, header match will be performed based on the string match of the header value. + type.matcher.v3.StringMatcher string_match = 13; + } + + // If specified, the match result will be inverted before checking. + // + // Defaults to ``false``. + // + // Examples: + // + // * The regex ``\d{3}`` does not match the value ``1234``, so it will match when inverted. + // * The range [-10,0) will match the value -1, so it will not match when inverted. + bool invert_match = 8; + + // If specified, for any header match rule, if the header match rule specified header + // does not exist, this header value will be treated as empty. + // + // Defaults to ``false``. + // + // Examples: + // + // * The header match rule specified header "header1" to range match of [0, 10], + // :ref:`invert_match ` + // is set to true and :ref:`treat_missing_header_as_empty ` + // is set to true; The "header1" header is not present. The match rule will + // treat the "header1" as an empty header. The empty header does not match the range, + // so it will match when inverted. + // * The header match rule specified header "header2" to range match of [0, 10], + // :ref:`invert_match ` + // is set to true and :ref:`treat_missing_header_as_empty ` + // is set to false; The "header2" header is not present and the header + // matcher rule for "header2" will be ignored so it will not match. + // * The header match rule specified header "header3" to a string regex match + // ``^$`` which means an empty string, and + // :ref:`treat_missing_header_as_empty ` + // is set to true; The "header3" header is not present. + // The match rule will treat the "header3" header as an empty header so it will match. + // * The header match rule specified header "header4" to a string regex match + // ``^$`` which means an empty string, and + // :ref:`treat_missing_header_as_empty ` + // is set to false; The "header4" header is not present. + // The match rule for "header4" will be ignored so it will not match. + bool treat_missing_header_as_empty = 14; +} + +// Query parameter matching treats the query string of a request's :path header +// as an ampersand-separated list of keys and/or key=value elements. +// [#next-free-field: 7] +message QueryParameterMatcher { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.route.QueryParameterMatcher"; + + reserved 3, 4; + + reserved "value", "regex"; + + // Specifies the name of a key that must be present in the requested + // ``path``'s query string. + string name = 1 [(validate.rules).string = {min_len: 1 max_bytes: 1024}]; + + oneof query_parameter_match_specifier { + // Specifies whether a query parameter value should match against a string. + type.matcher.v3.StringMatcher string_match = 5 [(validate.rules).message = {required: true}]; + + // Specifies whether a query parameter should be present. + bool present_match = 6; + } +} + +// HTTP Internal Redirect :ref:`architecture overview `. +// [#next-free-field: 6] +message InternalRedirectPolicy { + // An internal redirect is not handled, unless the number of previous internal redirects that a + // downstream request has encountered is lower than this value. + // In the case where a downstream request is bounced among multiple routes by internal redirect, + // the first route that hits this threshold, or does not set :ref:`internal_redirect_policy + // ` + // will pass the redirect back to downstream. + // + // If not specified, at most one redirect will be followed. + google.protobuf.UInt32Value max_internal_redirects = 1; + + // Defines what upstream response codes are allowed to trigger internal redirect. If unspecified, + // only 302 will be treated as internal redirect. + // Only 301, 302, 303, 307 and 308 are valid values. Any other codes will be ignored. + repeated uint32 redirect_response_codes = 2 [(validate.rules).repeated = {max_items: 5}]; + + // Specifies a list of predicates that are queried when an upstream response is deemed + // to trigger an internal redirect by all other criteria. Any predicate in the list can reject + // the redirect, causing the response to be proxied to downstream. + // [#extension-category: envoy.internal_redirect_predicates] + repeated core.v3.TypedExtensionConfig predicates = 3; + + // Allow internal redirect to follow a target URI with a different scheme than the value of + // x-forwarded-proto. The default is ``false``. + bool allow_cross_scheme_redirect = 4; + + // Specifies a list of headers, by name, to copy from the internal redirect into the subsequent + // request. If a header is specified here but not present in the redirect, it will be cleared in + // the subsequent request. + repeated string response_headers_to_copy = 5 [(validate.rules).repeated = { + unique: true + items {string {well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; +} + +// A simple wrapper for an HTTP filter config. This is intended to be used as a wrapper for the +// map value in +// :ref:`VirtualHost.typed_per_filter_config`, +// :ref:`Route.typed_per_filter_config`, +// or :ref:`WeightedCluster.ClusterWeight.typed_per_filter_config` +// to add additional flags to the filter. +message FilterConfig { + // The filter config. + google.protobuf.Any config = 1; + + // If true, the filter is optional, meaning that if the client does + // not support the specified filter, it may ignore the map entry rather + // than rejecting the config. + bool is_optional = 2; + + // If true, the filter is disabled in the route or virtual host and the ``config`` field is ignored. + // See :ref:`route based filter chain ` + // for more details. + // + // .. note:: + // + // This field will take effect when the request arrive and filter chain is created for the request. + // If initial route is selected for the request and a filter is disabled in the initial route, then + // the filter will not be added to the filter chain. + // And if the request is mutated later and re-match to another route, the disabled filter by the + // initial route will not be added back to the filter chain because the filter chain is already + // created and it is too late to change the chain. + // + // This field only make sense for the downstream HTTP filters for now. + bool disabled = 3; +} diff --git a/modules/sync/envoyproxy/envoy/cas/5be0d34d2448031378eb44f676a6f51827f9d2d2546ab6df3b67c5c3da1011face37d508a8a0b95bdc4cce3abd94ea5f1fa591428646ff478a153466eae1494f b/modules/sync/envoyproxy/envoy/cas/5be0d34d2448031378eb44f676a6f51827f9d2d2546ab6df3b67c5c3da1011face37d508a8a0b95bdc4cce3abd94ea5f1fa591428646ff478a153466eae1494f new file mode 100644 index 00000000..2db3a621 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/5be0d34d2448031378eb44f676a6f51827f9d2d2546ab6df3b67c5c3da1011face37d508a8a0b95bdc4cce3abd94ea5f1fa591428646ff478a153466eae1494f @@ -0,0 +1,17 @@ +syntax = "proto3"; + +package envoy.extensions.matching.common_inputs.stats.v3; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.matching.common_inputs.stats.v3"; +option java_outer_classname = "StatsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/common_inputs/stats/v3;statsv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Stats matcher] + +// Specifies the way to match stats with full name. +message StatFullNameMatchInput { +} diff --git a/modules/sync/envoyproxy/envoy/cas/636af6b3bc6d3dc404d5e6e812088126624b82cfcd0c5bb5922e242e7a5f6e449ca990dbab2614e0130d88377efdce6d075bd1911731fca11e14eaf7b945150e b/modules/sync/envoyproxy/envoy/cas/636af6b3bc6d3dc404d5e6e812088126624b82cfcd0c5bb5922e242e7a5f6e449ca990dbab2614e0130d88377efdce6d075bd1911731fca11e14eaf7b945150e new file mode 100644 index 00000000..322dabd2 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/636af6b3bc6d3dc404d5e6e812088126624b82cfcd0c5bb5922e242e7a5f6e449ca990dbab2614e0130d88377efdce6d075bd1911731fca11e14eaf7b945150e @@ -0,0 +1,114 @@ +syntax = "proto3"; + +package envoy.extensions.filters.udp.dns_filter.v3; + +import "envoy/config/core/v3/address.proto"; +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/resolver.proto"; +import "envoy/data/dns/v3/dns_table.proto"; + +import "google/protobuf/duration.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.udp.dns_filter.v3"; +option java_outer_classname = "DnsFilterProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/udp/dns_filter/v3;dns_filterv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: DNS Filter] +// DNS Filter :ref:`configuration overview `. +// [#extension: envoy.filters.udp.dns_filter] + +// Configuration for the DNS filter. +message DnsFilterConfig { + // This message contains the configuration for the DNS Filter operating + // in a server context. This message will contain the virtual hosts and + // associated addresses with which Envoy will respond to queries + message ServerContextConfig { + oneof config_source { + option (validate.required) = true; + + // Load the configuration specified from the control plane + data.dns.v3.DnsTable inline_dns_table = 1; + + // Seed the filter configuration from an external path. This source + // is a yaml formatted file that contains the DnsTable driving Envoy's + // responses to DNS queries + config.core.v3.DataSource external_dns_table = 2; + } + } + + // This message contains the configuration for the DNS Filter operating + // in a client context. This message will contain the timeouts, retry, + // and forwarding configuration for Envoy to make DNS requests to other + // resolvers + // + // [#next-free-field: 6] + message ClientContextConfig { + // Sets the maximum time we will wait for the upstream query to complete + // We allow 5s for the upstream resolution to complete, so the minimum + // value here is 1. Note that the total latency for a failed query is the + // number of retries multiplied by the resolver_timeout. + google.protobuf.Duration resolver_timeout = 1 [(validate.rules).duration = {gte {seconds: 1}}]; + + // This field was used for `dns_resolution_config` in Envoy 1.19.0 and + // 1.19.1. + // Control planes that need to set this field for Envoy 1.19.0 and + // 1.19.1 clients should fork the protobufs and change the field type + // to `DnsResolutionConfig`. + // Control planes that need to simultaneously support Envoy 1.18.x and + // Envoy 1.19.x should avoid Envoy 1.19.0 and 1.19.1. + // + // [#not-implemented-hide:] + repeated config.core.v3.Address upstream_resolvers = 2 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // DNS resolution configuration which includes the underlying dns resolver addresses and options. + // This field is deprecated in favor of + // :ref:`typed_dns_resolver_config `. + config.core.v3.DnsResolutionConfig dns_resolution_config = 5 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // DNS resolver type configuration extension. This extension can be used to configure c-ares, apple, + // or any other DNS resolver types and the related parameters. + // For example, an object of + // :ref:`CaresDnsResolverConfig ` + // can be packed into this ``typed_dns_resolver_config``. This configuration replaces the + // :ref:`dns_resolution_config ` + // configuration. + // During the transition period when both ``dns_resolution_config`` and ``typed_dns_resolver_config`` exists, + // when ``typed_dns_resolver_config`` is in place, Envoy will use it and ignore ``dns_resolution_config``. + // When ``typed_dns_resolver_config`` is missing, the default behavior is in place. + // [#extension-category: envoy.network.dns_resolver] + config.core.v3.TypedExtensionConfig typed_dns_resolver_config = 4; + + // Controls how many outstanding external lookup contexts the filter tracks. + // The context structure allows the filter to respond to every query even if the external + // resolution times out or is otherwise unsuccessful + uint64 max_pending_lookups = 3 [(validate.rules).uint64 = {gte: 1}]; + } + + // The stat prefix used when emitting DNS filter statistics + string stat_prefix = 1 [(validate.rules).string = {min_len: 1}]; + + // Server context configuration contains the data that the filter uses to respond + // to DNS requests. + ServerContextConfig server_config = 2; + + // Client context configuration controls Envoy's behavior when it must use external + // resolvers to answer a query. This object is optional and if omitted instructs + // the filter to resolve queries from the data in the server_config. + // Also, if ``client_config`` is omitted, here is the Envoy's behavior to create DNS resolver: + // + // 1. If :ref:`typed_dns_resolver_config ` + // is not empty, uses it. + // + // 2. Otherwise, uses the default c-ares DNS resolver. + // + ClientContextConfig client_config = 3; +} diff --git a/modules/sync/envoyproxy/envoy/cas/688fce59f3ffa1578320bdf4c261ed966f3cd468c076768aa0c5ec3b470978850bc3a353fed1e88b648366e52555c0c2c6f85d659ba7438a58d552376ba4c89d b/modules/sync/envoyproxy/envoy/cas/688fce59f3ffa1578320bdf4c261ed966f3cd468c076768aa0c5ec3b470978850bc3a353fed1e88b648366e52555c0c2c6f85d659ba7438a58d552376ba4c89d new file mode 100644 index 00000000..caa79898 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/688fce59f3ffa1578320bdf4c261ed966f3cd468c076768aa0c5ec3b470978850bc3a353fed1e88b648366e52555c0c2c6f85d659ba7438a58d552376ba4c89d @@ -0,0 +1,23 @@ +syntax = "proto3"; + +package envoy.data.core.v3; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.data.core.v3"; +option java_outer_classname = "TlvMetadataProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/data/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Proxy Protocol Filter Typed Metadata] +// PROXY protocol filter typed metadata. + +message TlvsMetadata { + // Typed metadata for :ref:`Proxy protocol filter `, that represents a map of TLVs. + // Each entry in the map consists of a key which corresponds to a configured + // :ref:`rule key ` and a value (TLV value in bytes). + // :ref:`Proxy protocol filter ` + // populates both typed and untyped metadata. + map typed_metadata = 1; +} diff --git a/modules/sync/envoyproxy/envoy/cas/6a4880727a18c76c27422fb04451cb0c08cb6acc712b2ba3b3a68c81cb00feb401d2d4f8d666cbaaa787331838d3b8b8a9cf3a0ec609f9cb00c9f97574edae2a b/modules/sync/envoyproxy/envoy/cas/6a4880727a18c76c27422fb04451cb0c08cb6acc712b2ba3b3a68c81cb00feb401d2d4f8d666cbaaa787331838d3b8b8a9cf3a0ec609f9cb00c9f97574edae2a new file mode 100644 index 00000000..a4ed6e91 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/6a4880727a18c76c27422fb04451cb0c08cb6acc712b2ba3b3a68c81cb00feb401d2d4f8d666cbaaa787331838d3b8b8a9cf3a0ec609f9cb00c9f97574edae2a @@ -0,0 +1,443 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/event_service_config.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/proxy_protocol.proto"; +import "envoy/type/matcher/v3/string.proto"; +import "envoy/type/v3/http.proto"; +import "envoy/type/v3/range.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "HealthCheckProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Health check] +// * Health checking :ref:`architecture overview `. +// * If health checking is configured for a cluster, additional statistics are emitted. They are +// documented :ref:`here `. + +// Endpoint health status. +enum HealthStatus { + // The health status is not known. This is interpreted by Envoy as ``HEALTHY``. + UNKNOWN = 0; + + // Healthy. + HEALTHY = 1; + + // Unhealthy. + UNHEALTHY = 2; + + // Connection draining in progress. E.g., + // ``_ + // or + // ``_. + // This is interpreted by Envoy as ``UNHEALTHY``. + DRAINING = 3; + + // Health check timed out. This is part of HDS and is interpreted by Envoy as + // ``UNHEALTHY``. + TIMEOUT = 4; + + // Degraded. + DEGRADED = 5; +} + +message HealthStatusSet { + // An order-independent set of health status. + repeated HealthStatus statuses = 1 + [(validate.rules).repeated = {items {enum {defined_only: true}}}]; +} + +// [#next-free-field: 27] +message HealthCheck { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HealthCheck"; + + // Describes the encoding of the payload bytes in the payload. + message Payload { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.HealthCheck.Payload"; + + oneof payload { + option (validate.required) = true; + + // Hex encoded payload. E.g., "000000FF". + string text = 1 [(validate.rules).string = {min_len: 1}]; + + // Binary payload. + bytes binary = 2; + } + } + + // [#next-free-field: 15] + message HttpHealthCheck { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.HealthCheck.HttpHealthCheck"; + + reserved 5, 7; + + reserved "service_name", "use_http2"; + + // The value of the host header in the HTTP health check request. If + // left empty (default value), the name of the cluster this health check is associated + // with will be used. The host header can be customized for a specific endpoint by setting the + // :ref:`hostname ` field. + string host = 1 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE}]; + + // Specifies the HTTP path that will be requested during health checking. For example + // ``/healthcheck``. + string path = 2 [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_VALUE}]; + + // HTTP specific payload to be sent as the request body during health checking. + // If specified, the method should support a request body (POST, PUT, PATCH, etc.). + Payload send = 3; + + // Specifies a list of HTTP expected responses to match in the first ``response_buffer_size`` bytes of the response body. + // If it is set, both the expected response check and status code determine the health check. + // When checking the response, “fuzzy” matching is performed such that each payload block must be found, + // and in the order specified, but not necessarily contiguous. + // + // .. note:: + // + // It is recommended to set ``response_buffer_size`` based on the total Payload size for efficiency. + // The default buffer size is 1024 bytes when it is not set. + repeated Payload receive = 4; + + // Specifies the size of response buffer in bytes that is used to Payload match. + // The default value is 1024. Setting to 0 implies that the Payload will be matched against the entire response. + google.protobuf.UInt64Value response_buffer_size = 14 [(validate.rules).uint64 = {gte: 0}]; + + // Specifies a list of HTTP headers that should be added to each request that is sent to the + // health checked cluster. For more information, including details on header value syntax, see + // the documentation on :ref:`custom request headers + // `. + repeated HeaderValueOption request_headers_to_add = 6 + [(validate.rules).repeated = {max_items: 1000}]; + + // Specifies a list of HTTP headers that should be removed from each request that is sent to the + // health checked cluster. + repeated string request_headers_to_remove = 8 [(validate.rules).repeated = { + items {string {well_known_regex: HTTP_HEADER_NAME strict: false}} + }]; + + // Specifies a list of HTTP response statuses considered healthy. If provided, replaces default + // 200-only policy - 200 must be included explicitly as needed. Ranges follow half-open + // semantics of :ref:`Int64Range `. The start and end of each + // range are required. Only statuses in the range [100, 600) are allowed. + repeated type.v3.Int64Range expected_statuses = 9; + + // Specifies a list of HTTP response statuses considered retriable. If provided, responses in this range + // will count towards the configured :ref:`unhealthy_threshold `, + // but will not result in the host being considered immediately unhealthy. Ranges follow half-open semantics of + // :ref:`Int64Range `. The start and end of each range are required. + // Only statuses in the range [100, 600) are allowed. The :ref:`expected_statuses ` + // field takes precedence for any range overlaps with this field i.e. if status code 200 is both retriable and expected, a 200 response will + // be considered a successful health check. By default all responses not in + // :ref:`expected_statuses ` will result in + // the host being considered immediately unhealthy i.e. if status code 200 is expected and there are no configured retriable statuses, any + // non-200 response will result in the host being marked unhealthy. + repeated type.v3.Int64Range retriable_statuses = 12; + + // Use specified application protocol for health checks. + type.v3.CodecClientType codec_client_type = 10 [(validate.rules).enum = {defined_only: true}]; + + // An optional service name parameter which is used to validate the identity of + // the health checked cluster using a :ref:`StringMatcher + // `. See the :ref:`architecture overview + // ` for more information. + type.matcher.v3.StringMatcher service_name_matcher = 11; + + // HTTP Method that will be used for health checking, default is "GET". + // GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE, PATCH methods are supported. + // Request body payloads are supported for POST, PUT, PATCH, and OPTIONS methods only. + // CONNECT method is disallowed because it is not appropriate for health check request. + // If a non-200 response is expected by the method, it needs to be set in :ref:`expected_statuses `. + RequestMethod method = 13 [(validate.rules).enum = {defined_only: true not_in: 6}]; + } + + message TcpHealthCheck { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.HealthCheck.TcpHealthCheck"; + + // Empty payloads imply a connect-only health check. + Payload send = 1; + + // When checking the response, “fuzzy” matching is performed such that each + // payload block must be found, and in the order specified, but not + // necessarily contiguous. + repeated Payload receive = 2; + + // When setting this value, it tries to attempt health check request with ProxyProtocol. + // When ``send`` is presented, they are sent after preceding ProxyProtocol header. + // Only ProxyProtocol header is sent when ``send`` is not presented. + // It allows to use both ProxyProtocol V1 and V2. In V1, it presents L3/L4. In V2, it includes + // LOCAL command and doesn't include L3/L4. + ProxyProtocolConfig proxy_protocol_config = 3; + } + + message RedisHealthCheck { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.HealthCheck.RedisHealthCheck"; + + // If set, optionally perform ``EXISTS `` instead of ``PING``. A return value + // from Redis of 0 (does not exist) is considered a passing healthcheck. A return value other + // than 0 is considered a failure. This allows the user to mark a Redis instance for maintenance + // by setting the specified key to any value and waiting for traffic to drain. + string key = 1; + } + + // `grpc.health.v1.Health + // `_-based + // healthcheck. See `gRPC doc `_ + // for details. + message GrpcHealthCheck { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.HealthCheck.GrpcHealthCheck"; + + // An optional service name parameter which will be sent to gRPC service in + // `grpc.health.v1.HealthCheckRequest + // `_. + // message. See `gRPC health-checking overview + // `_ for more information. + string service_name = 1; + + // The value of the :authority header in the gRPC health check request. If + // left empty (default value), the name of the cluster this health check is associated + // with will be used. The authority header can be customized for a specific endpoint by setting + // the :ref:`hostname ` field. + string authority = 2 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Specifies a list of key-value pairs that should be added to the metadata of each GRPC call + // that is sent to the health checked cluster. For more information, including details on header value syntax, + // see the documentation on :ref:`custom request headers + // `. + repeated HeaderValueOption initial_metadata = 3 [(validate.rules).repeated = {max_items: 1000}]; + } + + // Custom health check. + message CustomHealthCheck { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.HealthCheck.CustomHealthCheck"; + + reserved 2; + + reserved "config"; + + // The registered name of the custom health checker. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // A custom health checker specific configuration which depends on the custom health checker + // being instantiated. See :api:`envoy/config/health_checker` for reference. + // [#extension-category: envoy.health_checkers] + oneof config_type { + google.protobuf.Any typed_config = 3; + } + } + + // Health checks occur over the transport socket specified for the cluster. This implies that if a + // cluster is using a TLS-enabled transport socket, the health check will also occur over TLS. + // + // This allows overriding the cluster TLS settings, just for health check connections. + message TlsOptions { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.HealthCheck.TlsOptions"; + + // Specifies the ALPN protocols for health check connections. This is useful if the + // corresponding upstream is using ALPN-based :ref:`FilterChainMatch + // ` along with different protocols for health checks + // versus data connections. If empty, no ALPN protocols will be set on health check connections. + repeated string alpn_protocols = 1; + } + + reserved 10; + + // The time to wait for a health check response. If the timeout is reached the + // health check attempt will be considered a failure. + google.protobuf.Duration timeout = 1 [(validate.rules).duration = { + required: true + gt {} + }]; + + // The interval between health checks. + google.protobuf.Duration interval = 2 [(validate.rules).duration = { + required: true + gt {} + }]; + + // An optional jitter amount in milliseconds. If specified, Envoy will start health + // checking after for a random time in ms between 0 and initial_jitter. This only + // applies to the first health check. + google.protobuf.Duration initial_jitter = 20; + + // An optional jitter amount in milliseconds. If specified, during every + // interval Envoy will add interval_jitter to the wait time. + google.protobuf.Duration interval_jitter = 3; + + // An optional jitter amount as a percentage of interval_ms. If specified, + // during every interval Envoy will add ``interval_ms`` * + // ``interval_jitter_percent`` / 100 to the wait time. + // + // If interval_jitter_ms and interval_jitter_percent are both set, both of + // them will be used to increase the wait time. + uint32 interval_jitter_percent = 18; + + // The number of unhealthy health checks required before a host is marked + // unhealthy. Note that for ``http`` health checking if a host responds with a code not in + // :ref:`expected_statuses ` + // or :ref:`retriable_statuses `, + // this threshold is ignored and the host is considered immediately unhealthy. + google.protobuf.UInt32Value unhealthy_threshold = 4 [(validate.rules).message = {required: true}]; + + // The number of healthy health checks required before a host is marked + // healthy. Note that during startup, only a single successful health check is + // required to mark a host healthy. + google.protobuf.UInt32Value healthy_threshold = 5 [(validate.rules).message = {required: true}]; + + // [#not-implemented-hide:] Non-serving port for health checking. + google.protobuf.UInt32Value alt_port = 6; + + // Reuse health check connection between health checks. Default is true. + google.protobuf.BoolValue reuse_connection = 7; + + oneof health_checker { + option (validate.required) = true; + + // HTTP health check. + HttpHealthCheck http_health_check = 8; + + // TCP health check. + TcpHealthCheck tcp_health_check = 9; + + // gRPC health check. + GrpcHealthCheck grpc_health_check = 11; + + // Custom health check. + CustomHealthCheck custom_health_check = 13; + } + + // The "no traffic interval" is a special health check interval that is used when a cluster has + // never had traffic routed to it. This lower interval allows cluster information to be kept up to + // date, without sending a potentially large amount of active health checking traffic for no + // reason. Once a cluster has been used for traffic routing, Envoy will shift back to using the + // standard health check interval that is defined. Note that this interval takes precedence over + // any other. + // + // The default value for "no traffic interval" is 60 seconds. + google.protobuf.Duration no_traffic_interval = 12 [(validate.rules).duration = {gt {}}]; + + // The "no traffic healthy interval" is a special health check interval that + // is used for hosts that are currently passing active health checking + // (including new hosts) when the cluster has received no traffic. + // + // This is useful for when we want to send frequent health checks with + // ``no_traffic_interval`` but then revert to lower frequency ``no_traffic_healthy_interval`` once + // a host in the cluster is marked as healthy. + // + // Once a cluster has been used for traffic routing, Envoy will shift back to using the + // standard health check interval that is defined. + // + // If no_traffic_healthy_interval is not set, it will default to the + // no traffic interval and send that interval regardless of health state. + google.protobuf.Duration no_traffic_healthy_interval = 24 [(validate.rules).duration = {gt {}}]; + + // The "unhealthy interval" is a health check interval that is used for hosts that are marked as + // unhealthy. As soon as the host is marked as healthy, Envoy will shift back to using the + // standard health check interval that is defined. + // + // The default value for "unhealthy interval" is the same as "interval". + google.protobuf.Duration unhealthy_interval = 14 [(validate.rules).duration = {gt {}}]; + + // The "unhealthy edge interval" is a special health check interval that is used for the first + // health check right after a host is marked as unhealthy. For subsequent health checks + // Envoy will shift back to using either "unhealthy interval" if present or the standard health + // check interval that is defined. + // + // The default value for "unhealthy edge interval" is the same as "unhealthy interval". + google.protobuf.Duration unhealthy_edge_interval = 15 [(validate.rules).duration = {gt {}}]; + + // The "healthy edge interval" is a special health check interval that is used for the first + // health check right after a host is marked as healthy. For subsequent health checks + // Envoy will shift back to using the standard health check interval that is defined. + // + // The default value for "healthy edge interval" is the same as the default interval. + google.protobuf.Duration healthy_edge_interval = 16 [(validate.rules).duration = {gt {}}]; + + // Specifies the path to the :ref:`health check event log `. + // + // .. attention:: + // This field is deprecated in favor of the extension + // :ref:`event_logger ` and + // :ref:`event_log_path ` + // in the file sink extension. + string event_log_path = 17 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // A list of event log sinks to process the health check event. + // [#extension-category: envoy.health_check.event_sinks] + repeated TypedExtensionConfig event_logger = 25; + + // [#not-implemented-hide:] + // The gRPC service for the health check event service. + // If empty, health check events won't be sent to a remote endpoint. + EventServiceConfig event_service = 22; + + // If set to true, health check failure events will always be logged. If set to false, only the + // initial health check failure event will be logged. + // The default value is false. + bool always_log_health_check_failures = 19; + + // If set to true, health check success events will always be logged. If set to false, only host addition event will be logged + // if it is the first successful health check, or if the healthy threshold is reached. + // The default value is false. + bool always_log_health_check_success = 26; + + // This allows overriding the cluster TLS settings, just for health check connections. + TlsOptions tls_options = 21; + + // Optional key/value pairs that will be used to match a transport socket from those specified in the cluster's + // :ref:`tranport socket matches `. + // For example, the following match criteria + // + // .. code-block:: yaml + // + // transport_socket_match_criteria: + // useMTLS: true + // + // Will match the following :ref:`cluster socket match ` + // + // .. code-block:: yaml + // + // transport_socket_matches: + // - name: "useMTLS" + // match: + // useMTLS: true + // transport_socket: + // name: envoy.transport_sockets.tls + // config: { ... } # tls socket configuration + // + // If this field is set, then for health checks it will supersede an entry of ``envoy.transport_socket`` in the + // :ref:`LbEndpoint.Metadata `. + // This allows using different transport socket capabilities for health checking versus proxying to the + // endpoint. + // + // If the key/values pairs specified do not match any + // :ref:`transport socket matches `, + // the cluster's :ref:`transport socket ` + // will be used for health check socket configuration. + google.protobuf.Struct transport_socket_match_criteria = 23; +} diff --git a/modules/sync/envoyproxy/envoy/cas/6e08a950c353824af726fd5f4162d3b21a2107b2264106a8b10a1b119950a0f27a21ef97ec32bce738db040a25e561dddc70bb569861b67eb2ef434159d44462 b/modules/sync/envoyproxy/envoy/cas/6e08a950c353824af726fd5f4162d3b21a2107b2264106a8b10a1b119950a0f27a21ef97ec32bce738db040a25e561dddc70bb569861b67eb2ef434159d44462 new file mode 100644 index 00000000..b060bce9 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/6e08a950c353824af726fd5f4162d3b21a2107b2264106a8b10a1b119950a0f27a21ef97ec32bce738db040a25e561dddc70bb569861b67eb2ef434159d44462 @@ -0,0 +1,102 @@ +syntax = "proto3"; + +package envoy.extensions.network.dns_resolver.cares.v3; + +import "envoy/config/core/v3/address.proto"; +import "envoy/config/core/v3/resolver.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.network.dns_resolver.cares.v3"; +option java_outer_classname = "CaresDnsResolverProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/network/dns_resolver/cares/v3;caresv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: c-ares DNS resolver] +// [#extension: envoy.network.dns_resolver.cares] + +// Configuration for c-ares DNS resolver. +// [#next-free-field: 11] +message CaresDnsResolverConfig { + // A list of DNS resolver addresses. + // :ref:`use_resolvers_as_fallback ` + // below dictates if the DNS client should override system defaults or only use the provided + // resolvers if the system defaults are not available, i.e., as a fallback. + repeated config.core.v3.Address resolvers = 1; + + // If true use the resolvers listed in the + // :ref:`resolvers ` + // field only if c-ares is unable to obtain a + // nameserver from the system (e.g., ``/etc/resolv.conf``). + // Otherwise, the resolvers listed in the resolvers list will override the default system + // resolvers. Defaults to false. + bool use_resolvers_as_fallback = 3; + + // The resolver will query available network interfaces and determine if there are no available + // interfaces for a given IP family. It will then filter these addresses from the results it + // presents. e.g., if there are no available IPv4 network interfaces, the resolver will not + // provide IPv4 addresses. + bool filter_unroutable_families = 4; + + // Configuration of DNS resolver option flags which control the behavior of the DNS resolver. + config.core.v3.DnsResolverOptions dns_resolver_options = 2; + + // This option allows the number of UDP based DNS queries to be capped. + // + // .. note:: + // This is only applicable to c-ares DNS resolver currently. + // + google.protobuf.UInt32Value udp_max_queries = 5; + + // The number of seconds each name server is given to respond to a query on the first try of any given server. + // + // .. note:: + // While the c-ares library defaults to 2 seconds, Envoy's default (if this field is unset) is 5 seconds. + // This adjustment was made to maintain the previous behavior after users reported an increase in DNS resolution times. + // + google.protobuf.UInt64Value query_timeout_seconds = 6 [(validate.rules).uint64 = {gte: 1}]; + + // The maximum number of query attempts the resolver will make before giving up. + // Each attempt may use a different name server. + // + // .. note:: + // While the c-ares library defaults to 3 attempts, Envoy's default (if this field is unset) is 4 attempts. + // This adjustment was made to maintain the previous behavior after users reported an increase in DNS resolution times. + // + google.protobuf.UInt32Value query_tries = 7 [(validate.rules).uint32 = {gte: 1}]; + + // Enable round-robin selection of name servers for DNS resolution. When enabled, the resolver will cycle through the + // list of name servers for each resolution request. This can help distribute the query load across multiple name + // servers. If disabled (default), the resolver will try name servers in the order they are configured. + // + // .. note:: + // This setting overrides any system configuration for name server rotation. + // + bool rotate_nameservers = 8; + + // Maximum EDNS0 UDP payload size in bytes. + // If set, c-ares will include EDNS0 in DNS queries and use this value as the maximum UDP response size. + // + // Recommended values: + // + // * **1232**: Safe default (avoids fragmentation). + // * **4096**: Maximum allowed. + // + // If unset, c-ares uses its internal default (usually 1232). + google.protobuf.UInt32Value edns0_max_payload_size = 9 + [(validate.rules).uint32 = {lte: 4096 gte: 512}]; + + // The maximum duration for which a UDP channel will be kept alive before being refreshed. + // + // If set, the DNS resolver will periodically reinitialize its c-ares channel after the + // specified duration. This can help with avoiding stale socket states, and providing + // better load distribution across UDP ports. + // + // If not specified, no periodic refresh will be performed. + google.protobuf.Duration max_udp_channel_duration = 10 [(validate.rules).duration = {gte {}}]; +} diff --git a/modules/sync/envoyproxy/envoy/cas/713d411cee39f04b628ebfc3532d4a8af422cfb8885f372599ed0d86dd4011f743d160c66485159be9dee939ecf66de5c323cd1fc4523f1c3be62bde4e3bbbac b/modules/sync/envoyproxy/envoy/cas/713d411cee39f04b628ebfc3532d4a8af422cfb8885f372599ed0d86dd4011f743d160c66485159be9dee939ecf66de5c323cd1fc4523f1c3be62bde4e3bbbac new file mode 100644 index 00000000..054ac143 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/713d411cee39f04b628ebfc3532d4a8af422cfb8885f372599ed0d86dd4011f743d160c66485159be9dee939ecf66de5c323cd1fc4523f1c3be62bde4e3bbbac @@ -0,0 +1,49 @@ +syntax = "proto3"; + +package envoy.extensions.clusters.reverse_connection.v3; + +import "google/protobuf/duration.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.clusters.reverse_connection.v3"; +option java_outer_classname = "ReverseConnectionProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/clusters/reverse_connection/v3;reverse_connectionv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Reverse connection cluster] +// [#extension: envoy.clusters.reverse_connection] + +// Configuration for a cluster of type REVERSE_CONNECTION. +message ReverseConnectionClusterConfig { + // Time interval after which Envoy removes unused dynamic hosts created for reverse connections. + // Hosts that are not referenced by any connection pool are deleted during cleanup. + // + // If unset, Envoy uses a default of 60s. + google.protobuf.Duration cleanup_interval = 1 [(validate.rules).duration = {gt {}}]; + + // Host identifier format string. + // + // This format string is evaluated against the downstream request context to compute + // the host identifier for selecting the reverse connection endpoint. The format string + // supports Envoy's standard formatter syntax, including: + // + // * ``%REQ(header-name)%``: Extract request header value. + // * ``%DYNAMIC_METADATA(namespace:key)%``: Extract dynamic metadata value. + // * ``%CEL(expression)%``: Evaluate CEL expression. + // * ``%DOWNSTREAM_REMOTE_ADDRESS%``: Downstream connection address. + // * ``%DOWNSTREAM_LOCAL_ADDRESS%``: Downstream local address. + // * Plain text and combinations of the above. + // + // Examples: + // + // * ``%REQ(x-remote-node-id)%``: Use the value of the ``x-remote-node-id`` header. + // * ``%REQ(host):EXTRACT_FIRST_PART%``: Extract the first part of the Host header before a dot. + // * ``%CEL(request.headers['x-node-id'] | orValue('default'))%``: Use CEL with fallback. + // * ``node-%REQ(x-tenant-id)%-%REQ(x-region)%``: Combine multiple values. + // + // If the format string evaluates to an empty value, the request will not be routed. + string host_id_format = 2 [(validate.rules).string = {min_len: 1}]; +} diff --git a/modules/sync/envoyproxy/envoy/cas/7215f9898193b8af53eb913822e4a62030a22efcd12ab8b10e268e0a04ed5c2c6e5c827f445c7948a594fc9baaeb9dac34dc6cf9bfa1e76d4e1d4273bd9b1b87 b/modules/sync/envoyproxy/envoy/cas/7215f9898193b8af53eb913822e4a62030a22efcd12ab8b10e268e0a04ed5c2c6e5c827f445c7948a594fc9baaeb9dac34dc6cf9bfa1e76d4e1d4273bd9b1b87 new file mode 100644 index 00000000..f64c16bb --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/7215f9898193b8af53eb913822e4a62030a22efcd12ab8b10e268e0a04ed5c2c6e5c827f445c7948a594fc9baaeb9dac34dc6cf9bfa1e76d4e1d4273bd9b1b87 @@ -0,0 +1,27 @@ +syntax = "proto3"; + +package envoy.extensions.grpc_service.channel_credentials.tls.v3; + +import "envoy/extensions/transport_sockets/tls/v3/tls.proto"; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.grpc_service.channel_credentials.tls.v3"; +option java_outer_classname = "TlsCredentialsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/grpc_service/channel_credentials/tls/v3;tlsv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: gRPC TLS Credentials] + +// [#not-implemented-hide:] +message TlsCredentials { + // The certificate provider instance for the root cert. Must be set. + transport_sockets.tls.v3.CommonTlsContext.CertificateProviderInstance root_certificate_provider = + 1; + + // The certificate provider instance for the identity cert. Optional; + // if unset, no identity certificate will be sent to the server. + transport_sockets.tls.v3.CommonTlsContext.CertificateProviderInstance + identity_certificate_provider = 2; +} diff --git a/modules/sync/envoyproxy/envoy/cas/738f54621e145760f7b19dfd49f2a1b93f3e7e906e90b0d10d8020dfb60671ba007e5a16ad49b43c0f17c26263ad7b75037096c0d099ab9b3766a134b967f4ec b/modules/sync/envoyproxy/envoy/cas/738f54621e145760f7b19dfd49f2a1b93f3e7e906e90b0d10d8020dfb60671ba007e5a16ad49b43c0f17c26263ad7b75037096c0d099ab9b3766a134b967f4ec new file mode 100644 index 00000000..cacb0981 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/738f54621e145760f7b19dfd49f2a1b93f3e7e906e90b0d10d8020dfb60671ba007e5a16ad49b43c0f17c26263ad7b75037096c0d099ab9b3766a134b967f4ec @@ -0,0 +1,31 @@ +syntax = "proto3"; + +package envoy.extensions.grpc_service.call_credentials.file_based_metadata.v3; + +import "envoy/config/core/v3/base.proto"; + +import "udpa/annotations/sensitive.proto"; +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.grpc_service.call_credentials.file_based_metadata.v3"; +option java_outer_classname = "FileBasedMetadataCredentialsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/grpc_service/call_credentials/file_based_metadata/v3;file_based_metadatav3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: File-Based Metadata Call Credentials] + +// [#not-implemented-hide:] +message FileBasedMetadataCallCredentials { + // Location or inline data of secret to use for authentication of the Google gRPC connection + // this secret will be attached to a header of the gRPC connection + config.core.v3.DataSource secret_data = 1 [(udpa.annotations.sensitive) = true]; + + // Metadata header key to use for sending the secret data + // if no header key is set, "authorization" header will be used + string header_key = 2; + + // Prefix to prepend to the secret in the metadata header + // if no prefix is set, the default is to use no prefix + string header_prefix = 3; +} diff --git a/modules/sync/envoyproxy/envoy/cas/746fb58032fe1f28ddc17510e1aff7da41b73a76970c9e30dd6efe749ffe94572c8752280fd6fd70bc32623bb6e284ff852c95d8e0beb6706e0512b3252c786b b/modules/sync/envoyproxy/envoy/cas/746fb58032fe1f28ddc17510e1aff7da41b73a76970c9e30dd6efe749ffe94572c8752280fd6fd70bc32623bb6e284ff852c95d8e0beb6706e0512b3252c786b new file mode 100644 index 00000000..abaaf4ea --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/746fb58032fe1f28ddc17510e1aff7da41b73a76970c9e30dd6efe749ffe94572c8752280fd6fd70bc32623bb6e284ff852c95d8e0beb6706e0512b3252c786b @@ -0,0 +1,92 @@ +syntax = "proto3"; + +package envoy.extensions.load_balancing_policies.client_side_weighted_round_robin.v3; + +import "envoy/extensions/load_balancing_policies/common/v3/common.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.load_balancing_policies.client_side_weighted_round_robin.v3"; +option java_outer_classname = "ClientSideWeightedRoundRobinProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3;client_side_weighted_round_robinv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Client-Side Weighted Round Robin Load Balancing Policy] +// [#extension: envoy.load_balancing_policies.client_side_weighted_round_robin] + +// Configuration for the client_side_weighted_round_robin LB policy. +// +// This policy differs from the built-in ROUND_ROBIN policy in terms of +// how the endpoint weights are determined. In the ROUND_ROBIN policy, +// the endpoint weights are sent by the control plane via EDS. However, +// in this policy, the endpoint weights are instead determined via qps (queries +// per second), eps (errors per second), and utilization metrics sent by the +// endpoint using the Open Request Cost Aggregation (ORCA) protocol. Utilization +// is determined by using the ORCA application_utilization field, if set, or +// else falling back to the cpu_utilization field. All queries count toward qps, +// regardless of result. Only failed queries count toward eps. A config +// parameter error_utilization_penalty controls the penalty to adjust endpoint +// weights using eps and qps. The weight of a given endpoint is computed as: +// ``qps / (utilization + eps/qps * error_utilization_penalty)``. +// +// Note that Envoy will forward the ORCA response headers/trailers from the upstream +// cluster to the downstream client. This means that if the downstream client is also +// configured to use ``client_side_weighted_round_robin`` it will load balance against +// Envoy based on upstream weights. This can happen when Envoy is used as a reverse proxy. +// To avoid this issue you can configure the :ref:`header_mutation filter ` to remove +// the ORCA payload from the response headers/trailers. +// +// See the :ref:`load balancing architecture +// overview` for more information. +// +// [#next-free-field: 9] +message ClientSideWeightedRoundRobin { + // Whether to enable out-of-band utilization reporting collection from + // the endpoints. By default, per-request utilization reporting is used. + google.protobuf.BoolValue enable_oob_load_report = 1; + + // Load reporting interval to request from the server. Note that the + // server may not provide reports as frequently as the client requests. + // Used only when enable_oob_load_report is true. Default is 10 seconds. + google.protobuf.Duration oob_reporting_period = 2; + + // A given endpoint must report load metrics continuously for at least + // this long before the endpoint weight will be used. This avoids + // churn when the set of endpoint addresses changes. Takes effect + // both immediately after we establish a connection to an endpoint and + // after weight_expiration_period has caused us to stop using the most + // recent load metrics. Default is 10 seconds. + google.protobuf.Duration blackout_period = 3; + + // If a given endpoint has not reported load metrics in this long, + // then we stop using the reported weight. This ensures that we do + // not continue to use very stale weights. Once we stop using a stale + // value, if we later start seeing fresh reports again, the + // blackout_period applies. Defaults to 3 minutes. + google.protobuf.Duration weight_expiration_period = 4; + + // How often endpoint weights are recalculated. Values less than 100ms are + // capped at 100ms. Default is 1 second. + google.protobuf.Duration weight_update_period = 5; + + // The multiplier used to adjust endpoint weights with the error rate + // calculated as eps/qps. Configuration is rejected if this value is negative. + // Default is 1.0. + google.protobuf.FloatValue error_utilization_penalty = 6 [(validate.rules).float = {gte: 0.0}]; + + // By default, endpoint weight is computed based on the :ref:`application_utilization ` field reported by the endpoint. + // If that field is not set, then utilization will instead be computed by taking the max of the values of the metrics specified here. + // For map fields in the ORCA proto, the string will be of the form ``.``. For example, the string ``named_metrics.foo`` will mean to look for the key ``foo`` in the ORCA :ref:`named_metrics ` field. + // If none of the specified metrics are present in the load report, then :ref:`cpu_utilization ` is used instead. + repeated string metric_names_for_computing_utilization = 7; + + // Configuration for slow start mode. + // If this configuration is not set, slow start will not be not enabled. + // [#not-implemented-hide:] + common.v3.SlowStartConfig slow_start_config = 8; +} diff --git a/modules/sync/envoyproxy/envoy/cas/75c59a779d426c636bff95bfe400b99da0138fc3e3949fd2d06425cdb77fb732a1d3454a48661100941d1895d79d17e38f335418d04cf9bd85f511219d196974 b/modules/sync/envoyproxy/envoy/cas/75c59a779d426c636bff95bfe400b99da0138fc3e3949fd2d06425cdb77fb732a1d3454a48661100941d1895d79d17e38f335418d04cf9bd85f511219d196974 new file mode 100644 index 00000000..730e065e --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/75c59a779d426c636bff95bfe400b99da0138fc3e3949fd2d06425cdb77fb732a1d3454a48661100941d1895d79d17e38f335418d04cf9bd85f511219d196974 @@ -0,0 +1,1275 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.http_connection_manager.v3; + +import "envoy/config/accesslog/v3/accesslog.proto"; +import "envoy/config/core/v3/address.proto"; +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/config_source.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/protocol.proto"; +import "envoy/config/core/v3/substitution_format_string.proto"; +import "envoy/config/route/v3/route.proto"; +import "envoy/config/route/v3/scoped_route.proto"; +import "envoy/config/trace/v3/http_tracer.proto"; +import "envoy/type/http/v3/path_transformation.proto"; +import "envoy/type/tracing/v3/custom_tag.proto"; +import "envoy/type/v3/percent.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/security.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.http_connection_manager.v3"; +option java_outer_classname = "HttpConnectionManagerProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/http_connection_manager/v3;http_connection_managerv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: HTTP connection manager] +// HTTP connection manager :ref:`configuration overview `. +// [#extension: envoy.filters.network.http_connection_manager] + +// [#next-free-field: 60] +message HttpConnectionManager { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager"; + + enum CodecType { + // For every new connection, the connection manager will determine which + // codec to use. This mode supports both ALPN for TLS listeners as well as + // protocol inference for plaintext listeners. If ALPN data is available, it + // is preferred, otherwise protocol inference is used. In almost all cases, + // this is the right option to choose for this setting. + AUTO = 0; + + // The connection manager will assume that the client is speaking HTTP/1.1. + HTTP1 = 1; + + // The connection manager will assume that the client is speaking HTTP/2 + // (Envoy does not require HTTP/2 to take place over TLS or to use ALPN. + // Prior knowledge is allowed). + HTTP2 = 2; + + // The connection manager will assume that the client is speaking HTTP/3. + // This needs to be consistent with listener and transport socket config. + HTTP3 = 3; + } + + enum ServerHeaderTransformation { + // Overwrite any Server header with the contents of server_name. + OVERWRITE = 0; + + // If no Server header is present, append Server server_name + // If a Server header is present, pass it through. + APPEND_IF_ABSENT = 1; + + // Pass through the value of the server header, and do not append a header + // if none is present. + PASS_THROUGH = 2; + } + + // How to handle the :ref:`config_http_conn_man_headers_x-forwarded-client-cert` (XFCC) HTTP + // header. + enum ForwardClientCertDetails { + // Do not send the XFCC header to the next hop. This is the default value. + SANITIZE = 0; + + // When the client connection is mTLS (Mutual TLS), forward the XFCC header + // in the request. + FORWARD_ONLY = 1; + + // When the client connection is mTLS, append the client certificate + // information to the request’s XFCC header and forward it. + APPEND_FORWARD = 2; + + // When the client connection is mTLS, reset the XFCC header with the client + // certificate information and send it to the next hop. + SANITIZE_SET = 3; + + // Always forward the XFCC header in the request, regardless of whether the + // client connection is mTLS. + ALWAYS_FORWARD_ONLY = 4; + } + + // Determines the action for request that contain ``%2F``, ``%2f``, ``%5C`` or ``%5c`` sequences in the URI path. + // This operation occurs before URL normalization and the merge slashes transformations if they were enabled. + enum PathWithEscapedSlashesAction { + // Default behavior specific to implementation (i.e. Envoy) of this configuration option. + // Envoy, by default, takes the KEEP_UNCHANGED action. + // + // .. note:: + // + // The implementation may change the default behavior at-will. + IMPLEMENTATION_SPECIFIC_DEFAULT = 0; + + // Keep escaped slashes. + KEEP_UNCHANGED = 1; + + // Reject client request with the 400 status. gRPC requests will be rejected with the INTERNAL (13) error code. + // The ``httpN.downstream_rq_failed_path_normalization`` counter is incremented for each rejected request. + REJECT_REQUEST = 2; + + // Unescape ``%2F`` and ``%5C`` sequences and redirect request to the new path if these sequences were present. + // Redirect occurs after path normalization and merge slashes transformations if they were configured. + // + // .. note:: + // + // gRPC requests will be rejected with the INTERNAL (13) error code. This option minimizes possibility of path + // confusion exploits by forcing request with unescaped slashes to traverse all parties: downstream client, + // intermediate proxies, Envoy and upstream server. The ``httpN.downstream_rq_redirected_with_normalized_path`` + // counter is incremented for each redirected request. + // + UNESCAPE_AND_REDIRECT = 3; + + // Unescape ``%2F`` and ``%5C`` sequences. + // + // .. note:: + // + // This option should not be enabled if intermediaries perform path based access control as it may lead to path + // confusion vulnerabilities. + // + UNESCAPE_AND_FORWARD = 4; + } + + // [#next-free-field: 11] + message Tracing { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager.Tracing"; + + enum OperationName { + // The HTTP listener is used for ingress/incoming requests. + INGRESS = 0; + + // The HTTP listener is used for egress/outgoing requests. + EGRESS = 1; + } + + reserved 1, 2; + + reserved "operation_name", "request_headers_for_tags"; + + // Target percentage of requests managed by this HTTP connection manager that will be force + // traced if the :ref:`x-client-trace-id ` + // header is set. This field is a direct analog for the runtime variable + // 'tracing.client_enabled' in the :ref:`HTTP Connection Manager + // `. + // Default: 100% + type.v3.Percent client_sampling = 3; + + // Target percentage of requests managed by this HTTP connection manager that will be randomly + // selected for trace generation, if not requested by the client or not forced. This field is + // a direct analog for the runtime variable 'tracing.random_sampling' in the + // :ref:`HTTP Connection Manager `. + // Default: 100% + type.v3.Percent random_sampling = 4; + + // Target percentage of requests managed by this HTTP connection manager that will be traced + // after all other sampling checks have been applied (client-directed, force tracing, random + // sampling). This field functions as an upper limit on the total configured sampling rate. For + // instance, setting client_sampling to 100% but overall_sampling to 1% will result in only 1% + // of client requests with the appropriate headers to be force traced. This field is a direct + // analog for the runtime variable 'tracing.global_enabled' in the + // :ref:`HTTP Connection Manager `. + // Default: 100% + type.v3.Percent overall_sampling = 5; + + // Whether to annotate spans with additional data. If true, spans will include logs for stream + // events. + bool verbose = 6; + + // Maximum length of the request path to extract and include in the HttpUrl tag. Used to + // truncate lengthy request paths to meet the needs of a tracing backend. + // Default: 256 + google.protobuf.UInt32Value max_path_tag_length = 7; + + // A list of custom tags with unique tag name to create tags for the active span. + repeated type.tracing.v3.CustomTag custom_tags = 8; + + // Configuration for an external tracing provider. + // If not specified, no tracing will be performed. + config.trace.v3.Tracing.Http provider = 9; + + // Create separate tracing span for each upstream request if true. And if this flag is set to true, + // the tracing provider will assume that Envoy will be independent hop in the trace chain and may + // set span type to client or server based on this flag. + // This will deprecate the + // :ref:`start_child_span ` + // in the router. + // + // Users should set appropriate value based on their tracing provider and actual scenario: + // + // * If Envoy is used as sidecar and users want to make the sidecar and its application as only one + // hop in the trace chain, this flag should be set to false. And please also make sure the + // :ref:`start_child_span ` + // in the router is not set to true. + // * If Envoy is used as gateway or independent proxy, or users want to make the sidecar and its + // application as different hops in the trace chain, this flag should be set to true. + // * If tracing provider that has explicit requirements on span creation (like SkyWalking), + // this flag should be set to true. + // + // The default value is false for now for backward compatibility. + google.protobuf.BoolValue spawn_upstream_span = 10; + } + + message InternalAddressConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager." + "InternalAddressConfig"; + + // Whether unix socket addresses should be considered internal. + bool unix_sockets = 1; + + // List of CIDR ranges that are treated as internal. If unset, then RFC1918 / RFC4193 + // IP addresses will be considered internal. + repeated config.core.v3.CidrRange cidr_ranges = 2; + } + + // [#next-free-field: 7] + message SetCurrentClientCertDetails { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager." + "SetCurrentClientCertDetails"; + + reserved 2; + + // Whether to forward the subject of the client cert. Defaults to false. + google.protobuf.BoolValue subject = 1; + + // Whether to forward the entire client cert in URL encoded PEM format. This will appear in the + // XFCC header comma separated from other values with the value Cert="PEM". + // Defaults to false. + bool cert = 3; + + // Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM + // format. This will appear in the XFCC header comma separated from other values with the value + // Chain="PEM". + // Defaults to false. + bool chain = 6; + + // Whether to forward the DNS type Subject Alternative Names of the client cert. + // Defaults to false. + bool dns = 4; + + // Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to + // false. + bool uri = 5; + } + + // The configuration for HTTP upgrades. + // For each upgrade type desired, an UpgradeConfig must be added. + // + // .. warning:: + // + // The current implementation of upgrade headers does not handle multi-valued upgrade headers. Support for + // multi-valued headers may be added in the future if needed. + // + // .. warning:: + // The current implementation of upgrade headers does not work with HTTP/2 upstreams. + // + message UpgradeConfig { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager." + "UpgradeConfig"; + + // The case-insensitive name of this upgrade, e.g. "websocket". + // For each upgrade type present in upgrade_configs, requests with + // Upgrade: [upgrade_type] + // will be proxied upstream. + string upgrade_type = 1; + + // If present, this represents the filter chain which will be created for + // this type of upgrade. If no filters are present, the filter chain for + // HTTP connections will be used for this upgrade type. + repeated HttpFilter filters = 2; + + // Determines if upgrades are enabled or disabled by default. Defaults to true. + // This can be overridden on a per-route basis with :ref:`cluster + // ` as documented in the + // :ref:`upgrade documentation `. + google.protobuf.BoolValue enabled = 3; + } + + // [#not-implemented-hide:] Transformations that apply to path headers. Transformations are applied + // before any processing of requests by HTTP filters, routing, and matching. Only the normalized + // path will be visible internally if a transformation is enabled. Any path rewrites that the + // router performs (e.g. :ref:`regex_rewrite + // ` or :ref:`prefix_rewrite + // `) will apply to the ``:path`` header + // destined for the upstream. + // + // .. note:: + // + // Access logging and tracing will show the original ``:path`` header. + // + message PathNormalizationOptions { + // [#not-implemented-hide:] Normalization applies internally before any processing of requests by + // HTTP filters, routing, and matching *and* will affect the forwarded ``:path`` header. Defaults + // to :ref:`NormalizePathRFC3986 + // `. When not + // specified, this value may be overridden by the runtime variable + // :ref:`http_connection_manager.normalize_path`. + // Envoy will respond with 400 to paths that are malformed (e.g. for paths that fail RFC 3986 + // normalization due to disallowed characters.) + type.http.v3.PathTransformation forwarding_transformation = 1; + + // [#not-implemented-hide:] Normalization only applies internally before any processing of + // requests by HTTP filters, routing, and matching. These will be applied after full + // transformation is applied. The ``:path`` header before this transformation will be restored in + // the router filter and sent upstream unless it was mutated by a filter. Defaults to no + // transformations. + // Multiple actions can be applied in the same Transformation, forming a sequential + // pipeline. The transformations will be performed in the order that they appear. Envoy will + // respond with 400 to paths that are malformed (e.g. for paths that fail RFC 3986 + // normalization due to disallowed characters.) + type.http.v3.PathTransformation http_filter_transformation = 2; + } + + // Configures the manner in which the Proxy-Status HTTP response header is + // populated. + // + // See the [Proxy-Status + // RFC](https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-proxy-status-08). + // [#comment:TODO: Update this with the non-draft URL when finalized.] + // + // The Proxy-Status header is a string of the form: + // + // "; error=; details=
" + // [#next-free-field: 7] + message ProxyStatusConfig { + // If true, the details field of the Proxy-Status header is not populated with stream_info.response_code_details. + // This value defaults to ``false``, i.e. the ``details`` field is populated by default. + bool remove_details = 1; + + // If true, the details field of the Proxy-Status header will not contain + // connection termination details. This value defaults to ``false``, i.e. the + // ``details`` field will contain connection termination details by default. + bool remove_connection_termination_details = 2; + + // If true, the details field of the Proxy-Status header will not contain an + // enumeration of the Envoy ResponseFlags. This value defaults to ``false``, + // i.e. the ``details`` field will contain a list of ResponseFlags by default. + bool remove_response_flags = 3; + + // If true, overwrites the existing Status header with the response code + // recommended by the Proxy-Status spec. + // This value defaults to ``false``, i.e. the HTTP response code is not + // overwritten. + bool set_recommended_response_code = 4; + + // The name of the proxy as it appears at the start of the Proxy-Status + // header. + // + // If neither of these values are set, this value defaults to ``server_name``, + // which itself defaults to "envoy". + oneof proxy_name { + // If ``use_node_id`` is set, Proxy-Status headers will use the Envoy's node + // ID as the name of the proxy. + bool use_node_id = 5; + + // If ``literal_proxy_name`` is set, Proxy-Status headers will use this + // value as the name of the proxy. + string literal_proxy_name = 6; + } + } + + message HcmAccessLogOptions { + // The interval to flush the above access logs. By default, the HCM will flush exactly one access log + // on stream close, when the HTTP request is complete. If this field is set, the HCM will flush access + // logs periodically at the specified interval. This is especially useful in the case of long-lived + // requests, such as CONNECT and Websockets. Final access logs can be detected via the + // ``requestComplete()`` method of ``StreamInfo`` in access log filters, or through the ``%DURATION%`` substitution + // string. + // The interval must be at least 1 millisecond. + google.protobuf.Duration access_log_flush_interval = 1 + [(validate.rules).duration = {gte {nanos: 1000000}}]; + + // If set to true, HCM will flush an access log when a new HTTP request is received, after request + // headers have been evaluated, before iterating through the HTTP filter chain. + // This log record, if enabled, does not depend on periodic log records or request completion log. + // Details related to upstream cluster, such as upstream host, will not be available for this log. + bool flush_access_log_on_new_request = 2; + + // If true, the HCM will flush an access log when a tunnel is successfully established. For example, + // this could be when an upstream has successfully returned 101 Switching Protocols, or when the proxy + // has returned 200 to a CONNECT request. + bool flush_log_on_tunnel_successfully_established = 3; + } + + reserved 27, 11; + + reserved "idle_timeout"; + + // Supplies the type of codec that the connection manager should use. + CodecType codec_type = 1 [(validate.rules).enum = {defined_only: true}]; + + // The human readable prefix to use when emitting statistics for the + // connection manager. See the :ref:`statistics documentation ` for + // more information. + string stat_prefix = 2 [(validate.rules).string = {min_len: 1}]; + + oneof route_specifier { + option (validate.required) = true; + + // The connection manager’s route table will be dynamically loaded via the RDS API. + Rds rds = 3; + + // The route table for the connection manager is static and is specified in this property. + config.route.v3.RouteConfiguration route_config = 4; + + // A route table will be dynamically assigned to each request based on request attributes + // (e.g., the value of a header). The "routing scopes" (i.e., route tables) and "scope keys" are + // specified in this message. + ScopedRoutes scoped_routes = 31; + } + + // A list of individual HTTP filters that make up the filter chain for + // requests made to the connection manager. :ref:`Order matters ` + // as the filters are processed sequentially as request events happen. + repeated HttpFilter http_filters = 5; + + // Whether the connection manager manipulates the :ref:`config_http_conn_man_headers_user-agent` + // and :ref:`config_http_conn_man_headers_downstream-service-cluster` headers. See the linked + // documentation for more information. Defaults to false. + google.protobuf.BoolValue add_user_agent = 6; + + // Presence of the object defines whether the connection manager + // emits :ref:`tracing ` data to the :ref:`configured tracing provider + // `. + Tracing tracing = 7; + + // Additional settings for HTTP requests handled by the connection manager. These will be + // applicable to both HTTP/1.1 and HTTP/2 requests. + config.core.v3.HttpProtocolOptions common_http_protocol_options = 35 + [(udpa.annotations.security).configure_for_untrusted_downstream = true]; + + // If set to ``true``, Envoy will not initiate an immediate drain timer for downstream HTTP/1 connections + // once :ref:`common_http_protocol_options.max_connection_duration + // ` is exceeded. + // Instead, Envoy will wait until the next downstream request arrives, add a ``connection: close`` header + // to the response, and then gracefully close the connection once the stream has completed. + // + // This behavior adheres to `RFC 9112, Section 9.6 `_. + // + // If set to ``false``, exceeding ``max_connection_duration`` triggers Envoy's default drain behavior for HTTP/1, + // where the connection is eventually closed after all active streams finish. + // + // This option has no effect if ``max_connection_duration`` is not configured. + // Defaults to ``false``. + bool http1_safe_max_connection_duration = 58; + + // Additional HTTP/1 settings that are passed to the HTTP/1 codec. + // [#comment:TODO: The following fields are ignored when the + // :ref:`header validation configuration ` + // is present: + // 1. :ref:`allow_chunked_length `] + config.core.v3.Http1ProtocolOptions http_protocol_options = 8; + + // Additional HTTP/2 settings that are passed directly to the HTTP/2 codec. + config.core.v3.Http2ProtocolOptions http2_protocol_options = 9 + [(udpa.annotations.security).configure_for_untrusted_downstream = true]; + + // Additional HTTP/3 settings that are passed directly to the HTTP/3 codec. + config.core.v3.Http3ProtocolOptions http3_protocol_options = 44; + + // An optional override that the connection manager will write to the server + // header in responses. If not set, the default is ``envoy``. + string server_name = 10 + [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Defines the action to be applied to the Server header on the response path. + // By default, Envoy will overwrite the header with the value specified in + // server_name. + ServerHeaderTransformation server_header_transformation = 34 + [(validate.rules).enum = {defined_only: true}]; + + // Allows for explicit transformation of the :scheme header on the request path. + // If not set, Envoy's default :ref:`scheme ` + // handling applies. + config.core.v3.SchemeHeaderTransformation scheme_header_transformation = 48; + + // The maximum request headers size for incoming connections. + // If unconfigured, the default max request headers allowed is 60 KiB. + // The default value can be overridden by setting runtime key ``envoy.reloadable_features.max_request_headers_size_kb``. + // Requests that exceed this limit will receive a 431 response. + // + // .. note:: + // + // Currently some protocol codecs impose limits on the maximum size of a single header. + // + // * HTTP/2 (when using nghttp2) limits a single header to around 100kb. + // * HTTP/3 limits a single header to around 1024kb. + // + google.protobuf.UInt32Value max_request_headers_kb = 29 + [(validate.rules).uint32 = {lte: 8192 gt: 0}]; + + // The stream idle timeout for connections managed by the connection manager. + // If not specified, this defaults to 5 minutes. The default value was selected + // so as not to interfere with any smaller configured timeouts that may have + // existed in configurations prior to the introduction of this feature, while + // introducing robustness to TCP connections that terminate without a FIN. + // + // This idle timeout applies to new streams and is overridable by the + // :ref:`route-level idle_timeout + // `. Even on a stream in + // which the override applies, prior to receipt of the initial request + // headers, the :ref:`stream_idle_timeout + // ` + // applies. Each time an encode/decode event for headers or data is processed + // for the stream, the timer will be reset. If the timeout fires, the stream + // is terminated with a 408 Request Timeout error code if no upstream response + // header has been received, otherwise a stream reset occurs. + // + // If the :ref:`overload action ` "envoy.overload_actions.reduce_timeouts" + // is configured, this timeout is scaled according to the value for + // :ref:`HTTP_DOWNSTREAM_STREAM_IDLE `. + // + // Note that it is possible to idle timeout even if the wire traffic for a stream is non-idle, due + // to the granularity of events presented to the connection manager. For example, while receiving + // very large request headers, it may be the case that there is traffic regularly arriving on the + // wire while the connection manage is only able to observe the end-of-headers event, hence the + // stream may still idle timeout. + // + // A value of 0 will completely disable the connection manager stream idle + // timeout, although per-route idle timeout overrides will continue to apply. + // + // This timeout is also used as the default value for :ref:`stream_flush_timeout + // `. + google.protobuf.Duration stream_idle_timeout = 24 + [(udpa.annotations.security).configure_for_untrusted_downstream = true]; + + // The stream flush timeout for connections managed by the connection manager. + // + // If not specified, the value of stream_idle_timeout is used. This is for backwards compatibility + // since this was the original behavior. In essence this timeout is an override for the + // stream_idle_timeout that applies specifically to the end of stream flush case. + // + // This timeout specifies the amount of time that Envoy will wait for the peer to open enough + // window to write any remaining stream data once the entirety of stream data (local end stream is + // true) has been buffered pending available window. In other words, this timeout defends against + // a peer that does not release enough window to completely write the stream, even though all + // data has been proxied within available flow control windows. If the timeout is hit in this + // case, the :ref:`tx_flush_timeout ` counter will be + // incremented. Note that :ref:`max_stream_duration + // ` does not apply to + // this corner case. + google.protobuf.Duration stream_flush_timeout = 59; + + // The amount of time that Envoy will wait for the entire request to be received. + // The timer is activated when the request is initiated, and is disarmed when the last byte of the + // request is sent upstream (i.e. all decoding filters have processed the request), OR when the + // response is initiated. If not specified or set to 0, this timeout is disabled. + google.protobuf.Duration request_timeout = 28 + [(udpa.annotations.security).configure_for_untrusted_downstream = true]; + + // The amount of time that Envoy will wait for the request headers to be received. The timer is + // activated when the first byte of the headers is received, and is disarmed when the last byte of + // the headers has been received. If not specified or set to 0, this timeout is disabled. + google.protobuf.Duration request_headers_timeout = 41 [ + (validate.rules).duration = {gte {}}, + (udpa.annotations.security).configure_for_untrusted_downstream = true + ]; + + // The time that Envoy will wait between sending an HTTP/2 “shutdown + // notification” (GOAWAY frame with max stream ID) and a final GOAWAY frame. + // This is used so that Envoy provides a grace period for new streams that + // race with the final GOAWAY frame. During this grace period, Envoy will + // continue to accept new streams. After the grace period, a final GOAWAY + // frame is sent and Envoy will start refusing new streams. Draining occurs + // either when a connection hits the idle timeout, when :ref:`max_connection_duration + // ` + // is reached, or during general server draining. The default grace period is + // 5000 milliseconds (5 seconds) if this option is not specified. + google.protobuf.Duration drain_timeout = 12; + + // The delayed close timeout is for downstream connections managed by the HTTP connection manager. + // It is defined as a grace period after connection close processing has been locally initiated + // during which Envoy will wait for the peer to close (i.e., a TCP FIN/RST is received by Envoy + // from the downstream connection) prior to Envoy closing the socket associated with that + // connection. + // + // .. note:: + // + // This timeout is enforced even when the socket associated with the downstream connection is pending a flush of + // the write buffer. However, any progress made writing data to the socket will restart the timer associated with + // this timeout. This means that the total grace period for a socket in this state will be + // +. + // + // Delaying Envoy's connection close and giving the peer the opportunity to initiate the close + // sequence mitigates a race condition that exists when downstream clients do not drain/process + // data in a connection's receive buffer after a remote close has been detected via a socket + // ``write()``. This race leads to such clients failing to process the response code sent by Envoy, + // which could result in erroneous downstream processing. + // + // If the timeout triggers, Envoy will close the connection's socket. + // + // The default timeout is 1000 ms if this option is not specified. + // + // .. note:: + // To be useful in avoiding the race condition described above, this timeout must be set + // to *at least* +<100ms to account for + // a reasonable "worst" case processing time for a full iteration of Envoy's event loop>. + // + // .. warning:: + // A value of ``0`` will completely disable delayed close processing. When disabled, the downstream + // connection's socket will be closed immediately after the write flush is completed or will + // never close if the write flush does not complete. + // + google.protobuf.Duration delayed_close_timeout = 26; + + // Configuration for :ref:`HTTP access logs ` + // emitted by the connection manager. + repeated config.accesslog.v3.AccessLog access_log = 13; + + // The interval to flush the above access logs. + // + // .. attention:: + // + // This field is deprecated in favor of + // :ref:`access_log_flush_interval + // `. + // Note that if both this field and :ref:`access_log_flush_interval + // ` + // are specified, the former (deprecated field) is ignored. + google.protobuf.Duration access_log_flush_interval = 54 [ + deprecated = true, + (validate.rules).duration = {gte {nanos: 1000000}}, + (envoy.annotations.deprecated_at_minor_version) = "3.0" + ]; + + // If set to true, HCM will flush an access log once when a new HTTP request is received, after the request + // headers have been evaluated, and before iterating through the HTTP filter chain. + // + // .. attention:: + // + // This field is deprecated in favor of + // :ref:`flush_access_log_on_new_request + // `. + // Note that if both this field and :ref:`flush_access_log_on_new_request + // ` + // are specified, the former (deprecated field) is ignored. + bool flush_access_log_on_new_request = 55 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Additional access log options for HTTP connection manager. + HcmAccessLogOptions access_log_options = 56; + + // If set to true, the connection manager will use the real remote address + // of the client connection when determining internal versus external origin and manipulating + // various headers. If set to false or absent, the connection manager will use the + // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header. See the documentation for + // :ref:`config_http_conn_man_headers_x-forwarded-for`, + // :ref:`config_http_conn_man_headers_x-envoy-internal`, and + // :ref:`config_http_conn_man_headers_x-envoy-external-address` for more information. + google.protobuf.BoolValue use_remote_address = 14 + [(udpa.annotations.security).configure_for_untrusted_downstream = true]; + + // The number of additional ingress proxy hops from the right side of the + // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header to trust when + // determining the origin client's IP address. The default is zero if this option + // is not specified. See the documentation for + // :ref:`config_http_conn_man_headers_x-forwarded-for` for more information. + uint32 xff_num_trusted_hops = 19; + + // Configuration for original IP detection extensions. + // + // When these extensions are configured, Envoy will invoke them with the incoming request headers and + // details about the downstream connection, including the directly connected address. Each extension uses + // this information to determine the effective remote IP address for the request. If an extension cannot + // identify the original IP address and isn't set to reject the request, Envoy will sequentially attempt + // the remaining extensions until one successfully determines the IP or explicitly rejects the request. + // If all extensions fail without rejection, Envoy defaults to using the directly connected remote address. + // + // .. warning:: + // These extensions cannot be configured simultaneously with :ref:`use_remote_address + // ` + // or :ref:`xff_num_trusted_hops + // `. + // + // [#extension-category: envoy.http.original_ip_detection] + repeated config.core.v3.TypedExtensionConfig original_ip_detection_extensions = 46; + + // The configuration for the early header mutation extensions. + // + // When configured the extensions will be called before any routing, tracing, or any filter processing. + // Each extension will be applied in the order they are configured. + // If the same header is mutated by multiple extensions, then the last extension will win. + // + // [#extension-category: envoy.http.early_header_mutation] + repeated config.core.v3.TypedExtensionConfig early_header_mutation_extensions = 52; + + // Configures what network addresses are considered internal for stats and header sanitation + // purposes. If unspecified, only RFC1918 IP addresses will be considered internal. + // See the documentation for :ref:`config_http_conn_man_headers_x-envoy-internal` for more + // information about internal/external addresses. + // + // .. warning:: + // As of Envoy 1.33.0 no IP addresses will be considered trusted. If you have tooling such as probes + // on your private network which need to be treated as trusted (e.g. changing arbitrary x-envoy headers) + // you will have to manually include those addresses or CIDR ranges like: + // + // .. validated-code-block:: yaml + // :type-name: envoy.extensions.filters.network.http_connection_manager.v3.InternalAddressConfig + // + // cidr_ranges: + // address_prefix: 10.0.0.0 + // prefix_len: 8 + // cidr_ranges: + // address_prefix: 192.168.0.0 + // prefix_len: 16 + // cidr_ranges: + // address_prefix: 172.16.0.0 + // prefix_len: 12 + // cidr_ranges: + // address_prefix: 127.0.0.1 + // prefix_len: 32 + // cidr_ranges: + // address_prefix: fd00:: + // prefix_len: 8 + // cidr_ranges: + // address_prefix: ::1 + // prefix_len: 128 + // + InternalAddressConfig internal_address_config = 25; + + // If set, Envoy will not append the remote address to the + // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header. This may be used in + // conjunction with HTTP filters that explicitly manipulate XFF after the HTTP connection manager + // has mutated the request headers. While :ref:`use_remote_address + // ` + // will also suppress XFF addition, it has consequences for logging and other + // Envoy uses of the remote address, so ``skip_xff_append`` should be used + // when only an elision of XFF addition is intended. + bool skip_xff_append = 21; + + // Via header value to append to request and response headers. If this is + // empty, no via header will be appended. + string via = 22 [(validate.rules).string = {well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Whether the connection manager will generate the :ref:`x-request-id + // ` header if it does not exist. This defaults to + // true. Generating a random UUID4 is expensive so in high throughput scenarios where this feature + // is not desired it can be disabled. + google.protobuf.BoolValue generate_request_id = 15; + + // Whether the connection manager will keep the :ref:`x-request-id + // ` header if passed for a request that is edge + // (Edge request is the request from external clients to front Envoy) and not reset it, which + // is the current Envoy behaviour. This defaults to false. + bool preserve_external_request_id = 32; + + // If set, Envoy will always set :ref:`x-request-id ` header in response. + // If this is false or not set, the request ID is returned in responses only if tracing is forced using + // :ref:`x-envoy-force-trace ` header. + bool always_set_request_id_in_response = 37; + + // How to handle the :ref:`config_http_conn_man_headers_x-forwarded-client-cert` (XFCC) HTTP + // header. + ForwardClientCertDetails forward_client_cert_details = 16 + [(validate.rules).enum = {defined_only: true}]; + + // This field is valid only when :ref:`forward_client_cert_details + // ` + // is APPEND_FORWARD or SANITIZE_SET and the client connection is mTLS. It specifies the fields in + // the client certificate to be forwarded. Note that in the + // :ref:`config_http_conn_man_headers_x-forwarded-client-cert` header, ``Hash`` is always set, and + // ``By`` is always set when the client certificate presents the URI type Subject Alternative Name + // value. + SetCurrentClientCertDetails set_current_client_cert_details = 17; + + // If proxy_100_continue is true, Envoy will proxy incoming "Expect: + // 100-continue" headers upstream, and forward "100 Continue" responses + // downstream. If this is false or not set, Envoy will instead strip the + // "Expect: 100-continue" header, and send a "100 Continue" response itself. + bool proxy_100_continue = 18; + + // If + // :ref:`use_remote_address + // ` + // is true and represent_ipv4_remote_address_as_ipv4_mapped_ipv6 is true and the remote address is + // an IPv4 address, the address will be mapped to IPv6 before it is appended to ``x-forwarded-for``. + // This is useful for testing compatibility of upstream services that parse the header value. For + // example, 50.0.0.1 is represented as ::FFFF:50.0.0.1. See `IPv4-Mapped IPv6 Addresses + // `_ for details. This will also affect the + // :ref:`config_http_conn_man_headers_x-envoy-external-address` header. See + // :ref:`http_connection_manager.represent_ipv4_remote_address_as_ipv4_mapped_ipv6 + // ` for runtime + // control. + // [#not-implemented-hide:] + bool represent_ipv4_remote_address_as_ipv4_mapped_ipv6 = 20; + + repeated UpgradeConfig upgrade_configs = 23; + + // Should paths be normalized according to RFC 3986 before any processing of + // requests by HTTP filters or routing? This affects the upstream ``:path`` header + // as well. For paths that fail this check, Envoy will respond with 400 to + // paths that are malformed. This defaults to false currently but will default + // true in the future. When not specified, this value may be overridden by the + // runtime variable + // :ref:`http_connection_manager.normalize_path`. + // See `Normalization and Comparison `_ + // for details of normalization. + // Note that Envoy does not perform + // `case normalization `_ + // [#comment:TODO: This field is ignored when the + // :ref:`header validation configuration ` + // is present.] + google.protobuf.BoolValue normalize_path = 30; + + // Determines if adjacent slashes in the path are merged into one before any processing of + // requests by HTTP filters or routing. This affects the upstream ``:path`` header as well. Without + // setting this option, incoming requests with path ``//dir///file`` will not match against route + // with ``prefix`` match set to ``/dir``. Defaults to ``false``. Note that slash merging is not part of + // `HTTP spec `_ and is provided for convenience. + // [#comment:TODO: This field is ignored when the + // :ref:`header validation configuration ` + // is present.] + bool merge_slashes = 33; + + // Action to take when request URL path contains escaped slash sequences (%2F, %2f, %5C and %5c). + // The default value can be overridden by the :ref:`http_connection_manager.path_with_escaped_slashes_action` + // runtime variable. + // The :ref:`http_connection_manager.path_with_escaped_slashes_action_sampling` runtime + // variable can be used to apply the action to a portion of all requests. + // [#comment:TODO: This field is ignored when the + // :ref:`header validation configuration ` + // is present.] + PathWithEscapedSlashesAction path_with_escaped_slashes_action = 45; + + // The configuration of the request ID extension. This includes operations such as + // generation, validation, and associated tracing operations. If empty, the + // :ref:`UuidRequestIdConfig ` + // default extension is used with default parameters. See the documentation for that extension + // for details on what it does. Customizing the configuration for the default extension can be + // achieved by configuring it explicitly here. For example, to disable trace reason packing, + // the following configuration can be used: + // + // .. validated-code-block:: yaml + // :type-name: envoy.extensions.filters.network.http_connection_manager.v3.RequestIDExtension + // + // typed_config: + // "@type": type.googleapis.com/envoy.extensions.request_id.uuid.v3.UuidRequestIdConfig + // pack_trace_reason: false + // + // [#extension-category: envoy.request_id] + RequestIDExtension request_id_extension = 36; + + // The configuration to customize local reply returned by Envoy. It can customize status code, + // body text and response content type. If not specified, status code and text body are hard + // coded in Envoy, the response content type is plain text. + LocalReplyConfig local_reply_config = 38; + + // Determines if the port part should be removed from host/authority header before any processing + // of request by HTTP filters or routing. The port would be removed only if it is equal to the :ref:`listener's` + // local port. This affects the upstream host header unless the method is + // CONNECT in which case if no filter adds a port the original port will be restored before headers are + // sent upstream. + // Without setting this option, incoming requests with host ``example:443`` will not match against + // route with :ref:`domains` match set to ``example``. Defaults to ``false``. Note that port removal is not part + // of `HTTP spec `_ and is provided for convenience. + // Only one of ``strip_matching_host_port`` or ``strip_any_host_port`` can be set. + bool strip_matching_host_port = 39 + [(udpa.annotations.field_migrate).oneof_promotion = "strip_port_mode"]; + + oneof strip_port_mode { + // Determines if the port part should be removed from host/authority header before any processing + // of request by HTTP filters or routing. + // This affects the upstream host header unless the method is CONNECT in + // which case if no filter adds a port the original port will be restored before headers are sent upstream. + // Without setting this option, incoming requests with host ``example:443`` will not match against + // route with :ref:`domains` match set to ``example``. Defaults to ``false``. Note that port removal is not part + // of `HTTP spec `_ and is provided for convenience. + // Only one of ``strip_matching_host_port`` or ``strip_any_host_port`` can be set. + bool strip_any_host_port = 42; + } + + // Governs Envoy's behavior when receiving invalid HTTP from downstream. + // If this option is false (default), Envoy will err on the conservative side handling HTTP + // errors, terminating both HTTP/1.1 and HTTP/2 connections when receiving an invalid request. + // If this option is set to true, Envoy will be more permissive, only resetting the invalid + // stream in the case of HTTP/2 and leaving the connection open where possible (if the entire + // request is read for HTTP/1.1) + // In general this should be true for deployments receiving trusted traffic (L2 Envoys, + // company-internal mesh) and false when receiving untrusted traffic (edge deployments). + // + // If different behaviors for invalid_http_message for HTTP/1 and HTTP/2 are + // desired, one should use the new HTTP/1 option :ref:`override_stream_error_on_invalid_http_message + // ` or the new HTTP/2 option + // :ref:`override_stream_error_on_invalid_http_message + // ` + // ``not`` the deprecated but similarly named :ref:`stream_error_on_invalid_http_messaging + // ` + google.protobuf.BoolValue stream_error_on_invalid_http_message = 40; + + // [#not-implemented-hide:] Path normalization configuration. This includes + // configurations for transformations (e.g. RFC 3986 normalization or merge + // adjacent slashes) and the policy to apply them. The policy determines + // whether transformations affect the forwarded ``:path`` header. RFC 3986 path + // normalization is enabled by default and the default policy is that the + // normalized header will be forwarded. See :ref:`PathNormalizationOptions + // ` + // for details. + PathNormalizationOptions path_normalization_options = 43; + + // Determines if trailing dot of the host should be removed from host/authority header before any + // processing of request by HTTP filters or routing. + // This affects the upstream host header. + // Without setting this option, incoming requests with host ``example.com.`` will not match against + // route with :ref:`domains` match set to ``example.com``. Defaults to ``false``. + // When the incoming request contains a host/authority header that includes a port number, + // setting this option will strip a trailing dot, if present, from the host section, + // leaving the port as is (e.g. host value ``example.com.:443`` will be updated to ``example.com:443``). + bool strip_trailing_host_dot = 47; + + // Proxy-Status HTTP response header configuration. + // If this config is set, the Proxy-Status HTTP response header field is + // populated. By default, it is not. + ProxyStatusConfig proxy_status_config = 49; + + // Configuration options for Header Validation (UHV). + // UHV is an extensible mechanism for checking validity of HTTP requests as well as providing + // normalization for request attributes, such as URI path. + // If the typed_header_validation_config is present it overrides the following options: + // ``normalize_path``, ``merge_slashes``, ``path_with_escaped_slashes_action`` + // ``http_protocol_options.allow_chunked_length``, ``common_http_protocol_options.headers_with_underscores_action``. + // + // The default UHV checks the following: + // + // #. HTTP/1 header map validity according to `RFC 7230 section 3.2`_ + // #. Syntax of HTTP/1 request target URI and response status + // #. HTTP/2 header map validity according to `RFC 7540 section 8.1.2`_ + // #. Syntax of HTTP/3 pseudo headers + // #. Syntax of ``Content-Length`` and ``Transfer-Encoding`` + // #. Validation of HTTP/1 requests with both ``Content-Length`` and ``Transfer-Encoding`` headers + // #. Normalization of the URI path according to `Normalization and Comparison `_ + // without `case normalization `_ + // + // [#not-implemented-hide:] + // [#extension-category: envoy.http.header_validators] + config.core.v3.TypedExtensionConfig typed_header_validation_config = 50; + + // Append the ``x-forwarded-port`` header with the port value client used to connect to Envoy. It + // will be ignored if the ``x-forwarded-port`` header has been set by any trusted proxy in front of Envoy. + bool append_x_forwarded_port = 51; + + // Append the :ref:`config_http_conn_man_headers_x-envoy-local-overloaded` HTTP header in the scenario where + // the Overload Manager has been triggered. + bool append_local_overload = 57; + + // Whether the HCM will add ProxyProtocolFilterState to the Connection lifetime filter state. Defaults to ``true``. + // This should be set to ``false`` in cases where Envoy's view of the downstream address may not correspond to the + // actual client address, for example, if there's another proxy in front of the Envoy. + google.protobuf.BoolValue add_proxy_protocol_connection_state = 53; +} + +// The configuration to customize local reply returned by Envoy. +message LocalReplyConfig { + // Configuration of list of mappers which allows to filter and change local response. + // The mappers will be checked by the specified order until one is matched. + repeated ResponseMapper mappers = 1; + + // The configuration to form response body from the :ref:`command operators ` + // and to specify response content type as one of: plain/text or application/json. + // + // Example one: "plain/text" ``body_format``. + // + // .. validated-code-block:: yaml + // :type-name: envoy.config.core.v3.SubstitutionFormatString + // + // text_format: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%\n" + // + // The following response body in "plain/text" format will be generated for a request with + // local reply body of "upstream connection error", response_code=503 and path=/foo. + // + // .. code-block:: text + // + // upstream connect error:503:path=/foo + // + // Example two: "application/json" ``body_format``. + // + // .. validated-code-block:: yaml + // :type-name: envoy.config.core.v3.SubstitutionFormatString + // + // json_format: + // status: "%RESPONSE_CODE%" + // message: "%LOCAL_REPLY_BODY%" + // path: "%REQ(:path)%" + // + // The following response body in "application/json" format would be generated for a request with + // local reply body of "upstream connection error", response_code=503 and path=/foo. + // + // .. code-block:: json + // + // { + // "status": 503, + // "message": "upstream connection error", + // "path": "/foo" + // } + // + config.core.v3.SubstitutionFormatString body_format = 2; +} + +// The configuration to filter and change local response. +// [#next-free-field: 6] +message ResponseMapper { + // Filter to determine if this mapper should apply. + config.accesslog.v3.AccessLogFilter filter = 1 [(validate.rules).message = {required: true}]; + + // The new response status code if specified. + google.protobuf.UInt32Value status_code = 2 [(validate.rules).uint32 = {lt: 600 gte: 200}]; + + // The new local reply body text if specified. It will be used in the ``%LOCAL_REPLY_BODY%`` + // command operator in the ``body_format``. + config.core.v3.DataSource body = 3; + + // A per mapper ``body_format`` to override the :ref:`body_format `. + // It will be used when this mapper is matched. + config.core.v3.SubstitutionFormatString body_format_override = 4; + + // HTTP headers to add to a local reply. This allows the response mapper to append, to add + // or to override headers of any local reply before it is sent to a downstream client. + repeated config.core.v3.HeaderValueOption headers_to_add = 5 + [(validate.rules).repeated = {max_items: 1000}]; +} + +message Rds { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.Rds"; + + // Configuration source specifier for RDS. + config.core.v3.ConfigSource config_source = 1; + + // The name of the route configuration. This name will be passed to the RDS + // API. This allows an Envoy configuration with multiple HTTP listeners (and + // associated HTTP connection manager filters) to use different route + // configurations. + string route_config_name = 2; +} + +// This message is used to work around the limitations with 'oneof' and repeated fields. +message ScopedRouteConfigurationsList { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.ScopedRouteConfigurationsList"; + + repeated config.route.v3.ScopedRouteConfiguration scoped_route_configurations = 1 + [(validate.rules).repeated = {min_items: 1}]; +} + +// [#next-free-field: 6] +message ScopedRoutes { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.ScopedRoutes"; + + // Specifies the mechanism for constructing "scope keys" based on HTTP request attributes. These + // keys are matched against a set of :ref:`Key` + // objects assembled from :ref:`ScopedRouteConfiguration` + // messages distributed via SRDS (the Scoped Route Discovery Service) or assigned statically via + // :ref:`scoped_route_configurations_list`. + // + // Upon receiving a request's headers, the Router will build a key using the algorithm specified + // by this message. This key will be used to look up the routing table (i.e., the + // :ref:`RouteConfiguration`) to use for the request. + message ScopeKeyBuilder { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.ScopedRoutes.ScopeKeyBuilder"; + + // Specifies the mechanism for constructing key fragments which are composed into scope keys. + message FragmentBuilder { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.ScopedRoutes.ScopeKeyBuilder." + "FragmentBuilder"; + + // Specifies how the value of a header should be extracted. + // The following example maps the structure of a header to the fields in this message. + // + // .. code:: + // + // <0> <1> <-- index + // X-Header: a=b;c=d + // | || | + // | || \----> + // | || + // | |\----> + // | | + // | \----> + // | + // \----> + // + // Each 'a=b' key-value pair constitutes an 'element' of the header field. + message HeaderValueExtractor { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.ScopedRoutes.ScopeKeyBuilder." + "FragmentBuilder.HeaderValueExtractor"; + + // Specifies a header field's key value pair to match on. + message KvElement { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.ScopedRoutes.ScopeKeyBuilder." + "FragmentBuilder.HeaderValueExtractor.KvElement"; + + // The separator between key and value (e.g., '=' separates 'k=v;...'). + // If an element is an empty string, the element is ignored. + // If an element contains no separator, the whole element is parsed as key and the + // fragment value is an empty string. + // If there are multiple values for a matched key, the first value is returned. + string separator = 1 [(validate.rules).string = {min_len: 1}]; + + // The key to match on. + string key = 2 [(validate.rules).string = {min_len: 1}]; + } + + // The name of the header field to extract the value from. + // + // .. note:: + // + // If the header appears multiple times only the first value is used. + string name = 1 [ + (validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false} + ]; + + // The element separator (e.g., ';' separates 'a;b;c;d'). + // Default: empty string. This causes the entirety of the header field to be extracted. + // If this field is set to an empty string and 'index' is used in the oneof below, 'index' + // must be set to 0. + string element_separator = 2; + + oneof extract_type { + // Specifies the zero based index of the element to extract. + // Note Envoy concatenates multiple values of the same header key into a comma separated + // string, the splitting always happens after the concatenation. + uint32 index = 3; + + // Specifies the key value pair to extract the value from. + KvElement element = 4; + } + } + + oneof type { + option (validate.required) = true; + + // Specifies how a header field's value should be extracted. + HeaderValueExtractor header_value_extractor = 1; + } + } + + // The final(built) scope key consists of the ordered union of these fragments, which are compared in order with the + // fragments of a :ref:`ScopedRouteConfiguration`. + // A missing fragment during comparison will make the key invalid, i.e., the computed key doesn't match any key. + repeated FragmentBuilder fragments = 1 [(validate.rules).repeated = {min_items: 1}]; + } + + // The name assigned to the scoped routing configuration. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // The algorithm to use for constructing a scope key for each request. + ScopeKeyBuilder scope_key_builder = 2 [(validate.rules).message = {required: true}]; + + // Configuration source specifier for RDS. + // This config source is used to subscribe to RouteConfiguration resources specified in + // ScopedRouteConfiguration messages. + config.core.v3.ConfigSource rds_config_source = 3; + + oneof config_specifier { + option (validate.required) = true; + + // The set of routing scopes corresponding to the HCM. A scope is assigned to a request by + // matching a key constructed from the request's attributes according to the algorithm specified + // by the + // :ref:`ScopeKeyBuilder` + // in this message. + ScopedRouteConfigurationsList scoped_route_configurations_list = 4; + + // The set of routing scopes associated with the HCM will be dynamically loaded via the SRDS + // API. A scope is assigned to a request by matching a key constructed from the request's + // attributes according to the algorithm specified by the + // :ref:`ScopeKeyBuilder` + // in this message. + ScopedRds scoped_rds = 5; + } +} + +message ScopedRds { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.ScopedRds"; + + // Configuration source specifier for scoped RDS. + config.core.v3.ConfigSource scoped_rds_config_source = 1 + [(validate.rules).message = {required: true}]; + + // xdstp:// resource locator for scoped RDS collection. + // [#not-implemented-hide:] + string srds_resources_locator = 2; +} + +// [#next-free-field: 8] +message HttpFilter { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.HttpFilter"; + + reserved 3, 2; + + reserved "config"; + + // The name of the filter configuration. It also serves as a resource name in ExtensionConfigDS. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + oneof config_type { + // Filter specific configuration which depends on the filter being instantiated. See the supported + // filters for further documentation. + // + // To support configuring a :ref:`match tree `, use an + // :ref:`ExtensionWithMatcher ` + // with the desired HTTP filter. + // [#extension-category: envoy.filters.http] + google.protobuf.Any typed_config = 4; + + // Configuration source specifier for an extension configuration discovery service. + // In case of a failure and without the default configuration, the HTTP listener responds with code 500. + // Extension configs delivered through this mechanism are not expected to require warming (see https://github.com/envoyproxy/envoy/issues/12061). + // + // To support configuring a :ref:`match tree `, use an + // :ref:`ExtensionWithMatcher ` + // with the desired HTTP filter. This works for both the default filter configuration as well + // as for filters provided via the API. + config.core.v3.ExtensionConfigSource config_discovery = 5; + } + + // If true, clients that do not support this filter may ignore the + // filter but otherwise accept the config. + // Otherwise, clients that do not support this filter must reject the config. + bool is_optional = 6; + + // If true, the filter is disabled by default and must be explicitly enabled by setting + // per filter configuration in the route configuration. + // See :ref:`route based filter chain ` + // for more details. + // + // Terminal filters (e.g. ``envoy.filters.http.router``) cannot be marked as disabled. + bool disabled = 7; +} + +message RequestIDExtension { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.http_connection_manager.v2.RequestIDExtension"; + + // Request ID extension specific configuration. + google.protobuf.Any typed_config = 1; +} + +// [#protodoc-title: Envoy Mobile HTTP connection manager] +// HTTP connection manager for use in Envoy mobile. +// [#extension: envoy.filters.network.envoy_mobile_http_connection_manager] +message EnvoyMobileHttpConnectionManager { + // The configuration for the underlying HttpConnectionManager which will be + // instantiated for Envoy mobile. + HttpConnectionManager config = 1; +} diff --git a/modules/sync/envoyproxy/envoy/cas/7a766c160b8106c34fe067b54d44f89736dc070bc115d8fe475172b262c98d33b717fe58c1561bfbe44f3fdd5856120c2583c7fc1b38d0099acc3dd6d5ef76c8 b/modules/sync/envoyproxy/envoy/cas/7a766c160b8106c34fe067b54d44f89736dc070bc115d8fe475172b262c98d33b717fe58c1561bfbe44f3fdd5856120c2583c7fc1b38d0099acc3dd6d5ef76c8 new file mode 100644 index 00000000..9db3757b --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/7a766c160b8106c34fe067b54d44f89736dc070bc115d8fe475172b262c98d33b717fe58c1561bfbe44f3fdd5856120c2583c7fc1b38d0099acc3dd6d5ef76c8 @@ -0,0 +1,20 @@ +syntax = "proto3"; + +package envoy.extensions.http.cache_v2.simple_http_cache.v3; + +import "xds/annotations/v3/status.proto"; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.http.cache_v2.simple_http_cache.v3"; +option java_outer_classname = "ConfigProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/http/cache_v2/simple_http_cache/v3;simple_http_cachev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; +option (xds.annotations.v3.file_status).work_in_progress = true; + +// [#protodoc-title: SimpleHttpCache CacheFilter storage plugin] + +// [#extension: envoy.extensions.http.cache_v2.simple] +message SimpleHttpCacheV2Config { +} diff --git a/modules/sync/envoyproxy/envoy/cas/7cf78e9c1627775630db0c853ca3602c21b43a5d2abae605e1e15ae338498104787d3a8ccebeb93e93ed60f546c1ba3734c4201e9093e245b02b6fb65e6efe86 b/modules/sync/envoyproxy/envoy/cas/7cf78e9c1627775630db0c853ca3602c21b43a5d2abae605e1e15ae338498104787d3a8ccebeb93e93ed60f546c1ba3734c4201e9093e245b02b6fb65e6efe86 new file mode 100644 index 00000000..0c12c3f6 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/7cf78e9c1627775630db0c853ca3602c21b43a5d2abae605e1e15ae338498104787d3a8ccebeb93e93ed60f546c1ba3734c4201e9093e245b02b6fb65e6efe86 @@ -0,0 +1,40 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.tap.v3; + +import "envoy/extensions/common/tap/v3/common.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.tap.v3"; +option java_outer_classname = "TapProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/tap/v3;tapv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Tap] +// Tap :ref:`configuration overview `. +// [#extension: envoy.filters.http.tap] + +// Top level configuration for the tap filter. +message Tap { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.tap.v2alpha.Tap"; + + // Common configuration for the HTTP tap filter. + common.tap.v3.CommonExtensionConfig common_config = 1 + [(validate.rules).message = {required: true}]; + + // Indicates whether HTTP tap filter records the time stamp for request/response headers. + // Request headers time stamp is stored after receiving request headers. + // Response headers time stamp is stored after receiving response headers. + bool record_headers_received_time = 2; + + // Indicates whether report downstream connection info + bool record_downstream_connection = 3; + + // If enabled, upstream connection information will be reported. + bool record_upstream_connection = 4; +} diff --git a/modules/sync/envoyproxy/envoy/cas/7f087cb09cf323d4b7a6618148870959c3affaded64b3510afbf484eee19791cf12caf80aa4d5721809b6bfef662053913aeff0e8aa92b3f57774d6ed3f86253 b/modules/sync/envoyproxy/envoy/cas/7f087cb09cf323d4b7a6618148870959c3affaded64b3510afbf484eee19791cf12caf80aa4d5721809b6bfef662053913aeff0e8aa92b3f57774d6ed3f86253 new file mode 100644 index 00000000..c2fc09b6 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/7f087cb09cf323d4b7a6618148870959c3affaded64b3510afbf484eee19791cf12caf80aa4d5721809b6bfef662053913aeff0e8aa92b3f57774d6ed3f86253 @@ -0,0 +1,625 @@ +shake256:a9c4ad5b20a2946a25d5efb7f096b32ffaa567e3e9a7d89984870104aab45f08d7f6f10c7c72affdc4aabab0471066958ae97c3bb5925b7cb268f8afde27ebbf LICENSE +shake256:7a9a5a3a62ffe3acb50d67d1b0806566f798ac145649c493bf156a2e5d927e264464f5d3add734c687acde39586cc032795e8ea07f51f5bb2493fd0423db10c3 bazel/cc_proto_descriptor_library/testdata/test-extension.proto +shake256:9e8bd1676e9fcea1d02e7cd0ce63f87e6c76b4b31467ec3df1f4a580da427488a764f9e48617a5be98d85057c648f46ec1925b05cae4346b207210327283dd11 bazel/cc_proto_descriptor_library/testdata/test.proto +shake256:76295fd73d7f33a987c1243e8821818b80bd8b04634fc9ccd10879ab3c1ade926e3ef847f11d8e07ccf8fcf011561d151a5d4926505d6494a23119614e049aa6 bazel/cc_proto_descriptor_library/testdata/test1.proto +shake256:036e58836a23359ebf2324efe94106d38521bef2ad6dab6b46b0379dc66192e8f29097c96a9f1c3b299274ec10b47204d63d9e23a010eb5e1c5d4ed52f15c3f7 buf.md +shake256:f9abf7473dc3f95cc9ce2dabfabeedbf0f5fd808e1eb09ab07776ca3991ec073784ef8cb2f6df49a8293f1033141e29d687de39f506046b663b258728864f6b4 buf.yaml +shake256:7144b74045a5813f5f81b71eb11ca0ddac4105e3d20b51a146b634f7dc8c529de6fc84d2c4d3fb635eec48616f787eca10287f14ea10ec3d218e9562508be0ba contrib/envoy/extensions/compression/qatzip/compressor/v3alpha/qatzip.proto +shake256:ae38a03abf75ec63838de20438d1fdaf6ca49f6fcc9d701c4f918411027fcabfe08355fb24d7767074d9c440842bc86fd8788ad25e8c47e98782d6b5379f8b42 contrib/envoy/extensions/compression/qatzstd/compressor/v3alpha/qatzstd.proto +shake256:b7a48d5f96609de62c69948d9050b6fe41d81f476f7779a8d46c8d1d8595dbcead84d193fce745eb375f2fb5ba034633c76a4d1c4987627205f9b8b49bcd6104 contrib/envoy/extensions/config/v3alpha/kv_store_xds_delegate_config.proto +shake256:fa51c63f2698c8856558be8080bc5340c7d1d9fecfcec48a16e154c6fd7886703897da973a1d4e321bc8748043ec6a7fce2069fe45530f104b73f07b3325296c contrib/envoy/extensions/filters/http/checksum/v3alpha/checksum.proto +shake256:ce179ee97700792b3af9c1cb5081b3e62de6f98743f93e6166f73db8e4eb06c9bfd95fc8eec110af02ce1650d12d3dcf8eb74fd0fa21d5653dcaa2c0b84f7fab contrib/envoy/extensions/filters/http/dynamo/v3/dynamo.proto +shake256:47d573dcc69241ec96ca579a48df33d669b3fd9d3de31066e51bfc0da5ff2c150c38269232e6e63fcf37c8716d72fec1e97c143a061791b15de2a9e4ddaea122 contrib/envoy/extensions/filters/http/golang/v3alpha/golang.proto +shake256:c91ad7320770b1bbacf2ac9cfcb3b9ad4814290098d6b54131979be9acb38393595d69a2c89854e6248984cd3c12df7a9e69eeee4ef8cc1fcb814a91e770fa46 contrib/envoy/extensions/filters/http/language/v3alpha/language.proto +shake256:75bebf5cdb07a03584c0367cb291bf599154285a0c28bc56d4190b90fd0ff0734d57a3ef0a8bf88005abd9202cceb47df0c13a0dcbc9af3665513e4e4c96aada contrib/envoy/extensions/filters/http/sxg/v3alpha/sxg.proto +shake256:8cf720d1ee2c70bc75784a9e3d1af11106d1a52418ec13671346d4fde5bd552882b95adae8f35e774d5d34d70f5d6150a36d635e0df072de98eec0208bbf0ee8 contrib/envoy/extensions/filters/network/client_ssl_auth/v3/client_ssl_auth.proto +shake256:cb2005d9e1d460d9fb5b6e1d18c3fb0e6b08db1d9e3f20a2287ac91aabe486826b9d8fa0b674b0a075eeb660da61158d86ce0dce9952ea20c1d73e27b47452e6 contrib/envoy/extensions/filters/network/generic_proxy/codecs/kafka/v3/kafka.proto +shake256:b6678557d0f621ab70455895ce208de8c41b4f51ea1c4cd2a661bc4d72a241a39b39a0bdad5521130f1645c78b37cf68ef3f9b2339a66111b27fc3d89adade00 contrib/envoy/extensions/filters/network/golang/v3alpha/golang.proto +shake256:e1d0772c1e79f87f10446e70e445510cee7549c348789cbaa4b6e17ab6931aea85a6051f3d3c056472e6900e9b711063a01a70abcced4d271558e455f397df98 contrib/envoy/extensions/filters/network/kafka_broker/v3/kafka_broker.proto +shake256:3b5eaa38005e7284020fa83bf98b27dc6022bd88b014a2e03ceb284b5145bd3bbb455204f4b844c2d889a290e0e85c4f58b5c91f728fdff07826ecb4e90d1437 contrib/envoy/extensions/filters/network/kafka_mesh/v3alpha/kafka_mesh.proto +shake256:b358663115fc5d273c2fdeae4177ec77e455e830cc5ed529863f229faa531b643ffac3547d974b0675c3da6ab78f71615926c4ec4b2f065bda15fb84fe456ff7 contrib/envoy/extensions/filters/network/mysql_proxy/v3/mysql_proxy.proto +shake256:add12f026b68305a95ca38d27b99c60f2fbd064e6207da36607131627006bda245156eeeabfffd798f85829b81f9f97a749e8936af83702ca652415cb02c5d27 contrib/envoy/extensions/filters/network/postgres_proxy/v3alpha/postgres_proxy.proto +shake256:3f3e2331e55ceb14cd6f56a5add4364b134e731f7f925306998d8d8838f717ebb3f6efdf7c8905be7a7251e6c4038b90e1396bfd84db2d1dce2b22630321aae0 contrib/envoy/extensions/filters/network/rocketmq_proxy/v3/rocketmq_proxy.proto +shake256:f788b766d979ecdf38a9a23d447ec167d9c461bd4776e261a15a5062ebba61c31135066937d088999278481ed593bc7d662ac7ce64885b29e0e670211b938fad contrib/envoy/extensions/filters/network/rocketmq_proxy/v3/route.proto +shake256:726bb7baad0914a388e5094f559c289ffe68b86216453e24a0d477535f4b5248925c1706983b3867fac7fd9ae0eee2a8c2913c5252726812e4bd6fbc4b931c14 contrib/envoy/extensions/filters/network/sip_proxy/router/v3alpha/router.proto +shake256:814c9c9f84d6c9518d7b396be3c45c734f94be7f972e591e3b9ba081a63b9abee6569e32e183e5d03453f462551b69af7dc20461dc31e3e2bcc411be5d8fd8a8 contrib/envoy/extensions/filters/network/sip_proxy/tra/v3alpha/tra.proto +shake256:672f7c0aa8932a96a3a45f20e4f58bfa7aa418771393a8b844facae585b8b4d5d184c304fae94762a8acf54d6e724e20064e535b0ac0e8889e2a0c6d4cfe1660 contrib/envoy/extensions/filters/network/sip_proxy/v3alpha/route.proto +shake256:8ffcc12678ded759d7f71dbc576f4a865c9dfdf5cbde41d77e43694ff4158bd76cbdc04258284f289ca61d2a47941ed53ac8ae0bb71956c1d8098813bfb974a4 contrib/envoy/extensions/filters/network/sip_proxy/v3alpha/sip_proxy.proto +shake256:bdd1669fcd617d3bda7dc5641875d063e878e343a1535c177f17290637ae649d69960feed3b81bbb378ec04797be4bff4bb13265fd69681cac4b58c86bc88b61 contrib/envoy/extensions/matching/input_matchers/hyperscan/v3alpha/hyperscan.proto +shake256:e1cf9ee5689bd0c31288f67dc28ff17351fdd16d3fa7f111483c34536b861e76d2c407d00bc0d2661aa1f53a32cbf72afba072443a4b49da7b5318576e0bb4f0 contrib/envoy/extensions/network/connection_balance/dlb/v3alpha/dlb.proto +shake256:75de73d5c5355f082e4d607078c0891ac2e1899e281718301e1a6d5a89bd2816304e1473d702c4634bb440d388b990d60cc48d21e8ce698e7de59c096463a201 contrib/envoy/extensions/private_key_providers/cryptomb/v3alpha/cryptomb.proto +shake256:444c37b67f885a3f631bb0dcb8140a07cc0f56503a8b4296bdc89638d06591aad6732f2c3bdae8c4891e44bb4c7cabb592821d95fc6c1477eea81e3b237e7ecd contrib/envoy/extensions/private_key_providers/qat/v3alpha/qat.proto +shake256:33e1082c3889f2641394dc2e7074c5ba5ce3126bdc9ba1060ed407ce7e1ae7d41fa5b3a75575286e681ec3851e0c368bde67cea84c0d6bb065b69722cba624b8 contrib/envoy/extensions/regex_engines/hyperscan/v3alpha/hyperscan.proto +shake256:9825c2f88055cd25c52078a6c508fe77bad594cabb2da12253b4c71057ba330f441300dc8db264a18ab8abd2d324e2fce1089918903ecefacc1bf49c4219c74a contrib/envoy/extensions/router/cluster_specifier/golang/v3alpha/golang.proto +shake256:cc70776633491456a381ae3d23406d5099ca7f1f76e2d50dd2febfd8eff9146d38b60fdb44ef8e42a1a2e054264cfdef847875db46cc09afec3c9ed886bfe31b contrib/envoy/extensions/tap_sinks/udp_sink/v3alpha/udp_sink.proto +shake256:fa5971bfc9d3068cbec7922a2442669502e1085efddbdaf11e2e94924f3693687928380f73d0e49ce95bf13596f3affe99e8794631e7975e51755b31fca26b42 contrib/envoy/extensions/upstreams/http/tcp/golang/v3alpha/golang.proto +shake256:80887a746d8294ce4f4dcd0467ee6fe7b157da9555360459146587cf1f3166560d586c1650e274ce9449d5fceeeee3df9a6a096e100b04cd45394841dba6cc26 contrib/envoy/extensions/vcl/v3alpha/vcl_socket_interface.proto +shake256:4d73b76b955d3478a5f466d844271d6c7b4b453b62f013c24eb7881b03f547d063158a3cf522c37d480ab561ce43060115c75ebe5ff70b193c2d4dd1d3bff60f envoy/admin/v2alpha/certs.proto +shake256:392009644dca0f075cd5dc284bacc4d5a6dc0e9254998b32cb58f6773316f608696de51c8c825c8a5f1f4c42b2cececab719f23d8e33fcf20702d652e4db68fc envoy/admin/v2alpha/clusters.proto +shake256:e4db3591f411e0073c4d281b2573e88576c5f9de4b544efb50bb342b54e7e1acc4fa6585401f2629fbf6def9d6d1d92d499994ff1e2f5dd217ecb0a227c292fc envoy/admin/v2alpha/config_dump.proto +shake256:4f2bce6af0bbc8be1cdece55535545e089ead78542386e3c8296cb92280f7609f52854a8271121b19d5b42e39c51c84d2a77f63e27e9bc5f16733e2328cb53d2 envoy/admin/v2alpha/listeners.proto +shake256:babcaf94ee63ef61c6e8a78b5cec1478bef04363192b5279554ca60f4de7850f43864bfd2131e25b133d6f4e39d1223307126baf092edae54524cf64eec4c139 envoy/admin/v2alpha/memory.proto +shake256:a34da07ab2e4a8bd9209a1399e188eac2be481978cc552ced7c6c5bd2de0ca3ca3dd8f324af7b69888381f0522fa4ea23caf5b997dc6afef44e88687472a88a4 envoy/admin/v2alpha/metrics.proto +shake256:572464b7bb7321d388f6e6bbecd73ec0fdee640812cd58a975615ccb561fb63e384945ee6bcfec2c5428bd98e08562f9cfd48f3fafcc362c8c1ffef50e54dfd7 envoy/admin/v2alpha/mutex_stats.proto +shake256:47d3268ce2101d2c203883255d72b5bc2fda272a1fb0e99dbd44ce214d8ea2f771ccb29809e617dd8fcabe3fe0e5f78c1d8780462ffb8f022f7bce3a37a6be7d envoy/admin/v2alpha/server_info.proto +shake256:7b13e01379b3accf542fc1b635e9773f704929127eca82c3d631bd91d71cb4dc6970a66e9777f93f694ef52f46121c78c40f701e25659f56eed0ea13b8a98ef8 envoy/admin/v2alpha/tap.proto +shake256:b0fc6c0c38c61ab85eddc6842483bafaf3442db13de31ab87de2d8287e8737f3cb2c7c7a24d07bc44d5cbfb9094b7140ef69c83a0285ba6dbed3f5c301e6b082 envoy/admin/v3/certs.proto +shake256:3ecd52c0173847a8f34a9276ea4411f01160e06109098d7b9d3d37f3271cc789b60ad62fbb175188bee7048039a5968dc6aa6488ce20d7c31d0da58bfab013f1 envoy/admin/v3/clusters.proto +shake256:b74573ab490303f5a6d136e1c0c1b8ac1f9a617bebc73db2d44750f0ca4fd4389c58d1fded5624b38a021fb65c48192326a71209468c1cba243ec4b52d2a176d envoy/admin/v3/config_dump.proto +shake256:e5c3e7849f8aab45cf872016d0b6f6288e7d1694fe103e3b0f64e74a7444dec99b7f296e59cbfe28373c351b0404b7c865e1281b175c19434c5b84f3d4225d03 envoy/admin/v3/config_dump_shared.proto +shake256:e72b3a5de25f5c898cbfe5fc83fef8dd66c03bcb396c52fd2edab6870a3b6cf3b696f66591fd3cbd6f7d28cd23e71d49786756a8ddcb6ae42144fb36077132af envoy/admin/v3/init_dump.proto +shake256:6570272d2d533e5eb9d66f2f9cda21c84aae72a753b497192014ceb2cc77f7a3698e9b52488303c04b0ed6e6c653c49912a55781d873b4113f8a66eadd87655c envoy/admin/v3/listeners.proto +shake256:4cea80b96515e73ed166ffb074490e388706151c316a6281d580cad1b94c25c2f2fad927bd57061193640a791bfdb17936a60bca6e44a7332685a143f7eb2f12 envoy/admin/v3/memory.proto +shake256:1fbd58b26fc343916e3a95e7c8bbcd18be83aa4100f0cbb1171556685079dd0c7d6d705bba862d77dbdcf960e9be17cad3e5cb0a5994e9ba9b88b541a9d66411 envoy/admin/v3/metrics.proto +shake256:7d878df1ba81097b3bd150127d366a41db794cd7243a03e0b233c563044e15b5d0f74565d5f9408efff46de7dfb7c3b0a5842cb02882758acbc15323fcb46ceb envoy/admin/v3/mutex_stats.proto +shake256:b5082be33b95bbc2c8a1bae0d4ab9585ce842da65878270cf233bf066be2276fd9282b37d7b809cb974812a92cd343d877f95344756ba946b6b05630261df3ce envoy/admin/v3/server_info.proto +shake256:6a478eb836b32fa6eb4912a3cc311d3e54b267e7a628426efc49cb81959b0b5215ed46deacd0233d4aeaab32a303ca5309fcd030012bfedde2de782fc0787310 envoy/admin/v3/tap.proto +shake256:3adb067791805262a0ab31825adf5239b87c95c057cf3b4dffa4a7a8debf5ed4a53e239ed3108da8981c69fe795b1cde14a02c133f410dd0f886e71f6479319a envoy/annotations/deprecation.proto +shake256:f2de7186256f2d6d35bc5e77e5a2060e3be9256970d9415cfa01bd9d0a063f98e2a7bb47bf7b03706d9d466062aa2faca4ea91f45fc93f995340d497bc9d7186 envoy/annotations/resource.proto +shake256:6bcd4872bc82d5ea2fbb17106cdba7772b0b241931a935266ce04e980804700b5b0ea06ac0156f60645830a6ab234bdfc46a37f51bb49a18afdc6bdc984563c5 envoy/api/v2/auth/cert.proto +shake256:4ee13ab3002ccc1c7a6143d26373585edcef9829006e3f6daf46f4e1aacffce7eb83d4c61f5464a62f021eb73126e855650aac16b222b0e0ea8f3d7700ce07b7 envoy/api/v2/auth/common.proto +shake256:fc23072cb4fe3305d96f0d2906e00ef441ca4168ebdb5e03ae90ff55de2c7f8e597049853e149378f283b87d20270e29b91205729bc4400ac8981fd9a00be0d4 envoy/api/v2/auth/secret.proto +shake256:be1ae530ce5457cf99390111b1c49a4eb22ec4c88a926c88aba17f798283648c5b8c0c19b50e82fc38ab4b86b68b2c7880ceddf200218e8e37e27f66a7825742 envoy/api/v2/auth/tls.proto +shake256:15394420cc45218d6f94c6d4d374afbfaee234bb34f5347c9e24f53351ae1d9702b2e6ee54e212c690065f5ba41e7bec67c797f9f67f66bd73a52646761ac7e4 envoy/api/v2/cds.proto +shake256:8ef3d1a78d916b9aa11b7d1ebd91dc3b8ae11e1c8e0394ace665b30f5af424efa0857fc017ffbfab8180aeda10f374129e77c0649d13897bb3550d803b904a3a envoy/api/v2/cluster.proto +shake256:dcf8ada507f8f3d3bc8e2d27b16ccce79ee4cea169bc664b7a16412816429e4833dc7cfc0c1f9cb93da2857135d9ae785ae595ec16eb2656670d3023e1976962 envoy/api/v2/cluster/circuit_breaker.proto +shake256:c42724147597e47e16d67d23c262164c30794cfb11008029b88608165ef6c28f193f3be64b16024ea38e55b684bf67fb7d1d48b57399669b85cb3be0f4c8dcaf envoy/api/v2/cluster/filter.proto +shake256:641cf1b144e9467ff3a518dcff9303974f5ffd7320833992eb1040b670492055bf51d07c3f94ad4108419964b19a320d4d17f498094df3476f0556026e729933 envoy/api/v2/cluster/outlier_detection.proto +shake256:94d83f6ef94961e92bb3c07c3cf513e755e03408f15ee290af3047f7fcd79a7a3eab72cf2cbab525312a4d58efa3d6e6510014f2df2b79762767b45a491c373c envoy/api/v2/core/address.proto +shake256:23237102de7fddb83c181d3b7bfa7d34e693bb9b414f2ac87bdde48a4ad1bd6d8fda9c26cab0e13869d1f0285f725b1d1f978ad63e310f1bd81bb110315b9e24 envoy/api/v2/core/backoff.proto +shake256:13cf2aac8defd6070f70fcd106137a8fb8cb8bf27ac53fc76c876b0dfc098faeaaa90c87fc31aa9c22ca16e576764f7bc4f6e6bb15264310ea266b3fc577d7f3 envoy/api/v2/core/base.proto +shake256:58c4a77b91b41262c7c5db6d9883ba32b83955cc7490c326a7393bc2716646af68282476e0ff4605541d9cf6049a6a9ed4bd124c45e3dc12089c4346d86b3be0 envoy/api/v2/core/config_source.proto +shake256:6a143f29c2c8a492b4d04bc5ab6258c80c2aef067cd0382050a6813c950ddc47c5ec763f6b797398c6a2c03be3bfba65b127be9ffcf5f07d3b6e9631c74fc2b8 envoy/api/v2/core/event_service_config.proto +shake256:488b4d588a48823ff76c9be096afec4ca1573a0fae135436a7b691494d6153759f08ba1abf8b108949b1d1b9225cf6ed4fc934bc3ee03ea0546f0e97d3732b9e envoy/api/v2/core/grpc_method_list.proto +shake256:7b95620b8d3fb3c0b67d8bc400d7d1c61492f2ce4807f75ab5f77086925eeae9b3bc1275c8568b2bef90cfb386466168be40f3f67e613cd307007a372e8fce3f envoy/api/v2/core/grpc_service.proto +shake256:8f651da5a7966d944fb75b1d3a2c245101cb3cdc4883d2d5ba9a54440a6daf5986f92460c5e8f3f439198131246891093ad1aac6f9d70a32d8ffec3834fc030e envoy/api/v2/core/health_check.proto +shake256:662c11e025424aa76f09f82c7f4f374398d62c59b823f2ef865492b54e0560edfc04b989c8e050f0b2e62d7bd764aea4374859a4fbf97f20d6adb50563c4dcf0 envoy/api/v2/core/http_uri.proto +shake256:9c4b1b16e8883e5a4ab925b8da52d27e5ae1891b5391c9416c01e8ea172a34a9786000c15d3728f031f548101d9f2c4cce42fccbfe603c7189a9504de48e0ae0 envoy/api/v2/core/protocol.proto +shake256:4183d9068d64aacc842a36e6ea35f750e7f08118e1b9a8bb9da1aeade8d4a462dc024b226489f5918511261d4e023a5e7676c05a4b91624dab490df30cb6b1c3 envoy/api/v2/core/socket_option.proto +shake256:87a9f435ecb6daab09bdd9d1615fc8883c3b1951b9dc35e5ac2421e68c749893cd1bdd266bcfb21b816e6518c09e623bd08c3a0d519129c85686fb3e7de92928 envoy/api/v2/discovery.proto +shake256:119c145cf6a5e4e18331364889c9ce3ad897293b9b5a79a0480d566f44338a6781ae5801df1f9e9675c78d6ff4ed1eb91e7f61e7dc3e075855a2ec1b6c6bc024 envoy/api/v2/eds.proto +shake256:09e85cf3be7bb8b48dedcc2f0be2729ffa3e4f8bf3a62477adaa8bbfb096b6bc54ceb3a214f0367bd1e629d27db07b389fc2051b3bc106438f1ac37f5ad8b824 envoy/api/v2/endpoint.proto +shake256:d34472c35bbf374d27edc187d7a9748623b9f315d98ceda6c98a3efd883e8d643711dba2e7def8159a04ea8d32a70a84caa1bc4701a19ac7ef412ff6c74ed474 envoy/api/v2/endpoint/endpoint.proto +shake256:41d9f97e89161ba8aa2a398c753b6692bed579d1abec9df50782c120410a8ccb1d382e70729486028036d5fb81aecf784a5f87a03335790b9a6843f2ea8b3fc8 envoy/api/v2/endpoint/endpoint_components.proto +shake256:b47b6d2db7d09e3059247b3620abd6dfa60be9ed18f53336f5cd0f692a8d5dc98393b20f64461bf440bd3d6dbc92794104e6c56c6021599e31b91b60ef6a66c6 envoy/api/v2/endpoint/load_report.proto +shake256:639c987ea02b03f1c4329299df8fcace9c807fcff8e1fe2c651f1f8110bb39d401c9fae511abc9e8b0c08c2c00eaf7ac6116d64fc428cb72fd116064a012b01b envoy/api/v2/lds.proto +shake256:20dcee2d61c25ab8f6ca81f5dcc45c32bfe28821c419f91a1a013a9afd0a5d2a665afadac356922af4f6fc1807ca89f75ec84703ff04ccb30c5a7479f57debd6 envoy/api/v2/listener.proto +shake256:3660a7db469f0a78a086f2c9a3ea6417ee67fad8d8f66f6df255c096780b2f9fac4058f69fafb7b31bb41371be08d49df8e4dd7cbaab57dc81faa072a0b2d961 envoy/api/v2/listener/listener.proto +shake256:01ed343576226520f26c740fd0ff17db2c90a3b40ceb767b5dac115a5ddc45da4fe8bbba5bc07cb5a5b1b1c2c4ad1b9e8bc9f9d789faa245c4b689b4ad31efa1 envoy/api/v2/listener/listener_components.proto +shake256:9eba07e2c57d6721e5c21bd25db39e433e6beb2690f19cc35e491b6ee398a21c602cc66f5c4998bc671c6c60935def6e9fdb78263ebf619a5ad9c5cd0040bf08 envoy/api/v2/listener/quic_config.proto +shake256:bce97795ccfd54cb5517de97a66f625d6358e490738a83016ad6fc352258bd265962bb5cf02c9c53e40130ef02aa0271c766682588b3bbc53c518da9ccac6d88 envoy/api/v2/listener/udp_listener_config.proto +shake256:c4f13154764837590c09419febc8778291e5de10cdca3b4acc72cda616a6e1f542e0ac7183aac0f37348c9761ac3a506fbe657432daba38469e9c6d7d9237b37 envoy/api/v2/ratelimit/ratelimit.proto +shake256:5109fdb17b9347ab1483afac5e638422b3164935fe79f691a8f371adc240c60430a85caf88385588957e3c07d1855bdc0ebb391940b6d5201e1bd3a0c9f28434 envoy/api/v2/rds.proto +shake256:0eefdba40313bb46ee9d204281aa7bebbd8e21329ebb752dbf82d29e0213e8d76d0139a50221d34977d8fcd3bda842cdbb160b55f33969256e5ecb5c59232c09 envoy/api/v2/route.proto +shake256:6b3fe64c7dce23224bed799cdb5162b71f9152b4020e9a002decddc9f8c366c58e21b3c03d681c643c79e78e8945fab211564ffeea0a16e5d8509b7d3d66a8bc envoy/api/v2/route/route.proto +shake256:f236b4f96272bdd8ba4cf24cf02938cb51d915589dea4bcc7a03923361f616bfc4c5ed05d63e5437f8da95a8d423c391d61907e862f445b3f23b7bec07d8ad9b envoy/api/v2/route/route_components.proto +shake256:bc9898fe8b4765b8bfc498d32721a1ed0209a5420d351825522e73c0dcdc915768c5d88eb3b25dfadb6168bbf9d2cf233620950c32f38bddc382527cefa5c259 envoy/api/v2/scoped_route.proto +shake256:6f247444f93f26c93eacb2890b7b831944c5187ebae43414dbe1455abc2b49a7f0f2d965d787b5db9a6ba585d1865add9c35b4ece5fdeeaf08bab78752d17b6e envoy/api/v2/srds.proto +shake256:11e4ff5a2c6dcb48b7d58a3d37bf0ee7cf0c9725684d856f0a0a56c7d6ad07d67478f8f8b3afce1f5634c3f18ba5497f44d902cf931e1a5d01dd78b639336889 envoy/config/accesslog/v2/als.proto +shake256:f00cdaf3138ffede9241f899df44d894016dc547bba274e945eca8d923f158d848ef208fe3271b639ef4858f8e7141ec86461af7a35259fe265fd76d9aad29bb envoy/config/accesslog/v2/file.proto +shake256:4c4053ab7accefbd9a3fd4e9804d8e18ddd5e2aeee2d2c54b3ed1ee90488b292dcbe6aa4da4f245c1d4a70eefb9a19dd839d6e32533352fb5bb2cc8bd2b3be8e envoy/config/accesslog/v3/accesslog.proto +shake256:f17fed4317d85246c5b637ab098c1ec900898a4f1a6de66bf20cc4916d91b19fbfe94b3b8008aff5898f561affb1bf7bfb244a1cc8984928c2f246ffd7b91f63 envoy/config/bootstrap/v2/bootstrap.proto +shake256:012964f6302f1be544858bbdec9638aa5eea252b22d0226c3213917a2b03d2682c1b9393486b4810938f211a045c9130bed7e1b91c2fa583b7ef894db1eb4905 envoy/config/bootstrap/v3/bootstrap.proto +shake256:ef15d2b7031d8edb952315f6f4dd986f1ca0137662cbf58466fc1ae58d9daaa396a6f79be8da1c5de511dc7620c29dec56ec4a1ca9ef29c1dc24de71da2e40e0 envoy/config/cluster/aggregate/v2alpha/cluster.proto +shake256:e96c45cc69cf74ea9fa9ce48596722f01c84f8164b2c8b213a1c901973d70cd9f88a797b22b83423bd548efa3452793495f5f730f2d6c79a3cc4de88f1e23013 envoy/config/cluster/dynamic_forward_proxy/v2alpha/cluster.proto +shake256:f88d1d71037a70c72f39863a5a9ec8d65ded375d725b7e416d36ec233adcd670e010a8b024c755835c16899a8e4c1d00ee24eacc7bc51c778296d6c5fff1fc8a envoy/config/cluster/redis/redis_cluster.proto +shake256:10a21c816540ed52d9dd7002be5d269527d7927a5b55acff457c434c996df2ad57355f996157d4e4fdab2d6db7f1a80c5f1ce94115c3b31cdef782b5c7d26b7b envoy/config/cluster/v3/circuit_breaker.proto +shake256:f75af2771b6d007291e7a3213e7b027a1a498364c9cc86ee85d40d25fe4ba8f39e48f29de9a57e7b2ac1c87c048298ca64c8828c40bc043f19c8038b72e3330e envoy/config/cluster/v3/cluster.proto +shake256:b3be2cbe299480ca14f70ab1684fec6d05045dcea3359785a5c9651036aa8c216b927a23d6107b5c1fd86b6e5bcbb204366562bc7356bb634584ddead1bc2ec0 envoy/config/cluster/v3/filter.proto +shake256:98b1c26901946bf3ffca0a0528724578ea47c176c8de0354aad5c4d2daa7a8436b3b7444741d8645c9ce01f679b1ff83a22daebb1060af8bad082193088b4242 envoy/config/cluster/v3/outlier_detection.proto +shake256:238687121388f8ec3ca6be644812aa45483557f65c5a22f97868ac71fafb3b6770a8256bc28b1f56286d959e8316227035b2606e58aa4b0fae141181f665d4f6 envoy/config/common/dynamic_forward_proxy/v2alpha/dns_cache.proto +shake256:14212536f4874aa3d72398818186611af78b88cd84497439e90174013822a27b0cbd476f0dba6d18be520d6e0969e8a2649530dc89313fdcce7272cb7317a51d envoy/config/common/key_value/v3/config.proto +shake256:36d0af392c209533e79a725e8e1999e141deed82a1769728a96465761fd5346382719b47765b4be6753777f80b1f93b214c6eb8a501d9e7431753ad8b993f136 envoy/config/common/matcher/v3/matcher.proto +shake256:175d2f7896be8a9a86b2eecf8cab4cf5c8e5c5361842335f8c607f3a1ce908a57419a79822d110b334254694bc67e6bd67dfcf0ef08de910b898a8a617eadd4f envoy/config/common/mutation_rules/v3/mutation_rules.proto +shake256:cbad07f379e55edc8e8cbefff8799dee2698ef277b0f8d68d8e4a040cccfc877d2bcd19ca008021ebbc796148d0e7bc01a5f8b6fd1a5dede10e1b1b2672f202c envoy/config/common/tap/v2alpha/common.proto +shake256:1a9db550014817a7ab0e397006fefed890a2cf80bf6d895c4d348ae8e4bc84349175ceb206e972fbc9b152908c9ecc65cc91b00a785c04fc7cd5b9c5c7de4284 envoy/config/core/v3/address.proto +shake256:fdb34f03c4ddb608eaddf33afadc37719a5844bc0f2b0a3d46acdd3a47e03766e7b0021067c67f2f0f1f55e651e0c7000b9e4d2c44aacef35c0f71b016416750 envoy/config/core/v3/backoff.proto +shake256:5e7d0238586f5b9dcb7eb825f7256694e31cd8082ebd27e23ec810b50a414434f31c6ec652e5bd7aff2d4b6f05f665de1ca58852dd9020af4e70cf1551382d7a envoy/config/core/v3/base.proto +shake256:f3cb7e88d65a8b2d19c1255815c37f61b708887327f5b3a58fe5b6bf8c0c1607d12b7bcabf156947db5c9108c041599af9f6a25ac22d0225326cc1c4418a343d envoy/config/core/v3/config_source.proto +shake256:58094a58339d6781d0d06e48e32ce262aaf8f79448b624a9ac2792248efbd1217c6606c493ec80226069b95efd89e9fa25357a8e76afe0775ddecd40f0ad7d78 envoy/config/core/v3/event_service_config.proto +shake256:fe914c4817a48cf5e7ca7d9cabd28f99eee574396cc29419ca282b75a126126fc4a9c417fe5f702082500b0d9032586a4c7b50f4810ce34c2c1dacef2ab48663 envoy/config/core/v3/extension.proto +shake256:b8c9d6866b3e14f1e41ea50d6977325cf48575bd3a815cc36077ec0f631a69882b3d168c7ae39717b93102a3f3285dadee6d1e0c4aeb461399ea649abf8384b9 envoy/config/core/v3/grpc_method_list.proto +shake256:8c73bfaf4c0aa348a088e9c432b16703dca8ebd6e0227c4301076f7c64cb1af98bd0a1e395b05f2d4c311d10f57baf851dba7c19dca1e5e447dee7b4b6f9fd81 envoy/config/core/v3/grpc_service.proto +shake256:6a4880727a18c76c27422fb04451cb0c08cb6acc712b2ba3b3a68c81cb00feb401d2d4f8d666cbaaa787331838d3b8b8a9cf3a0ec609f9cb00c9f97574edae2a envoy/config/core/v3/health_check.proto +shake256:e72a9109cba19d603c43c8a5e7505dc1d710e9a8f79b135190c7e50e570b728df279d903f13f5c6aa5149f562f613fdad442aa327466650443ad43baf747fb2e envoy/config/core/v3/http_service.proto +shake256:ee0b0b1aeb239c4327f288f4b00507172a97cfcf5449c12d9abe4ee71a07534c6f80578568b0a445a6818604a3cb44e3cf640f66dee9fb212dff8e31de9f3309 envoy/config/core/v3/http_uri.proto +shake256:1580679222615a4c489cfd5f311a2ceb66378020ac353ee807f791abe9dc9c4d3994c5ca5ebd8ddf509382e7b6a55c1d3954a03a9917702659ccaaef7acbc5f9 envoy/config/core/v3/protocol.proto +shake256:228b44c84ee8b6c130b4a061960ac1fd5a222d903f100caeed5206441656d9692892a7c5c29a604df6c0c4130560fc8766a377cbdf9bd2f7fc804cc9eddf09af envoy/config/core/v3/proxy_protocol.proto +shake256:8dc2e42d6be6f5e608487cc7a5cfd89670edc9a21be4ece3bbff666939f36a2ec7d18283cfa43007557e10e59a603e9844d8e76ce528e51e5d7b79fbfdd041b5 envoy/config/core/v3/resolver.proto +shake256:600c407b3baecc7213d993c5b2c76748c396b7c197de79b94e12427201633d5c5e900dcf1fb3de264dd4ae90c615c8c01194f43d690381f2c79d7604acefc098 envoy/config/core/v3/socket_cmsg_headers.proto +shake256:54fb8bdc367e04a2b306de2e85bcca91f79ee21802d963ea46a5761a344e3db3666600f3c860fe7c18052aae3141b4dcb14e9449e83adb08036e8b2e5848658b envoy/config/core/v3/socket_option.proto +shake256:2ecc944e590837c4b221e72959420b145d0ef24fb8ac4534355cdb0bd6bd6c333093baf209e5d4c933a386cdec5e48e5f7c07859d329b518f937a371e92eb0bb envoy/config/core/v3/substitution_format_string.proto +shake256:ca4da0953d0209d8c791e9d9eb1910c2d2e577a467348e4986a8c3c341db38e52516a7bf6dc4815ea0e8d1ba7566e314e50c89f3d33ee217b19335939b1142d1 envoy/config/core/v3/udp_socket_config.proto +shake256:f21f75567e86558fb38afe39c448339f1a5363d8add311ce8117e6d4ae8cb8c0eb37c8116636004203da6420eb226ee8b142e9306441cce1be69a0475febaa53 envoy/config/endpoint/v3/endpoint.proto +shake256:303fb1667359e27d6ec2aece183975387269521eaf32a9092183560a0cfb88c72976ad820c8d3c2dedbdb1821ad3bf90ed231d827343295779098a0905026cfc envoy/config/endpoint/v3/endpoint_components.proto +shake256:37544485154fc1be701779188515c219db0415ee12110f40fd75e51cf5ac61275914ac75f9c349c711215d45c2a1a525cd589738d1f2d119aa56ee3aec2a234a envoy/config/endpoint/v3/load_report.proto +shake256:2d64307e37f83d7f3d7d7702252ae62811016f56644599787a12e0d59c2a414e6454f8518fad20079a195415d543f1c8532615056f5d1aa58f39d38d0713c509 envoy/config/filter/accesslog/v2/accesslog.proto +shake256:2e04814e594b2f7b966528e191ec9c9d7eee8b81ee070f8f1ce057829aca88bb877666a67534989dd0fc653c86109caf2113d38b5276a9a4ec710e30b303c37e envoy/config/filter/dubbo/router/v2alpha1/router.proto +shake256:cb4a510b6cc2d26c941134827154e1d4f9142add0d92470d7de710bbbf26dfe696eba02d256d97e93c874a4eb3f8ea4215cc1f99a4b478085d044dc27f8f6faa envoy/config/filter/fault/v2/fault.proto +shake256:870cdd98267a9028f41edcbaf811fa8ffa62cf8a09f06386769c7dd46b9e43c7496184fc551ee23dd43e3c37bb87405d599634a0096053d90a5eadbab9c0ef15 envoy/config/filter/http/adaptive_concurrency/v2alpha/adaptive_concurrency.proto +shake256:307f7ba037584aa60c116ab81bdebfc57f955fe2aeab90f71ad08afda92d14cc5ec93bc180e5e026ffb1372f42c9ab610d1238dbd0aba4e0a7fa13b588834a61 envoy/config/filter/http/aws_lambda/v2alpha/aws_lambda.proto +shake256:7837e63e24ef6969166ad19d00d825827ab4f33cd2cdc1d314cdf307130aa4f99642be1490b27f395aa030de57e0620e50436fb4b2915238a943134fdf1e0a03 envoy/config/filter/http/aws_request_signing/v2alpha/aws_request_signing.proto +shake256:993900853d6c5b14b2778802dab83b56056d0a8862cc00fb7ae981f249f037aaae42ec53eeb447275152a83a9825a562c2dacc8391b9550e260f651155e0c700 envoy/config/filter/http/buffer/v2/buffer.proto +shake256:e17bffb8959f0ebd69a5f76aa1fecc5c149a52c8883315499788cd3832aad4a9ab4028aab401d10cd12a54c618ee48e1865a8b7dadf9b174545bda38ade11fd8 envoy/config/filter/http/cache/v2alpha/cache.proto +shake256:366ce40fc1609240c011e89743df49698f53243e673279cfe6df1a3fb5011ec1681a7153670b5a03b401718f26686bf96000094f7c0360e3284754440749c517 envoy/config/filter/http/compressor/v2/compressor.proto +shake256:7edf20c50b174033cef65e0b7546ea572a3f5306bd0106fd30eacc18a82efce49ad9d30f6c39577f36b97b373b281c4048cef86d5ea4bba5075fd2b29c8e1cb0 envoy/config/filter/http/cors/v2/cors.proto +shake256:bb31e2ef037ee26af526662fce06b264b2e166f742ec9f32bf113dba81df5e2a76f033db03d23df77f4417593994502508fcd2512f1dd95928b84969a3ce802d envoy/config/filter/http/csrf/v2/csrf.proto +shake256:1d9282eae617b10bf59dcb7633be402cb61cbbac9285c9e5677218f48bba048a73f459d28ec8b2b7384de99a8281f61fb58c4227dc250b97363860cdd168044e envoy/config/filter/http/dynamic_forward_proxy/v2alpha/dynamic_forward_proxy.proto +shake256:76db280e6229da9e4ae842fc296ba18cd72a9e803c045380a7353ee6f765cb69f4c129b559c22ffe920c7f2437f0404a61ec0108681051b0321fba07f894dbe1 envoy/config/filter/http/dynamo/v2/dynamo.proto +shake256:597e702de8f7a40d1fd9744bacce3076dec835378127af4c19e336e480332c0f27da7e4d5b76ae77f160bc3b5088d54e71e5e65016c97735b1c2eecb511d62df envoy/config/filter/http/ext_authz/v2/ext_authz.proto +shake256:d1b6d7c97efce1de7fccb2ba0472bdf62a20f4d0a716450549b03a3dbf405c4a1592385d7195b629ba43336a6649161e832933f3df2fc193aca16cb06d6b60e2 envoy/config/filter/http/fault/v2/fault.proto +shake256:050055233ed4396d983d99b84e8f6a5c3b0d77c80f7607ab28848156b18e268b57419282cb21d44a877ee43ebb3ba95ccdab886fa861a581e51daa3582ac815c envoy/config/filter/http/grpc_http1_bridge/v2/config.proto +shake256:28e5bedd6b62b170f46454d53864405335b83e56699060794d6b2fd6c41215ec056e13dc69726bf576eb2cc4e5e0ab3ea97b29d31b82bd343bc3715ff3093482 envoy/config/filter/http/grpc_http1_reverse_bridge/v2alpha1/config.proto +shake256:3d7cf31ebca862e3f338116034e2e553a3bb02d824e5c60d36dc16329c8c89d4f983388a6701ff5f28f2836c7504ae8dc4a547c750e61fa2b2ec804d7afdd172 envoy/config/filter/http/grpc_stats/v2alpha/config.proto +shake256:4451c917e256788daea0ace8618859b6d92078cb0f4a521c5f37aff6c1f65c643570375af579af06088bdf134b5d478df3300d0ec1c8499f4675ebe3701c22a8 envoy/config/filter/http/grpc_web/v2/grpc_web.proto +shake256:955bd5acf952e1c646307d585ebff1ddb4b9e12a7c211cdbd18683f9c5ec86bef360d6d501c919cf23307575a4e52bb7e1d8269a6bc13a0895d465067ebc542f envoy/config/filter/http/gzip/v2/gzip.proto +shake256:59e8e289a11351075573f2ddd7a37db76634c8948ed3e6ce6700086fb333c2c5fbb699c32a2a8a953fff83e601c78cd07e1c190b1656fc54c96e580f4a07d2f3 envoy/config/filter/http/header_to_metadata/v2/header_to_metadata.proto +shake256:42d4431a3ab45ef6f56608563c40c650ee96b48e840109bc81b72ace5ee088e1730cc8311942f17c3c7f840401ac795527f37011fa0f8baaa71862f1df4ea3f6 envoy/config/filter/http/health_check/v2/health_check.proto +shake256:7d100ed17b8aa3d24e851dd599ee8265010a64ead4583270004dd1e4119a3347a12ebf54b3bb1d46e82a082739adae9563d6d4a95fae0d72082c49aaecd651e1 envoy/config/filter/http/ip_tagging/v2/ip_tagging.proto +shake256:0e52935864306aaffb1aed4a1ceadb85c9d2faa05d1b85f6ca28f4f2f1c5905d8c1bc3d2e82b784d6b4afa6ac8915fa84e35a5d8b5d61bd1d15162c27795ad38 envoy/config/filter/http/jwt_authn/v2alpha/config.proto +shake256:c0905fa961a0b2650e460950ea69a761bbaecb36f3275501e2af3eab849a118859552ffc25fed71acee9467d821644cf8bc0f63b4b03898cbd409bcf542a0438 envoy/config/filter/http/lua/v2/lua.proto +shake256:ade55f48104a52c6a1a07a69eac9362734ca4d1b2b5b388a723770ac870d9f41aa87a698fddeec5fa5b807e6f3af6cb27bc1306d0c037f2ec16a6316ad9c46e0 envoy/config/filter/http/on_demand/v2/on_demand.proto +shake256:c2ad802957739a45a3aa91759fd5d695873aee61068f8a038f052062057a991d5df8c42940a6f18c158e605702188ce8ecbe8c8fabd108597fb4d153a361b516 envoy/config/filter/http/original_src/v2alpha1/original_src.proto +shake256:7a9da6e3d21b951381677149a4ab86cf91c36da9941460b9f0a5779756a8e8420771414f1a7f8ecdd9d11711e96641c5a513783fd73ec32ebcb78e39a20f6bca envoy/config/filter/http/rate_limit/v2/rate_limit.proto +shake256:f3a1c6647ae372e0b96759e4a81c6a0d3b200e3065f30bd68f53afc8196dcc5e5506bc3e1b87b7fa9f55c6300c2f74202ac6c693558d5b9e129ec356dea99418 envoy/config/filter/http/rbac/v2/rbac.proto +shake256:413fe9d15a14a89a22ce071bc25638552237e23446df0a201ecc174cdbc01b002d0f1214f9229a7189b649d26bd1a074b2ec14a59ba5c883654be8028f79bb03 envoy/config/filter/http/router/v2/router.proto +shake256:b6c5109ebaba66d44558c5b42cbdf0b7a2415bcd33350fa1b3bd87bfb79a57a1cbc1c53b745b3f15d2ae8296185973aef15bc6c35651f054f8f14270c6836fc2 envoy/config/filter/http/squash/v2/squash.proto +shake256:396fb5d3083f51ee0c11021b3c8f12795daa40f767de6ca35259c02710fda3e074777e53b4aeb6d1c0f2df8d12d82e54b211a2bb68260914de7e99176a941cda envoy/config/filter/http/tap/v2alpha/tap.proto +shake256:5b8b39f989d4085aec086bad0adde86332f122d5a7039bd417971ebad896c6b0d3f954ef2cf20f2db3e144fad5faa647fcc4f780855c73610a476ec2ff8479a2 envoy/config/filter/http/transcoder/v2/transcoder.proto +shake256:0d6c3b6012f347a164577edd8719c672791fcf42bfaae8801ea78358f1810948ce8e96f160bb7c0cae6d31e599072b15b7765efbea24b4b66171f654132dea3f envoy/config/filter/listener/http_inspector/v2/http_inspector.proto +shake256:ad9a5ebe5ad5dfbcd7cb9ca60512f309b7977f3e799916f203d16a0e5ffcea17ad6f6754e1dc0b1790b4b310c620f7f7b299a666165b6226d8b11e0411b26db8 envoy/config/filter/listener/original_dst/v2/original_dst.proto +shake256:f0f087b21bf93903c09469582f75f567815ea9e61a60fc696a800d3dc9a715a2f1c6bdc46d254add4deae2b7e099458754cb6e00b2875068d967cc884bfe4177 envoy/config/filter/listener/original_src/v2alpha1/original_src.proto +shake256:e87549581f5c86532b2bb5f98f7b36174de46c3f06eccd5450f7de62d009ed796d271943f8dd097ee97470a9a21f56737ba0619f4abf6ec72e314a4a6ae45c8a envoy/config/filter/listener/proxy_protocol/v2/proxy_protocol.proto +shake256:22f6d98be5ea471289b31b871ecef036632bb6db471a2cab6b7e5ccc11567a3722f8c1bbdb79e3aa74b23bc5d96330b097749d9010e73b180e9d491fb3075c6a envoy/config/filter/listener/tls_inspector/v2/tls_inspector.proto +shake256:1456550bea1922225a08a3b31c07d216ace78840dcd333d7c0fe202643b55c8e743b644b97f817c70558dccd760ff621289bc20582d521c090b5107d1f7f9465 envoy/config/filter/network/client_ssl_auth/v2/client_ssl_auth.proto +shake256:0df0940ecb3b653bbafe1ecba3506cce4b15d0da8ffa99591acc62b6ccab803fcb096cb468891b5b60c8f02ebec00737a2585e8bceb1103ca27dcc2f0466d298 envoy/config/filter/network/direct_response/v2/config.proto +shake256:dbdd276342dcc3634ad05a1a440099992ab5f3d122e4a02a51e5103115f672650aeec58af6f49fe03891c63199c1bd778621adbaced888d4199bd89a81536efa envoy/config/filter/network/dubbo_proxy/v2alpha1/dubbo_proxy.proto +shake256:1d6d4703df00e15becb0f3482904cb9d9e2b3275958478c0e947f213e3169da8c5cb19f71177337529ca7090f67e44ba8f7db0fcc81c71d2e23bb608f381ad5c envoy/config/filter/network/dubbo_proxy/v2alpha1/route.proto +shake256:02b5ec1c189f640a9f3544ae58b6f6eaf99c995f91290b44d4ec279f7faae01cc6672478f67603eff54dba99efba1ae5b6850f76428a08d2247c4c777b4f0f67 envoy/config/filter/network/echo/v2/echo.proto +shake256:f620691491093a0c4deeaa76d679ab9e08733bcfd5782d01e22d3f013326b9af64dc0dc85abe8968d7da59730c5f6f597ea9c7c0153724077af9c22762e553b2 envoy/config/filter/network/ext_authz/v2/ext_authz.proto +shake256:a7f813dbdfaadb034a6a7332b0255a0e3b22c62a143f04961312762d3abbf1f55bead00e1df978bdd79ea16c8d90d7c6fd485b60367217391e39ec5aab637b2b envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto +shake256:c287f1093bd60b0ed243f40f69dc868a8856f31b36cc3f44790c0ed62e24c23fee9046ff0c55512f5fdbabd3f7fb89ca60d13a90ae0e1595189e5f2ef03febb1 envoy/config/filter/network/kafka_broker/v2alpha1/kafka_broker.proto +shake256:35476c557e6f472b50de17f81ba0acb566e934ae8a1f6b074e5516c797bd9737ae81a44a553af1702b2a29b7a60d41a815abff0fbc960ec4032dcbe7dd0dafa7 envoy/config/filter/network/local_rate_limit/v2alpha/local_rate_limit.proto +shake256:ff5bdb82fe17ffc5e034384ede8f7be5ba4dda6b7aedcf79e3e2a6ceb15253b2e7468944000118b6a8825aeeac97437f5850ac702a6bd2fd4f8e007050588c87 envoy/config/filter/network/mongo_proxy/v2/mongo_proxy.proto +shake256:6358160a2bb957573173e82b28b78768815df7674e3b755e2d73b28926aae148219181fc7a728fab85a0bf9046ff8a3148fe266630fbd6213583b61f093fc1a1 envoy/config/filter/network/mysql_proxy/v1alpha1/mysql_proxy.proto +shake256:f7871c4be8c05a913f14222ad951bcae6adbcbb8c06e1054d04fa726ceaddd4b9662bbabca46863b0662a800f07ac5e0d7cd8259e427f179e43410e12261344d envoy/config/filter/network/rate_limit/v2/rate_limit.proto +shake256:28d44c0675c62529d36fe6cdca9b6195cfbd79c0a28c5214e7b1a8dcea07098639385ffb8707a569ae7c073d72731511c48aac49d157181cddabe721617eba51 envoy/config/filter/network/rbac/v2/rbac.proto +shake256:20013e3fa4f7dcbfac0a112706f65603465c3a2690347a5d73a5c51186306f65fa335620753d5df37e40867dba5262c848e91983488a492d4df6cdc5834665ef envoy/config/filter/network/redis_proxy/v2/redis_proxy.proto +shake256:8b1bc807c6c7bcc0ce1eabeb73492054766baa72cc282d9586fe31dbcfd605a585eb4663bbaac2569d92883ca51fc185951739cd61c41cbec0e419a00b966fc6 envoy/config/filter/network/sni_cluster/v2/sni_cluster.proto +shake256:dc8c92bc94f230e7fea77366937e8f7434fe3e1eceaf1fa39efceafbf3abc462d24bb1b9e666e0871d03737ed493c13e617c3d155ab739b072f3de16dc953559 envoy/config/filter/network/tcp_proxy/v2/tcp_proxy.proto +shake256:82e6c06843d291a8b5709eb695063c78c7ae1d2c1a2b8b2292223305dda4428b1e7eaafb5f306c7eb15dfad1235e60003c253f7a6a5d2e60beec891f23e97338 envoy/config/filter/network/thrift_proxy/v2alpha1/route.proto +shake256:114b21fa77aecb64aca3aab1c3b7d53bc1e7066340c773705815ab4fde30388db17f015ce9522572c3dff389942faa04205440f7969a11cdeea4a23af2f1aee2 envoy/config/filter/network/thrift_proxy/v2alpha1/thrift_proxy.proto +shake256:6cbf64dd0d1c15d6e2c93f4e4afde9f5d7f451654331fae4b02c921606f00f23cfb0caa36f2f06fb9f2ccb0d9f234fa0cbf03ca0a874b0a3bba922b4505e2312 envoy/config/filter/network/zookeeper_proxy/v1alpha1/zookeeper_proxy.proto +shake256:da300993632e7361d6ee03a7662b0e6acc5892e7e07fa8520bc17cf2522385532cc563b364cbc8273fb73bc03531b346ac43f230b753ac137f2dc7fc42168a84 envoy/config/filter/thrift/rate_limit/v2alpha1/rate_limit.proto +shake256:1d3dcf44a5b9aa1d72644ce5fd320c750dd4602cf38fe13a84ded28c71f96b18495917e56a5dc5393891f71bca3694625259f5406be8d534af8b4011b82c7927 envoy/config/filter/thrift/router/v2alpha1/router.proto +shake256:8b64c01228242819c686d8298bcc8cd5a0009f46172bb1160a0b504fcd9887a1d1a16f18f601186ba23509ca27d5fab13dc3ab4dcab7fe5d0ec5afec73a3279a envoy/config/filter/udp/udp_proxy/v2alpha/udp_proxy.proto +shake256:9c1bb39ce93f4f855fe268b2e6d4d54dd73bb2542292e0b86bfaf165d3e675e4d064899b0acc06993e0d58336f3260c16e2c1543dd72e9e0428a0b3c36495e45 envoy/config/grpc_credential/v2alpha/aws_iam.proto +shake256:ccd04514495a977770d0f97b6e366907b20b06daf79b935cea836ac8127e59a5a62116085c4a412751562cddd709808ff87781d7bab9e2f659e563b827dba353 envoy/config/grpc_credential/v2alpha/file_based_metadata.proto +shake256:3f8a8ff682430a9deb7aed8aba00fb69ba6696e62ae7161963ca11e80e4195db0bb9d0efca69da4ba67e9cd62fbce30ae0450144bf3e8d905d90e2eb2418ce59 envoy/config/grpc_credential/v3/file_based_metadata.proto +shake256:8913cce18ff3029b4361fe7cd0af29f512b44f31cff11c45f213873000f5e246f5376640a4df5818b9e9b1b296e5790a53909f4f50434154ea12b001fb180f29 envoy/config/health_checker/redis/v2/redis.proto +shake256:55c7c15b14acd86d816cfec4ac71c775f41c28059fa30449b2b636141bf6acaa769751f331d3fa8c2deed0c1c4a5b493d412761f638768fdab99fd08467afe2a envoy/config/listener/v2/api_listener.proto +shake256:047590d1b4f17739e8b57fd51ef0a1595e76358171b4470db6d058ef045fe31b4dbfcefd8aff4d8fd8fa861fa235a90e00ae867bfd65a78887dff4d08863e0a8 envoy/config/listener/v3/api_listener.proto +shake256:112f2a8870a2ab47df0547e5f412f629ef41b5d79b5c4f3d7bdbea39d73dc4ccd8d88710d6433de85121c4940f0d9a003237e16366309dc652fc220666028f32 envoy/config/listener/v3/listener.proto +shake256:1f3f879c54b1a2d224518fd83a0102d0d2773bc6ec191cc330efa19ebbfed6040cbfa7cafce5ef133402fd1455954aa17c7938f765340f34603adda028d14a82 envoy/config/listener/v3/listener_components.proto +shake256:a11917471e11f29c38dd4650a5a17c27bb52f83a37c27b31f0820da873e4a5bfab148d78d65fe152f954a8284fc29dc4cfb37855c8b4fbacb51b53d45bf3441a envoy/config/listener/v3/quic_config.proto +shake256:1d22bc9a3a0507d33d49885136fbee5c011fd5f74ac1f9ef105c7bca44d0ac9159452d54b8b559e428b8ccf83bfd7870911823678b5a38f44eb2ae1f3c8b1b1a envoy/config/listener/v3/udp_listener_config.proto +shake256:4f66defabea04b57f142cab999dd99555839e1eafd08aeda613bf09565089d4526163edcbd8b645798cc030da7731b4ab9e4c1c69fa9b9f5f4566d11d873cf4f envoy/config/metrics/v2/metrics_service.proto +shake256:381b65015b4dcf88a0b952cc9a87e083818051fa779f8cb7cd45ce92cbd24ca51f4a898bd4d35651962428db7cfcc23bd6203666402466a5aba58caeb3a8ff2c envoy/config/metrics/v2/stats.proto +shake256:a49fbe0a644dadf659afbce6a37b84716587601a0040f177bc88a42e5dc542f7110eafbff73383e2a07815fad1a156edbdeade4e9685f059ca319f2fa98fac7e envoy/config/metrics/v3/metrics_service.proto +shake256:0ab7a51526349d17204ee9d8ea113d3786daa4820362b5f6343919aab1ce08622c5831302b043b080ef74ad38101100f25f807b50ab19b8fa4f825fac23d292b envoy/config/metrics/v3/stats.proto +shake256:00f5305f959618a910e0ffdf75afc0666c5217d86f64db2377b7e5c4c742cdbcbfa572a791db73ac3c4c5c37d3b3b41234c36a4b4b313e6a0bab8a48a4dba3ef envoy/config/overload/v2alpha/overload.proto +shake256:e2127d379ca4b3095227bfca37afce4626c1f19c0f12fb5750cb96e102ad44a4b69ef87a9ffe1871025355f89b4c2a4ac2c099ff53da65237672a923c2625006 envoy/config/overload/v3/overload.proto +shake256:89a239eff6cea2da4775f5ba8245b06aa675dd8c55d466537de4c17dca74965a54425b365da798ac31cc2165f497274457cfc8d607fa7872686d0d85b221b4e3 envoy/config/ratelimit/v2/rls.proto +shake256:56a59a28387e09e6e782cbfc68daad166335b3c6de22b367d07981a1d85683405ca5598aff8f3512d781af14e855332eff88cf76472616f7120807bb60ce988e envoy/config/ratelimit/v3/rls.proto +shake256:2ffedca49b310f8130941f9e8de30c1b55f5cc5fcf2adde9db1f041a4fa654fe07c76505d15632304475f0004e9483b3dcc6896d6d7438e21f188c5457fa4c62 envoy/config/rbac/v2/rbac.proto +shake256:7b61006ff5a9d4a71cd174e21992beb4b22dc29202469a416395baa41c177e4edb73440ea323e75b5d17c16c8b05eb79c86e2494d7283d45d4453584f27d3426 envoy/config/rbac/v3/rbac.proto +shake256:9d482847cac75e699a0121874df7d06db534dcd9267f6d756691929550a8bf1c2ea73d85eae8ad873e0e7fc27872d06f07402ae8ea3b6163df3d4803b23b5666 envoy/config/resource_monitor/fixed_heap/v2alpha/fixed_heap.proto +shake256:d54077cd2998eb60031387346af05ebbccc9fe88e3b0d6f8d4a6b15ffc3f065b0741f42761ce9c3e6cd8d922ae67eb922c155f5490f0a2684923b0c70b1a09e2 envoy/config/resource_monitor/injected_resource/v2alpha/injected_resource.proto +shake256:864a6dbb71a9dc13b1f4724b7cf798208ab247d5eb4c51a3067fd7bad1e7c871c8c0a0c6cbd753462f43cd911f535756d23e24809848f4fdcce86ce58ff8c4f2 envoy/config/retry/omit_canary_hosts/v2/omit_canary_hosts.proto +shake256:42fcafbdb4d49cb14673cc7e2f1d4d12320d5df4f9ad5ef96398ee7aeaa0d731fc5e7fa8ed0c6d8eb7153f89b5eee8512eb94bde1c9ab42b91fb322140e07e21 envoy/config/retry/omit_host_metadata/v2/omit_host_metadata_config.proto +shake256:33f92a4028d3695fd5acb12636463b5d3217fe99aeecad27aa46c9888347f193c9f8b1c71559d8d3e999eb32785de600478db13e2128f559c3dbdecc44c766af envoy/config/retry/previous_hosts/v2/previous_hosts.proto +shake256:9db8237cbf8f7d69fb0ef897855f00e1b6a6517fba00f5972df3495948cc66c9a15270099b5aa7c6334d373514f1a9a30af239da352a3a6f718cf24ba7ddd6d5 envoy/config/retry/previous_priorities/previous_priorities_config.proto +shake256:508f82391d37554846ccfc4f806926470b0b5b71b1684be4c612426cd8e3265a6e8f33b03c26fa7038a0ba931e0343c26b7c34dc3e9325d52a74f9650303ec61 envoy/config/route/v3/route.proto +shake256:4e306b1098b447470219676e0a3cc95a4819d2a694fd58ec4349b803bd907396fddca5e3edad7a8ce919d818a27a84e9e68cc0a2a0a5fe1ce547418b30e49132 envoy/config/route/v3/route_components.proto +shake256:134c73bfd73b81e521e4e18e6627c1c251e27f3df44ff846832d1330a018176583c0d9dd25711b5f2575b7ead00bc1c74fe14a198c49e2ea50a1ac3139c9249f envoy/config/route/v3/scoped_route.proto +shake256:9c87eab6e7c8b5285888a411d17ac8325dce79b086da2ec31ba0ad1c1df5d9d37b3fc81fd4eb02d6b2b05051b189ea07e764463fb09c3c9e28473b931349a610 envoy/config/tap/v3/common.proto +shake256:44907bc9d2d03cc048d930b0a78bb6b72b4f353bc9f3a6524f2e93f0a47a2c7234c8299bdc989927d0ca64c593732557bab2d80f47b0c0fca3cdb2d87cc8eace envoy/config/trace/v2/datadog.proto +shake256:bef0bd256ae2d3261475815ec6187b5e852b6a0178d5e9927f526da8ee5d7ef61f4de2639f5ea3511093bde05515b62392becb83ed98f669f3e9a3baeacf203b envoy/config/trace/v2/dynamic_ot.proto +shake256:4637407c3a7a724268ec49ee0bee774f940f60c54d7e13838a12ea9c6115fb34ed56fa20c31ab972a2c9d022616784038e940d2f40c43c0fbb3b85bc9f53bf36 envoy/config/trace/v2/http_tracer.proto +shake256:e86033f3fbb58c172f8fc1a5111f060e09aee3d58d1454955a7d8262422de2a4f1a692456696aa46aae0389f4106738412ed50d067815e30b00106fcc7061006 envoy/config/trace/v2/lightstep.proto +shake256:69abf1db7b6b8ab228edfcca9b0e46831ab9b9374979e609a86bf2204df09d906b33279905bd04d9ff62d4f02c94a3a9dbedb042ba6e3dd96f46db72e5c9f67f envoy/config/trace/v2/service.proto +shake256:db7a4656ca79bb7a54e54e6c6d0c7fe39871f6333f32084aceb29823252bc2bca6090d1f79bebf9c0d2cc9517cb9bbf730003164fe278bdb8777765738320a14 envoy/config/trace/v2/trace.proto +shake256:57cd057a541105aa9f9188ce8135599b752cc1297823951edccf8bf4ad7aa45ce5493f923c7073738d524e9a585090ade1b83f75b6e103ced1dbacb7f8e89a12 envoy/config/trace/v2/zipkin.proto +shake256:14278856f8d450a326b53fd4bf1e136132131664538b2e6d56cdb2c0964c4141c959c1ab0670f6dc53cf84341f3450cd02cdf9fcc0086883648b642648298cda envoy/config/trace/v2alpha/xray.proto +shake256:8d3b5af6ae067de523ffd978d48c5d5426c091552276b300c62c4b2e4903bdc33b1b1b3245cf23056875ccb4d744b676cf7e23f2cfa5aa1d0381458174a21ff2 envoy/config/trace/v3/datadog.proto +shake256:6b579882c08e28fb21fd011c98212afc0edefafa702dd6bfb7545c79d105ae3b5abb8d150246aab75c67f9043c1c7a697b71da38dfa012fe52eab5cb93b477da envoy/config/trace/v3/dynamic_ot.proto +shake256:1125570b23390d44e86ae7a592edeefeafce7821b5281748cf452660d73c20022ce1b3ca8cce1e364209a201b57ff3d5cf75b69be828572475720122be764cdb envoy/config/trace/v3/http_tracer.proto +shake256:a4e359032b0711c7e2ec3dac5bdeb45b4910d590096d1f16ee559bb9210b0c94ab61c3e86dc9f85c6c2320f3769cfb97fdcb5d111af3350ac291c53343587c53 envoy/config/trace/v3/lightstep.proto +shake256:5c63a5548079a410d3c40d11a8761f5472beab03ad573a41f061872a8b2f32e4b33a361cbecc54cc472e3bc35072cf299dde525736aa5303bfefa5d7f73d7360 envoy/config/trace/v3/opentelemetry.proto +shake256:c0071ad84f5e61f0075857b2635f283e4e8e62ca3b9c25e0a7a7fa88ef9ce8ffe243002a5633389ea76f772d1a3d9e44a0a385da9c80aa7880f19f2119764421 envoy/config/trace/v3/service.proto +shake256:a457e40b626a98e1714ca795c0f4c1e56c9efefef26b15b62dc0f1978e957de8e3b99f2a862f7b4fd88fafee15e50189af04cfd3c8b2bd8539a0bf0c9a221a74 envoy/config/trace/v3/skywalking.proto +shake256:d0205fe3c89d1f582db76034f79b0ffc035a8bd2c0d6c1b2fa0a080c9836e3fc69ec5c01d2ff82fdb53d52c27ff9e55f424535eb83b118a5bfc4b96654d41f17 envoy/config/trace/v3/trace.proto +shake256:719e4642cbe678ecafd1338699e9535aa6d448bc97ffed191fd59263dd37ee9fc432d7b7b9f7dd2303b1f4eb87416a237ce1d6b76f8a3321fa253e0167ff6a7b envoy/config/trace/v3/xray.proto +shake256:18d90b067529f445ae790449e2f0c58111103fc49d3206e1e6e453e4fde8a1e95038f89fc272ced56ebb1fd2246852cf3afb275885d34c14d2b7185a6d3cb6c5 envoy/config/trace/v3/zipkin.proto +shake256:72b952cd7788414d2b15680e550320cacb9c2b05f41eebd366a352bf9a8a196bd13dfb37ae05c61d1dce10e3c20db7da9e08647cf1c021dbc040a06b7796f313 envoy/config/transport_socket/alts/v2alpha/alts.proto +shake256:791160950506e2699fca23d4f0a0064aae30c3d30ce6573ede6cdc993b7eec4c118ebfc80850b5dfe907cc8a2af039898741cb25a3b02fc1509e793c9c1c989e envoy/config/transport_socket/raw_buffer/v2/raw_buffer.proto +shake256:d3a0e662e7812372f28a70493a537c01d08628928062da79a6e328e19dd3d40c8376cf811c14decde7bad578a0123f3439be78c6665a1310d6ea3162a55ef556 envoy/config/transport_socket/tap/v2alpha/tap.proto +shake256:a384da635a4197c3cf8ac48f23e764ede9767970455bd7cf1323a18593efc4508198480c9d1cb36278c210d82d519b6e7822a569fd502eff74509802974dbae5 envoy/config/upstream/local_address_selector/v3/default_local_address_selector.proto +shake256:d7f5be3b0700a9aca56b8103381e2b6c492798c086fc2169808c5b6f57798d6f5e9ed0b2eccf7c2137aec6611a5c7e4e20bb7878bb80cc171fbd2ff0dd39f798 envoy/data/accesslog/v2/accesslog.proto +shake256:7188953c02eed213b986a7f1de8c311441e9e42cfdf01a9d8490667fd71c550d968527bc20be8592bbfc728c874f0dd998dfa3743c8adcdc04b8827b7bacd010 envoy/data/accesslog/v3/accesslog.proto +shake256:678006c89c679ff2bbec15ea088af73a37958d828750a0a760ce561b0ceeab7fddaff1db91bc9abd58c64896a613149eec677169bea9bf49e2cca9a357b2e834 envoy/data/cluster/v2alpha/outlier_detection_event.proto +shake256:ee04b813c98e80ddfffbb24402adc26ea381b319e15c9c311ee9c718d4db80ad89ecabdf4ed455aa025a8a31f8c05a9508cbc69046e6ed48c78fe05d8b17914d envoy/data/cluster/v3/outlier_detection_event.proto +shake256:4949c45e24893b84cd2159ff9bd7abb5493facd0418def75117e1e512d142a8fef8e73e7b2a314621997df36441ccfd9b41d02ffeb114bc1b688940a56cba2f2 envoy/data/core/v2alpha/health_check_event.proto +shake256:5074d5c9185ae449c6d77e0cbf47b96a8d6f16c693196e1cce340dfeeb78efe9e49a8244d06097aa1c473d6db063d2dec759eacebe84e80d757794d53c36f6f7 envoy/data/core/v3/health_check_event.proto +shake256:688fce59f3ffa1578320bdf4c261ed966f3cd468c076768aa0c5ec3b470978850bc3a353fed1e88b648366e52555c0c2c6f85d659ba7438a58d552376ba4c89d envoy/data/core/v3/tlv_metadata.proto +shake256:0ddbf0a812e2cdbfa67cffe6f295dddfe3ff1b67fafe2b189dbe56b794f198ea795af6f704b0106867702bf8ae60b1fb641eea702dafeed356514f56ea1ab8f6 envoy/data/dns/v2alpha/dns_table.proto +shake256:25c641eb9d2005b702048207b9e492e3498ce1c42c53954c645389fdc9d276ff97fb1cb63e06d61204c9ebe695fda0d55561d4f608d5b4903ba267d8d7553b2c envoy/data/dns/v3/dns_table.proto +shake256:65f89ef9986261b3a954ceeefd67a70ffd83ecf80fc8e50dab782d1ab212295a7625c96b56f9d277bd1ab96bbeb2c12525b74a32bcdbc2b09d541a86b7dae7c3 envoy/data/tap/v2alpha/common.proto +shake256:61cde86c7ef95ebe901410b910bf31fc2d0be253300932e44cb3b97a83437127df5c47e3c659e0f27220f44a74e10e2c8682386ba61e4e86f7465fa2f2227f46 envoy/data/tap/v2alpha/http.proto +shake256:53a01b2346d8821a23d0d7aa21fd7c134f89c74b7c33c1894aa94f08b59aef3e0093d0e676f08991dbc81ddd9a329a1008cc689f5ea6ac1b00f47a86aabb3476 envoy/data/tap/v2alpha/transport.proto +shake256:891d5bdb9017028abad1e14c68ee3b0e1646f569b97476b8eb8c63d2b781a4b06cb502a46582409292ee431a7e4c0aaf3b28e0272a25e03fbaa56713cb9e6f6b envoy/data/tap/v2alpha/wrapper.proto +shake256:631bfbc49593e820da137679e03ac21405ef7d76e2d68816de0a484bdf0d419f6d72e7d246591904c7712e002e10ebf7b0422c61818d26f1d23337e676f93652 envoy/data/tap/v3/common.proto +shake256:fb758aa0b36e31dccf24f3a64b1621e97ef5d8c80f86e6dfa0844df109d719209dbb6a15d74536f66fcefda9fee5154462dbf640963243a2641b84d17b0a4502 envoy/data/tap/v3/http.proto +shake256:2a5fa7d2cc7b884becff0309f16a824dde527aa73d830caf47c31c2a3f3cb8a8722338acf265ddab960ea6d41620f28042eae36507fae369ceb6116a0a8c05a9 envoy/data/tap/v3/transport.proto +shake256:06a9c81be98880bf743fdc7bad0cfbadad1bd333d89c88364ebe24deeaf2287c33be918618f2dfe9cafa31bd85a0e82a1f5c834d0d13ca285835813aeae7ab9a envoy/data/tap/v3/wrapper.proto +shake256:751d80e997924ab9d8826ac8deb4645239f57629571ac7cc458cacb8ada4779999258188a10d9728c0c17961305cb587074c054d6b23391dbfa3852a94a42c1e envoy/extensions/access_loggers/file/v3/file.proto +shake256:87551ab9254c96245cb5ff34c00d54a309356ba00865dfafd7d31d3ee8ac497087f852545238b0ee32a5b55f0fc9282f8574422a6bdcbb1df1877c69eaa0ae9b envoy/extensions/access_loggers/filters/cel/v3/cel.proto +shake256:56b5bfeea1b9589f8782e223818f04fc325bb38825f275cbb89387474f4e7fded90c907292e660bc01f02f2313aeeb19a29c9fefc0c82e031347130bc4fe9ebf envoy/extensions/access_loggers/fluentd/v3/fluentd.proto +shake256:cea5ade650586c7e3d0f5f583c76140ad465de448b21d230b21aebf5b0f6184bc79b12a11374d7672221a612c59a82a23f6061c3bcd978d4cb4d3b7eb321c613 envoy/extensions/access_loggers/grpc/v3/als.proto +shake256:aa1e11e4d509ca799b5c1c6bfc0488da23a4260d1610c9e586ce85230f42953e0b536dcfe207e368fec4bff5a006c00dffe714568b3abc97cbdb488b0df34b49 envoy/extensions/access_loggers/open_telemetry/v3/logs_service.proto +shake256:667450b661666527e11db45d12b9a0b0376e9c8eded7a80cbe8be51d33569ce931ed8267ac4be3d3cf8f1d1d689b3fe8ce52ddaf61fd2942a52bbf550dcbdb05 envoy/extensions/access_loggers/stream/v3/stream.proto +shake256:dc17cdcb684c9ed3fbd22ebb50989ccaba1edaafe8b2788b64c2aabe277a2540c48136b9db30129543b72ccc3835b563c43589187c10d932d24f55efa43d1ff3 envoy/extensions/access_loggers/wasm/v3/wasm.proto +shake256:02c3685ee9a377c8dc2d6dda1e5906e97b78d430219252c734d583bacb37dbe13bc2f7e9b8fe6d3a919d56e66349c076e4ce243aa955d0ebe5bc1dbb8d0d78ba envoy/extensions/bootstrap/internal_listener/v3/internal_listener.proto +shake256:2d8529937573b5af22c4a01154056d54c8e1b7ce7b96511d19f6109749f9f4053a143a206cf1d298d2ff688e67608f03ea18d80dba10cece6f6dae33e25a8122 envoy/extensions/bootstrap/reverse_tunnel/downstream_socket_interface/v3/downstream_reverse_connection_socket_interface.proto +shake256:8b7b3951df953ac62dfacfadbdb599faeb1072f96527f5ed8455463046d8a62c2ea0932dd5a3bd9feaabfd4812de4c0bf0515be825714cdfa27e1e934e736692 envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3/upstream_reverse_connection_socket_interface.proto +shake256:d5eac6c1a79275aef661d3fdf96f471580083b55a808b79b9c01d69204252fcba82f67f47a80a456abf6ec930fe687ce26f08866f116e0fbe4c7be200d68f1d9 envoy/extensions/clusters/aggregate/v3/cluster.proto +shake256:e3fbc3da2acacca933166dc9dabde689f5f20e29f2b7ab43f839c0b29c8bb5bea668ff8536544d06a5a0020b7c537e3789fe9a671b2e217880442891c899d9a3 envoy/extensions/clusters/common/dns/v3/dns.proto +shake256:b8474a002d72c2f26c487b3f7ff34c9d28dede1ae5deebca5bca92acdc82e3eb084a31405538e2210f87d882cc4cedc05abe0a337497ff6dc211e65c16dcf02a envoy/extensions/clusters/dns/v3/dns_cluster.proto +shake256:7e03724651ff36311b8dc7064d7edd827f2b39c1d84707d9adbdba769385598813dcfe57343b470230c54a1d953ce09eba33b42e1b3baa52e3cc4e9b35565e7a envoy/extensions/clusters/dynamic_forward_proxy/v3/cluster.proto +shake256:5f8a02cf67b5c30f47a9459137ed47a77744906a5bb75baafbce675671109b7038b8464dc2b5e186728bd6360fa0d889df05ff944a21894a27d3cd2d7e38218b envoy/extensions/clusters/redis/v3/redis_cluster.proto +shake256:713d411cee39f04b628ebfc3532d4a8af422cfb8885f372599ed0d86dd4011f743d160c66485159be9dee939ecf66de5c323cd1fc4523f1c3be62bde4e3bbbac envoy/extensions/clusters/reverse_connection/v3/reverse_connection.proto +shake256:9a433eba11a7f4b3fa7ec0c57f89f1d8d9bb514953054bdbb6084f8aec89120f49a316d7b5a38b1cd16d4ab69e09ee5f4beed66abaf2fa285710024cb2be8468 envoy/extensions/common/async_files/v3/async_file_manager.proto +shake256:3fa1741eaccaa0bb0c970910df1df48c1e90f504e27325a5d235c5f46da0ee621d04b6581c24aa93ed88d96170d64ea150e5499a709308659500c9a2293eb364 envoy/extensions/common/aws/v3/credential_provider.proto +shake256:b507b895388f9b46bd947d35a58112996e4d468a2002e06ab5511ebe3f03db0f6e5015ecdd0d04b06a65cde949cf2a5165ee7131fbf6dc2e3263970374d9c72c envoy/extensions/common/dynamic_forward_proxy/v3/dns_cache.proto +shake256:dee56c7243546db3dcb520fc8c60eeca88376540e5bdbc2a4002dbcf8c61f2c012b17c1e87fc23cc833906440619398fa8a19cf1b4f5cfee4901ccad6c67c8e7 envoy/extensions/common/matching/v3/extension_matcher.proto +shake256:1c6def9643491a1c8aa4b53cb2d0bb744acce4945d9eb63a3e7733d3f6a568c3a1d90531b42787d751a6ce3bbc861db13d1ac2a031892895ee3a2b66c70877db envoy/extensions/common/ratelimit/v3/ratelimit.proto +shake256:d0460fa03ea121f02b6240c234f86f50569c78e1e1b0751d21bdcd3f07e90a1f551cfd6b5b1beb96623f89ca1dd5fa409722e112d8fae05afc83611d37add45d envoy/extensions/common/tap/v3/common.proto +shake256:9da9e3129e59f3177a102a530d9c11b974c06bceb112924d1612993e48c266bbdd32f366fb9dd7c86dbb64666edc716ed8266e00f750d8a729b85a0bfb932a97 envoy/extensions/compression/brotli/compressor/v3/brotli.proto +shake256:e75815678d15ffdfee38535448fe91b904f26d1a2d8e25c3a16197c3e9713e94a5c7c9e893cd8eaf3f0d34f00168aaa53f3bc50a03ba3aa12f57ff98e5b9461d envoy/extensions/compression/brotli/decompressor/v3/brotli.proto +shake256:478847c0e8b17d45ba72ce23d3c0e658e8f479ddb8e70217a2b01f95f5005559432f958ffc1f3bbe524ec1afaa9d3c743f3d7e6b23380863847e37c4b309c537 envoy/extensions/compression/gzip/compressor/v3/gzip.proto +shake256:cefe1d4f68cf744c03b12227f097ed1cb32af4d23fbc72ba227c012da5d06ea82cb1e7cdba3558cca9d942bcb976ef9b71fe65bc80379a9942de1937604aece1 envoy/extensions/compression/gzip/decompressor/v3/gzip.proto +shake256:6970164ab52037dc7cb57972e4949deecda9f9a807cfa875f98cf96392ef3f88c12791bdf03f207885940fb888fc4df0e1f3350c8a86fb6ee0e1492da0d2fea5 envoy/extensions/compression/zstd/compressor/v3/zstd.proto +shake256:e63326da75acfa8ec8373a4f5552d89e171ddea73f8e081375a125a1a0d66f6ec85ade9b0a05fad190f4f5295a7f856fec6c6748e3faaaf356d4b5bab27e6954 envoy/extensions/compression/zstd/decompressor/v3/zstd.proto +shake256:3d8958129036bc56f9b6546fdc0d75d0b3bebbdcbb26b6f267c96f83031abd01bac80e946942cff60f46b3df0586a2f50539074ec4d93f20ea99505e9afbcd7b envoy/extensions/config/validators/minimum_clusters/v3/minimum_clusters.proto +shake256:a65ed4a946414668a5de2b91a263b8a814456dd6eaf385b16d3e50e0058102ccdab4d67b86fd9fcd6b5ec1ec41ebe61e0242e50a5b7b6ba10b98322678b0365c envoy/extensions/dynamic_modules/v3/dynamic_modules.proto +shake256:10d9f4d444b46337f205d8690ab38b50a4b8464aefafc1de2f0871f2b5000782bc237fa6f1934543bf87e9cff15a83145f31f972409ec7c2868c00eca946e322 envoy/extensions/early_data/v3/default_early_data_policy.proto +shake256:214ce39eefd934f17dd4a3f5912580313c1c548eace2cda4674c72916827fb79c3752ae8bd95c8e0c50fda9a8dca3eacfca5e155e145786690b05f30d1e44654 envoy/extensions/filters/common/dependency/v3/dependency.proto +shake256:1dc0cd631dc4ab17eb4b5eb919f7daf9b45d61d88a72bdd0888c853b33563966a7c89948948d6454c70c3662282a98d33121d71482babd07ddb13d66cf24e641 envoy/extensions/filters/common/fault/v3/fault.proto +shake256:df574600c0b95f0d3a67e84873051d67fb2204bd1416334e9a6604b12f69c1702988042636741c3979d120a525a098b12c1d976abd0381d4efc97eda88754fcc envoy/extensions/filters/common/matcher/action/v3/skip_action.proto +shake256:7b605d9bfd56c9e08a6f3318733547f870b050a8afa366b551ca8450a668920c817138cbab70909de8abda9149ce897f05069b79c89273520ad27848472d146a envoy/extensions/filters/common/set_filter_state/v3/value.proto +shake256:e6df3bb2bfd67f962c667bf9357058f6525731e037937de2db16a88222ed331f2ae53bfc0878a878ad30517f3e80381bed41198d30ac3963f243dae9672a72c3 envoy/extensions/filters/http/adaptive_concurrency/v3/adaptive_concurrency.proto +shake256:3b505ee35fb0516a12fb2b6a8719392717d0d8edb3b5ca0bc76bff8d7d7f415f52fd1bf7a646aabb476606dae85971fa1e273dae165c400b662d7d3f06e80f9e envoy/extensions/filters/http/admission_control/v3/admission_control.proto +shake256:a78504454f77d6b293890693de4d63ec9ccbb54b5bfd88421221c2ab8cd55ccbf343d8de99591eb5e912cf3dc0cf9193b6b065d4056c32cb2e48c46f983560aa envoy/extensions/filters/http/alternate_protocols_cache/v3/alternate_protocols_cache.proto +shake256:5a0cd327b6fa81883930058fdf67a8544df52a5fab5b2d5846561275ab474f0b7a17f1830065f9edc84c841343becb39986ff68f497d1d6b49a62edc73375b71 envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto +shake256:85ba38d715bdda34415e69f23c54e5e5fa02b5d913d26ac086a69433a16101d445cf369e48ccba09f6ccb7b0c1f783ca3fa41f759810e4dcd85dfc5cb89835ac envoy/extensions/filters/http/aws_lambda/v3/aws_lambda.proto +shake256:2b2a3165fd143ed1d1b64b32b702b5f2c11178c6d30a2bf1548b70308eb7db7af801d5e20bebadf06892bcc65c9a4a38a09580ddea6f451e297d708e84e5e679 envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto +shake256:a012539b93b3211ab8eaa539d7e5792c404eabbcadc186a517229c24f109368600dc9fa7101a18216b333310c6c214f0daf76a1d65aa824c7aae8a6c56834550 envoy/extensions/filters/http/bandwidth_limit/v3/bandwidth_limit.proto +shake256:0658d9ac6676216ef3c6a8d93e91d5ed61e9ebff0c4be5bfd1d7cdafdb3e4179a796bb5128b97da5497fe76f13f8b4c9b3c1d567257200326ad0f33275314592 envoy/extensions/filters/http/basic_auth/v3/basic_auth.proto +shake256:206a2c768f2b92f64a57eccf17009e8a6dc212dc7093b5fea083be08cae2f3df5ca3757aa37ee3e5bd4f5c7feaff43cae53e6cfe028ea1c3f3f18859321d0e26 envoy/extensions/filters/http/buffer/v3/buffer.proto +shake256:092c99ed8673f473541343b33d81bc4d0e0e5d5cc1d480ca1a2a99e502a72f91444c69ddec54957a7acf7f69e9a163f99d211a50fcad50d1941a2afea84726cd envoy/extensions/filters/http/cache/v3/cache.proto +shake256:32ec3f8854e5a6ceed6ac53d62142d707ea1c335da41359d8d57cfd3cff4edd5afbe1fd1d7a40057a17ae0f20c106756d7d29480007969dcd4b1845fb2e3ad6b envoy/extensions/filters/http/cache_v2/v3/cache.proto +shake256:44aee45498a29aab141211300debf8d21ca32b91974b941358765eddaff8edf6a44b4f1f201b9156b78ecaf90fde2e204bbdc4ace89bef75fa30afdd2d300658 envoy/extensions/filters/http/cdn_loop/v3/cdn_loop.proto +shake256:42f2592de4fbebcf7e63d68365509a95284fcc01f0ac09b9ad467d6e2d43aec209478d614cec99be11a5f33fa9033e1d0ac86a91504b123fb272df9bac55d74d envoy/extensions/filters/http/composite/v3/composite.proto +shake256:81791ad5ea2a3098874b479dccc17f83f0c81af3589b0c1edc99b99fef85ff69ee544e25b234ba6a3dc717e49df5a45f0adba27df13f5d1d56a6c8a4c7e6246f envoy/extensions/filters/http/compressor/v3/compressor.proto +shake256:f76396fc10338f03835c8015117c14c6345e9544bff3300eda5aca31281d342902fdbfc69924318db6c8b22beba6e26b63e04b2de12248f98eeb6dface9a89df envoy/extensions/filters/http/connect_grpc_bridge/v3/config.proto +shake256:677757e90aaa84b929d892f82079e879572b926402a7024684ff19fd7d1cefcd874d472427d46492fb412c44339653394979691d2be35700d4e0354302c636cc envoy/extensions/filters/http/cors/v3/cors.proto +shake256:24767a84ee65b6e9e6428051c9743be3072eea6c2a53fcf956ec59b47f2427aceb4dbf795b9ea6f87bd5bd15493338f74bcb878e2417543c78db9611eaaadbce envoy/extensions/filters/http/credential_injector/v3/credential_injector.proto +shake256:86d3b5213890d1c4282fe4b466d3cbc3ab2a8afe6e91c6449b5ed1dde08ce5d7e48fe921551639033d0a744d6f08cc56865386fad1ad61d75e27fac18b550a93 envoy/extensions/filters/http/csrf/v3/csrf.proto +shake256:82ffd0cbfca838b0c290aa200fab3203a91825fb676853feb477c97c3cfd0b92f209e5af6daab0257bde72d859764e46cd4f986aca0227e98bd77023fc4b0765 envoy/extensions/filters/http/custom_response/v3/custom_response.proto +shake256:b6ad74944a6e9d41423c56167880b837e29398140519214771a4620522f8eaf703d17ace4ced56f00b4cdbd0858652c73e6da54bf45c283b4e3335e7bd9729fd envoy/extensions/filters/http/decompressor/v3/decompressor.proto +shake256:e17e1ccadd977742a7884357a8920b35a26bcfa9bb6a50caf00bc88b151ca809c5e651f2f04aba6135aa0c969a47a6f2be403d8a7af923ee6e69b25999d93e17 envoy/extensions/filters/http/dynamic_forward_proxy/v3/dynamic_forward_proxy.proto +shake256:8fb944b54d8d218ce03755d1846a59dfafc5969a1895651ddb83ae80ed0e8ea08d80d06f55e7c7127cfc90da531d1aef6d6a4c3a17e6d5efcf2e63882c36bcbe envoy/extensions/filters/http/dynamic_modules/v3/dynamic_modules.proto +shake256:37b7ca8ce578dd30f08da36eb7137ff90f977f058a71a2fc4b2fb1e1304d4fbf09fd02ed26d0041d8f5812d75b358ea17b60c1016953cf328da053ec30ba8f27 envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto +shake256:8a596f09ecb0f753602be53fa65fd5f2ed09ec10e1e420f9d13439170a94a16c005769fb5784a80d12f834bdd8bc22043f448c8872b1df65fefa22bde57f8cb9 envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto +shake256:288e891984b853d364c541615d3cd487a5f48e82d756c8f75b949f954ce000669155b5603fd34e19a29c176d19829cfb1f796be1dbc7480917733bdd43844aa3 envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto +shake256:943b936172d2c0860b92a0afa56913a1be1352d1271f46602903adbce38a51c7f651d973e5005f2e7baadee6391622726288c0f4b9481db3c1d6d01a6771b30a envoy/extensions/filters/http/fault/v3/fault.proto +shake256:17a99bcf1de1e3157f141247a5c03ee70c9b537ed3b45e255a01952a6492201b82e077f9d30d88266019b2abb34c4f2576aa1fb97f305e2f744297b8573533ce envoy/extensions/filters/http/file_system_buffer/v3/file_system_buffer.proto +shake256:32c11e93a8a0fd4d7d72d3676d66c1a0f14764d7a7df9ab8ac35a6fe8384b1a8a5cdd3bd7662994a51ed5833840855a9495f2baddadd8a29bd06f0fba39a1ce3 envoy/extensions/filters/http/gcp_authn/v3/gcp_authn.proto +shake256:519184af6a7faed6e85ff545e070353cf589a48ebfd3cf90ba20938916178f73a8d38a6173514c36ef54eebf07a89b2699d4a918cbb243480f411c629b5ff96e envoy/extensions/filters/http/geoip/v3/geoip.proto +shake256:47e47d602ed52567c8ea6649f1dadf18ed958b2ddff78b2376dfc19922a4f01817bae6250660ccf2b85c8fa98ef6db326105d33905c600727e4e7e9084855dda envoy/extensions/filters/http/grpc_field_extraction/v3/config.proto +shake256:54ccc9976e5be2c8496523ee57a6de9c6b9237930e904c43a6531d6d6ff5c88cec12037998ad3a90beffcde8d9ada39d0c09c0b17fadd461dec04f94d8d3f6c4 envoy/extensions/filters/http/grpc_http1_bridge/v3/config.proto +shake256:35678736fadaab25fc9272b2cb7eeef51ad4b9918db5397823fc8acef4a53b16257eca5c8b321a8c76ad75b92179ed78391978d522366baa2d2276d960a3b883 envoy/extensions/filters/http/grpc_http1_reverse_bridge/v3/config.proto +shake256:9785b66a76a0a40de3ba46c4ea9f51964da7959430d165835edba22073a17f7333fc102e3245606aba6b419c0da0053692c07c8ca83ed4925ea172aa9181bbbd envoy/extensions/filters/http/grpc_json_reverse_transcoder/v3/transcoder.proto +shake256:294f73c06abd0145671ef0990937f3db59ec9853b2acf381016e62b43d622340285febb07118c3b5a7b677d996d9bd2ac9d1c83a50782e660e31a26f3c658faa envoy/extensions/filters/http/grpc_json_transcoder/v3/transcoder.proto +shake256:d9a4d41a9792b6012069dca15e2c976f6ddd652efea683a3a55220b846b4bcff6035c1d6e15d87de5c4b86805d37bd289e305047e4577f500cd5a8d944c1ef4b envoy/extensions/filters/http/grpc_stats/v3/config.proto +shake256:3a59bc4b6b35fdc24ec0d2b13aad7e9d87fcc0f2d6bac1173870a993cd643defab7ee86ea754985ef2ec40af21385d002f3ce4a042a8d1cd86fab9348eff427f envoy/extensions/filters/http/grpc_web/v3/grpc_web.proto +shake256:b8efb51f7b329e3d2e96c2aae437cf032560c7fe34fbfaf77a0365d6a5d328a52b69a740867a3ef2ada2181764cf30d101901d7002b95f61550066299ac98924 envoy/extensions/filters/http/gzip/v3/gzip.proto +shake256:bc32e26f241c733ed2ad7058be7245b29174a9b3a5e7e2fbaeea928da4ce0739672bb423ea15485dd903bb5f14fd126edac775dafd9a5d279b78a4c9756a1344 envoy/extensions/filters/http/header_mutation/v3/header_mutation.proto +shake256:47a85b1ba384f1512d854424c1f56d8b385ea6444b86df61c1c4710c3e1ad7f3a33fa02802e7c75a49654da1427a0efba7764bc5916bf6de58428cd63693ded1 envoy/extensions/filters/http/header_to_metadata/v3/header_to_metadata.proto +shake256:f865f9d2e827432ef4c8c9e0ac8e846235caca27c3660f45be67ac76263d744ed14229a30cf92c60def1be82776df857bf578d08ffb9cece051b72bd8241e24e envoy/extensions/filters/http/health_check/v3/health_check.proto +shake256:e21dabe4f701068b930a6c2586ed13869ab20e7756b0ab88bf4730ac17d0eca7b68083f2fb86a8a15acf96150b78411dd840a35bb2865cceeb2c2840913e3f59 envoy/extensions/filters/http/ip_tagging/v3/ip_tagging.proto +shake256:45c4c0ac25f4b6ca432de42473f54e11620bf8b355c27c242ab40a0d1a215e889c98a4a36c61680b8f3873a9f886317cc905d715dbceb3cf12da2c5a9c8be57f envoy/extensions/filters/http/json_to_metadata/v3/json_to_metadata.proto +shake256:e92dd8ae24881b69e86460c842566105f3289bb648877fbbe1b7a656a23eb496d6378f197ea5ddd3939dd88d9bcd4ec1b057e81fef31dfdabb12086555ca349e envoy/extensions/filters/http/jwt_authn/v3/config.proto +shake256:49399294c8f69e4092b27abaf692a23c812c3f687661268a7fdef357633f6092e9b7949537e203c81ddbe3f2d649636fc5baf98a298a4e47f654b8b5e473902f envoy/extensions/filters/http/kill_request/v3/kill_request.proto +shake256:19ec3cf38907ae52aaec3e7ca8b03c11606425d9da90edc01a6922decf1e8c7962fa4b68dd625d9002863d5465c09eae29b724c4a4bffb7f3a718c936cc59614 envoy/extensions/filters/http/local_ratelimit/v3/local_rate_limit.proto +shake256:9a844d826893023debba55942b249a822aa24d24efc5df4df8fe21a2efb31a0ac07acb1ada1247ff21c8b1c8a7f508f25f01eff03b7f48c9417bb2ef412e5fb9 envoy/extensions/filters/http/lua/v3/lua.proto +shake256:2974d42d6aca9cc1d92da59d423f3a9a7e490c887716b5b3a018962cc0390463580cc5dd7cf1634fda75a07894ef32650dd7bd24c68a39f5e322193f7437621b envoy/extensions/filters/http/mcp/v3/mcp.proto +shake256:128aa5a627b73673aa916bb0212ebc79da8333a669146775901af0ac3b97a60267968c918eede06673d64852613fd9f0af7a0b7f3ea0be3e6c6646d928d5dd09 envoy/extensions/filters/http/oauth2/v3/oauth.proto +shake256:fd2c273b62f3393a47ba7268781f55343d960d6d73d11f37fadb455f1dd4c1d4180fa119a5599ba3434e1032314cc1bf08482ade1ec956fdde963c996aacdb10 envoy/extensions/filters/http/on_demand/v3/on_demand.proto +shake256:1d3227dce10e77b73f813d975d24dafd38c5d3ab6a2491a45f3b56a4e8d6412a9b7d687db0e83e300672d7e1bad9998066dbeac43580d6027713e2793cd44e30 envoy/extensions/filters/http/original_src/v3/original_src.proto +shake256:defc254ec21e468106588b7104cb19d5b6ed45c78b15ddc8f4a93205687d7425d9b010f53ad266b4cb0ad3804fe8bd5e82947cc1418d54457c69250381cc4116 envoy/extensions/filters/http/proto_api_scrubber/v3/config.proto +shake256:f4611c0bcea1cf38675648d0de86ad6050e17c230fc53902b68a6c9aac7f07101b9cf604215e1ca671ec1ba0165893f84e1bde0a49ec121352a04d51b734e209 envoy/extensions/filters/http/proto_api_scrubber/v3/matcher_actions.proto +shake256:71ee8e2035201dc6dd62cd966006e6135e557dce100b299314117875937adef13ac049d0a2ee07cb29251fcfd79640aadcd709f44f24c7650b4512e0d93174c1 envoy/extensions/filters/http/proto_message_extraction/v3/config.proto +shake256:28bd12f97bccae3aa606022c3f09d1d4acade512e586542287c6e6af79242d005caaa91ff24ae517a498d38a63e34906ac899f286461d4701c824be602b0a24b envoy/extensions/filters/http/rate_limit_quota/v3/rate_limit_quota.proto +shake256:f6b9dcc9dfb1e6fbaa6b7a84c89c621eb79ec5c7341c179bbe08c3382de9aa3ed34fb549aa090e2c770693b966b3ca9851caf6746064d71c82909c549b2961d7 envoy/extensions/filters/http/ratelimit/v3/rate_limit.proto +shake256:d561ae7060e246cf1747f84ad61db452f40fd609c8d8fa2ae195758da7d3c16efa07367e2c16c6df86f36f2313bca896c9b5321612e9e1937f2f56caa6ec47a8 envoy/extensions/filters/http/rbac/v3/rbac.proto +shake256:abae59c3409bf09c5501f64a2795677d2fe8cda98dc194f4657740c272c6626551708c2a9f3ae304f40ac78081ab4b79ee0d6c8fc630ba0f1c5889fbc3bbf5f7 envoy/extensions/filters/http/router/v3/router.proto +shake256:d38cb8d1499d4aca120889be75342aa6a764b98840210510553bba03db976148eb33f935fa8d18fdbb6a306bb5fcf39bf01cd143b51a7308566638858ba2c8e3 envoy/extensions/filters/http/set_filter_state/v3/set_filter_state.proto +shake256:2d8d34eb836ad52142372664bc0d5e2c0a3432beb2ac2baf5e5190bedd33b625ec3a4c646d45bcf3612ee34b4d27bd598ccb957701ace8adc2d69002d03e1a8d envoy/extensions/filters/http/set_metadata/v3/set_metadata.proto +shake256:da97c315f9061cb3ed2e89bd696f2f6adc39416b878ae97e5727af3f7b85523eb976d0ff80b28d93cd51923fb49113b14fd54ea90861caed40e570ae541899da envoy/extensions/filters/http/stateful_session/v3/stateful_session.proto +shake256:7cf78e9c1627775630db0c853ca3602c21b43a5d2abae605e1e15ae338498104787d3a8ccebeb93e93ed60f546c1ba3734c4201e9093e245b02b6fb65e6efe86 envoy/extensions/filters/http/tap/v3/tap.proto +shake256:43e45fb3e4a545ad85e52c78ab7a51420e9394fd1f861c4dabd90a19c084721263ae2e4aba91ea48fb9d1f0c1a8ba626850d45cfbcac18042ef50581fafaae9a envoy/extensions/filters/http/thrift_to_metadata/v3/thrift_to_metadata.proto +shake256:62ca580d449d9bfbc44a50576ce74ae2449838aa77333ce29b32dc1157ce4f5ff9bbc5f55e8aa47bee9c0a81bb311656458254570cfac7c5755baf1a54d1199e envoy/extensions/filters/http/upstream_codec/v3/upstream_codec.proto +shake256:7be62eac9f7e39c3ffa0070ae67183e9f795a6da804cfb80fa698e74236fa7f2ecca7eb7643750881ed954e23e47121b4340fa8b834924fe235b3f22001af52e envoy/extensions/filters/http/wasm/v3/wasm.proto +shake256:42754ad153b616a11218efdf3758ef197b6fa86a79b7eb54c2a69dc7a8a7516f277f13d417a2edc1da4335c1bc7ee788ba3d004d94db1ec2fd65d45033a95d8a envoy/extensions/filters/listener/http_inspector/v3/http_inspector.proto +shake256:ff875be86e430acc9cf5417559b1dcbe9908d93fe650a8c2bb8efa1477380310cb4b28e2b99f0123f63ed403e02b86e7d4b54bc6ac4321c1c39d4bb49724c320 envoy/extensions/filters/listener/local_ratelimit/v3/local_ratelimit.proto +shake256:4a6222cdacd18827561373bb4b265bfd8fce19d1d0ba98f8684d4ab00c25df3e828b5ed1b2cbd5613098947f3fe6a6cb4f98a4328a087affc3e5500cae2a8152 envoy/extensions/filters/listener/original_dst/v3/original_dst.proto +shake256:66ba94f4db7b435bf3334fd6f1e9cff5cc57a16f1482473043266888af1de5c3b367cd3597eeeb2f651479fea2131f6dec7bc2060e1a2b2137ac07d5886af19f envoy/extensions/filters/listener/original_src/v3/original_src.proto +shake256:5165f6af65f72345ff5d45ca98162cfaabc6f61bae81b2330182a92b81bb8eb23df7a63af83c211d122801cbbb55aba8d9f3911f29c0e9e1a2ca90091be37d6d envoy/extensions/filters/listener/proxy_protocol/v3/proxy_protocol.proto +shake256:99340ca1d2b3bf1eecd55bc3e8512fcf36122a457d52627fac20b274a804c12a75057f95d1f06098fe53e1020007197bc09309bf6c8222a9906662b76bcd024e envoy/extensions/filters/listener/tls_inspector/v3/tls_inspector.proto +shake256:7fb4a9e553e835261f8b5ceadaab651f2c62e087b21ea911fa73f93a7a225280400dae1ed41dc8c12e6e48ae03140ffa5b42703fc4108bb4e8d3c1d46b1c01e9 envoy/extensions/filters/network/connection_limit/v3/connection_limit.proto +shake256:e25fa5bec0ccbb67c93a7490ef54159ef21897f7152d693133098346224b8b3fe3f7384397d2f8fb9c1bbc019ff7af93e107fd157194eae16066f7cee812dcda envoy/extensions/filters/network/direct_response/v3/config.proto +shake256:cc08f1da65cfd2a369dd00ebdcbeaec212436b7447914ea40ae9663db6b0c8d6383a20833d8b1f7c162fa0ef55cb159f578c1d596f51f7da021643628051810a envoy/extensions/filters/network/dubbo_proxy/router/v3/router.proto +shake256:4aa8fbb891c4f33443faab88bfcc469e6c43febd790ae7a42b2344f15da519a254362c1033ad0eaff1fdaf2d2dd23d6ae8ea6e1eb4fd2222b512f248b857be7a envoy/extensions/filters/network/dubbo_proxy/v3/dubbo_proxy.proto +shake256:b5aa593876329390075e36b05896ba1a53f7a6cec718f0dc36fb4d0fbd23426803ed3a035b00082a296e5e0bd54d3b8e321407bf87c2342b48c3941255a942a9 envoy/extensions/filters/network/dubbo_proxy/v3/route.proto +shake256:6bbcfb264094ea05e42dde37d991b735d59286c5aebcf78d1b263379541f1fe2119ea72580aecb53edff47bddaba873e1badc96d73956ae64923e472ffb537c2 envoy/extensions/filters/network/echo/v3/echo.proto +shake256:8ec4fe05b983a78569c3685a50e6b3b64124c431c608c880a3b3af5b0a8b568f131ae9e4edddfc7eaa84ec91097f43aa07587560f2f574bca7a35609a4214a06 envoy/extensions/filters/network/ext_authz/v3/ext_authz.proto +shake256:8118f88a7d299a9b7a57a7a94aa210aca62d813d5e4d64cca7c913cbe8334daa5bf391ae923972f6abbbee1e223d62dcb39d823d26c5a1d487d1730c552bc10c envoy/extensions/filters/network/ext_proc/v3/ext_proc.proto +shake256:e457b38d22593438c13d6c7c1e8034c1f26880994e3a0b1f0bbfa70fb8fee2af67095abbeb8d9a2a7a51f6d1b43d4c466f63f22f3ebd1e9b4fca5e403f58637a envoy/extensions/filters/network/generic_proxy/action/v3/action.proto +shake256:5d42e421358f8b855a150c085d481c86fc97d63467e349a09ee370b9ece4ca9f324c1ad82216d347ee09dc21ae461e74af87900df20f5ec7bdc4416179cd62b8 envoy/extensions/filters/network/generic_proxy/codecs/dubbo/v3/dubbo.proto +shake256:a2f773aa218c0be748f502dc38227451ffd316db83b6dc4c25c1c38a880505f1fb54fa880e5185e6cb5df419182d76c9142550145a808a8377e9beced176053b envoy/extensions/filters/network/generic_proxy/codecs/http1/v3/http1.proto +shake256:38c38372911fc508b09d7643f104662c8b756deb2f4074cc7786ac71cbe25afb95040b0f1c5fe0ca0fb3e3c048fc13fd47722a73037d99edb18ed24d7171529b envoy/extensions/filters/network/generic_proxy/matcher/v3/matcher.proto +shake256:990910042d14b791cfc23677df7592313d816696cb7c4c9f5d352286a5882ddfd0be3e93e0226daa3d1473f2863ed503b4e076228b93c31a85c56a0ba98a683c envoy/extensions/filters/network/generic_proxy/router/v3/router.proto +shake256:f28e303b2c8ebf38f22f3248e6e949bbd1eb6d08e6700cbc810d283553a27dbe0b04a8c172554efeb4cfe430fe57c0650337be449f6670e8208aecd407cac5b1 envoy/extensions/filters/network/generic_proxy/v3/generic_proxy.proto +shake256:7084f88ef89e808dff1f0246917ce721896f8467b69e801a0e0b4148fa3f71abc7205b0f9e098dc07dfa635cdbf4b514ab410856d3342febf0e308e979bebbb0 envoy/extensions/filters/network/generic_proxy/v3/route.proto +shake256:75c59a779d426c636bff95bfe400b99da0138fc3e3949fd2d06425cdb77fb732a1d3454a48661100941d1895d79d17e38f335418d04cf9bd85f511219d196974 envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto +shake256:668f665598f56fc23cf72fb07af2ea9bd19f1f0f4559d83f664cdbc865d066a9f2414579ce72207fc2efe04ab1cd1175d449f6f572f021cd9c60e467b1b7bbda envoy/extensions/filters/network/local_ratelimit/v3/local_rate_limit.proto +shake256:ed382c5021bdd2dcdead147278a9b343cd78fa4e1e6142a09f0479375edf664c6d40fe69b7bcdcaf4a6ac500e5be27bfb824c402d6934695e605b5540ce6f17a envoy/extensions/filters/network/mongo_proxy/v3/mongo_proxy.proto +shake256:4275b6a6cf29c0bea83f4af29f74d74061d8138bd5dd3fced6b848dd6925e75123ff26b5caec6a391703a0f72e1688eaae92a48fbab238d78669db1b114b4664 envoy/extensions/filters/network/ratelimit/v3/rate_limit.proto +shake256:aa88a5a272e85552ea9c02d9411ff0a545d9c0a4a0345db2c7c9ffa173ccb554d5c904b8fb177c2fd608c47feebe16457071b0eb1bfa401314d07008da49478e envoy/extensions/filters/network/rbac/v3/rbac.proto +shake256:fded602942862aa5a62e2a91e78ef0d44fe47f5a8a9b05616f2bdfedc54e69a1e1fc886e107003f7228830041d6a91b2b16ab59da3f88f03c771872d4218bf2b envoy/extensions/filters/network/redis_proxy/v3/redis_proxy.proto +shake256:3e60681753f480f9fc7da5503210259f2d9043fe030621bf444b81df7bd222fd56927f3e1a307b5a237e8272405afa8919779b67b8632c6bc77479c483e8272d envoy/extensions/filters/network/reverse_tunnel/v3/reverse_tunnel.proto +shake256:619c70284bae19989a4742feb2c895d0f0e222b9a930ae8742a42420ce6ec0265a3e86213fce4b1b7f5aff76f07623e291eb3d0ac6adc2d3fc68a57ffc8fcab7 envoy/extensions/filters/network/set_filter_state/v3/set_filter_state.proto +shake256:25bd66409ff35d0586bc0044e66f1e1dce1d0468827a918b24e47e7d462eed3111f16422598a7178fad89ce05dcf2d2b6a153c88e56993d3448429e83ecd7070 envoy/extensions/filters/network/sni_cluster/v3/sni_cluster.proto +shake256:e3ea7ba1c2fcc332e031713bde4b92e894ad6d650df9355b1d6cfd29439fe33578be62cba39f88f3c8a8845edeb0fae6a15a7874043b40b4f45e566c639bb19b envoy/extensions/filters/network/sni_dynamic_forward_proxy/v3/sni_dynamic_forward_proxy.proto +shake256:3a48c8154c692475e6a12b5e8766e4e07895405dc852686b736ecef833b1131261e0feee837354e2f395557d8607802386168ada138656c8099f95cb23ab42d3 envoy/extensions/filters/network/tcp_proxy/v3/tcp_proxy.proto +shake256:053b0baab6180520c5c2286be33254d0b50ec7c9cc4be9da19f61d59b21025de7de78dad34af65fba8396fcbf45ef35a1db9b7bbc0da489cc723c43b848a9f40 envoy/extensions/filters/network/thrift_proxy/filters/header_to_metadata/v3/header_to_metadata.proto +shake256:e0fbef37510c2cb48041d269bdbf648a265a2ab859daac9c0d7c16c9ada91d4f4d07854e9d3af7f3f4ce92f7838625e603afbb92ad7404f98def19eead357875 envoy/extensions/filters/network/thrift_proxy/filters/payload_to_metadata/v3/payload_to_metadata.proto +shake256:c2810280f8595c193b5c9cef0cf1b664046fd568e240e3169f6c5f9d98b223c83e2e7850b7b4ebdb99fe36e7e493bb9d9c500303465f9295e32559175c943d7d envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v3/rate_limit.proto +shake256:0c8fceafc6119af0fcea55ccbcd514a77a471f822e4f8cf8ba899eca1392e326aef811bcd03b5989e4cf3832aa0a6ef0928ccda72f5f0becb9308c2b37401d64 envoy/extensions/filters/network/thrift_proxy/router/v3/router.proto +shake256:dd60313c8303ec66220535b1f1089c4c3670f261b5ca1c85eadc9ad1686f7f16e41683ef86c6e1c9d6e33a8b1ef892a03b5652b8ae9ed9631c6e6ff35cdfd211 envoy/extensions/filters/network/thrift_proxy/v3/route.proto +shake256:7ed9f82e986f8b4536bbc8343b7f6a20bb3b1c5f53e55266d00792f55d7a2e08ee9400d9feec448c38ac7abd5a6c4dc80ed20a7f43fa8b242ba6bd1945b56183 envoy/extensions/filters/network/thrift_proxy/v3/thrift_proxy.proto +shake256:1d16001d635cd983fdd0021dbfdb73f87efb41508b6cb5e637ab343f20f9bac8e0419ab3be7a5865c908c4e8d1317f29fcb6682991a2c76cd523091e875d6f66 envoy/extensions/filters/network/wasm/v3/wasm.proto +shake256:9ba04c15ed1a83409dd6102333eca6f31995c479bce9d0af3584d600599a877e31e6b4aa76ac8b0767384128dcefe302ea6f0836a74dd648ef86b6150d00ffbb envoy/extensions/filters/network/zookeeper_proxy/v3/zookeeper_proxy.proto +shake256:636af6b3bc6d3dc404d5e6e812088126624b82cfcd0c5bb5922e242e7a5f6e449ca990dbab2614e0130d88377efdce6d075bd1911731fca11e14eaf7b945150e envoy/extensions/filters/udp/dns_filter/v3/dns_filter.proto +shake256:ce2cc8854cf066d5af22d29382cf8c48fec21386ea035ef7a6e7b6acecfe9e2e32575c577e2e3905de816cee3e02f9d2baa653e15a4283c9e1783aaaa269ce08 envoy/extensions/filters/udp/udp_proxy/session/dynamic_forward_proxy/v3/dynamic_forward_proxy.proto +shake256:12840ff55337412639f5723ad910c1a12a665f9d1a2b949de3df273d49b3998b79d093fa550d75b87d300b7ec948ace5d9f1dd15fc4f086ab987dd5382ad3602 envoy/extensions/filters/udp/udp_proxy/session/http_capsule/v3/http_capsule.proto +shake256:e5efd7c39a13bd85f51e45e06146e65abbde3d1755fa33b1f04cff6201ececb28c9d18cc9a216db49facda118f4a2a777415e418688c98cdd0d9eae78dfd069a envoy/extensions/filters/udp/udp_proxy/v3/route.proto +shake256:90c9a5e1b2bfe3cf7dccc8cb444c46a99c9214ab0a7b0c78c19f9f9cdb9787c35a1a85547849ae858e97f440352069bbabe91c5efeb9d8643c457a64737ac00c envoy/extensions/filters/udp/udp_proxy/v3/udp_proxy.proto +shake256:98b4491dad61ce1a62c98a1e229268e712489637a1dbc034c37dc031d42039921071f4396bf583fdebbc731db21196e192bd4c90f847caf51a90c8c54b84775a envoy/extensions/formatter/cel/v3/cel.proto +shake256:09e58246327361ee807122f7f6a9c4196e3d2fc24ef3d7b33caf3d43ee69b2e4d2afbf8761fefdff9fc25e2d6287c6c8ce63de6fdd916fd482d16cbc1b64aaa4 envoy/extensions/formatter/metadata/v3/metadata.proto +shake256:fea0013ee58d5bab8985c8ccc364e378f131377f0f7caf0f94c06e4222a973dcef18c139eeba10ce16454423547376d1f32850321f8721621344f2470a29d4e6 envoy/extensions/formatter/req_without_query/v3/req_without_query.proto +shake256:4b3dff76008b54711f1fb62db1ef09f079ed3da6d6ec89f546594bd1ea01b638ba3b6bec705e16639a755b19007d2377010c7e7d006579e3d1395aee983756cc envoy/extensions/geoip_providers/common/v3/common.proto +shake256:022c490b3a9aecb67218c125d84b38611bb0a95736ca7ee0bd1fd59b14f9b28da3391b06a0e790a495a559c209b680a2869bc5cd042fa9c4de9afc26385b7bd8 envoy/extensions/geoip_providers/maxmind/v3/maxmind.proto +shake256:7f89d816c9b3dd99415e179c26bc1a20c9404b6bfeee89f0e0f6449ecfe84964676d13b594b72f0ae8a8506128500e1e16f933ce8df9d394d1c0c4b45813aa17 envoy/extensions/grpc_service/call_credentials/access_token/v3/access_token_credentials.proto +shake256:738f54621e145760f7b19dfd49f2a1b93f3e7e906e90b0d10d8020dfb60671ba007e5a16ad49b43c0f17c26263ad7b75037096c0d099ab9b3766a134b967f4ec envoy/extensions/grpc_service/call_credentials/file_based_metadata/v3/file_based_metadata_credentials.proto +shake256:9b994b424db196e4024393e9773eb91d6c04f40ff51d62ddc3c5be89bf43a44361f944a70c2a1ef8c60e03fd31bf84b4f94a86b60f0ebadc2c8693a8d50bda2b envoy/extensions/grpc_service/call_credentials/google_compute_engine/v3/google_compute_engine_credentials.proto +shake256:3a4bba752e25fbe98c5decf5fb7cef33f26d62cb772a1090a70f52d120f0649f2dd7597c650b360e5b8cb94c73127bc4218ea40d973b391377fe723e65f0297b envoy/extensions/grpc_service/call_credentials/google_iam/v3/google_iam_credentials.proto +shake256:287739521df4ccf47e2466a84022be6911d45006c26e28da2adadf3c8de7173b3d1677c66ca4b77e17a9fb1b672f484df217e1b4611c93488d60245e6e44e1ad envoy/extensions/grpc_service/call_credentials/google_refresh_token/v3/google_refresh_token_credentials.proto +shake256:c4f207e0dd455917f2d2ff262738b2251f0ad9e2089ee7eede8bb1db6616c30ab66a50aefa73b453651d3354aff71bb825481afce3d128202e1e1df32242e949 envoy/extensions/grpc_service/call_credentials/service_account_jwt_access/v3/service_account_jwt_access_credentials.proto +shake256:e15b227bff5203ad4e5f26f97f15b19a8737d04089d7548c23a541220080f846ad5c4417fd874560786f53863bc4c76a04dca54138758749257029360097bac3 envoy/extensions/grpc_service/call_credentials/sts_service/v3/sts_service_credentials.proto +shake256:baaa05a38dbd4935506087fa463cfc3a8835aa79213b713885956c4176beea297948117e5ed8dc6a3d1dbb56730ee3f9af5dd3e452dcbc366fc9ef4bb1387570 envoy/extensions/grpc_service/channel_credentials/google_default/v3/google_default_credentials.proto +shake256:4bcf0fe81cddf339e3add76e432b404823cee937521b87cfa3d3062cccc6737ea842028dab050f99f4aeb2e8950ed82e359707125e6093916f8fdcc6a879f8e5 envoy/extensions/grpc_service/channel_credentials/insecure/v3/insecure_credentials.proto +shake256:bb28c723bc3100a46e0f6df343066f7360925ecf2fc8e6c85b07bf99d452c1777085d39e189ebc8c38142048aa9b0881481de9b10ce0c667c18fc0f12a6dfefc envoy/extensions/grpc_service/channel_credentials/local/v3/local_credentials.proto +shake256:7215f9898193b8af53eb913822e4a62030a22efcd12ab8b10e268e0a04ed5c2c6e5c827f445c7948a594fc9baaeb9dac34dc6cf9bfa1e76d4e1d4273bd9b1b87 envoy/extensions/grpc_service/channel_credentials/tls/v3/tls_credentials.proto +shake256:ac5ba8062d33e4d5aa748d0361c4432c67fc338e29d9e413c1477e57967de535e1f79f135a7ac836cfbc32678b2ee1862b0d14315c6faa0912e542d24be2c20f envoy/extensions/grpc_service/channel_credentials/xds/v3/xds_credentials.proto +shake256:4a151f7408451fe2eae927cdc8ec73a2fda8de863151640fed965d0b7330a60578db177089f2e7811a050de2a800c7b62d15047a55d87420f86bd910ce437587 envoy/extensions/health_check/event_sinks/file/v3/file.proto +shake256:227bef7a6683e83eb2544b81cddf8d085d588b5323cb3a70310c6d43083b1799ed370a67042e8fe15c9a4766b7a0b0735f21a7fdb7b642b3cd528f4c66dca8c5 envoy/extensions/health_checkers/redis/v3/redis.proto +shake256:bc7fad5e1d7ce4fef15a7f97c8d6f3e66f6601c90c4c987ee4b14457e84b0af1bc51015a816b5b0077924c2278a3e55df3b3682ed0e75d6988890b70febc8966 envoy/extensions/health_checkers/thrift/v3/thrift.proto +shake256:ff9835c6f498d4d3c8ff151878270548673fc15db88f48aaed4ae4c8c89baa1080e829fe8276d2b014fd83653fe04c52cdd9b2620fe8c88c456942bf0e96588e envoy/extensions/http/cache/file_system_http_cache/v3/file_system_http_cache.proto +shake256:15c5fe0f88d3faf64dd64ae8c4515a10bd20819565f23b202cfbf8e908cd252bb279458607dc0968e021728e44b716e819d802926956f41e91dd1cdc932e783a envoy/extensions/http/cache/simple_http_cache/v3/config.proto +shake256:df1206e2109fc9b8c5709f4ca2b97bee1b542246208dfade5d301f75f7c2465784191d253bfd96459324e467aed1de28e7af8b1940363ebce406534008fbd60a envoy/extensions/http/cache_v2/file_system_http_cache/v3/file_system_http_cache.proto +shake256:7a766c160b8106c34fe067b54d44f89736dc070bc115d8fe475172b262c98d33b717fe58c1561bfbe44f3fdd5856120c2583c7fc1b38d0099acc3dd6d5ef76c8 envoy/extensions/http/cache_v2/simple_http_cache/v3/config.proto +shake256:6f61959660cff32b12feab412ab5763c2ca598c7af8439e3de8ab409eee02d60f7424ae5368588ef48a6215290183bc718e582c18d46f04b3ce8e65d70dfff21 envoy/extensions/http/custom_response/local_response_policy/v3/local_response_policy.proto +shake256:4950afe9d63476b20e8bf7e1f474bfdf4e9f3dcfdffeb2e51cbdb84314bf18774b60751e5c756922e4356b5a7751b0177d09b344fec53b1183749dc96ff03196 envoy/extensions/http/custom_response/redirect_policy/v3/redirect_policy.proto +shake256:7f0e981a037ddd48e37e73f0f9dbe999ca911b4ae917b5ce06123a733bbc220bd5ef3308a7c3d3ebc64604a83c3349c06e12cabfcd64fd1a08c1260a81d1ad2e envoy/extensions/http/early_header_mutation/header_mutation/v3/header_mutation.proto +shake256:01f1be6da291eaba77746eb09c1837f51354726aa6f0c9aed1fe958b66d8298193826d0f4b33c97054c053f1e7860980f67ea074e897f405bd50d8d79279d8e4 envoy/extensions/http/ext_proc/processing_request_modifiers/mapped_attribute_builder/v3/mapped_attribute_builder.proto +shake256:c851fc9464f1389754d1246830fae57cb7caa2c3ea5904bb69e394a07cb0ce6e9459fa2499fdc619cf0acde50832b8cfe0198e4691a23023e95d12bc7a914269 envoy/extensions/http/ext_proc/response_processors/save_processing_response/v3/save_processing_response.proto +shake256:a181479f6dc29ac082a54cab8fb709f4bca39c35d1be062d830a211f03df0b549a2d18dc7eb2cdd34e6b4a6388959760a63225f012255b6ca285e6b28dfee5dc envoy/extensions/http/header_formatters/preserve_case/v3/preserve_case.proto +shake256:114aef732cbb5085916309eac9a199ad819ae7fd22780c959e71bb2c4fb739bb0dbb7357e884dd2879f6407df6158c298da830f0dfaa8a4cb7ea442fd1206f93 envoy/extensions/http/header_validators/envoy_default/v3/header_validator.proto +shake256:50d845f7bff3775b456175cbc1f1c04381db23bdde5943cb73e8112c67ee6e379107a063ee88493ee9b3f0054a7525a7fe4e5e0b8c85fb2e8bb80e97b0070eb2 envoy/extensions/http/injected_credentials/generic/v3/generic.proto +shake256:fc2bd4a42546e31038e731ff4646a016a5b126733c9e7ec565118b2fc4f4821b51699977e13f7ea80e51dfa2df31d5a5808263a2314393bf664e70aeff8bb6b2 envoy/extensions/http/injected_credentials/oauth2/v3/oauth2.proto +shake256:97a7c1a7dbec726161b4b980259f51744f4839253f20752e51c31213c041d8109c85c29cae138e7d575ddc27f1edda599007802ebeaad57583b5f5c45b93a4ec envoy/extensions/http/original_ip_detection/custom_header/v3/custom_header.proto +shake256:9046d084b19926996f65f6a0a6e5486b87942636c4d6b31d04ef246bbf1227c58fbd1d3cf1a7acd212e1686184a46b9e09caa944296928ec551f3d50d1bdf7ab envoy/extensions/http/original_ip_detection/xff/v3/xff.proto +shake256:dc55ecb0f8715e8a44b37595950f7660c38048cc7f8c1ead8f859889b189c8a27b060357d6ca46069aa73566698d6180126288480df5780e1703a1acd71b67ad envoy/extensions/http/stateful_session/cookie/v3/cookie.proto +shake256:dec5e094a90a34c797d9a57d4ddc8c503bf62dbba0fdb84df509d681501b529932234730ff2083e4892fafdcc61ffb4a5e0b2ac72f91d45e14107c46be9ed9ca envoy/extensions/http/stateful_session/envelope/v3/envelope.proto +shake256:d65ef8c09d91ea81c580be40025e8d47304949e771c7703878c9401eb2890424cf3195259c57e36ccbafc723e4f2453d38b5cff55bca01d885dc9919753d6917 envoy/extensions/http/stateful_session/header/v3/header.proto +shake256:f4f40da154b91c5e812b9052ebb2f40e2a2197abcb0da08c06f80421907fe23fa51d2cdacce3c386013dee3e5012c333486f41c7482cfc8746e196b999762fa5 envoy/extensions/internal_redirect/allow_listed_routes/v3/allow_listed_routes_config.proto +shake256:3a0fe2dda37d6ef760596f9ef1217837d0ca6045f0b4e37c2bf79d3c9d3d2462fea787b78107a364b2d5dc20d05c5487b10b53e8b5bdcb95cf01848a07708ed2 envoy/extensions/internal_redirect/previous_routes/v3/previous_routes_config.proto +shake256:9bf7115b738e507c09777b248ae7fcdcffb7908769d316c479b6cc6a526deb0d599e6b9f9c7f64afb2d6b193f54aa1e7e7a846ffa73294386db4c4bf9adb6f12 envoy/extensions/internal_redirect/safe_cross_scheme/v3/safe_cross_scheme_config.proto +shake256:6a007316c0ee2726a32af18a23e61cdf8b129c7ebb01f3cf1e101b0a18c47e78d5f14c2584c84b23e58f6f52468be3b2c4c175bdc7fc2c53e2668afb8b8c5677 envoy/extensions/key_value/file_based/v3/config.proto +shake256:746fb58032fe1f28ddc17510e1aff7da41b73a76970c9e30dd6efe749ffe94572c8752280fd6fd70bc32623bb6e284ff852c95d8e0beb6706e0512b3252c786b envoy/extensions/load_balancing_policies/client_side_weighted_round_robin/v3/client_side_weighted_round_robin.proto +shake256:0116ad69672ab05cfdf0c0d476e470bb880db0a497883377aaad5d1bc443a590f27681c2abd73df2ca19de21d330a7de69c8be19e15e80fec3f257479a9c4a93 envoy/extensions/load_balancing_policies/cluster_provided/v3/cluster_provided.proto +shake256:87692495bfc4ebe3af7e717827ef318d02ea70d14321bdb6a752efb7b21fb7ea727e7c085cfbac1b698eab1506a9ac73b97ba663a8ddb5d1a24eea0dc07fd5c4 envoy/extensions/load_balancing_policies/common/v3/common.proto +shake256:25c22487c24a950f4300c5082e57ef5e5a965b863668b8f3dc9263a861f9505c8849013aca73a6fda9112fd19c6451400e3d225d620c315d673bfaea1bfaf168 envoy/extensions/load_balancing_policies/least_request/v3/least_request.proto +shake256:82b636496e8c69961fc462d5cd88bbde2493a146bb59458ae0b28842006ffa025388f9f604a014f145c236c938eecebab3ee64a2d77f83c4497e8009c7e955c2 envoy/extensions/load_balancing_policies/maglev/v3/maglev.proto +shake256:07b9ce71f7219bcc1d79957620a25c0896986b305f8139cc9a74d047e56e919af6596351ae2f887cc0f3c6b08802550affdde52eeb717be2c4b7c0f3b7accbba envoy/extensions/load_balancing_policies/override_host/v3/override_host.proto +shake256:d88e3d6952bc9827ef7e92790c4aa7bcddd81486f4a3162afe6c97e0ed3281b85e94cdecf5c4100d9d07a151ec6c0e0088641dcdf09d2e67d425ffb46907bd2a envoy/extensions/load_balancing_policies/pick_first/v3/pick_first.proto +shake256:14035bc49cef4a7e0d25930d409af20d8f74032a102a88953dc77b620205df625bcadfe69ec9881e73481b3b23bfcfbef1b87247460be38e68d749291af318df envoy/extensions/load_balancing_policies/random/v3/random.proto +shake256:6ef8080f4b9cc3d9766a69e26d789b16d149e6f0754b7f211038e2b657afe4560bcfe34fb2f2e025343c7017062a83642e6f3452c74838788c0b09cf25a7f56c envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.proto +shake256:691efa6e69d36bef31bd84c3002119e91a7ca7efaa60569ab0c18f4e78423f887086eb9db941806511d78bf6061c257c99fcb199b060c9beb7f4b1c5666aa8d3 envoy/extensions/load_balancing_policies/round_robin/v3/round_robin.proto +shake256:fa99fb6373f07bb327f4c8c0f0f8ab64c3a839ba4ad393c7fdb8d05056dda912fee08bf412db38d93348d23371fbc45c6f9d02c454563493a811b3979bdcabe5 envoy/extensions/load_balancing_policies/subset/v3/subset.proto +shake256:d673104b092490db0e84941abe555c9870146903924a4d13ce28c7160cba9d7ad5aa573997ff50ae14e59fa45dada45ce76afb8490792be9e614a8445c55f2af envoy/extensions/load_balancing_policies/wrr_locality/v3/wrr_locality.proto +shake256:1e37d347ef665bbf89aa2437a21c2bdeb64e7a303eb2be072a786af97d4ba1d76063f1f2026e2fd2f3c22e542c4b0c8f319a6899108dfa2d959d5a229c73d656 envoy/extensions/matching/common_inputs/environment_variable/v3/input.proto +shake256:b22fb32e8f220cb821a316a53743bd76e1b451f2cd1ee36a8ddb9f3ff52f1f6d3ea9512edd7df45bba24f80b6af8b23de34793e48672ff2d384b675883aa5a7c envoy/extensions/matching/common_inputs/network/v3/network_inputs.proto +shake256:d227dc732d21538dabc1aebbda1423e1e7edcf9fc3815d7161a5f2451956ce6b7f0874150246a1128d8cd031d59f6f237df8d27624d44495eabce26326aa5f43 envoy/extensions/matching/common_inputs/ssl/v3/ssl_inputs.proto +shake256:5be0d34d2448031378eb44f676a6f51827f9d2d2546ab6df3b67c5c3da1011face37d508a8a0b95bdc4cce3abd94ea5f1fa591428646ff478a153466eae1494f envoy/extensions/matching/common_inputs/stats/v3/stats.proto +shake256:c8ad4158166bc5d9552173149b76287d35e0f142457740a971d8d50a1a31ca154c5bac3aa8265d1abdf9cd0223643afa30db998c0e354f26ff66035b0fc617c9 envoy/extensions/matching/input_matchers/consistent_hashing/v3/consistent_hashing.proto +shake256:8f1301b6a4f15025967881d846e1866c0abd637f645202da0137196db618f307bb3be31429d6c841bf642556fbb0a8bf964ed90bb144ef921d062764444677e6 envoy/extensions/matching/input_matchers/ip/v3/ip.proto +shake256:10c52742299d0dc8b6eea424790a9f44c39f28b204d7ad0af6da35fc33d8a3f89154d42d769eb559aa0acc28a9e6fd896d2a6560fd95c91afe234d4e75636915 envoy/extensions/matching/input_matchers/metadata/v3/metadata.proto +shake256:88434c32dad5c61f6898371ff51de383160f36ee292c7b46983de2a4d54a0af20843221b52d8061759fa9b4767a387f4891c3d9aabc1bb4c56faa6d3e7a3345e envoy/extensions/matching/input_matchers/runtime_fraction/v3/runtime_fraction.proto +shake256:84fa5b00e53d153b1958f4cd8ec6ca9702f27208f44b546a259e3935d899d4d7cf80cda04664f71c289b33e3070ff7b37efb5a00170bef7945b3451bffc60330 envoy/extensions/network/dns_resolver/apple/v3/apple_dns_resolver.proto +shake256:6e08a950c353824af726fd5f4162d3b21a2107b2264106a8b10a1b119950a0f27a21ef97ec32bce738db040a25e561dddc70bb569861b67eb2ef434159d44462 envoy/extensions/network/dns_resolver/cares/v3/cares_dns_resolver.proto +shake256:4c84314b7b487a19899212080e03bc56720f7a7bd9d2ea5bb5096b3afffbec2db6459fca8b4b919aa6ed7d5bd57947588cf58d5720d4a3818abf018c3ae42abb envoy/extensions/network/dns_resolver/getaddrinfo/v3/getaddrinfo_dns_resolver.proto +shake256:c4b373033fef9f58de1beaff37f5c835eecbc378b775d04d08147b3cbacbfc6629923f109eb754096604444c7791a43edbe0a15398843c7790a20aac6e82ae1c envoy/extensions/network/socket_interface/v3/default_socket_interface.proto +shake256:feee06cda1e05a53ff064f726ba892b2bdc07c192adcc50052818cb62ba1880cce1a559c352f35dc45eb275e8fd8fdde3602257ce4742d7485de67a77b6485ec envoy/extensions/outlier_detection_monitors/common/v3/error_types.proto +shake256:ef828f1761de1b5bcf19f71e99c4874d4b1e33475fe7ee3aa1c461d202afc3e4ff0ac4e3de52f4ef8c79f700ff481b6af3fa25084856e80a05b9181a9aecb701 envoy/extensions/outlier_detection_monitors/consecutive_errors/v3/consecutive_errors.proto +shake256:b59aa69fbb5a3fd019d0629969b596f1ef33d11c2db37b7167c80d49825c56ba11514538b5b5e18d9305862104bfd2ce2232b462a3632484756a12bdf3287943 envoy/extensions/path/match/uri_template/v3/uri_template_match.proto +shake256:4c14d13dd9e1e782b7a0dc85854642bfb2df4839adc50747cc71fa12c706d05a544208edeed5c5245f3506dfd83004a899d96d8fdf39dfe653382e92e8b6a3cf envoy/extensions/path/rewrite/uri_template/v3/uri_template_rewrite.proto +shake256:f7680ea8269c00d0a1c18ee2f3af1e75f8dd2c000c5e8b943910b9d94929ab55ee5d987f52e72a9de04314d7b1067f32b720b754a90f86de61696b264851498e envoy/extensions/quic/connection_debug_visitor/quic_stats/v3/quic_stats.proto +shake256:1f74c6723791858d9dea2478140f942cd69348c0b3914dc9e8e0fdbeb37ceebdec52d13770018d4ef0b13b65bdf421da6211355bdfde5cfed9b71b4b20532c9a envoy/extensions/quic/connection_debug_visitor/v3/connection_debug_visitor_basic.proto +shake256:8a58afa18cfd1cbde48136072f331fe02420900d28cff068cca484cb2dff09f3b12409f8ba400ddd9452a4b355431eb52a493c17b870ddf9bd539c0ebd29de0e envoy/extensions/quic/connection_id_generator/quic_lb/v3/quic_lb.proto +shake256:b35b11e7deba787adcaa488361dce33d97804b1f276dcaa3c936a50dea030722b9d8707590b3d9e29093061ee67c6eac3ac1d107aa88d58a209d055674198b6a envoy/extensions/quic/connection_id_generator/v3/envoy_deterministic_connection_id_generator.proto +shake256:0d5c109aec1c8a34845c051213323cef13b8acb789a973993caab647c2015addd698e8b7d1df443e81dd966f198cf9029f3ad8e941b1308837d6e317212c2b43 envoy/extensions/quic/crypto_stream/v3/crypto_stream.proto +shake256:b81a6625d0afccd2d290f73787080f319dc2cbac737ff9f655a40d285847b80de77e5b4361d6f5208cb68e439517fccbed20d590e5ce2b47e5276f73a614764e envoy/extensions/quic/proof_source/v3/proof_source.proto +shake256:65be7ddec7f03e73203304f27b2dab6c0adb2f96bcf27859e458d1ee924c4cc13224b7b78b298e07baeedd9bfe26dcdb04c95e93363c32a34ae919edd722c46e envoy/extensions/quic/server_preferred_address/v3/datasource.proto +shake256:bd5330bdb3af2fdd0d6c19e7d2dea7f1f9f3a33b23b8abe7b3ce5e00986ce129e525839820b220d83a2778cce498c427cc8b81685d7e47fce1530bf3ec6e891b envoy/extensions/quic/server_preferred_address/v3/fixed_server_preferred_address_config.proto +shake256:2cb8ebd50ee8f7dbe73b59288a57e8ce66169d0cf29fc0eac26709c6284e36e54582383668fd57d81428187b36b4c2c551b5a4192091ad7d7e8afcae14550e78 envoy/extensions/rate_limit_descriptors/expr/v3/expr.proto +shake256:efefeef95cda09d43c21ea224d984c6164d9eda0b5c74dc3103bb2125bbd19f6296557896636464cb6df3ece2ec78f92554204f6c2e8d269cc3ee78ce8952891 envoy/extensions/rbac/audit_loggers/stream/v3/stream.proto +shake256:12e6aab5a6bb2b487e96b85d1df9a327e4915ee2990d1e5b335a5d02b5b5ab74ef3e5357fb7c01b07cecce676349c9023fdd5fdc3954ff85a32e67232ca01883 envoy/extensions/rbac/matchers/upstream_ip_port/v3/upstream_ip_port_matcher.proto +shake256:516e7d1e52f23285dc29da142505c4c5b1752e48f9fec69021cd8df1e163ed5a2c0be22dce9f050ce81f15e9ed3994403e598ef577fad62f829f6fc56206f1c1 envoy/extensions/rbac/principals/mtls_authenticated/v3/mtls_authenticated.proto +shake256:ed50a0a24b7ede925b68420c09fcd56b455eff0efa60a01082c77f61835ce52d988901474e3c3003545a1c8c16e6d97629f4d23e543d06041237fa650a8d0f5e envoy/extensions/regex_engines/v3/google_re2.proto +shake256:acedfc0d080637f91af6bd52396281588d2e7216106d9c0fe4db78bb876e85f60e5cb8da19952d04c610e0889f43e14c3074485c4886a7262c3d4cabf2b13435 envoy/extensions/request_id/uuid/v3/uuid.proto +shake256:298c4e17fc11e286b92291f710b2eda207d4bfbe91758e2f81ca934f7d1d1ceead2d96629922ca5764920e16f6b57e3ebb91a8ed7ecfe0cc214187d026e83c0a envoy/extensions/resource_monitors/cgroup_memory/v3/cgroup_memory.proto +shake256:f16bf9d750ade1919fe6da89224ba8951dedc35f291bb221ce5a69509caeb2b2b0c25b67e5ac580b9b7119efefe37cf900d978acbdc147470c8fbba3f326de15 envoy/extensions/resource_monitors/cpu_utilization/v3/cpu_utilization.proto +shake256:7f052f002d7e537933393a868929ec03b18b400819f44912c47f99a8fedfcad3dd11b77aeea43550e0ad5615384eb09f31ce8fc3db239543a1b92a6a003aa7d6 envoy/extensions/resource_monitors/downstream_connections/v3/downstream_connections.proto +shake256:12822650ee1addeed10c840b45b21a1578afff4ad262643364a5379a198fcf23dcb812e68cb8be40cea686ad0d4b6e575e1cd439a8ad5a261980f56e4b4f7ee4 envoy/extensions/resource_monitors/fixed_heap/v3/fixed_heap.proto +shake256:a99a18f73f95166d72f4daad65414723da4f3979be982e87e6a0e2e5f3a49dc5b0e49ff4f35c775aa48f3963d1522dfba66b7fddf1e13019b7503920fe7c0d62 envoy/extensions/resource_monitors/injected_resource/v3/injected_resource.proto +shake256:2d3237daa2aabf8c1379f7f16a5d10b87e41171a0eb5566e64b076fffd5725149040bae21fa5ce5fad3a244ac4118d9d90fa9b99219795648b3b39d2d85dacce envoy/extensions/retry/host/omit_canary_hosts/v3/omit_canary_hosts.proto +shake256:fbbab489437bd68a2d6dc6d762674947e94a5cbe005136ab35ac841b1ebc055df5aaf1c93e371cb4ff75dd84e9d5c13e8f581e87a2fc3ce70f84ba444abd4cde envoy/extensions/retry/host/omit_host_metadata/v3/omit_host_metadata_config.proto +shake256:541e01abca6919462a0d0cf1c85380321afbd0ad796915fa5734c13420603761ab956dfb51a4b1f9e3ed0658eb36f8e29f98e909044efc4998b5f0ac3187f895 envoy/extensions/retry/host/previous_hosts/v3/previous_hosts.proto +shake256:03777221093ecc5820256aa74fddbd488cbd21276dfb6f4155c379078d8070b1757464dfd3d657139733272d5f2308140af8fade16a491757156a9c96502d146 envoy/extensions/retry/priority/previous_priorities/v3/previous_priorities_config.proto +shake256:73aafa2c0d0ef67990969355e95643e8194dc84941666c70b9a1aeba1b4be20bbe8091825f496c26ec52f2f1ffd837abc2255b67f7e2a4a59a913beb20898b44 envoy/extensions/router/cluster_specifiers/lua/v3/lua.proto +shake256:69537d185104e9a65353c4103e9446f326e66207e18b54358d25f14660db77ce2a8a0a94d67d0b6efef5ad70a47174a259a61ba874b711062b1ff49f29bb37dd envoy/extensions/router/cluster_specifiers/matcher/v3/matcher.proto +shake256:baaef5b0dcd805f206a977806ecf55cd8785134085fa515bd3ddb848d3986d502fb8144bb0f6f06a11595c5444ff42da361497a4b70eeb21f1a8e0095b183c3b envoy/extensions/stat_sinks/graphite_statsd/v3/graphite_statsd.proto +shake256:b9baf36cbd39c8e4c3a3b4699a19240971d6076ceda83fe3dabebaa96f691c352be85d73dfd0fe9f2e3af7b6a75d4e22dfd9ded65e58c2122537dde25c74ae8d envoy/extensions/stat_sinks/open_telemetry/v3/open_telemetry.proto +shake256:af239d758d000d60037294ba32773a6c102bd1a2de6c685299e94f127f09445a72a9f88821459c921fae1e9f9fe71259a20334fe4e9a96ac98e8efd59c9a5d87 envoy/extensions/stat_sinks/wasm/v3/wasm.proto +shake256:d7f75c34e0b7f8789150ee0eb5b19e71db666175432858ae35a618e1ed1d11c22833a10b0b7dab072dace62c6128b14ba0c1aed987b36594e77a0d78c4fea8e8 envoy/extensions/string_matcher/lua/v3/lua.proto +shake256:6e72f2f15a05142e84506fe9c5e5a52365f4bc84a2832ff2920e05e5a770b8c065bfc548f30a152619c7d1089aa835cb82fb1180cc1ca1f9e4125ec5b9b6ce15 envoy/extensions/tracers/fluentd/v3/fluentd.proto +shake256:2dea78d980bdbcfd314655d85f68cdb80170b1a3a26689033ce3ab8d6b2323ee2f5f9ca431521c888046b1f67fe1b1df7e1b41e72a9525255a892647d03ba47e envoy/extensions/tracers/opentelemetry/resource_detectors/v3/dynatrace_resource_detector.proto +shake256:0b54ea2b09ad005e0f28e296f023999896dd1007d70b19359a8f771f82b222bf2987c8fbf517530c3f45e6a4319efc8aa63af3bad9659194a52854bfa39e7491 envoy/extensions/tracers/opentelemetry/resource_detectors/v3/environment_resource_detector.proto +shake256:5371f5be86060c954b6f8ff11aa8a8c8b2ef94175278fb84547bcfe1bce1496cbff48c324a90b2bc59a57f5d622bcd8be23f907252238be7e3cd391b241ffe18 envoy/extensions/tracers/opentelemetry/resource_detectors/v3/static_config_resource_detector.proto +shake256:d3ab1839e0d23b7027166b6e3c4ed1eb161268611607a79e8a0fe7c3d6ab5f744f66f925ea3390a6031fcd8aeae23c4711e4b5c8bcdc92cd8f4bb8bb8dc89dd2 envoy/extensions/tracers/opentelemetry/samplers/v3/always_on_sampler.proto +shake256:5cf81b0cf871e6a216da80ab14a9e98d6cf071015137f1ebe567f5710d7122832bce5e3eb9e99532ecbf4602248b7c3f995a48c09d48bad6cfed8958fc3b8145 envoy/extensions/tracers/opentelemetry/samplers/v3/cel_sampler.proto +shake256:265484879d7ae5d9a0bb600cce1741b0f6d64ae04be75e7ce927c771066a565c54e1d99758ed3f85a04b3d17dd087018ed6fa0c21f46f90c59fb2d1d4c50cc67 envoy/extensions/tracers/opentelemetry/samplers/v3/dynatrace_sampler.proto +shake256:541e1172fd525e99b287600e7a58bd7b2bc7e0eb07514d8cec74002aadbf0c5385f93bb2efa3ab1f80f98e009996bab83fbb3bca3a19dbd394153172960781f4 envoy/extensions/tracers/opentelemetry/samplers/v3/parent_based_sampler.proto +shake256:e4b240ec009feb9dc7a44a85a04f71753af28a2ca562c606283a22d87d2b8f96dd9898bd34655f72259ac17f177c3254ffcbafa87ede213ea3a9399aa541b716 envoy/extensions/tracers/opentelemetry/samplers/v3/trace_id_ratio_based_sampler.proto +shake256:5b0a26f3fef746f0134abbfb12488a75cb6f71f1fe32cb3010571df1c61a0cbd9c60dcd14f7518e5cab37b005ba0bb90a25f0e4c6d1095bcfc75046023720725 envoy/extensions/transport_sockets/alts/v3/alts.proto +shake256:c89926efa58f9b00f2eef628d75352686701d1e12b269de0ffba93f7649233152a576759931350ba542d7ab374ddb4a982e8a248be9bb2297ae096cf86149293 envoy/extensions/transport_sockets/http_11_proxy/v3/upstream_http_11_connect.proto +shake256:6acc101dff2f6d9dfd42d93835b7eaab9d899ce27194865d6daa1c171d12bbb277784d478d2f2810f1bba0cf84341f59c7271bf3435d6583d9b6ab8b074123fb envoy/extensions/transport_sockets/internal_upstream/v3/internal_upstream.proto +shake256:432449b6de25f852f1c6d8ebb4df1376dfa0042cfa816a7906cafa4739032b3f66f887a2d85fbc00c2e6fd948515acb3732d7be761bf2e9af2d1739dde866b91 envoy/extensions/transport_sockets/proxy_protocol/v3/upstream_proxy_protocol.proto +shake256:ebf23934294ebd7ef3232d9e181e5aad268449fcf56a4d6e28392d793102e35cb0b4edaa9e122478c8140f53c56fc57c8ec3d10bfbc0dbd3b1e799bbedd51755 envoy/extensions/transport_sockets/quic/v3/quic_transport.proto +shake256:142e115afeaa6a4f0579552383c702b436bd640e359d05ad2617da6bad6044951b3d6ba0e9474fe34c2ac1e8d8468c0eb6417c4dcbef4317d24a694f65585af3 envoy/extensions/transport_sockets/raw_buffer/v3/raw_buffer.proto +shake256:655ebe077789126227c45261078f8d64dd0d989295108efcbc136d2b59a717c6b2a486289156584173a79a7d90cf9429b8d43154cb534cb1aa671eb6a3abda22 envoy/extensions/transport_sockets/s2a/v3/s2a.proto +shake256:b65431721a1a46acfdd0a792ff8b87e2aa557a27cc2e8db151f97d02da20a70f02cdc21ebf72656e165931fcdac08deb6e3075d4431fc4bba160d3a8455776d3 envoy/extensions/transport_sockets/starttls/v3/starttls.proto +shake256:b55ba8ad8802bf22c4a8110670ff402dc1d61dac65692b1d88e05d4ba9b937c0e7f9549c93127bf58a5d01deeb5d09d115fb2c9ddcb71aaf61aee0643e40fdc0 envoy/extensions/transport_sockets/tap/v3/tap.proto +shake256:2db6ce813ff15044dcf88785d43e388e2bb26d59cf4015c0630a6cad9a2439e82f8bd8c2b254c420745604abadf2da52ff4da9bb3c6dff6fd6431eb6417a88f3 envoy/extensions/transport_sockets/tcp_stats/v3/tcp_stats.proto +shake256:70c3f79a8f5ada5334027f2ea99ebeee20e3dd431ef94d82eb096355a8aee3784a309eb588ce1f474844ba17fc17b0220fa2470b69908245d6b2ea3aef26c22a envoy/extensions/transport_sockets/tls/v3/cert.proto +shake256:e5c7d2878ae07f98b7b076de1060c76cae457efb0558322736cdc1139f8c38c3bbada85ae0efbe867f5e8aae201c82d0aadba8f88a4c217cfc315c96a4b1ea98 envoy/extensions/transport_sockets/tls/v3/common.proto +shake256:d541b64ff4c04ea5298fcf5208c8571980ce1a691fe5c2b86d8f0a94427160e244adb2381204e45d8d237864211281dbd0ab1bc6f48810625310c15af14fc509 envoy/extensions/transport_sockets/tls/v3/secret.proto +shake256:0711d88a9129014e77db8a918e6b1ff5fd7dd6f1e2e19cce9573ea29c253d700594809a424beebdb28ce10898b9c1db5ae88c05ae4b0cd139821dd502e6f68f2 envoy/extensions/transport_sockets/tls/v3/tls.proto +shake256:ef69428a40297702fd453f6613f08e24a434f80a18b1cb7099ecf856ef9eaee3fa624afe50fd0c50f311ea91d070338d43f31ea8a0717bfee51f935d6170c47b envoy/extensions/transport_sockets/tls/v3/tls_spiffe_validator_config.proto +shake256:5ed9430060ee0140165e8bb75940bc40dd565350df5c01e0f3e154b708e4d39ebd525fd439a64da2b8656d438a39da89fa5250b721b90f4a84ea1f682b33ce35 envoy/extensions/udp_packet_writer/v3/udp_default_writer_factory.proto +shake256:628eef9f3842581bfef3c63dcb967478ecbf486c3da4491eefa31814f8fcd4d782b9f5fe81454015dfb2762d447fa6561a05622a59d52d34b75591413fea6321 envoy/extensions/udp_packet_writer/v3/udp_gso_batch_writer_factory.proto +shake256:79f80278f4f4e33eb6864b817786b5305cc6ae0da122f53e426e567cea75b910af45ab9cb858c81a91553386afe0ba5f2b0bbd4d17f855b3cd219a0b08d1b4f4 envoy/extensions/upstreams/http/generic/v3/generic_connection_pool.proto +shake256:1bc3d5c62725d72b2b5959f92e15634cc579ed8e136a92532150f83c2481dd0e9f251fad8f969390d298a39b3d05cd33754c8ce9cd994a321a7da9a0e5e6adf5 envoy/extensions/upstreams/http/http/v3/http_connection_pool.proto +shake256:102e997c91c76da612869b2a666ffe2e554593d6c3bdd63a5bbc9ac70d1a0064346c9415fa2f74368db77b4c3be872636c2917899d9dd951d959ae52ae15176b envoy/extensions/upstreams/http/tcp/v3/tcp_connection_pool.proto +shake256:d56f95c23b4fd61618df5dccf70e260f07194b05638161cbfe7b1636aff5114d7e90b49660b32891f570dae71fd2484ac392716197e2dea6318c2f3ccb5ee951 envoy/extensions/upstreams/http/udp/v3/udp_connection_pool.proto +shake256:d6f4e5d1f41fc974dd3c4e1da68df1cb72b8479132c0e5c469c22658c20bb64000b74a159e7662bd33f6fa597be541cbde8e6bc687823c1854ca56c1253dc34b envoy/extensions/upstreams/http/v3/http_protocol_options.proto +shake256:622d6f175b2b12659fad78cd611c5393c3866f584985ff06c29e1ab8a4a4628ead7c2db69a6380c7debf88bae406747b39780d23afc07aa17e7687ad45761a20 envoy/extensions/upstreams/tcp/generic/v3/generic_connection_pool.proto +shake256:96f4fcb2c56df1b0b0ac3414449baf6774e2aa8969255016a23513e170fec1536a30b6b4739f314403d7d61f6d6c3c78a5751e3fe112a4f946d5b8e065bea1de envoy/extensions/upstreams/tcp/v3/tcp_protocol_options.proto +shake256:4383b785c7cf3c88d63153c5d841c7a5125c1a883789f36dd07b11434ad73ce8da5af9292b4a078e98101fb11769d14ba8a55b088f0fec67540d9a55364fde80 envoy/extensions/wasm/v3/wasm.proto +shake256:762e5a35ffa359e351715abcb4d10973dc3eb542f39faf50fb2fd1a69d747413e88c992e218bba253a5a57745a384e923a24bda721056db31c0b2a310f80ba44 envoy/extensions/watchdog/profile_action/v3/profile_action.proto +shake256:4996109c5c6ad7c4df245ff378f41569c9323f6691c2f02bf26e6ded7b6059aed8b5214deb18008cf4fdcc9dd12499f170c570d0381ffc656e6119bfdcbd7205 envoy/service/accesslog/v2/als.proto +shake256:f4a29b2899acf38dc693efa125c0434c56847ea1569b056df833528e5a0603b3f6a62df53b9cf40ec9aa06e30b4cef0688764d468a6eb8da3680e99897106a68 envoy/service/accesslog/v3/als.proto +shake256:a8b6784c472dbaa98f1f3fddd68a50f4dfed29af2c11e7cb0ff350275fdc4cf60b9bf9224c06766af0389b082af73d219cd4f494db207ab45fc88edd7c0ed909 envoy/service/auth/v2/attribute_context.proto +shake256:08a77da191422df68e2e2c432f597478b353b8d04455b618922e642f5938513fea27ec1950aa52acd3333b9d7d82be1035e3c0a253e5b97648cff309bcc8deef envoy/service/auth/v2/external_auth.proto +shake256:4eb4d2e4dd59617cf8ed6ba4d58661099422e8ede70006d905916dd5c60c660380fe977aa61f16361fe6d733c485c853c228dd5483dc4fd40ba7961e7319db8b envoy/service/auth/v2alpha/external_auth.proto +shake256:ef19b99ed5f32b4e64a0001c1fa08917f7ab7374852f3599be77864a113908dd7cfa5287be61aa838423b151fe7af3e8193f2569ca452807875b4a2836171aff envoy/service/auth/v3/attribute_context.proto +shake256:60bf140ff9f0e440bb27912913de0472c27f1a5781b41f2bb7acf944a869d5136da2bc42c0aa81f639be2b7fc21df20698c5e2daa5d584e6e1519d16d6fa788e envoy/service/auth/v3/external_auth.proto +shake256:2217dc6bf6933bed2e621b0a8a1f9a3ed3b77239591020eda87b0f592c3c00dbe299988b262029e022705549c0621b17dac6f1d320ff3a5dfc5aa07fcdea0e61 envoy/service/cluster/v3/cds.proto +shake256:c1370a13fe2e5e6b894233bb6432a0b8af8ddf1cf1078de0c750484b3055a78f7974a39fd6f1493d7ed485bcb0261715fa1be067c25f43e4f9469f48df8000da envoy/service/discovery/v2/ads.proto +shake256:ee52e1e4dacec7ff8d1a05136a89bdf7475eb1e6efaeb773f6e608a5f7d00379a3d4211d22a8ea82750a6eb36c8034522da5ab99007cef8c989d58a551717de1 envoy/service/discovery/v2/hds.proto +shake256:0318c755e701e782a34e6faa9e63ff5df3c75f4b8c7b78ed0648e1cd5fc815de826d24b1e9cf3908432c2023d3e6e2d7a3018ab2042be851fbfc1f81a82fc72d envoy/service/discovery/v2/rtds.proto +shake256:9d4cd9fdba3a202916bf6cff81d6eb2529974dc817135aaa900e859e678f9420b78821e80e6891bbde807a71bff8b5b7ceb4b3e31fb01a098d0ef252ec4d0832 envoy/service/discovery/v2/sds.proto +shake256:732ae86f43a83be70c45a2938b8d66e20bfc1abdab938a8705ad971039eaf5931dc9414c4e7299acf00c948e45afa5b1f16b70cffd4ce3e33775a88985a3ca97 envoy/service/discovery/v3/ads.proto +shake256:d0363f981b6164e21562c4686a479114fa780df94fce216e2796b71da32440ee994b4df3365f28dd16f6e029e25eb8aeca72e6437212f48613e617a6f0dddb35 envoy/service/discovery/v3/discovery.proto +shake256:e8a56f89e6931dfa885cfd8de54dc6f92ae0164e007d0e5f366dcc25705008c5e263f636be831687f270d531ae698f7350b91623f9a647a242e49cf6b15931fa envoy/service/endpoint/v3/eds.proto +shake256:416d8c86026458e77fe8ae3845a769f59e3845ef062b5dbe6288745598223e2a450d28cebbc3cd8c6bd07f9838dc836ae7a2193a5c4ba81b14b1ff7c66daa10c envoy/service/endpoint/v3/leds.proto +shake256:b5bf9e082c4ec76d09d874ea26f0f2f70c77bf64caf46de1f9533dc61155ad06da023d650ab6f030c67da25f10488b47caeea7ff20efbc574ab3ff749f7e15c7 envoy/service/event_reporting/v2alpha/event_reporting_service.proto +shake256:357a584bbb25276c4dc0262c69fdd6f44fd6eeb08d50a2c4f8cb1b9f2a16b10385df785ca42ae0ca173bf38aefe80b14572ebf939b97d46ee84688218e1ba920 envoy/service/event_reporting/v3/event_reporting_service.proto +shake256:1c25d514b7c22ff54c3b590dd512b90fb7e147db1935a90a27467f2745a5364e5ca1a4ac4a144525438ac7252a5aaba6f14f2fc8926e38f52f9bc61705edae3a envoy/service/ext_proc/v3/external_processor.proto +shake256:8ed6ff32eba9f5a768ed19ffa70ed80227a7beca9ab61da117f3858af346fc3f5445d14aa839231c6d5c8a8a64988a1e3623a3a61132b0120fdfcfbf10a01bb6 envoy/service/extension/v3/config_discovery.proto +shake256:8dc8e6bba48aa83023d8af0412d52cebd600eab03b0561a5c1c26b0ee561058eb3e11edf4ece580c2c5b8360a28264dc47c3a9e496701f2c796515dce5ed80fb envoy/service/health/v3/hds.proto +shake256:b30e1a9c40bddf8c84bbeeba1c23d3a391a440e0900b1fc589032b29601f055913c7ccacca2e200c1e4db6cb1131d29bf36161e1dd2e54210a9285adce491076 envoy/service/listener/v3/lds.proto +shake256:e6295415f5e5c97db3d7a76bf1ff2fbadc3d0bbb9dc89560869e243b497c84c21b8b811984d03e2f05fde18c0be89b84f3c4961e1623eda41be9e0cc582eff27 envoy/service/load_stats/v2/lrs.proto +shake256:699477da8f3f972de622c6a2945200c249456c1544c0b5890be78007e6b2549e2e7cdea581b0b1648fa45ad472eae3ab70461eb9f05ea069127b8e0d18d4d531 envoy/service/load_stats/v3/lrs.proto +shake256:b449e325335c4a27aaffffee78cd8efd0dc7f341590c6960ca3fc0820cd6c16cd43f600f602b4e505c0bef8ff96397b80fe3483315cb7ab0e8715c7a09f04e3f envoy/service/metrics/v2/metrics_service.proto +shake256:91f3b9e83028d2470ea9cdd586cc834f7e849b3ce3c1deac251fcbcbb7d1384e671a094596c6782563a3a3d2745da8e4a2aab0be31f980968a9a7a7208a8b9b2 envoy/service/metrics/v3/metrics_service.proto +shake256:8bd5e085a8a4d58e707005ccc2150b5e4ba95ee45625ee96156e4daa0b9c5e95204c74ea56fcf7f4ee6d28471cb4adcd6b55501c53f4432360641b19f6c3adb5 envoy/service/network_ext_proc/v3/network_external_processor.proto +shake256:4134d14b8efd20d58f826e9849d6e53b2d3ac7242560d367b7abc6d2a7ee155135e112da7a9bd738e5ebb22180c4bdbad8071c9c9574e945897bf6a608c7260d envoy/service/rate_limit_quota/v3/rlqs.proto +shake256:d2ae1ae11068ba99047618b4f3355c6c63b0cadb7f2b92b62ecaa418d6012a7bd2590ffd8ac4f1d30b9586b3eec6d14a8dacf67d7f4edf7f3946eb606609f962 envoy/service/ratelimit/v2/rls.proto +shake256:9641a91435e6e6b8c64e8e68adb42c0ce592170cc68972d4724169361766892b4d2a00b16e4dc9a2863d7b4d05ff1ebd27e820622355d2de4f5d09b7d71983ef envoy/service/ratelimit/v3/rls.proto +shake256:216d9b8b599926c745c66f9213c7158da4d4578f3a014d92900ba387032b086041bf6ecb1335a93d113fa08c10fc5d7f0601f5d13977d11e718820a5f9e30d15 envoy/service/redis_auth/v3/redis_external_auth.proto +shake256:d8c032e24b649e9bcd34a34c1aa7a3301636cac0d28ba8f2f66bf913f4020518c7147c5258ae7456b2c2a9098238e7d348682e510eec4b22b89ef0a6083b97ee envoy/service/route/v3/rds.proto +shake256:851029f814d9f06c8ddce15d14758f3b6bd3a12fc22f94abddb181a557e345053c6d99cef3f5fe00629e1c9880c606a677b3e146a0bc416e771eb63a32928c30 envoy/service/route/v3/srds.proto +shake256:bc3b113db998b71b675b735aacef60a5a44c4e5b4ae806c3451609adaa29d1abde505591df5e59afa71256aaadd47954750fc8d52b23dfb1a77b14a979e3195c envoy/service/runtime/v3/rtds.proto +shake256:224273be92cff332779fbc3c4cc05e9d896f07f7399755eaef09d4393c823c1417db21551aba27d8d638e9d2c5b2faa0ec7be818a80f669bf0bb3f2c050f3bf5 envoy/service/secret/v3/sds.proto +shake256:2e52093226a25dcfa49f732d9eb94d4e0cf45ea33ffaba69d33e237e1b3b57a1c09125dfe84aea26cf027949c665e65a1e0c3816a0f7632bfc1a27e60164afa1 envoy/service/status/v2/csds.proto +shake256:ac4a57cb2f25fbfce2a8daef2546317e33d09d8162447b82d56491df84b4847880ea6fa7048a0d82380191fced4f1caa1490773c8584aac1251b274429a8335b envoy/service/status/v3/csds.proto +shake256:8c3cdd75a9d29c3cab6409ef44c6560d04b701a5fbb750110a3c690cceed6579eebfa31ba1d3c24220fd30311fc3b1fc71382fd75b87617289584cb89614a8af envoy/service/tap/v2alpha/common.proto +shake256:9238348d1c026eaae1bbcb2eaf891214f11caa40506ac196f09635cef0d600b3fff85c7940f470bdfd0c77ede8b043bd595ef40fb49ef1d570d09b974ae3aee8 envoy/service/tap/v2alpha/tap.proto +shake256:7b68954434433606940c6fa3e32b470dfd6bd645d00e45d70292b0590be710452082946dd19eeaed41fe1a01395c093b0b2c5d5b4b5d25d8ed3d758b854dc629 envoy/service/tap/v3/tap.proto +shake256:690a4716c9c4c5360fc02c82ae8293203c13be4e1134f4d0cc335d6a5da7215b3c0d5448c04926e3e06a790c0a4d012054fff23ac609209e9c1cc3c2a32319ec envoy/type/hash_policy.proto +shake256:d19e024e24adeec5f0b76401119a091029122e4ac3f8a3294b47dca1ec8f8f65ae752c85d68375097421fdd0a5d5cb795603e2d721c5be802b8425f2ffae6755 envoy/type/http.proto +shake256:f6c1ee6c7e0835c3eb5f79a4b6c82fe6cc0875db25649420b9b074f0de7457c89892acc979e2fc37a5ee1b46f441635d19ed243505f0fe47c67ab56472d02474 envoy/type/http/v3/cookie.proto +shake256:0ae546ed47fc0e7f7067fe017de48efd5de4d88d4aa1fa4df6b9eaa51531830675076ff50f13011b4e5d1244aefaa3475e4102f25c9c07fe5fd4f93cdc1e9f92 envoy/type/http/v3/path_transformation.proto +shake256:9809a923db1af1a7ddc5ce050f7cdb9161e42b486765f9dc4c278ca55245897e524ece578d9200cbc16e5dc558b6e62ae0ad9bbbb28f0256444977007d125bf6 envoy/type/http_status.proto +shake256:c72973b0f8238dcde807395ef1b3722004a0fdd34c3e08118914285246babaa837ab4e1614f9a1cbeb93d3d8942f316bc870fc9d40afd1df9f4e08362694a784 envoy/type/matcher/metadata.proto +shake256:4a704a75f9c4816bfa4ab17ae4e9672b1b7e2e5a89177d4413ec3c13296e02918fc511aea1ca3e67bd4927691065b038392f5f6370780b78bb0b3c4fdc77e4b4 envoy/type/matcher/node.proto +shake256:0f00d2d7c167ff88b003036b0cc735fa7d839ab1a914fa03e38f9e67f8fc010fc50b7e743322141d3932169ed51fea1481af7bf5494ba47bb8793d932fba51d0 envoy/type/matcher/number.proto +shake256:4b05ff8e5ecf96d4a5fe628207d9ebf496207b03bdf7a4ca919821744ca76c715799b5f9bfad2caa1dce7d9d1941cc89fa84272603bf7081200f4ba059a7cdba envoy/type/matcher/path.proto +shake256:f64d77676fe9afb578981a25087575bd5473a0339bf128c008b266f89eeafe4615208e0ff2f3b82f9a3a77152c7f8ce49adf14fddd1c52e67362b44a3ab464cd envoy/type/matcher/regex.proto +shake256:cbd2eeb817c033f1083f650aa40e899eccbd5fb928901b2b7d00090a3255adfd14ee71f696ee01cd5db9ea298c9dd1a080ec578d94cdfaa0326b0cc014bcba63 envoy/type/matcher/string.proto +shake256:839ad15eb02acdb2dae9af33fa54e09d1681db3309c2cc28a5a83ab7490f8881d34487caa3e13c1cb2a10749f5f8d7c3c0ae43a69c2c1a9e6c11e0f91ef0834c envoy/type/matcher/struct.proto +shake256:b8aeb0435ab80c4f331ede8ee6367cf5eb25df2219c291e177b1be3dae38269671d7d2c2855e045c88058f0e973fdd447875a154228148abb5f00e94f4c47281 envoy/type/matcher/v3/address.proto +shake256:368384c1f18c40e250a3c223bad867c16c2171e4f3e81dc0e64f95ab0ac8ffa138e3615f975ff473c19ac9cc1de304ce6de23935424d7246b15449a70c8a1f55 envoy/type/matcher/v3/filter_state.proto +shake256:5f019ed81965c01108460610edac0725a6870e0fb85ffd2a1f64af152acb81e1333c24ae15f1c4aef42584271bac8bc6b70e1101ecbcaea42bce4661ed61604f envoy/type/matcher/v3/http_inputs.proto +shake256:125f10e793bed8cf67953b7f5509561afaf62088e12d3e09e386e745a351a7c907684a4978bf06333d9016ca027f19f4dda33385651c8ddefabf97f5809324c6 envoy/type/matcher/v3/metadata.proto +shake256:80fa673ba90f13a4986f6e6119784a9c59c841826227c38ed3ff837bd8213e9cb9a831a890f524b01f180664bbc8318ba8ecc52f7ef10fef2e5c55024681fca0 envoy/type/matcher/v3/node.proto +shake256:5cdefb24c00ba89be1cfd0ff3f0d1e191b0679d13a1dbaef9fcf16075c0d8d5e4f29ee460c29514b12074b53343198695873edacd165261d7ccccd4a4f590acb envoy/type/matcher/v3/number.proto +shake256:6332bfd31883dd3f0adb9cf32312f33ed4405ad8c371f60d6c325b8c7ca490760c0900c78c141b38b46d042b8155f141cefad9a6b3575f8a218ac653b8c4158a envoy/type/matcher/v3/path.proto +shake256:e34e7701305faf83076adebc1d9369573633e627a0e88a9c53fea1ab24a0e2dd400fd6772d75babdcac0174f54562e006792d65bf9c36565453b229ef02e0ad5 envoy/type/matcher/v3/regex.proto +shake256:262bde80e71fe6a168dd1b6a9ee1d1b27d3bbfe0e9e1e91129921cc0732f28380f5bb1cb18c041c29d57c93848b8c2ce35a16b0d4428d4df4e044c0fd6624bf0 envoy/type/matcher/v3/status_code_input.proto +shake256:5fddb73ab97242cae4a7799462d4ff64408489e07cbf4443cb5409f4cb666c8aa5165bafde373670a5db0084f80cca5797b63aba31f893174715e3be15c1dab5 envoy/type/matcher/v3/string.proto +shake256:0f38a58bd6eeba1aa88f3a5abdac8668f2540c620fcff2170763d93a5f764ef6694c0630c311d919fd8bc89735a5effcf50ac43fa77b2073392eaa206dcf501a envoy/type/matcher/v3/struct.proto +shake256:ad88cc2e97d5cd12d8392a43fa42460b65a2a3b23825c4e14ef43fa2f559eba6fb9fa12e9d07072fb67fd3c15db9339ce70bcdd1e88476a0864441e122395bab envoy/type/matcher/v3/value.proto +shake256:2894818b159d82e436454b897303459c693593507e5ddfd71291a3aafd6f5e5ff829b72738d56910423f1f06c8712d6c0968db606d275420b4ff2d333d7e8b34 envoy/type/matcher/value.proto +shake256:c61a778022e769b7b86a6f2cf3311fa799234b4b8e8ca8645031605c6c6879b72dfef9928703ec02fdd24618b3afe1adcd0524d60af763d35dfb0c81c7c08c4b envoy/type/metadata/v2/metadata.proto +shake256:35ee01ad69132a5e671569227885b005ffee1364d7c60a3ebbf8c630872d444446d0bd4c964168d2d81d91806800ebdcfaa0b18a79dd436725295d0d9842fcaa envoy/type/metadata/v3/metadata.proto +shake256:ddfe76d43d5adbe5f2cbab06d966d142799b6cda620586672398c31f0ce34c0573112c6c55d9bc01e71782626d3808ad13f7c9ec79b00b430e3c77b788903156 envoy/type/percent.proto +shake256:17b206d1bff0fd1139d6be415b51e54947515ebbaf3ef6cefbe3849d2038eada9ff6bf7b1297066f624711966a9637ff3e78086274a5209f9d053c4ed7e04a6b envoy/type/range.proto +shake256:161720c94d007dfc3bd529c5a702119b85ba308622708caa6f942415e70c5df4615d58692574fcc217f07c11556c64982d94408ca3a1f78659dccbb96f31e8ff envoy/type/semantic_version.proto +shake256:b135fdd513959ff7a4e66d9935e9cb29f5ddeb4fca8e2e342fcf382c6f8e850126491d37a6ef8e234713490e4e95e8ed8d043399fce783d0398652f3c8af0667 envoy/type/token_bucket.proto +shake256:d201238906946214da41f85403023182139eb36c964414993bb659243aded648f4988b0a16875a6ee6e1e0bb1211a2c86a85b416cad62d4d00417a69fcca5d85 envoy/type/tracing/v2/custom_tag.proto +shake256:3f94e4dff884970471a386922110c7a611caf0c07dc38f6e3cd84209bdaf289951530a79b3864f7939cf335dd57a2e7896682479decce7921fc2bdac3b5d35d3 envoy/type/tracing/v3/custom_tag.proto +shake256:884e6803443363459542a1df859f5172ebdf5cae23fba2b2695a471af539c472d410bae54566813d865f05e079978a26c3406e174bc4076aed578ee6b690f5a1 envoy/type/v3/hash_policy.proto +shake256:406e55d1c3c28926cdcec7950f4e1ddac8f71fe9524f26df66e5f04e865b7fe37ec881c2c2ea96ee5928856a4f07ffc8b05e95a9987b99edc58ca8bf01668c04 envoy/type/v3/http.proto +shake256:d202ec6e99b45a8e9a5671718b070c368e6a5067194ab1c73da32705d28d45802db75994b6e5fb938b9bf4bd2eff59d52dddc8797e085ee99ca6a8d6db475de8 envoy/type/v3/http_status.proto +shake256:93083c00b1962447c795b3c85e8f291fb8fe80688209e48f07f1924b717fed0f76daac681f35b9da6f8719e77156feaf858694e8181df4174e450b46d499a478 envoy/type/v3/percent.proto +shake256:2a803a46ac7d02d32b5208db241509bda30e370014f07f211863e6086ac7ff1ae0cb1966cd60a32ca0cfed5aa2f35415cf676ea8c4120e0fd6fec7ad5dda2bfa envoy/type/v3/range.proto +shake256:e6fddcc8548f308a8bbc564bf1e302e640c95e2c1089a91891eac9711084b3d6b0d69341d9d9bbf7b49f485768df4b6454fb8778d3a76b7a732e0107b2e2b1b6 envoy/type/v3/ratelimit_strategy.proto +shake256:927bc95f9752bc98d44dac7bd56fc63f2e8fd8d8d4416704c396f5b4480c2f5d07ecb0b431050d0f9dc76af34d05731c18a28e62853a4787a9f0e95ca94891a2 envoy/type/v3/ratelimit_unit.proto +shake256:e802325fe5d940c76aab0881202db793985b6b26cbbe58d478363f1145a0c68b400754bd7b96d589d6a441a8f4a8eef8edb2409a202b0ee288818f0db3bcb726 envoy/type/v3/semantic_version.proto +shake256:cdd6fe9a656c7bde8194e9107f48f520b6f73ad7bc8a01b61df2fc56a9a79a09338503cbbcf457e0a9ec23b069851eb6deac656ba2ef31ef19bcc0b5b7fdb69d envoy/type/v3/token_bucket.proto +shake256:b85a6a8a18ed14fd96fa1d81be0f8d40a5f1a873f7dee40f037c004f5d77b5930dbbb9058bceee6ea5a1679cbec098795d13a261aa13afaf4d7e6b29fd7d19fb envoy/watchdog/v3/abort_action.proto diff --git a/modules/sync/envoyproxy/envoy/cas/7f89d816c9b3dd99415e179c26bc1a20c9404b6bfeee89f0e0f6449ecfe84964676d13b594b72f0ae8a8506128500e1e16f933ce8df9d394d1c0c4b45813aa17 b/modules/sync/envoyproxy/envoy/cas/7f89d816c9b3dd99415e179c26bc1a20c9404b6bfeee89f0e0f6449ecfe84964676d13b594b72f0ae8a8506128500e1e16f933ce8df9d394d1c0c4b45813aa17 new file mode 100644 index 00000000..45ee3839 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/7f89d816c9b3dd99415e179c26bc1a20c9404b6bfeee89f0e0f6449ecfe84964676d13b594b72f0ae8a8506128500e1e16f933ce8df9d394d1c0c4b45813aa17 @@ -0,0 +1,19 @@ +syntax = "proto3"; + +package envoy.extensions.grpc_service.call_credentials.access_token.v3; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.grpc_service.call_credentials.access_token.v3"; +option java_outer_classname = "AccessTokenCredentialsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/grpc_service/call_credentials/access_token/v3;access_tokenv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: gRPC Access Token Credentials] + +// [#not-implemented-hide:] +message AccessTokenCredentials { + // The access token. + string token = 1; +} diff --git a/modules/sync/envoyproxy/envoy/cas/8118f88a7d299a9b7a57a7a94aa210aca62d813d5e4d64cca7c913cbe8334daa5bf391ae923972f6abbbee1e223d62dcb39d823d26c5a1d487d1730c552bc10c b/modules/sync/envoyproxy/envoy/cas/8118f88a7d299a9b7a57a7a94aa210aca62d813d5e4d64cca7c913cbe8334daa5bf391ae923972f6abbbee1e223d62dcb39d823d26c5a1d487d1730c552bc10c new file mode 100644 index 00000000..f37feaa9 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/8118f88a7d299a9b7a57a7a94aa210aca62d813d5e4d64cca7c913cbe8334daa5bf391ae923972f6abbbee1e223d62dcb39d823d26c5a1d487d1730c552bc10c @@ -0,0 +1,108 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.ext_proc.v3; + +import "envoy/config/core/v3/grpc_service.proto"; + +import "google/protobuf/duration.proto"; + +import "xds/annotations/v3/status.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.ext_proc.v3"; +option java_outer_classname = "ExtProcProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/ext_proc/v3;ext_procv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; +option (xds.annotations.v3.file_status).work_in_progress = true; + +// [#protodoc-title: External Processing Filter] +// External Processing Filter: Process network traffic using an external service. +// [#extension: envoy.filters.network.ext_proc] + +// The Network External Processing filter allows an external service to process raw TCP/UDP traffic +// in a flexible way using a bidirectional gRPC stream. Unlike the HTTP External Processing filter, +// this filter operates at the L4 (transport) layer, giving access to raw network traffic. +// +// The filter communicates with an external gRPC service that can: +// +// 1. Inspect traffic in both directions +// 2. Modify the network traffic +// 3. Control connection lifecycle (continue, close, or reset) +// +// By using the filter's processing mode, you can selectively choose which data +// directions to process (read, write or both), allowing for efficient processing. +// [#next-free-field: 7] +message NetworkExternalProcessor { + // The gRPC service that will process network traffic. + // This service must implement the NetworkExternalProcessor service + // defined in the proto file /envoy/service/network_ext_proc/v3/external_processor.proto. + config.core.v3.GrpcService grpc_service = 1; + + // By default, if the gRPC stream cannot be established, or if it is closed + // prematurely with an error, the filter will fail, leading to the close of connection. + // With this parameter set to true, however, then if the gRPC stream is prematurely closed + // or could not be opened, processing continues without error. + bool failure_mode_allow = 2; + + // Options for controlling processing behavior. + ProcessingMode processing_mode = 3; + + // Specifies the timeout for each individual message sent on the stream and + // when the filter is running in synchronous mode. Whenever + // the proxy sends a message on the stream that requires a response, it will + // reset this timer, and will stop processing and return an error (subject + // to the processing mode) if the timer expires. Default is 200 ms. + google.protobuf.Duration message_timeout = 4 [(validate.rules).duration = { + lte {seconds: 3600} + gte {} + }]; + + string stat_prefix = 5 [(validate.rules).string = {min_len: 1}]; + + // Options related to the sending and receiving of dynamic metadata. + MetadataOptions metadata_options = 6; +} + +// Options for controlling processing behavior. +// Filter will reject the config if both read and write are SKIP mode. +message ProcessingMode { + // Defines how traffic should be handled by the external processor. + enum DataSendMode { + // Send the data to the external processor for processing whenever the data is ready. + STREAMED = 0; + + // Skip sending the data to the external processor. + SKIP = 1; + } + + // Controls whether inbound (read) data from the client is sent to the external processor. + // Default: STREAMED + DataSendMode process_read = 1; + + // Controls whether outbound (write) data to the client is sent to the external processor. + // Default: STREAMED + DataSendMode process_write = 2; +} + +// The MetadataOptions structure defines options for sending dynamic metadata. Specifically, +// which namespaces to send to the server. +message MetadataOptions { + message MetadataNamespaces { + // Specifies a list of metadata namespaces whose values, if present, + // will be passed to the ext_proc service as an opaque *protobuf::Struct*. + repeated string untyped = 1; + + // Specifies a list of metadata namespaces whose values, if present, + // will be passed to the ext_proc service as a *protobuf::Any*. This allows + // envoy and the external processing server to share the protobuf message + // definition for safe parsing. + repeated string typed = 2; + } + + // Describes which typed or untyped dynamic metadata namespaces to forward to + // the external processing server. + MetadataNamespaces forwarding_namespaces = 1; +} diff --git a/modules/sync/envoyproxy/envoy/cas/81791ad5ea2a3098874b479dccc17f83f0c81af3589b0c1edc99b99fef85ff69ee544e25b234ba6a3dc717e49df5a45f0adba27df13f5d1d56a6c8a4c7e6246f b/modules/sync/envoyproxy/envoy/cas/81791ad5ea2a3098874b479dccc17f83f0c81af3589b0c1edc99b99fef85ff69ee544e25b234ba6a3dc717e49df5a45f0adba27df13f5d1d56a6c8a4c7e6246f new file mode 100644 index 00000000..7e679380 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/81791ad5ea2a3098874b479dccc17f83f0c81af3589b0c1edc99b99fef85ff69ee544e25b234ba6a3dc717e49df5a45f0adba27df13f5d1d56a6c8a4c7e6246f @@ -0,0 +1,203 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.compressor.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/extension.proto"; + +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.compressor.v3"; +option java_outer_classname = "CompressorProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/compressor/v3;compressorv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Compressor] +// Compressor :ref:`configuration overview `. +// [#extension: envoy.filters.http.compressor] + +// [#next-free-field: 10] +message Compressor { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.compressor.v2.Compressor"; + + message CommonDirectionConfig { + // Runtime flag that controls whether compression is enabled for the direction this + // common config is applied to. When this field is ``false``, the filter will operate as a + // pass-through filter in the chosen direction, unless overridden by ``CompressorPerRoute``. + // If this field is not specified, the filter will be enabled. + config.core.v3.RuntimeFeatureFlag enabled = 1; + + // Minimum value of the ``Content-Length`` header in request or response messages (depending on the + // direction this common config is applied to), in bytes, that will trigger compression. Defaults to 30. + google.protobuf.UInt32Value min_content_length = 2; + + // Set of strings that allows specifying which mime-types yield compression; e.g., + // ``application/json``, ``text/html``, etc. + // + // When this field is not specified, compression will be applied to these following mime-types + // and their synonyms: + // + // * ``application/javascript`` + // * ``application/json`` + // * ``application/xhtml+xml`` + // * ``image/svg+xml`` + // * ``text/css`` + // * ``text/html`` + // * ``text/plain`` + // * ``text/xml`` + // + repeated string content_type = 3; + } + + // Configuration for filter behavior on the request direction. + message RequestDirectionConfig { + CommonDirectionConfig common_config = 1; + } + + // Configuration for filter behavior on the response direction. + // [#next-free-field: 6] + message ResponseDirectionConfig { + CommonDirectionConfig common_config = 1; + + // When this field is ``true``, disables compression when the response contains an ``ETag`` header. + // When this field is ``false``, the filter will preserve weak ``ETag`` values and remove those that + // require strong validation. + bool disable_on_etag_header = 2; + + // When this field is ``true``, removes ``Accept-Encoding`` from the request headers before dispatching + // the request to the upstream so that responses do not get compressed before reaching the filter. + // + // .. attention:: + // + // To avoid interfering with other compression filters in the same chain, use this option in + // the filter closest to the upstream. + bool remove_accept_encoding_header = 3; + + // Set of response codes for which compression is disabled; e.g., 206 Partial Content should not + // be compressed. + repeated uint32 uncompressible_response_codes = 4 [(validate.rules).repeated = { + unique: true + items {uint32 {lt: 600 gte: 200}} + }]; + + // If true, the filter adds the ``x-envoy-compression-status`` response + // header to indicate whether the compression occurred and, if not, provide + // the reason why. The header's value format is + // ``;[;]``, where ```` is + // ``Compressed`` or the reason compression was skipped (e.g., + // ``ContentLengthTooSmall``). When this field is enabled, the compressor + // filter alters the order of the compression eligibility checks to report + // the most valid reason for skipping the compression. + bool status_header_enabled = 5; + } + + // Minimum response length, in bytes, which will trigger compression. The default value is 30. + google.protobuf.UInt32Value content_length = 1 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Set of strings that allows specifying which mime-types yield compression; e.g., + // ``application/json``, ``text/html``, etc. + // + // When this field is not specified, compression will be applied to these following mime-types + // and their synonyms: + // + // * ``application/javascript`` + // * ``application/json`` + // * ``application/xhtml+xml`` + // * ``image/svg+xml`` + // * ``text/css`` + // * ``text/html`` + // * ``text/plain`` + // * ``text/xml`` + // + repeated string content_type = 2 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // When this field is ``true``, disables compression when the response contains an ``ETag`` header. + // When this field is ``false``, the filter will preserve weak ``ETag`` values and remove those that + // require strong validation. + bool disable_on_etag_header = 3 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // When this field is ``true``, removes ``Accept-Encoding`` from the request headers before dispatching + // the request to the upstream so that responses do not get compressed before reaching the filter. + // + // .. attention:: + // + // To avoid interfering with other compression filters in the same chain, use this option in + // the filter closest to the upstream. + bool remove_accept_encoding_header = 4 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Runtime flag that controls whether the filter is enabled. When this field is ``false``, the + // filter will operate as a pass-through filter, unless overridden by ``CompressorPerRoute``. + // If this field is not specified, the filter is enabled by default. + config.core.v3.RuntimeFeatureFlag runtime_enabled = 5 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // A compressor library to use for compression. + // [#extension-category: envoy.compression.compressor] + config.core.v3.TypedExtensionConfig compressor_library = 6 + [(validate.rules).message = {required: true}]; + + // Configuration for request compression. If this field is not specified, request compression is disabled. + RequestDirectionConfig request_direction_config = 7; + + // Configuration for response compression. If this field is not specified, response compression is enabled. + // + // .. attention:: + // + // When this field is set, duplicate deprecated fields of the ``Compressor`` message, + // such as ``content_length``, ``content_type``, ``disable_on_etag_header``, + // ``remove_accept_encoding_header``, and ``runtime_enabled``, are ignored. + // + // Additionally, all statistics related to response compression will be rooted in + // ``.compressor...response.*`` + // instead of + // ``.compressor...*``. + ResponseDirectionConfig response_direction_config = 8; + + // When this field is ``true``, this compressor is preferred when q-values in ``Accept-Encoding`` are equal. + // If multiple compressor filters set ``choose_first`` to ``true``, the last one in the filter chain is chosen. + bool choose_first = 9; +} + +// Per-route overrides of ``ResponseDirectionConfig``. Anything added here should be optional, +// to allow overriding arbitrary subsets of configuration. Omitted fields must have no effect. +message ResponseDirectionOverrides { + // If set, overrides the filter-level + // :ref:`remove_accept_encoding_header`. + google.protobuf.BoolValue remove_accept_encoding_header = 1; +} + +// Per-route overrides. As per-route overrides are needed, they should be +// added here, mirroring the structure of ``Compressor``. All fields should be +// optional, to allow overriding arbitrary subsets of configuration. +message CompressorOverrides { + // If present, response compression is enabled. + ResponseDirectionOverrides response_direction_config = 1; + + // A compressor library to use for compression. If specified, this overrides + // the filter-level ``compressor_library`` configuration for this route. + config.core.v3.TypedExtensionConfig compressor_library = 2; +} + +message CompressorPerRoute { + oneof override { + option (validate.required) = true; + + // If set, the filter will operate as a pass-through filter. + // Overrides ``Compressor.runtime_enabled`` and ``CommonDirectionConfig.enabled``. + bool disabled = 1 [(validate.rules).bool = {const: true}]; + + // Per-route overrides. Fields set here will override corresponding fields in ``Compressor``. + CompressorOverrides overrides = 2; + } +} diff --git a/modules/sync/envoyproxy/envoy/cas/87692495bfc4ebe3af7e717827ef318d02ea70d14321bdb6a752efb7b21fb7ea727e7c085cfbac1b698eab1506a9ac73b97ba663a8ddb5d1a24eea0dc07fd5c4 b/modules/sync/envoyproxy/envoy/cas/87692495bfc4ebe3af7e717827ef318d02ea70d14321bdb6a752efb7b21fb7ea727e7c085cfbac1b698eab1506a9ac73b97ba663a8ddb5d1a24eea0dc07fd5c4 new file mode 100644 index 00000000..22faf11b --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/87692495bfc4ebe3af7e717827ef318d02ea70d14321bdb6a752efb7b21fb7ea727e7c085cfbac1b698eab1506a9ac73b97ba663a8ddb5d1a24eea0dc07fd5c4 @@ -0,0 +1,161 @@ +syntax = "proto3"; + +package envoy.extensions.load_balancing_policies.common.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/route/v3/route_components.proto"; +import "envoy/type/v3/percent.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.load_balancing_policies.common.v3"; +option java_outer_classname = "CommonProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/load_balancing_policies/common/v3;commonv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Common configuration for two or more load balancing policy extensions] + +message LocalityLbConfig { + // Configuration for :ref:`zone aware routing + // `. + // [#next-free-field: 7] + message ZoneAwareLbConfig { + // Basis for computing per-locality percentages in zone-aware routing. + enum LocalityBasis { + // Use the number of healthy hosts in each locality. + HEALTHY_HOSTS_NUM = 0; + + // Use the weights of healthy hosts in each locality. + HEALTHY_HOSTS_WEIGHT = 1; + } + + // Configures Envoy to always route requests to the local zone regardless of the + // upstream zone structure. In Envoy's default configuration, traffic is distributed proportionally + // across all upstream hosts while trying to maximize local routing when possible. The approach + // with force_local_zone aims to be more predictable and if there are upstream hosts in the local + // zone, they will receive all traffic. + // * :ref:`runtime values `. + // * :ref:`Zone aware routing support `. + message ForceLocalZone { + // Configures the minimum number of upstream hosts in the local zone required when force_local_zone + // is enabled. If the number of upstream hosts in the local zone is less than the specified value, + // Envoy will fall back to the default proportional-based distribution across localities. + // If not specified, the default is 1. + // * :ref:`runtime values `. + // * :ref:`Zone aware routing support `. + google.protobuf.UInt32Value min_size = 1; + } + + // Configures percentage of requests that will be considered for zone aware routing + // if zone aware routing is configured. If not specified, the default is 100%. + // * :ref:`runtime values `. + // * :ref:`Zone aware routing support `. + type.v3.Percent routing_enabled = 1; + + // Configures minimum upstream cluster size required for zone aware routing + // If upstream cluster size is less than specified, zone aware routing is not performed + // even if zone aware routing is configured. If not specified, the default is 6. + // * :ref:`runtime values `. + // * :ref:`Zone aware routing support `. + google.protobuf.UInt64Value min_cluster_size = 2; + + // If set to true, Envoy will not consider any hosts when the cluster is in :ref:`panic + // mode`. Instead, the cluster will fail all + // requests as if all hosts are unhealthy. This can help avoid potentially overwhelming a + // failing service. + bool fail_traffic_on_panic = 3; + + // If set to true, Envoy will force LocalityDirect routing if a local locality exists. + bool force_locality_direct_routing = 4 + [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + ForceLocalZone force_local_zone = 5; + + // Determines how locality percentages are computed: + // - HEALTHY_HOSTS_NUM: proportional to the count of healthy hosts. + // - HEALTHY_HOSTS_WEIGHT: proportional to the weights of healthy hosts. + // Default value is HEALTHY_HOSTS_NUM if unset. + LocalityBasis locality_basis = 6; + } + + // Configuration for :ref:`locality weighted load balancing + // ` + message LocalityWeightedLbConfig { + } + + oneof locality_config_specifier { + option (validate.required) = true; + + // Configuration for local zone aware load balancing. + ZoneAwareLbConfig zone_aware_lb_config = 1; + + // Enable locality weighted load balancing. + LocalityWeightedLbConfig locality_weighted_lb_config = 2; + } +} + +// Configuration for :ref:`slow start mode `. +message SlowStartConfig { + // Represents the size of slow start window. + // If set, the newly created host remains in slow start mode starting from its creation time + // for the duration of slow start window. + google.protobuf.Duration slow_start_window = 1; + + // This parameter controls the speed of traffic increase over the slow start window. Defaults to 1.0, + // so that endpoint would get linearly increasing amount of traffic. + // When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly. + // The value of aggression parameter should be greater than 0.0. + // By tuning the parameter, is possible to achieve polynomial or exponential shape of ramp-up curve. + // + // During slow start window, effective weight of an endpoint would be scaled with time factor and aggression: + // ``new_weight = weight * max(min_weight_percent, time_factor ^ (1 / aggression))``, + // where ``time_factor=(time_since_start_seconds / slow_start_time_seconds)``. + // + // As time progresses, more and more traffic would be sent to endpoint, which is in slow start window. + // Once host exits slow start, time_factor and aggression no longer affect its weight. + config.core.v3.RuntimeDouble aggression = 2; + + // Configures the minimum percentage of origin weight that avoids too small new weight, + // which may cause endpoints in slow start mode receive no traffic in slow start window. + // If not specified, the default is 10%. + type.v3.Percent min_weight_percent = 3; +} + +// Common Configuration for all consistent hashing load balancers (MaglevLb, RingHashLb, etc.) +message ConsistentHashingLbConfig { + // If set to ``true``, the cluster will use hostname instead of the resolved + // address as the key to consistently hash to an upstream host. Only valid for StrictDNS clusters with hostnames which resolve to a single IP address. + bool use_hostname_for_hashing = 1; + + // Configures percentage of average cluster load to bound per upstream host. For example, with a value of 150 + // no upstream host will get a load more than 1.5 times the average load of all the hosts in the cluster. + // If not specified, the load is not bounded for any upstream host. Typical value for this parameter is between 120 and 200. + // Minimum is 100. + // + // Applies to both Ring Hash and Maglev load balancers. + // + // This is implemented based on the method described in the paper https://arxiv.org/abs/1608.01350. For the specified + // ``hash_balance_factor``, requests to any upstream host are capped at ``hash_balance_factor/100`` times the average number of requests + // across the cluster. When a request arrives for an upstream host that is currently serving at its max capacity, linear probing + // is used to identify an eligible host. Further, the linear probe is implemented using a random jump in hosts ring/table to identify + // the eligible host (this technique is as described in the paper https://arxiv.org/abs/1908.08762 - the random jump avoids the + // cascading overflow effect when choosing the next host in the ring/table). + // + // If weights are specified on the hosts, they are respected. + // + // This is an O(N) algorithm, unlike other load balancers. Using a lower ``hash_balance_factor`` results in more hosts + // being probed, so use a higher value if you require better performance. + google.protobuf.UInt32Value hash_balance_factor = 2 [(validate.rules).uint32 = {gte: 100}]; + + // Specifies a list of hash policies to use for ring hash load balancing. If ``hash_policy`` is + // set, then + // :ref:`route level hash policy ` + // will be ignored. + repeated config.route.v3.RouteAction.HashPolicy hash_policy = 3; +} diff --git a/modules/sync/envoyproxy/envoy/cas/8a58afa18cfd1cbde48136072f331fe02420900d28cff068cca484cb2dff09f3b12409f8ba400ddd9452a4b355431eb52a493c17b870ddf9bd539c0ebd29de0e b/modules/sync/envoyproxy/envoy/cas/8a58afa18cfd1cbde48136072f331fe02420900d28cff068cca484cb2dff09f3b12409f8ba400ddd9452a4b355431eb52a493c17b870ddf9bd539c0ebd29de0e new file mode 100644 index 00000000..fac25959 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/8a58afa18cfd1cbde48136072f331fe02420900d28cff068cca484cb2dff09f3b12409f8ba400ddd9452a4b355431eb52a493c17b870ddf9bd539c0ebd29de0e @@ -0,0 +1,79 @@ +syntax = "proto3"; + +package envoy.extensions.quic.connection_id_generator.quic_lb.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/extensions/transport_sockets/tls/v3/secret.proto"; + +import "xds/annotations/v3/status.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.quic.connection_id_generator.quic_lb.v3"; +option java_outer_classname = "QuicLbProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/quic/connection_id_generator/quic_lb/v3;quic_lbv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: QUIC-LB connection ID generator config] +// [#extension: envoy.quic.connection_id_generator.quic_lb] + +// Configuration for a connection ID generator implementation for the QUIC-LB draft RFC for +// routable connection IDs. +// +// Connection IDs always have the length self encoded, as described in +// https://datatracker.ietf.org/doc/html/draft-ietf-quic-load-balancers#name-length-self-description. +// +// See https://datatracker.ietf.org/doc/html/draft-ietf-quic-load-balancers for details. +// +// .. warning:: +// +// This is still a work in progress. Interoperability testing has not yet been performed. +// [#next-free-field: 7] +message Config { + option (xds.annotations.v3.message_status).work_in_progress = true; + + // Must be at least 1 octet. + // The length of server_id and nonce_length_bytes must be 18 or less. + // See https://datatracker.ietf.org/doc/html/draft-ietf-quic-load-balancers#name-server-id-allocation. + config.core.v3.DataSource server_id = 2 [(validate.rules).message = {required: true}]; + + // If true, indicates that the :ref:`server_id + // ` is base64 encoded. + // + // This can be useful if the ID may contain binary data and must be transmitted as a string, for example in + // an environment variable. + bool server_id_base64_encoded = 6; + + // Optional validation of the expected server ID length. If this is non-zero and the value in ``server_id`` + // does not have a matching length, a configuration error is generated. This can be useful for validating + // that the server ID is valid. + uint32 expected_server_id_length = 3 [(validate.rules).uint32 = {lte: 18}]; + + // The nonce length must be at least 4 bytes. + // The length of server_id and nonce_length_bytes must be 18 bytes or less. + uint32 nonce_length_bytes = 4 [(validate.rules).uint32 = {lte: 16 gte: 4}]; + + // Configuration to fetch the encryption key and configuration version. + // + // The SDS service is for a :ref:`GenericSecret `. + // The data should populate :ref:`secrets `: + // + // "encryption_key" must contain the 16 byte encryption key. + // + // "configuration_version" must contain a 1 byte unsigned integer of value less than 7. + // See https://datatracker.ietf.org/doc/html/draft-ietf-quic-load-balancers#name-config-rotation. + transport_sockets.tls.v3.SdsSecretConfig encryption_parameters = 5 + [(validate.rules).message = {required: true}]; + + // Use the unencrypted mode. This is useful for testing or a simplified implementation of the + // downstream load balancer, but allows for linking different CIDs for the same connection, and + // leaks information about the valid server IDs in use. This mode does not comply with the RFC. + // + // Note that in this mode, :ref:`encryption_parameters + // ` + // is still required because it contains ``configuration_version``, which is still + // needed. ``encryption_key`` can be set to ``inline_string: '0000000000000000'``. + bool unencrypted_mode = 1; +} diff --git a/modules/sync/envoyproxy/envoy/cas/8a596f09ecb0f753602be53fa65fd5f2ed09ec10e1e420f9d13439170a94a16c005769fb5784a80d12f834bdd8bc22043f448c8872b1df65fefa22bde57f8cb9 b/modules/sync/envoyproxy/envoy/cas/8a596f09ecb0f753602be53fa65fd5f2ed09ec10e1e420f9d13439170a94a16c005769fb5784a80d12f834bdd8bc22043f448c8872b1df65fefa22bde57f8cb9 new file mode 100644 index 00000000..0108434a --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/8a596f09ecb0f753602be53fa65fd5f2ed09ec10e1e420f9d13439170a94a16c005769fb5784a80d12f834bdd8bc22043f448c8872b1df65fefa22bde57f8cb9 @@ -0,0 +1,491 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.ext_proc.v3; + +import "envoy/config/common/mutation_rules/v3/mutation_rules.proto"; +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/grpc_service.proto"; +import "envoy/config/core/v3/http_service.proto"; +import "envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto"; +import "envoy/type/matcher/v3/string.proto"; +import "envoy/type/v3/http_status.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/wrappers.proto"; + +import "xds/annotations/v3/status.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/migrate.proto"; +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.ext_proc.v3"; +option java_outer_classname = "ExtProcProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ext_proc/v3;ext_procv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: External Processing Filter] +// External Processing Filter +// [#extension: envoy.filters.http.ext_proc] + +// The External Processing filter allows an external service to act on HTTP traffic in a flexible way. + +// The filter communicates with an external gRPC service called an "external processor" +// that can do a variety of things with the request and response: +// +// * Access and modify the HTTP headers on the request, response, or both. +// * Access and modify the HTTP request and response bodies. +// * Access and modify the dynamic stream metadata. +// * Immediately send an HTTP response downstream and terminate other processing. +// +// The filter communicates with the server using a gRPC bidirectional stream. After the initial +// request, the external server is in control over what additional data is sent to it +// and how it should be processed. +// +// By implementing the protocol specified by the stream, the external server can choose: +// +// * Whether it receives the response message at all. +// * Whether it receives the message body at all, in separate chunks, or as a single buffer. +// * To modify request or response trailers if they already exist. +// +// The filter supports up to six different processing steps. Each is represented by +// a gRPC stream message that is sent to the external processor. For each message, the +// processor must send a matching response. +// +// * Request headers: Contains the headers from the original HTTP request. +// * Request body: If the body is present, the behavior depends on the +// body send mode. In ``BUFFERED`` or ``BUFFERED_PARTIAL`` mode, the body is sent to the external +// processor in a single message. In ``STREAMED`` or ``FULL_DUPLEX_STREAMED`` mode, the body will +// be split across multiple messages sent to the external processor. In ``NONE`` mode, the body +// will not be sent to the external processor. +// * Request trailers: Delivered if they are present and if the trailer mode is set +// to ``SEND``. +// * Response headers: Contains the headers from the HTTP response. Keep in mind +// that if the upstream system sends them before processing the request body that +// this message may arrive before the complete body. +// * Response body: Sent according to the processing mode like the request body. +// * Response trailers: Delivered according to the processing mode like the +// request trailers. +// +// By default, the processor sends only the request and response headers messages. +// This may be changed to include any of the six steps by changing the ``processing_mode`` +// setting of the filter configuration, or by setting the ``mode_override`` of any response +// from the external processor. The latter is only enabled if ``allow_mode_override`` is +// set to true. This way, a processor may, for example, use information +// in the request header to determine whether the message body must be examined, or whether +// the data plane should simply stream it straight through. +// +// All of this together allows a server to process the filter traffic in fairly +// sophisticated ways. For example: +// +// * A server may choose to examine all or part of the HTTP message bodies depending +// on the content of the headers. +// * A server may choose to immediately reject some messages based on their HTTP +// headers (or other dynamic metadata) and more carefully examine others. +// +// The protocol itself is based on a bidirectional gRPC stream. The data plane will send the server +// :ref:`ProcessingRequest ` +// messages, and the server must reply with +// :ref:`ProcessingResponse `. +// +// Stats about each gRPC call are recorded in a :ref:`dynamic filter state +// ` object in a namespace matching the filter +// name. +// +// [#next-free-field: 26] +message ExternalProcessor { + // Describes the route cache action to be taken when an external processor response + // is received in response to request headers. + enum RouteCacheAction { + // The default behavior is to clear the route cache only when the + // :ref:`clear_route_cache ` + // field is set in an external processor response. + DEFAULT = 0; + + // Always clear the route cache irrespective of the ``clear_route_cache`` bit in + // the external processor response. + CLEAR = 1; + + // Do not clear the route cache irrespective of the ``clear_route_cache`` bit in + // the external processor response. Setting to ``RETAIN`` is equivalent to setting the + // :ref:`disable_clear_route_cache ` + // to true. + RETAIN = 2; + } + + reserved 4; + + reserved "async_mode"; + + // Configuration for the gRPC service that the filter will communicate with. + // Only one of ``grpc_service`` or ``http_service`` can be set. + // It is required that one of them must be set. + config.core.v3.GrpcService grpc_service = 1 + [(udpa.annotations.field_migrate).oneof_promotion = "ext_proc_service_type"]; + + // Configuration for the HTTP service that the filter will communicate with. + // Only one of ``http_service`` or + // :ref:`grpc_service ` + // can be set. It is required that one of them must be set. + // + // If ``http_service`` is set, the + // :ref:`processing_mode ` + // cannot be configured to send any body or trailers. i.e., ``http_service`` only supports + // sending request or response headers to the side stream server. + // + // With this configuration, the data plane behavior is: + // + // 1. The headers are first put in a proto message + // :ref:`ProcessingRequest `. + // + // 2. This proto message is then transcoded into a JSON text. + // + // 3. The data plane then sends an HTTP POST message with content-type as "application/json", + // and this JSON text as body to the side stream server. + // + // After the side-stream receives this HTTP request message, it is expected to do as follows: + // + // 1. It converts the body, which is a JSON string, into a ``ProcessingRequest`` + // proto message to examine and mutate the headers. + // + // 2. It then sets the mutated headers into a new proto message + // :ref:`ProcessingResponse `. + // + // 3. It converts the ``ProcessingResponse`` proto message into a JSON text. + // + // 4. It then sends an HTTP response back to the data plane with status code as ``"200"``, + // ``content-type`` as ``"application/json"`` and sets the JSON text as the body. + // + ExtProcHttpService http_service = 20 [ + (udpa.annotations.field_migrate).oneof_promotion = "ext_proc_service_type", + (xds.annotations.v3.field_status).work_in_progress = true + ]; + + // By default, if in the following cases: + // + // 1. The gRPC stream cannot be established. + // + // 2. The gRPC stream is closed prematurely with an error. + // + // 3. The external processing timeouts. + // + // 4. The ext_proc server sends back spurious response messages. + // + // The filter will fail and a local reply with error code + // 504(for timeout case) or 500(for all other cases), will be sent to the downstream. + // + // However, with this parameter set to true and if the above cases happen, the processing + // continues without error. + // + bool failure_mode_allow = 2; + + // Specifies default options for how HTTP headers, trailers, and bodies are + // sent. See ``ProcessingMode`` for details. + ProcessingMode processing_mode = 3; + + // The data plane provides a number of :ref:`attributes ` + // for expressive policies. Each attribute name provided in this field will be + // matched against that list and populated in the + // :ref:`ProcessingRequest.attributes ` field. + // See the :ref:`attribute documentation ` + // for the list of supported attributes and their types. + repeated string request_attributes = 5; + + // The data plane provides a number of :ref:`attributes ` + // for expressive policies. Each attribute name provided in this field will be + // matched against that list and populated in the + // :ref:`ProcessingRequest.attributes ` field. + // See the :ref:`attribute documentation ` + // for the list of supported attributes and their types. + repeated string response_attributes = 6; + + // Specifies the timeout for each individual message sent on the stream. + // Whenever the data plane sends a message on the stream that requires a + // response, it will reset this timer, and will stop processing and return + // an error (subject to the processing mode) if the timer expires before a + // matching response is received. There is no timeout when the filter is + // running in observability mode or when the body send mode is + // ``FULL_DUPLEX_STREAMED``. Zero is a valid config which means the timer + // will be triggered immediately. If not configured, default is 200 + // milliseconds. + google.protobuf.Duration message_timeout = 7 [(validate.rules).duration = { + lte {seconds: 3600} + gte {} + }]; + + // Optional additional prefix to use when emitting statistics. This allows to distinguish + // emitted statistics between configured ``ext_proc`` filters in an HTTP filter chain. + string stat_prefix = 8; + + // Rules that determine what modifications an external processing server may + // make to message headers. If not set, all headers may be modified except + // for "host", ":authority", ":scheme", ":method", and headers that start + // with the header prefix set via + // :ref:`header_prefix ` + // (which is usually "x-envoy"). + // Note that changing headers such as "host" or ":authority" may not in itself + // change the data plane's routing decision, as routes can be cached. To also force the + // route to be recomputed, set the + // :ref:`clear_route_cache ` + // field to true in the same response. + config.common.mutation_rules.v3.HeaderMutationRules mutation_rules = 9; + + // Specify the upper bound of + // :ref:`override_message_timeout ` + // If not specified, by default it is 0, which will effectively disable the ``override_message_timeout`` API. + google.protobuf.Duration max_message_timeout = 10 [(validate.rules).duration = { + lte {seconds: 3600} + gte {} + }]; + + // Allow headers matching the ``forward_rules`` to be forwarded to the external processing server. + // If not set, all headers are forwarded to the external processing server. + HeaderForwardingRules forward_rules = 12; + + // Additional metadata to be added to the filter state for logging purposes. The metadata + // will be added to StreamInfo's filter state under the namespace corresponding to the + // ext_proc filter name. + google.protobuf.Struct filter_metadata = 13; + + // If ``allow_mode_override`` is set to true, the filter config :ref:`processing_mode + // ` + // can be overridden by the response message from the external processing server + // :ref:`mode_override `. + // If not set, ``mode_override`` API in the response message will be ignored. + // Mode override is not supported if the body send mode is ``FULL_DUPLEX_STREAMED``. + bool allow_mode_override = 14; + + // If set to true, ignore the + // :ref:`immediate_response ` + // message in an external processor response. In such case, no local reply will be sent. + // Instead, the stream to the external processor will be closed. There will be no + // more external processing for this stream from now on. + bool disable_immediate_response = 15; + + // Options related to the sending and receiving of dynamic metadata. + MetadataOptions metadata_options = 16; + + // If true, send each part of the HTTP request or response specified by ``ProcessingMode`` + // without pausing on filter chain iteration. It is "Send and Go" mode that can be used + // by external processor to observe the request's data and status. In this mode: + // + // 1. Only ``STREAMED`` and ``NONE`` body processing modes are supported; for any other body + // processing mode, the body will not be sent. + // + // 2. External processor should not send back processing response, as any responses will be ignored. + // This also means that + // :ref:`message_timeout ` + // restriction doesn't apply to this mode. + // + // 3. External processor may still close the stream to indicate that no more messages are needed. + // + // .. warning:: + // + // Flow control is a necessary mechanism to prevent the fast sender (either downstream client or upstream server) + // from overwhelming the external processor when its processing speed is slower. + // This protective measure is being explored and developed but has not been ready yet, so please use your own + // discretion when enabling this feature. + // This work is currently tracked under https://github.com/envoyproxy/envoy/issues/33319. + // + bool observability_mode = 17; + + // Prevents clearing the route-cache when the + // :ref:`clear_route_cache ` + // field is set in an external processor response. + // Only one of ``disable_clear_route_cache`` or ``route_cache_action`` can be set. + // It is recommended to set ``route_cache_action`` which supersedes ``disable_clear_route_cache``. + bool disable_clear_route_cache = 11 + [(udpa.annotations.field_migrate).oneof_promotion = "clear_route_cache_type"]; + + // Specifies the action to be taken when an external processor response is + // received in response to request headers. It is recommended to set this field rather than set + // :ref:`disable_clear_route_cache `. + // Only one of ``disable_clear_route_cache`` or ``route_cache_action`` can be set. + RouteCacheAction route_cache_action = 18 + [(udpa.annotations.field_migrate).oneof_promotion = "clear_route_cache_type"]; + + // Specifies the deferred closure timeout for gRPC stream that connects to external processor. Currently, the deferred stream closure + // is only used in :ref:`observability_mode `. + // In observability mode, gRPC streams may be held open to the external processor longer than the lifetime of the regular client to + // backend stream lifetime. In this case, the data plane will eventually timeout the external processor stream according to this time limit. + // The default value is 5000 milliseconds (5 seconds) if not specified. + google.protobuf.Duration deferred_close_timeout = 19; + + // Send body to the side stream server once it arrives without waiting for the header response from that server. + // It only works for ``STREAMED`` body processing mode. For any other body + // processing modes, it is ignored. + // The server has two options upon receiving a header request: + // + // 1. Instant Response: send the header response as soon as the header request is received. + // + // 2. Delayed Response: wait for the body before sending any response. + // + // In all scenarios, the header-body ordering must always be maintained. + // + // If enabled the data plane will ignore the + // :ref:`mode_override ` + // value that the server sends in the header response. This is because the data plane may have already + // sent the body to the server, prior to processing the header response. + bool send_body_without_waiting_for_header_response = 21; + + // When :ref:`allow_mode_override + // ` is enabled and + // ``allowed_override_modes`` is configured, the filter config :ref:`processing_mode + // ` + // can only be overridden by the response message from the external processing server iff the + // :ref:`mode_override ` is allowed by + // the ``allowed_override_modes`` allow-list below. + // Since ``request_header_mode`` is not applicable in any way, it's ignored in comparison. + repeated ProcessingMode allowed_override_modes = 22; + + // Decorator to introduce custom logic that runs after the ``ProcessingRequest`` is constructed, but + // before it is sent to the External Processor. The ``ProcessingRequest`` may be modified. + // + // .. note:: + // Processing request modifiers are currently in alpha. + // + // [#extension-category: envoy.http.ext_proc.processing_request_modifiers] + config.core.v3.TypedExtensionConfig processing_request_modifier = 25 + [(xds.annotations.v3.field_status).work_in_progress = true]; + + // Decorator to introduce custom logic that runs after a message received from + // the External Processor is processed, but before continuing filter chain iteration. + // + // .. note:: + // Response processors are currently in alpha. + // + // [#extension-category: envoy.http.ext_proc.response_processors] + config.core.v3.TypedExtensionConfig on_processing_response = 23 + [(xds.annotations.v3.field_status).work_in_progress = true]; + + // Sets the HTTP status code that is returned to the client when the external processing server returns + // an error, fails to respond, or cannot be reached. + // + // The default status is ``HTTP 500 Internal Server Error``. + type.v3.HttpStatus status_on_error = 24; +} + +// ExtProcHttpService is used for HTTP communication between the filter and the external processing service. +message ExtProcHttpService { + // Sets the HTTP service which the external processing requests must be sent to. + config.core.v3.HttpService http_service = 1; +} + +// The MetadataOptions structure defines options for the sending and receiving of +// dynamic metadata. Specifically, which namespaces to send to the server, whether +// metadata returned by the server may be written, and how that metadata may be written. +message MetadataOptions { + message MetadataNamespaces { + // Specifies a list of metadata namespaces whose values, if present, + // will be passed to the ``ext_proc`` service as an opaque ``protobuf::Struct``. + repeated string untyped = 1; + + // Specifies a list of metadata namespaces whose values, if present, + // will be passed to the ``ext_proc`` service as a ``protobuf::Any``. This allows + // envoy and the external processing server to share the protobuf message + // definition for safe parsing. + repeated string typed = 2; + } + + // Describes which typed or untyped dynamic metadata namespaces to forward to + // the external processing server. + MetadataNamespaces forwarding_namespaces = 1; + + // Describes which typed or untyped dynamic metadata namespaces to accept from + // the external processing server. Set to empty or leave unset to disallow writing + // any received dynamic metadata. Receiving of typed metadata is not supported. + MetadataNamespaces receiving_namespaces = 2; +} + +// The HeaderForwardingRules structure specifies what headers are +// allowed to be forwarded to the external processing server. +// +// This works as below: +// +// 1. If neither ``allowed_headers`` nor ``disallowed_headers`` is set, all headers are forwarded. +// 2. If both ``allowed_headers`` and ``disallowed_headers`` are set, only headers in the +// ``allowed_headers`` but not in the ``disallowed_headers`` are forwarded. +// 3. If ``allowed_headers`` is set, and ``disallowed_headers`` is not set, only headers in +// the ``allowed_headers`` are forwarded. +// 4. If ``disallowed_headers`` is set, and ``allowed_headers`` is not set, all headers except +// headers in the ``disallowed_headers`` are forwarded. +message HeaderForwardingRules { + // If set, specifically allow any header in this list to be forwarded to the external + // processing server. This can be overridden by the below ``disallowed_headers``. + type.matcher.v3.ListStringMatcher allowed_headers = 1; + + // If set, specifically disallow any header in this list to be forwarded to the external + // processing server. This overrides the above ``allowed_headers`` if a header matches both. + type.matcher.v3.ListStringMatcher disallowed_headers = 2; +} + +// Extra settings that may be added to per-route configuration for a +// virtual host or cluster. +message ExtProcPerRoute { + oneof override { + option (validate.required) = true; + + // Disable the filter for this particular vhost or route. + // If disabled is specified in multiple per-filter-configs, the most specific one will be used. + bool disabled = 1 [(validate.rules).bool = {const: true}]; + + // Override aspects of the configuration for this route. A set of + // overrides in a more specific configuration will override a "disabled" + // flag set in a less-specific one. + ExtProcOverrides overrides = 2; + } +} + +// Overrides that may be set on a per-route basis +// [#next-free-field: 10] +message ExtProcOverrides { + // Set a different processing mode for this route than the default. + ProcessingMode processing_mode = 1; + + // [#not-implemented-hide:] + // Set a different asynchronous processing option than the default. + // Deprecated and not implemented. + bool async_mode = 2 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // [#not-implemented-hide:] + // Set different optional attributes than the default setting of the + // ``request_attributes`` field. + repeated string request_attributes = 3; + + // [#not-implemented-hide:] + // Set different optional properties than the default setting of the + // ``response_attributes`` field. + repeated string response_attributes = 4; + + // Set a different gRPC service for this route than the default. + config.core.v3.GrpcService grpc_service = 5; + + // Options related to the sending and receiving of dynamic metadata. + // Lists of forwarding and receiving namespaces will be overridden in their entirety, + // meaning the most-specific config that specifies this override will be the final + // config used. It is the prerogative of the control plane to ensure this + // most-specific config contains the correct final overrides. + MetadataOptions metadata_options = 6; + + // Additional metadata to include into streams initiated to the ``ext_proc`` gRPC + // service. This can be used for scenarios in which additional ad hoc + // authorization headers (e.g. ``x-foo-bar: baz-key``) are to be injected or + // when a route needs to partially override inherited metadata. + repeated config.core.v3.HeaderValue grpc_initial_metadata = 7; + + // If true, the filter will not fail closed if the gRPC stream is prematurely closed + // or could not be opened. This field is the per-route override of + // :ref:`failure_mode_allow `. + google.protobuf.BoolValue failure_mode_allow = 8; + + // Decorator to introduce custom logic that runs after the ``ProcessingRequest`` is constructed, but + // before it is sent to the External Processor. The ``ProcessingRequest`` may be modified. + // This is a per-route override of + // :ref:`processing_request_modifier `. + config.core.v3.TypedExtensionConfig processing_request_modifier = 9 + [(xds.annotations.v3.field_status).work_in_progress = true]; +} diff --git a/modules/sync/envoyproxy/envoy/cas/8b7b3951df953ac62dfacfadbdb599faeb1072f96527f5ed8455463046d8a62c2ea0932dd5a3bd9feaabfd4812de4c0bf0515be825714cdfa27e1e934e736692 b/modules/sync/envoyproxy/envoy/cas/8b7b3951df953ac62dfacfadbdb599faeb1072f96527f5ed8455463046d8a62c2ea0932dd5a3bd9feaabfd4812de4c0bf0515be825714cdfa27e1e934e736692 new file mode 100644 index 00000000..2ba83ac8 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/8b7b3951df953ac62dfacfadbdb599faeb1072f96527f5ed8455463046d8a62c2ea0932dd5a3bd9feaabfd4812de4c0bf0515be825714cdfa27e1e934e736692 @@ -0,0 +1,32 @@ +syntax = "proto3"; + +package envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3; + +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.bootstrap.reverse_tunnel.upstream_socket_interface.v3"; +option java_outer_classname = "UpstreamReverseConnectionSocketInterfaceProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/bootstrap/reverse_tunnel/upstream_socket_interface/v3;upstream_socket_interfacev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Upstream reverse connection socket interface] +// [#extension: envoy.bootstrap.reverse_tunnel.upstream_socket_interface] + +// Configuration for the upstream reverse connection socket interface. +message UpstreamReverseConnectionSocketInterface { + // Stat prefix for upstream reverse connection socket interface stats. + string stat_prefix = 1; + + // Number of consecutive ping failures before an idle reverse connection socket is marked dead. + // Defaults to 3 if unset. Must be at least 1. + google.protobuf.UInt32Value ping_failure_threshold = 2 [(validate.rules).uint32 = {gte: 1}]; + + // Enable detailed per-node and per-cluster statistics. + // When enabled, emits hidden statistics for individual nodes and clusters. + // Defaults to false. + bool enable_detailed_stats = 3; +} diff --git a/modules/sync/envoyproxy/envoy/cas/8c73bfaf4c0aa348a088e9c432b16703dca8ebd6e0227c4301076f7c64cb1af98bd0a1e395b05f2d4c311d10f57baf851dba7c19dca1e5e447dee7b4b6f9fd81 b/modules/sync/envoyproxy/envoy/cas/8c73bfaf4c0aa348a088e9c432b16703dca8ebd6e0227c4301076f7c64cb1af98bd0a1e395b05f2d4c311d10f57baf851dba7c19dca1e5e447dee7b4b6f9fd81 new file mode 100644 index 00000000..f8feb2f5 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/8c73bfaf4c0aa348a088e9c432b16703dca8ebd6e0227c4301076f7c64cb1af98bd0a1e395b05f2d4c311d10f57baf851dba7c19dca1e5e447dee7b4b6f9fd81 @@ -0,0 +1,335 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "envoy/config/core/v3/base.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/empty.proto"; +import "google/protobuf/struct.proto"; +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/sensitive.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "GrpcServiceProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: gRPC services] + +// gRPC service configuration. This is used by :ref:`ApiConfigSource +// ` and filter configurations. +// [#next-free-field: 7] +message GrpcService { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.GrpcService"; + + // [#next-free-field: 6] + message EnvoyGrpc { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.EnvoyGrpc"; + + // The name of the upstream gRPC cluster. SSL credentials will be supplied + // in the :ref:`Cluster ` :ref:`transport_socket + // `. + string cluster_name = 1 [(validate.rules).string = {min_len: 1}]; + + // The ``:authority`` header in the grpc request. If this field is not set, the authority header value will be ``cluster_name``. + // Note that this authority does not override the SNI. The SNI is provided by the transport socket of the cluster. + string authority = 2 + [(validate.rules).string = + {min_len: 0 max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false}]; + + // Indicates the retry policy for re-establishing the gRPC stream + // This field is optional. If max interval is not provided, it will be set to ten times the provided base interval. + // Currently only supported for xDS gRPC streams. + // If not set, xDS gRPC streams default base interval:500ms, maximum interval:30s will be applied. + RetryPolicy retry_policy = 3; + + // Maximum gRPC message size that is allowed to be received. + // If a message over this limit is received, the gRPC stream is terminated with the RESOURCE_EXHAUSTED error. + // This limit is applied to individual messages in the streaming response and not the total size of streaming response. + // Defaults to 0, which means unlimited. + google.protobuf.UInt32Value max_receive_message_length = 4; + + // This provides gRPC client level control over envoy generated headers. + // If false, the header will be sent but it can be overridden by per stream option. + // If true, the header will be removed and can not be overridden by per stream option. + // Default to false. + bool skip_envoy_headers = 5; + } + + // [#next-free-field: 11] + message GoogleGrpc { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.GoogleGrpc"; + + // See https://grpc.io/grpc/cpp/structgrpc_1_1_ssl_credentials_options.html. + message SslCredentials { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.GoogleGrpc.SslCredentials"; + + // PEM encoded server root certificates. + DataSource root_certs = 1; + + // PEM encoded client private key. + DataSource private_key = 2 [(udpa.annotations.sensitive) = true]; + + // PEM encoded client certificate chain. + DataSource cert_chain = 3; + } + + // Local channel credentials. Only UDS is supported for now. + // See https://github.com/grpc/grpc/pull/15909. + message GoogleLocalCredentials { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.GoogleGrpc.GoogleLocalCredentials"; + } + + // See https://grpc.io/docs/guides/auth.html#credential-types to understand Channel and Call + // credential types. + message ChannelCredentials { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.GoogleGrpc.ChannelCredentials"; + + oneof credential_specifier { + option (validate.required) = true; + + SslCredentials ssl_credentials = 1; + + // https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61 + google.protobuf.Empty google_default = 2; + + GoogleLocalCredentials local_credentials = 3; + } + } + + // [#next-free-field: 8] + message CallCredentials { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials"; + + message ServiceAccountJWTAccessCredentials { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials." + "ServiceAccountJWTAccessCredentials"; + + string json_key = 1; + + uint64 token_lifetime_seconds = 2; + } + + message GoogleIAMCredentials { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials.GoogleIAMCredentials"; + + string authorization_token = 1; + + string authority_selector = 2; + } + + message MetadataCredentialsFromPlugin { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials." + "MetadataCredentialsFromPlugin"; + + reserved 2; + + reserved "config"; + + string name = 1; + + // [#extension-category: envoy.grpc_credentials] + oneof config_type { + google.protobuf.Any typed_config = 3; + } + } + + // Security token service configuration that allows Google gRPC to + // fetch security token from an OAuth 2.0 authorization server. + // See https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 and + // https://github.com/grpc/grpc/pull/19587. + // [#next-free-field: 10] + message StsService { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials.StsService"; + + // URI of the token exchange service that handles token exchange requests. + // [#comment:TODO(asraa): Add URI validation when implemented. Tracked by + // https://github.com/bufbuild/protoc-gen-validate/issues/303] + string token_exchange_service_uri = 1; + + // Location of the target service or resource where the client + // intends to use the requested security token. + string resource = 2; + + // Logical name of the target service where the client intends to + // use the requested security token. + string audience = 3; + + // The desired scope of the requested security token in the + // context of the service or resource where the token will be used. + string scope = 4; + + // Type of the requested security token. + string requested_token_type = 5; + + // The path of subject token, a security token that represents the + // identity of the party on behalf of whom the request is being made. + string subject_token_path = 6 [(validate.rules).string = {min_len: 1}]; + + // Type of the subject token. + string subject_token_type = 7 [(validate.rules).string = {min_len: 1}]; + + // The path of actor token, a security token that represents the identity + // of the acting party. The acting party is authorized to use the + // requested security token and act on behalf of the subject. + string actor_token_path = 8; + + // Type of the actor token. + string actor_token_type = 9; + } + + oneof credential_specifier { + option (validate.required) = true; + + // Access token credentials. + // https://grpc.io/grpc/cpp/namespacegrpc.html#ad3a80da696ffdaea943f0f858d7a360d. + string access_token = 1; + + // Google Compute Engine credentials. + // https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61 + google.protobuf.Empty google_compute_engine = 2; + + // Google refresh token credentials. + // https://grpc.io/grpc/cpp/namespacegrpc.html#a96901c997b91bc6513b08491e0dca37c. + string google_refresh_token = 3; + + // Service Account JWT Access credentials. + // https://grpc.io/grpc/cpp/namespacegrpc.html#a92a9f959d6102461f66ee973d8e9d3aa. + ServiceAccountJWTAccessCredentials service_account_jwt_access = 4; + + // Google IAM credentials. + // https://grpc.io/grpc/cpp/namespacegrpc.html#a9fc1fc101b41e680d47028166e76f9d0. + GoogleIAMCredentials google_iam = 5; + + // Custom authenticator credentials. + // https://grpc.io/grpc/cpp/namespacegrpc.html#a823c6a4b19ffc71fb33e90154ee2ad07. + // https://grpc.io/docs/guides/auth.html#extending-grpc-to-support-other-authentication-mechanisms. + MetadataCredentialsFromPlugin from_plugin = 6; + + // Custom security token service which implements OAuth 2.0 token exchange. + // https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 + // See https://github.com/grpc/grpc/pull/19587. + StsService sts_service = 7; + } + } + + // Channel arguments. + message ChannelArgs { + message Value { + // Pointer values are not supported, since they don't make any sense when + // delivered via the API. + oneof value_specifier { + option (validate.required) = true; + + string string_value = 1; + + int64 int_value = 2; + } + } + + // See grpc_types.h GRPC_ARG #defines for keys that work here. + map args = 1; + } + + // The target URI when using the `Google C++ gRPC client + // `_. + string target_uri = 1 [(validate.rules).string = {min_len: 1}]; + + // The channel credentials to use. See `channel credentials + // `_. + // Ignored if ``channel_credentials_plugin`` is set. + ChannelCredentials channel_credentials = 2; + + // A list of channel credentials plugins. + // The data plane will iterate over the list in order and stop at the first credential type + // that it supports. This provides a mechanism for starting to use new credential types that + // are not yet supported by all data planes. + // [#not-implemented-hide:] + repeated google.protobuf.Any channel_credentials_plugin = 9; + + // The call credentials to use. See `channel credentials + // `_. + // Ignored if ``call_credentials_plugin`` is set. + repeated CallCredentials call_credentials = 3; + + // A list of call credentials plugins. All supported plugins will be used. + // Unsupported plugin types will be ignored. + // [#not-implemented-hide:] + repeated google.protobuf.Any call_credentials_plugin = 10; + + // The human readable prefix to use when emitting statistics for the gRPC + // service. + // + // .. csv-table:: + // :header: Name, Type, Description + // :widths: 1, 1, 2 + // + // streams_total, Counter, Total number of streams opened + // streams_closed_, Counter, Total streams closed with + string stat_prefix = 4 [(validate.rules).string = {min_len: 1}]; + + // The name of the Google gRPC credentials factory to use. This must have been registered with + // Envoy. If this is empty, a default credentials factory will be used that sets up channel + // credentials based on other configuration parameters. + string credentials_factory_name = 5; + + // Additional configuration for site-specific customizations of the Google + // gRPC library. + google.protobuf.Struct config = 6; + + // How many bytes each stream can buffer internally. + // If not set an implementation defined default is applied (1MiB). + google.protobuf.UInt32Value per_stream_buffer_limit_bytes = 7; + + // Custom channels args. + ChannelArgs channel_args = 8; + } + + reserved 4; + + oneof target_specifier { + option (validate.required) = true; + + // Envoy's in-built gRPC client. + // See the :ref:`gRPC services overview ` + // documentation for discussion on gRPC client selection. + EnvoyGrpc envoy_grpc = 1; + + // `Google C++ gRPC client `_ + // See the :ref:`gRPC services overview ` + // documentation for discussion on gRPC client selection. + GoogleGrpc google_grpc = 2; + } + + // The timeout for the gRPC request. This is the timeout for a specific + // request. + google.protobuf.Duration timeout = 3; + + // Additional metadata to include in streams initiated to the GrpcService. This can be used for + // scenarios in which additional ad hoc authorization headers (e.g. ``x-foo-bar: baz-key``) are to + // be injected. For more information, including details on header value syntax, see the + // documentation on :ref:`custom request headers + // `. + repeated HeaderValue initial_metadata = 5; + + // Optional default retry policy for streams toward the service. + // If an async stream doesn't have retry policy configured in its stream options, this retry policy is used. + RetryPolicy retry_policy = 6; +} diff --git a/modules/sync/envoyproxy/envoy/cas/8ec4fe05b983a78569c3685a50e6b3b64124c431c608c880a3b3af5b0a8b568f131ae9e4edddfc7eaa84ec91097f43aa07587560f2f574bca7a35609a4214a06 b/modules/sync/envoyproxy/envoy/cas/8ec4fe05b983a78569c3685a50e6b3b64124c431c608c880a3b3af5b0a8b568f131ae9e4edddfc7eaa84ec91097f43aa07587560f2f574bca7a35609a4214a06 new file mode 100644 index 00000000..fb447f69 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/8ec4fe05b983a78569c3685a50e6b3b64124c431c608c880a3b3af5b0a8b568f131ae9e4edddfc7eaa84ec91097f43aa07587560f2f574bca7a35609a4214a06 @@ -0,0 +1,79 @@ +syntax = "proto3"; + +package envoy.extensions.filters.network.ext_authz.v3; + +import "envoy/config/core/v3/config_source.proto"; +import "envoy/config/core/v3/grpc_service.proto"; +import "envoy/type/matcher/v3/metadata.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.network.ext_authz.v3"; +option java_outer_classname = "ExtAuthzProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/network/ext_authz/v3;ext_authzv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Network External Authorization ] +// The network layer external authorization service configuration +// :ref:`configuration overview `. +// [#extension: envoy.filters.network.ext_authz] + +// External Authorization filter calls out to an external service over the +// gRPC Authorization API defined by +// :ref:`CheckRequest `. +// A failed check will cause this filter to close the TCP connection. +// [#next-free-field: 10] +message ExtAuthz { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.network.ext_authz.v2.ExtAuthz"; + + // The prefix to use when emitting statistics. + string stat_prefix = 1 [(validate.rules).string = {min_len: 1}]; + + // The external authorization gRPC service configuration. + // The default timeout is set to 200ms by this filter. + config.core.v3.GrpcService grpc_service = 2; + + // The filter's behaviour in case the external authorization service does + // not respond back. When it is set to true, Envoy will also allow traffic in case of + // communication failure between authorization service and the proxy. + // Defaults to false. + bool failure_mode_allow = 3; + + // Specifies if the peer certificate is sent to the external service. + // + // When this field is true, Envoy will include the peer X.509 certificate, if available, in the + // :ref:`certificate`. + bool include_peer_certificate = 4; + + // API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and + // version of Check{Request,Response} used on the wire. + config.core.v3.ApiVersion transport_api_version = 5 + [(validate.rules).enum = {defined_only: true}]; + + // Specifies if the filter is enabled with metadata matcher. + // If this field is not specified, the filter will be enabled for all requests. + type.matcher.v3.MetadataMatcher filter_enabled_metadata = 6; + + // Optional labels that will be passed to :ref:`labels` in + // :ref:`destination`. + // The labels will be read from :ref:`metadata` with the specified key. + string bootstrap_metadata_labels_key = 7; + + // Specifies if the TLS session level details like SNI are sent to the external service. + // + // When this field is true, Envoy will include the SNI name used for TLSClientHello, if available, in the + // :ref:`tls_session`. + bool include_tls_session = 8; + + // When set to ``true``, the filter will send a TLS ``access_denied(49)`` alert before closing + // the connection when authorization is denied. This provides better visibility to TLS clients + // about the reason for connection closure. This alert is only sent for TLS connections. The + // non-TLS connections will be closed without sending an alert. + // + // Defaults to ``false``. + bool send_tls_alert_on_denial = 9; +} diff --git a/modules/sync/envoyproxy/envoy/cas/8fb944b54d8d218ce03755d1846a59dfafc5969a1895651ddb83ae80ed0e8ea08d80d06f55e7c7127cfc90da531d1aef6d6a4c3a17e6d5efcf2e63882c36bcbe b/modules/sync/envoyproxy/envoy/cas/8fb944b54d8d218ce03755d1846a59dfafc5969a1895651ddb83ae80ed0e8ea08d80d06f55e7c7127cfc90da531d1aef6d6a4c3a17e6d5efcf2e63882c36bcbe new file mode 100644 index 00000000..2856a7f9 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/8fb944b54d8d218ce03755d1846a59dfafc5969a1895651ddb83ae80ed0e8ea08d80d06f55e7c7127cfc90da531d1aef6d6a4c3a17e6d5efcf2e63882c36bcbe @@ -0,0 +1,109 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.dynamic_modules.v3; + +import "envoy/extensions/dynamic_modules/v3/dynamic_modules.proto"; + +import "google/protobuf/any.proto"; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.dynamic_modules.v3"; +option java_outer_classname = "DynamicModulesProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/dynamic_modules/v3;dynamic_modulesv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: HTTP filter for dynamic modules] +// [#extension: envoy.filters.http.dynamic_modules] + +// Configuration of the HTTP filter for dynamic modules. This filter allows loading shared object files +// that can be loaded via dlopen by the HTTP filter. +// +// A module can be loaded by multiple HTTP filters, hence the program can be structured in a way that +// the module is loaded only once and shared across multiple filters providing multiple functionalities. +// +// A dynamic module HTTP filter can opt into being a terminal filter with no upstream by setting ``terminal_filter`` to +// true in the configuration. A terminal dynamic module can use ``send_`` ABI methods to send response headers, +// body and trailers to the downstream. +message DynamicModuleFilter { + // Specifies the shared-object level configuration. + envoy.extensions.dynamic_modules.v3.DynamicModuleConfig dynamic_module_config = 1; + + // The name for this filter configuration. This can be used to distinguish between different filter implementations + // inside a dynamic module. For example, a module can have completely different filter implementations. + // When Envoy receives this configuration, it passes the filter_name to the dynamic module's HTTP filter config init function + // together with the filter_config. + // That way a module can decide which in-module filter implementation to use based on the name at load time. + string filter_name = 2; + + // The configuration for the filter chosen by filter_name. This is passed to the module's HTTP filter initialization function. + // Together with the filter_name, the module can decide which in-module filter implementation to use and + // fine-tune the behavior of the filter. + // + // For example, if a module has two filter implementations, one for logging and one for header manipulation, + // filter_name is used to choose either logging or header manipulation. The filter_config can be used to + // configure the logging level or the header manipulation behavior. + // + // ``google.protobuf.Struct`` is serialized as JSON before + // passing it to the plugin. ``google.protobuf.BytesValue`` and + // ``google.protobuf.StringValue`` are passed directly without the wrapper. + // + // .. code-block:: yaml + // + // # Passing in a string + // filter_config: + // "@type": "type.googleapis.com/google.protobuf.StringValue" + // value: hello + // + // # Passing in raw bytes + // filter_config: + // "@type": "type.googleapis.com/google.protobuf.BytesValue" + // value: aGVsbG8= # echo -n "hello" | base64 + // + google.protobuf.Any filter_config = 3; + + // Set true if the dynamic module is a terminal filter to use without an upstream. + // The dynamic module is responsible for creating and sending the response to downstream. + bool terminal_filter = 4; +} + +// Configuration of the HTTP per-route filter for dynamic modules. This filter allows loading shared object files +// that can be loaded via dlopen by the HTTP filter. +message DynamicModuleFilterPerRoute { + // Specifies the shared-object level configuration. + envoy.extensions.dynamic_modules.v3.DynamicModuleConfig dynamic_module_config = 1; + + // The name for this filter configuration. This can be used to distinguish between different filter implementations + // inside a dynamic module. For example, a module can have completely different filter implementations. + // When Envoy receives this configuration, it passes the filter_name to the dynamic module's HTTP per-route filter config init function + // together with the filter_config. + // That way a module can decide which in-module filter implementation to use based on the name at load time. + string per_route_config_name = 2; + + // The configuration for the filter chosen by filter_name. This is passed to the module's HTTP per-route filter initialization function. + // Together with the filter_name, the module can decide which in-module filter implementation to use and + // fine-tune the behavior of the filter on a specific route. + // + // For example, if a module has two filter implementations, one for logging and one for header manipulation, + // filter_name is used to choose either logging or header manipulation. The filter_config can be used to + // configure the logging level or the header manipulation behavior. + // + // ``google.protobuf.Struct`` is serialized as JSON before + // passing it to the plugin. ``google.protobuf.BytesValue`` and + // ``google.protobuf.StringValue`` are passed directly without the wrapper. + // + // .. code-block:: yaml + // + // # Passing in a string + // filter_config: + // "@type": "type.googleapis.com/google.protobuf.StringValue" + // value: hello + // + // # Passing in raw bytes + // filter_config: + // "@type": "type.googleapis.com/google.protobuf.BytesValue" + // value: aGVsbG8= # echo -n "hello" | base64 + // + google.protobuf.Any filter_config = 3; +} diff --git a/modules/sync/envoyproxy/envoy/cas/98b4491dad61ce1a62c98a1e229268e712489637a1dbc034c37dc031d42039921071f4396bf583fdebbc731db21196e192bd4c90f847caf51a90c8c54b84775a b/modules/sync/envoyproxy/envoy/cas/98b4491dad61ce1a62c98a1e229268e712489637a1dbc034c37dc031d42039921071f4396bf583fdebbc731db21196e192bd4c90f847caf51a90c8c54b84775a new file mode 100644 index 00000000..ced34e73 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/98b4491dad61ce1a62c98a1e229268e712489637a1dbc034c37dc031d42039921071f4396bf583fdebbc731db21196e192bd4c90f847caf51a90c8c54b84775a @@ -0,0 +1,56 @@ +syntax = "proto3"; + +package envoy.extensions.formatter.cel.v3; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.formatter.cel.v3"; +option java_outer_classname = "CelProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/formatter/cel/v3;celv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Formatter extension for printing CEL expressions] +// [#extension: envoy.formatter.cel] + +// CEL formatter extension implements CEL command operator that evaluates configured +// symbolic Common Expression Language expressions to generate an access log. +// +// See :ref:`here ` for more information on access log configuration. + +// %CEL(EXPRESSION):Z% +// Expressions are based on the set of Envoy :ref:`attributes `. +// Expression errors are considered `-`. Z is an optional parameter denoting string +// truncation up to Z characters long. +// +// Examples: +// +// * ``%CEL(response.code)%`` +// * ``%CEL(connection.mtls)%`` +// * ``%CEL(request.headers['x-envoy-original-path']):10%`` +// * ``%CEL(request.headers['x-log-mtls'] || request.url_path.contains('v1beta3'))%`` + +// Alternatively: %TYPED_CEL(EXPRESSION):Z% +// When using a non-text access log format like JSON, this format command is +// able to emit values of non-string types, like number, boolean, and null, +// based on the output of the CEL expression. It otherwise functions the same as +// %CEL%. CEL types not native to JSON are coerced as follows: +// +// * Bytes are base64 encoded to produce a string. +// * Durations are stringified as a count of seconds, e.g. `duration("1h30m")` +// becomes "5400s". +// * Timestamps are formatted to UTC, e.g. +// `timestamp("2023-08-26T12:39:00-07:00")` becomes +// "2023-08-26T19:39:00+00:00" +// * Maps become objects, provided all keys can be coerced to strings and that +// all values can coerce to types representable in JSON. +// * Lists become lists, provided all values can coerce to types representable +// in JSON. + +// Configuration for the CEL formatter. +// +// .. warning:: +// This extension is treated as built-in extension and will be enabled by default now. +// It is unnecessary to configure this extension. +message Cel { +} diff --git a/modules/sync/envoyproxy/envoy/cas/99340ca1d2b3bf1eecd55bc3e8512fcf36122a457d52627fac20b274a804c12a75057f95d1f06098fe53e1020007197bc09309bf6c8222a9906662b76bcd024e b/modules/sync/envoyproxy/envoy/cas/99340ca1d2b3bf1eecd55bc3e8512fcf36122a457d52627fac20b274a804c12a75057f95d1f06098fe53e1020007197bc09309bf6c8222a9906662b76bcd024e new file mode 100644 index 00000000..b4fe6d72 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/99340ca1d2b3bf1eecd55bc3e8512fcf36122a457d52627fac20b274a804c12a75057f95d1f06098fe53e1020007197bc09309bf6c8222a9906662b76bcd024e @@ -0,0 +1,51 @@ +syntax = "proto3"; + +package envoy.extensions.filters.listener.tls_inspector.v3; + +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.listener.tls_inspector.v3"; +option java_outer_classname = "TlsInspectorProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/tls_inspector/v3;tls_inspectorv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: TLS Inspector Filter] +// Allows detecting whether the transport appears to be TLS or plaintext. +// [#extension: envoy.filters.listener.tls_inspector] + +message TlsInspector { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.listener.tls_inspector.v2.TlsInspector"; + + // Populate ``JA3`` fingerprint hash using data from the TLS Client Hello packet. Default is false. + google.protobuf.BoolValue enable_ja3_fingerprinting = 1; + + // Populate ``JA4`` fingerprint hash using data from the TLS Client Hello packet. + // ``JA4`` is an improved version of ``JA3`` that includes TLS version, ciphers, extensions, + // and ALPN information in a hex format. Default is false. + google.protobuf.BoolValue enable_ja4_fingerprinting = 3; + + // The size in bytes of the initial buffer requested by the tls_inspector. + // If the filter needs to read additional bytes from the socket, the + // filter will double the buffer up to it's default maximum of 16KiB. + // If this size is not defined, defaults to maximum 16KiB that the + // tls inspector will consume. + google.protobuf.UInt32Value initial_read_buffer_size = 2 + [(validate.rules).uint32 = {lt: 65537 gt: 255}]; + + // Close connection when TLS ClientHello message could not be parsed. + // This flag should be enabled only if it is known that incoming connections are expected to use + // TLS protocol, as Envoy does not distinguish between a plain text message or a malformed TLS + // ClientHello message. + // By default this flag is false and TLS ClientHello parsing errors are interpreted as a + // plain text connection. + // Setting this to true will cause connections to be terminated and the ``client_hello_too_large`` + // counter to be incremented if the ClientHello message is over implementation defined limit + // (currently 16Kb). + bool close_connection_on_client_hello_parsing_errors = 4; +} diff --git a/modules/sync/envoyproxy/envoy/cas/9b994b424db196e4024393e9773eb91d6c04f40ff51d62ddc3c5be89bf43a44361f944a70c2a1ef8c60e03fd31bf84b4f94a86b60f0ebadc2c8693a8d50bda2b b/modules/sync/envoyproxy/envoy/cas/9b994b424db196e4024393e9773eb91d6c04f40ff51d62ddc3c5be89bf43a44361f944a70c2a1ef8c60e03fd31bf84b4f94a86b60f0ebadc2c8693a8d50bda2b new file mode 100644 index 00000000..d73086b9 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/9b994b424db196e4024393e9773eb91d6c04f40ff51d62ddc3c5be89bf43a44361f944a70c2a1ef8c60e03fd31bf84b4f94a86b60f0ebadc2c8693a8d50bda2b @@ -0,0 +1,17 @@ +syntax = "proto3"; + +package envoy.extensions.grpc_service.call_credentials.google_compute_engine.v3; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.grpc_service.call_credentials.google_compute_engine.v3"; +option java_outer_classname = "GoogleComputeEngineCredentialsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/grpc_service/call_credentials/google_compute_engine/v3;google_compute_enginev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: gRPC Google Compute Engine Credentials] + +// [#not-implemented-hide:] +message GoogleComputeEngineCredentials { +} diff --git a/modules/sync/envoyproxy/envoy/cas/ac5ba8062d33e4d5aa748d0361c4432c67fc338e29d9e413c1477e57967de535e1f79f135a7ac836cfbc32678b2ee1862b0d14315c6faa0912e542d24be2c20f b/modules/sync/envoyproxy/envoy/cas/ac5ba8062d33e4d5aa748d0361c4432c67fc338e29d9e413c1477e57967de535e1f79f135a7ac836cfbc32678b2ee1862b0d14315c6faa0912e542d24be2c20f new file mode 100644 index 00000000..ba8d471d --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/ac5ba8062d33e4d5aa748d0361c4432c67fc338e29d9e413c1477e57967de535e1f79f135a7ac836cfbc32678b2ee1862b0d14315c6faa0912e542d24be2c20f @@ -0,0 +1,21 @@ +syntax = "proto3"; + +package envoy.extensions.grpc_service.channel_credentials.xds.v3; + +import "google/protobuf/any.proto"; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.grpc_service.channel_credentials.xds.v3"; +option java_outer_classname = "XdsCredentialsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/grpc_service/channel_credentials/xds/v3;xdsv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: gRPC xDS Credentials] + +// [#not-implemented-hide:] +message XdsCredentials { + // Fallback credentials. Required. + google.protobuf.Any fallback_credentials = 1; +} diff --git a/modules/sync/envoyproxy/envoy/cas/ad88cc2e97d5cd12d8392a43fa42460b65a2a3b23825c4e14ef43fa2f559eba6fb9fa12e9d07072fb67fd3c15db9339ce70bcdd1e88476a0864441e122395bab b/modules/sync/envoyproxy/envoy/cas/ad88cc2e97d5cd12d8392a43fa42460b65a2a3b23825c4e14ef43fa2f559eba6fb9fa12e9d07072fb67fd3c15db9339ce70bcdd1e88476a0864441e122395bab new file mode 100644 index 00000000..8d65c457 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/ad88cc2e97d5cd12d8392a43fa42460b65a2a3b23825c4e14ef43fa2f559eba6fb9fa12e9d07072fb67fd3c15db9339ce70bcdd1e88476a0864441e122395bab @@ -0,0 +1,80 @@ +syntax = "proto3"; + +package envoy.type.matcher.v3; + +import "envoy/type/matcher/v3/number.proto"; +import "envoy/type/matcher/v3/string.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.type.matcher.v3"; +option java_outer_classname = "ValueProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/type/matcher/v3;matcherv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Value matcher] + +// Specifies the way to match a Protobuf::Value. Primitive values and ListValue are supported. +// StructValue is not supported and is always not matched. +// [#next-free-field: 8] +message ValueMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.ValueMatcher"; + + // NullMatch is an empty message to specify a null value. + message NullMatch { + option (udpa.annotations.versioning).previous_message_type = + "envoy.type.matcher.ValueMatcher.NullMatch"; + } + + // Specifies how to match a value. + oneof match_pattern { + option (validate.required) = true; + + // If specified, a match occurs if and only if the target value is a NullValue. + NullMatch null_match = 1; + + // If specified, a match occurs if and only if the target value is a double value and is + // matched to this field. + DoubleMatcher double_match = 2; + + // If specified, a match occurs if and only if the target value is a string value and is + // matched to this field. + StringMatcher string_match = 3; + + // If specified, a match occurs if and only if the target value is a bool value and is equal + // to this field. + bool bool_match = 4; + + // If specified, value match will be performed based on whether the path is referring to a + // valid primitive value in the metadata. If the path is referring to a non-primitive value, + // the result is always not matched. + bool present_match = 5; + + // If specified, a match occurs if and only if the target value is a list value and + // is matched to this field. + ListMatcher list_match = 6; + + // If specified, a match occurs if and only if any of the alternatives in the match accept the value. + OrMatcher or_match = 7; + } +} + +// Specifies the way to match a list value. +message ListMatcher { + option (udpa.annotations.versioning).previous_message_type = "envoy.type.matcher.ListMatcher"; + + oneof match_pattern { + option (validate.required) = true; + + // If specified, at least one of the values in the list must match the value specified. + ValueMatcher one_of = 1; + } +} + +// Specifies a list of alternatives for the match. +message OrMatcher { + repeated ValueMatcher value_matchers = 1 [(validate.rules).repeated = {min_items: 2}]; +} diff --git a/modules/sync/envoyproxy/envoy/cas/b22fb32e8f220cb821a316a53743bd76e1b451f2cd1ee36a8ddb9f3ff52f1f6d3ea9512edd7df45bba24f80b6af8b23de34793e48672ff2d384b675883aa5a7c b/modules/sync/envoyproxy/envoy/cas/b22fb32e8f220cb821a316a53743bd76e1b451f2cd1ee36a8ddb9f3ff52f1f6d3ea9512edd7df45bba24f80b6af8b23de34793e48672ff2d384b675883aa5a7c new file mode 100644 index 00000000..b62690b4 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/b22fb32e8f220cb821a316a53743bd76e1b451f2cd1ee36a8ddb9f3ff52f1f6d3ea9512edd7df45bba24f80b6af8b23de34793e48672ff2d384b675883aa5a7c @@ -0,0 +1,164 @@ +syntax = "proto3"; + +package envoy.extensions.matching.common_inputs.network.v3; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.matching.common_inputs.network.v3"; +option java_outer_classname = "NetworkInputsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/matching/common_inputs/network/v3;networkv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Common network matching inputs] + +// Specifies that matching should be performed by the destination IP address. +// [#extension: envoy.matching.inputs.destination_ip] +message DestinationIPInput { +} + +// Specifies that matching should be performed by the destination port. +// [#extension: envoy.matching.inputs.destination_port] +message DestinationPortInput { +} + +// Specifies that matching should be performed by the source IP address. +// [#extension: envoy.matching.inputs.source_ip] +message SourceIPInput { +} + +// Specifies that matching should be performed by the source port. +// [#extension: envoy.matching.inputs.source_port] +message SourcePortInput { +} + +// Input that matches by the directly connected source IP address (this +// will only be different from the source IP address when using a listener +// filter that overrides the source address, such as the :ref:`Proxy Protocol +// listener filter `). +// [#extension: envoy.matching.inputs.direct_source_ip] +message DirectSourceIPInput { +} + +// Input that matches by the source IP type. +// Specifies the source IP match type. The values include: +// +// * ``local`` - matches a connection originating from the same host, +// [#extension: envoy.matching.inputs.source_type] +message SourceTypeInput { +} + +// Input that matches by the requested server name (e.g. SNI in TLS). +// +// :ref:`TLS Inspector ` provides the requested server name based on SNI, +// when TLS protocol is detected. +// [#extension: envoy.matching.inputs.server_name] +message ServerNameInput { +} + +// Input that matches by the transport protocol. +// +// Suggested values include: +// +// * ``raw_buffer`` - default, used when no transport protocol is detected, +// * ``tls`` - set by :ref:`envoy.filters.listener.tls_inspector ` +// when TLS protocol is detected. +// [#extension: envoy.matching.inputs.transport_protocol] +message TransportProtocolInput { +} + +// List of quoted and comma-separated requested application protocols. The list consists of a +// single negotiated application protocol once the network stream is established. +// +// Examples: +// +// * ``'h2','http/1.1'`` +// * ``'h2c'`` +// +// Suggested values in the list include: +// +// * ``http/1.1`` - set by :ref:`envoy.filters.listener.tls_inspector +// ` and :ref:`envoy.filters.listener.http_inspector +// `, +// * ``h2`` - set by :ref:`envoy.filters.listener.tls_inspector ` +// * ``h2c`` - set by :ref:`envoy.filters.listener.http_inspector ` +// +// .. attention:: +// +// Currently, :ref:`TLS Inspector ` provides +// application protocol detection based on the requested +// `ALPN `_ values. +// +// However, the use of ALPN is pretty much limited to the HTTP/2 traffic on the Internet, +// and matching on values other than ``h2`` is going to lead to a lot of false negatives, +// unless all connecting clients are known to use ALPN. +// [#extension: envoy.matching.inputs.application_protocol] +message ApplicationProtocolInput { +} + +// Input that matches by a specific filter state key. +// The value of the provided filter state key will be the raw string representation of the filter state object +// [#extension: envoy.matching.inputs.filter_state] +message FilterStateInput { + string key = 1 [(validate.rules).string = {min_len: 1}]; +} + +// Input that matches dynamic metadata by key. +// DynamicMetadataInput provides a general interface using ``filter`` and ``path`` to retrieve value from +// :ref:`Metadata `. +// +// For example, for the following Metadata: +// +// .. code-block:: yaml +// +// filter_metadata: +// envoy.xxx: +// prop: +// foo: bar +// xyz: +// hello: envoy +// +// The following DynamicMetadataInput will retrieve a string value "bar" from the Metadata. +// +// .. code-block:: yaml +// +// filter: envoy.xxx +// path: +// - key: prop +// - key: foo +// +// [#extension: envoy.matching.inputs.dynamic_metadata] +message DynamicMetadataInput { + // Specifies the segment in a path to retrieve value from Metadata. + // Note: Currently it's not supported to retrieve a value from a list in Metadata. This means that + // if the segment key refers to a list, it has to be the last segment in a path. + message PathSegment { + oneof segment { + option (validate.required) = true; + + // If specified, use the key to retrieve the value in a Struct. + string key = 1 [(validate.rules).string = {min_len: 1}]; + } + } + + // The filter name to retrieve the Struct from the Metadata. + string filter = 1 [(validate.rules).string = {min_len: 1}]; + + // The path to retrieve the Value from the Struct. + repeated PathSegment path = 2 [(validate.rules).repeated = {min_items: 1}]; +} + +// Input that matches by the network namespace of the listener address. +// This input returns the network namespace filepath that was used to create the listening socket. +// On Linux systems, this corresponds to the ``network_namespace_filepath`` field in the +// :ref:`SocketAddress ` configuration. +// +// .. note:: +// +// This input is only meaningful on Linux systems where network namespaces are supported. +// On other platforms, this input will always return an empty value. +// +// [#extension: envoy.matching.inputs.network_namespace] +message NetworkNamespaceInput { +} diff --git a/modules/sync/envoyproxy/envoy/cas/b9baf36cbd39c8e4c3a3b4699a19240971d6076ceda83fe3dabebaa96f691c352be85d73dfd0fe9f2e3af7b6a75d4e22dfd9ded65e58c2122537dde25c74ae8d b/modules/sync/envoyproxy/envoy/cas/b9baf36cbd39c8e4c3a3b4699a19240971d6076ceda83fe3dabebaa96f691c352be85d73dfd0fe9f2e3af7b6a75d4e22dfd9ded65e58c2122537dde25c74ae8d new file mode 100644 index 00000000..cd71bc31 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/b9baf36cbd39c8e4c3a3b4699a19240971d6076ceda83fe3dabebaa96f691c352be85d73dfd0fe9f2e3af7b6a75d4e22dfd9ded65e58c2122537dde25c74ae8d @@ -0,0 +1,78 @@ +syntax = "proto3"; + +package envoy.extensions.stat_sinks.open_telemetry.v3; + +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/grpc_service.proto"; + +import "google/protobuf/wrappers.proto"; + +import "opentelemetry/proto/common/v1/common.proto"; +import "xds/type/matcher/v3/matcher.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.stat_sinks.open_telemetry.v3"; +option java_outer_classname = "OpenTelemetryProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/stat_sinks/open_telemetry/v3;open_telemetryv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Open Telemetry Stats Sink] +// Stats configuration proto schema for ``envoy.stat_sinks.open_telemetry`` sink. +// [#extension: envoy.stat_sinks.open_telemetry] + +// [#next-free-field: 9] +message SinkConfig { + // ConversionAction is used to convert a stat to a metric. If a stat matches, + // the metric_name and static_metric_labels will be + // used to create the metric. This can be used to rename a + // stat, add static labels, and aggregate multiple stats into a single metric. + message ConversionAction { + // The metric name to use for the stat. + string metric_name = 2; + + // Static metric labels to use for the metric. + repeated opentelemetry.proto.common.v1.KeyValue static_metric_labels = 3; + } + + oneof protocol_specifier { + option (validate.required) = true; + + // The upstream gRPC cluster that implements the OTLP/gRPC collector. + config.core.v3.GrpcService grpc_service = 1 [(validate.rules).message = {required: true}]; + } + + // Attributes to be associated with the resource in the OTLP message. + // [#extension-category: envoy.tracers.opentelemetry.resource_detectors] + repeated config.core.v3.TypedExtensionConfig resource_detectors = 7; + + // If set to true, counters will be emitted as deltas, and the OTLP message will have + // ``AGGREGATION_TEMPORALITY_DELTA`` set as AggregationTemporality. + bool report_counters_as_deltas = 2; + + // If set to true, histograms will be emitted as deltas, and the OTLP message will have + // ``AGGREGATION_TEMPORALITY_DELTA`` set as AggregationTemporality. + bool report_histograms_as_deltas = 3; + + // If set to true, metrics will have their tags emitted as OTLP attributes, which may + // contain values used by the tag extractor or additional tags added during stats creation. + // Otherwise, no attributes will be associated with the export message. Default value is true. + google.protobuf.BoolValue emit_tags_as_attributes = 4; + + // If set to true, metric names will be represented as the tag extracted name instead + // of the full metric name. Default value is true. + google.protobuf.BoolValue use_tag_extracted_name = 5; + + // If set, emitted stats names will be prepended with a prefix, so full stat name will be + // .. For example, if the stat name is "foo.bar" and prefix is + // "pre", the full stat name will be "pre.foo.bar". If this field is not set, there is no + // prefix added. According to the example, the full stat name will remain "foo.bar". + string prefix = 6; + + // The custom conversion from a stat to a metric. Currently, the only supported input is + // ``envoy.extensions.matching.common_inputs.stats.v3.StatFullNameMatchInput`` and the only support action is + // ``envoy.extensions.stat_sinks.open_telemetry.v3.SinkConfig.ConversionAction``. + xds.type.matcher.v3.Matcher custom_metric_conversions = 8; +} diff --git a/modules/sync/envoyproxy/envoy/cas/baaa05a38dbd4935506087fa463cfc3a8835aa79213b713885956c4176beea297948117e5ed8dc6a3d1dbb56730ee3f9af5dd3e452dcbc366fc9ef4bb1387570 b/modules/sync/envoyproxy/envoy/cas/baaa05a38dbd4935506087fa463cfc3a8835aa79213b713885956c4176beea297948117e5ed8dc6a3d1dbb56730ee3f9af5dd3e452dcbc366fc9ef4bb1387570 new file mode 100644 index 00000000..77c3af41 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/baaa05a38dbd4935506087fa463cfc3a8835aa79213b713885956c4176beea297948117e5ed8dc6a3d1dbb56730ee3f9af5dd3e452dcbc366fc9ef4bb1387570 @@ -0,0 +1,17 @@ +syntax = "proto3"; + +package envoy.extensions.grpc_service.channel_credentials.google_default.v3; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.grpc_service.channel_credentials.google_default.v3"; +option java_outer_classname = "GoogleDefaultCredentialsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/grpc_service/channel_credentials/google_default/v3;google_defaultv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: gRPC Google Default Credentials] + +// [#not-implemented-hide:] +message GoogleDefaultCredentials { +} diff --git a/modules/sync/envoyproxy/envoy/cas/bb28c723bc3100a46e0f6df343066f7360925ecf2fc8e6c85b07bf99d452c1777085d39e189ebc8c38142048aa9b0881481de9b10ce0c667c18fc0f12a6dfefc b/modules/sync/envoyproxy/envoy/cas/bb28c723bc3100a46e0f6df343066f7360925ecf2fc8e6c85b07bf99d452c1777085d39e189ebc8c38142048aa9b0881481de9b10ce0c667c18fc0f12a6dfefc new file mode 100644 index 00000000..00514a0e --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/bb28c723bc3100a46e0f6df343066f7360925ecf2fc8e6c85b07bf99d452c1777085d39e189ebc8c38142048aa9b0881481de9b10ce0c667c18fc0f12a6dfefc @@ -0,0 +1,17 @@ +syntax = "proto3"; + +package envoy.extensions.grpc_service.channel_credentials.local.v3; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.grpc_service.channel_credentials.local.v3"; +option java_outer_classname = "LocalCredentialsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/grpc_service/channel_credentials/local/v3;localv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: gRPC Local Credentials] + +// [#not-implemented-hide:] +message LocalCredentials { +} diff --git a/modules/sync/envoyproxy/envoy/cas/c4f207e0dd455917f2d2ff262738b2251f0ad9e2089ee7eede8bb1db6616c30ab66a50aefa73b453651d3354aff71bb825481afce3d128202e1e1df32242e949 b/modules/sync/envoyproxy/envoy/cas/c4f207e0dd455917f2d2ff262738b2251f0ad9e2089ee7eede8bb1db6616c30ab66a50aefa73b453651d3354aff71bb825481afce3d128202e1e1df32242e949 new file mode 100644 index 00000000..09c686f1 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/c4f207e0dd455917f2d2ff262738b2251f0ad9e2089ee7eede8bb1db6616c30ab66a50aefa73b453651d3354aff71bb825481afce3d128202e1e1df32242e949 @@ -0,0 +1,24 @@ +syntax = "proto3"; + +package envoy.extensions.grpc_service.call_credentials.service_account_jwt_access.v3; + +import "google/protobuf/duration.proto"; + +import "udpa/annotations/status.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.grpc_service.call_credentials.service_account_jwt_access.v3"; +option java_outer_classname = "ServiceAccountJwtAccessCredentialsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/grpc_service/call_credentials/service_account_jwt_access/v3;service_account_jwt_accessv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: gRPC Service Account JWT Access Credentials] + +// [#not-implemented-hide:] +message ServiceAccountJwtAccessCredentials { + // JSON key. + string json_key = 1; + + // Token lifetime. + google.protobuf.Duration token_lifetime = 2; +} diff --git a/modules/sync/envoyproxy/envoy/cas/cfa0377e1e757d077ba5ce2367ce376d2e02fa8af8e9d17081ce3501c15672485aae78a5096e34615fde5d4c26f3e7074e17e16de774ac82e240d9da8c4cf97b b/modules/sync/envoyproxy/envoy/cas/cfa0377e1e757d077ba5ce2367ce376d2e02fa8af8e9d17081ce3501c15672485aae78a5096e34615fde5d4c26f3e7074e17e16de774ac82e240d9da8c4cf97b new file mode 100644 index 00000000..c421e573 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/cfa0377e1e757d077ba5ce2367ce376d2e02fa8af8e9d17081ce3501c15672485aae78a5096e34615fde5d4c26f3e7074e17e16de774ac82e240d9da8c4cf97b @@ -0,0 +1,51 @@ +syntax = "proto3"; + +package envoy.extensions.filters.listener.tls_inspector.v3; + +import "google/protobuf/wrappers.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.listener.tls_inspector.v3"; +option java_outer_classname = "TlsInspectorProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/listener/tls_inspector/v3;tls_inspectorv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: TLS Inspector Filter] +// Allows detecting whether the transport appears to be TLS or plaintext. +// [#extension: envoy.filters.listener.tls_inspector] + +message TlsInspector { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.listener.tls_inspector.v2.TlsInspector"; + + // Populate ``JA3`` fingerprint hash using data from the TLS Client Hello packet. Default is false. + google.protobuf.BoolValue enable_ja3_fingerprinting = 1; + + // Populate ``JA4`` fingerprint hash using data from the TLS Client Hello packet. + // ``JA4`` is an improved version of ``JA3`` that includes TLS version, ciphers, extensions, + // and ALPN information in a hex format. Default is false. + google.protobuf.BoolValue enable_ja4_fingerprinting = 3; + + // The size in bytes of the initial buffer requested by the tls_inspector. + // If the filter needs to read additional bytes from the socket, the + // filter will double the buffer up to it's default maximum of 64KiB. + // If this size is not defined, defaults to maximum 64KiB that the + // tls inspector will consume. + google.protobuf.UInt32Value initial_read_buffer_size = 2 + [(validate.rules).uint32 = {lt: 65537 gt: 255}]; + + // Close connection when TLS ClientHello message could not be parsed. + // This flag should be enabled only if it is known that incoming connections are expected to use + // TLS protocol, as Envoy does not distinguish between a plain text message or a malformed TLS + // ClientHello message. + // By default this flag is false and TLS ClientHello parsing errors are interpreted as a + // plain text connection. + // Setting this to true will cause connections to be terminated and the ``client_hello_too_large`` + // counter to be incremented if the ClientHello message is over implementation defined limit + // (currently 16Kb). + bool close_connection_on_client_hello_parsing_errors = 4; +} diff --git a/modules/sync/envoyproxy/envoy/cas/d6f4e5d1f41fc974dd3c4e1da68df1cb72b8479132c0e5c469c22658c20bb64000b74a159e7662bd33f6fa597be541cbde8e6bc687823c1854ca56c1253dc34b b/modules/sync/envoyproxy/envoy/cas/d6f4e5d1f41fc974dd3c4e1da68df1cb72b8479132c0e5c469c22658c20bb64000b74a159e7662bd33f6fa597be541cbde8e6bc687823c1854ca56c1253dc34b new file mode 100644 index 00000000..517f532f --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/d6f4e5d1f41fc974dd3c4e1da68df1cb72b8479132c0e5c469c22658c20bb64000b74a159e7662bd33f6fa597be541cbde8e6bc687823c1854ca56c1253dc34b @@ -0,0 +1,188 @@ +syntax = "proto3"; + +package envoy.extensions.upstreams.http.v3; + +import "envoy/config/common/matcher/v3/matcher.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/protocol.proto"; +import "envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.upstreams.http.v3"; +option java_outer_classname = "HttpProtocolOptionsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/upstreams/http/v3;httpv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: HTTP Protocol Options] +// [#extension: envoy.upstreams.http.http_protocol_options] + +// HttpProtocolOptions specifies Http upstream protocol options. This object +// is used in +// :ref:`typed_extension_protocol_options`, +// keyed by the name ``envoy.extensions.upstreams.http.v3.HttpProtocolOptions``. +// +// This controls what protocol(s) should be used for upstream and how said protocol(s) are configured. +// +// This replaces the prior pattern of explicit protocol configuration directly +// in the cluster. So a configuration like this, explicitly configuring the use of HTTP/2 upstream: +// +// .. code:: +// +// clusters: +// - name: some_service +// connect_timeout: 5s +// upstream_http_protocol_options: +// auto_sni: true +// common_http_protocol_options: +// idle_timeout: 1s +// http2_protocol_options: +// max_concurrent_streams: 100 +// .... [further cluster config] +// +// Would now look like this: +// +// .. code:: +// +// clusters: +// - name: some_service +// connect_timeout: 5s +// typed_extension_protocol_options: +// envoy.extensions.upstreams.http.v3.HttpProtocolOptions: +// "@type": type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions +// upstream_http_protocol_options: +// auto_sni: true +// common_http_protocol_options: +// idle_timeout: 1s +// explicit_http_config: +// http2_protocol_options: +// max_concurrent_streams: 100 +// .... [further cluster config] +// [#next-free-field: 9] +message HttpProtocolOptions { + // If this is used, the cluster will only operate on one of the possible upstream protocols. + // Note that HTTP/2 or above should generally be used for upstream gRPC clusters. + message ExplicitHttpConfig { + oneof protocol_config { + option (validate.required) = true; + + config.core.v3.Http1ProtocolOptions http_protocol_options = 1; + + config.core.v3.Http2ProtocolOptions http2_protocol_options = 2; + + // .. warning:: + // QUIC upstream support is currently not ready for internet use. + // Please see :ref:`here ` for details. + config.core.v3.Http3ProtocolOptions http3_protocol_options = 3; + } + } + + // If this is used, the cluster can use either of the configured protocols, and + // will use whichever protocol was used by the downstream connection. + // + // If HTTP/3 is configured for downstream and not configured for upstream, + // HTTP/3 requests will fail over to HTTP/2. + message UseDownstreamHttpConfig { + config.core.v3.Http1ProtocolOptions http_protocol_options = 1; + + config.core.v3.Http2ProtocolOptions http2_protocol_options = 2; + + // .. warning:: + // QUIC upstream support is currently not ready for internet use. + // Please see :ref:`here ` for details. + config.core.v3.Http3ProtocolOptions http3_protocol_options = 3; + } + + // If this is used, the cluster can use either HTTP/1 or HTTP/2, and will use whichever + // protocol is negotiated by ALPN with the upstream. + // Clusters configured with ``AutoHttpConfig`` will use the highest available + // protocol; HTTP/2 if supported, otherwise HTTP/1. + // If the upstream does not support ALPN, ``AutoHttpConfig`` will fail over to HTTP/1. + // This can only be used with transport sockets which support ALPN. Using a + // transport socket which does not support ALPN will result in configuration + // failure. The transport layer may be configured with custom ALPN, but the default ALPN + // for the cluster (or if custom ALPN fails) will be "h2,http/1.1". + message AutoHttpConfig { + config.core.v3.Http1ProtocolOptions http_protocol_options = 1; + + config.core.v3.Http2ProtocolOptions http2_protocol_options = 2; + + // Unlike HTTP/1 and HTTP/2, HTTP/3 will not be configured unless it is + // present, and (soon) only if there is an indication of server side + // support. + // See :ref:`here ` for more information on + // when HTTP/3 will be used, and when Envoy will fail over to TCP. + // + // .. warning:: + // QUIC upstream support is currently not ready for internet use. + // Please see :ref:`here ` for details. + config.core.v3.Http3ProtocolOptions http3_protocol_options = 3; + + // The presence of alternate protocols cache options causes the use of the + // alternate protocols cache, which is responsible for parsing and caching + // HTTP Alt-Svc headers. This enables the use of HTTP/3 for origins that + // advertise supporting it. + // + // .. note:: + // This is required when HTTP/3 is enabled. + config.core.v3.AlternateProtocolsCacheOptions alternate_protocols_cache_options = 4; + } + + message OutlierDetection { + // If specified, only responses matching the matcher will be treated by outlier detection as errors. + // If not specified, only 5xx codes are treated by outlier detection as errors. + config.common.matcher.v3.MatchPredicate error_matcher = 1 + [(validate.rules).message = {required: true}]; + } + + // This contains options common across HTTP/1 and HTTP/2 + config.core.v3.HttpProtocolOptions common_http_protocol_options = 1; + + // This contains common protocol options which are only applied upstream. + config.core.v3.UpstreamHttpProtocolOptions upstream_http_protocol_options = 2; + + // This controls the actual protocol to be used upstream. + oneof upstream_protocol_options { + option (validate.required) = true; + + // To explicitly configure either HTTP/1 or HTTP/2 (but not both!) use ``explicit_http_config``. + ExplicitHttpConfig explicit_http_config = 3; + + // This allows switching on protocol based on what protocol the downstream + // connection used. + UseDownstreamHttpConfig use_downstream_protocol_config = 4; + + // This allows switching on protocol based on ALPN + AutoHttpConfig auto_config = 5; + } + + // Optional HTTP filters for the upstream HTTP filter chain. + // + // .. note:: + // Upstream HTTP filters are currently in alpha. + // + // + // These filters will be applied for all HTTP streams which flow through this + // cluster. Unlike downstream HTTP filters, they will *not* be applied to terminated CONNECT requests. + // + // If using upstream HTTP filters, please be aware that local errors sent by + // upstream HTTP filters will not trigger retries, and local errors sent by + // upstream HTTP filters will count as a final response if hedging is configured. + // [#extension-category: envoy.filters.http.upstream] + repeated filters.network.http_connection_manager.v3.HttpFilter http_filters = 6; + + // Configuration options for Unified Header Validation (UHV). + // UHV is an extensible mechanism for checking validity of HTTP responses. + // + // [#comment:TODO(yanavlasov): Make it a link to the default header validator doc when it becomes visible.] + // Leaving this field unspecified, selects the default header validator ``envoy.http.header_validators.envoy_default``. + // + // [#not-implemented-hide:] + // [#extension-category: envoy.http.header_validators] + config.core.v3.TypedExtensionConfig header_validation_config = 7; + + // Defines http specific outlier detection parameters. + OutlierDetection outlier_detection = 8; +} diff --git a/modules/sync/envoyproxy/envoy/cas/da97c315f9061cb3ed2e89bd696f2f6adc39416b878ae97e5727af3f7b85523eb976d0ff80b28d93cd51923fb49113b14fd54ea90861caed40e570ae541899da b/modules/sync/envoyproxy/envoy/cas/da97c315f9061cb3ed2e89bd696f2f6adc39416b878ae97e5727af3f7b85523eb976d0ff80b28d93cd51923fb49113b14fd54ea90861caed40e570ae541899da new file mode 100644 index 00000000..b3e5e53a --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/da97c315f9061cb3ed2e89bd696f2f6adc39416b878ae97e5727af3f7b85523eb976d0ff80b28d93cd51923fb49113b14fd54ea90861caed40e570ae541899da @@ -0,0 +1,54 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.stateful_session.v3; + +import "envoy/config/core/v3/extension.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.stateful_session.v3"; +option java_outer_classname = "StatefulSessionProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/stateful_session/v3;stateful_sessionv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Stateful session filter] +// Stateful session :ref:`configuration overview `. +// [#extension: envoy.filters.http.stateful_session] + +message StatefulSession { + // Specifies the implementation of session state. This session state is used to store and retrieve the address of the + // upstream host assigned to the session. + // + // [#extension-category: envoy.http.stateful_session] + config.core.v3.TypedExtensionConfig session_state = 1; + + // Determines whether the HTTP request must be strictly routed to the requested destination. When set to ``true``, + // if the requested destination is unavailable, Envoy will return a 503 status code. The default value is ``false``, + // which allows Envoy to fall back to its load balancing mechanism. In this case, if the requested destination is not + // found, the request will be routed according to the load balancing algorithm. + bool strict = 2; + + // Optional stat prefix. If specified, the filter will emit statistics in the + // ``http..stateful_session..`` namespace. If not specified, no statistics will be emitted. + // + // .. note:: + // + // Per-route configuration overrides do not support statistics and will not emit stats even if this field is set + // in the per-route config. + string stat_prefix = 3; +} + +message StatefulSessionPerRoute { + oneof override { + option (validate.required) = true; + + // Disable the stateful session filter for this particular vhost or route. If disabled is + // specified in multiple per-filter-configs, the most specific one will be used. + bool disabled = 1 [(validate.rules).bool = {const: true}]; + + // Per-route stateful session configuration that can be served by RDS or static route table. + StatefulSession stateful_session = 2; + } +} diff --git a/modules/sync/envoyproxy/envoy/cas/df1206e2109fc9b8c5709f4ca2b97bee1b542246208dfade5d301f75f7c2465784191d253bfd96459324e467aed1de28e7af8b1940363ebce406534008fbd60a b/modules/sync/envoyproxy/envoy/cas/df1206e2109fc9b8c5709f4ca2b97bee1b542246208dfade5d301f75f7c2465784191d253bfd96459324e467aed1de28e7af8b1940363ebce406534008fbd60a new file mode 100644 index 00000000..f47546be --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/df1206e2109fc9b8c5709f4ca2b97bee1b542246208dfade5d301f75f7c2465784191d253bfd96459324e467aed1de28e7af8b1940363ebce406534008fbd60a @@ -0,0 +1,131 @@ +syntax = "proto3"; + +package envoy.extensions.http.cache_v2.file_system_http_cache.v3; + +import "envoy/extensions/common/async_files/v3/async_file_manager.proto"; + +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "xds/annotations/v3/status.proto"; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.http.cache_v2.file_system_http_cache.v3"; +option java_outer_classname = "FileSystemHttpCacheProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/http/cache_v2/file_system_http_cache/v3;file_system_http_cachev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; +option (xds.annotations.v3.file_status).work_in_progress = true; + +// [#protodoc-title: FileSystemHttpCacheV2Config] +// [#extension: envoy.extensions.http.cache_v2.file_system_http_cache] + +// Configuration for a cache implementation that caches in the local file system. +// +// By default this cache uses a least-recently-used eviction strategy. +// +// For implementation details, see `DESIGN.md `_. +// [#next-free-field: 11] +message FileSystemHttpCacheV2Config { + // Configuration of a manager for how the file system is used asynchronously. + common.async_files.v3.AsyncFileManagerConfig manager_config = 1 + [(validate.rules).message = {required: true}]; + + // Path at which the cache files will be stored. + // + // This also doubles as the unique identifier for a cache, so a cache can be shared + // between different routes, or separate paths can be used to specify separate caches. + // + // If the same ``cache_path`` is used in more than one ``CacheV2Config``, the rest of the + // ``FileSystemHttpCacheV2Config`` must also match, and will refer to the same cache + // instance. + string cache_path = 2 [(validate.rules).string = {min_len: 1}]; + + // The maximum size of the cache in bytes - when reached, cache eviction is triggered. + // + // This is measured as the sum of file sizes, such that it includes headers, trailers, + // and metadata, but does not include e.g. file system overhead and block size padding. + // + // If unset there is no limit except file system failure. + google.protobuf.UInt64Value max_cache_size_bytes = 3; + + // The maximum size of a cache entry in bytes - larger responses will not be cached. + // + // This is measured as the file size for the cache entry, such that it includes + // headers, trailers, and metadata. + // + // If unset there is no limit. + // + // [#not-implemented-hide:] + google.protobuf.UInt64Value max_individual_cache_entry_size_bytes = 4; + + // The maximum number of cache entries - when reached, cache eviction is triggered. + // + // If unset there is no limit. + google.protobuf.UInt64Value max_cache_entry_count = 5; + + // A number of folders into which to subdivide the cache. + // + // Setting this can help with performance in file systems where a large number of inodes + // in a single branch degrades performance. The optimal value in that case would be + // ``sqrt(expected_cache_entry_count)``. + // + // On file systems that perform well with many inodes, the default value of 1 should be used. + // + // [#not-implemented-hide:] + uint32 cache_subdivisions = 6; + + // The amount of the maximum cache size or count to evict when cache eviction is + // triggered. For example, if ``max_cache_size_bytes`` is 10000000 and ``evict_fraction`` + // is 0.2, then when the cache exceeds 10MB, entries will be evicted until the cache size is + // less than or equal to 8MB. + // + // The default value of 0 means when the cache exceeds 10MB, entries will be evicted only + // until the cache is less than or equal to 10MB. + // + // Evicting a larger fraction will mean the eviction thread will run less often (sparing + // CPU load) at the cost of more cache misses due to the extra evicted entries. + // + // [#not-implemented-hide:] + float evict_fraction = 7; + + // The longest amount of time to wait before running a cache eviction pass. An eviction + // pass may not necessarily remove any files, but it will update the cache state to match + // the on-disk state. This can be important if multiple instances are accessing the same + // cache in parallel. (e.g. if two instances each independently added non-overlapping 10MB + // of content to a cache with a 15MB limit, neither instance would be aware that the limit + // was exceeded without this synchronizing pass.) + // + // If an eviction pass has not happened within this duration, the eviction thread will + // be awoken and perform an eviction pass. + // + // If unset, there will be no eviction passes except those triggered by cache limits. + // + // [#not-implemented-hide:] + google.protobuf.Duration max_eviction_period = 8; + + // The shortest amount of time between cache eviction passes. This can be used to reduce + // eviction churn, if your cache max size can be flexible. If a cache eviction pass already + // occurred more recently than this period when another would be triggered, that new + // pass is cancelled. + // + // This means the cache can potentially grow beyond ``max_cache_size_bytes`` by as much as + // can be written within the duration specified. + // + // Generally you would use *either* ``min_eviction_period`` *or* ``evict_fraction`` to + // reduce churn. Both together will work but since they're both aiming for the same goal, + // it's simpler not to. + // + // [#not-implemented-hide:] + google.protobuf.Duration min_eviction_period = 9; + + // If true, and the cache path does not exist, attempt to create the cache path, including + // any missing directories leading up to it. On failure, the config is rejected. + // + // If false, and the cache path does not exist, the config is rejected. + // + // [#not-implemented-hide:] + bool create_cache_path = 10; +} diff --git a/modules/sync/envoyproxy/envoy/cas/e15b227bff5203ad4e5f26f97f15b19a8737d04089d7548c23a541220080f846ad5c4417fd874560786f53863bc4c76a04dca54138758749257029360097bac3 b/modules/sync/envoyproxy/envoy/cas/e15b227bff5203ad4e5f26f97f15b19a8737d04089d7548c23a541220080f846ad5c4417fd874560786f53863bc4c76a04dca54138758749257029360097bac3 new file mode 100644 index 00000000..12f285df --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/e15b227bff5203ad4e5f26f97f15b19a8737d04089d7548c23a541220080f846ad5c4417fd874560786f53863bc4c76a04dca54138758749257029360097bac3 @@ -0,0 +1,57 @@ +syntax = "proto3"; + +package envoy.extensions.grpc_service.call_credentials.sts_service.v3; + +import "udpa/annotations/status.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.grpc_service.call_credentials.sts_service.v3"; +option java_outer_classname = "StsServiceCredentialsProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/grpc_service/call_credentials/sts_service/v3;sts_servicev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: gRPC STS Credentials] + +// Security token service configuration that allows Google gRPC to +// fetch security token from an OAuth 2.0 authorization server. +// See https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 and +// https://github.com/grpc/grpc/pull/19587. +// [#not-implemented-hide:] +// [#next-free-field: 10] +message StsServiceCredentials { + // URI of the token exchange service that handles token exchange requests. + // [#comment:TODO(asraa): Add URI validation when implemented. Tracked by + // https://github.com/bufbuild/protoc-gen-validate/issues/303] + string token_exchange_service_uri = 1; + + // Location of the target service or resource where the client + // intends to use the requested security token. + string resource = 2; + + // Logical name of the target service where the client intends to + // use the requested security token. + string audience = 3; + + // The desired scope of the requested security token in the + // context of the service or resource where the token will be used. + string scope = 4; + + // Type of the requested security token. + string requested_token_type = 5; + + // The path of subject token, a security token that represents the + // identity of the party on behalf of whom the request is being made. + string subject_token_path = 6 [(validate.rules).string = {min_len: 1}]; + + // Type of the subject token. + string subject_token_type = 7 [(validate.rules).string = {min_len: 1}]; + + // The path of actor token, a security token that represents the identity + // of the acting party. The acting party is authorized to use the + // requested security token and act on behalf of the subject. + string actor_token_path = 8; + + // Type of the actor token. + string actor_token_type = 9; +} diff --git a/modules/sync/envoyproxy/envoy/cas/e2127d379ca4b3095227bfca37afce4626c1f19c0f12fb5750cb96e102ad44a4b69ef87a9ffe1871025355f89b4c2a4ac2c099ff53da65237672a923c2625006 b/modules/sync/envoyproxy/envoy/cas/e2127d379ca4b3095227bfca37afce4626c1f19c0f12fb5750cb96e102ad44a4b69ef87a9ffe1871025355f89b4c2a4ac2c099ff53da65237672a923c2625006 new file mode 100644 index 00000000..b5bc2c4d --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/e2127d379ca4b3095227bfca37afce4626c1f19c0f12fb5750cb96e102ad44a4b69ef87a9ffe1871025355f89b4c2a4ac2c099ff53da65237672a923c2625006 @@ -0,0 +1,227 @@ +syntax = "proto3"; + +package envoy.config.overload.v3; + +import "envoy/type/v3/percent.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.overload.v3"; +option java_outer_classname = "OverloadProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/overload/v3;overloadv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Overload Manager] + +// The Overload Manager provides an extensible framework to protect Envoy instances +// from overload of various resources (memory, cpu, file descriptors, etc). +// It monitors a configurable set of resources and notifies registered listeners +// when triggers related to those resources fire. + +message ResourceMonitor { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.overload.v2alpha.ResourceMonitor"; + + reserved 2; + + reserved "config"; + + // The name of the resource monitor to instantiate. Must match a registered + // resource monitor type. + // See the :ref:`extensions listed in typed_config below ` for the default list of available resource monitor. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // Configuration for the resource monitor being instantiated. + // [#extension-category: envoy.resource_monitors] + oneof config_type { + google.protobuf.Any typed_config = 3; + } +} + +message ThresholdTrigger { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.overload.v2alpha.ThresholdTrigger"; + + // If the resource pressure is greater than or equal to this value, the trigger + // will enter saturation. + double value = 1 [(validate.rules).double = {lte: 1.0 gte: 0.0}]; +} + +message ScaledTrigger { + // If the resource pressure is greater than this value, the trigger will be in the + // :ref:`scaling ` state with value + // ``(pressure - scaling_threshold) / (saturation_threshold - scaling_threshold)``. + double scaling_threshold = 1 [(validate.rules).double = {lte: 1.0 gte: 0.0}]; + + // If the resource pressure is greater than this value, the trigger will enter saturation. + double saturation_threshold = 2 [(validate.rules).double = {lte: 1.0 gte: 0.0}]; +} + +message Trigger { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.overload.v2alpha.Trigger"; + + // The name of the resource this is a trigger for. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + oneof trigger_oneof { + option (validate.required) = true; + + ThresholdTrigger threshold = 2; + + ScaledTrigger scaled = 3; + } +} + +// Typed configuration for the "envoy.overload_actions.reduce_timeouts" action. See +// :ref:`the docs ` for an example of how to configure +// the action with different timeouts and minimum values. +message ScaleTimersOverloadActionConfig { + enum TimerType { + // Unsupported value; users must explicitly specify the timer they want scaled. + UNSPECIFIED = 0; + + // Adjusts the idle timer for downstream HTTP connections that takes effect when there are no active streams. + // This affects the value of :ref:`HttpConnectionManager.common_http_protocol_options.idle_timeout + // ` + HTTP_DOWNSTREAM_CONNECTION_IDLE = 1; + + // Adjusts the idle timer for HTTP streams initiated by downstream clients. + // This affects the value of :ref:`RouteAction.idle_timeout ` and + // :ref:`HttpConnectionManager.stream_idle_timeout + // ` + HTTP_DOWNSTREAM_STREAM_IDLE = 2; + + // Adjusts the timer for how long downstream clients have to finish transport-level negotiations + // before the connection is closed. + // This affects the value of + // :ref:`FilterChain.transport_socket_connect_timeout `. + TRANSPORT_SOCKET_CONNECT = 3; + + // Adjusts the max connection duration timer for downstream HTTP connections. + // This affects the value of + // :ref:`HttpConnectionManager.common_http_protocol_options.max_connection_duration + // `. + HTTP_DOWNSTREAM_CONNECTION_MAX = 4; + + // Adjusts the timeout for the downstream codec to flush an ended stream. + // This affects the value of :ref:`RouteAction.flush_timeout + // ` and + // :ref:`HttpConnectionManager.stream_flush_timeout + // ` + HTTP_DOWNSTREAM_STREAM_FLUSH = 5; + } + + message ScaleTimer { + // The type of timer this minimum applies to. + TimerType timer = 1 [(validate.rules).enum = {defined_only: true not_in: 0}]; + + oneof overload_adjust { + option (validate.required) = true; + + // Sets the minimum duration as an absolute value. + google.protobuf.Duration min_timeout = 2; + + // Sets the minimum duration as a percentage of the maximum value. + type.v3.Percent min_scale = 3; + } + } + + // A set of timer scaling rules to be applied. + repeated ScaleTimer timer_scale_factors = 1 [(validate.rules).repeated = {min_items: 1}]; +} + +message OverloadAction { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.overload.v2alpha.OverloadAction"; + + // The name of the overload action. This is just a well-known string that + // listeners can use for registering callbacks. + // Valid known overload actions include: + // - envoy.overload_actions.stop_accepting_requests + // - envoy.overload_actions.disable_http_keepalive + // - envoy.overload_actions.stop_accepting_connections + // - envoy.overload_actions.reject_incoming_connections + // - envoy.overload_actions.shrink_heap + // - envoy.overload_actions.reduce_timeouts + // - envoy.overload_actions.reset_high_memory_stream + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // A set of triggers for this action. The state of the action is the maximum + // state of all triggers, which can be scalar values between 0 and 1 or + // saturated. Listeners are notified when the overload action changes state. + // An overload manager action can only have one trigger for a given resource + // e.g. :ref:`Trigger.name + // ` must be unique + // in this list. + repeated Trigger triggers = 2 [(validate.rules).repeated = {min_items: 1}]; + + // Configuration for the action being instantiated if applicable. + google.protobuf.Any typed_config = 3; +} + +// A point within the connection or request lifecycle that provides context on +// whether to shed load at that given stage for the current entity at the +// point. +message LoadShedPoint { + // This is just a well-known string for the LoadShedPoint. + // Deployment specific LoadShedPoints e.g. within a custom extension should + // be prefixed by the company / deployment name to avoid colliding with any + // open source LoadShedPoints. + string name = 1 [(validate.rules).string = {min_len: 1}]; + + // A set of triggers for this LoadShedPoint. The LoadShedPoint will use the + // the maximum state of all triggers, which can be scalar values between 0 and + // 1 or saturated. A LoadShedPoint can only have one trigger for a given + // resource e.g. :ref:`Trigger.name + // ` must be unique in + // this list. + repeated Trigger triggers = 2 [(validate.rules).repeated = {min_items: 1}]; +} + +// Configuration for which accounts the WatermarkBuffer Factories should +// track. +message BufferFactoryConfig { + // The minimum power of two at which Envoy starts tracking an account. + // + // Envoy has 8 power of two buckets starting with the provided exponent below. + // Concretely the 1st bucket contains accounts for streams that use + // [2^minimum_account_to_track_power_of_two, + // 2^(minimum_account_to_track_power_of_two + 1)) bytes. + // With the 8th bucket tracking accounts + // >= 128 * 2^minimum_account_to_track_power_of_two. + // + // The maximum value is 56, since we're using uint64_t for bytes counting, + // and that's the last value that would use the 8 buckets. In practice, + // we don't expect the proxy to be holding 2^56 bytes. + // + // If omitted, Envoy should not do any tracking. + uint32 minimum_account_to_track_power_of_two = 1 [(validate.rules).uint32 = {lte: 56 gte: 10}]; +} + +// [#next-free-field: 6] +message OverloadManager { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.overload.v2alpha.OverloadManager"; + + // The interval for refreshing resource usage. + google.protobuf.Duration refresh_interval = 1; + + // The set of resources to monitor. + repeated ResourceMonitor resource_monitors = 2 [(validate.rules).repeated = {min_items: 1}]; + + // The set of overload actions. + repeated OverloadAction actions = 3; + + // The set of load shed points. + repeated LoadShedPoint loadshed_points = 5; + + // Configuration for buffer factory. + BufferFactoryConfig buffer_factory_config = 4; +} diff --git a/modules/sync/envoyproxy/envoy/cas/f3cb7e88d65a8b2d19c1255815c37f61b708887327f5b3a58fe5b6bf8c0c1607d12b7bcabf156947db5c9108c041599af9f6a25ac22d0225326cc1c4418a343d b/modules/sync/envoyproxy/envoy/cas/f3cb7e88d65a8b2d19c1255815c37f61b708887327f5b3a58fe5b6bf8c0c1607d12b7bcabf156947db5c9108c041599af9f6a25ac22d0225326cc1c4418a343d new file mode 100644 index 00000000..430562aa --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/f3cb7e88d65a8b2d19c1255815c37f61b708887327f5b3a58fe5b6bf8c0c1607d12b7bcabf156947db5c9108c041599af9f6a25ac22d0225326cc1c4418a343d @@ -0,0 +1,283 @@ +syntax = "proto3"; + +package envoy.config.core.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/core/v3/extension.proto"; +import "envoy/config/core/v3/grpc_service.proto"; + +import "google/protobuf/any.proto"; +import "google/protobuf/duration.proto"; +import "google/protobuf/wrappers.proto"; + +import "xds/core/v3/authority.proto"; + +import "envoy/annotations/deprecation.proto"; +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.config.core.v3"; +option java_outer_classname = "ConfigSourceProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Configuration sources] + +// xDS API and non-xDS services version. This is used to describe both resource and transport +// protocol versions (in distinct configuration fields). +enum ApiVersion { + // When not specified, we assume v3; it is the only supported version. + AUTO = 0; + + // Use xDS v2 API. This is no longer supported. + V2 = 1 [deprecated = true, (envoy.annotations.deprecated_at_minor_version_enum) = "3.0"]; + + // Use xDS v3 API. + V3 = 2; +} + +// API configuration source. This identifies the API type and cluster that Envoy +// will use to fetch an xDS API. +// [#next-free-field: 10] +message ApiConfigSource { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.ApiConfigSource"; + + // APIs may be fetched via either REST or gRPC. + enum ApiType { + // Ideally this would be 'reserved 0' but one can't reserve the default + // value. Instead we throw an exception if this is ever used. + DEPRECATED_AND_UNAVAILABLE_DO_NOT_USE = 0 + [deprecated = true, (envoy.annotations.disallowed_by_default_enum) = true]; + + // REST-JSON v2 API. The `canonical JSON encoding + // `_ for + // the v2 protos is used. + REST = 1; + + // SotW gRPC service. + GRPC = 2; + + // Using the delta xDS gRPC service, i.e. DeltaDiscovery{Request,Response} + // rather than Discovery{Request,Response}. Rather than sending Envoy the entire state + // with every update, the xDS server only sends what has changed since the last update. + DELTA_GRPC = 3; + + // SotW xDS gRPC with ADS. All resources which resolve to this configuration source will be + // multiplexed on a single connection to an ADS endpoint. + // [#not-implemented-hide:] + AGGREGATED_GRPC = 5; + + // Delta xDS gRPC with ADS. All resources which resolve to this configuration source will be + // multiplexed on a single connection to an ADS endpoint. + // [#not-implemented-hide:] + AGGREGATED_DELTA_GRPC = 6; + } + + // API type (gRPC, REST, delta gRPC) + ApiType api_type = 1 [(validate.rules).enum = {defined_only: true}]; + + // API version for xDS transport protocol. This describes the xDS gRPC/REST + // endpoint and version of [Delta]DiscoveryRequest/Response used on the wire. + ApiVersion transport_api_version = 8 [(validate.rules).enum = {defined_only: true}]; + + // Cluster names should be used only with REST. If > 1 + // cluster is defined, clusters will be cycled through if any kind of failure + // occurs. + // + // .. note:: + // + // The cluster with name ``cluster_name`` must be statically defined and its + // type must not be ``EDS``. + repeated string cluster_names = 2; + + // Multiple gRPC services be provided for GRPC. If > 1 cluster is defined, + // services will be cycled through if any kind of failure occurs. + repeated GrpcService grpc_services = 4; + + // For REST APIs, the delay between successive polls. + google.protobuf.Duration refresh_delay = 3; + + // For REST APIs, the request timeout. If not set, a default value of 1s will be used. + google.protobuf.Duration request_timeout = 5 [(validate.rules).duration = {gt {}}]; + + // For GRPC APIs, the rate limit settings. If present, discovery requests made by Envoy will be + // rate limited. + RateLimitSettings rate_limit_settings = 6; + + // Skip the node identifier in subsequent discovery requests for streaming gRPC config types. + bool set_node_on_first_message_only = 7; + + // A list of config validators that will be executed when a new update is + // received from the ApiConfigSource. Note that each validator handles a + // specific xDS service type, and only the validators corresponding to the + // type url (in ``:ref: DiscoveryResponse`` or ``:ref: DeltaDiscoveryResponse``) + // will be invoked. + // If the validator returns false or throws an exception, the config will be rejected by + // the client, and a NACK will be sent. + // [#extension-category: envoy.config.validators] + repeated TypedExtensionConfig config_validators = 9; +} + +// Aggregated Discovery Service (ADS) options. This is currently empty, but when +// set in :ref:`ConfigSource ` can be used to +// specify that ADS is to be used. +message AggregatedConfigSource { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.AggregatedConfigSource"; +} + +// [#not-implemented-hide:] +// Self-referencing config source options. This is currently empty, but when +// set in :ref:`ConfigSource ` can be used to +// specify that other data can be obtained from the same server. +message SelfConfigSource { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.SelfConfigSource"; + + // API version for xDS transport protocol. This describes the xDS gRPC/REST + // endpoint and version of [Delta]DiscoveryRequest/Response used on the wire. + ApiVersion transport_api_version = 1 [(validate.rules).enum = {defined_only: true}]; +} + +// Rate Limit settings to be applied for discovery requests made by Envoy. +message RateLimitSettings { + option (udpa.annotations.versioning).previous_message_type = + "envoy.api.v2.core.RateLimitSettings"; + + // Maximum number of tokens to be used for rate limiting discovery request calls. If not set, a + // default value of 100 will be used. + google.protobuf.UInt32Value max_tokens = 1; + + // Rate at which tokens will be filled per second. If not set, a default fill rate of 10 tokens + // per second will be used. The minimal fill rate is once per year. Lower + // fill rates will be set to once per year. + google.protobuf.DoubleValue fill_rate = 2 [(validate.rules).double = {gt: 0.0}]; +} + +// Local filesystem path configuration source. +message PathConfigSource { + // Path on the filesystem to source and watch for configuration updates. + // When sourcing configuration for a :ref:`secret `, + // the certificate and key files are also watched for updates. + // + // .. note:: + // + // The path to the source must exist at config load time. + // + // .. note:: + // + // If ``watched_directory`` is *not* configured, Envoy will watch the file path for *moves*. + // This is because in general only moves are atomic. The same method of swapping files as is + // demonstrated in the :ref:`runtime documentation ` can be + // used here also. If ``watched_directory`` is configured, no watch will be placed directly on + // this path. Instead, the configured ``watched_directory`` will be used to trigger reloads of + // this path. This is required in certain deployment scenarios. See below for more information. + string path = 1 [(validate.rules).string = {min_len: 1}]; + + // If configured, this directory will be watched for *moves*. When an entry in this directory is + // moved to, the ``path`` will be reloaded. This is required in certain deployment scenarios. + // + // Specifically, if trying to load an xDS resource using a + // `Kubernetes ConfigMap `_, the + // following configuration might be used: + // 1. Store xds.yaml inside a ConfigMap. + // 2. Mount the ConfigMap to ``/config_map/xds`` + // 3. Configure path ``/config_map/xds/xds.yaml`` + // 4. Configure watched directory ``/config_map/xds`` + // + // The above configuration will ensure that Envoy watches the owning directory for moves which is + // required due to how Kubernetes manages ConfigMap symbolic links during atomic updates. + WatchedDirectory watched_directory = 2; +} + +// Configuration for :ref:`listeners `, :ref:`clusters +// `, :ref:`routes +// `, :ref:`endpoints +// ` etc. may either be sourced from the +// filesystem or from an xDS API source. Filesystem configs are watched with +// inotify for updates. +// [#next-free-field: 9] +message ConfigSource { + option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.ConfigSource"; + + // Authorities that this config source may be used for. An authority specified in a xdstp:// URL + // is resolved to a ``ConfigSource`` prior to configuration fetch. This field provides the + // association between authority name and configuration source. + // [#not-implemented-hide:] + repeated xds.core.v3.Authority authorities = 7; + + oneof config_source_specifier { + option (validate.required) = true; + + // Deprecated in favor of ``path_config_source``. Use that field instead. + string path = 1 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"]; + + // Local filesystem path configuration source. + PathConfigSource path_config_source = 8; + + // API configuration source. + ApiConfigSource api_config_source = 2; + + // When set, ADS will be used to fetch resources. The ADS API configuration + // source in the bootstrap configuration is used. + AggregatedConfigSource ads = 3; + + // [#not-implemented-hide:] + // When set, the client will access the resources from the same server it got the + // ConfigSource from, although not necessarily from the same stream. This is similar to the + // :ref:`ads` field, except that the client may use a + // different stream to the same server. As a result, this field can be used for things + // like LRS that cannot be sent on an ADS stream. It can also be used to link from (e.g.) + // LDS to RDS on the same server without requiring the management server to know its name + // or required credentials. + // [#next-major-version: In xDS v3, consider replacing the ads field with this one, since + // this field can implicitly mean to use the same stream in the case where the ConfigSource + // is provided via ADS and the specified data can also be obtained via ADS.] + SelfConfigSource self = 5; + } + + // When this timeout is specified, Envoy will wait no longer than the specified time for first + // config response on this xDS subscription during the :ref:`initialization process + // `. After reaching the timeout, Envoy will move to the next + // initialization phase, even if the first config is not delivered yet. The timer is activated + // when the xDS API subscription starts, and is disarmed on first config update or on error. 0 + // means no timeout - Envoy will wait indefinitely for the first xDS config (unless another + // timeout applies). The default is 15s. + google.protobuf.Duration initial_fetch_timeout = 4; + + // API version for xDS resources. This implies the type URLs that the client + // will request for resources and the resource type that the client will in + // turn expect to be delivered. + ApiVersion resource_api_version = 6 [(validate.rules).enum = {defined_only: true}]; +} + +// Configuration source specifier for a late-bound extension configuration. The +// parent resource is warmed until all the initial extension configurations are +// received, unless the flag to apply the default configuration is set. +// Subsequent extension updates are atomic on a per-worker basis. Once an +// extension configuration is applied to a request or a connection, it remains +// constant for the duration of processing. If the initial delivery of the +// extension configuration fails, due to a timeout for example, the optional +// default configuration is applied. Without a default configuration, the +// extension is disabled, until an extension configuration is received. The +// behavior of a disabled extension depends on the context. For example, a +// filter chain with a disabled extension filter rejects all incoming streams. +message ExtensionConfigSource { + ConfigSource config_source = 1 [(validate.rules).any = {required: true}]; + + // Optional default configuration to use as the initial configuration if + // there is a failure to receive the initial extension configuration or if + // ``apply_default_config_without_warming`` flag is set. + google.protobuf.Any default_config = 2; + + // Use the default config as the initial configuration without warming and + // waiting for the first discovery response. Requires the default configuration + // to be supplied. + bool apply_default_config_without_warming = 3; + + // A set of permitted extension type URLs for the type encoded inside of the + // :ref:`TypedExtensionConfig `. Extension + // configuration updates are rejected if they do not match any type URL in the set. + repeated string type_urls = 4 [(validate.rules).repeated = {min_items: 1}]; +} diff --git a/modules/sync/envoyproxy/envoy/cas/f6b9dcc9dfb1e6fbaa6b7a84c89c621eb79ec5c7341c179bbe08c3382de9aa3ed34fb549aa090e2c770693b966b3ca9851caf6746064d71c82909c549b2961d7 b/modules/sync/envoyproxy/envoy/cas/f6b9dcc9dfb1e6fbaa6b7a84c89c621eb79ec5c7341c179bbe08c3382de9aa3ed34fb549aa090e2c770693b966b3ca9851caf6746064d71c82909c549b2961d7 new file mode 100644 index 00000000..5c5a9f3e --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/f6b9dcc9dfb1e6fbaa6b7a84c89c621eb79ec5c7341c179bbe08c3382de9aa3ed34fb549aa090e2c770693b966b3ca9851caf6746064d71c82909c549b2961d7 @@ -0,0 +1,250 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.ratelimit.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/config/ratelimit/v3/rls.proto"; +import "envoy/config/route/v3/route_components.proto"; +import "envoy/type/v3/http_status.proto"; + +import "google/protobuf/duration.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; +import "validate/validate.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.ratelimit.v3"; +option java_outer_classname = "RateLimitProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/ratelimit/v3;ratelimitv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: Rate limit] +// Rate limit :ref:`configuration overview `. +// [#extension: envoy.filters.http.ratelimit] + +// [#next-free-field: 18] +message RateLimit { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.rate_limit.v2.RateLimit"; + + // Defines the version of the standard to use for X-RateLimit headers. + // + // [#next-major-version: unify with local ratelimit, should use common.ratelimit.v3.XRateLimitHeadersRFCVersion instead.] + enum XRateLimitHeadersRFCVersion { + // X-RateLimit headers disabled. + OFF = 0; + + // Use `draft RFC Version 03 `_. + DRAFT_VERSION_03 = 1; + } + + // The rate limit domain to use when calling the rate limit service. + string domain = 1 [(validate.rules).string = {min_len: 1}]; + + // Specifies the rate limit configurations to be applied with the same + // stage number. If not set, the default stage number is 0. + // + // .. note:: + // + // The filter supports a range of 0 - 10 inclusively for stage numbers. + uint32 stage = 2 [(validate.rules).uint32 = {lte: 10}]; + + // The type of requests the filter should apply to. The supported + // types are ``internal``, ``external`` or ``both``. A request is considered internal if + // :ref:`x-envoy-internal` is set to true. If + // :ref:`x-envoy-internal` is not set or false, a + // request is considered external. The filter defaults to ``both``, and it will apply to all request + // types. + string request_type = 3 + [(validate.rules).string = {in: "internal" in: "external" in: "both" in: ""}]; + + // The timeout in milliseconds for the rate limit service RPC. If not + // set, this defaults to 20ms. + google.protobuf.Duration timeout = 4; + + // The filter's behaviour in case the rate limiting service does + // not respond back. When it is set to true, Envoy will not allow traffic in case of + // communication failure between rate limiting service and the proxy. + bool failure_mode_deny = 5; + + // Specifies whether a ``RESOURCE_EXHAUSTED`` gRPC code must be returned instead + // of the default ``UNAVAILABLE`` gRPC code for a rate limited gRPC call. The + // HTTP code will be 200 for a gRPC response. + bool rate_limited_as_resource_exhausted = 6; + + // Configuration for an external rate limit service provider. If not + // specified, any calls to the rate limit service will immediately return + // success. + config.ratelimit.v3.RateLimitServiceConfig rate_limit_service = 7 + [(validate.rules).message = {required: true}]; + + // Defines the standard version to use for X-RateLimit headers emitted by the filter: + // + // * ``X-RateLimit-Limit`` - indicates the request-quota associated to the + // client in the current time-window followed by the description of the + // quota policy. The values are returned by the rate limiting service in + // :ref:`current_limit` + // field. Example: ``10, 10;w=1;name="per-ip", 1000;w=3600``. + // * ``X-RateLimit-Remaining`` - indicates the remaining requests in the + // current time-window. The values are returned by the rate limiting service + // in :ref:`limit_remaining` + // field. + // * ``X-RateLimit-Reset`` - indicates the number of seconds until reset of + // the current time-window. The values are returned by the rate limiting service + // in :ref:`duration_until_reset` + // field. + // + // In case rate limiting policy specifies more than one time window, the values + // above represent the window that is closest to reaching its limit. + // + // For more information about the headers specification see selected version of + // the `draft RFC `_. + // + // Disabled by default. + // + // [#next-major-version: unify with local ratelimit, should use common.ratelimit.v3.XRateLimitHeadersRFCVersion instead.] + XRateLimitHeadersRFCVersion enable_x_ratelimit_headers = 8 + [(validate.rules).enum = {defined_only: true}]; + + // Disables emitting the :ref:`x-envoy-ratelimited` header + // in case of rate limiting (i.e. 429 responses). + // Having this header not present potentially makes the request retriable. + bool disable_x_envoy_ratelimited_header = 9; + + // This field allows for a custom HTTP response status code to the downstream client when + // the request has been rate limited. + // Defaults to 429 (TooManyRequests). + // + // .. note:: + // If this is set to < 400, 429 will be used instead. + type.v3.HttpStatus rate_limited_status = 10; + + // Specifies a list of HTTP headers that should be added to each response for requests that + // have been rate limited. + repeated config.core.v3.HeaderValueOption response_headers_to_add = 11 + [(validate.rules).repeated = {max_items: 10}]; + + // Sets the HTTP status that is returned to the client when the ratelimit server returns an error + // or cannot be reached. The default status is 500. + type.v3.HttpStatus status_on_error = 12; + + // Optional additional prefix to use when emitting statistics. This allows to distinguish + // emitted statistics between configured ``ratelimit`` filters in an HTTP filter chain. + string stat_prefix = 13; + + // If set, this will enable -- but not necessarily enforce -- the rate limit for the given + // fraction of requests. + // + // If not set then ``ratelimit.http_filter_enabled`` runtime key will be used to determine + // the fraction of requests to enforce rate limits on. And the default percentage of the + // runtime key is 100% for backwards compatibility. + config.core.v3.RuntimeFractionalPercent filter_enabled = 14; + + // If set, this will enforce the rate limit decisions for the given fraction of requests. + // + // Note: this only applies to the fraction of enabled requests. + // + // If not set then ``ratelimit.http_filter_enforcing`` runtime key will be used to determine + // the fraction of requests to enforce rate limits on. And the default percentage of the + // runtime key is 100% for backwards compatibility. + config.core.v3.RuntimeFractionalPercent filter_enforced = 15; + + // If set, this will override the failure_mode_deny parameter with a runtime fraction. + // If the runtime key is not specified, the value of failure_mode_deny will be used. + // + // Example: + // + // .. code-block:: yaml + // + // failure_mode_deny: true + // failure_mode_deny_percent: + // default_value: + // numerator: 50 + // denominator: HUNDRED + // runtime_key: ratelimit.failure_mode_deny_percent + // + // This means that when the rate limit service is unavailable, 50% of requests will be denied + // (fail closed) and 50% will be allowed (fail open). + config.core.v3.RuntimeFractionalPercent failure_mode_deny_percent = 16; + + // Rate limit configuration that is used to generate a list of descriptor entries based on + // the request context. The generated entries will be sent to the rate limit service. + // If this is set, then + // :ref:`VirtualHost.rate_limits` or + // :ref:`RouteAction.rate_limits` fields + // will be ignored. However, :ref:`RateLimitPerRoute.rate_limits` + // will take precedence over this field. + // + // .. note:: + // Not all configuration fields of + // :ref:`rate limit config ` is supported at here. + // Following fields are not supported: + // + // 1. :ref:`rate limit stage `. + // 2. :ref:`dynamic metadata `. + // 3. :ref:`disable_key `. + // 4. :ref:`override limit `. + repeated config.route.v3.RateLimit rate_limits = 17; +} + +message RateLimitPerRoute { + // [#next-major-version: unify with local ratelimit, should use common.ratelimit.v3.VhRateLimitsOptions instead.] + enum VhRateLimitsOptions { + // Use the virtual host rate limits unless the route has a rate limit policy. + OVERRIDE = 0; + + // Use the virtual host rate limits even if the route has a rate limit policy. + INCLUDE = 1; + + // Ignore the virtual host rate limits even if the route does not have a rate limit policy. + IGNORE = 2; + } + + // The override option determines how the filter handles the cases where there is an override config at a more specific level than this one (from least to most specific: virtual host, route, cluster weight). + // [#not-implemented-hide:] + enum OverrideOptions { + // Client-defined default, typically OVERRIDE_POLICY. If VhRateLimitsOptions is set, that will be used instead. + DEFAULT = 0; + + // If there is an override config at a more specific level, use that instead of this one. + OVERRIDE_POLICY = 1; + + // If there is an override config at a more specific level, use data from both. + INCLUDE_POLICY = 2; + + // If there is an override config at a more specific level, ignore it and use only this one. + IGNORE_POLICY = 3; + } + + // Specifies if the rate limit filter should include the virtual host rate limits. + // [#next-major-version: unify with local ratelimit, should use common.ratelimit.v3.VhRateLimitsOptions instead.] + VhRateLimitsOptions vh_rate_limits = 1 [(validate.rules).enum = {defined_only: true}]; + + // Specifies if the rate limit filter should include the lower levels (route level, virtual host level or cluster weight level) rate limits override options. + // [#not-implemented-hide:] + OverrideOptions override_option = 2 [(validate.rules).enum = {defined_only: true}]; + + // Rate limit configuration that is used to generate a list of descriptor entries based on + // the request context. The generated entries will be used to find one or multiple matched rate + // limit rule from the ``descriptors``. + // If this is set, then + // :ref:`VirtualHost.rate_limits`, + // :ref:`RouteAction.rate_limits` and + // :ref:`RateLimit.rate_limits` fields + // will be ignored. + // + // .. note:: + // Not all configuration fields of + // :ref:`rate limit config ` is supported at here. + // Following fields are not supported: + // + // 1. :ref:`rate limit stage `. + // 2. :ref:`dynamic metadata `. + // 3. :ref:`disable_key `. + // 4. :ref:`override limit `. + repeated config.route.v3.RateLimit rate_limits = 3; + + // Overrides the domain. If not set, uses the filter-level domain instead. + string domain = 4; +} diff --git a/modules/sync/envoyproxy/envoy/cas/fb758aa0b36e31dccf24f3a64b1621e97ef5d8c80f86e6dfa0844df109d719209dbb6a15d74536f66fcefda9fee5154462dbf640963243a2641b84d17b0a4502 b/modules/sync/envoyproxy/envoy/cas/fb758aa0b36e31dccf24f3a64b1621e97ef5d8c80f86e6dfa0844df109d719209dbb6a15d74536f66fcefda9fee5154462dbf640963243a2641b84d17b0a4502 new file mode 100644 index 00000000..42ba44c1 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/fb758aa0b36e31dccf24f3a64b1621e97ef5d8c80f86e6dfa0844df109d719209dbb6a15d74536f66fcefda9fee5154462dbf640963243a2641b84d17b0a4502 @@ -0,0 +1,86 @@ +syntax = "proto3"; + +package envoy.data.tap.v3; + +import "envoy/config/core/v3/base.proto"; +import "envoy/data/tap/v3/common.proto"; + +import "google/protobuf/timestamp.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.data.tap.v3"; +option java_outer_classname = "HttpProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/data/tap/v3;tapv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: HTTP tap data] + +// A fully buffered HTTP trace message. +message HttpBufferedTrace { + option (udpa.annotations.versioning).previous_message_type = + "envoy.data.tap.v2alpha.HttpBufferedTrace"; + + // HTTP message wrapper. + message Message { + option (udpa.annotations.versioning).previous_message_type = + "envoy.data.tap.v2alpha.HttpBufferedTrace.Message"; + + // Message headers. + repeated config.core.v3.HeaderValue headers = 1; + + // Message body. + Body body = 2; + + // Message trailers. + repeated config.core.v3.HeaderValue trailers = 3; + + // The timestamp after receiving the message headers. + google.protobuf.Timestamp headers_received_time = 4; + } + + // Request message. + Message request = 1; + + // Response message. + Message response = 2; + + // downstream connection + Connection downstream_connection = 3; + + // upstream connection + Connection upstream_connection = 4; +} + +// A streamed HTTP trace segment. Multiple segments make up a full trace. +// [#next-free-field: 8] +message HttpStreamedTraceSegment { + option (udpa.annotations.versioning).previous_message_type = + "envoy.data.tap.v2alpha.HttpStreamedTraceSegment"; + + // Trace ID unique to the originating Envoy only. Trace IDs can repeat and should not be used + // for long term stable uniqueness. + uint64 trace_id = 1; + + oneof message_piece { + // Request headers. + config.core.v3.HeaderMap request_headers = 2; + + // Request body chunk. + Body request_body_chunk = 3; + + // Request trailers. + config.core.v3.HeaderMap request_trailers = 4; + + // Response headers. + config.core.v3.HeaderMap response_headers = 5; + + // Response body chunk. + Body response_body_chunk = 6; + + // Response trailers. + config.core.v3.HeaderMap response_trailers = 7; + } +} diff --git a/modules/sync/envoyproxy/envoy/cas/fd2c273b62f3393a47ba7268781f55343d960d6d73d11f37fadb455f1dd4c1d4180fa119a5599ba3434e1032314cc1bf08482ade1ec956fdde963c996aacdb10 b/modules/sync/envoyproxy/envoy/cas/fd2c273b62f3393a47ba7268781f55343d960d6d73d11f37fadb455f1dd4c1d4180fa119a5599ba3434e1032314cc1bf08482ade1ec956fdde963c996aacdb10 new file mode 100644 index 00000000..3e23afe0 --- /dev/null +++ b/modules/sync/envoyproxy/envoy/cas/fd2c273b62f3393a47ba7268781f55343d960d6d73d11f37fadb455f1dd4c1d4180fa119a5599ba3434e1032314cc1bf08482ade1ec956fdde963c996aacdb10 @@ -0,0 +1,63 @@ +syntax = "proto3"; + +package envoy.extensions.filters.http.on_demand.v3; + +import "envoy/config/core/v3/config_source.proto"; + +import "google/protobuf/duration.proto"; + +import "udpa/annotations/status.proto"; +import "udpa/annotations/versioning.proto"; + +option java_package = "io.envoyproxy.envoy.extensions.filters.http.on_demand.v3"; +option java_outer_classname = "OnDemandProto"; +option java_multiple_files = true; +option go_package = "github.com/envoyproxy/go-control-plane/envoy/extensions/filters/http/on_demand/v3;on_demandv3"; +option (udpa.annotations.file_status).package_version_status = ACTIVE; + +// [#protodoc-title: On Demand Discovery] +// On Demand Discovery :ref:`configuration overview `. +// [#extension: envoy.filters.http.on_demand] +// +// .. warning:: +// +// Envoy currently only supports On-demand CDS when using Incremental-xDS and not State-of-the-World. +// + +// Configuration of on-demand CDS. +message OnDemandCds { + // A configuration source for the service that will be used for + // on-demand cluster discovery. + config.core.v3.ConfigSource source = 1; + + // xdstp:// resource locator for on-demand cluster collection. + string resources_locator = 2; + + // The timeout for on demand cluster lookup. If not set, defaults to 5 seconds. + google.protobuf.Duration timeout = 3; +} + +// On Demand Discovery filter config. +message OnDemand { + option (udpa.annotations.versioning).previous_message_type = + "envoy.config.filter.http.on_demand.v2.OnDemand"; + + // An optional configuration for on-demand cluster discovery + // service. If not specified, the on-demand cluster discovery will + // be disabled. When it's specified, the filter will pause the + // request to an unknown cluster and will begin a cluster discovery + // process. When the discovery is finished (successfully or not), the + // request will be resumed for further processing. + OnDemandCds odcds = 1; +} + +// Per-route configuration for On Demand Discovery. +message PerRouteConfig { + // An optional configuration for on-demand cluster discovery + // service. If not specified, the on-demand cluster discovery will + // be disabled. When it's specified, the filter will pause the + // request to an unknown cluster and will begin a cluster discovery + // process. When the discovery is finished (successfully or not), the + // request will be resumed for further processing. + OnDemandCds odcds = 1; +} diff --git a/modules/sync/envoyproxy/envoy/state.json b/modules/sync/envoyproxy/envoy/state.json index a5817507..a09dfbdd 100644 --- a/modules/sync/envoyproxy/envoy/state.json +++ b/modules/sync/envoyproxy/envoy/state.json @@ -71,6 +71,30 @@ { "name": "v1.35.3", "digest": "b586adf6eebcb993444a47e6aea8f80c8f5642a18c2cf618fbe0d566a75de1696a707dbc7babb1c30e0546ba31c1e69e791fa5d1f7bf323d19c731b4575e53eb" + }, + { + "name": "v1.35.4", + "digest": "3f412b3191f2a03f0e2ffffc9f45803b3db58bd1e6842a7ec18d509f3623096a4ff7bc8fb2c2305d22d8dc403f4c0b4eca7e4e88c0a8475f952e405525d9ccb7" + }, + { + "name": "v1.35.5", + "digest": "3f412b3191f2a03f0e2ffffc9f45803b3db58bd1e6842a7ec18d509f3623096a4ff7bc8fb2c2305d22d8dc403f4c0b4eca7e4e88c0a8475f952e405525d9ccb7" + }, + { + "name": "v1.35.6", + "digest": "3f412b3191f2a03f0e2ffffc9f45803b3db58bd1e6842a7ec18d509f3623096a4ff7bc8fb2c2305d22d8dc403f4c0b4eca7e4e88c0a8475f952e405525d9ccb7" + }, + { + "name": "v1.36.0", + "digest": "7f087cb09cf323d4b7a6618148870959c3affaded64b3510afbf484eee19791cf12caf80aa4d5721809b6bfef662053913aeff0e8aa92b3f57774d6ed3f86253" + }, + { + "name": "v1.36.1", + "digest": "7f087cb09cf323d4b7a6618148870959c3affaded64b3510afbf484eee19791cf12caf80aa4d5721809b6bfef662053913aeff0e8aa92b3f57774d6ed3f86253" + }, + { + "name": "v1.36.2", + "digest": "7f087cb09cf323d4b7a6618148870959c3affaded64b3510afbf484eee19791cf12caf80aa4d5721809b6bfef662053913aeff0e8aa92b3f57774d6ed3f86253" } ] } \ No newline at end of file diff --git a/modules/sync/googleapis/googleapis/state.json b/modules/sync/googleapis/googleapis/state.json index ed26ac25..78285371 100644 --- a/modules/sync/googleapis/googleapis/state.json +++ b/modules/sync/googleapis/googleapis/state.json @@ -20351,6 +20351,178 @@ { "name": "7186b66aac6d5b1f9eec99d394e472d216e4ff73", "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "9215671dbc32a2bb26be3fe0678f7942ca12b365", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "4823efd0b9944891ec5c387104dcc2ec401307a8", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "1ff0474145dbec6d3383d2cf13f5ff9ffa0b9076", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "a23c95636dae08dfc8f536a766eb56e935ab5455", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "bd4166c4286c811921664b073d1b49f60a16f92b", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "8dc86c1605c2ad127b5cd1ef48fb0275930f9eea", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "9da837b53027792b642ef5240527217f2863c505", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "27786089a84bb9fa799ef01d3bd1e4234ba1790f", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "102d9f92ac6ed649a61efd9b208e4d1de278e9bb", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "27cca3c8e987448afe8514412d5deb5c425a2b1f", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "d03473687a9a0a5b1948b0d2d95936fab7201a35", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "8d338e28962b1df3764460e2855520c3aa67a320", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "eadc8746857a29a0060df90867e198fa15cb9211", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "251a3d8be55f1c4f4b700817a7a26384e99825c3", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "1135291431e84c77bad208b5a78b20914cb7f488", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "0509f5df22c35606062249a2ce2b00877ab2f445", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "6821943108fe3284f483defc9b60774a3752de2b", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "4b1fe4dbb4156c42e9d09c294d74f36c7a3fc4ac", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "db61975fe3b3edabed32fda8056d08e79a93a59e", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "91d2fc62957fbcbc868da1adcb033f7259e003c4", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "3403a38bb54bf2a259a18500febf7a85a7738644", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "bd5f32d634d0dfd6a367c1ea707643ab99161d4e", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "63281f4aefb15e92e95109e84ff7542cc5ed7483", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "7e90a532b8fc4a127ffda6932dc0af894c2ac3c8", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "9ee628bb8316d96cf2a9059d602a4c85136594bc", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "a9ebc23947a515fab3de97ff326c86fc8f03fae1", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "a32b926f35bf473f7ba31383e5247175beccd576", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "4c5d582e991ca0b60299343b44ecabe80eae1a69", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "fd84be8a8b7b2da061b91b753506f773e2fc9ec4", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "f495b4597a94f9289d7f84a4d057c5a157f14043", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "a245a40be67d28af43821756e4b3b2183e929169", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "ac02e45c23e8f55b81fd1425190dd7d4e11390f7", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "e9389923bc69ee18417b47085d09191224638282", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "4591295cdf3e25890919115dde0e546c94046e2c", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "fef700942b6a3ef8bbaf253306a0a652a1858552", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "ed1d7ff27c33621b2a52eb55b7d6222650ec348f", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "979af4bd0c12f882dfeb87e89461aa7ccd1ea4b4", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "3322511885371d2b2253f209ccc3aa60d4100cfd", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "50d4eb9c778c4cfe10c6cf407bb25c9ef0bab349", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "59aac0a6555b532c36d18a9c30c557db9676c745", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "b153a9181ce3a5e76009ab69988889cc91fa4530", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "d9bfa3b37fe3be55e77bf06d625ab9a5000456c1", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" + }, + { + "name": "c288189b43c016dd3cf1ec73ce3cadee8b732f07", + "digest": "b3ac4d383db09f92ab0ca85d12bff8c49eddf7031bd3a854c260b6ac4ed6a2bb85b52b3393c316d28f8038bf3b8e70cb3d16470e8cc4423007678fb6d89d36d4" } ] } \ No newline at end of file diff --git a/modules/sync/googlechrome/lighthouse/cas/57c88dfb9c8994262426a3278d9e5d41f2b998b28a4c2858564aa67a235a8c5fce21bed2ffa85bcb09224a6b928f58e421b96a70db98774154f1036717455ac9 b/modules/sync/googlechrome/lighthouse/cas/57c88dfb9c8994262426a3278d9e5d41f2b998b28a4c2858564aa67a235a8c5fce21bed2ffa85bcb09224a6b928f58e421b96a70db98774154f1036717455ac9 new file mode 100644 index 00000000..59a78fdc --- /dev/null +++ b/modules/sync/googlechrome/lighthouse/cas/57c88dfb9c8994262426a3278d9e5d41f2b998b28a4c2858564aa67a235a8c5fce21bed2ffa85bcb09224a6b928f58e421b96a70db98774154f1036717455ac9 @@ -0,0 +1,4 @@ +shake256:a9c4ad5b20a2946a25d5efb7f096b32ffaa567e3e9a7d89984870104aab45f08d7f6f10c7c72affdc4aabab0471066958ae97c3bb5925b7cb268f8afde27ebbf LICENSE +shake256:d8212dfc1045f25113320b2ed03bcd0d0f8866d0ef3e8984889cdc88df66c4581e0e8b4a8f34dae238f9e787846076ee2ccb0a6856904ad239a49464ef849215 buf.md +shake256:d024c12a538435fe1f0e5e2c6c8d228e9783b14fdbdefd6366f8bef0388f036ad27a246cded19418b4a172d0d50f087b54bbcadf53793a402b650b35e38de79b buf.yaml +shake256:a9787064905e7bd489b965d12d788ade794891f1c5ab2cd16c0183d125faec86051fc1c068914b4ca6242ab945631fca9e57b445a534d697b14553ce977e048f lighthouse-result.proto diff --git a/modules/sync/googlechrome/lighthouse/cas/a9787064905e7bd489b965d12d788ade794891f1c5ab2cd16c0183d125faec86051fc1c068914b4ca6242ab945631fca9e57b445a534d697b14553ce977e048f b/modules/sync/googlechrome/lighthouse/cas/a9787064905e7bd489b965d12d788ade794891f1c5ab2cd16c0183d125faec86051fc1c068914b4ca6242ab945631fca9e57b445a534d697b14553ce977e048f new file mode 100644 index 00000000..c33695a2 --- /dev/null +++ b/modules/sync/googlechrome/lighthouse/cas/a9787064905e7bd489b965d12d788ade794891f1c5ab2cd16c0183d125faec86051fc1c068914b4ca6242ab945631fca9e57b445a534d697b14553ce977e048f @@ -0,0 +1,852 @@ +syntax = "proto3"; + +package googlechrome.lighthouse; + +// This comment required for Lightrider import compatibility # header + +import "google/protobuf/struct.proto"; +import "google/protobuf/timestamp.proto"; +import "google/protobuf/wrappers.proto"; + +// This comment required for LightRider import compatibility # suffix + +// Canonical list of errors created by Lighthouse. +enum LighthouseError { + // No error in Lighthouse; the results are reliable. + NO_ERROR = 0; + // An uncategorized error occurred, likely a JavaScript exception. + UNKNOWN_ERROR = 1; + // The trace did not contain any screenshot events. + NO_SPEEDLINE_FRAMES = 2; + // No visual change between the beginning and end of load. + SPEEDINDEX_OF_ZERO = 3; + // The trace did not contain any screenshot events. + NO_SCREENSHOTS = 4; + // The computed speedindex results are non-finite. + INVALID_SPEEDLINE = 5; + // The trace did not contain a TracingStartedInPage event. + NO_TRACING_STARTED = 6; + // The trace did not contain a navigationStart event. + NO_NAVSTART = 7; + // The trace did not contain a firstContentfulPaint event. + NO_FCP = 8; + // The trace did not contain a domContentLoaded event. + NO_DCL = 9; + // No network request could be identified as the primary HTML document. + NO_DOCUMENT_REQUEST = 10; + // The HTML document's network request failed due to Chrome-internal reasons + // (canceled, blocked, etc). + FAILED_DOCUMENT_REQUEST = 11; + // The HTML document's network request completed, but returned an HTTP status + // code of 4xx or 5xx. + ERRORED_DOCUMENT_REQUEST = 12; + // Chromium's tracing controller did not manage to begin tracing across + // processes. Typically fixed by restarting Chromium. + TRACING_ALREADY_STARTED = 13; + // The trace data wasn't parsed correctly. + PARSING_PROBLEM = 14; + // The trace data failed to stream over the protocol. + READ_FAILED = 15; + // Used when security error prevents page load. + INSECURE_DOCUMENT_REQUEST = 16; + // Used when protocol command times out. + PROTOCOL_TIMEOUT = 17; + // Used when the page is not responding after maxWaitForLoad. + PAGE_HUNG = 18; + // DNS failure on main document (no resolution, timed out, etc) + DNS_FAILURE = 19; + // A timeout in the initial connection to the debugger protocol. + CRI_TIMEOUT = 20; + // The page requested was not HTML. + NOT_HTML = 21; + // The trace did not contain a ResourceSendRequest event. + NO_RESOURCE_REQUEST = 22; + // Used when any Chrome interstitial error prevents page load. + CHROME_INTERSTITIAL_ERROR = 23; + // The page has crashed and will no longer respond to 99% of CDP commmands. + TARGET_CRASHED = 24; +} + +// The overarching Lighthouse Response object (LHR) +// https://github.com/GoogleChrome/lighthouse/blob/main/types/lhr.d.ts +message LighthouseResult { + // The timestamp of when the results were generated. + google.protobuf.Timestamp fetch_time = 1; + + // The url requested to lightrider. + string requested_url = 2; + + // The final analyzed URL, differs from requested_url when there were + // redirects. + string final_url = 3; + + // The version of Lighthouse with which these results were generated. + string lighthouse_version = 4; + + // Message containing environment configuration for a LH run + message Environment { + // The user agent that was used by the network + string network_user_agent = 1; + + // The user agent used by the host + string host_user_agent = 2; + + // The benchmark index that indicates rough device class + google.protobuf.DoubleValue benchmark_index = 3; + + // The version of libraries with which these results were generated. Ex: + // axe-core. + map credits = 4; + } + + // The environment that the audit was run in + Environment environment = 5; + + // The user agent that was used to run the audit + string user_agent = 6; + + // Any top level warnings that this run encountered + // default is [] hence ListValue + google.protobuf.ListValue run_warnings = 7; + + // Message containing a runtime error config + message RuntimeError { + // The text repr of the error type + LighthouseError code = 1; + + // The error explanitory message + string message = 2; + } + + // A runtime error that was encountered during the run + RuntimeError runtime_error = 8; + + // A map containing the results of the audits, keyed by audit id. Audits may + // be referenced within more than one category. + map audits = 9; + + // A map containing the categories of audits, keyed by category id. + map categories = 10; + + // A map containing groups that categories can belong to, keyed by group id + map category_groups = 11; + + // Message containing the configuration settings for the LH run + // Next ID: 33 + message ConfigSettings { + // The possible form factors an audit can be run in. + // This enum served the emulated_form_factor field, but in v7, that field + // was deprecated. Meanwhile in v7, the form_factor field was added and has + // a mobile/desktop enum, so we simplify reuse, minus the `none` option. + // See + // https://github.com/GoogleChrome/lighthouse/blob/main/docs/emulation.md#changes-made-in-v7 + enum EmulatedFormFactor { + UNKNOWN_FORM_FACTOR = 0; + mobile = 1; + desktop = 2; + none = 3 [deprecated = true]; + } + + // Removed in v7. Do not use. + EmulatedFormFactor emulated_form_factor = 1 [deprecated = true]; + + // How Lighthouse should interpret this run in regards to scoring + // performance metrics and skipping mobile-only tests in desktop. + EmulatedFormFactor form_factor = 5; + + // The locale that was active during the audit + string locale = 2; + + // List of the categories that were run, empty if all were run + // nullable list of strings + google.protobuf.Value only_categories = 3; + + // How Lighthouse was run, e.g. from the Chrome extension or from the npm + // module + string channel = 4; + + // Next ID: 7 + message ThrottlingSettings { + // The round trip time in milliseconds. + double rtt_ms = 1; + + // The network throughput in kilobits per second. + double throughput_kbps = 2; + + // The network request latency in milliseconds. + double request_latency_ms = 3; + + // The network download throughput in kilobits per second. + double download_throughput_kbps = 4; + + // The network upload throughput in kilobits per second. + double upload_throughput_kbps = 5; + + // The amount of slowdown applied to the cpu (1/). + double cpu_slowdown_multiplier = 6; + } + + // The throttling config settings. + ThrottlingSettings throttling = 7; + + // The method used to throttle the network. + string throttling_method = 8; + + message ScreenEmulation { + // Overriding width value in pixels (minimum 0, maximum 10000000). + // 0 disables the override. + double width = 1; + // Overriding height value in pixels (minimum 0, maximum 10000000). + // 0 disables the override. + double height = 2; + // Overriding device scale factor value. 0 disables the override. + double deviceScaleFactor = 3; + // Whether to emulate mobile device. This includes viewport meta tag, + // overlay scrollbars, text autosizing and more. + bool mobile = 4; + // Whether screen emulation is disabled. If true, the other emulation + // settings are ignored. + bool disabled = 5; + } + + // Screen emulation properties (width, height, dpr, mobile viewport) to + // apply or an object of `{disabled: true}` if Lighthouse should avoid + // applying screen emulation. If either emulation is applied outside of + // Lighthouse, or it's being run on a mobile device, it typically should be + // set to disabled. For desktop, we recommend applying consistent desktop + // screen emulation. + ScreenEmulation screen_emulation = 9; + + + // Indicating whether Lighthouse should ignore status codes. + bool ignore_status_code = 10; + + // The type(s) of report output to be produced. + // Can be a string of 'json' | 'html' | 'csv' + // Or an array of those strings + google.protobuf.Value output = 11; + + // The maximum amount of time to wait for a page content render, in ms. If + // no content is rendered within this limit, the run is aborted with an + // error. + int32 max_wait_for_fcp = 12; + // The maximum amount of time to wait for a page to load, in ms. + int32 max_wait_for_load = 13; + // The number of milliseconds to wait after FCP until the page should be + // considered loaded. + int32 pause_after_fcp_ms = 14; + // The number of milliseconds to wait after the load event until the page + // should be considered loaded. + int32 pause_after_load_ms = 15; + // The number of milliseconds to wait between high priority network requests + // or 3 simultaneous requests before the page should be considered loaded. + int32 network_quiet_threshold_ms = 16; + // The number of milliseconds to wait between long tasks until the page + // should be considered loaded. + int32 cpu_quiet_threshold_ms = 17; + + // User Agent string to apply, `false` to not change the host's UA string, + // or `true` to use Lighthouse's default UA string. + string emulated_user_agent = 18; + + // audit_mode and gather_mode are excluded from the proto, as they are boolean/string and niche enough that we don't want to deal with them. + + // Flag indicating that the browser storage should not be reset for the + // audit. + bool disable_storage_reset = 19; + // Flag indicating that Lighthouse should pause after page load to wait for + // the user's permission to continue the audit. + bool debug_navigation = 20; + // If set to true, gatherers should avoid any behavior that may be + // destructive to the page state. (e.g. extra navigations, resizing the + // viewport) + bool use_passive_gathering = 21; + // Disables collection of the full page screenshot, which can be rather + // large and possibly leave the page in an undesirable state. + bool disable_full_page_screenshot = 22; + // If set to true, will skip the initial navigation to about:blank. + bool skip_about_blank = 23; + // The URL to use for the "blank" neutral page in between navigations. + // Defaults to `about:blank`. + string blank_page = 24; + + // List of URL patterns to block. + repeated string blocked_url_patterns = 25; + + // Comma-delimited list of trace categories to include. + string additional_trace_categories = 26; + + // If present, the run should only conduct this list of audits. + repeated string only_audits = 27; + // If present, the run should skip this list of audits. + repeated string skip_audits = 28; + + // Flag indicating which kinds of browser storage should be reset for the audit. + // Cookies are not cleared by default, so the user isn't logged out. + // indexeddb, websql, and localstorage are not cleared by default to prevent + // loss of potentially important data. + // https://chromedevtools.github.io/debugger-protocol-viewer/tot/Storage/#type-StorageType + repeated string clear_storage_types = 29; + + // List of extra HTTP Headers to include + map extra_headers = 30; + + // The budget.json object for LightWallet + repeated google.protobuf.Struct budgets = 31 [deprecated = true]; + + // Precomputed lantern estimates to use instead of observed analysis. + google.protobuf.Struct precomputed_lantern_data = 32; + } + + // The settings that were used to run this audit + ConfigSettings config_settings = 12; + + // i18n info in version 1 message format + I18n i18n = 13; + + // Message containing the performance timing data for the Lighthouse run + message Timing { + // Corresponds to: + // https://www.w3.org/TR/performance-timeline-2/#dom-performanceentry + message PerformanceEntry { + string name = 1; + string entry_type = 2; + google.protobuf.DoubleValue start_time = 3; + google.protobuf.DoubleValue duration = 4; + + // Whether timing entry was collected during artifact gathering. + bool gather = 5; + } + + // The total duration of Lighthouse's run + google.protobuf.DoubleValue total = 1; + + // Corresponds to: + // https://www.w3.org/TR/performance-timeline-2/#idl-def-performanceentrylist + repeated PerformanceEntry entries = 2; + } + + // The performance timing data for the Lighthouse run + Timing timing = 14; + + // The Stack Pack data used by audits in this run. + repeated StackPack stack_packs = 15; + + // Gather mode used to collect artifacts. + string gather_mode = 16; + + // URL of the main document request of the final navigation. + string main_document_url = 17; + + // URL displayed on the page after Lighthouse finishes. + string final_displayed_url = 18; + + // Screenshot data of the full page, along with node rects relevant to the + // audit results. + google.protobuf.Value full_page_screenshot = 19; + + // Entity classification data. + repeated LhrEntity entities = 20; +} + +// Message containing a category +message CategoryGroup { + // The human readable title of the group + string title = 1; + + // The description of what the category is grouping + string description = 2; +} + +// Message containing a category of audits and their combined weighted score. +message LhrCategory { + // the internal id of the category + string id = 1; + + // The human-friendly name of the category. + string title = 2; + + // A description of what this category is about (e.g. these help you validate + // your seo). + string description = 3; + + // The overall score of the category, the weighted average of all its audits, + // from 0-1. + // This value is nullable, so is a `Value` type + google.protobuf.Value score = 4; + + // A description for manual audits within this category. + string manual_description = 5; + + // A Category's reference to an AuditResult, with a weight for category + // scoring. + message AuditRef { + // Matches a key in the top-level `audits` map. + string id = 1; + + // The weight of the audit's score in the overall category score. + google.protobuf.DoubleValue weight = 2; + + // The category group that the audit belongs to. + string group = 3; + + // The conventional acronym for the audit/metric. + string acronym = 4; + + // Any audit IDs closely relevant to this one. + repeated string relevant_audits = 5; + } + + // References to all the audit members and their weight in this category. + repeated AuditRef audit_refs = 6; + + // List of gather modes this category is available in. + repeated string supported_modes = 7; +} + +// The ways an audit score should be interpreted: +enum ScoreDisplayMode { + // Unknown mode. This should not be used. + SCORE_DISPLAY_MODE_UNSPECIFIED = 0; + // Pass/fail audit (0 and 1 are the only possible scores). + binary = 1; + // Scores of 0-1, inclusive. + numeric = 2; + // Audit result score is determined by the metric savings and product score. + // 1 - audit passed + // 0.5 - audit failed and had no metric savings + // 0 - audit failed and had metric savings + metricSavings = 8; + // The audit is an FYI only, and can't be interpreted as pass/fail. Score is + // NaN and should be ignored. + informative = 3; + // The audit turned out to not apply to the page. Score is NaN and should be + // ignored. + not_applicable = 4; + notApplicable = 7; + // The audit exists only to tell you to review something yourself. Score is + // NaN and should be ignored + manual = 5; + // There was an error while running the audit (check `error_message` for + // details). Score is NaN and should be ignored. + error = 6; +} + +// Message containing the result of an individual Lighthouse audit. +message AuditResult { + // The internal audit id + string id = 1; + + // A brief description of the audit. The text can change depending on if the + // audit passed or failed. + string title = 2; + + // A more detailed description that describes why the audit is important and + // links to Lighthouse documentation on the audit; markdown links supported. + string description = 3; + + // The scored value determined by the audit, in the range `0-1`, or NaN if + // `score_display_mode` indicates not scored. + // This value is nullable, so is a `Value` type + google.protobuf.Value score = 4; + + // The mode for how the score should be interpreted. + ScoreDisplayMode score_display_mode = 5; + + // The human readable value that is displayed as the audit's result + string display_value = 6; + + // An explanation of audit-related issues encountered on the test page. + string explanation = 7; + + // Error message from any exception thrown while running this audit. + string error_message = 8; + + // Extra information provided by some types of audits. Given as an arbitrary + // object. + google.protobuf.Struct details = 9; + + // List of warnings associated with this audit + // type of `Value` since this can be null + google.protobuf.Value warnings = 10; + + // A numeric value that has a meaning specific to the audit, e.g. the number + // of nodes in the DOM or the timestamp of a specific load event. More + // information can be found in the audit details, if present. + google.protobuf.DoubleValue numeric_value = 11; + + // The unit of the numeric_value field. Used to format the numeric value for + // display. + string numeric_unit = 12; + + // Stacktrace of error, if any occurred while processing the audit. + string errorStack = 13; + + // Message containing the audit's MetricSavings. + message MetricSavings { + // Optional numeric value representing the audit's savings for the LCP + // metric. + optional google.protobuf.DoubleValue LCP = 1; + + // Optional numeric value representing the audit's savings for the FCP + // metric. + optional google.protobuf.DoubleValue FCP = 2; + + // Optional numeric value representing the audit's savings for the CLS + // metric. + optional google.protobuf.DoubleValue CLS = 3; + + // Optional numeric value representing the audit's savings for the TBT + // metric. + optional google.protobuf.DoubleValue TBT = 4; + + // Optional numeric value representing the audit's savings for the INP + // metric. + optional google.protobuf.DoubleValue INP = 5; + } + + // The audit's MetricSavings. + MetricSavings metricSavings = 14; + + // Message containing ScoringOptions. + message ScoringOptions { + // Scoring option's p10. + google.protobuf.DoubleValue p10 = 1; + + // Scoring option's median. + google.protobuf.DoubleValue median = 2; + } + + // The audit's ScoringOption. + ScoringOptions scoringOptions = 15; + + // An audit's guidance level. + google.protobuf.DoubleValue guidanceLevel = 16; + + // Audits that this audit replaces. + google.protobuf.Value replacesAudits = 17; +} + +// Message containing the i18n data for the LHR - Version 1 +message I18n { + // Message holding the formatted strings used in the renderer + message RendererFormattedStrings { + // The disclaimer shown below a performance metric value + string variance_disclaimer = 1; + + // The heading for the estimated page load savings opportunity of an audit + string opportunity_resource_column_label = 2; + + // The heading for the estimated page load savings of opportunitu audits + string opportunity_savings_column_label = 3; + + // The error string shown next to an erroring audit + string error_missing_audit_info = 4; + + // The label shown next to an audit or metric that has had an error + string error_label = 5; + + // The label shown above a bulleted list of warnings + string warning_header = 6; + + // The tooltip text on an expandable chevron icon + string audit_group_expand_tooltip = 7; + + // The heading that is shown above a list of audits that are passing + string passed_audits_group_title = 8; + + // The heading shown above a list of audits that do not apply to a page + string not_applicable_audits_group_title = 9; + + // The heading shown above a list of audits that were not computerd in the + // run + string manual_audits_group_title = 10; + + // The label shown preceding important warnings that may have invalidated an + // entire report + string toplevel_warnings_message = 11; + + // The label that explains the score gauges scale (0-49, 50-89, 90-100) + string scorescale_label = 12; + + // The label for values shown in the summary of critical request chains + string crc_longest_duration_label = 13; + + // The label for the initial request in a critical request chain + string crc_initial_navigation = 14; + + // The disclaimer shown under performance explaining that the network can + // vary + string ls_performance_category_description = 15; + + // The title of the lab data performance category + string lab_data_title = 16; + + // The heading that is shown above a list of audits that have warnings + string warning_audits_group_title = 17; + + // The label for the button to show all lines of a snippet + string snippet_expand_button_label = 18; + + // The label for the button to show only a few lines of a snippet + string snippet_collapse_button_label = 19; + + // This label is for a filter checkbox above a table of items + string third_party_resources_label = 20; + + // Descriptive explanation for emulation setting when emulating a generic + // desktop form factor, as opposed to a mobile-device like form factor. + string runtime_desktop_emulation = 21; + + // Descriptive explanation for emulation setting when emulating a Nexus 5X + // mobile device. + string runtime_mobile_emulation = 22; + + // Descriptive explanation for emulation setting when no device emulation is + // set. + string runtime_no_emulation = 23; + + // Label for a row in a table that shows the estimated CPU power of the + // machine running Lighthouse. Example row values: 532, 1492, 783. + string runtime_settings_benchmark = 24; + + // Label for a row in a table that describes the CPU throttling conditions + // that were used during a Lighthouse run, if any. + string runtime_settings_CPU_throttling = 25; + + // Label for a row in a table that describes the kind of device that was + // emulated for the Lighthouse run. Example values for row elements: 'No + // Emulation', 'Emulated Desktop', etc. + string runtime_settings_device = 26; + + // Label for a row in a table that shows the time at which a Lighthouse run + // was conducted; formatted as a timestamp, e.g. Jan 1, 1970 12:00 AM UTC. + string runtime_settings_fetch_time = 27 [deprecated = true]; + + // Label for a row in a table that describes the network throttling + // conditions that were used during a Lighthouse run, if any. + string runtime_settings_network_throttling = 28; + + // Title of the Runtime settings table in a Lighthouse report. Runtime + // settings are the environment configurations that a specific report used + // at auditing time. + string runtime_settings_title = 29 [deprecated = true]; + + // Label for a row in a table that shows the User Agent that was detected on + // the Host machine that ran Lighthouse. + string runtime_settings_UA = 30 [deprecated = true]; + + // Label for a row in a table that shows the User Agent that was used to + // send out all network requests during the Lighthouse run. + string runtime_settings_UA_network = 31; + + // Label for a row in a table that shows the URL that was audited during a + // Lighthouse run. + string runtime_settings_Url = 32 [deprecated = true]; + + // Descriptive explanation for a runtime setting that is set to an unknown + // value. + string runtime_unknown = 33; + + // Option in a dropdown menu that copies the Lighthouse JSON object to the + // system clipboard. + string dropdown_copy_JSON = 34; + + // Option in a dropdown menu that toggles the themeing of the report between + // Light(default) and Dark themes. + string dropdown_dark_theme = 35; + + // Option in a dropdown menu that opens a full Lighthouse report in a print + // dialog. + string dropdown_print_expanded = 36; + + // Option in a dropdown menu that opens a small, summary report in a print + // dialog. + string dropdown_print_summary = 37; + + // Option in a dropdown menu that saves the current report as a new GitHub + // Gist. + string dropdown_save_gist = 38; + + // Option in a dropdown menu that saves the Lighthouse report HTML locally + // to the system as a '.html' file. + string dropdown_save_HTML = 39; + + // Option in a dropdown menu that saves the Lighthouse JSON object to the + // local system as a '.json' file. + string dropdown_save_JSON = 40; + + // Option in a dropdown menu that opens the current report in the Lighthouse + // Viewer Application. + string dropdown_viewer = 41; + + // Label for button to create an issue against the Lighthouse GitHub + // project. + string footer_issue = 42; + + // Descriptive explanation for environment throttling that was provided by + // the runtime environment instead of provided by Lighthouse throttling. + string throttling_provided = 43; + + // Label for a row in a table that shows in what tool Lighthouse is being + // run (e.g. The lighthouse CLI, Chrome DevTools, Lightrider, WebPageTest, + // etc). + string runtime_settings_channel = 44 [deprecated = true]; + + // Text link pointing to the Lighthouse scoring calculator. This link + // immediately follows a sentence stating the performance score is + // calculated from the perf metrics. + string calculator_link = 45; + + // Label for a row in a table that shows the version of the Axe library used + string runtime_settings_axe_version = 46; + + // Label for a button that opens the Treemap App + string view_treemap_label = 47; + + // Label preceding a radio control for filtering the list of audits. The + // radio choices are various performance metrics (FCP, LCP, TBT), and if + // chosen, the audits in the report are hidden if they are not relevant to + // the selected metric. + string show_relevant_audits = 48; + + // Descriptive label that this analysis run was from a single pageload + // of a browser (not a summary of hundreds of loads) + string runtime_single_load = 49; + + // Descriptive explanation that this analysis run was from a single pageload + // of a browser, whereas field data often summarizes hundreds+ of page loads + string runtime_single_load_tooltip = 50; + + // Descriptive label that this analysis only considers the initial load of + // the page, and no interaction beyond when the page had "fully loaded" + string runtime_analysis_window = 51; + + // Label for an interactive control that will reveal or hide a group of + // content. This control toggles between the text 'Show' and 'Hide'. + string show = 52; + + // Label for an interactive control that will reveal or hide a group of + // content. This control toggles between the text 'Show' and 'Hide'. + string hide = 53; + + // Label for an interactive control that will reveal or hide a group of + // content. This control toggles between the text 'Expand view' and + // 'Collapse view'. + string expand_view = 54; + + // Label for an interactive control that will reveal or hide a group of + // content. This control toggles between the text 'Expand view' and + // 'Collapse view'. + string collapse_view = 55; + + // Label indicating that Lighthouse throttled the page to emulate a slow 4G + // network connection. + string runtime_slow_4g = 56; + + // Label indicating that Lighthouse throttled the page using custom + // throttling settings. + string runtime_custom = 57; + + // This label is for a button that will show the user a trace of the page. + string view_trace_label = 58; + + // This label is for a button that will show the user a trace of the page. + string view_original_trace_label = 59 [deprecated = true]; + + // Label for a row in a table that shows the screen emulation used + string runtime_settings_screen_emulation = 60; + + // Label for a row decorative chip indiciating entity is first-party. + string first_party_chip_label = 61; + + // Label for a link tooltip indicating that it will be opened in a new tab + // of the browser. + string open_in_a_new_tab_tooltip = 62; + + // Label for a generic category for all resources that could not be + // attributed against a 1st or 3rd party entity. + string unattributable = 63; + + // This label is for a button that will show the user a trace of the page. + string dropdown_view_unthrottled_trace = 64; + + // Descriptive label that this analysis considers some arbitrary period of + // time containing user interactions + string runtime_analysis_window_timespan = 65; + + // Descriptive label that this analysis considers a snapshot of the page at + // a single point in time + string runtime_analysis_window_snapshot = 66; + + // Message for PWA deprecation. + string pwa_removal_message = 67; + + // Option in a dropdown menu that toggles the performance audits between + // new insights from RPP and legacy perf audits. + string dropdown_insights_toggle = 68; + + // Notice about upcoming planned changes to Lighthouse, to replace most + // performance audits with a new set of "insight" audits. + string insights_notice = 69; + + // Text for a button to try out "Performance insight audits", a new set of + // performance advice that will replace performance audits. + string try_insights = 70; + + // Text for a button for going back to normal "Performance audits", instead of + // using the new set of performance insight audits that will replace performance + // audits. + string go_back_to_audits = 71; + + // Descriptive explanation used when an audit is not part of the calculated score. + string unscored_label = 72; + + // Descriptive explanation used when an audit is not part of the calculated score. + string unscored_title = 73; + } + + // The message holding all formatted strings used in the renderer. + RendererFormattedStrings renderer_formatted_strings = 1; + + // Holds all message paths used. The locale of the report has already be used + // to translated the strings in this LighthouseResult, but this field can be + // used to translate into another language. + map icu_message_paths = 2; +} + +// Message containing Stack Pack information. +message StackPack { + // The human readable id of the Stack Pack. + string id = 1; + + // The user facing title of the Stack Pack. + string title = 2; + + // The icon as a data url. + string icon_data_URL = 3; + + // Map of audit-ids to Stack Pack descriptions. + map descriptions = 4; +} + +// Message containing an Entity. +message LhrEntity { + // Name of the entity. + string name = 1; + + // An optional homepage URL of the entity. + optional string homepage = 2; + + // An optional category name for the entity. + optional string category = 3; + + // An optional flag indicating if the entity is the first party. + optional bool is_first_party = 4; + + // An optional flag indicating if the entity is not recognized. + optional bool is_unrecognized = 5; + + // A list of URL origin strings that belong to this entity. + repeated string origins = 6; +} diff --git a/modules/sync/googlechrome/lighthouse/state.json b/modules/sync/googlechrome/lighthouse/state.json index 12c86115..72609aa3 100644 --- a/modules/sync/googlechrome/lighthouse/state.json +++ b/modules/sync/googlechrome/lighthouse/state.json @@ -67,6 +67,10 @@ { "name": "v12.8.2", "digest": "777545866d08a8b7429e76cc2ed48dbe63092c19244c3884a31b22dac0cb19b849d55e4fc14ccb7ae24daa0936004cbea89713c5a2ba0812ddbed9833cd55faf" + }, + { + "name": "v13.0.0", + "digest": "57c88dfb9c8994262426a3278d9e5d41f2b998b28a4c2858564aa67a235a8c5fce21bed2ffa85bcb09224a6b928f58e421b96a70db98774154f1036717455ac9" } ] } \ No newline at end of file diff --git a/modules/sync/protocolbuffers/wellknowntypes/cas/49b3059e6608c257ea7cf60926a16fb8bb1f3d37f39862e66db55338a4ebf59a4aebff39fdfd1f6d4e66ece567db327ff5846a09b51762574b857a27e77a2b55 b/modules/sync/protocolbuffers/wellknowntypes/cas/49b3059e6608c257ea7cf60926a16fb8bb1f3d37f39862e66db55338a4ebf59a4aebff39fdfd1f6d4e66ece567db327ff5846a09b51762574b857a27e77a2b55 new file mode 100644 index 00000000..640ca862 --- /dev/null +++ b/modules/sync/protocolbuffers/wellknowntypes/cas/49b3059e6608c257ea7cf60926a16fb8bb1f3d37f39862e66db55338a4ebf59a4aebff39fdfd1f6d4e66ece567db327ff5846a09b51762574b857a27e77a2b55 @@ -0,0 +1,18 @@ +shake256:0daa29e1d15482bc5f25f3fc93d658073240f23e3d2c2a72829ba55ff32aa02ff321a604b4dcb49bbb97c4b6f157db6d2fa455f53d531d651b67755dc305f6be LICENSE +shake256:3ce5a81127a805cd15b1003159b504229a725bbb03c099905a26bcef1bcfe535beee30b1107e7301d368866f5a28c27e2bc3d79a606022d3060d86b251f10ffa buf.md +shake256:50583b7f140a92c3c9a43b8cfa612bd990e1ac70922d3ee83b4804da09bc5f1360e0d6518afdbc3d6760e237a7449658adac7931b9e3d39036d4a57972b5f8e7 buf.yaml +shake256:1c6874c26892049275074aff5b9f87e59b45a2a6d6c25782ac827d5e64f43f35a5b497e912e0d36ac30eeda2d09363bd9b19e95918d740a98bed15037df65622 google/protobuf/any.proto +shake256:bed6cb44b4bcd2fb5553d64742db714e1134a729d5a8b5b38e2335fea6eeb2125311e9d98bdaec9323d038ee17e054da737e1b8ad2173273231209f14891375e google/protobuf/api.proto +shake256:059f945bf1dd19f3d535b8c380cb1e2798c867820dd719ee32384f7fd635acd077d410716410646c72442f7bef4a920120af2dcddb1fb6c0e435798de4a7ba82 google/protobuf/compiler/plugin.proto +shake256:7e7b42c4681a54c57930d9d33422e44a91bd97fdd319042030184345a11d9b973629ab9f1145fdf198fbb3c5c7a330c7ed93ad44db3536a161bbd0e949f8d17f google/protobuf/cpp_features.proto +shake256:7e550defb267c9883ff6dcba8508103a6afa788695de0b3344103ab8f233e3dc457792a9d6f8dd439107e66a3439cd87b7c138f53a16432216a465cffab6720a google/protobuf/descriptor.proto +shake256:95d1785a8277c3f6758e3f188e9432d820e93a99de99d1b45452ed2c8c8b1fecbef49efa8f553641d9bba716993420e255ddbc564d8796d1e480877f8c0c1aec google/protobuf/duration.proto +shake256:836c327709e30d7fcf6c35c8cff70c863130e3de6962b6337027f38513a672f1dc0496dd84538ee2c53994cc865fa3d68e0c4a87a4fc974601c7a6ebcdc05fe4 google/protobuf/empty.proto +shake256:d1706fd968269712822f6b51b3ffab303ccdd33c58b4d6c8414083a4fadb448bfd858d77088649165adfe9a08847f007611a3584718e63884e61f75c8bca7a5c google/protobuf/field_mask.proto +shake256:da1dc4060f405ccda4033e045769b64c29d39b2fa0acd8a17800f371e9df6761a5f4fb09ae3a17b2457724c29177cf8b92849f3faba00522bd693c734ddd4340 google/protobuf/go_features.proto +shake256:062035772c41937d8709c37cc101d9a6d197f0c64ee53e6db6fdd421faf47d7ce30ad78f9413deef4c66943a69811443790f52c2d213abd8fb501e1dadd555c6 google/protobuf/java_features.proto +shake256:0fe143d11828bc7a117e201c6643612944849f9547e9a8c4ec748ca230dc8d78312123b3accb8f433c19c3cb30b5849fe46021d217da0db7a557648942c87cd3 google/protobuf/source_context.proto +shake256:a949db8740c3d3ef65e7787a779db1bd1342767cbd053b510273849cf7cf996f65bd08b9c26086f44d310157b1eee784bac7d0b8f68559a7382132875ed1f30d google/protobuf/struct.proto +shake256:93a810721dfe089dd61b6a954cbab842c3c6cb9c814cb6286589f66fd148151151847291fd5668bcb8002f6f298364721e1c7c474e1be5d0d184ff37a635d8ce google/protobuf/timestamp.proto +shake256:3f84f0f8298ff02f92800f4aa6819cf5eb39065940089748cda71c03c279d40249c1a02f239057300ac862b06682f5e748d20f42adcb8621f941cc5c71155947 google/protobuf/type.proto +shake256:b054ff1cc611396c870819dacb044768ce18826e0163be0bd41e3f55a9fddb7cd2ae262557249af137282cafc01f14be6e73f6338b4b8a74dc3227a876859094 google/protobuf/wrappers.proto diff --git a/modules/sync/protocolbuffers/wellknowntypes/cas/7e550defb267c9883ff6dcba8508103a6afa788695de0b3344103ab8f233e3dc457792a9d6f8dd439107e66a3439cd87b7c138f53a16432216a465cffab6720a b/modules/sync/protocolbuffers/wellknowntypes/cas/7e550defb267c9883ff6dcba8508103a6afa788695de0b3344103ab8f233e3dc457792a9d6f8dd439107e66a3439cd87b7c138f53a16432216a465cffab6720a new file mode 100644 index 00000000..333b7e99 --- /dev/null +++ b/modules/sync/protocolbuffers/wellknowntypes/cas/7e550defb267c9883ff6dcba8508103a6afa788695de0b3344103ab8f233e3dc457792a9d6f8dd439107e66a3439cd87b7c138f53a16432216a465cffab6720a @@ -0,0 +1,1426 @@ +// Protocol Buffers - Google's data interchange format +// Copyright 2008 Google Inc. All rights reserved. +// https://developers.google.com/protocol-buffers/ +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following disclaimer +// in the documentation and/or other materials provided with the +// distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived from +// this software without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +// Author: kenton@google.com (Kenton Varda) +// Based on original Protocol Buffers design by +// Sanjay Ghemawat, Jeff Dean, and others. +// +// The messages in this file describe the definitions found in .proto files. +// A valid .proto file can be translated directly to a FileDescriptorProto +// without any other information (e.g. without reading its imports). + +syntax = "proto2"; + +package google.protobuf; + +option go_package = "google.golang.org/protobuf/types/descriptorpb"; +option java_package = "com.google.protobuf"; +option java_outer_classname = "DescriptorProtos"; +option csharp_namespace = "Google.Protobuf.Reflection"; +option objc_class_prefix = "GPB"; +option cc_enable_arenas = true; + +// descriptor.proto must be optimized for speed because reflection-based +// algorithms don't work during bootstrapping. +option optimize_for = SPEED; + +// The protocol compiler can output a FileDescriptorSet containing the .proto +// files it parses. +message FileDescriptorSet { + repeated FileDescriptorProto file = 1; + + // Extensions for tooling. + extensions 536000000 [declaration = { + number: 536000000 + type: ".buf.descriptor.v1.FileDescriptorSetExtension" + full_name: ".buf.descriptor.v1.buf_file_descriptor_set_extension" + }]; +} + +// The full set of known editions. +enum Edition { + // A placeholder for an unknown edition value. + EDITION_UNKNOWN = 0; + + // A placeholder edition for specifying default behaviors *before* a feature + // was first introduced. This is effectively an "infinite past". + EDITION_LEGACY = 900; + + // Legacy syntax "editions". These pre-date editions, but behave much like + // distinct editions. These can't be used to specify the edition of proto + // files, but feature definitions must supply proto2/proto3 defaults for + // backwards compatibility. + EDITION_PROTO2 = 998; + EDITION_PROTO3 = 999; + + // Editions that have been released. The specific values are arbitrary and + // should not be depended on, but they will always be time-ordered for easy + // comparison. + EDITION_2023 = 1000; + EDITION_2024 = 1001; + + // Placeholder editions for testing feature resolution. These should not be + // used or relied on outside of tests. + EDITION_1_TEST_ONLY = 1; + EDITION_2_TEST_ONLY = 2; + EDITION_99997_TEST_ONLY = 99997; + EDITION_99998_TEST_ONLY = 99998; + EDITION_99999_TEST_ONLY = 99999; + + // Placeholder for specifying unbounded edition support. This should only + // ever be used by plugins that can expect to never require any changes to + // support a new edition. + EDITION_MAX = 0x7FFFFFFF; +} + +// Describes a complete .proto file. +message FileDescriptorProto { + optional string name = 1; // file name, relative to root of source tree + optional string package = 2; // e.g. "foo", "foo.bar", etc. + + // Names of files imported by this file. + repeated string dependency = 3; + // Indexes of the public imported files in the dependency list above. + repeated int32 public_dependency = 10; + // Indexes of the weak imported files in the dependency list. + // For Google-internal migration only. Do not use. + repeated int32 weak_dependency = 11; + + // Names of files imported by this file purely for the purpose of providing + // option extensions. These are excluded from the dependency list above. + repeated string option_dependency = 15; + + // All top-level definitions in this file. + repeated DescriptorProto message_type = 4; + repeated EnumDescriptorProto enum_type = 5; + repeated ServiceDescriptorProto service = 6; + repeated FieldDescriptorProto extension = 7; + + optional FileOptions options = 8; + + // This field contains optional information about the original source code. + // You may safely remove this entire field without harming runtime + // functionality of the descriptors -- the information is needed only by + // development tools. + optional SourceCodeInfo source_code_info = 9; + + // The syntax of the proto file. + // The supported values are "proto2", "proto3", and "editions". + // + // If `edition` is present, this value must be "editions". + // WARNING: This field should only be used by protobuf plugins or special + // cases like the proto compiler. Other uses are discouraged and + // developers should rely on the protoreflect APIs for their client language. + optional string syntax = 12; + + // The edition of the proto file. + // WARNING: This field should only be used by protobuf plugins or special + // cases like the proto compiler. Other uses are discouraged and + // developers should rely on the protoreflect APIs for their client language. + optional Edition edition = 14; +} + +// Describes a message type. +message DescriptorProto { + optional string name = 1; + + repeated FieldDescriptorProto field = 2; + repeated FieldDescriptorProto extension = 6; + + repeated DescriptorProto nested_type = 3; + repeated EnumDescriptorProto enum_type = 4; + + message ExtensionRange { + optional int32 start = 1; // Inclusive. + optional int32 end = 2; // Exclusive. + + optional ExtensionRangeOptions options = 3; + } + repeated ExtensionRange extension_range = 5; + + repeated OneofDescriptorProto oneof_decl = 8; + + optional MessageOptions options = 7; + + // Range of reserved tag numbers. Reserved tag numbers may not be used by + // fields or extension ranges in the same message. Reserved ranges may + // not overlap. + message ReservedRange { + optional int32 start = 1; // Inclusive. + optional int32 end = 2; // Exclusive. + } + repeated ReservedRange reserved_range = 9; + // Reserved field names, which may not be used by fields in the same message. + // A given name may only be reserved once. + repeated string reserved_name = 10; + + // Support for `export` and `local` keywords on enums. + optional SymbolVisibility visibility = 11; +} + +message ExtensionRangeOptions { + // The parser stores options it doesn't recognize here. See above. + repeated UninterpretedOption uninterpreted_option = 999; + + message Declaration { + // The extension number declared within the extension range. + optional int32 number = 1; + + // The fully-qualified name of the extension field. There must be a leading + // dot in front of the full name. + optional string full_name = 2; + + // The fully-qualified type name of the extension field. Unlike + // Metadata.type, Declaration.type must have a leading dot for messages + // and enums. + optional string type = 3; + + // If true, indicates that the number is reserved in the extension range, + // and any extension field with the number will fail to compile. Set this + // when a declared extension field is deleted. + optional bool reserved = 5; + + // If true, indicates that the extension must be defined as repeated. + // Otherwise the extension must be defined as optional. + optional bool repeated = 6; + + reserved 4; // removed is_repeated + } + + // For external users: DO NOT USE. We are in the process of open sourcing + // extension declaration and executing internal cleanups before it can be + // used externally. + repeated Declaration declaration = 2 [retention = RETENTION_SOURCE]; + + // Any features defined in the specific edition. + optional FeatureSet features = 50; + + // The verification state of the extension range. + enum VerificationState { + // All the extensions of the range must be declared. + DECLARATION = 0; + UNVERIFIED = 1; + } + + // The verification state of the range. + // TODO: flip the default to DECLARATION once all empty ranges + // are marked as UNVERIFIED. + optional VerificationState verification = 3 + [default = UNVERIFIED, retention = RETENTION_SOURCE]; + + // Clients can define custom options in extensions of this message. See above. + extensions 1000 to max; +} + +// Describes a field within a message. +message FieldDescriptorProto { + enum Type { + // 0 is reserved for errors. + // Order is weird for historical reasons. + TYPE_DOUBLE = 1; + TYPE_FLOAT = 2; + // Not ZigZag encoded. Negative numbers take 10 bytes. Use TYPE_SINT64 if + // negative values are likely. + TYPE_INT64 = 3; + TYPE_UINT64 = 4; + // Not ZigZag encoded. Negative numbers take 10 bytes. Use TYPE_SINT32 if + // negative values are likely. + TYPE_INT32 = 5; + TYPE_FIXED64 = 6; + TYPE_FIXED32 = 7; + TYPE_BOOL = 8; + TYPE_STRING = 9; + // Tag-delimited aggregate. + // Group type is deprecated and not supported after google.protobuf. However, Proto3 + // implementations should still be able to parse the group wire format and + // treat group fields as unknown fields. In Editions, the group wire format + // can be enabled via the `message_encoding` feature. + TYPE_GROUP = 10; + TYPE_MESSAGE = 11; // Length-delimited aggregate. + + // New in version 2. + TYPE_BYTES = 12; + TYPE_UINT32 = 13; + TYPE_ENUM = 14; + TYPE_SFIXED32 = 15; + TYPE_SFIXED64 = 16; + TYPE_SINT32 = 17; // Uses ZigZag encoding. + TYPE_SINT64 = 18; // Uses ZigZag encoding. + } + + enum Label { + // 0 is reserved for errors + LABEL_OPTIONAL = 1; + LABEL_REPEATED = 3; + // The required label is only allowed in google.protobuf. In proto3 and Editions + // it's explicitly prohibited. In Editions, the `field_presence` feature + // can be used to get this behavior. + LABEL_REQUIRED = 2; + } + + optional string name = 1; + optional int32 number = 3; + optional Label label = 4; + + // If type_name is set, this need not be set. If both this and type_name + // are set, this must be one of TYPE_ENUM, TYPE_MESSAGE or TYPE_GROUP. + optional Type type = 5; + + // For message and enum types, this is the name of the type. If the name + // starts with a '.', it is fully-qualified. Otherwise, C++-like scoping + // rules are used to find the type (i.e. first the nested types within this + // message are searched, then within the parent, on up to the root + // namespace). + optional string type_name = 6; + + // For extensions, this is the name of the type being extended. It is + // resolved in the same manner as type_name. + optional string extendee = 2; + + // For numeric types, contains the original text representation of the value. + // For booleans, "true" or "false". + // For strings, contains the default text contents (not escaped in any way). + // For bytes, contains the C escaped value. All bytes >= 128 are escaped. + optional string default_value = 7; + + // If set, gives the index of a oneof in the containing type's oneof_decl + // list. This field is a member of that oneof. + optional int32 oneof_index = 9; + + // JSON name of this field. The value is set by protocol compiler. If the + // user has set a "json_name" option on this field, that option's value + // will be used. Otherwise, it's deduced from the field's name by converting + // it to camelCase. + optional string json_name = 10; + + optional FieldOptions options = 8; + + // If true, this is a proto3 "optional". When a proto3 field is optional, it + // tracks presence regardless of field type. + // + // When proto3_optional is true, this field must belong to a oneof to signal + // to old proto3 clients that presence is tracked for this field. This oneof + // is known as a "synthetic" oneof, and this field must be its sole member + // (each proto3 optional field gets its own synthetic oneof). Synthetic oneofs + // exist in the descriptor only, and do not generate any API. Synthetic oneofs + // must be ordered after all "real" oneofs. + // + // For message fields, proto3_optional doesn't create any semantic change, + // since non-repeated message fields always track presence. However it still + // indicates the semantic detail of whether the user wrote "optional" or not. + // This can be useful for round-tripping the .proto file. For consistency we + // give message fields a synthetic oneof also, even though it is not required + // to track presence. This is especially important because the parser can't + // tell if a field is a message or an enum, so it must always create a + // synthetic oneof. + // + // Proto2 optional fields do not set this flag, because they already indicate + // optional with `LABEL_OPTIONAL`. + optional bool proto3_optional = 17; +} + +// Describes a oneof. +message OneofDescriptorProto { + optional string name = 1; + optional OneofOptions options = 2; +} + +// Describes an enum type. +message EnumDescriptorProto { + optional string name = 1; + + repeated EnumValueDescriptorProto value = 2; + + optional EnumOptions options = 3; + + // Range of reserved numeric values. Reserved values may not be used by + // entries in the same enum. Reserved ranges may not overlap. + // + // Note that this is distinct from DescriptorProto.ReservedRange in that it + // is inclusive such that it can appropriately represent the entire int32 + // domain. + message EnumReservedRange { + optional int32 start = 1; // Inclusive. + optional int32 end = 2; // Inclusive. + } + + // Range of reserved numeric values. Reserved numeric values may not be used + // by enum values in the same enum declaration. Reserved ranges may not + // overlap. + repeated EnumReservedRange reserved_range = 4; + + // Reserved enum value names, which may not be reused. A given name may only + // be reserved once. + repeated string reserved_name = 5; + + // Support for `export` and `local` keywords on enums. + optional SymbolVisibility visibility = 6; +} + +// Describes a value within an enum. +message EnumValueDescriptorProto { + optional string name = 1; + optional int32 number = 2; + + optional EnumValueOptions options = 3; +} + +// Describes a service. +message ServiceDescriptorProto { + optional string name = 1; + repeated MethodDescriptorProto method = 2; + + optional ServiceOptions options = 3; + + reserved 4; + reserved "stream"; +} + +// Describes a method of a service. +message MethodDescriptorProto { + optional string name = 1; + + // Input and output type names. These are resolved in the same way as + // FieldDescriptorProto.type_name, but must refer to a message type. + optional string input_type = 2; + optional string output_type = 3; + + optional MethodOptions options = 4; + + // Identifies if client streams multiple client messages + optional bool client_streaming = 5 [default = false]; + // Identifies if server streams multiple server messages + optional bool server_streaming = 6 [default = false]; +} + +// =================================================================== +// Options + +// Each of the definitions above may have "options" attached. These are +// just annotations which may cause code to be generated slightly differently +// or may contain hints for code that manipulates protocol messages. +// +// Clients may define custom options as extensions of the *Options messages. +// These extensions may not yet be known at parsing time, so the parser cannot +// store the values in them. Instead it stores them in a field in the *Options +// message called uninterpreted_option. This field must have the same name +// across all *Options messages. We then use this field to populate the +// extensions when we build a descriptor, at which point all protos have been +// parsed and so all extensions are known. +// +// Extension numbers for custom options may be chosen as follows: +// * For options which will only be used within a single application or +// organization, or for experimental options, use field numbers 50000 +// through 99999. It is up to you to ensure that you do not use the +// same number for multiple options. +// * For options which will be published and used publicly by multiple +// independent entities, e-mail protobuf-global-extension-registry@google.com +// to reserve extension numbers. Simply provide your project name (e.g. +// Objective-C plugin) and your project website (if available) -- there's no +// need to explain how you intend to use them. Usually you only need one +// extension number. You can declare multiple options with only one extension +// number by putting them in a sub-message. See the Custom Options section of +// the docs for examples: +// https://developers.google.com/protocol-buffers/docs/proto#options +// If this turns out to be popular, a web service will be set up +// to automatically assign option numbers. + +message FileOptions { + + // Sets the Java package where classes generated from this .proto will be + // placed. By default, the proto package is used, but this is often + // inappropriate because proto packages do not normally start with backwards + // domain names. + optional string java_package = 1; + + // Controls the name of the wrapper Java class generated for the .proto file. + // That class will always contain the .proto file's getDescriptor() method as + // well as any top-level extensions defined in the .proto file. + // If java_multiple_files is disabled, then all the other classes from the + // .proto file will be nested inside the single wrapper outer class. + optional string java_outer_classname = 8; + + // If enabled, then the Java code generator will generate a separate .java + // file for each top-level message, enum, and service defined in the .proto + // file. Thus, these types will *not* be nested inside the wrapper class + // named by java_outer_classname. However, the wrapper class will still be + // generated to contain the file's getDescriptor() method as well as any + // top-level extensions defined in the file. + optional bool java_multiple_files = 10 [default = false]; + + // This option does nothing. + optional bool java_generate_equals_and_hash = 20 [deprecated=true]; + + // A proto2 file can set this to true to opt in to UTF-8 checking for Java, + // which will throw an exception if invalid UTF-8 is parsed from the wire or + // assigned to a string field. + // + // TODO: clarify exactly what kinds of field types this option + // applies to, and update these docs accordingly. + // + // Proto3 files already perform these checks. Setting the option explicitly to + // false has no effect: it cannot be used to opt proto3 files out of UTF-8 + // checks. + optional bool java_string_check_utf8 = 27 [default = false]; + + // Generated classes can be optimized for speed or code size. + enum OptimizeMode { + SPEED = 1; // Generate complete code for parsing, serialization, + // etc. + CODE_SIZE = 2; // Use ReflectionOps to implement these methods. + LITE_RUNTIME = 3; // Generate code using MessageLite and the lite runtime. + } + optional OptimizeMode optimize_for = 9 [default = SPEED]; + + // Sets the Go package where structs generated from this .proto will be + // placed. If omitted, the Go package will be derived from the following: + // - The basename of the package import path, if provided. + // - Otherwise, the package statement in the .proto file, if present. + // - Otherwise, the basename of the .proto file, without extension. + optional string go_package = 11; + + // Should generic services be generated in each language? "Generic" services + // are not specific to any particular RPC system. They are generated by the + // main code generators in each language (without additional plugins). + // Generic services were the only kind of service generation supported by + // early versions of google.protobuf. + // + // Generic services are now considered deprecated in favor of using plugins + // that generate code specific to your particular RPC system. Therefore, + // these default to false. Old code which depends on generic services should + // explicitly set them to true. + optional bool cc_generic_services = 16 [default = false]; + optional bool java_generic_services = 17 [default = false]; + optional bool py_generic_services = 18 [default = false]; + reserved 42; // removed php_generic_services + reserved "php_generic_services"; + + // Is this file deprecated? + // Depending on the target platform, this can emit Deprecated annotations + // for everything in the file, or it will be completely ignored; in the very + // least, this is a formalization for deprecating files. + optional bool deprecated = 23 [default = false]; + + // Enables the use of arenas for the proto messages in this file. This applies + // only to generated classes for C++. + optional bool cc_enable_arenas = 31 [default = true]; + + // Sets the objective c class prefix which is prepended to all objective c + // generated classes from this .proto. There is no default. + optional string objc_class_prefix = 36; + + // Namespace for generated classes; defaults to the package. + optional string csharp_namespace = 37; + + // By default Swift generators will take the proto package and CamelCase it + // replacing '.' with underscore and use that to prefix the types/symbols + // defined. When this options is provided, they will use this value instead + // to prefix the types/symbols defined. + optional string swift_prefix = 39; + + // Sets the php class prefix which is prepended to all php generated classes + // from this .proto. Default is empty. + optional string php_class_prefix = 40; + + // Use this option to change the namespace of php generated classes. Default + // is empty. When this option is empty, the package name will be used for + // determining the namespace. + optional string php_namespace = 41; + + // Use this option to change the namespace of php generated metadata classes. + // Default is empty. When this option is empty, the proto file name will be + // used for determining the namespace. + optional string php_metadata_namespace = 44; + + // Use this option to change the package of ruby generated classes. Default + // is empty. When this option is not set, the package name will be used for + // determining the ruby package. + optional string ruby_package = 45; + + // Any features defined in the specific edition. + // WARNING: This field should only be used by protobuf plugins or special + // cases like the proto compiler. Other uses are discouraged and + // developers should rely on the protoreflect APIs for their client language. + optional FeatureSet features = 50; + + // The parser stores options it doesn't recognize here. + // See the documentation for the "Options" section above. + repeated UninterpretedOption uninterpreted_option = 999; + + // Clients can define custom options in extensions of this message. + // See the documentation for the "Options" section above. + extensions 1000 to max; + + reserved 38; +} + +message MessageOptions { + // Set true to use the old proto1 MessageSet wire format for extensions. + // This is provided for backwards-compatibility with the MessageSet wire + // format. You should not use this for any other reason: It's less + // efficient, has fewer features, and is more complicated. + // + // The message must be defined exactly as follows: + // message Foo { + // option message_set_wire_format = true; + // extensions 4 to max; + // } + // Note that the message cannot have any defined fields; MessageSets only + // have extensions. + // + // All extensions of your type must be singular messages; e.g. they cannot + // be int32s, enums, or repeated messages. + // + // Because this is an option, the above two restrictions are not enforced by + // the protocol compiler. + optional bool message_set_wire_format = 1 [default = false]; + + // Disables the generation of the standard "descriptor()" accessor, which can + // conflict with a field of the same name. This is meant to make migration + // from proto1 easier; new code should avoid fields named "descriptor". + optional bool no_standard_descriptor_accessor = 2 [default = false]; + + // Is this message deprecated? + // Depending on the target platform, this can emit Deprecated annotations + // for the message, or it will be completely ignored; in the very least, + // this is a formalization for deprecating messages. + optional bool deprecated = 3 [default = false]; + + reserved 4, 5, 6; + + // Whether the message is an automatically generated map entry type for the + // maps field. + // + // For maps fields: + // map map_field = 1; + // The parsed descriptor looks like: + // message MapFieldEntry { + // option map_entry = true; + // optional KeyType key = 1; + // optional ValueType value = 2; + // } + // repeated MapFieldEntry map_field = 1; + // + // Implementations may choose not to generate the map_entry=true message, but + // use a native map in the target language to hold the keys and values. + // The reflection APIs in such implementations still need to work as + // if the field is a repeated message field. + // + // NOTE: Do not set the option in .proto files. Always use the maps syntax + // instead. The option should only be implicitly set by the proto compiler + // parser. + optional bool map_entry = 7; + + reserved 8; // javalite_serializable + reserved 9; // javanano_as_lite + + // Enable the legacy handling of JSON field name conflicts. This lowercases + // and strips underscored from the fields before comparison in proto3 only. + // The new behavior takes `json_name` into account and applies to proto2 as + // well. + // + // This should only be used as a temporary measure against broken builds due + // to the change in behavior for JSON field name conflicts. + // + // TODO This is legacy behavior we plan to remove once downstream + // teams have had time to migrate. + optional bool deprecated_legacy_json_field_conflicts = 11 [deprecated = true]; + + // Any features defined in the specific edition. + // WARNING: This field should only be used by protobuf plugins or special + // cases like the proto compiler. Other uses are discouraged and + // developers should rely on the protoreflect APIs for their client language. + optional FeatureSet features = 12; + + // The parser stores options it doesn't recognize here. See above. + repeated UninterpretedOption uninterpreted_option = 999; + + // Clients can define custom options in extensions of this message. See above. + extensions 1000 to max; +} + +message FieldOptions { + // NOTE: ctype is deprecated. Use `features.(pb.cpp).string_type` instead. + // The ctype option instructs the C++ code generator to use a different + // representation of the field than it normally would. See the specific + // options below. This option is only implemented to support use of + // [ctype=CORD] and [ctype=STRING] (the default) on non-repeated fields of + // type "bytes" in the open source release. + // TODO: make ctype actually deprecated. + optional CType ctype = 1 [/*deprecated = true,*/ default = STRING]; + enum CType { + // Default mode. + STRING = 0; + + // The option [ctype=CORD] may be applied to a non-repeated field of type + // "bytes". It indicates that in C++, the data should be stored in a Cord + // instead of a string. For very large strings, this may reduce memory + // fragmentation. It may also allow better performance when parsing from a + // Cord, or when parsing with aliasing enabled, as the parsed Cord may then + // alias the original buffer. + CORD = 1; + + STRING_PIECE = 2; + } + // The packed option can be enabled for repeated primitive fields to enable + // a more efficient representation on the wire. Rather than repeatedly + // writing the tag and type for each element, the entire array is encoded as + // a single length-delimited blob. In proto3, only explicit setting it to + // false will avoid using packed encoding. This option is prohibited in + // Editions, but the `repeated_field_encoding` feature can be used to control + // the behavior. + optional bool packed = 2; + + // The jstype option determines the JavaScript type used for values of the + // field. The option is permitted only for 64 bit integral and fixed types + // (int64, uint64, sint64, fixed64, sfixed64). A field with jstype JS_STRING + // is represented as JavaScript string, which avoids loss of precision that + // can happen when a large value is converted to a floating point JavaScript. + // Specifying JS_NUMBER for the jstype causes the generated JavaScript code to + // use the JavaScript "number" type. The behavior of the default option + // JS_NORMAL is implementation dependent. + // + // This option is an enum to permit additional types to be added, e.g. + // goog.math.Integer. + optional JSType jstype = 6 [default = JS_NORMAL]; + enum JSType { + // Use the default type. + JS_NORMAL = 0; + + // Use JavaScript strings. + JS_STRING = 1; + + // Use JavaScript numbers. + JS_NUMBER = 2; + } + + // Should this field be parsed lazily? Lazy applies only to message-type + // fields. It means that when the outer message is initially parsed, the + // inner message's contents will not be parsed but instead stored in encoded + // form. The inner message will actually be parsed when it is first accessed. + // + // This is only a hint. Implementations are free to choose whether to use + // eager or lazy parsing regardless of the value of this option. However, + // setting this option true suggests that the protocol author believes that + // using lazy parsing on this field is worth the additional bookkeeping + // overhead typically needed to implement it. + // + // This option does not affect the public interface of any generated code; + // all method signatures remain the same. Furthermore, thread-safety of the + // interface is not affected by this option; const methods remain safe to + // call from multiple threads concurrently, while non-const methods continue + // to require exclusive access. + // + // Note that lazy message fields are still eagerly verified to check + // ill-formed wireformat or missing required fields. Calling IsInitialized() + // on the outer message would fail if the inner message has missing required + // fields. Failed verification would result in parsing failure (except when + // uninitialized messages are acceptable). + optional bool lazy = 5 [default = false]; + + // unverified_lazy does no correctness checks on the byte stream. This should + // only be used where lazy with verification is prohibitive for performance + // reasons. + optional bool unverified_lazy = 15 [default = false]; + + // Is this field deprecated? + // Depending on the target platform, this can emit Deprecated annotations + // for accessors, or it will be completely ignored; in the very least, this + // is a formalization for deprecating fields. + optional bool deprecated = 3 [default = false]; + + // DEPRECATED. DO NOT USE! + // For Google-internal migration only. Do not use. + optional bool weak = 10 [default = false, deprecated = true]; + + // Indicate that the field value should not be printed out when using debug + // formats, e.g. when the field contains sensitive credentials. + optional bool debug_redact = 16 [default = false]; + + // If set to RETENTION_SOURCE, the option will be omitted from the binary. + enum OptionRetention { + RETENTION_UNKNOWN = 0; + RETENTION_RUNTIME = 1; + RETENTION_SOURCE = 2; + } + + optional OptionRetention retention = 17; + + // This indicates the types of entities that the field may apply to when used + // as an option. If it is unset, then the field may be freely used as an + // option on any kind of entity. + enum OptionTargetType { + TARGET_TYPE_UNKNOWN = 0; + TARGET_TYPE_FILE = 1; + TARGET_TYPE_EXTENSION_RANGE = 2; + TARGET_TYPE_MESSAGE = 3; + TARGET_TYPE_FIELD = 4; + TARGET_TYPE_ONEOF = 5; + TARGET_TYPE_ENUM = 6; + TARGET_TYPE_ENUM_ENTRY = 7; + TARGET_TYPE_SERVICE = 8; + TARGET_TYPE_METHOD = 9; + } + + repeated OptionTargetType targets = 19; + + message EditionDefault { + optional Edition edition = 3; + optional string value = 2; // Textproto value. + } + repeated EditionDefault edition_defaults = 20; + + // Any features defined in the specific edition. + // WARNING: This field should only be used by protobuf plugins or special + // cases like the proto compiler. Other uses are discouraged and + // developers should rely on the protoreflect APIs for their client language. + optional FeatureSet features = 21; + + // Information about the support window of a feature. + message FeatureSupport { + // The edition that this feature was first available in. In editions + // earlier than this one, the default assigned to EDITION_LEGACY will be + // used, and proto files will not be able to override it. + optional Edition edition_introduced = 1; + + // The edition this feature becomes deprecated in. Using this after this + // edition may trigger warnings. + optional Edition edition_deprecated = 2; + + // The deprecation warning text if this feature is used after the edition it + // was marked deprecated in. + optional string deprecation_warning = 3; + + // The edition this feature is no longer available in. In editions after + // this one, the last default assigned will be used, and proto files will + // not be able to override it. + optional Edition edition_removed = 4; + } + optional FeatureSupport feature_support = 22; + + // The parser stores options it doesn't recognize here. See above. + repeated UninterpretedOption uninterpreted_option = 999; + + // Clients can define custom options in extensions of this message. See above. + extensions 1000 to max; + + reserved 4; // removed jtype + reserved 18; // reserve target, target_obsolete_do_not_use +} + +message OneofOptions { + // Any features defined in the specific edition. + // WARNING: This field should only be used by protobuf plugins or special + // cases like the proto compiler. Other uses are discouraged and + // developers should rely on the protoreflect APIs for their client language. + optional FeatureSet features = 1; + + // The parser stores options it doesn't recognize here. See above. + repeated UninterpretedOption uninterpreted_option = 999; + + // Clients can define custom options in extensions of this message. See above. + extensions 1000 to max; +} + +message EnumOptions { + + // Set this option to true to allow mapping different tag names to the same + // value. + optional bool allow_alias = 2; + + // Is this enum deprecated? + // Depending on the target platform, this can emit Deprecated annotations + // for the enum, or it will be completely ignored; in the very least, this + // is a formalization for deprecating enums. + optional bool deprecated = 3 [default = false]; + + reserved 5; // javanano_as_lite + + // Enable the legacy handling of JSON field name conflicts. This lowercases + // and strips underscored from the fields before comparison in proto3 only. + // The new behavior takes `json_name` into account and applies to proto2 as + // well. + // TODO Remove this legacy behavior once downstream teams have + // had time to migrate. + optional bool deprecated_legacy_json_field_conflicts = 6 [deprecated = true]; + + // Any features defined in the specific edition. + // WARNING: This field should only be used by protobuf plugins or special + // cases like the proto compiler. Other uses are discouraged and + // developers should rely on the protoreflect APIs for their client language. + optional FeatureSet features = 7; + + // The parser stores options it doesn't recognize here. See above. + repeated UninterpretedOption uninterpreted_option = 999; + + // Clients can define custom options in extensions of this message. See above. + extensions 1000 to max; +} + +message EnumValueOptions { + // Is this enum value deprecated? + // Depending on the target platform, this can emit Deprecated annotations + // for the enum value, or it will be completely ignored; in the very least, + // this is a formalization for deprecating enum values. + optional bool deprecated = 1 [default = false]; + + // Any features defined in the specific edition. + // WARNING: This field should only be used by protobuf plugins or special + // cases like the proto compiler. Other uses are discouraged and + // developers should rely on the protoreflect APIs for their client language. + optional FeatureSet features = 2; + + // Indicate that fields annotated with this enum value should not be printed + // out when using debug formats, e.g. when the field contains sensitive + // credentials. + optional bool debug_redact = 3 [default = false]; + + // Information about the support window of a feature value. + optional FieldOptions.FeatureSupport feature_support = 4; + + // The parser stores options it doesn't recognize here. See above. + repeated UninterpretedOption uninterpreted_option = 999; + + // Clients can define custom options in extensions of this message. See above. + extensions 1000 to max; +} + +message ServiceOptions { + + // Any features defined in the specific edition. + // WARNING: This field should only be used by protobuf plugins or special + // cases like the proto compiler. Other uses are discouraged and + // developers should rely on the protoreflect APIs for their client language. + optional FeatureSet features = 34; + + // Note: Field numbers 1 through 32 are reserved for Google's internal RPC + // framework. We apologize for hoarding these numbers to ourselves, but + // we were already using them long before we decided to release Protocol + // Buffers. + + // Is this service deprecated? + // Depending on the target platform, this can emit Deprecated annotations + // for the service, or it will be completely ignored; in the very least, + // this is a formalization for deprecating services. + optional bool deprecated = 33 [default = false]; + + // The parser stores options it doesn't recognize here. See above. + repeated UninterpretedOption uninterpreted_option = 999; + + // Clients can define custom options in extensions of this message. See above. + extensions 1000 to max; +} + +message MethodOptions { + + // Note: Field numbers 1 through 32 are reserved for Google's internal RPC + // framework. We apologize for hoarding these numbers to ourselves, but + // we were already using them long before we decided to release Protocol + // Buffers. + + // Is this method deprecated? + // Depending on the target platform, this can emit Deprecated annotations + // for the method, or it will be completely ignored; in the very least, + // this is a formalization for deprecating methods. + optional bool deprecated = 33 [default = false]; + + // Is this method side-effect-free (or safe in HTTP parlance), or idempotent, + // or neither? HTTP based RPC implementation may choose GET verb for safe + // methods, and PUT verb for idempotent methods instead of the default POST. + enum IdempotencyLevel { + IDEMPOTENCY_UNKNOWN = 0; + NO_SIDE_EFFECTS = 1; // implies idempotent + IDEMPOTENT = 2; // idempotent, but may have side effects + } + optional IdempotencyLevel idempotency_level = 34 + [default = IDEMPOTENCY_UNKNOWN]; + + // Any features defined in the specific edition. + // WARNING: This field should only be used by protobuf plugins or special + // cases like the proto compiler. Other uses are discouraged and + // developers should rely on the protoreflect APIs for their client language. + optional FeatureSet features = 35; + + // The parser stores options it doesn't recognize here. See above. + repeated UninterpretedOption uninterpreted_option = 999; + + // Clients can define custom options in extensions of this message. See above. + extensions 1000 to max; +} + +// A message representing a option the parser does not recognize. This only +// appears in options protos created by the compiler::Parser class. +// DescriptorPool resolves these when building Descriptor objects. Therefore, +// options protos in descriptor objects (e.g. returned by Descriptor::options(), +// or produced by Descriptor::CopyTo()) will never have UninterpretedOptions +// in them. +message UninterpretedOption { + // The name of the uninterpreted option. Each string represents a segment in + // a dot-separated name. is_extension is true iff a segment represents an + // extension (denoted with parentheses in options specs in .proto files). + // E.g.,{ ["foo", false], ["bar.baz", true], ["moo", false] } represents + // "foo.(bar.baz).moo". + message NamePart { + required string name_part = 1; + required bool is_extension = 2; + } + repeated NamePart name = 2; + + // The value of the uninterpreted option, in whatever type the tokenizer + // identified it as during parsing. Exactly one of these should be set. + optional string identifier_value = 3; + optional uint64 positive_int_value = 4; + optional int64 negative_int_value = 5; + optional double double_value = 6; + optional bytes string_value = 7; + optional string aggregate_value = 8; +} + +// =================================================================== +// Features + +// TODO Enums in C++ gencode (and potentially other languages) are +// not well scoped. This means that each of the feature enums below can clash +// with each other. The short names we've chosen maximize call-site +// readability, but leave us very open to this scenario. A future feature will +// be designed and implemented to handle this, hopefully before we ever hit a +// conflict here. +message FeatureSet { + enum FieldPresence { + FIELD_PRESENCE_UNKNOWN = 0; + EXPLICIT = 1; + IMPLICIT = 2; + LEGACY_REQUIRED = 3; + } + optional FieldPresence field_presence = 1 [ + retention = RETENTION_RUNTIME, + targets = TARGET_TYPE_FIELD, + targets = TARGET_TYPE_FILE, + feature_support = { + edition_introduced: EDITION_2023, + }, + edition_defaults = { edition: EDITION_LEGACY, value: "EXPLICIT" }, + edition_defaults = { edition: EDITION_PROTO3, value: "IMPLICIT" }, + edition_defaults = { edition: EDITION_2023, value: "EXPLICIT" } + ]; + + enum EnumType { + ENUM_TYPE_UNKNOWN = 0; + OPEN = 1; + CLOSED = 2; + } + optional EnumType enum_type = 2 [ + retention = RETENTION_RUNTIME, + targets = TARGET_TYPE_ENUM, + targets = TARGET_TYPE_FILE, + feature_support = { + edition_introduced: EDITION_2023, + }, + edition_defaults = { edition: EDITION_LEGACY, value: "CLOSED" }, + edition_defaults = { edition: EDITION_PROTO3, value: "OPEN" } + ]; + + enum RepeatedFieldEncoding { + REPEATED_FIELD_ENCODING_UNKNOWN = 0; + PACKED = 1; + EXPANDED = 2; + } + optional RepeatedFieldEncoding repeated_field_encoding = 3 [ + retention = RETENTION_RUNTIME, + targets = TARGET_TYPE_FIELD, + targets = TARGET_TYPE_FILE, + feature_support = { + edition_introduced: EDITION_2023, + }, + edition_defaults = { edition: EDITION_LEGACY, value: "EXPANDED" }, + edition_defaults = { edition: EDITION_PROTO3, value: "PACKED" } + ]; + + enum Utf8Validation { + UTF8_VALIDATION_UNKNOWN = 0; + VERIFY = 2; + NONE = 3; + reserved 1; + } + optional Utf8Validation utf8_validation = 4 [ + retention = RETENTION_RUNTIME, + targets = TARGET_TYPE_FIELD, + targets = TARGET_TYPE_FILE, + feature_support = { + edition_introduced: EDITION_2023, + }, + edition_defaults = { edition: EDITION_LEGACY, value: "NONE" }, + edition_defaults = { edition: EDITION_PROTO3, value: "VERIFY" } + ]; + + enum MessageEncoding { + MESSAGE_ENCODING_UNKNOWN = 0; + LENGTH_PREFIXED = 1; + DELIMITED = 2; + } + optional MessageEncoding message_encoding = 5 [ + retention = RETENTION_RUNTIME, + targets = TARGET_TYPE_FIELD, + targets = TARGET_TYPE_FILE, + feature_support = { + edition_introduced: EDITION_2023, + }, + edition_defaults = { edition: EDITION_LEGACY, value: "LENGTH_PREFIXED" } + ]; + + enum JsonFormat { + JSON_FORMAT_UNKNOWN = 0; + ALLOW = 1; + LEGACY_BEST_EFFORT = 2; + } + optional JsonFormat json_format = 6 [ + retention = RETENTION_RUNTIME, + targets = TARGET_TYPE_MESSAGE, + targets = TARGET_TYPE_ENUM, + targets = TARGET_TYPE_FILE, + feature_support = { + edition_introduced: EDITION_2023, + }, + edition_defaults = { edition: EDITION_LEGACY, value: "LEGACY_BEST_EFFORT" }, + edition_defaults = { edition: EDITION_PROTO3, value: "ALLOW" } + ]; + + enum EnforceNamingStyle { + ENFORCE_NAMING_STYLE_UNKNOWN = 0; + STYLE2024 = 1; + STYLE_LEGACY = 2; + } + optional EnforceNamingStyle enforce_naming_style = 7 [ + retention = RETENTION_SOURCE, + targets = TARGET_TYPE_FILE, + targets = TARGET_TYPE_EXTENSION_RANGE, + targets = TARGET_TYPE_MESSAGE, + targets = TARGET_TYPE_FIELD, + targets = TARGET_TYPE_ONEOF, + targets = TARGET_TYPE_ENUM, + targets = TARGET_TYPE_ENUM_ENTRY, + targets = TARGET_TYPE_SERVICE, + targets = TARGET_TYPE_METHOD, + feature_support = { + edition_introduced: EDITION_2024, + }, + edition_defaults = { edition: EDITION_LEGACY, value: "STYLE_LEGACY" }, + edition_defaults = { edition: EDITION_2024, value: "STYLE2024" } + ]; + + message VisibilityFeature { + enum DefaultSymbolVisibility { + DEFAULT_SYMBOL_VISIBILITY_UNKNOWN = 0; + + // Default pre-EDITION_2024, all UNSET visibility are export. + EXPORT_ALL = 1; + + // All top-level symbols default to export, nested default to local. + EXPORT_TOP_LEVEL = 2; + + // All symbols default to local. + LOCAL_ALL = 3; + + // All symbols local by default. Nested types cannot be exported. + // With special case caveat for message { enum {} reserved 1 to max; } + // This is the recommended setting for new protos. + STRICT = 4; + } + reserved 1 to max; + } + optional VisibilityFeature.DefaultSymbolVisibility default_symbol_visibility = + 8 [ + retention = RETENTION_SOURCE, + targets = TARGET_TYPE_FILE, + feature_support = { + edition_introduced: EDITION_2024, + }, + edition_defaults = { edition: EDITION_LEGACY, value: "EXPORT_ALL" }, + edition_defaults = { edition: EDITION_2024, value: "EXPORT_TOP_LEVEL" } + ]; + + reserved 999; + + extensions 1000 to 9994 [ + declaration = { + number: 1000, + full_name: ".pb.cpp", + type: ".pb.CppFeatures" + }, + declaration = { + number: 1001, + full_name: ".pb.java", + type: ".pb.JavaFeatures" + }, + declaration = { number: 1002, full_name: ".pb.go", type: ".pb.GoFeatures" }, + declaration = { + number: 1003, + full_name: ".pb.python", + type: ".pb.PythonFeatures" + }, + declaration = { + number: 9989, + full_name: ".pb.java_mutable", + type: ".pb.JavaMutableFeatures" + }, + declaration = { + number: 9990, + full_name: ".pb.proto1", + type: ".pb.Proto1Features" + } + ]; + + extensions 9995 to 9999; // For internal testing + extensions 10000; // for https://github.com/bufbuild/protobuf-es +} + +// A compiled specification for the defaults of a set of features. These +// messages are generated from FeatureSet extensions and can be used to seed +// feature resolution. The resolution with this object becomes a simple search +// for the closest matching edition, followed by proto merges. +message FeatureSetDefaults { + // A map from every known edition with a unique set of defaults to its + // defaults. Not all editions may be contained here. For a given edition, + // the defaults at the closest matching edition ordered at or before it should + // be used. This field must be in strict ascending order by edition. + message FeatureSetEditionDefault { + optional Edition edition = 3; + + // Defaults of features that can be overridden in this edition. + optional FeatureSet overridable_features = 4; + + // Defaults of features that can't be overridden in this edition. + optional FeatureSet fixed_features = 5; + + reserved 1, 2; + reserved "features"; + } + repeated FeatureSetEditionDefault defaults = 1; + + // The minimum supported edition (inclusive) when this was constructed. + // Editions before this will not have defaults. + optional Edition minimum_edition = 4; + + // The maximum known edition (inclusive) when this was constructed. Editions + // after this will not have reliable defaults. + optional Edition maximum_edition = 5; +} + +// =================================================================== +// Optional source code info + +// Encapsulates information about the original source file from which a +// FileDescriptorProto was generated. +message SourceCodeInfo { + // A Location identifies a piece of source code in a .proto file which + // corresponds to a particular definition. This information is intended + // to be useful to IDEs, code indexers, documentation generators, and similar + // tools. + // + // For example, say we have a file like: + // message Foo { + // optional string foo = 1; + // } + // Let's look at just the field definition: + // optional string foo = 1; + // ^ ^^ ^^ ^ ^^^ + // a bc de f ghi + // We have the following locations: + // span path represents + // [a,i) [ 4, 0, 2, 0 ] The whole field definition. + // [a,b) [ 4, 0, 2, 0, 4 ] The label (optional). + // [c,d) [ 4, 0, 2, 0, 5 ] The type (string). + // [e,f) [ 4, 0, 2, 0, 1 ] The name (foo). + // [g,h) [ 4, 0, 2, 0, 3 ] The number (1). + // + // Notes: + // - A location may refer to a repeated field itself (i.e. not to any + // particular index within it). This is used whenever a set of elements are + // logically enclosed in a single code segment. For example, an entire + // extend block (possibly containing multiple extension definitions) will + // have an outer location whose path refers to the "extensions" repeated + // field without an index. + // - Multiple locations may have the same path. This happens when a single + // logical declaration is spread out across multiple places. The most + // obvious example is the "extend" block again -- there may be multiple + // extend blocks in the same scope, each of which will have the same path. + // - A location's span is not always a subset of its parent's span. For + // example, the "extendee" of an extension declaration appears at the + // beginning of the "extend" block and is shared by all extensions within + // the block. + // - Just because a location's span is a subset of some other location's span + // does not mean that it is a descendant. For example, a "group" defines + // both a type and a field in a single declaration. Thus, the locations + // corresponding to the type and field and their components will overlap. + // - Code which tries to interpret locations should probably be designed to + // ignore those that it doesn't understand, as more types of locations could + // be recorded in the future. + repeated Location location = 1; + message Location { + // Identifies which part of the FileDescriptorProto was defined at this + // location. + // + // Each element is a field number or an index. They form a path from + // the root FileDescriptorProto to the place where the definition appears. + // For example, this path: + // [ 4, 3, 2, 7, 1 ] + // refers to: + // file.message_type(3) // 4, 3 + // .field(7) // 2, 7 + // .name() // 1 + // This is because FileDescriptorProto.message_type has field number 4: + // repeated DescriptorProto message_type = 4; + // and DescriptorProto.field has field number 2: + // repeated FieldDescriptorProto field = 2; + // and FieldDescriptorProto.name has field number 1: + // optional string name = 1; + // + // Thus, the above path gives the location of a field name. If we removed + // the last element: + // [ 4, 3, 2, 7 ] + // this path refers to the whole field declaration (from the beginning + // of the label to the terminating semicolon). + repeated int32 path = 1 [packed = true]; + + // Always has exactly three or four elements: start line, start column, + // end line (optional, otherwise assumed same as start line), end column. + // These are packed into a single field for efficiency. Note that line + // and column numbers are zero-based -- typically you will want to add + // 1 to each before displaying to a user. + repeated int32 span = 2 [packed = true]; + + // If this SourceCodeInfo represents a complete declaration, these are any + // comments appearing before and after the declaration which appear to be + // attached to the declaration. + // + // A series of line comments appearing on consecutive lines, with no other + // tokens appearing on those lines, will be treated as a single comment. + // + // leading_detached_comments will keep paragraphs of comments that appear + // before (but not connected to) the current element. Each paragraph, + // separated by empty lines, will be one comment element in the repeated + // field. + // + // Only the comment content is provided; comment markers (e.g. //) are + // stripped out. For block comments, leading whitespace and an asterisk + // will be stripped from the beginning of each line other than the first. + // Newlines are included in the output. + // + // Examples: + // + // optional int32 foo = 1; // Comment attached to foo. + // // Comment attached to bar. + // optional int32 bar = 2; + // + // optional string baz = 3; + // // Comment attached to baz. + // // Another line attached to baz. + // + // // Comment attached to moo. + // // + // // Another line attached to moo. + // optional double moo = 4; + // + // // Detached comment for corge. This is not leading or trailing comments + // // to moo or corge because there are blank lines separating it from + // // both. + // + // // Detached comment for corge paragraph 2. + // + // optional string corge = 5; + // /* Block comment attached + // * to corge. Leading asterisks + // * will be removed. */ + // /* Block comment attached to + // * grault. */ + // optional int32 grault = 6; + // + // // ignored detached comments. + optional string leading_comments = 3; + optional string trailing_comments = 4; + repeated string leading_detached_comments = 6; + } + + // Extensions for tooling. + extensions 536000000 [declaration = { + number: 536000000 + type: ".buf.descriptor.v1.SourceCodeInfoExtension" + full_name: ".buf.descriptor.v1.buf_source_code_info_extension" + }]; +} + +// Describes the relationship between generated code and its original source +// file. A GeneratedCodeInfo message is associated with only one generated +// source file, but may contain references to different source .proto files. +message GeneratedCodeInfo { + // An Annotation connects some span of text in generated code to an element + // of its generating .proto file. + repeated Annotation annotation = 1; + message Annotation { + // Identifies the element in the original source .proto file. This field + // is formatted the same as SourceCodeInfo.Location.path. + repeated int32 path = 1 [packed = true]; + + // Identifies the filesystem path to the original source .proto. + optional string source_file = 2; + + // Identifies the starting offset in bytes in the generated code + // that relates to the identified object. + optional int32 begin = 3; + + // Identifies the ending offset in bytes in the generated code that + // relates to the identified object. The end offset should be one past + // the last relevant byte (so the length of the text = end - begin). + optional int32 end = 4; + + // Represents the identified object's effect on the element in the original + // .proto file. + enum Semantic { + // There is no effect or the effect is indescribable. + NONE = 0; + // The element is set or otherwise mutated. + SET = 1; + // An alias to the element is returned. + ALIAS = 2; + } + optional Semantic semantic = 5; + } +} + +// Describes the 'visibility' of a symbol with respect to the proto import +// system. Symbols can only be imported when the visibility rules do not prevent +// it (ex: local symbols cannot be imported). Visibility modifiers can only set +// on `message` and `enum` as they are the only types available to be referenced +// from other files. +enum SymbolVisibility { + VISIBILITY_UNSET = 0; + VISIBILITY_LOCAL = 1; + VISIBILITY_EXPORT = 2; +} diff --git a/modules/sync/protocolbuffers/wellknowntypes/cas/93a810721dfe089dd61b6a954cbab842c3c6cb9c814cb6286589f66fd148151151847291fd5668bcb8002f6f298364721e1c7c474e1be5d0d184ff37a635d8ce b/modules/sync/protocolbuffers/wellknowntypes/cas/93a810721dfe089dd61b6a954cbab842c3c6cb9c814cb6286589f66fd148151151847291fd5668bcb8002f6f298364721e1c7c474e1be5d0d184ff37a635d8ce new file mode 100644 index 00000000..fd308bd4 --- /dev/null +++ b/modules/sync/protocolbuffers/wellknowntypes/cas/93a810721dfe089dd61b6a954cbab842c3c6cb9c814cb6286589f66fd148151151847291fd5668bcb8002f6f298364721e1c7c474e1be5d0d184ff37a635d8ce @@ -0,0 +1,145 @@ +// Protocol Buffers - Google's data interchange format +// Copyright 2008 Google Inc. All rights reserved. +// https://developers.google.com/protocol-buffers/ +// +// Redistribution and use in source and binary forms, with or without +// modification, are permitted provided that the following conditions are +// met: +// +// * Redistributions of source code must retain the above copyright +// notice, this list of conditions and the following disclaimer. +// * Redistributions in binary form must reproduce the above +// copyright notice, this list of conditions and the following disclaimer +// in the documentation and/or other materials provided with the +// distribution. +// * Neither the name of Google Inc. nor the names of its +// contributors may be used to endorse or promote products derived from +// this software without specific prior written permission. +// +// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR +// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT +// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT +// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE +// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + +syntax = "proto3"; + +package google.protobuf; + +option cc_enable_arenas = true; +option go_package = "google.golang.org/protobuf/types/known/timestamppb"; +option java_package = "com.google.protobuf"; +option java_outer_classname = "TimestampProto"; +option java_multiple_files = true; +option objc_class_prefix = "GPB"; +option csharp_namespace = "Google.Protobuf.WellKnownTypes"; + +// A Timestamp represents a point in time independent of any time zone or local +// calendar, encoded as a count of seconds and fractions of seconds at +// nanosecond resolution. The count is relative to an epoch at UTC midnight on +// January 1, 1970, in the proleptic Gregorian calendar which extends the +// Gregorian calendar backwards to year one. +// +// All minutes are 60 seconds long. Leap seconds are "smeared" so that no leap +// second table is needed for interpretation, using a [24-hour linear +// smear](https://developers.google.com/time/smear). +// +// The range is from 0001-01-01T00:00:00Z to 9999-12-31T23:59:59.999999999Z. By +// restricting to that range, we ensure that we can convert to and from [RFC +// 3339](https://www.ietf.org/rfc/rfc3339.txt) date strings. +// +// # Examples +// +// Example 1: Compute Timestamp from POSIX `time()`. +// +// Timestamp timestamp; +// timestamp.set_seconds(time(NULL)); +// timestamp.set_nanos(0); +// +// Example 2: Compute Timestamp from POSIX `gettimeofday()`. +// +// struct timeval tv; +// gettimeofday(&tv, NULL); +// +// Timestamp timestamp; +// timestamp.set_seconds(tv.tv_sec); +// timestamp.set_nanos(tv.tv_usec * 1000); +// +// Example 3: Compute Timestamp from Win32 `GetSystemTimeAsFileTime()`. +// +// FILETIME ft; +// GetSystemTimeAsFileTime(&ft); +// UINT64 ticks = (((UINT64)ft.dwHighDateTime) << 32) | ft.dwLowDateTime; +// +// // A Windows tick is 100 nanoseconds. Windows epoch 1601-01-01T00:00:00Z +// // is 11644473600 seconds before Unix epoch 1970-01-01T00:00:00Z. +// Timestamp timestamp; +// timestamp.set_seconds((INT64) ((ticks / 10000000) - 11644473600LL)); +// timestamp.set_nanos((INT32) ((ticks % 10000000) * 100)); +// +// Example 4: Compute Timestamp from Java `System.currentTimeMillis()`. +// +// long millis = System.currentTimeMillis(); +// +// Timestamp timestamp = Timestamp.newBuilder().setSeconds(millis / 1000) +// .setNanos((int) ((millis % 1000) * 1000000)).build(); +// +// Example 5: Compute Timestamp from Java `Instant.now()`. +// +// Instant now = Instant.now(); +// +// Timestamp timestamp = +// Timestamp.newBuilder().setSeconds(now.getEpochSecond()) +// .setNanos(now.getNano()).build(); +// +// Example 6: Compute Timestamp from current time in Python. +// +// timestamp = Timestamp() +// timestamp.GetCurrentTime() +// +// # JSON Mapping +// +// In JSON format, the Timestamp type is encoded as a string in the +// [RFC 3339](https://www.ietf.org/rfc/rfc3339.txt) format. That is, the +// format is "{year}-{month}-{day}T{hour}:{min}:{sec}[.{frac_sec}]Z" +// where {year} is always expressed using four digits while {month}, {day}, +// {hour}, {min}, and {sec} are zero-padded to two digits each. The fractional +// seconds, which can go up to 9 digits (i.e. up to 1 nanosecond resolution), +// are optional. The "Z" suffix indicates the timezone ("UTC"); the timezone +// is required. A proto3 JSON serializer should always use UTC (as indicated by +// "Z") when printing the Timestamp type and a proto3 JSON parser should be +// able to accept both UTC and other timezones (as indicated by an offset). +// +// For example, "2017-01-15T01:30:15.01Z" encodes 15.01 seconds past +// 01:30 UTC on January 15, 2017. +// +// In JavaScript, one can convert a Date object to this format using the +// standard +// [toISOString()](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/toISOString) +// method. In Python, a standard `datetime.datetime` object can be converted +// to this format using +// [`strftime`](https://docs.python.org/2/library/time.html#time.strftime) with +// the time format spec '%Y-%m-%dT%H:%M:%S.%fZ'. Likewise, in Java, one can use +// the Joda Time's [`ISODateTimeFormat.dateTime()`]( +// http://joda-time.sourceforge.net/apidocs/org/joda/time/format/ISODateTimeFormat.html#dateTime() +// ) to obtain a formatter capable of generating timestamps in this format. +// +message Timestamp { + // Represents seconds of UTC time since Unix epoch 1970-01-01T00:00:00Z. Must + // be between -315576000000 and 315576000000 inclusive (which corresponds to + // 0001-01-01T00:00:00Z to 9999-12-31T23:59:59Z). + int64 seconds = 1; + + // Non-negative fractions of a second at nanosecond resolution. This field is + // the nanosecond portion of the duration, not an alternative to seconds. + // Negative second values with fractions must still have non-negative nanos + // values that count forward in time. Must be between 0 and 999,999,999 + // inclusive. + int32 nanos = 2; +} diff --git a/modules/sync/protocolbuffers/wellknowntypes/state.json b/modules/sync/protocolbuffers/wellknowntypes/state.json index b975a50c..4a511bec 100644 --- a/modules/sync/protocolbuffers/wellknowntypes/state.json +++ b/modules/sync/protocolbuffers/wellknowntypes/state.json @@ -459,6 +459,10 @@ { "name": "v32.1", "digest": "7e2aa4fb37e2be8dc8a4bcbebaec00635abbcc7333df40ba6412a666335f66c5c0705ce4cc5c207e728412ac3d81850545f90e8535da66712a17ab42923be6bd" + }, + { + "name": "v33.0", + "digest": "49b3059e6608c257ea7cf60926a16fb8bb1f3d37f39862e66db55338a4ebf59a4aebff39fdfd1f6d4e66ece567db327ff5846a09b51762574b857a27e77a2b55" } ] } \ No newline at end of file diff --git a/modules/sync/state.json b/modules/sync/state.json index 1adf2fa6..fa1debe5 100644 --- a/modules/sync/state.json +++ b/modules/sync/state.json @@ -18,11 +18,11 @@ }, { "module_name": "cncf/xds", - "latest_reference": "2ac532fd44436293585084f8d94c6bdb17835af0" + "latest_reference": "2ee22ca5838277e4cff0f0219b1c62e5c0cd3cc1" }, { "module_name": "envoyproxy/envoy", - "latest_reference": "v1.35.3" + "latest_reference": "v1.36.2" }, { "module_name": "envoyproxy/protoc-gen-validate", @@ -42,11 +42,11 @@ }, { "module_name": "googleapis/googleapis", - "latest_reference": "7186b66aac6d5b1f9eec99d394e472d216e4ff73" + "latest_reference": "c288189b43c016dd3cf1ec73ce3cadee8b732f07" }, { "module_name": "googlechrome/lighthouse", - "latest_reference": "v12.8.2" + "latest_reference": "v13.0.0" }, { "module_name": "googlecloudplatform/bq-schema-api", @@ -74,7 +74,7 @@ }, { "module_name": "protocolbuffers/wellknowntypes", - "latest_reference": "v32.1" + "latest_reference": "v33.0" } ] } \ No newline at end of file