async-grpc-xds 0.0.1

data/proto/envoy/config/core/v3/cel.proto

@@ -0,0 +1,63 @@
+syntax = "proto3";
+
+package envoy.config.core.v3;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.config.core.v3";
+option java_outer_classname = "CelProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: CEL Expression Configuration]
+
+// CEL expression evaluation configuration.
+// These options control the behavior of the Common Expression Language runtime for
+// individual CEL expressions.
+message CelExpressionConfig {
+  // Enable string conversion functions for CEL expressions. When enabled, CEL expressions
+  // can convert values to strings using the ``string()`` function.
+  //
+  // .. attention::
+  //
+  //   This option is disabled by default to avoid unbounded memory allocation.
+  //   CEL evaluation cost is typically bounded by the expression size, but converting
+  //   arbitrary values (e.g., large messages, lists, or maps) to strings may allocate
+  //   memory proportional to input data size, which can be unbounded and lead to
+  //   memory exhaustion.
+  bool enable_string_conversion = 1;
+
+  // Enable string concatenation for CEL expressions. When enabled, CEL expressions
+  // can concatenate strings using the ``+`` operator.
+  //
+  // .. attention::
+  //
+  //   This option is disabled by default to avoid unbounded memory allocation.
+  //   While CEL normally bounds evaluation by expression size, enabling string
+  //   concatenation allows building outputs whose size depends on input data,
+  //   potentially causing large intermediate allocations and memory exhaustion.
+  bool enable_string_concat = 2;
+
+  // Enable string manipulation functions for CEL expressions. When enabled, CEL
+  // expressions can use additional string functions:
+  //
+  // * ``replace(old, new)`` - Replaces all occurrences of ``old`` with ``new``.
+  // * ``split(separator)`` - Splits a string into a list of substrings.
+  // * ``lowerAscii()`` - Converts ASCII characters to lowercase.
+  // * ``upperAscii()`` - Converts ASCII characters to uppercase.
+  //
+  // .. note::
+  //
+  //   Standard CEL string functions like ``contains()``, ``startsWith()``, and
+  //   ``endsWith()`` are always available regardless of this setting.
+  //
+  // .. attention::
+  //
+  //   This option is disabled by default to avoid unbounded memory allocation.
+  //   Although CEL generally bounds evaluation by expression size, functions such as
+  //   ``replace``, ``split``, ``lowerAscii()``, and ``upperAscii()`` can allocate memory
+  //   proportional to input data size. Under adversarial inputs this can lead to
+  //   unbounded allocations and memory exhaustion.
+  bool enable_string_functions = 3;
+}

data/proto/envoy/config/core/v3/config_source.proto

@@ -0,0 +1,283 @@
+syntax = "proto3";
+
+package envoy.config.core.v3;
+
+import "envoy/config/core/v3/base.proto";
+import "envoy/config/core/v3/extension.proto";
+import "envoy/config/core/v3/grpc_service.proto";
+
+import "google/protobuf/any.proto";
+import "google/protobuf/duration.proto";
+import "google/protobuf/wrappers.proto";
+
+import "xds/core/v3/authority.proto";
+
+import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.config.core.v3";
+option java_outer_classname = "ConfigSourceProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Configuration sources]
+
+// xDS API and non-xDS services version. This is used to describe both resource and transport
+// protocol versions (in distinct configuration fields).
+enum ApiVersion {
+  // When not specified, we assume v3; it is the only supported version.
+  AUTO = 0;
+
+  // Use xDS v2 API. This is no longer supported.
+  V2 = 1 [deprecated = true, (envoy.annotations.deprecated_at_minor_version_enum) = "3.0"];
+
+  // Use xDS v3 API.
+  V3 = 2;
+}
+
+// API configuration source. This identifies the API type and cluster that Envoy
+// will use to fetch an xDS API.
+// [#next-free-field: 10]
+message ApiConfigSource {
+  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.ApiConfigSource";
+
+  // APIs may be fetched via either REST or gRPC.
+  enum ApiType {
+    // Ideally this would be 'reserved 0' but one can't reserve the default
+    // value. Instead we throw an exception if this is ever used.
+    DEPRECATED_AND_UNAVAILABLE_DO_NOT_USE = 0
+        [deprecated = true, (envoy.annotations.disallowed_by_default_enum) = true];
+
+    // REST-JSON v2 API. The `canonical JSON encoding
+    // <https://developers.google.com/protocol-buffers/docs/proto3#json>`_ for
+    // the v2 protos is used.
+    REST = 1;
+
+    // SotW gRPC service.
+    GRPC = 2;
+
+    // Using the delta xDS gRPC service, i.e. DeltaDiscovery{Request,Response}
+    // rather than Discovery{Request,Response}. Rather than sending Envoy the entire state
+    // with every update, the xDS server only sends what has changed since the last update.
+    DELTA_GRPC = 3;
+
+    // SotW xDS gRPC with ADS. All resources which resolve to this configuration source will be
+    // multiplexed on a single connection to an ADS endpoint.
+    // [#not-implemented-hide:]
+    AGGREGATED_GRPC = 5;
+
+    // Delta xDS gRPC with ADS. All resources which resolve to this configuration source will be
+    // multiplexed on a single connection to an ADS endpoint.
+    // [#not-implemented-hide:]
+    AGGREGATED_DELTA_GRPC = 6;
+  }
+
+  // API type (gRPC, REST, delta gRPC)
+  ApiType api_type = 1 [(validate.rules).enum = {defined_only: true}];
+
+  // API version for xDS transport protocol. This describes the xDS gRPC/REST
+  // endpoint and version of [Delta]DiscoveryRequest/Response used on the wire.
+  ApiVersion transport_api_version = 8 [(validate.rules).enum = {defined_only: true}];
+
+  // Cluster names should be used only with REST. If > 1
+  // cluster is defined, clusters will be cycled through if any kind of failure
+  // occurs.
+  //
+  // .. note::
+  //
+  //  The cluster with name ``cluster_name`` must be statically defined and its
+  //  type must not be ``EDS``.
+  repeated string cluster_names = 2;
+
+  // Multiple gRPC services be provided for GRPC. If > 1 cluster is defined,
+  // services will be cycled through if any kind of failure occurs.
+  repeated GrpcService grpc_services = 4;
+
+  // For REST APIs, the delay between successive polls.
+  google.protobuf.Duration refresh_delay = 3;
+
+  // For REST APIs, the request timeout. If not set, a default value of 1s will be used.
+  google.protobuf.Duration request_timeout = 5 [(validate.rules).duration = {gt {}}];
+
+  // For GRPC APIs, the rate limit settings. If present, discovery requests made by Envoy will be
+  // rate limited.
+  RateLimitSettings rate_limit_settings = 6;
+
+  // Skip the node identifier in subsequent discovery requests for streaming gRPC config types.
+  bool set_node_on_first_message_only = 7;
+
+  // A list of config validators that will be executed when a new update is
+  // received from the ApiConfigSource. Note that each validator handles a
+  // specific xDS service type, and only the validators corresponding to the
+  // type url (in ``:ref: DiscoveryResponse`` or ``:ref: DeltaDiscoveryResponse``)
+  // will be invoked.
+  // If the validator returns false or throws an exception, the config will be rejected by
+  // the client, and a NACK will be sent.
+  // [#extension-category: envoy.config.validators]
+  repeated TypedExtensionConfig config_validators = 9;
+}
+
+// Aggregated Discovery Service (ADS) options. This is currently empty, but when
+// set in :ref:`ConfigSource <envoy_v3_api_msg_config.core.v3.ConfigSource>` can be used to
+// specify that ADS is to be used.
+message AggregatedConfigSource {
+  option (udpa.annotations.versioning).previous_message_type =
+      "envoy.api.v2.core.AggregatedConfigSource";
+}
+
+// [#not-implemented-hide:]
+// Self-referencing config source options. This is currently empty, but when
+// set in :ref:`ConfigSource <envoy_v3_api_msg_config.core.v3.ConfigSource>` can be used to
+// specify that other data can be obtained from the same server.
+message SelfConfigSource {
+  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.SelfConfigSource";
+
+  // API version for xDS transport protocol. This describes the xDS gRPC/REST
+  // endpoint and version of [Delta]DiscoveryRequest/Response used on the wire.
+  ApiVersion transport_api_version = 1 [(validate.rules).enum = {defined_only: true}];
+}
+
+// Rate Limit settings to be applied for discovery requests made by Envoy.
+message RateLimitSettings {
+  option (udpa.annotations.versioning).previous_message_type =
+      "envoy.api.v2.core.RateLimitSettings";
+
+  // Maximum number of tokens to be used for rate limiting discovery request calls. If not set, a
+  // default value of 100 will be used.
+  google.protobuf.UInt32Value max_tokens = 1;
+
+  // Rate at which tokens will be filled per second. If not set, a default fill rate of 10 tokens
+  // per second will be used. The minimal fill rate is once per year. Lower
+  // fill rates will be set to once per year.
+  google.protobuf.DoubleValue fill_rate = 2 [(validate.rules).double = {gt: 0.0}];
+}
+
+// Local filesystem path configuration source.
+message PathConfigSource {
+  // Path on the filesystem to source and watch for configuration updates.
+  // When sourcing configuration for a :ref:`secret <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.Secret>`,
+  // the certificate and key files are also watched for updates.
+  //
+  // .. note::
+  //
+  //  The path to the source must exist at config load time.
+  //
+  // .. note::
+  //
+  //   If ``watched_directory`` is *not* configured, Envoy will watch the file path for *moves*.
+  //   This is because in general only moves are atomic. The same method of swapping files as is
+  //   demonstrated in the :ref:`runtime documentation <config_runtime_symbolic_link_swap>` can be
+  //   used here also. If ``watched_directory`` is configured, no watch will be placed directly on
+  //   this path. Instead, the configured ``watched_directory`` will be used to trigger reloads of
+  //   this path. This is required in certain deployment scenarios. See below for more information.
+  string path = 1 [(validate.rules).string = {min_len: 1}];
+
+  // If configured, this directory will be watched for *moves*. When an entry in this directory is
+  // moved to, the ``path`` will be reloaded. This is required in certain deployment scenarios.
+  //
+  // Specifically, if trying to load an xDS resource using a
+  // `Kubernetes ConfigMap <https://kubernetes.io/docs/concepts/configuration/configmap/>`_, the
+  // following configuration might be used:
+  // 1. Store xds.yaml inside a ConfigMap.
+  // 2. Mount the ConfigMap to ``/config_map/xds``
+  // 3. Configure path ``/config_map/xds/xds.yaml``
+  // 4. Configure watched directory ``/config_map/xds``
+  //
+  // The above configuration will ensure that Envoy watches the owning directory for moves which is
+  // required due to how Kubernetes manages ConfigMap symbolic links during atomic updates.
+  WatchedDirectory watched_directory = 2;
+}
+
+// Configuration for :ref:`listeners <config_listeners>`, :ref:`clusters
+// <config_cluster_manager>`, :ref:`routes
+// <envoy_v3_api_msg_config.route.v3.RouteConfiguration>`, :ref:`endpoints
+// <arch_overview_service_discovery>` etc. may either be sourced from the
+// filesystem or from an xDS API source. Filesystem configs are watched with
+// inotify for updates.
+// [#next-free-field: 9]
+message ConfigSource {
+  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.ConfigSource";
+
+  // Authorities that this config source may be used for. An authority specified in a xdstp:// URL
+  // is resolved to a ``ConfigSource`` prior to configuration fetch. This field provides the
+  // association between authority name and configuration source.
+  // [#not-implemented-hide:]
+  repeated xds.core.v3.Authority authorities = 7;
+
+  oneof config_source_specifier {
+    option (validate.required) = true;
+
+    // Deprecated in favor of ``path_config_source``. Use that field instead.
+    string path = 1 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+
+    // Local filesystem path configuration source.
+    PathConfigSource path_config_source = 8;
+
+    // API configuration source.
+    ApiConfigSource api_config_source = 2;
+
+    // When set, ADS will be used to fetch resources. The ADS API configuration
+    // source in the bootstrap configuration is used.
+    AggregatedConfigSource ads = 3;
+
+    // [#not-implemented-hide:]
+    // When set, the client will access the resources from the same server it got the
+    // ConfigSource from, although not necessarily from the same stream. This is similar to the
+    // :ref:`ads<envoy_v3_api_field.ConfigSource.ads>` field, except that the client may use a
+    // different stream to the same server. As a result, this field can be used for things
+    // like LRS that cannot be sent on an ADS stream. It can also be used to link from (e.g.)
+    // LDS to RDS on the same server without requiring the management server to know its name
+    // or required credentials.
+    // [#next-major-version: In xDS v3, consider replacing the ads field with this one, since
+    // this field can implicitly mean to use the same stream in the case where the ConfigSource
+    // is provided via ADS and the specified data can also be obtained via ADS.]
+    SelfConfigSource self = 5;
+  }
+
+  // When this timeout is specified, Envoy will wait no longer than the specified time for first
+  // config response on this xDS subscription during the :ref:`initialization process
+  // <arch_overview_initialization>`. After reaching the timeout, Envoy will move to the next
+  // initialization phase, even if the first config is not delivered yet. The timer is activated
+  // when the xDS API subscription starts, and is disarmed on first config update or on error. 0
+  // means no timeout - Envoy will wait indefinitely for the first xDS config (unless another
+  // timeout applies). The default is 15s.
+  google.protobuf.Duration initial_fetch_timeout = 4;
+
+  // API version for xDS resources. This implies the type URLs that the client
+  // will request for resources and the resource type that the client will in
+  // turn expect to be delivered.
+  ApiVersion resource_api_version = 6 [(validate.rules).enum = {defined_only: true}];
+}
+
+// Configuration source specifier for a late-bound extension configuration. The
+// parent resource is warmed until all the initial extension configurations are
+// received, unless the flag to apply the default configuration is set.
+// Subsequent extension updates are atomic on a per-worker basis. Once an
+// extension configuration is applied to a request or a connection, it remains
+// constant for the duration of processing. If the initial delivery of the
+// extension configuration fails, due to a timeout for example, the optional
+// default configuration is applied. Without a default configuration, the
+// extension is disabled, until an extension configuration is received. The
+// behavior of a disabled extension depends on the context. For example, a
+// filter chain with a disabled extension filter rejects all incoming streams.
+message ExtensionConfigSource {
+  ConfigSource config_source = 1 [(validate.rules).any = {required: true}];
+
+  // Optional default configuration to use as the initial configuration if
+  // there is a failure to receive the initial extension configuration or if
+  // ``apply_default_config_without_warming`` flag is set.
+  google.protobuf.Any default_config = 2;
+
+  // Use the default config as the initial configuration without warming and
+  // waiting for the first discovery response. Requires the default configuration
+  // to be supplied.
+  bool apply_default_config_without_warming = 3;
+
+  // A set of permitted extension type URLs for the type encoded inside of the
+  // :ref:`TypedExtensionConfig <envoy_v3_api_msg_config.core.v3.TypedExtensionConfig>`. Extension
+  // configuration updates are rejected if they do not match any type URL in the set.
+  repeated string type_urls = 4 [(validate.rules).repeated = {min_items: 1}];
+}

data/proto/envoy/config/core/v3/event_service_config.proto

@@ -0,0 +1,29 @@
+syntax = "proto3";
+
+package envoy.config.core.v3;
+
+import "envoy/config/core/v3/grpc_service.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.config.core.v3";
+option java_outer_classname = "EventServiceConfigProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#not-implemented-hide:]
+// Configuration of the event reporting service endpoint.
+message EventServiceConfig {
+  option (udpa.annotations.versioning).previous_message_type =
+      "envoy.api.v2.core.EventServiceConfig";
+
+  oneof config_source_specifier {
+    option (validate.required) = true;
+
+    // Specifies the gRPC service that hosts the event reporting service.
+    GrpcService grpc_service = 1;
+  }
+}

data/proto/envoy/config/core/v3/extension.proto

@@ -0,0 +1,32 @@
+syntax = "proto3";
+
+package envoy.config.core.v3;
+
+import "google/protobuf/any.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.config.core.v3";
+option java_outer_classname = "ExtensionProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Extension configuration]
+
+// Message type for extension configuration.
+// [#next-major-version: revisit all existing typed_config that doesn't use this wrapper.].
+message TypedExtensionConfig {
+  // The name of an extension. This is not used to select the extension, instead
+  // it serves the role of an opaque identifier.
+  string name = 1 [(validate.rules).string = {min_len: 1}];
+
+  // The typed config for the extension. The type URL will be used to identify
+  // the extension. In the case that the type URL is ``xds.type.v3.TypedStruct``
+  // (or, for historical reasons, ``udpa.type.v1.TypedStruct``), the inner type
+  // URL of ``TypedStruct`` will be utilized. See the
+  // :ref:`extension configuration overview
+  // <config_overview_extension_configuration>` for further details.
+  google.protobuf.Any typed_config = 2 [(validate.rules).any = {required: true}];
+}

data/proto/envoy/config/core/v3/grpc_method_list.proto

@@ -0,0 +1,33 @@
+syntax = "proto3";
+
+package envoy.config.core.v3;
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.config.core.v3";
+option java_outer_classname = "GrpcMethodListProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: gRPC method list]
+
+// A list of gRPC methods which can be used as an allowlist, for example.
+message GrpcMethodList {
+  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.GrpcMethodList";
+
+  message Service {
+    option (udpa.annotations.versioning).previous_message_type =
+        "envoy.api.v2.core.GrpcMethodList.Service";
+
+    // The name of the gRPC service.
+    string name = 1 [(validate.rules).string = {min_len: 1}];
+
+    // The names of the gRPC methods in this service.
+    repeated string method_names = 2 [(validate.rules).repeated = {min_items: 1}];
+  }
+
+  repeated Service services = 1;
+}