|
|
|
|
# API style guidelines
|
|
|
|
|
|
|
|
|
|
Generally follow guidance at https://cloud.google.com/apis/design/, in
|
|
|
|
|
particular for proto3 as described at:
|
|
|
|
|
|
|
|
|
|
* https://cloud.google.com/apis/design/proto3
|
|
|
|
|
* https://cloud.google.com/apis/design/naming_convention
|
|
|
|
|
* https://developers.google.com/protocol-buffers/docs/style
|
|
|
|
|
|
|
|
|
|
In addition, the following conventions should be followed:
|
|
|
|
|
|
|
|
|
|
* For protos that are [frozen](https://www.envoyproxy.io/docs/envoy/latest/configuration/overview/v2_overview#status),
|
|
|
|
|
the following guidelines are followed:
|
|
|
|
|
|
|
|
|
|
* Fields should not be renumbered or have their types changed. This is standard proto development
|
|
|
|
|
procedure.
|
|
|
|
|
* If fields are deleted, the following syntax should be put in their place:
|
|
|
|
|
|
|
|
|
|
```proto
|
|
|
|
|
reserved <field index>;
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
E.g.,
|
|
|
|
|
|
|
|
|
|
```proto
|
|
|
|
|
reserved 15;
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
* Renaming of fields or package namespaces for a proto must not occur. This is inherently dangerous, since:
|
|
|
|
|
* Fields renames break wire compatibility. This is stricter than standard proto development procedure
|
|
|
|
|
in the sense that it does not break binary wire format. However, it **does** break loading
|
|
|
|
|
of YAML/JSON into protos as well as text protos. Since we consider YAML/JSON to be first class
|
|
|
|
|
inputs, we must not change field names.
|
|
|
|
|
|
|
|
|
|
* For service definitions, the gRPC endpoint URL is inferred from package
|
|
|
|
|
namespace, so this will break client/server communication.
|
|
|
|
|
|
|
|
|
|
* For a message embedded in an `Any` object, the type URL, which the package
|
|
|
|
|
namespace is a part of, may be used by Envoy or other API consuming code.
|
|
|
|
|
Currently, this applies to the top-level resources embedded in
|
|
|
|
|
`DiscoveryResponse` objects, e.g. `Cluster`, `Listener`, etc.
|
|
|
|
|
|
|
|
|
|
* Consuming code will break and require source change to match the changes.
|
|
|
|
|
|
|
|
|
|
* Non-frozen fields should be tagged with `[#not-implemented-hide:]`, `[#not-implemented-warn:]`,
|
|
|
|
|
`[#proto-status: draft]` or `[#proto-status: experimental]`.
|
|
|
|
|
|
|
|
|
|
* Protos for configs and services that are not implemented immediately in
|
|
|
|
|
Envoy, or are under active design and development should be versioned
|
|
|
|
|
"v2alpha". If several iterations of the alpha API are expected, then versions
|
|
|
|
|
"v2alpha1", "v2alpha2", and so on are preferred. Alpha-versioned protos are
|
|
|
|
|
considered experimental and are not required to preserve compatibility.
|
|
|
|
|
|
|
|
|
|
* Every proto directory should have a `README.md` describing its content. See
|
|
|
|
|
for example [envoy.service](envoy/service/README.md).
|
|
|
|
|
|
|
|
|
|
* The data plane APIs are primarily intended for machine generation and consumption.
|
|
|
|
|
It is expected that the management server is responsible for mapping higher
|
|
|
|
|
level configuration concepts to concrete API concepts. Similarly, static configuration
|
|
|
|
|
fragments may be generated by tools and UIs, etc. The APIs and tools used
|
|
|
|
|
to generate xDS configuration are beyond the scope of the definitions in this
|
|
|
|
|
repository.
|
|
|
|
|
|
|
|
|
|
* Use [wrapped scalar
|
|
|
|
|
types](https://github.com/google/protobuf/blob/master/src/google/protobuf/wrappers.proto)
|
|
|
|
|
where there is a real need for the field to have a default value that does not
|
|
|
|
|
match the proto3 defaults (0/false/""). This should not be done for fields
|
|
|
|
|
where the proto3 defaults make sense. All things being equal, pick appropriate
|
|
|
|
|
logic, e.g. enable vs. disable for a `bool` field, such that the proto3
|
|
|
|
|
defaults work, but only where this doesn't result in API gymnastics.
|
|
|
|
|
|
|
|
|
|
* Always use plural field names for `repeated` fields, such as `filters`.
|
|
|
|
|
|
|
|
|
|
* Due to the fact that we consider JSON/YAML to be first class inputs, we cannot easily change a
|
|
|
|
|
a singular field to a repeated field (both due to JSON/YAML array structural differences as well
|
|
|
|
|
as singular vs. plural field naming). If there is a reasonable expectation that a field may need
|
|
|
|
|
to be repeated in the future, but we don't need it to be repeated right away, consider making it
|
|
|
|
|
repeated now but using constraints to enforce a maximum repeated size of 1. E.g.:
|
|
|
|
|
|
|
|
|
|
```proto
|
|
|
|
|
repeated OutputSink sinks = 1 [(validate.rules).repeated = {min_items: 1, max_items: 1}];
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
* Always use upper camel case names for message types and enum types without embedded
|
|
|
|
|
acronyms, such as `HttpRequest`.
|
|
|
|
|
|
|
|
|
|
* Prefer `oneof` selections to boolean overloads of fields, for example, prefer:
|
|
|
|
|
|
|
|
|
|
```proto
|
|
|
|
|
oneof path_specifier {
|
|
|
|
|
string simple_path = 1;
|
|
|
|
|
string regex_path = 2;
|
|
|
|
|
}
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
to
|
|
|
|
|
|
|
|
|
|
```proto
|
|
|
|
|
string path = 1;
|
|
|
|
|
bool path_is_regex = 2;
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
This is more efficient, extendable and self-describing.
|
|
|
|
|
|
|
|
|
|
* The API includes two types for representing [percents](envoy/type/percent.proto). `Percent` is
|
|
|
|
|
effectively a double value in the range 0.0-100.0. `FractionalPercent` is an integral fraction
|
|
|
|
|
that can be used to create a truncated percentage also in the range 0.0-100.0. In high performance
|
|
|
|
|
paths, `FractionalPercent` is preferred as randomness calculations can be performed using integral
|
|
|
|
|
modulo and comparison operations only without any floating point conversions. Typically, most
|
|
|
|
|
users do not need infinite precision in these paths.
|
|
|
|
|
|
|
|
|
|
* For enum types, if one of the enum values is used for most cases, make it the
|
|
|
|
|
first enum value with `0` numeric value. Otherwise, define the first enum
|
|
|
|
|
value like `TYPE_NAME_UNSPECIFIED = 0`, and treat it as an error. This design
|
|
|
|
|
pattern forces developers to explicitly choose the correct enum value for
|
|
|
|
|
their use case, and avoid misunderstanding of the default behavior.
|
|
|
|
|
|
|
|
|
|
* Proto fields should be sorted logically, not by field number. For large protos, place a comment
|
|
|
|
|
at the top that specifies the next free field number. E.g.,
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
// [#comment:next free field: 28]
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
* The [Breaking Change
|
|
|
|
|
Policy](https://github.com/envoyproxy/envoy/blob/master//CONTRIBUTING.md#breaking-change-policy) describes
|
|
|
|
|
API versioning, deprecation and compatibility.
|
|
|
|
|
|
|
|
|
|
## Package organization
|
|
|
|
|
|
|
|
|
|
API definitions are layered hierarchically in packages from top-to-bottom:
|
|
|
|
|
|
|
|
|
|
- `envoy.service` contains gRPC definitions of supporting services;
|
|
|
|
|
- `envoy.config` contains definitions for service configuration, filter
|
|
|
|
|
configuration, and bootstrap;
|
|
|
|
|
- `envoy.api.v2` contains definitions for EDS, CDS, RDS, LDS, and top-level
|
|
|
|
|
resources such as `Cluster`;
|
|
|
|
|
- `envoy.api.v2.endpoint`, `envoy.api.v2.cluster`, `envoy.api.v2.route`,
|
|
|
|
|
`envoy.api.v2.listener`, `envoy.api.v2.ratelimit` define sub-messages of the top-level resources;
|
|
|
|
|
- `envoy.api.v2.core` and `envoy.api.v2.auth` hold core definitions consumed
|
|
|
|
|
throughout the API.
|
|
|
|
|
|
|
|
|
|
Dependencies are enforced from top-to-bottom using visibility constraints in
|
|
|
|
|
the build system to prevent circular dependency formation. Package group
|
|
|
|
|
`//envoy/api/v2:friends` selects consumers of the core API package (services and configs)
|
|
|
|
|
and is the default visibility for the core API packages. The default visibility
|
|
|
|
|
for services and configs should be `//docs` (proto documentation tool).
|
|
|
|
|
|
|
|
|
|
Extensions should use the regular hierarchy. For example, configuration for network filters belongs
|
|
|
|
|
in a package under `envoy.config.filter.network`.
|
