|
|
|
syntax = "proto3";
|
|
|
|
|
|
|
|
package envoy.api.v2;
|
|
|
|
|
|
|
|
import "api/address.proto";
|
|
|
|
import "api/base.proto";
|
|
|
|
import "api/discovery.proto";
|
|
|
|
import "api/sds.proto";
|
|
|
|
|
|
|
|
import "google/api/annotations.proto";
|
|
|
|
import "google/protobuf/struct.proto";
|
|
|
|
import "google/protobuf/wrappers.proto";
|
|
|
|
|
|
|
|
import "validate/validate.proto";
|
|
|
|
|
|
|
|
// [#protodoc-title: Listeners and LDS]
|
|
|
|
// Listener :ref:`configuration overview <config_listeners>`
|
|
|
|
|
|
|
|
// The Envoy instance initiates an RPC at startup to discover a list of
|
|
|
|
// listeners. Updates are delivered via streaming from the LDS server and
|
|
|
|
// consist of a complete update of all listeners. Existing connections will be
|
|
|
|
// allowed to drain from listeners that are no longer present.
|
|
|
|
service ListenerDiscoveryService {
|
|
|
|
rpc StreamListeners(stream DiscoveryRequest) returns (stream DiscoveryResponse) {
|
|
|
|
}
|
|
|
|
|
|
|
|
rpc FetchListeners(DiscoveryRequest) returns (DiscoveryResponse) {
|
|
|
|
option (google.api.http) = {
|
|
|
|
post: "/v2/discovery:listeners"
|
|
|
|
body: "*"
|
|
|
|
};
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
message Listener {
|
|
|
|
// The unique name by which this listener is known. If no name is provided,
|
|
|
|
// Envoy will allocate an internal UUID for the listener. If the listener is to be dynamically
|
|
|
|
// updated or removed via :ref:`LDS <config_listeners_lds>` a unique name must be provided.
|
|
|
|
// By default, the maximum length of a listener's name is limited to 60 characters. This limit can
|
|
|
|
// be increased by setting the :option:`--max-obj-name-len` command line argument to the desired
|
|
|
|
// value.
|
|
|
|
string name = 1;
|
|
|
|
|
|
|
|
// The address that the listener should listen on. In general, the address must be unique, though
|
|
|
|
// that is governed by the bind rules of the OS. E.g., multiple listeners can listen on port 0 on
|
|
|
|
// Linux as the actual port will be allocated by the OS.
|
|
|
|
Address address = 2 [(validate.rules).message.required = true];
|
|
|
|
|
|
|
|
// A list of filter chains to consider for this listener. The
|
|
|
|
// :ref:`FilterChain <envoy_api_msg_FilterChain>` with the most specific :ref:`FilterChainMatch
|
|
|
|
// <envoy_api_msg_FilterChainMatch>` criteria is used on a connection.
|
|
|
|
//
|
|
|
|
// .. attention::
|
|
|
|
//
|
|
|
|
// In the current version, multiple filter chains are supported **only** so that SNI can be
|
|
|
|
// configured. See the :ref:`FAQ entry <faq_how_to_setup_sni>` on how to configure SNI for more
|
|
|
|
// information. When multiple filter chains are configured, each filter chain must have an
|
|
|
|
// **identical** set of :ref:`filters <envoy_api_field_FilterChain.filters>`. If the filters
|
|
|
|
// differ, the configuration will fail to load. In the future, this limitation will be relaxed
|
|
|
|
// such that different filters can be used depending on which filter chain matches (based on SNI
|
|
|
|
// or some other parameter).
|
|
|
|
repeated FilterChain filter_chains = 3 [(validate.rules).repeated .min_items = 1];
|
|
|
|
|
|
|
|
// If a connection is redirected using *iptables*, the port on which the proxy
|
|
|
|
// receives it might be different from the original destination address. When this flag is set to
|
|
|
|
// true, the listener hands off redirected connections to the listener associated with the
|
|
|
|
// original destination address. If there is no listener associated with the original destination
|
|
|
|
// address, the connection is handled by the listener that receives it. Defaults to false.
|
|
|
|
google.protobuf.BoolValue use_original_dst = 4;
|
|
|
|
|
|
|
|
// Soft limit on size of the listener’s new connection read and write buffers.
|
|
|
|
// If unspecified, an implementation defined default is applied (1MiB).
|
|
|
|
google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5;
|
|
|
|
|
|
|
|
// [#not-implemented-hide:] Listener metadata.
|
|
|
|
Metadata metadata = 6;
|
|
|
|
|
|
|
|
// [#not-implemented-hide:]
|
|
|
|
message DeprecatedV1 {
|
|
|
|
// Whether the listener should bind to the port. A listener that doesn’t
|
|
|
|
// bind can only receive connections redirected from other listeners that
|
|
|
|
// set use_original_dst parameter to true. Default is true.
|
|
|
|
//
|
|
|
|
// [V2-API-DIFF] This is deprecated in v2, all Listeners will bind to their
|
|
|
|
// port. An additional filter chain must be created for every original
|
|
|
|
// destination port this listener may redirect to in v2, with the original
|
|
|
|
// port specified in the FilterChainMatch destination_port field.
|
|
|
|
google.protobuf.BoolValue bind_to_port = 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
// [#not-implemented-hide:]
|
|
|
|
DeprecatedV1 deprecated_v1 = 7;
|
|
|
|
|
|
|
|
enum DrainType {
|
|
|
|
// Drain in response to calling /healthcheck/fail admin endpoint (along with the health check
|
|
|
|
// filter), listener removal/modification, and hot restart.
|
|
|
|
DEFAULT = 0;
|
|
|
|
// Drain in response to listener removal/modification and hot restart. This setting does not
|
|
|
|
// include /healthcheck/fail. This setting may be desirable if Envoy is hosting both ingress
|
|
|
|
// and egress listeners.
|
|
|
|
MODIFY_ONLY = 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
// The type of draining to perform at a listener-wide level.
|
|
|
|
DrainType drain_type = 8;
|
|
|
|
}
|
|
|
|
|
|
|
|
message Filter {
|
|
|
|
// The name of the filter to instantiate. The name must match a supported
|
|
|
|
// filter. The built-in filters are:
|
|
|
|
//
|
|
|
|
// [#comment:TODO(mattklein123): Auto generate the following list]
|
|
|
|
// * :ref:`envoy.client_ssl_auth<config_network_filters_client_ssl_auth>`
|
|
|
|
// * :ref:`envoy.echo <config_network_filters_echo>`
|
|
|
|
// * :ref:`envoy.http_connection_manager <config_http_conn_man>`
|
|
|
|
// * :ref:`envoy.mongo_proxy <config_network_filters_mongo_proxy>`
|
|
|
|
// * :ref:`envoy.ratelimit <config_network_filters_rate_limit>`
|
|
|
|
// * :ref:`envoy.redis_proxy <config_network_filters_redis_proxy>`
|
|
|
|
// * :ref:`envoy.tcp_proxy <config_network_filters_tcp_proxy>`
|
|
|
|
string name = 1 [(validate.rules).string.min_bytes = 1];
|
|
|
|
|
|
|
|
// Filter specific configuration which depends on the filter being
|
|
|
|
// instantiated. See the supported filters for further documentation.
|
|
|
|
google.protobuf.Struct config = 2;
|
|
|
|
|
|
|
|
// [#not-implemented-hide:]
|
|
|
|
message DeprecatedV1 {
|
|
|
|
string type = 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
// [#not-implemented-hide:]
|
|
|
|
DeprecatedV1 deprecated_v1 = 3;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Specifies the match criteria for selecting a specific filter chain for a
|
|
|
|
// listener.
|
|
|
|
message FilterChainMatch {
|
|
|
|
// If non-empty, the SNI domains to consider. May contain a wildcard prefix,
|
|
|
|
// e.g. ``*.example.com``.
|
|
|
|
//
|
|
|
|
// .. attention::
|
|
|
|
//
|
|
|
|
// See the :ref:`FAQ entry <faq_how_to_setup_sni>` on how to configure SNI for more
|
|
|
|
// information.
|
|
|
|
repeated string sni_domains = 1;
|
|
|
|
|
|
|
|
// If non-empty, an IP address and prefix length to match addresses when the
|
|
|
|
// listener is bound to 0.0.0.0/:: or when use_original_dst is specified.
|
|
|
|
// [#not-implemented-hide:]
|
|
|
|
repeated CidrRange prefix_ranges = 3;
|
|
|
|
|
|
|
|
// If non-empty, an IP address and suffix length to match addresses when the
|
|
|
|
// listener is bound to 0.0.0.0/:: or when use_original_dst is specified.
|
|
|
|
// [#not-implemented-hide:]
|
|
|
|
string address_suffix = 4;
|
|
|
|
|
|
|
|
// [#not-implemented-hide:]
|
|
|
|
google.protobuf.UInt32Value suffix_len = 5;
|
|
|
|
|
|
|
|
// The criteria is satisfied if the source IP address of the downstream
|
|
|
|
// connection is contained in at least one of the specified subnets. If the
|
|
|
|
// parameter is not specified or the list is empty, the source IP address is
|
|
|
|
// ignored.
|
|
|
|
// [#not-implemented-hide:]
|
|
|
|
repeated CidrRange source_prefix_ranges = 6;
|
|
|
|
|
|
|
|
// The criteria is satisfied if the source port of the downstream connection
|
|
|
|
// is contained in at least one of the specified ports. If the parameter is
|
|
|
|
// not specified, the source port is ignored.
|
|
|
|
// [#not-implemented-hide:]
|
|
|
|
repeated google.protobuf.UInt32Value source_ports = 7;
|
|
|
|
|
|
|
|
// Optional destination port to consider when use_original_dst is set on the
|
|
|
|
// listener in determining a filter chain match.
|
|
|
|
// [#not-implemented-hide:]
|
|
|
|
google.protobuf.UInt32Value destination_port = 8;
|
|
|
|
}
|
|
|
|
|
|
|
|
// A filter chain wraps a set of match criteria, an option TLS context, a set of filters, and
|
|
|
|
// various other parameters.
|
|
|
|
message FilterChain {
|
|
|
|
// The criteria to use when matching a connection to this filter chain.
|
|
|
|
FilterChainMatch filter_chain_match = 1;
|
|
|
|
|
|
|
|
// The TLS context for this filter chain.
|
|
|
|
DownstreamTlsContext tls_context = 2;
|
|
|
|
|
|
|
|
// A list of individual network filters that make up the filter chain for
|
|
|
|
// connections established with the listener. Order matters as the filters are
|
|
|
|
// processed sequentially as connection events happen. Note: If the filter
|
|
|
|
// list is empty, the connection will close by default.
|
|
|
|
repeated Filter filters = 3;
|
|
|
|
|
|
|
|
// Whether the listener should expect a PROXY protocol V1 header on new
|
|
|
|
// connections. If this option is enabled, the listener will assume that that
|
|
|
|
// remote address of the connection is the one specified in the header. Some
|
|
|
|
// load balancers including the AWS ELB support this option. If the option is
|
|
|
|
// absent or set to false, Envoy will use the physical peer address of the
|
|
|
|
// connection as the remote address.
|
|
|
|
google.protobuf.BoolValue use_proxy_proto = 4;
|
|
|
|
|
|
|
|
// [#not-implemented-hide:] filter chain metadata.
|
|
|
|
Metadata metadata = 5;
|
|
|
|
|
|
|
|
// [#not-implemented-hide:] See base.TransportSocket description.
|
|
|
|
TransportSocket transport_socket = 6;
|
|
|
|
}
|