Allow to define API version for extensions that call external services (#11583)

This patch allows configuring the API version for gRPC external services. This specifies the version of the endpoint and message to be used.

Affected extensions:

- filters/http/ext_authz
- filters/network/ext_authz
- filters/http/ratelimit
- filters/network/ratelimit
- access_loggers/grpc
- stat_sinks/metrics_service

Affected upstream services:

- upstream/health_discovery_service
- upstream/load_stats_reporter

Additional Description:

tap
- TapSinkService is not yet implemented.
- TapDiscoveryService uses theconfig.core.v3.ApiConfigSource and is not yet implemented.
trace
- StreamTraces has no implemented client inside the code-base (implemented externally?)

Risk Level: Low
Testing: Added.
Docs Changes: Added.
Release Notes: Added.

Fixes #10609

Signed-off-by: Dhi Aurrahman <dio@tetrate.io>

Mirrored from https://github.com/envoyproxy/envoy @ 96920250a05e62095a68fbaf4f77612179e5af32

envoy/config/core/v3/config_source.proto

@@ -19,7 +19,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 
 // [#protodoc-title: Configuration sources]
 
-// xDS API version. This is used to describe both resource and transport
+// xDS API and non-xDS services version. This is used to describe both resource and transport
 // protocol versions (in distinct configuration fields).
 enum ApiVersion {
   // When not specified, we assume v2, to ease migration to Envoy's stable API

envoy/config/core/v4alpha/config_source.proto

@@ -19,7 +19,7 @@ option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSIO
 
 // [#protodoc-title: Configuration sources]
 
-// xDS API version. This is used to describe both resource and transport
+// xDS API and non-xDS services version. This is used to describe both resource and transport
 // protocol versions (in distinct configuration fields).
 enum ApiVersion {
   // When not specified, we assume v2, to ease migration to Envoy's stable API

envoy/config/metrics/v3/metrics_service.proto

@@ -2,6 +2,7 @@ syntax = "proto3";
 
 package envoy.config.metrics.v3;
 
+import "envoy/config/core/v3/config_source.proto";
 import "envoy/config/core/v3/grpc_service.proto";
 
 import "google/protobuf/wrappers.proto";
@@ -28,6 +29,10 @@ message MetricsServiceConfig {
   // The upstream gRPC cluster that hosts the metrics service.
   core.v3.GrpcService grpc_service = 1 [(validate.rules).message = {required: true}];
 
+  // API version for metric service transport protocol. This describes the metric service gRPC
+  // endpoint and version of messages used on the wire.
+  core.v3.ApiVersion transport_api_version = 3 [(validate.rules).enum = {defined_only: true}];
+
   // If true, counters are reported as the delta between flushing intervals. Otherwise, the current
   // counter value is reported. Defaults to false.
   // Eventually (https://github.com/envoyproxy/envoy/issues/10968) if this value is not set, the

envoy/config/metrics/v4alpha/metrics_service.proto

@@ -2,6 +2,7 @@ syntax = "proto3";
 
 package envoy.config.metrics.v4alpha;
 
+import "envoy/config/core/v4alpha/config_source.proto";
 import "envoy/config/core/v4alpha/grpc_service.proto";
 
 import "google/protobuf/wrappers.proto";
@@ -28,6 +29,10 @@ message MetricsServiceConfig {
   // The upstream gRPC cluster that hosts the metrics service.
   core.v4alpha.GrpcService grpc_service = 1 [(validate.rules).message = {required: true}];
 
+  // API version for metric service transport protocol. This describes the metric service gRPC
+  // endpoint and version of messages used on the wire.
+  core.v4alpha.ApiVersion transport_api_version = 3 [(validate.rules).enum = {defined_only: true}];
+
   // If true, counters are reported as the delta between flushing intervals. Otherwise, the current
   // counter value is reported. Defaults to false.
   // Eventually (https://github.com/envoyproxy/envoy/issues/10968) if this value is not set, the

envoy/config/ratelimit/v3/rls.proto

@@ -2,6 +2,7 @@ syntax = "proto3";
 
 package envoy.config.ratelimit.v3;
 
+import "envoy/config/core/v3/config_source.proto";
 import "envoy/config/core/v3/grpc_service.proto";
 
 import "udpa/annotations/status.proto";
@@ -26,4 +27,8 @@ message RateLimitServiceConfig {
   // will connect to this cluster when it needs to make rate limit service
   // requests.
   core.v3.GrpcService grpc_service = 2 [(validate.rules).message = {required: true}];
+
+  // API version for rate limit transport protocol. This describes the rate limit gRPC endpoint and
+  // version of messages used on the wire.
+  core.v3.ApiVersion transport_api_version = 4 [(validate.rules).enum = {defined_only: true}];
 }

envoy/extensions/access_loggers/grpc/v3/als.proto

@@ -2,6 +2,7 @@ syntax = "proto3";
 
 package envoy.extensions.access_loggers.grpc.v3;
 
+import "envoy/config/core/v3/config_source.proto";
 import "envoy/config/core/v3/grpc_service.proto";
 
 import "google/protobuf/duration.proto";
@@ -53,7 +54,7 @@ message TcpGrpcAccessLogConfig {
 }
 
 // Common configuration for gRPC access logs.
-// [#next-free-field: 6]
+// [#next-free-field: 7]
 message CommonGrpcAccessLogConfig {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.accesslog.v2.CommonGrpcAccessLogConfig";
@@ -66,6 +67,11 @@ message CommonGrpcAccessLogConfig {
   // The gRPC service for the access log service.
   config.core.v3.GrpcService grpc_service = 2 [(validate.rules).message = {required: true}];
 
+  // API version for access logs service transport protocol. This describes the access logs service
+  // gRPC endpoint and version of messages used on the wire.
+  config.core.v3.ApiVersion transport_api_version = 6
+      [(validate.rules).enum = {defined_only: true}];
+
   // Interval for flushing access logs to the gRPC stream. Logger will flush requests every time
   // this interval is elapsed, or when batch size limit is hit, whichever comes first. Defaults to
   // 1 second.

envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto

@@ -3,6 +3,7 @@ syntax = "proto3";
 package envoy.extensions.filters.http.ext_authz.v3;
 
 import "envoy/config/core/v3/base.proto";
+import "envoy/config/core/v3/config_source.proto";
 import "envoy/config/core/v3/grpc_service.proto";
 import "envoy/config/core/v3/http_uri.proto";
 import "envoy/type/matcher/v3/string.proto";
@@ -22,7 +23,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
 // [#extension: envoy.filters.http.ext_authz]
 
-// [#next-free-field: 12]
+// [#next-free-field: 13]
 message ExtAuthz {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.ext_authz.v2.ExtAuthz";
@@ -40,6 +41,11 @@ message ExtAuthz {
     HttpService http_service = 3;
   }
 
+  // API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and
+  // version of messages used on the wire.
+  config.core.v3.ApiVersion transport_api_version = 12
+      [(validate.rules).enum = {defined_only: true}];
+
   //  Changes filter's behaviour on errors:
   //
   //  1. When set to true, the filter will *accept* client request even if the communication with

envoy/extensions/filters/http/ext_authz/v4alpha/ext_authz.proto

@@ -3,6 +3,7 @@ syntax = "proto3";
 package envoy.extensions.filters.http.ext_authz.v4alpha;
 
 import "envoy/config/core/v4alpha/base.proto";
+import "envoy/config/core/v4alpha/config_source.proto";
 import "envoy/config/core/v4alpha/grpc_service.proto";
 import "envoy/config/core/v4alpha/http_uri.proto";
 import "envoy/type/matcher/v4alpha/string.proto";
@@ -22,7 +23,7 @@ option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSIO
 // External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
 // [#extension: envoy.filters.http.ext_authz]
 
-// [#next-free-field: 12]
+// [#next-free-field: 13]
 message ExtAuthz {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.extensions.filters.http.ext_authz.v3.ExtAuthz";
@@ -40,6 +41,11 @@ message ExtAuthz {
     HttpService http_service = 3;
   }
 
+  // API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and
+  // version of messages used on the wire.
+  config.core.v4alpha.ApiVersion transport_api_version = 12
+      [(validate.rules).enum = {defined_only: true}];
+
   //  Changes filter's behaviour on errors:
   //
   //  1. When set to true, the filter will *accept* client request even if the communication with

envoy/extensions/filters/network/ext_authz/v3/ext_authz.proto

@@ -2,6 +2,7 @@ syntax = "proto3";
 
 package envoy.extensions.filters.network.ext_authz.v3;
 
+import "envoy/config/core/v3/config_source.proto";
 import "envoy/config/core/v3/grpc_service.proto";
 
 import "udpa/annotations/status.proto";
@@ -22,6 +23,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // gRPC Authorization API defined by
 // :ref:`CheckRequest <envoy_api_msg_service.auth.v3.CheckRequest>`.
 // A failed check will cause this filter to close the TCP connection.
+// [#next-free-field: 6]
 message ExtAuthz {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.network.ext_authz.v2.ExtAuthz";
@@ -44,4 +46,9 @@ message ExtAuthz {
   // When this field is true, Envoy will include the peer X.509 certificate, if available, in the
   // :ref:`certificate<envoy_api_field_service.auth.v3.AttributeContext.Peer.certificate>`.
   bool include_peer_certificate = 4;
+
+  // API version for ext_authz transport protocol. This describes the ext_authz gRPC endpoint and
+  // version of Check{Request,Response} used on the wire.
+  config.core.v3.ApiVersion transport_api_version = 5
+      [(validate.rules).enum = {defined_only: true}];
 }