transport socket: api and implementation for startTls transport socket (#13112)

Signed-off-by: Christoph Pakulski <christoph@tetrate.io>

Mirrored from https://github.com/envoyproxy/envoy @ 98e8bf3f09fa2af3735217bfc7046517250cdfd2

BUILD

@@ -244,6 +244,7 @@ proto_library(
         "//envoy/extensions/transport_sockets/proxy_protocol/v3:pkg",
         "//envoy/extensions/transport_sockets/quic/v3:pkg",
         "//envoy/extensions/transport_sockets/raw_buffer/v3:pkg",
+        "//envoy/extensions/transport_sockets/starttls/v3:pkg",
         "//envoy/extensions/transport_sockets/tap/v3:pkg",
         "//envoy/extensions/transport_sockets/tls/v3:pkg",
         "//envoy/extensions/upstreams/http/generic/v3:pkg",

envoy/extensions/transport_sockets/starttls/v3/BUILD

@@ -0,0 +1,13 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/extensions/transport_sockets/raw_buffer/v3:pkg",
+        "//envoy/extensions/transport_sockets/tls/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)

envoy/extensions/transport_sockets/starttls/v3/starttls.proto

@@ -0,0 +1,38 @@
+syntax = "proto3";
+
+package envoy.extensions.transport_sockets.starttls.v3;
+
+import "envoy/extensions/transport_sockets/raw_buffer/v3/raw_buffer.proto";
+import "envoy/extensions/transport_sockets/tls/v3/tls.proto";
+
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.starttls.v3";
+option java_outer_classname = "StarttlsProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: StartTls]
+// [#extension: envoy.transport_sockets.starttls]
+
+// StartTls transport socket addresses situations when a protocol starts in clear-text and
+// negotiates an in-band switch to TLS. StartTls transport socket is protocol agnostic and requires
+// a network filter which understands protocol exchange and a state machine to signal to the StartTls
+// transport socket when a switch to TLS is required.
+
+// Configuration for StartTls transport socket.
+// StartTls transport socket wraps two sockets:
+// - raw_buffer socket which is used at the beginning of the session
+// - TLS socket used when a protocol negotiates a switch to encrypted traffic.
+message StartTlsConfig {
+  // (optional) Configuration for clear-text socket used at the beginning of the session.
+  raw_buffer.v3.RawBuffer cleartext_socket_config = 1;
+
+  // Configuration for TLS socket.
+  transport_sockets.tls.v3.DownstreamTlsContext tls_socket_config = 2
+      [(validate.rules).message = {required: true}];
+}

envoy/extensions/transport_sockets/starttls/v4alpha/BUILD

@@ -0,0 +1,14 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/extensions/transport_sockets/raw_buffer/v3:pkg",
+        "//envoy/extensions/transport_sockets/starttls/v3:pkg",
+        "//envoy/extensions/transport_sockets/tls/v4alpha:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)

envoy/extensions/transport_sockets/starttls/v4alpha/starttls.proto

@@ -0,0 +1,41 @@
+syntax = "proto3";
+
+package envoy.extensions.transport_sockets.starttls.v4alpha;
+
+import "envoy/extensions/transport_sockets/raw_buffer/v3/raw_buffer.proto";
+import "envoy/extensions/transport_sockets/tls/v4alpha/tls.proto";
+
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.transport_sockets.starttls.v4alpha";
+option java_outer_classname = "StarttlsProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
+
+// [#protodoc-title: StartTls]
+// [#extension: envoy.transport_sockets.starttls]
+
+// StartTls transport socket addresses situations when a protocol starts in clear-text and
+// negotiates an in-band switch to TLS. StartTls transport socket is protocol agnostic and requires
+// a network filter which understands protocol exchange and a state machine to signal to the StartTls
+// transport socket when a switch to TLS is required.
+
+// Configuration for StartTls transport socket.
+// StartTls transport socket wraps two sockets:
+// - raw_buffer socket which is used at the beginning of the session
+// - TLS socket used when a protocol negotiates a switch to encrypted traffic.
+message StartTlsConfig {
+  option (udpa.annotations.versioning).previous_message_type =
+      "envoy.extensions.transport_sockets.starttls.v3.StartTlsConfig";
+
+  // (optional) Configuration for clear-text socket used at the beginning of the session.
+  raw_buffer.v3.RawBuffer cleartext_socket_config = 1;
+
+  // Configuration for TLS socket.
+  transport_sockets.tls.v4alpha.DownstreamTlsContext tls_socket_config = 2
+      [(validate.rules).message = {required: true}];
+}

versioning/BUILD

@@ -127,6 +127,7 @@ proto_library(
         "//envoy/extensions/transport_sockets/proxy_protocol/v3:pkg",
         "//envoy/extensions/transport_sockets/quic/v3:pkg",
         "//envoy/extensions/transport_sockets/raw_buffer/v3:pkg",
+        "//envoy/extensions/transport_sockets/starttls/v3:pkg",
         "//envoy/extensions/transport_sockets/tap/v3:pkg",
         "//envoy/extensions/transport_sockets/tls/v3:pkg",
         "//envoy/extensions/upstreams/http/generic/v3:pkg",