Move envoy.api.v2 core protos to envoy.api.v2.core and organize filters (#452)

There are several main changes in this PR:

Create envoy.api.v2.core packages to break circular dependencies from xDS on to subpackages on to base protos.
Create individual packages for each filter and add independent versioning to each filter.
Add visibility constraints to prevent formation of dependency cycles.
Add gogoproto annotations to improve go code generation.
After moving xDS service definitions and top-level resource protos back to envoy.core.api.v2, cycles were created, since the second-level definitions depend on base protobuf definitions, and are in turn included from xDS; however xDS and base definitions are in the same package.

The solution is to split the base protos into another package, envoy.api.v2.core. That eliminates dependency cycles (validated using go-control-plane).

Added a few gogoproto annotations to improve golang code generation.

Signed-off-by: Kuat Yessenov <kuat@google.com>

.circleci/config.yml

@@ -1,8 +1,12 @@
+references:
+  envoy-build-image: &envoy-build-image
+    envoyproxy/envoy-build:220e5cb537b5185c953de1aac7d0613f8cf155ac
+
 version: 2
 jobs:
    test:
      docker:
-       - image: envoyproxy/envoy-build:52f6880ffbf761c9b809fc3ac208900956ff16b4
+       - image: *envoy-build-image
      resource_class: xlarge
      working_directory: /source
      steps:
@@ -10,7 +14,7 @@ jobs:
        - run: ci/do_ci.sh bazel.test
    docs:
      docker:
-       - image: lyft/envoy-build:114e24c6fd05fc026492e9d2ca5608694e5ea59d
+       - image: *envoy-build-image
      resource_class: xlarge
      working_directory: /source
      steps:
@@ -22,7 +26,7 @@ jobs:
            path: generated/docs
    format:
      docker:
-       - image: lyft/envoy-build:114e24c6fd05fc026492e9d2ca5608694e5ea59d
+       - image: *envoy-build-image
      resource_class: xlarge
      working_directory: /source
      steps:

STYLE.md

@@ -92,3 +92,23 @@ In addition, the following conventions should be followed:
   value like `TYPE_NAME_UNSPECIFIED = 0`, and treat it as an error. This design
   pattern forces developers to explicitly choose the correct enum value for
   their use case, and avoid misunderstanding of the default behavior.
+
+## Package organization
+
+API definitions are layered hierarchically in packages from top-to-bottom:
+
+- `envoy.service` contains gRPC definitions of supporting services;
+- `envoy.config` contains definitions for service configuration, filter
+configuration, and bootstrap;
+- `envoy.api.v2` contains definitions for EDS, CDS, RDS, LDS, and top-level
+resources such as `Cluster`;
+- `envoy.api.v2.endpoint`, `envoy.api.v2.cluster`, `envoy.api.v2.route`,
+`envoy.api.v2.listener`, `envoy.api.v2.ratelimit` define sub-messages of the top-level resources;
+- `envoy.api.v2.core` and `envoy.api.v2.auth` hold core definitions consumed
+throughout the API.
+
+Dependencies are enforced from top-to-bottom using visibility constraints in
+the build system to prevent circular dependency formation. Package group
+`//envoy/api/v2:friends` selects consumers of the core API package (services and configs)
+and is the default visibility for the core API packages. The default visibility
+for services and configs should be `//docs` (proto documentation tool).

bazel/api_build_system.bzl

@@ -77,13 +77,19 @@ def api_go_grpc_library(name, proto, deps = []):
 # gRPC stub generation.
 # TODO(htuch): Automatically generate go_proto_library and go_grpc_library
 # from api_proto_library.
-def api_proto_library(name, srcs = [], deps = [], has_services = 0, require_py = 1):
+def api_proto_library(name, visibility = ["//visibility:private"], srcs = [], deps = [], has_services = 0, require_py = 1):
     # This is now vestigial, since there are no direct consumers in
     # data-plane-api. However, we want to maintain native proto_library support
     # in the proto graph to (1) support future C++ use of native rules with
     # cc_proto_library (or some Bazel aspect that works on proto_library) when
     # it can play well with the PGV plugin and (2) other language support that
     # can make use of native proto_library.
+
+    if visibility == ["//visibility:private"]:
+      visibility = ["//docs"]
+    elif visibility != ["//visibility:public"]:
+      visibility = visibility + ["//docs"]
+
     native.proto_library(
         name = name,
         srcs = srcs,
@@ -99,7 +105,7 @@ def api_proto_library(name, srcs = [], deps = [], has_services = 0, require_py =
             "@com_github_gogo_protobuf//:gogo_proto",
             "@com_lyft_protoc_gen_validate//validate:validate_proto",
         ],
-        visibility = ["//visibility:public"],
+        visibility = visibility,
     )
     # Under the hood, this is just an extension of the Protobuf library's
     # bespoke cc_proto_library. It doesn't consume proto_library as a proto

bazel/repositories.bzl

@@ -198,6 +198,7 @@ api_proto_library(
     srcs = [
         "metrics.proto",
     ],
+    visibility = ["//visibility:public"],
 )
         """,
     )
@@ -214,6 +215,7 @@ api_proto_library(
     srcs = [
         "trace.proto",
     ],
+    visibility = ["//visibility:public"],
 )
         """,
     )

docs/BUILD

@@ -0,0 +1,53 @@
+licenses(["notice"])  # Apache 2
+
+package_group(
+    name = "docs",
+    packages = [
+        "//docs",
+    ],
+)
+
+# TODO(htuch): Grow this to cover everything we want to generate docs for, so we can just invoke
+# bazel build //docs:protos --aspects tools/protodoc/protodoc.bzl%proto_doc_aspect  --output_groups=rst
+proto_library(
+    name = "protos",
+    deps = [
+        "//envoy/api/v2:cds",
+        "//envoy/api/v2:discovery",
+        "//envoy/api/v2:eds",
+        "//envoy/api/v2:lds",
+        "//envoy/api/v2:rds",
+        "//envoy/api/v2/cluster:circuit_breaker",
+        "//envoy/api/v2/cluster:outlier_detection",
+        "//envoy/api/v2/core:protocol",
+        "//envoy/api/v2/listener",
+        "//envoy/api/v2/ratelimit",
+        "//envoy/api/v2/route",
+        "//envoy/config/bootstrap/v2:bootstrap",
+        "//envoy/config/filter/accesslog/v2:accesslog",
+        "//envoy/config/filter/http/buffer/v2:buffer",
+        "//envoy/config/filter/http/ext_authz/v2:ext_authz",
+        "//envoy/config/filter/http/fault/v2:fault",
+        "//envoy/config/filter/http/gzip/v2:gzip",
+        "//envoy/config/filter/http/health_check/v2:health_check",
+        "//envoy/config/filter/http/lua/v2:lua",
+        "//envoy/config/filter/http/rate_limit/v2:rate_limit",
+        "//envoy/config/filter/http/router/v2:router",
+        "//envoy/config/filter/http/squash/v2:squash",
+        "//envoy/config/filter/http/transcoder/v2:transcoder",
+        "//envoy/config/filter/network/client_ssl_auth/v2:client_ssl_auth",
+        "//envoy/config/filter/network/ext_authz/v2:ext_authz",
+        "//envoy/config/filter/network/http_connection_manager/v2:http_connection_manager",
+        "//envoy/config/filter/network/mongo_proxy/v2:mongo_proxy",
+        "//envoy/config/filter/network/rate_limit/v2:rate_limit",
+        "//envoy/config/filter/network/redis_proxy/v2:redis_proxy",
+        "//envoy/config/filter/network/tcp_proxy/v2:tcp_proxy",
+        "//envoy/config/metrics/v2:metrics_service",
+        "//envoy/config/metrics/v2:stats",
+        "//envoy/config/ratelimit/v2:rls",
+        "//envoy/config/trace/v2:trace",
+        "//envoy/service/discovery/v2:ads",
+        "//envoy/service/load_stats/v2:lrs",
+        "//envoy/service/metrics/v2:metrics_service",
+    ],
+)

docs/build.sh

@@ -20,14 +20,18 @@ fi
 
 source "${BUILD_DIR}"/venv/bin/activate
 
-bazel --batch build ${BAZEL_BUILD_OPTIONS} //envoy --aspects \
+bazel --batch build ${BAZEL_BUILD_OPTIONS} //docs:protos --aspects \
   tools/protodoc/protodoc.bzl%proto_doc_aspect --output_groups=rst --action_env=CPROFILE_ENABLED
 
 # These are the protos we want to put in docs, this list will grow.
 # TODO(htuch): Factor this out of this script.
 PROTO_RST="
-  /envoy/api/v2/address/envoy/api/v2/address.proto.rst
-  /envoy/api/v2/base/envoy/api/v2/base.proto.rst
+  /envoy/api/v2/core/address/envoy/api/v2/core/address.proto.rst
+  /envoy/api/v2/core/base/envoy/api/v2/core/base.proto.rst
+  /envoy/api/v2/core/config_source/envoy/api/v2/core/config_source.proto.rst
+  /envoy/api/v2/core/grpc_service/envoy/api/v2/core/grpc_service.proto.rst
+  /envoy/api/v2/core/health_check/envoy/api/v2/core/health_check.proto.rst
+  /envoy/api/v2/core/protocol/envoy/api/v2/core/protocol.proto.rst
   /envoy/api/v2/auth/cert/envoy/api/v2/auth/cert.proto.rst
   /envoy/api/v2/eds/envoy/api/v2/eds.proto.rst
   /envoy/api/v2/endpoint/endpoint/envoy/api/v2/endpoint/endpoint.proto.rst
@@ -38,10 +42,6 @@ PROTO_RST="
   /envoy/api/v2/route/route/envoy/api/v2/route/route.proto.rst
   /envoy/api/v2/lds/envoy/api/v2/lds.proto.rst
   /envoy/api/v2/listener/listener/envoy/api/v2/listener/listener.proto.rst
-  /envoy/api/v2/config_source/envoy/api/v2/config_source.proto.rst
-  /envoy/api/v2/grpc_service/envoy/api/v2/grpc_service.proto.rst
-  /envoy/api/v2/health_check/envoy/api/v2/health_check.proto.rst
-  /envoy/api/v2/protocol/envoy/api/v2/protocol.proto.rst
   /envoy/api/v2/ratelimit/ratelimit/envoy/api/v2/ratelimit/ratelimit.proto.rst
   /envoy/config/bootstrap/v2/bootstrap/envoy/config/bootstrap/v2/bootstrap.proto.rst
   /envoy/api/v2/discovery/envoy/api/v2/discovery.proto.rst
@@ -49,23 +49,23 @@ PROTO_RST="
   /envoy/config/metrics/v2/metrics_service/envoy/config/metrics/v2/metrics_service.proto.rst
   /envoy/config/metrics/v2/stats/envoy/config/metrics/v2/stats.proto.rst
   /envoy/config/trace/v2/trace/envoy/config/trace/v2/trace.proto.rst
-  /envoy/api/v2/filter/accesslog/accesslog/envoy/api/v2/filter/accesslog/accesslog.proto.rst
-  /envoy/api/v2/filter/fault/envoy/api/v2/filter/fault.proto.rst
-  /envoy/api/v2/filter/http/buffer/envoy/api/v2/filter/http/buffer.proto.rst
-  /envoy/api/v2/filter/http/fault/envoy/api/v2/filter/http/fault.proto.rst
-  /envoy/api/v2/filter/http/gzip/envoy/api/v2/filter/http/gzip.proto.rst
-  /envoy/api/v2/filter/http/health_check/envoy/api/v2/filter/http/health_check.proto.rst
-  /envoy/api/v2/filter/http/lua/envoy/api/v2/filter/http/lua.proto.rst
-  /envoy/api/v2/filter/http/rate_limit/envoy/api/v2/filter/http/rate_limit.proto.rst
-  /envoy/api/v2/filter/http/router/envoy/api/v2/filter/http/router.proto.rst
-  /envoy/api/v2/filter/http/squash/envoy/api/v2/filter/http/squash.proto.rst
-  /envoy/api/v2/filter/http/transcoder/envoy/api/v2/filter/http/transcoder.proto.rst
-  /envoy/api/v2/filter/network/client_ssl_auth/envoy/api/v2/filter/network/client_ssl_auth.proto.rst
-  /envoy/api/v2/filter/network/http_connection_manager/envoy/api/v2/filter/network/http_connection_manager.proto.rst
-  /envoy/api/v2/filter/network/mongo_proxy/envoy/api/v2/filter/network/mongo_proxy.proto.rst
-  /envoy/api/v2/filter/network/rate_limit/envoy/api/v2/filter/network/rate_limit.proto.rst
-  /envoy/api/v2/filter/network/redis_proxy/envoy/api/v2/filter/network/redis_proxy.proto.rst
-  /envoy/api/v2/filter/network/tcp_proxy/envoy/api/v2/filter/network/tcp_proxy.proto.rst
+  /envoy/config/filter/accesslog/v2/accesslog/envoy/config/filter/accesslog/v2/accesslog.proto.rst
+  /envoy/config/filter/fault/v2/fault/envoy/config/filter/fault/v2/fault.proto.rst
+  /envoy/config/filter/http/buffer/v2/buffer/envoy/config/filter/http/buffer/v2/buffer.proto.rst
+  /envoy/config/filter/http/fault/v2/fault/envoy/config/filter/http/fault/v2/fault.proto.rst
+  /envoy/config/filter/http/gzip/v2/gzip/envoy/config/filter/http/gzip/v2/gzip.proto.rst
+  /envoy/config/filter/http/health_check/v2/health_check/envoy/config/filter/http/health_check/v2/health_check.proto.rst
+  /envoy/config/filter/http/lua/v2/lua/envoy/config/filter/http/lua/v2/lua.proto.rst
+  /envoy/config/filter/http/rate_limit/v2/rate_limit/envoy/config/filter/http/rate_limit/v2/rate_limit.proto.rst
+  /envoy/config/filter/http/router/v2/router/envoy/config/filter/http/router/v2/router.proto.rst
+  /envoy/config/filter/http/squash/v2/squash/envoy/config/filter/http/squash/v2/squash.proto.rst
+  /envoy/config/filter/http/transcoder/v2/transcoder/envoy/config/filter/http/transcoder/v2/transcoder.proto.rst
+  /envoy/config/filter/network/client_ssl_auth/v2/client_ssl_auth/envoy/config/filter/network/client_ssl_auth/v2/client_ssl_auth.proto.rst
+  /envoy/config/filter/network/http_connection_manager/v2/http_connection_manager/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto.rst
+  /envoy/config/filter/network/mongo_proxy/v2/mongo_proxy/envoy/config/filter/network/mongo_proxy/v2/mongo_proxy.proto.rst
+  /envoy/config/filter/network/rate_limit/v2/rate_limit/envoy/config/filter/network/rate_limit/v2/rate_limit.proto.rst
+  /envoy/config/filter/network/redis_proxy/v2/redis_proxy/envoy/config/filter/network/redis_proxy/v2/redis_proxy.proto.rst
+  /envoy/config/filter/network/tcp_proxy/v2/tcp_proxy/envoy/config/filter/network/tcp_proxy/v2/tcp_proxy.proto.rst
 "
 
 # Dump all the generated RST so they can be added to PROTO_RST easily.

docs/root/api-v2/api.rst

@@ -8,8 +8,8 @@ v2 API reference
   :maxdepth: 2
 
   config/bootstrap/v2/bootstrap.proto
-  api/v2/config_source.proto
-  api/v2/grpc_service.proto
+  api/v2/core/config_source.proto
+  api/v2/core/grpc_service.proto
   api/v2/lds.proto
   api/v2/listener/listener.proto
   api/v2/cds.proto
@@ -17,17 +17,17 @@ v2 API reference
   api/v2/cluster/circuit_breaker.proto
   api/v2/endpoint/endpoint.proto
   api/v2/eds.proto
-  api/v2/health_check.proto
+  api/v2/core/health_check.proto
   api/v2/route/route.proto
   api/v2/rds.proto
   api/v2/auth/cert.proto
   config/metrics/v2/stats.proto
   config/metrics/v2/metrics_service.proto
   config/trace/v2/trace.proto
-  api/v2/base.proto
-  api/v2/address.proto
-  api/v2/protocol.proto
+  api/v2/core/base.proto
+  api/v2/core/address.proto
+  api/v2/core/protocol.proto
   api/v2/discovery.proto
   api/v2/ratelimit/ratelimit.proto
   config/ratelimit/v2/rls.proto
-  api/v2/filter/filter
+  config/filter/filter

docs/root/api-v2/config/filter/filter.rst

@@ -7,5 +7,5 @@ Filters
 
   network/network
   http/http
-  accesslog/accesslog.proto
-  fault.proto
+  accesslog/v2/accesslog.proto
+  fault/v2/fault.proto

docs/root/api-v2/config/filter/http/http.rst

@@ -5,4 +5,4 @@ HTTP filters
   :glob:
   :maxdepth: 2
 
-  *
+  */v2/*

docs/root/api-v2/config/filter/network/network.rst

@@ -5,4 +5,4 @@ Network filters
   :glob:
   :maxdepth: 2
 
-  *
+  */v2/*

docs/root/configuration/access_log.rst

@@ -10,7 +10,7 @@ Access logs are configured as part of the :ref:`HTTP connection manager config
 <config_http_conn_man>` or :ref:`TCP Proxy <config_network_filters_tcp_proxy>`.
 
 * :ref:`v1 API reference <config_access_log_v1>`
-* :ref:`v2 API reference <envoy_api_msg_filter.accesslog.AccessLog>`
+* :ref:`v2 API reference <envoy_api_msg_config.filter.accesslog.v2.AccessLog>`
 
 .. _config_access_log_format:
 

docs/root/configuration/cluster_manager/cluster_hc.rst

@@ -7,7 +7,7 @@ Health checking
 * If health checking is configured for a cluster, additional statistics are emitted. They are
   documented :ref:`here <config_cluster_manager_cluster_stats>`.
 * :ref:`v1 API documentation <config_cluster_manager_cluster_hc_v1>`.
-* :ref:`v2 API documentation <envoy_api_msg_HealthCheck>`.
+* :ref:`v2 API documentation <envoy_api_msg_core.HealthCheck>`.
 
 .. _config_cluster_manager_cluster_hc_tcp_health_checking:
 

docs/root/configuration/http_conn_man/headers.rst

@@ -205,7 +205,7 @@ following features are available:
 
 * Stable :ref:`access logging <config_access_log>` via the
   :ref:`v1 API runtime filter<config_http_con_manager_access_log_filters_runtime_v1>` or the
-  :ref:`v2 API runtime filter<envoy_api_field_filter.accesslog.AccessLogFilter.runtime_filter>`.
+  :ref:`v2 API runtime filter<envoy_api_field_config.filter.accesslog.v2.AccessLogFilter.runtime_filter>`.
 * Stable tracing when performing random sampling via the :ref:`tracing.random_sampling
   <config_http_conn_man_runtime_random_sampling>` runtime setting or via forced tracing using the
   :ref:`config_http_conn_man_headers_x-envoy-force-trace` and

docs/root/configuration/http_conn_man/http_conn_man.rst

@@ -6,7 +6,7 @@ HTTP connection manager
 * HTTP connection manager :ref:`architecture overview <arch_overview_http_conn_man>`
 * HTTP protocols :ref:`architecture overview <arch_overview_http_protocols>`
 * :ref:`v1 API reference <config_network_filters_http_conn_man_v1>`
-* :ref:`v2 API reference <envoy_api_msg_filter.network.HttpConnectionManager>`
+* :ref:`v2 API reference <envoy_api_msg_config.filter.network.http_connection_manager.v2.HttpConnectionManager>`
 
 .. toctree::
   :hidden:

docs/root/configuration/http_filters/buffer_filter.rst

@@ -8,7 +8,7 @@ This is useful in different situations including protecting some applications fr
 with partial requests and high network latency.
 
 * :ref:`v1 API reference <config_http_filters_buffer_v1>`
-* :ref:`v2 API reference <envoy_api_msg_filter.http.Buffer>`
+* :ref:`v2 API reference <envoy_api_msg_config.filter.http.buffer.v2.Buffer>`
 
 Statistics
 ----------

docs/root/configuration/http_filters/cors_filter.rst

@@ -9,4 +9,4 @@ For the meaning of the headers please refer to the pages below.
 - https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
 - https://www.w3.org/TR/cors/
 - :ref:`v1 API reference <config_http_filters_cors_v1>`
-- :ref:`v2 API reference <envoy_api_field_filter.network.HttpFilter.name>`
+- :ref:`v2 API reference <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpFilter.name>`

docs/root/configuration/http_filters/dynamodb_filter.rst

@@ -5,7 +5,7 @@ DynamoDB
 
 * DynamoDB :ref:`architecture overview <arch_overview_dynamo>`
 * :ref:`v1 API reference <config_http_filters_dynamo_v1>`
-* :ref:`v2 API reference <envoy_api_field_filter.network.HttpFilter.name>`
+* :ref:`v2 API reference <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpFilter.name>`
 
 Statistics
 ----------

docs/root/configuration/http_filters/fault_filter.rst

@@ -34,7 +34,7 @@ Configuration
   including the router filter.
 
 * :ref:`v1 API reference <config_http_filters_fault_injection_v1>`
-* :ref:`v2 API reference <envoy_api_msg_filter.http.HTTPFault>`
+* :ref:`v2 API reference <envoy_api_msg_config.filter.http.fault.v2.HTTPFault>`
 
 Runtime
 -------

docs/root/configuration/http_filters/grpc_http1_bridge_filter.rst

@@ -5,7 +5,7 @@ gRPC HTTP/1.1 bridge
 
 * gRPC :ref:`architecture overview <arch_overview_grpc>`
 * :ref:`v1 API reference <config_http_filters_grpc_bridge_v1>`
-* :ref:`v2 API reference <envoy_api_field_filter.network.HttpFilter.name>`
+* :ref:`v2 API reference <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpFilter.name>`
 
 This is a simple filter which enables the bridging of an HTTP/1.1 client which does not support
 response trailers to a compliant gRPC server. It works by doing the following:

docs/root/configuration/http_filters/grpc_json_transcoder_filter.rst

@@ -5,7 +5,7 @@ gRPC-JSON transcoder
 
 * gRPC :ref:`architecture overview <arch_overview_grpc>`
 * :ref:`v1 API reference <config_http_filters_grpc_json_transcoder_v1>`
-* :ref:`v2 API reference <envoy_api_msg_filter.http.GrpcJsonTranscoder>`
+* :ref:`v2 API reference <envoy_api_msg_config.filter.http.transcoder.v2.GrpcJsonTranscoder>`
 
 This is a filter which allows a RESTful JSON API client to send requests to Envoy over HTTP
 and get proxied to a gRPC service. The HTTP mapping for the gRPC service has to be defined by

docs/root/configuration/http_filters/grpc_web_filter.rst

@@ -5,7 +5,7 @@ gRPC-Web
 
 * gRPC :ref:`architecture overview <arch_overview_grpc>`
 * :ref:`v1 API reference <config_http_filters_grpc_web_v1>`
-* :ref:`v2 API reference <envoy_api_field_filter.network.HttpFilter.name>`
+* :ref:`v2 API reference <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpFilter.name>`
 
 This is a filter which enables the bridging of a gRPC-Web client to a compliant gRPC server by
 following https://github.com/grpc/grpc/blob/master/doc/PROTOCOL-WEB.md.

docs/root/configuration/http_filters/gzip_filter.rst

@@ -9,7 +9,7 @@ compromising the response time.
 
 Configuration
 -------------
-* :ref:`v2 API reference <envoy_api_msg_filter.http.Gzip>`
+* :ref:`v2 API reference <envoy_api_msg_config.filter.http.gzip.v2.Gzip>`
 
 .. attention::
 

docs/root/configuration/http_filters/health_check_filter.rst

@@ -5,7 +5,7 @@ Health check
 
 * Health check filter :ref:`architecture overview <arch_overview_health_checking_filter>`
 * :ref:`v1 API reference <config_http_filters_health_check_v1>`
-* :ref:`v2 API reference <envoy_api_msg_filter.http.HealthCheck>`
+* :ref:`v2 API reference <envoy_api_msg_config.filter.http.health_check.v2.HealthCheck>`
 
 .. note::
 

docs/root/configuration/http_filters/lua_filter.rst

@@ -62,7 +62,7 @@ Configuration
 -------------
 
 * :ref:`v1 API reference <config_http_filters_lua_v1>`
-* :ref:`v2 API reference <envoy_api_msg_filter.http.Lua>`
+* :ref:`v2 API reference <envoy_api_msg_config.filter.http.lua.v2.Lua>`
 
 Script examples
 ---------------

docs/root/configuration/http_filters/rate_limit_filter.rst

@@ -5,7 +5,7 @@ Rate limit
 
 * Global rate limiting :ref:`architecture overview <arch_overview_rate_limit>`
 * :ref:`v1 API reference <config_http_filters_rate_limit_v1>`
-* :ref:`v2 API reference <envoy_api_msg_filter.http.RateLimit>`
+* :ref:`v2 API reference <envoy_api_msg_config.filter.http.rate_limit.v2.RateLimit>`
 
 The HTTP rate limit filter will call the rate limit service when the request's route or virtual host
 has one or more :ref:`rate limit configurations<config_http_conn_man_route_table_route_rate_limits>`

docs/root/configuration/http_filters/router_filter.rst

@@ -9,7 +9,7 @@ configured :ref:`route table <config_http_conn_man_route_table>`. In addition to
 redirection, the filter also handles retry, statistics, etc.
 
 * :ref:`v1 API reference <config_http_filters_router_v1>`
-* :ref:`v2 API reference <envoy_api_msg_filter.http.Router>`
+* :ref:`v2 API reference <envoy_api_msg_config.filter.http.router.v2.Router>`
 
 .. _config_http_filters_router_headers:
 

docs/root/configuration/http_filters/squash_filter.rst

@@ -21,7 +21,7 @@ Configuration
 -------------
 
 * :ref:`v1 API reference <config_http_filters_squash_v1>`
-* :ref:`v2 API reference <envoy_api_msg_filter.http.Squash>`
+* :ref:`v2 API reference <envoy_api_msg_config.filter.http.squash.v2.Squash>`
 
 How it works
 ------------

docs/root/configuration/network_filters/client_ssl_auth_filter.rst

@@ -5,7 +5,7 @@ Client TLS authentication
 
 * Client TLS authentication filter :ref:`architecture overview <arch_overview_ssl_auth_filter>`
 * :ref:`v1 API reference <config_network_filters_client_ssl_auth_v1>`
-* :ref:`v2 API reference <envoy_api_msg_filter.network.ClientSslAuth>`
+* :ref:`v2 API reference <envoy_api_msg_config.filter.network.client_ssl_auth.v2.ClientSslAuth>`
 
 .. _config_network_filters_client_ssl_auth_stats:
 

docs/root/configuration/network_filters/mongo_proxy_filter.rst

@@ -5,7 +5,7 @@ Mongo proxy
 
 - MongoDB :ref:`architecture overview <arch_overview_mongo>`
 - :ref:`v1 API reference <config_network_filters_mongo_proxy_v1>`
-- :ref:`v2 API reference <envoy_api_msg_filter.network.MongoProxy>`
+- :ref:`v2 API reference <envoy_api_msg_config.filter.network.mongo_proxy.v2.MongoProxy>`
 
 .. _config_network_filters_mongo_proxy_fault_injection:
 

docs/root/configuration/network_filters/rate_limit_filter.rst

@@ -5,7 +5,7 @@ Rate limit
 
 * Global rate limiting :ref:`architecture overview <arch_overview_rate_limit>`
 * :ref:`v1 API reference <config_network_filters_rate_limit_v1>`
-* :ref:`v2 API reference <envoy_api_msg_filter.network.RateLimit>`
+* :ref:`v2 API reference <envoy_api_msg_config.filter.network.rate_limit.v2.RateLimit>`
 
 .. _config_network_filters_rate_limit_stats:
 

docs/root/configuration/network_filters/redis_proxy_filter.rst

@@ -5,7 +5,7 @@ Redis proxy
 
 * Redis :ref:`architecture overview <arch_overview_redis>`
 * :ref:`v1 API reference <config_network_filters_redis_proxy_v1>`
-* :ref:`v2 API reference <envoy_api_msg_filter.network.RedisProxy>`
+* :ref:`v2 API reference <envoy_api_msg_config.filter.network.redis_proxy.v2.RedisProxy>`
 
 .. _config_network_filters_redis_proxy_stats:
 

docs/root/configuration/network_filters/tcp_proxy_filter.rst

@@ -5,7 +5,7 @@ TCP proxy
 
 * TCP proxy :ref:`architecture overview <arch_overview_tcp_proxy>`
 * :ref:`v1 API reference <config_network_filters_tcp_proxy_v1>`
-* :ref:`v2 API reference <envoy_api_msg_filter.network.TcpProxy>`
+* :ref:`v2 API reference <envoy_api_msg_config.filter.network.tcp_proxy.v2.TcpProxy>`
 
 .. _config_network_filters_tcp_proxy_stats:
 

docs/root/configuration/overview/v2_overview.rst

@@ -368,8 +368,8 @@ for the service definition. This is used by Envoy as a client when
         cluster_names: [some_xds_cluster]
 
 is set in the :ref:`rds
-<envoy_api_field_filter.network.HttpConnectionManager.rds>` field of the :ref:`HttpConnectionManager
-<envoy_api_msg_filter.network.HttpConnectionManager>` config.
+<envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.rds>` field of the :ref:`HttpConnectionManager
+<envoy_api_msg_config.filter.network.http_connection_manager.v2.HttpConnectionManager>` config.
 
 REST endpoints
 ^^^^^^^^^^^^^^
@@ -440,8 +440,8 @@ for the service definition. This is used by Envoy as a client when
         cluster_names: [some_xds_cluster]
 
 is set in the :ref:`rds
-<envoy_api_field_filter.network.HttpConnectionManager.rds>` field of the :ref:`HttpConnectionManager
-<envoy_api_msg_filter.network.HttpConnectionManager>` config.
+<envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.rds>` field of the :ref:`HttpConnectionManager
+<envoy_api_msg_config.filter.network.http_connection_manager.v2.HttpConnectionManager>` config.
 
 .. _config_overview_v2_ads:
 

docs/root/intro/arch_overview/grpc.rst

@@ -37,8 +37,8 @@ control plane, where it :ref:`fetches configuration from management server(s)
 *gRPC services*.
 
 When specifying gRPC services, it's necessary to specify the use of either the
-:ref:`Envoy gRPC client <envoy_api_field_GrpcService.envoy_grpc>` or the
-:ref:`Google C++ gRPC client <envoy_api_field_GrpcSErvice.google_grpc>`. We
+:ref:`Envoy gRPC client <envoy_api_field_core.GrpcService.envoy_grpc>` or the
+:ref:`Google C++ gRPC client <envoy_api_field_core.GrpcSErvice.google_grpc>`. We
 discuss the tradeoffs in this choice below.
 
 The Envoy gRPC client is a minimal custom implementation of gRPC that makes use

docs/root/intro/arch_overview/health_checking.rst

@@ -46,7 +46,7 @@ operation:
   Envoy will respond with a 200 or a 503 depending on the current draining state of the server.
 * **No pass through, computed from upstream cluster health**: In this mode, the health checking
   filter will return a 200 or a 503 depending on whether at least a :ref:`specified percentage
-  <envoy_api_field_filter.http.HealthCheck.cluster_min_healthy_percentages>` of the
+  <envoy_api_field_config.filter.http.health_check.v2.HealthCheck.cluster_min_healthy_percentages>` of the
   servers are healthy in one or more upstream clusters. (If the Envoy server is in a draining
   state, though, it will respond with a 503 regardless of the upstream cluster health.)
 * **Pass through**: In this mode, Envoy will pass every health check request to the local service.

docs/root/intro/version_history.rst

@@ -15,7 +15,7 @@ Version history
 * cors: added :ref:`CORS filter <config_http_filters_cors>`.
 * health check: added :ref:`x-envoy-immediate-health-check-fail
   <config_http_filters_router_x-envoy-immediate-health-check-fail>` header support.
-* health check: added :ref:`reuse_connection <envoy_api_field_HealthCheck.reuse_connection>` option.
+* health check: added :ref:`reuse_connection <envoy_api_field_core.HealthCheck.reuse_connection>` option.
 * http: added :ref:`per-listener stats <config_http_conn_man_stats_per_listener>`.
 * http: end-to-end HTTP flow control is now complete across both connections, streams, and filters.
 * load balancer: added :ref:`subset load balancer <arch_overview_load_balancer_subsets>`.
@@ -41,9 +41,9 @@ Version history
 * router: added :ref:`downstream IP hashing
   <envoy_api_field_route.RouteAction.HashPolicy.connection_properties>` for HTTP ketama routing.
 * router: added :ref:`cookie hashing <envoy_api_field_route.RouteAction.HashPolicy.cookie>`.
-* router: added :ref:`start_child_span <envoy_api_field_filter.http.Router.start_child_span>` option
+* router: added :ref:`start_child_span <envoy_api_field_config.filter.http.router.v2.Router.start_child_span>` option
   to create child span for egress calls.
-* router: added optional :ref:`upstream logs <envoy_api_field_filter.http.Router.upstream_log>`.
+* router: added optional :ref:`upstream logs <envoy_api_field_config.filter.http.router.v2.Router.upstream_log>`.
 * router: added complete :ref:`custom append/override/remove support
   <config_http_conn_man_headers_custom_request_headers>` of request/response headers.
 * router: added support to :ref:`specify response code during redirect
@@ -54,9 +54,9 @@ Version history
 * server: change default log level (:option:`-l`) to `info`.
 * stats: maximum stat/name sizes and maximum number of stats are now variable via the
   :option:`--max-obj-name-len` and :option:`--max-stats` options.
-* tcp proxy: added :ref:`access logging <envoy_api_field_filter.network.TcpProxy.access_log>`.
+* tcp proxy: added :ref:`access logging <envoy_api_field_config.filter.network.tcp_proxy.v2.TcpProxy.access_log>`.
 * tcp proxy: added :ref:`configurable connect retries
-  <envoy_api_field_filter.network.TcpProxy.max_connect_attempts>`.
+  <envoy_api_field_config.filter.network.tcp_proxy.v2.TcpProxy.max_connect_attempts>`.
 * tcp proxy: enable use of :ref:`outlier detector <arch_overview_outlier_detection>`.
 * tls: added :ref:`SNI support <faq_how_to_setup_sni>`.
 * tls: added support for specifying :ref:`TLS session ticket keys

docs/root/operations/cli.rst

@@ -91,7 +91,7 @@ following are the command line options that Envoy supports.
   *(optional)* Defines the local service cluster name where Envoy is running. The
   local service cluster name is first sourced from the :ref:`Bootstrap node
   <envoy_api_field_config.bootstrap.v2.Bootstrap.node>` message's :ref:`cluster
-  <envoy_api_field_Node.cluster>` field. This CLI option provides an alternative
+  <envoy_api_field_core.Node.cluster>` field. This CLI option provides an alternative
   method for specifying this value and will override any value set in bootstrap
   configuration. It should be set if any of the following features are used:
   :ref:`statsd <arch_overview_statistics>`, :ref:`health check cluster
@@ -108,7 +108,7 @@ following are the command line options that Envoy supports.
   *(optional)* Defines the local service node name where Envoy is running. The
   local service node name is first sourced from the :ref:`Bootstrap node
   <envoy_api_field_config.bootstrap.v2.Bootstrap.node>` message's :ref:`id
-  <envoy_api_field_Node.id>` field. This CLI option provides an alternative
+  <envoy_api_field_core.Node.id>` field. This CLI option provides an alternative
   method for specifying this value and will override any value set in bootstrap
   configuration. It should be set if any of the following features are used:
   :ref:`statsd <arch_overview_statistics>`, :ref:`CDS
@@ -121,7 +121,7 @@ following are the command line options that Envoy supports.
   *(optional)* Defines the local service zone where Envoy is running. The local
   service zone is first sourced from the :ref:`Bootstrap node
   <envoy_api_field_config.bootstrap.v2.Bootstrap.node>` message's :ref:`locality.zone
-  <envoy_api_field_Locality.zone>` field. This CLI option provides an
+  <envoy_api_field_core.Locality.zone>` field. This CLI option provides an
   alternative method for specifying this value and will override any value set
   in bootstrap configuration. It should be set if discovery service routing is
   used and the discovery service exposes :ref:`zone data

envoy/BUILD

@@ -1,27 +0,0 @@
-licenses(["notice"])  # Apache 2
-
-# TODO(htuch): Grow this to cover everything we want to generate docs for, so we can just invoke
-# bazel build //envoy/api --aspects tools/protodoc/protodoc.bzl%proto_doc_aspect  --output_groups=rst
-proto_library(
-    name = "envoy",
-    deps = [
-        "//envoy/api/v2",
-        "//envoy/api/v2:cds",
-        "//envoy/api/v2/cluster:circuit_breaker",
-        "//envoy/api/v2/cluster:outlier_detection",
-        "//envoy/api/v2/filter/accesslog",
-        "//envoy/api/v2/filter/http",
-        "//envoy/api/v2/filter/network",
-        "//envoy/api/v2/listener",
-        "//envoy/api/v2/ratelimit",
-        "//envoy/api/v2/route",
-        "//envoy/config/bootstrap/v2:bootstrap",
-        "//envoy/config/metrics/v2:metrics_service",
-        "//envoy/config/metrics/v2:stats",
-        "//envoy/config/ratelimit/v2:rls",
-        "//envoy/config/trace/v2:trace",
-        "//envoy/service/discovery/v2:ads",
-        "//envoy/service/load_stats",
-        "//envoy/service/metrics",
-    ],
-)

envoy/api/v2/BUILD

@@ -2,100 +2,41 @@ load("//bazel:api_build_system.bzl", "api_proto_library", "api_go_proto_library"
 
 licenses(["notice"])  # Apache 2
 
-api_proto_library(
-    name = "address",
-    srcs = ["address.proto"],
-)
-
-api_go_proto_library(
-    name = "address",
-    proto = ":address",
-)
-
-api_proto_library(
-    name = "base",
-    srcs = ["base.proto"],
-)
-
-api_go_proto_library(
-    name = "base",
-    proto = ":base",
-    deps = [":address_go_proto"],
-)
-
-api_proto_library(
-    name = "health_check",
-    srcs = ["health_check.proto"],
-    deps = [":base"],
-)
-
-api_go_proto_library(
-    name = "health_check",
-    proto = ":health_check",
-    deps = [":base_go_proto"],
-)
-
-api_proto_library(
-    name = "config_source",
-    srcs = ["config_source.proto"],
-    deps = [
-        ":base",
-        ":grpc_service",
-    ],
-)
-
-api_go_proto_library(
-    name = "config_source",
-    proto = ":config_source",
-    deps = [
-        ":base_go_proto",
-        ":grpc_service_go_proto",
+# Friends of core API packages - filters, services, service configs.
+# Package //envoy/api/v2 contains xDS and discovery definitions that should
+# be in //envoy/service/discovery, but remain here for backwards compatibility.
+package_group(
+    name = "friends",
+    packages = [
+        "//envoy/api/v2",
+        "//envoy/config/...",
+        "//envoy/service/...",
     ],
 )
 
-api_proto_library(
-    name = "grpc_service",
-    srcs = ["grpc_service.proto"],
-    deps = [":base"],
-)
-
-api_go_proto_library(
-    name = "grpc_service",
-    proto = ":grpc_service",
-    deps = [":base_go_proto"],
-)
-
-api_proto_library(
-    name = "protocol",
-    srcs = ["protocol.proto"],
-)
-
-api_go_proto_library(
-    name = "protocol",
-    proto = ":protocol",
-)
-
 api_proto_library(
     name = "discovery",
     srcs = ["discovery.proto"],
-    deps = ["//envoy/api/v2:base"],
+    visibility = [":friends"],
+    deps = ["//envoy/api/v2/core:base"],
 )
 
 api_go_proto_library(
     name = "discovery",
     proto = ":discovery",
-    deps = ["//envoy/api/v2:base_go_proto"],
+    deps = ["//envoy/api/v2/core:base_go_proto"],
 )
 
 api_proto_library(
     name = "eds",
     srcs = ["eds.proto"],
     has_services = 1,
+    visibility = [":friends"],
     deps = [
-        ":address",
-        ":base",
         ":discovery",
-        ":health_check",
+        "//envoy/api/v2/core:address",
+        "//envoy/api/v2/core:base",
+        "//envoy/api/v2/core:health_check",
         "//envoy/api/v2/endpoint",
     ],
 )
@@ -104,10 +45,10 @@ api_go_grpc_library(
     name = "eds",
     proto = ":eds",
     deps = [
-        ":address_go_proto",
-        ":base_go_proto",
         ":discovery_go_proto",
-        ":health_check_go_proto",
+        "//envoy/api/v2/core:address_go_proto",
+        "//envoy/api/v2/core:base_go_proto",
+        "//envoy/api/v2/core:health_check_go_proto",
         "//envoy/api/v2/endpoint:endpoint_go_proto",
     ],
 )
@@ -116,16 +57,17 @@ api_proto_library(
     name = "cds",
     srcs = ["cds.proto"],
     has_services = 1,
+    visibility = [":friends"],
     deps = [
-        ":address",
-        ":base",
-        ":config_source",
         ":discovery",
-        ":health_check",
-        ":protocol",
         "//envoy/api/v2/auth:cert",
         "//envoy/api/v2/cluster:circuit_breaker",
         "//envoy/api/v2/cluster:outlier_detection",
+        "//envoy/api/v2/core:address",
+        "//envoy/api/v2/core:base",
+        "//envoy/api/v2/core:config_source",
+        "//envoy/api/v2/core:health_check",
+        "//envoy/api/v2/core:protocol",
     ],
 )
 
@@ -133,15 +75,15 @@ api_go_grpc_library(
     name = "cds",
     proto = ":cds",
     deps = [
-        ":base_go_proto",
-        ":config_source_go_proto",
         ":discovery_go_proto",
-        ":health_check_go_proto",
-        ":protocol_go_proto",
-        "//envoy/api/v2:address_go_proto",
         "//envoy/api/v2/auth:cert_go_proto",
         "//envoy/api/v2/cluster:circuit_breaker_go_proto",
         "//envoy/api/v2/cluster:outlier_detection_go_proto",
+        "//envoy/api/v2/core:address_go_proto",
+        "//envoy/api/v2/core:base_go_proto",
+        "//envoy/api/v2/core:config_source_go_proto",
+        "//envoy/api/v2/core:health_check_go_proto",
+        "//envoy/api/v2/core:protocol_go_proto",
     ],
 )
 
@@ -149,10 +91,11 @@ api_proto_library(
     name = "lds",
     srcs = ["lds.proto"],
     has_services = 1,
+    visibility = [":friends"],
     deps = [
-        ":address",
-        ":base",
         ":discovery",
+        "//envoy/api/v2/core:address",
+        "//envoy/api/v2/core:base",
         "//envoy/api/v2/listener",
     ],
 )
@@ -161,9 +104,9 @@ api_go_grpc_library(
     name = "lds",
     proto = ":lds",
     deps = [
-        ":address_go_proto",
-        ":base_go_proto",
         ":discovery_go_proto",
+        "//envoy/api/v2/core:address_go_proto",
+        "//envoy/api/v2/core:base_go_proto",
         "//envoy/api/v2/listener:listener_go_proto",
     ],
 )
@@ -172,9 +115,10 @@ api_proto_library(
     name = "rds",
     srcs = ["rds.proto"],
     has_services = 1,
+    visibility = [":friends"],
     deps = [
-        ":base",
         ":discovery",
+        "//envoy/api/v2/core:base",
         "//envoy/api/v2/route",
     ],
 )
@@ -183,21 +127,8 @@ api_go_grpc_library(
     name = "rds",
     proto = ":rds",
     deps = [
-        ":base_go_proto",
         ":discovery_go_proto",
+        "//envoy/api/v2/core:base_go_proto",
         "//envoy/api/v2/route:route_go_proto",
     ],
 )
-
-proto_library(
-    name = "v2",
-    visibility = ["//envoy:__pkg__"],
-    deps = [
-        ":cds",
-        ":discovery",
-        ":eds",
-        ":lds",
-        ":protocol",
-        ":rds",
-    ],
-)

envoy/api/v2/README.md

@@ -1 +1,9 @@
-Protocol buffer definitions for core API messages.
+Protocol buffer definitions for xDS and top-level resource API messages.
+
+Package group `//envoy/api/v2:friends` enumerates all consumers of the shared
+API messages. That includes package envoy.api.v2 itself, which contains several
+xDS definitions. Default visibility for all shared definitions should be set to
+`//envoy/api/v2:friends`.
+
+Additionally, packages envoy.api.v2.core and envoy.api.v2.auth are also
+consumed throughout the subpackages of `//envoy/api/v2`.

envoy/api/v2/auth/BUILD

@@ -2,9 +2,23 @@ load("//bazel:api_build_system.bzl", "api_proto_library", "api_go_proto_library"
 
 licenses(["notice"])  # Apache 2
 
+package_group(
+    name = "friends",
+    includes = [
+        "//envoy/api/v2:friends",
+    ],
+    packages = [
+        "//envoy/api/v2/cluster",
+        "//envoy/api/v2/endpoint",
+        "//envoy/api/v2/listener",
+        "//envoy/api/v2/route",
+    ],
+)
+
 api_proto_library(
     name = "auth",
     srcs = ["auth.proto"],
+    visibility = [":friends"],
     deps = [
         ":cert",
     ],
@@ -21,9 +35,10 @@ api_go_proto_library(
 api_proto_library(
     name = "cert",
     srcs = ["cert.proto"],
+    visibility = [":friends"],
     deps = [
-        "//envoy/api/v2:base",
-        "//envoy/api/v2:config_source",
+        "//envoy/api/v2/core:base",
+        "//envoy/api/v2/core:config_source",
     ],
 )
 
@@ -31,7 +46,7 @@ api_go_proto_library(
     name = "cert",
     proto = ":cert",
     deps = [
-        "//envoy/api/v2:base_go_proto",
-        "//envoy/api/v2:config_source_go_proto",
+        "//envoy/api/v2/core:base_go_proto",
+        "//envoy/api/v2/core:config_source_go_proto",
     ],
 )

envoy/api/v2/auth/auth.proto

@@ -7,6 +7,10 @@ option go_package = "auth";
 
 import "envoy/api/v2/auth/cert.proto";
 
+import "gogoproto/gogo.proto";
+
+option (gogoproto.equal_all) = true;
+
 message AuthAction {
   // Should we do white-list or black-list style access control.
   enum ActionType {

envoy/api/v2/auth/cert.proto

@@ -2,12 +2,15 @@ syntax = "proto3";
 
 package envoy.api.v2.auth;
 
-import "envoy/api/v2/base.proto";
-import "envoy/api/v2/config_source.proto";
+import "envoy/api/v2/core/base.proto";
+import "envoy/api/v2/core/config_source.proto";
 
 import "google/protobuf/wrappers.proto";
 
 import "validate/validate.proto";
+import "gogoproto/gogo.proto";
+
+option (gogoproto.equal_all) = true;
 
 // [#protodoc-title: Common TLS configuration]
 
@@ -70,19 +73,19 @@ message TlsParameters {
 
 message TlsCertificate {
   // The TLS certificate chain.
-  DataSource certificate_chain = 1;
+  core.DataSource certificate_chain = 1;
 
   // The TLS private key.
-  DataSource private_key = 2;
+  core.DataSource private_key = 2;
 
   // [#not-implemented-hide:]
-  DataSource password = 3;
+  core.DataSource password = 3;
 
   // [#not-implemented-hide:]
-  DataSource ocsp_staple = 4;
+  core.DataSource ocsp_staple = 4;
 
   // [#not-implemented-hide:]
-  repeated DataSource signed_certificate_timestamp = 5;
+  repeated core.DataSource signed_certificate_timestamp = 5;
 }
 
 message TlsSessionTicketKeys {
@@ -109,7 +112,7 @@ message TlsSessionTicketKeys {
   //   * Keep the session ticket keys at least as secure as your TLS certificate private keys
   //   * Rotate session ticket keys at least daily, and preferably hourly
   //   * Always generate keys using a cryptographically-secure random data source
-  repeated DataSource keys = 1 [(validate.rules).repeated .min_items = 1];
+  repeated core.DataSource keys = 1 [(validate.rules).repeated .min_items = 1];
 }
 
 message CertificateValidationContext {
@@ -127,7 +130,7 @@ message CertificateValidationContext {
   //
   // See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common
   // system CA locations.
-  DataSource trusted_ca = 1;
+  core.DataSource trusted_ca = 1;
 
   // If specified, Envoy will verify (pin) the hex-encoded SHA-256 hash of
   // the presented certificate.
@@ -154,7 +157,7 @@ message CertificateValidationContext {
   // (in PEM format). If specified, Envoy will verify that the presented peer
   // certificate has not been revoked by this CRL. If this DataSource contains
   // multiple CRLs, all of them will be used.
-  DataSource crl = 7;
+  core.DataSource crl = 7;
 }
 
 // TLS context shared by both client and server TLS contexts.
@@ -235,7 +238,7 @@ message SdsSecretConfig {
   // When both name and config are specified, then secret can be fetched and/or reloaded via SDS.
   // When only name is specified, then secret will be loaded from static resources [V2-API-DIFF].
   string name = 1;
-  ConfigSource sds_config = 2;
+  core.ConfigSource sds_config = 2;
 }
 
 // [#proto-status: experimental]

envoy/api/v2/cds.proto

@@ -2,13 +2,13 @@ syntax = "proto3";
 
 package envoy.api.v2;
 
-import "envoy/api/v2/address.proto";
+import "envoy/api/v2/core/address.proto";
 import "envoy/api/v2/auth/cert.proto";
-import "envoy/api/v2/base.proto";
-import "envoy/api/v2/config_source.proto";
+import "envoy/api/v2/core/base.proto";
+import "envoy/api/v2/core/config_source.proto";
 import "envoy/api/v2/discovery.proto";
-import "envoy/api/v2/health_check.proto";
-import "envoy/api/v2/protocol.proto";
+import "envoy/api/v2/core/health_check.proto";
+import "envoy/api/v2/core/protocol.proto";
 import "envoy/api/v2/cluster/circuit_breaker.proto";
 import "envoy/api/v2/cluster/outlier_detection.proto";
 
@@ -20,6 +20,8 @@ import "google/protobuf/wrappers.proto";
 import "validate/validate.proto";
 import "gogoproto/gogo.proto";
 
+option (gogoproto.equal_all) = true;
+
 // Return list of all clusters this proxy will load balance to.
 service ClusterDiscoveryService {
   rpc StreamClusters(stream DiscoveryRequest) returns (stream DiscoveryResponse) {
@@ -78,7 +80,7 @@ message Cluster {
   // Only valid when discovery type is EDS.
   message EdsClusterConfig {
     // Configuration for the source of EDS updates for this Cluster.
-    ConfigSource eds_config = 1;
+    core.ConfigSource eds_config = 1;
 
     // Optional alternative to cluster name to present to EDS. This does not
     // have the same restrictions as cluster name, i.e. it may be arbitrary
@@ -137,13 +139,13 @@ message Cluster {
   // :ref:`STRICT_DNS<envoy_api_enum_value_Cluster.DiscoveryType.STRICT_DNS>`
   // or :ref:`LOGICAL_DNS<envoy_api_enum_value_Cluster.DiscoveryType.LOGICAL_DNS>`,
   // then hosts is required.
-  repeated Address hosts = 7;
+  repeated core.Address hosts = 7;
 
   // Optional :ref:`active health checking <arch_overview_health_checking>`
   // configuration for the cluster. If no
   // configuration is specified no health checking will be done and all cluster
   // members will be considered healthy at all times.
-  repeated HealthCheck health_checks = 8;
+  repeated core.HealthCheck health_checks = 8;
 
   // Optional maximum requests for a single upstream connection. This parameter
   // is respected by both the HTTP/1.1 and HTTP/2 connection pool
@@ -152,7 +154,7 @@ message Cluster {
   google.protobuf.UInt32Value max_requests_per_connection = 9;
 
   // Optional :ref:`circuit breaking <arch_overview_circuit_break>` for the cluster.
-  envoy.api.v2.cluster.CircuitBreakers circuit_breakers = 10;
+  cluster.CircuitBreakers circuit_breakers = 10;
 
   // The TLS configuration for connections to the upstream cluster. If no TLS
   // configuration is specified, TLS will not be used for new connections.
@@ -167,7 +169,7 @@ message Cluster {
   reserved 12;
 
   // Additional options when handling HTTP1 requests.
-  Http1ProtocolOptions http_protocol_options = 13;
+  core.Http1ProtocolOptions http_protocol_options = 13;
 
   // Even if default HTTP2 protocol options are desired, this field must be
   // set so that Envoy will assume that the upstream supports HTTP/2 when
@@ -175,7 +177,7 @@ message Cluster {
   // supports prior knowledge for upstream connections. Even if TLS is used
   // with ALPN, `http2_protocol_options` must be specified. As an aside this allows HTTP/2
   // connections to happen over plain text.
-  Http2ProtocolOptions http2_protocol_options = 14;
+  core.Http2ProtocolOptions http2_protocol_options = 14;
 
   reserved 15;
 
@@ -222,12 +224,12 @@ message Cluster {
   // :ref:`STRICT_DNS<envoy_api_enum_value_Cluster.DiscoveryType.STRICT_DNS>`
   // and :ref:`LOGICAL_DNS<envoy_api_enum_value_Cluster.DiscoveryType.LOGICAL_DNS>`
   // this setting is ignored.
-  repeated Address dns_resolvers = 18;
+  repeated core.Address dns_resolvers = 18;
 
   // If specified, outlier detection will be enabled for this upstream cluster.
   // Each of the configuration values can be overridden via
   // :ref:`runtime values <config_cluster_manager_cluster_runtime_outlier_detection>`.
-  envoy.api.v2.cluster.OutlierDetection outlier_detection = 19;
+  cluster.OutlierDetection outlier_detection = 19;
 
   // The interval for removing stale hosts from a cluster type
   // :ref:`ORIGINAL_DST<envoy_api_enum_value_Cluster.DiscoveryType.ORIGINAL_DST>`.
@@ -248,7 +250,7 @@ message Cluster {
   // Optional configuration used to bind newly established upstream connections.
   // This overrides any bind_config specified in the bootstrap proto.
   // If the addres and port are empty, no bind will be performed.
-  BindConfig upstream_bind_config = 21;
+  core.BindConfig upstream_bind_config = 21;
 
   // Optionally divide the endpoints in this cluster into subsets defined by
   // endpoint metadata and selected by route and weighted cluster metadata.
@@ -341,15 +343,15 @@ message Cluster {
     RingHashLbConfig ring_hash_lb_config = 23;
   }
 
-  // See :ref:`base.TransportSocket<envoy_api_msg_TransportSocket>` description.
-  TransportSocket transport_socket = 24;
+  // See :ref:`base.TransportSocket<envoy_api_msg_core.TransportSocket>` description.
+  core.TransportSocket transport_socket = 24;
 
   // The Metadata field can be used to provide additional information about the
   // cluster. It can be used for stats, logging, and varying filter behavior.
   // Fields should use reverse DNS notation to denote which entity within Envoy
   // will need the information. For instance, if the metadata is intended for
   // the Router filter, the filter name should be specified as *envoy.router*.
-  Metadata metadata = 25;
+  core.Metadata metadata = 25;
 
   enum ClusterProtocolSelection {
     // Cluster can only operate on one of the possible upstream protocols (HTTP1.1, HTTP2).
@@ -366,5 +368,5 @@ message Cluster {
 // establishing upstream connections.
 message UpstreamBindConfig {
   // The address Envoy should bind to when establishing upstream connections.
-  Address source_address = 1;
+  core.Address source_address = 1;
 }

envoy/api/v2/cluster/BUILD

@@ -5,8 +5,11 @@ licenses(["notice"])  # Apache 2
 api_proto_library(
     name = "circuit_breaker",
     srcs = ["circuit_breaker.proto"],
+    visibility = [
+        "//envoy/api/v2:__pkg__",
+    ],
     deps = [
-        "//envoy/api/v2:base",
+        "//envoy/api/v2/core:base",
     ],
 )
 
@@ -14,13 +17,16 @@ api_go_proto_library(
     name = "circuit_breaker",
     proto = ":circuit_breaker",
     deps = [
-        "//envoy/api/v2:base_go_proto",
+        "//envoy/api/v2/core:base_go_proto",
     ],
 )
 
 api_proto_library(
     name = "outlier_detection",
     srcs = ["outlier_detection.proto"],
+    visibility = [
+        "//envoy/api/v2:__pkg__",
+    ],
 )
 
 api_go_proto_library(

envoy/api/v2/cluster/circuit_breaker.proto

@@ -3,10 +3,14 @@ syntax = "proto3";
 package envoy.api.v2.cluster;
 option go_package = "cluster";
 
-import "envoy/api/v2/base.proto";
+import "envoy/api/v2/core/base.proto";
 
 import "google/protobuf/wrappers.proto";
 
+import "gogoproto/gogo.proto";
+
+option (gogoproto.equal_all) = true;
+
 // [#protodoc-title: Circuit breakers]
 
 // :ref:`Circuit breaking<arch_overview_circuit_break>` settings can be
@@ -14,13 +18,13 @@ import "google/protobuf/wrappers.proto";
 message CircuitBreakers {
 
   // A Thresholds defines CircuitBreaker settings for a
-  // :ref:`RoutingPriority<envoy_api_enum_RoutingPriority>`.
+  // :ref:`RoutingPriority<envoy_api_enum_core.RoutingPriority>`.
   message Thresholds {
-    // The :ref:`RoutingPriority<envoy_api_enum_RoutingPriority>`
+    // The :ref:`RoutingPriority<envoy_api_enum_core.RoutingPriority>`
     // the specified CircuitBreaker settings apply to.
     // [#comment:TODO(htuch): add (validate.rules).enum.defined_only = true once
     // https://github.com/lyft/protoc-gen-validate/issues/42 is resolved.]
-    RoutingPriority priority = 1;
+    core.RoutingPriority priority = 1;
 
     // The maximum number of connections that Envoy will make to the upstream
     // cluster. If not specified, the default is 1024.
@@ -40,9 +44,9 @@ message CircuitBreakers {
   }
 
   // If multiple :ref:`Thresholds<envoy_api_msg_cluster.CircuitBreakers.Thresholds>`
-  // are defined with the same :ref:`RoutingPriority<envoy_api_enum_RoutingPriority>`,
+  // are defined with the same :ref:`RoutingPriority<envoy_api_enum_core.RoutingPriority>`,
   // the first one in the list is used. If no Thresholds is defined for a given
-  // :ref:`RoutingPriority<envoy_api_enum_RoutingPriority>`, the default values
+  // :ref:`RoutingPriority<envoy_api_enum_core.RoutingPriority>`, the default values
   // are used.
   repeated Thresholds thresholds = 1;
 }

envoy/api/v2/cluster/outlier_detection.proto

@@ -6,6 +6,9 @@ import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
 
 import "validate/validate.proto";
+import "gogoproto/gogo.proto";
+
+option (gogoproto.equal_all) = true;
 
 // [#protodoc-title: Outlier detection]
 

envoy/api/v2/core/BUILD

@@ -0,0 +1,108 @@
+load("//bazel:api_build_system.bzl", "api_proto_library", "api_go_proto_library", "api_go_grpc_library")
+
+licenses(["notice"])  # Apache 2
+
+package_group(
+    name = "friends",
+    includes = [
+        "//envoy/api/v2:friends",
+    ],
+    packages = [
+        "//envoy/api/v2/auth",
+        "//envoy/api/v2/cluster",
+        "//envoy/api/v2/endpoint",
+        "//envoy/api/v2/listener",
+        "//envoy/api/v2/route",
+    ],
+)
+
+api_proto_library(
+    name = "address",
+    srcs = ["address.proto"],
+    visibility = [
+        ":friends",
+    ],
+)
+
+api_go_proto_library(
+    name = "address",
+    proto = ":address",
+)
+
+api_proto_library(
+    name = "base",
+    srcs = ["base.proto"],
+    visibility = [
+        ":friends",
+    ],
+)
+
+api_go_proto_library(
+    name = "base",
+    proto = ":base",
+    deps = [":address_go_proto"],
+)
+
+api_proto_library(
+    name = "health_check",
+    srcs = ["health_check.proto"],
+    visibility = [
+        ":friends",
+    ],
+    deps = [":base"],
+)
+
+api_go_proto_library(
+    name = "health_check",
+    proto = ":health_check",
+    deps = [":base_go_proto"],
+)
+
+api_proto_library(
+    name = "config_source",
+    srcs = ["config_source.proto"],
+    visibility = [
+        ":friends",
+    ],
+    deps = [
+        ":base",
+        ":grpc_service",
+    ],
+)
+
+api_go_proto_library(
+    name = "config_source",
+    proto = ":config_source",
+    deps = [
+        ":base_go_proto",
+        ":grpc_service_go_proto",
+    ],
+)
+
+api_proto_library(
+    name = "grpc_service",
+    srcs = ["grpc_service.proto"],
+    visibility = [
+        ":friends",
+    ],
+    deps = [":base"],
+)
+
+api_go_proto_library(
+    name = "grpc_service",
+    proto = ":grpc_service",
+    deps = [":base_go_proto"],
+)
+
+api_proto_library(
+    name = "protocol",
+    srcs = ["protocol.proto"],
+    visibility = [
+        ":friends",
+    ],
+)
+
+api_go_proto_library(
+    name = "protocol",
+    proto = ":protocol",
+)

envoy/api/v2/core/address.proto

@@ -1,12 +1,14 @@
 syntax = "proto3";
 
-package envoy.api.v2;
+package envoy.api.v2.core;
 
 import "google/protobuf/wrappers.proto";
 
 import "validate/validate.proto";
 import "gogoproto/gogo.proto";
 
+option (gogoproto.equal_all) = true;
+
 // [#protodoc-title: Network addresses]
 // [#v2-api-diff: Addresses now have .proto structure.]
 
@@ -17,6 +19,7 @@ message Pipe {
 
 message SocketAddress {
   enum Protocol {
+    option (gogoproto.goproto_enum_prefix) = false;
     TCP = 0;
     // [#not-implemented-hide:]
     UDP = 1;
@@ -29,14 +32,14 @@ message SocketAddress {
   // FilterChainMatch after connection. For :ref:`clusters
   // <config_cluster_manager_cluster>`, an address may be either an IP or
   // hostname to be resolved via DNS. If it is a hostname, :ref:`resolver_name
-  // <envoy_api_field_SocketAddress.resolver_name>` should be set unless default
+  // <envoy_api_field_core.SocketAddress.resolver_name>` should be set unless default
   // (i.e. DNS) resolution is expected.
   string address = 2 [(validate.rules).string.min_bytes = 1];
   oneof port_specifier {
     option (validate.required) = true;
     uint32 port_value = 3;
     // This is only valid if :ref:`resolver_name
-    // <envoy_api_field_SocketAddress.resolver_name>` is specified below and the
+    // <envoy_api_field_core.SocketAddress.resolver_name>` is specified below and the
     // named resolver is capable of named port resolution.
     string named_port = 4;
   }

envoy/api/v2/core/base.proto

@@ -1,7 +1,7 @@
 syntax = "proto3";
 
-package envoy.api.v2;
-option go_package = "api";
+package envoy.api.v2.core;
+option go_package = "core";
 
 import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";
@@ -9,11 +9,13 @@ import "google/protobuf/wrappers.proto";
 import "validate/validate.proto";
 import "gogoproto/gogo.proto";
 
+option (gogoproto.equal_all) = true;
+
 // [#protodoc-title: Common types]
 
 // Identifies location of where either Envoy runs or where upstream hosts run.
 message Locality {
-  // Region this :ref:`zone <envoy_api_field_Locality.zone>` belongs to.
+  // Region this :ref:`zone <envoy_api_field_core.Locality.zone>` belongs to.
   string region = 1;
 
   // Defines the local service zone where Envoy is running. Though optional, it
@@ -121,6 +123,7 @@ enum RoutingPriority {
 
 // HTTP request method.
 enum RequestMethod {
+  option (gogoproto.goproto_enum_prefix) = false;
   METHOD_UNSPECIFIED = 0;
   GET = 1;
   HEAD = 2;

envoy/api/v2/core/config_source.proto

@@ -1,14 +1,16 @@
 syntax = "proto3";
 
-package envoy.api.v2;
+package envoy.api.v2.core;
 
-import "envoy/api/v2/grpc_service.proto";
+import "envoy/api/v2/core/grpc_service.proto";
 
 import "google/protobuf/duration.proto";
 
 import "validate/validate.proto";
 import "gogoproto/gogo.proto";
 
+option (gogoproto.equal_all) = true;
+
 // [#protodoc-title: Configuration sources]
 
 // API configuration source. This identifies the API type and cluster that Envoy
@@ -50,7 +52,7 @@ message ApiConfigSource {
 }
 
 // Aggregated Discovery Service (ADS) options. This is currently empty, but when
-// set in :ref:`ConfigSource <envoy_api_msg_ConfigSource>` can be used to
+// set in :ref:`ConfigSource <envoy_api_msg_core.ConfigSource>` can be used to
 // specify that ADS is to be used.
 message AggregatedConfigSource {
 }

envoy/api/v2/core/grpc_service.proto

@@ -1,18 +1,21 @@
 syntax = "proto3";
 
-package envoy.api.v2;
+package envoy.api.v2.core;
 
-import "envoy/api/v2/base.proto";
+import "envoy/api/v2/core/base.proto";
 
 import "google/protobuf/duration.proto";
 
 import "validate/validate.proto";
+import "gogoproto/gogo.proto";
+
+option (gogoproto.equal_all) = true;
 
 // [#protodoc-title: gRPC services]
 // [#proto-status: draft]
 
 // gRPC service configuration. This is used by :ref:`ApiConfigSource
-// <envoy_api_msg_ApiConfigSource>` and filter configurations.
+// <envoy_api_msg_core.ApiConfigSource>` and filter configurations.
 message GrpcService {
   message EnvoyGrpc {
     // The name of the upstream gRPC cluster. SSL credentials will be supplied
@@ -24,7 +27,7 @@ message GrpcService {
   message GoogleGrpc {
     // The target URI when using the `Google C++ gRPC client
     // <https://github.com/grpc/grpc>`_. SSL credentials will be supplied in
-    // :ref:`credentials <envoy_api_field_GrpcService.credentials>`.
+    // :ref:`credentials <envoy_api_field_core.GrpcService.credentials>`.
     string target_uri = 1 [(validate.rules).string.min_bytes = 1];
 
     // See https://grpc.io/grpc/cpp/structgrpc_1_1_ssl_credentials_options.html.

envoy/api/v2/core/health_check.proto

@@ -1,11 +1,14 @@
 syntax = "proto3";
 
-package envoy.api.v2;
+package envoy.api.v2.core;
 
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
 
 import "validate/validate.proto";
+import "gogoproto/gogo.proto";
+
+option (gogoproto.equal_all) = true;
 
 // [#protodoc-title: Health check]
 // * Health checking :ref:`architecture overview <arch_overview_health_checking>`.

envoy/api/v2/core/protocol.proto

@@ -2,11 +2,14 @@
 
 syntax = "proto3";
 
-package envoy.api.v2;
+package envoy.api.v2.core;
 
 import "google/protobuf/wrappers.proto";
 
 import "validate/validate.proto";
+import "gogoproto/gogo.proto";
+
+option (gogoproto.equal_all) = true;
 
 // [#protodoc-title: Protocol options]
 

envoy/api/v2/discovery.proto

@@ -1,10 +1,14 @@
 syntax = "proto3";
 
 package envoy.api.v2;
+option go_package = "v2";
 
-import "envoy/api/v2/base.proto";
+import "envoy/api/v2/core/base.proto";
 
 import "google/protobuf/any.proto";
+import "gogoproto/gogo.proto";
+
+option (gogoproto.equal_all) = true;
 
 // [#protodoc-title: Common discovery API components]
 
@@ -21,7 +25,7 @@ message DiscoveryRequest {
   string version_info = 1;
 
   // The node making the request.
-  Node node = 2;
+  core.Node node = 2;
 
   // List of resources to subscribe to, e.g. list of cluster names or a route
   // configuration name. If this is empty, all resources for the API are
@@ -49,7 +53,7 @@ message DiscoveryResponse {
   string version_info = 1;
 
   // The response resources. These resources are typed and depend on the API being called.
-  repeated google.protobuf.Any resources = 2;
+  repeated google.protobuf.Any resources = 2 [(gogoproto.nullable) = false];
 
   // [#not-implemented-hide:]
   // Canary is used to support two Envoy command line flags:

envoy/api/v2/eds.proto

@@ -8,6 +8,9 @@ import "envoy/api/v2/endpoint/endpoint.proto";
 import "google/api/annotations.proto";
 
 import "validate/validate.proto";
+import "gogoproto/gogo.proto";
+
+option (gogoproto.equal_all) = true;
 
 // [#protodoc-title: EDS]
 
@@ -41,7 +44,7 @@ message ClusterLoadAssignment {
   string cluster_name = 1 [(validate.rules).string.min_bytes = 1];
 
   // List of endpoints to load balance to.
-  repeated endpoint.LocalityLbEndpoints endpoints = 2;
+  repeated endpoint.LocalityLbEndpoints endpoints = 2 [(gogoproto.nullable) = false];
 
   // Load balancing policy settings.
   message Policy {

envoy/api/v2/endpoint/BUILD

@@ -5,13 +5,14 @@ licenses(["notice"])  # Apache 2
 api_proto_library(
     name = "endpoint",
     srcs = ["endpoint.proto"],
+    visibility = ["//envoy/api/v2:friends"],
     deps = [
-        "//envoy/api/v2:address",
-        "//envoy/api/v2:base",
-        "//envoy/api/v2:config_source",
-        "//envoy/api/v2:health_check",
-        "//envoy/api/v2:protocol",
         "//envoy/api/v2/auth:cert",
+        "//envoy/api/v2/core:address",
+        "//envoy/api/v2/core:base",
+        "//envoy/api/v2/core:config_source",
+        "//envoy/api/v2/core:health_check",
+        "//envoy/api/v2/core:protocol",
     ],
 )
 
@@ -19,20 +20,21 @@ api_go_proto_library(
     name = "endpoint",
     proto = ":endpoint",
     deps = [
-        "//envoy/api/v2:address_go_proto",
-        "//envoy/api/v2:base_go_proto",
-        "//envoy/api/v2:config_source_go_proto",
-        "//envoy/api/v2:health_check_go_proto",
-        "//envoy/api/v2:protocol_go_proto",
         "//envoy/api/v2/auth:cert_go_proto",
+        "//envoy/api/v2/core:address_go_proto",
+        "//envoy/api/v2/core:base_go_proto",
+        "//envoy/api/v2/core:config_source_go_proto",
+        "//envoy/api/v2/core:health_check_go_proto",
+        "//envoy/api/v2/core:protocol_go_proto",
     ],
 )
 
 api_proto_library(
     name = "load_report",
     srcs = ["load_report.proto"],
+    visibility = ["//envoy/api/v2:friends"],
     deps = [
-        "//envoy/api/v2:base",
+        "//envoy/api/v2/core:base",
     ],
 )
 
@@ -40,6 +42,6 @@ api_go_proto_library(
     name = "load_report",
     proto = ":load_report",
     deps = [
-        "//envoy/api/v2:base_go_proto",
+        "//envoy/api/v2/core:base_go_proto",
     ],
 )

envoy/api/v2/endpoint/endpoint.proto

@@ -3,20 +3,22 @@ syntax = "proto3";
 package envoy.api.v2.endpoint;
 option go_package = "endpoint";
 
-import "envoy/api/v2/address.proto";
-import "envoy/api/v2/base.proto";
-import "envoy/api/v2/health_check.proto";
+import "envoy/api/v2/core/address.proto";
+import "envoy/api/v2/core/base.proto";
+import "envoy/api/v2/core/health_check.proto";
 
 import "google/protobuf/wrappers.proto";
 
 import "validate/validate.proto";
 import "gogoproto/gogo.proto";
 
+option (gogoproto.equal_all) = true;
+
 // [#protodoc-title: Endpoints]
 
 // Upstream host identifier.
 message Endpoint {
-  Address address = 1;
+  core.Address address = 1;
 }
 
 // An Endpoint that Envoy can route traffic to.
@@ -26,7 +28,7 @@ message LbEndpoint {
 
   // [#not-implemented-hide:] Optional health status when known and supplied by
   // EDS server.
-  HealthStatus health_status = 2;
+  core.HealthStatus health_status = 2;
 
   // The endpoint metadata specifies values that may be used by the load
   // balancer to select endpoints in a cluster for a given request. The filter
@@ -34,7 +36,7 @@ message LbEndpoint {
   // is *canary*, providing the optional canary status of the upstream host.
   // This may be matched against in a route's ForwardAction metadata_match field
   // to subset the endpoints considered in cluster load balancing.
-  Metadata metadata = 3;
+  core.Metadata metadata = 3;
 
   // The optional load balancing weight of the upstream host, in the range 1 -
   // 128. Envoy uses the load balancing weight in some of the built in load
@@ -60,10 +62,10 @@ message LbEndpoint {
 // balancing weights or different priorities.
 message LocalityLbEndpoints {
   // Identifies location of where the upstream hosts run.
-  Locality locality = 1;
+  core.Locality locality = 1;
 
   // The group of endpoints belonging to the locality specified.
-  repeated LbEndpoint lb_endpoints = 2;
+  repeated LbEndpoint lb_endpoints = 2 [(gogoproto.nullable) = false];
 
   // Optional: Per priority/region/zone/sub_zone weight - range 1-128. The load
   // balancing weight for a locality is divided by the sum of the weights of all

envoy/api/v2/endpoint/load_report.proto

@@ -2,7 +2,7 @@ syntax = "proto3";
 
 package envoy.api.v2.endpoint;
 
-import "envoy/api/v2/base.proto";
+import "envoy/api/v2/core/base.proto";
 
 import "validate/validate.proto";
 import "gogoproto/gogo.proto";
@@ -15,7 +15,7 @@ import "gogoproto/gogo.proto";
 message UpstreamLocalityStats {
   // Name of zone, region and optionally endpoint group these metrics were
   // collected from. Zone and region names could be empty if unknown.
-  envoy.api.v2.Locality locality = 1;
+  core.Locality locality = 1;
 
   // The total number of requests sent by this Envoy since the last report. A
   // single HTTP or gRPC request or stream is counted as one request. A TCP

envoy/api/v2/filter/accesslog/BUILD

@@ -1,13 +0,0 @@
-load("//bazel:api_build_system.bzl", "api_proto_library")
-
-licenses(["notice"])  # Apache 2
-
-api_proto_library(
-    name = "accesslog",
-    srcs = ["accesslog.proto"],
-    deps = [
-        "//envoy/api/v2:address",
-        "//envoy/api/v2:base",
-        "//envoy/api/v2:grpc_service",
-    ],
-)

envoy/api/v2/filter/http/BUILD

@@ -1,85 +0,0 @@
-load("//bazel:api_build_system.bzl", "api_proto_library")
-
-licenses(["notice"])  # Apache 2
-
-api_proto_library(
-    name = "router",
-    srcs = ["router.proto"],
-    deps = ["//envoy/api/v2/filter/accesslog"],
-)
-
-api_proto_library(
-    name = "lua",
-    srcs = ["lua.proto"],
-)
-
-api_proto_library(
-    name = "buffer",
-    srcs = ["buffer.proto"],
-)
-
-api_proto_library(
-    name = "transcoder",
-    srcs = ["transcoder.proto"],
-)
-
-api_proto_library(
-    name = "rate_limit",
-    srcs = ["rate_limit.proto"],
-)
-
-api_proto_library(
-    name = "ip_tagging",
-    srcs = ["ip_tagging.proto"],
-    deps = ["//envoy/api/v2:address"],
-)
-
-api_proto_library(
-    name = "health_check",
-    srcs = ["health_check.proto"],
-    deps = [
-        "//envoy/api/v2:base",
-    ],
-)
-
-api_proto_library(
-    name = "fault",
-    srcs = ["fault.proto"],
-    deps = [
-        "//envoy/api/v2/filter:fault",
-        "//envoy/api/v2/route",
-    ],
-)
-
-api_proto_library(
-    name = "gzip",
-    srcs = ["gzip.proto"],
-)
-
-api_proto_library(
-    name = "squash",
-    srcs = ["squash.proto"],
-)
-
-api_proto_library(
-    name = "ext_authz",
-    srcs = ["ext_authz.proto"],
-    deps = ["//envoy/api/v2:grpc_service"],
-)
-
-proto_library(
-    name = "http",
-    visibility = ["//envoy:__pkg__"],
-    deps = [
-        ":buffer",
-        ":ext_authz",
-        ":fault",
-        ":gzip",
-        ":health_check",
-        ":lua",
-        ":rate_limit",
-        ":router",
-        ":squash",
-        ":transcoder",
-    ],
-)

envoy/api/v2/filter/network/BUILD

@@ -1,67 +0,0 @@
-load("//bazel:api_build_system.bzl", "api_proto_library")
-
-licenses(["notice"])  # Apache 2
-
-api_proto_library(
-    name = "http_connection_manager",
-    srcs = ["http_connection_manager.proto"],
-    deps = [
-        "//envoy/api/v2:base",
-        "//envoy/api/v2:config_source",
-        "//envoy/api/v2:protocol",
-        "//envoy/api/v2:rds",
-        "//envoy/api/v2/filter/accesslog",
-    ],
-)
-
-api_proto_library(
-    name = "mongo_proxy",
-    srcs = ["mongo_proxy.proto"],
-    deps = ["//envoy/api/v2/filter:fault"],
-)
-
-api_proto_library(
-    name = "tcp_proxy",
-    srcs = ["tcp_proxy.proto"],
-    deps = [
-        "//envoy/api/v2:address",
-        "//envoy/api/v2/filter/accesslog",
-    ],
-)
-
-api_proto_library(
-    name = "redis_proxy",
-    srcs = ["redis_proxy.proto"],
-)
-
-api_proto_library(
-    name = "client_ssl_auth",
-    srcs = ["client_ssl_auth.proto"],
-    deps = ["//envoy/api/v2:address"],
-)
-
-api_proto_library(
-    name = "rate_limit",
-    srcs = ["rate_limit.proto"],
-    deps = ["//envoy/api/v2/ratelimit"],
-)
-
-api_proto_library(
-    name = "ext_authz",
-    srcs = ["ext_authz.proto"],
-    deps = ["//envoy/api/v2:grpc_service"],
-)
-
-proto_library(
-    name = "network",
-    visibility = ["//envoy:__pkg__"],
-    deps = [
-        ":client_ssl_auth",
-        ":ext_authz",
-        ":http_connection_manager",
-        ":mongo_proxy",
-        ":rate_limit",
-        ":redis_proxy",
-        ":tcp_proxy",
-    ],
-)

envoy/api/v2/lds.proto

@@ -2,8 +2,8 @@ syntax = "proto3";
 
 package envoy.api.v2;
 
-import "envoy/api/v2/address.proto";
-import "envoy/api/v2/base.proto";
+import "envoy/api/v2/core/address.proto";
+import "envoy/api/v2/core/base.proto";
 import "envoy/api/v2/discovery.proto";
 import "envoy/api/v2/listener/listener.proto";
 
@@ -11,6 +11,9 @@ import "google/api/annotations.proto";
 import "google/protobuf/wrappers.proto";
 
 import "validate/validate.proto";
+import "gogoproto/gogo.proto";
+
+option (gogoproto.equal_all) = true;
 
 // [#protodoc-title: LDS]
 
@@ -42,7 +45,7 @@ message Listener {
   // The address that the listener should listen on. In general, the address must be unique, though
   // that is governed by the bind rules of the OS. E.g., multiple listeners can listen on port 0 on
   // Linux as the actual port will be allocated by the OS.
-  Address address = 2 [(validate.rules).message.required = true];
+  core.Address address = 2 [(validate.rules).message.required = true, (gogoproto.nullable) = false];
 
   // A list of filter chains to consider for this listener. The
   // :ref:`FilterChain <envoy_api_msg_listener.FilterChain>` with the most specific
@@ -58,7 +61,8 @@ message Listener {
   //   filters differ, the configuration will fail to load. In the future, this limitation will be
   //   relaxed such that different filters can be used depending on which filter chain matches
   //   (based on SNI or some other parameter).
-  repeated listener.FilterChain filter_chains = 3 [(validate.rules).repeated .min_items = 1];
+  repeated listener.FilterChain filter_chains = 3
+      [(validate.rules).repeated .min_items = 1, (gogoproto.nullable) = false];
 
   // If a connection is redirected using *iptables*, the port on which the proxy
   // receives it might be different from the original destination address. When this flag is set to
@@ -82,7 +86,7 @@ message Listener {
   google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5;
 
   // Listener metadata.
-  Metadata metadata = 6;
+  core.Metadata metadata = 6;
 
   // [#not-implemented-hide:]
   message DeprecatedV1 {
@@ -118,5 +122,5 @@ message Listener {
   // :ref:`filter_chains <envoy_api_field_Listener.filter_chains>`. Order matters as the
   // filters are processed sequentially right after a socket has been accepted by the listener, and
   // before a connection is created.
-  repeated listener.ListenerFilter listener_filters = 9;
+  repeated listener.ListenerFilter listener_filters = 9 [(gogoproto.nullable) = false];
 }

envoy/api/v2/listener/BUILD

@@ -5,10 +5,11 @@ licenses(["notice"])  # Apache 2
 api_proto_library(
     name = "listener",
     srcs = ["listener.proto"],
+    visibility = ["//envoy/api/v2:friends"],
     deps = [
-        "//envoy/api/v2:address",
-        "//envoy/api/v2:base",
         "//envoy/api/v2/auth:cert",
+        "//envoy/api/v2/core:address",
+        "//envoy/api/v2/core:base",
     ],
 )
 
@@ -16,8 +17,8 @@ api_go_proto_library(
     name = "listener",
     proto = ":listener",
     deps = [
-        "//envoy/api/v2:address_go_proto",
-        "//envoy/api/v2:base_go_proto",
         "//envoy/api/v2/auth:cert_go_proto",
+        "//envoy/api/v2/core:address_go_proto",
+        "//envoy/api/v2/core:base_go_proto",
     ],
 )

envoy/api/v2/listener/listener.proto

@@ -3,14 +3,17 @@ syntax = "proto3";
 package envoy.api.v2.listener;
 option go_package = "listener";
 
-import "envoy/api/v2/address.proto";
+import "envoy/api/v2/core/address.proto";
 import "envoy/api/v2/auth/cert.proto";
-import "envoy/api/v2/base.proto";
+import "envoy/api/v2/core/base.proto";
 
 import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";
 
 import "validate/validate.proto";
+import "gogoproto/gogo.proto";
+
+option (gogoproto.equal_all) = true;
 
 // [#protodoc-title: Listeners]
 // Listener :ref:`configuration overview <config_listeners>`
@@ -57,7 +60,7 @@ message FilterChainMatch {
   // If non-empty, an IP address and prefix length to match addresses when the
   // listener is bound to 0.0.0.0/:: or when use_original_dst is specified.
   // [#not-implemented-hide:]
-  repeated CidrRange prefix_ranges = 3;
+  repeated core.CidrRange prefix_ranges = 3;
 
   // If non-empty, an IP address and suffix length to match addresses when the
   // listener is bound to 0.0.0.0/:: or when use_original_dst is specified.
@@ -72,7 +75,7 @@ message FilterChainMatch {
   // parameter is not specified or the list is empty, the source IP address is
   // ignored.
   // [#not-implemented-hide:]
-  repeated CidrRange source_prefix_ranges = 6;
+  repeated core.CidrRange source_prefix_ranges = 6;
 
   // The criteria is satisfied if the source port of the downstream connection
   // is contained in at least one of the specified ports. If the parameter is
@@ -99,7 +102,7 @@ message FilterChain {
   // connections established with the listener. Order matters as the filters are
   // processed sequentially as connection events happen. Note: If the filter
   // list is empty, the connection will close by default.
-  repeated Filter filters = 3;
+  repeated Filter filters = 3 [(gogoproto.nullable) = false];
 
   // Whether the listener should expect a PROXY protocol V1 header on new
   // connections. If this option is enabled, the listener will assume that that
@@ -110,10 +113,10 @@ message FilterChain {
   google.protobuf.BoolValue use_proxy_proto = 4;
 
   // [#not-implemented-hide:] filter chain metadata.
-  Metadata metadata = 5;
+  core.Metadata metadata = 5;
 
-  // [#not-implemented-hide:] See base.TransportSocket description.
-  TransportSocket transport_socket = 6;
+  // See :ref:`base.TransportSocket<envoy_api_msg_core.TransportSocket>` description.
+  core.TransportSocket transport_socket = 6;
 }
 
 message ListenerFilter {

envoy/api/v2/ratelimit/BUILD

@@ -5,6 +5,7 @@ licenses(["notice"])  # Apache 2
 api_proto_library(
     name = "ratelimit",
     srcs = ["ratelimit.proto"],
+    visibility = ["//envoy/api/v2:friends"],
 )
 
 api_go_proto_library(

envoy/api/v2/rds.proto

@@ -2,13 +2,17 @@ syntax = "proto3";
 
 package envoy.api.v2;
 
-import "envoy/api/v2/base.proto";
+import "envoy/api/v2/core/base.proto";
 import "envoy/api/v2/discovery.proto";
 import "envoy/api/v2/route/route.proto";
 
 import "google/api/annotations.proto";
 import "google/protobuf/wrappers.proto";
 
+import "gogoproto/gogo.proto";
+
+option (gogoproto.equal_all) = true;
+
 // [#protodoc-title: RDS]
 
 // The resource_names field in DiscoveryRequest specifies a route configuration.
@@ -30,12 +34,13 @@ service RouteDiscoveryService {
 
 message RouteConfiguration {
   // The name of the route configuration. For example, it might match
-  // :ref:`route_config_name <envoy_api_field_filter.network.Rds.route_config_name>` in
-  // :ref:`envoy_api_msg_filter.network.Rds`.
+  // :ref:`route_config_name
+  // <envoy_api_field_config.filter.network.http_connection_manager.v2.Rds.route_config_name>` in
+  // :ref:`envoy_api_msg_config.filter.network.http_connection_manager.v2.Rds`.
   string name = 1;
 
   // An array of virtual hosts that make up the route table.
-  repeated route.VirtualHost virtual_hosts = 2;
+  repeated route.VirtualHost virtual_hosts = 2 [(gogoproto.nullable) = false];
 
   // Optionally specifies a list of HTTP headers that the connection manager
   // will consider to be internal only. If they are found on external requests they will be cleaned
@@ -49,7 +54,7 @@ message RouteConfiguration {
   // :ref:`envoy_api_msg_route.RouteAction`. For more information, including details on
   // header value syntax, see the documentation on :ref:`custom request headers
   // <config_http_conn_man_headers_custom_request_headers>`.
-  repeated HeaderValueOption response_headers_to_add = 4;
+  repeated core.HeaderValueOption response_headers_to_add = 4;
 
   // Specifies a list of HTTP headers that should be removed from each response
   // that the connection manager encodes.
@@ -61,7 +66,7 @@ message RouteConfiguration {
   // :ref:`envoy_api_msg_route.RouteAction`. For more information, including details on
   // header value syntax, see the documentation on :ref:`custom request headers
   // <config_http_conn_man_headers_custom_request_headers>`.
-  repeated HeaderValueOption request_headers_to_add = 6;
+  repeated core.HeaderValueOption request_headers_to_add = 6;
 
   // An optional boolean that specifies whether the clusters that the route
   // table refers to will be validated by the cluster manager. If set to true
@@ -70,10 +75,11 @@ message RouteConfiguration {
   // route table will load and the router filter will return a 404 if the route
   // is selected at runtime. This setting defaults to true if the route table
   // is statically defined via the :ref:`route_config
-  // <envoy_api_field_filter.network.HttpConnectionManager.route_config>` option. This setting
-  // default to false if the route table is loaded dynamically via the :ref:`rds
-  // <envoy_api_field_filter.network.HttpConnectionManager.rds>` option. Users
-  // may which to override the default behavior in certain cases (for example
-  // when using CDS with a static route table).
+  // <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.route_config>`
+  // option. This setting default to false if the route table is loaded dynamically via the
+  // :ref:`rds
+  // <envoy_api_field_config.filter.network.http_connection_manager.v2.HttpConnectionManager.rds>`
+  // option. Users may which to override the default behavior in certain cases (for example when
+  // using CDS with a static route table).
   google.protobuf.BoolValue validate_clusters = 7;
 }

envoy/api/v2/route/BUILD

@@ -5,9 +5,10 @@ licenses(["notice"])  # Apache 2
 api_proto_library(
     name = "route",
     srcs = ["route.proto"],
+    visibility = ["//envoy/api/v2:friends"],
     deps = [
-        "//envoy/api/v2:base",
         "//envoy/api/v2/auth",
+        "//envoy/api/v2/core:base",
     ],
 )
 
@@ -15,7 +16,7 @@ api_go_proto_library(
     name = "route",
     proto = ":route",
     deps = [
-        "//envoy/api/v2:base_go_proto",
         "//envoy/api/v2/auth:auth_go_proto",
+        "//envoy/api/v2/core:base_go_proto",
     ],
 )

envoy/api/v2/route/route.proto

@@ -3,7 +3,7 @@ syntax = "proto3";
 package envoy.api.v2.route;
 option go_package = "route";
 
-import "envoy/api/v2/base.proto";
+import "envoy/api/v2/core/base.proto";
 import "envoy/api/v2/auth/auth.proto";
 
 import "google/protobuf/duration.proto";
@@ -12,6 +12,8 @@ import "google/protobuf/wrappers.proto";
 import "validate/validate.proto";
 import "gogoproto/gogo.proto";
 
+option (gogoproto.equal_all) = true;
+
 // [#protodoc-title: HTTP route management]
 
 // * Routing :ref:`architecture overview <arch_overview_http_routing>`
@@ -43,7 +45,7 @@ message VirtualHost {
 
   // The list of routes that will be matched, in order, for incoming requests.
   // The first route that matches will be used.
-  repeated Route routes = 3;
+  repeated Route routes = 3 [(gogoproto.nullable) = false];
 
   enum TlsRequirementType {
     // No TLS requirement for the virtual host.
@@ -76,7 +78,7 @@ message VirtualHost {
   // enclosing :ref:`envoy_api_msg_RouteConfiguration`. For more information, including
   // details on header value syntax, see the documentation on :ref:`custom request headers
   // <config_http_conn_man_headers_custom_request_headers>`.
-  repeated HeaderValueOption request_headers_to_add = 7;
+  repeated core.HeaderValueOption request_headers_to_add = 7;
 
   // Specifies a list of HTTP headers that should be added to each response
   // handled by this virtual host. Headers specified at this level are applied
@@ -84,7 +86,7 @@ message VirtualHost {
   // enclosing :ref:`envoy_api_msg_RouteConfiguration`. For more information, including
   // details on header value syntax, see the documentation on :ref:`custom request headers
   // <config_http_conn_man_headers_custom_request_headers>`.
-  repeated HeaderValueOption response_headers_to_add = 10;
+  repeated core.HeaderValueOption response_headers_to_add = 10;
 
   // Specifies a list of HTTP headers that should be removed from each response
   // handle by this virtual host.
@@ -107,7 +109,7 @@ message VirtualHost {
 //   <envoy_api_msg_route.HeaderMatcher>`.
 message Route {
   // Route matching parameters.
-  RouteMatch match = 1 [(validate.rules).message.required = true];
+  RouteMatch match = 1 [(validate.rules).message.required = true, (gogoproto.nullable) = false];
 
   oneof action {
     option (validate.required) = true;
@@ -127,7 +129,7 @@ message Route {
   // The metadata should go under the filter namespace that will need it.
   // For instance, if the metadata is intended for the Router filter,
   // the filter name should be specified as *envoy.router*.
-  Metadata metadata = 4;
+  core.Metadata metadata = 4;
 
   // Decorator for the matched route.
   Decorator decorator = 5;
@@ -158,7 +160,7 @@ message WeightedCluster {
     // Optional endpoint metadata match criteria. Only endpoints in the upstream
     // cluster with metadata matching that set in metadata_match will be
     // considered. The filter name should be specified as *envoy.lb*.
-    Metadata metadata_match = 3;
+    core.Metadata metadata_match = 3;
 
     // [#not-implemented-hide:]
     // Specifies a list of headers to be added to requests when this cluster is selected
@@ -169,7 +171,7 @@ message WeightedCluster {
     // :ref:`envoy_api_msg_route.RouteConfiguration`. For more information, including details on
     // header value syntax, see the documentation on :ref:`custom request headers
     // <config_http_conn_man_headers_custom_request_headers>`.
-    repeated HeaderValueOption request_headers_to_add = 4;
+    repeated core.HeaderValueOption request_headers_to_add = 4;
 
     // [#not-implemented-hide:]
     // Specifies a list of headers to be added to responses when this cluster is selected
@@ -180,7 +182,7 @@ message WeightedCluster {
     // :ref:`envoy_api_msg_route.RouteConfiguration`. For more information, including details on
     // header value syntax, see the documentation on :ref:`custom request headers
     // <config_http_conn_man_headers_custom_request_headers>`.
-    repeated HeaderValueOption response_headers_to_add = 5;
+    repeated core.HeaderValueOption response_headers_to_add = 5;
 
     // [#not-implemented-hide:]
     // Specifies a list of headers to be removed from responses when this cluster is selected
@@ -246,7 +248,7 @@ message RouteMatch {
   // gradual manner without full code/config deploys. Refer to the
   // :ref:`traffic shifting <config_http_conn_man_route_table_traffic_splitting_shift>` docs
   // for additional documentation.
-  RuntimeUInt32 runtime = 5;
+  core.RuntimeUInt32 runtime = 5;
 
   // Specifies a set of headers that the route should match on. The router will
   // check the request’s headers against all the specified headers in the route
@@ -329,7 +331,7 @@ message RouteAction {
   // Optional endpoint metadata match criteria. Only endpoints in the upstream
   // cluster with metadata matching that set in metadata_match will be
   // considered. The filter name should be specified as *envoy.lb*.
-  Metadata metadata_match = 4;
+  core.Metadata metadata_match = 4;
 
   // Indicates that during forwarding, the matched prefix (or path) should be
   // swapped with this value. This option allows application URLs to be rooted
@@ -415,7 +417,7 @@ message RouteAction {
   // Optionally specifies the :ref:`routing priority <arch_overview_http_routing_priority>`.
   // [#comment:TODO(htuch): add (validate.rules).enum.defined_only = true once
   // https://github.com/lyft/protoc-gen-validate/issues/42 is resolved.]
-  RoutingPriority priority = 11;
+  core.RoutingPriority priority = 11;
 
   // Specifies a set of headers that will be added to requests matching this
   // route. Headers specified at this level are applied before headers from the
@@ -423,7 +425,7 @@ message RouteAction {
   // :ref:`envoy_api_msg_RouteConfiguration`. For more information, including details on
   // header value syntax, see the documentation on :ref:`custom request headers
   // <config_http_conn_man_headers_custom_request_headers>`.
-  repeated HeaderValueOption request_headers_to_add = 12;
+  repeated core.HeaderValueOption request_headers_to_add = 12;
 
   // Specifies a set of headers that will be added to responses to requests
   // matching this route. Headers specified at this level are applied before
@@ -431,7 +433,7 @@ message RouteAction {
   // :ref:`envoy_api_msg_RouteConfiguration`. For more information, including
   // details on header value syntax, see the documentation on
   // :ref:`custom request headers <config_http_conn_man_headers_custom_request_headers>`.
-  repeated HeaderValueOption response_headers_to_add = 18;
+  repeated core.HeaderValueOption response_headers_to_add = 18;
 
   // Specifies a list of HTTP headers that should be removed from each response
   // to requests matching this route.
@@ -577,7 +579,7 @@ message DirectResponseAction {
   //
   //   Headers can be specified using *response_headers_to_add* in
   //   :ref:`envoy_api_msg_RouteConfiguration`.
-  DataSource body = 2;
+  core.DataSource body = 2;
 }
 
 message Decorator {
@@ -630,7 +632,7 @@ message VirtualCluster {
   // etc.
   // [#comment:TODO(htuch): add (validate.rules).enum.defined_only = true once
   // https://github.com/lyft/protoc-gen-validate/issues/42 is resolved.]
-  RequestMethod method = 3;
+  core.RequestMethod method = 3;
 }
 
 // Global rate limiting :ref:`architecture overview <arch_overview_rate_limit>`.

envoy/config/README.md

@@ -1 +1,3 @@
-Protocol buffer definitions for Envoy's bootstrap and service configuration.
+Protocol buffer definitions for Envoy's bootstrap, filter, and service configuration.
+
+Visibility should be constrained to none or `//envoy/config/bootstrap/v2` by default.

envoy/config/accesslog/v2/BUILD

@@ -6,6 +6,6 @@ api_proto_library(
     name = "als",
     srcs = ["als.proto"],
     deps = [
-        "//envoy/api/v2:grpc_service",
+        "//envoy/api/v2/core:grpc_service",
     ],
 )

envoy/config/accesslog/v2/als.proto

@@ -1,9 +1,9 @@
 syntax = "proto3";
 
 package envoy.config.accesslog.v2;
-option go_package = "accesslog";
+option go_package = "v2";
 
-import "envoy/api/v2/grpc_service.proto";
+import "envoy/api/v2/core/grpc_service.proto";
 
 import "validate/validate.proto";
 
@@ -38,5 +38,5 @@ message CommonGrpcAccessLogConfig {
   string log_name = 1 [(validate.rules).string.min_bytes = 1];
 
   // The gRPC service for the access log service.
-  envoy.api.v2.GrpcService grpc_service = 2 [(validate.rules).message.required = true];
+  envoy.api.v2.core.GrpcService grpc_service = 2 [(validate.rules).message.required = true];
 }

envoy/config/bootstrap/v2/BUILD

@@ -6,12 +6,12 @@ api_proto_library(
     name = "bootstrap",
     srcs = ["bootstrap.proto"],
     deps = [
-        "//envoy/api/v2:address",
-        "//envoy/api/v2:base",
         "//envoy/api/v2:cds",
-        "//envoy/api/v2:config_source",
         "//envoy/api/v2:lds",
         "//envoy/api/v2/auth:cert",
+        "//envoy/api/v2/core:address",
+        "//envoy/api/v2/core:base",
+        "//envoy/api/v2/core:config_source",
         "//envoy/config/metrics/v2:metrics_service",
         "//envoy/config/metrics/v2:stats",
         "//envoy/config/ratelimit/v2:rls",
@@ -23,12 +23,12 @@ api_go_proto_library(
     name = "bootstrap",
     proto = ":bootstrap",
     deps = [
-        "//envoy/api/v2:address_go_proto",
-        "//envoy/api/v2:base_go_proto",
         "//envoy/api/v2:cds_go_grpc",
-        "//envoy/api/v2:config_source_go_proto",
         "//envoy/api/v2:lds_go_grpc",
         "//envoy/api/v2/auth:cert_go_proto",
+        "//envoy/api/v2/core:address_go_proto",
+        "//envoy/api/v2/core:base_go_proto",
+        "//envoy/api/v2/core:config_source_go_proto",
         "//envoy/config/metrics/v2:metrics_service_go_proto",
         "//envoy/config/metrics/v2:stats_go_proto",
         "//envoy/config/ratelimit/v2:rls_go_grpc",

envoy/config/bootstrap/v2/bootstrap.proto

@@ -6,12 +6,12 @@
 syntax = "proto3";
 
 package envoy.config.bootstrap.v2;
-option go_package = "bootstrap";
+option go_package = "v2";
 
-import "envoy/api/v2/address.proto";
-import "envoy/api/v2/base.proto";
+import "envoy/api/v2/core/address.proto";
+import "envoy/api/v2/core/base.proto";
 import "envoy/api/v2/auth/cert.proto";
-import "envoy/api/v2/config_source.proto";
+import "envoy/api/v2/core/config_source.proto";
 import "envoy/api/v2/cds.proto";
 import "envoy/api/v2/lds.proto";
 import "envoy/config/trace/v2/trace.proto";
@@ -27,12 +27,12 @@ import "gogoproto/gogo.proto";
 message Bootstrap {
   // Node identity to present to the management server and for instance
   // identification purposes (e.g. in generated headers).
-  envoy.api.v2.Node node = 1;
+  envoy.api.v2.core.Node node = 1;
 
   message StaticResources {
     // Static :ref:`Listeners <envoy_api_msg_Listener>`. These listeners are
     // available regardless of LDS configuration.
-    repeated envoy.api.v2.Listener listeners = 1;
+    repeated envoy.api.v2.Listener listeners = 1 [(gogoproto.nullable) = false];
 
     // If a network based configuration source is specified for :ref:`cds_config
     // <envoy_api_field_config.bootstrap.v2.Bootstrap.DynamicResources.cds_config>`, it's necessary
@@ -40,10 +40,10 @@ message Bootstrap {
     // how to speak to the management server. These cluster definitions may not
     // use :ref:`EDS <arch_overview_dynamic_config_sds>` (i.e. they should be static
     // IP or DNS-based).
-    repeated envoy.api.v2.Cluster clusters = 2;
+    repeated envoy.api.v2.Cluster clusters = 2 [(gogoproto.nullable) = false];
 
     // [#not-implemented-hide:]
-    repeated envoy.api.v2.auth.Secret secrets = 3;
+    repeated envoy.api.v2.auth.Secret secrets = 3 [(gogoproto.nullable) = false];
   }
   // Statically specified resources.
   StaticResources static_resources = 2;
@@ -51,28 +51,28 @@ message Bootstrap {
   message DynamicResources {
     // All :ref:`Listeners <envoy_api_msg_Listener>` are provided by a single
     // :ref:`LDS <arch_overview_dynamic_config_lds>` configuration source.
-    envoy.api.v2.ConfigSource lds_config = 1;
+    envoy.api.v2.core.ConfigSource lds_config = 1;
 
     // All post-bootstrap :ref:`Cluster <envoy_api_msg_Cluster>` definitions are
     // provided by a single :ref:`CDS <arch_overview_dynamic_config_cds>`
     // configuration source.
-    envoy.api.v2.ConfigSource cds_config = 2;
+    envoy.api.v2.core.ConfigSource cds_config = 2;
 
     // A single :ref:`ADS <config_overview_v2_ads>` source may be optionally
     // specified. This must have :ref:`api_type
-    // <envoy_api_field_ApiConfigSource.api_type>` :ref:`GRPC
-    // <envoy_api_enum_value_ApiConfigSource.ApiType.GRPC>`. Only
-    // :ref:`ConfigSources <envoy_api_msg_ConfigSource>` that have
-    // the :ref:`ads <envoy_api_field_ConfigSource.ads>` field set will be
+    // <envoy_api_field_core.ApiConfigSource.api_type>` :ref:`GRPC
+    // <envoy_api_enum_value_core.ApiConfigSource.ApiType.GRPC>`. Only
+    // :ref:`ConfigSources <envoy_api_msg_core.ConfigSource>` that have
+    // the :ref:`ads <envoy_api_field_core.ConfigSource.ads>` field set will be
     // streamed on the ADS channel.
-    envoy.api.v2.ApiConfigSource ads_config = 3;
+    envoy.api.v2.core.ApiConfigSource ads_config = 3;
 
     message DeprecatedV1 {
       // This is the global :ref:`SDS <arch_overview_dynamic_config_sds>` config
       // when using v1 REST for :ref:`CDS
       // <arch_overview_dynamic_config_cds>`/:ref:`EDS
       // <arch_overview_dynamic_config_sds>`.
-      envoy.api.v2.ConfigSource sds_config = 1;
+      envoy.api.v2.core.ConfigSource sds_config = 1;
     }
 
     // [#not-implemented-hide:]
@@ -132,7 +132,7 @@ message Admin {
   string profile_path = 2;
 
   // The TCP address that the administration server will listen on.
-  envoy.api.v2.Address address = 3
+  envoy.api.v2.core.Address address = 3
       [(validate.rules).message.required = true, (gogoproto.nullable) = false];
 }
 
@@ -158,12 +158,13 @@ message ClusterManager {
 
   // Optional configuration used to bind newly established upstream connections.
   // This may be overridden on a per-cluster basis by upstream_bind_config in the cds_config.
-  envoy.api.v2.BindConfig upstream_bind_config = 3;
+  envoy.api.v2.core.BindConfig upstream_bind_config = 3;
 
   // A management server endpoint to stream load stats to via
-  // *StreamLoadStats*. This must have :ref:`api_type <envoy_api_field_ApiConfigSource.api_type>`
-  // :ref:`GRPC <envoy_api_enum_value_ApiConfigSource.ApiType.GRPC>`.
-  envoy.api.v2.ApiConfigSource load_stats_config = 4;
+  // *StreamLoadStats*. This must have :ref:`api_type
+  // <envoy_api_field_core.ApiConfigSource.api_type>` :ref:`GRPC
+  // <envoy_api_enum_value_core.ApiConfigSource.ApiType.GRPC>`.
+  envoy.api.v2.core.ApiConfigSource load_stats_config = 4;
 }
 
 // Envoy process watchdog configuration. When configured, this monitors for

envoy/config/filter/README.md

@@ -1,5 +1,8 @@
 Protocol buffer definitions for filters.
 
+Visibility of the definitions should be constrained to none except for
+shared definitions between explicitly enumerated filters (e.g. accesslog and fault definitions).
+
 ## NOTE
 
 If a filter configuration is not captured in the proto specification, you

envoy/config/filter/accesslog/v2/BUILD

@@ -0,0 +1,19 @@
+load("//bazel:api_build_system.bzl", "api_proto_library")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_library(
+    name = "accesslog",
+    srcs = ["accesslog.proto"],
+    visibility = [
+        "//envoy/config/filter/http/router/v2:__pkg__",
+        "//envoy/config/filter/network/http_connection_manager/v2:__pkg__",
+        "//envoy/config/filter/network/tcp_proxy/v2:__pkg__",
+        "//envoy/service/accesslog/v2:__pkg__",
+    ],
+    deps = [
+        "//envoy/api/v2/core:address",
+        "//envoy/api/v2/core:base",
+        "//envoy/api/v2/core:grpc_service",
+    ],
+)

envoy/config/filter/accesslog/v2/accesslog.proto

@@ -1,10 +1,10 @@
 syntax = "proto3";
 
-package envoy.api.v2.filter.accesslog;
-option go_package = "accesslog";
+package envoy.config.filter.accesslog.v2;
+option go_package = "v2";
 
-import "envoy/api/v2/address.proto";
-import "envoy/api/v2/base.proto";
+import "envoy/api/v2/core/address.proto";
+import "envoy/api/v2/core/base.proto";
 
 import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";
@@ -12,6 +12,7 @@ import "google/protobuf/timestamp.proto";
 import "google/protobuf/wrappers.proto";
 
 import "validate/validate.proto";
+import "gogoproto/gogo.proto";
 
 // [#protodoc-title: Common access log types]
 // Envoy access logs describe incoming interaction with Envoy over a fixed
@@ -35,47 +36,47 @@ message AccessLogCommon {
   // This field is the remote/origin address on which the request from the user was received.
   // Note: This may not be the physical peer. E.g, if the remote address is inferred from for
   //       example the x-forwarder-for header, proxy protocol, etc.
-  Address downstream_remote_address = 2;
+  envoy.api.v2.core.Address downstream_remote_address = 2;
 
   // This field is the local/destination address on which the request from the user was received.
-  Address downstream_local_address = 3;
+  envoy.api.v2.core.Address downstream_local_address = 3;
 
   // If the connection is secure, this field will contain TLS properties.
   TLSProperties tls_properties = 4;
 
   // The time that Envoy started servicing this request. This is effectively the time that the first
   // downstream byte is received.
-  google.protobuf.Timestamp start_time = 5;
+  google.protobuf.Timestamp start_time = 5 [(gogoproto.stdtime) = true];
 
   // Interval between the first downstream byte received and the last
   // downstream byte received (i.e. time it takes to receive a request).
-  google.protobuf.Duration time_to_last_rx_byte = 6;
+  google.protobuf.Duration time_to_last_rx_byte = 6 [(gogoproto.stdduration) = true];
 
   // Interval between the first downstream byte received and the first upstream byte sent. There may
   // by considerable delta between *time_to_last_rx_byte* and this value due to filters.
   // Additionally, the same caveats apply as documented in *time_to_last_downstream_tx_byte* about
   // not accounting for kernel socket buffer time, etc.
-  google.protobuf.Duration time_to_first_upstream_tx_byte = 7;
+  google.protobuf.Duration time_to_first_upstream_tx_byte = 7 [(gogoproto.stdduration) = true];
 
   // Interval between the first downstream byte received and the last upstream byte sent. There may
   // by considerable delta between *time_to_last_rx_byte* and this value due to filters.
   // Additionally, the same caveats apply as documented in *time_to_last_downstream_tx_byte* about
   // not accounting for kernel socket buffer time, etc.
-  google.protobuf.Duration time_to_last_upstream_tx_byte = 8;
+  google.protobuf.Duration time_to_last_upstream_tx_byte = 8 [(gogoproto.stdduration) = true];
 
   // Interval between the first downstream byte received and the first upstream
   // byte received (i.e. time it takes to start receiving a response).
-  google.protobuf.Duration time_to_first_upstream_rx_byte = 9;
+  google.protobuf.Duration time_to_first_upstream_rx_byte = 9 [(gogoproto.stdduration) = true];
 
   // Interval between the first downstream byte received and the last upstream
   // byte received (i.e. time it takes to receive a complete response).
-  google.protobuf.Duration time_to_last_upstream_rx_byte = 10;
+  google.protobuf.Duration time_to_last_upstream_rx_byte = 10 [(gogoproto.stdduration) = true];
 
   // Interval between the first downstream byte received and the first downstream byte sent.
   // There may be a considerable delta between the *time_to_first_upstream_rx_byte* and this field
   // due to filters. Additionally, the same caveats apply as documented in
   // *time_to_last_downstream_tx_byte* about not accounting for kernel socket buffer time, etc.
-  google.protobuf.Duration time_to_first_downstream_tx_byte = 11;
+  google.protobuf.Duration time_to_first_downstream_tx_byte = 11 [(gogoproto.stdduration) = true];
 
   // Interval between the first downstream byte received and the last downstream byte sent.
   // Depending on protocol, buffering, windowing, filters, etc. there may be a considerable delta
@@ -83,14 +84,14 @@ message AccessLogCommon {
   // time. In the current implementation it does not include kernel socket buffer time. In the
   // current implementation it also does not include send window buffering inside the HTTP/2 codec.
   // In the future it is likely that work will be done to make this duration more accurate.
-  google.protobuf.Duration time_to_last_downstream_tx_byte = 12;
+  google.protobuf.Duration time_to_last_downstream_tx_byte = 12 [(gogoproto.stdduration) = true];
 
   // The upstream remote/destination address that handles this exchange. This does not include
   // retries.
-  Address upstream_remote_address = 13;
+  envoy.api.v2.core.Address upstream_remote_address = 13;
 
   // The upstream local/origin address that handles this exchange. This does not include retries.
-  Address upstream_local_address = 14;
+  envoy.api.v2.core.Address upstream_local_address = 14;
 
   // The upstream cluster that *upstream_remote_address* belongs to.
   string upstream_cluster = 15;
@@ -106,7 +107,7 @@ message AccessLogCommon {
   // route created from a higher level forwarding rule with some ID can place
   // that ID in this field and cross reference later. It can also be used to
   // determine if a canary endpoint was used or not.
-  Metadata metadata = 17;
+  envoy.api.v2.core.Metadata metadata = 17;
 }
 
 // [#proto-status: draft]
@@ -188,7 +189,7 @@ message HTTPRequestProperties {
   // The request method (RFC 7231/2616).
   // [#comment:TODO(htuch): add (validate.rules).enum.defined_only = true once
   // https://github.com/lyft/protoc-gen-validate/issues/42 is resolved.]
-  RequestMethod request_method = 1;
+  envoy.api.v2.core.RequestMethod request_method = 1;
 
   // The scheme portion of the incoming request URI.
   string scheme = 2;
@@ -293,7 +294,8 @@ message AccessLog {
 
   // Custom configuration that depends on the access log being instantiated. built-in configurations
   // include:
-  // 1) "envoy.file_access_log": :ref:`FileAccessLog <envoy_api_msg_filter.accesslog.FileAccessLog>`
+  // 1) "envoy.file_access_log": :ref:`FileAccessLog
+  // <envoy_api_msg_config.filter.accesslog.v2.FileAccessLog>`
   google.protobuf.Struct config = 3;
 }
 
@@ -338,7 +340,7 @@ message ComparisonFilter {
   Op op = 1 [(validate.rules).enum.defined_only = true];
 
   // Value to compare against.
-  RuntimeUInt32 value = 2;
+  envoy.api.v2.core.RuntimeUInt32 value = 2;
 }
 
 // Filters on HTTP response/status code.

envoy/config/filter/fault/v2/BUILD

@@ -0,0 +1,12 @@
+load("//bazel:api_build_system.bzl", "api_proto_library")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_library(
+    name = "fault",
+    srcs = ["fault.proto"],
+    visibility = [
+        "//envoy/config/filter/http/fault/v2:__pkg__",
+        "//envoy/config/filter/network/mongo_proxy/v2:__pkg__",
+    ],
+)

envoy/config/filter/fault/v2/fault.proto

@@ -1,7 +1,7 @@
 syntax = "proto3";
 
-package envoy.api.v2.filter;
-option go_package = "filter";
+package envoy.config.filter.fault.v2;
+option go_package = "v2";
 
 import "google/protobuf/duration.proto";
 

envoy/config/filter/http/buffer/v2/BUILD

@@ -0,0 +1,8 @@
+load("//bazel:api_build_system.bzl", "api_proto_library")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_library(
+    name = "buffer",
+    srcs = ["buffer.proto"],
+)

envoy/config/filter/http/buffer/v2/buffer.proto

@@ -1,11 +1,13 @@
 syntax = "proto3";
 
-package envoy.api.v2.filter.http;
+package envoy.config.filter.http.buffer.v2;
+option go_package = "v2";
 
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
 
 import "validate/validate.proto";
+import "gogoproto/gogo.proto";
 
 // [#protodoc-title: Buffer]
 // Buffer :ref:`configuration overview <config_http_filters_buffer>`.
@@ -18,5 +20,5 @@ message Buffer {
   // The maximum number of seconds that the filter will wait for a complete
   // request before returning a 408 response.
   google.protobuf.Duration max_request_time = 2
-      [(validate.rules).duration = {required: true, gt: {}}];
+      [(validate.rules).duration = {required: true, gt: {}}, (gogoproto.stdduration) = true];
 }

envoy/config/filter/http/ext_authz/v2/BUILD

@@ -0,0 +1,9 @@
+load("//bazel:api_build_system.bzl", "api_proto_library")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_library(
+    name = "ext_authz",
+    srcs = ["ext_authz.proto"],
+    deps = ["//envoy/api/v2/core:grpc_service"],
+)

envoy/config/filter/http/ext_authz/v2/ext_authz.proto

@@ -1,8 +1,9 @@
 syntax = "proto3";
 
-package envoy.api.v2.filter.http;
+package envoy.config.filter.http.ext_authz.v2;
+option go_package = "v2";
 
-import "envoy/api/v2/grpc_service.proto";
+import "envoy/api/v2/core/grpc_service.proto";
 
 import "validate/validate.proto";
 
@@ -13,7 +14,7 @@ import "validate/validate.proto";
 message ExtAuthz {
 
   // The external authorization gRPC service configuration.
-  GrpcService grpc_service = 1;
+  envoy.api.v2.core.GrpcService grpc_service = 1;
 
   // The filter's behaviour in case the external authorization service does
   // not respond back. If set to true then in case of failure to get a

envoy/config/filter/http/fault/v2/BUILD

@@ -0,0 +1,12 @@
+load("//bazel:api_build_system.bzl", "api_proto_library")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_library(
+    name = "fault",
+    srcs = ["fault.proto"],
+    deps = [
+        "//envoy/api/v2/route",
+        "//envoy/config/filter/fault/v2:fault",
+    ],
+)

envoy/config/filter/http/fault/v2/fault.proto

@@ -1,8 +1,9 @@
 syntax = "proto3";
 
-package envoy.api.v2.filter.http;
+package envoy.config.filter.http.fault.v2;
+option go_package = "v2";
 
-import "envoy/api/v2/filter/fault.proto";
+import "envoy/config/filter/fault/v2/fault.proto";
 import "envoy/api/v2/route/route.proto";
 
 import "validate/validate.proto";
@@ -26,7 +27,7 @@ message FaultAbort {
 message HTTPFault {
   // If specified, the filter will inject delays based on the values in the
   // object. At least *abort* or *delay* must be specified.
-  FaultDelay delay = 1;
+  envoy.config.filter.fault.v2.FaultDelay delay = 1;
 
   // If specified, the filter will abort requests based on the values in
   // the object. At least *abort* or *delay* must be specified.
@@ -41,12 +42,12 @@ message HTTPFault {
   // injection filter can be applied selectively to requests that match a set of
   // headers specified in the fault filter config. The chances of actual fault
   // injection further depend on the value of the :ref:`percent
-  // <envoy_api_field_filter.http.FaultAbort.percent>` field. The filter will
+  // <envoy_api_field_config.filter.http.fault.v2.FaultAbort.percent>` field. The filter will
   // check the request's headers against all the specified headers in the filter
   // config. A match will happen if all the headers in the config are present in
   // the request with the same values (or based on presence if the *value* field
   // is not in the config).
-  repeated route.HeaderMatcher headers = 4;
+  repeated envoy.api.v2.route.HeaderMatcher headers = 4;
 
   // Faults are injected for the specified list of downstream hosts. If this
   // setting is not set, faults are injected for all downstream nodes.

envoy/config/filter/http/gzip/v2/BUILD

@@ -3,6 +3,6 @@ load("//bazel:api_build_system.bzl", "api_proto_library")
 licenses(["notice"])  # Apache 2
 
 api_proto_library(
-    name = "fault",
-    srcs = ["fault.proto"],
+    name = "gzip",
+    srcs = ["gzip.proto"],
 )

envoy/config/filter/http/gzip/v2/gzip.proto

@@ -1,10 +1,12 @@
 syntax = "proto3";
 
-package envoy.api.v2.filter.http;
+package envoy.config.filter.http.gzip.v2;
+option go_package = "v2";
 
 import "google/protobuf/wrappers.proto";
 
 import "validate/validate.proto";
+import "gogoproto/gogo.proto";
 
 // [#protodoc-title: Gzip]
 // Gzip :ref:`configuration overview <config_http_filters_gzip>`.

envoy/config/filter/http/health_check/v2/BUILD

@@ -0,0 +1,11 @@
+load("//bazel:api_build_system.bzl", "api_proto_library")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_library(
+    name = "health_check",
+    srcs = ["health_check.proto"],
+    deps = [
+        "//envoy/api/v2/core:base",
+    ],
+)

envoy/config/filter/http/health_check/v2/health_check.proto

@@ -1,12 +1,15 @@
 syntax = "proto3";
 
-package envoy.api.v2.filter.http;
+package envoy.config.filter.http.health_check.v2;
+option go_package = "v2";
 
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
 
-import "envoy/api/v2/base.proto";
+import "envoy/api/v2/core/base.proto";
+
 import "validate/validate.proto";
+import "gogoproto/gogo.proto";
 
 // [#protodoc-title: Health check]
 // Health check :ref:`configuration overview <config_http_filters_health_check>`.
@@ -21,10 +24,10 @@ message HealthCheck {
 
   // If operating in pass through mode, the amount of time in milliseconds
   // that the filter should cache the upstream response.
-  google.protobuf.Duration cache_time = 3;
+  google.protobuf.Duration cache_time = 3 [(gogoproto.stdduration) = true];
 
   // If operating in non-pass-through mode, specifies a set of upstream cluster
   // names and the minimum percentage of servers in each of those clusters that
   // must be healthy in order for the filter to return a 200.
-  map<string, Percent> cluster_min_healthy_percentages = 4;
+  map<string, envoy.api.v2.core.Percent> cluster_min_healthy_percentages = 4;
 }

envoy/config/filter/http/ip_tagging/v2/BUILD

@@ -0,0 +1,9 @@
+load("//bazel:api_build_system.bzl", "api_proto_library")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_library(
+    name = "ip_tagging",
+    srcs = ["ip_tagging.proto"],
+    deps = ["//envoy/api/v2/core:address"],
+)

envoy/config/filter/http/ip_tagging/v2/ip_tagging.proto

@@ -2,9 +2,10 @@ syntax = "proto3";
 
 // [#proto-status: experimental]
 
-package envoy.api.v2.filter.http;
+package envoy.config.filter.http.ip_tagging.v2;
+option go_package = "v2";
 
-import "envoy/api/v2/address.proto";
+import "envoy/api/v2/core/address.proto";
 
 // This is an HTTP filter which enables Envoy to tag requests with extra
 // information such as location, cloud source, and any extra data. This is
@@ -31,6 +32,6 @@ message IPTagging {
 
     // A list of IP address and subnet masks that will be tagged with the
     // ip_tag_name. Both IPv4 and IPv6 CIDR addresses are allowed here.
-    repeated CidrRange ip_list = 2;
+    repeated envoy.api.v2.core.CidrRange ip_list = 2;
   }
 }

envoy/config/filter/http/lua/v2/BUILD

@@ -0,0 +1,8 @@
+load("//bazel:api_build_system.bzl", "api_proto_library")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_library(
+    name = "lua",
+    srcs = ["lua.proto"],
+)

envoy/config/filter/http/lua/v2/lua.proto

@@ -1,6 +1,7 @@
 syntax = "proto3";
 
-package envoy.api.v2.filter.http;
+package envoy.config.filter.http.lua.v2;
+option go_package = "v2";
 
 import "validate/validate.proto";
 

envoy/config/filter/http/rate_limit/v2/BUILD

@@ -0,0 +1,8 @@
+load("//bazel:api_build_system.bzl", "api_proto_library")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_library(
+    name = "rate_limit",
+    srcs = ["rate_limit.proto"],
+)

envoy/config/filter/http/rate_limit/v2/rate_limit.proto

@@ -1,10 +1,12 @@
 syntax = "proto3";
 
-package envoy.api.v2.filter.http;
+package envoy.config.filter.http.rate_limit.v2;
+option go_package = "v2";
 
 import "google/protobuf/duration.proto";
 
 import "validate/validate.proto";
+import "gogoproto/gogo.proto";
 
 // [#protodoc-title: Rate limit]
 // Rate limit :ref:`configuration overview <config_http_filters_rate_limit>`.
@@ -31,5 +33,5 @@ message RateLimit {
 
   // The timeout in milliseconds for the rate limit service RPC. If not
   // set, this defaults to 20ms.
-  google.protobuf.Duration timeout = 4;
+  google.protobuf.Duration timeout = 4 [(gogoproto.stdduration) = true];
 }

envoy/config/filter/http/router/v2/BUILD

@@ -0,0 +1,9 @@
+load("//bazel:api_build_system.bzl", "api_proto_library")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_library(
+    name = "router",
+    srcs = ["router.proto"],
+    deps = ["//envoy/config/filter/accesslog/v2:accesslog"],
+)

envoy/config/filter/http/router/v2/router.proto

@@ -1,9 +1,9 @@
 syntax = "proto3";
 
-package envoy.api.v2.filter.http;
-option go_package = "http";
+package envoy.config.filter.http.router.v2;
+option go_package = "v2";
 
-import "envoy/api/v2/filter/accesslog/accesslog.proto";
+import "envoy/config/filter/accesslog/v2/accesslog.proto";
 
 import "google/protobuf/wrappers.proto";
 
@@ -25,5 +25,5 @@ message Router {
   // are configured in the same way as access logs, but each log entry represents
   // an upstream request. Presuming retries are configured, multiple upstream
   // requests may be made for each downstream (inbound) request.
-  repeated accesslog.AccessLog upstream_log = 3;
+  repeated envoy.config.filter.accesslog.v2.AccessLog upstream_log = 3;
 }

envoy/config/filter/http/squash/v2/BUILD

@@ -0,0 +1,8 @@
+load("//bazel:api_build_system.bzl", "api_proto_library")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_library(
+    name = "squash",
+    srcs = ["squash.proto"],
+)

envoy/config/filter/http/squash/v2/squash.proto

@@ -1,10 +1,13 @@
 syntax = "proto3";
 
-package envoy.api.v2.filter.http;
+package envoy.config.filter.http.squash.v2;
+option go_package = "v2";
 
 import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";
+
 import "validate/validate.proto";
+import "gogoproto/gogo.proto";
 
 // [#protodoc-title: Squash]
 // Squash :ref:`configuration overview <config_http_filters_squash>`.
@@ -36,13 +39,13 @@ message Squash {
   google.protobuf.Struct attachment_template = 2;
 
   // The timeout for individual requests sent to the Squash cluster. Defaults to 1 second.
-  google.protobuf.Duration request_timeout = 3;
+  google.protobuf.Duration request_timeout = 3 [(gogoproto.stdduration) = true];
 
   // The total timeout Squash will delay a request and wait for it to be attached. Defaults to 60
   // seconds.
-  google.protobuf.Duration attachment_timeout = 4;
+  google.protobuf.Duration attachment_timeout = 4 [(gogoproto.stdduration) = true];
 
   // Amount of time to poll for the status of the attachment object in the Squash server
   // (to check if has been attached). Defaults to 1 second.
-  google.protobuf.Duration attachment_poll_period = 5;
+  google.protobuf.Duration attachment_poll_period = 5 [(gogoproto.stdduration) = true];
 }

envoy/config/filter/http/transcoder/v2/BUILD

@@ -0,0 +1,8 @@
+load("//bazel:api_build_system.bzl", "api_proto_library")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_library(
+    name = "transcoder",
+    srcs = ["transcoder.proto"],
+)