api: populate secure edge defaults manifest. (#11364)

Adding API annotations and manifest entries to match https://www.envoyproxy.io/docs/envoy/latest/configuration/best_practices/edge#best-practices-edge. Risk level: Low (API/docs only change) Testing: Docs build and inspection. Fixes #11085 Signed-off-by: Harvey Tuch <htuch@google.com> Mirrored from https://github.com/envoyproxy/envoy @ f5753e5d9aa2a201991ab6abcdb494eb5d483733
5 years ago · 50cef8fcab
parent 1f1a6a498b
commit 50cef8fcab
4 changed files with 32 additions and 14 deletions
--- a/envoy/config/cluster/v3/cluster.proto
+++ b/envoy/config/cluster/v3/cluster.proto
@ -19,6 +19,7 @@ import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";

 import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/security.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
@ -584,7 +585,8 @@ message Cluster {

  // Soft limit on size of the cluster’s connections read and write buffers. If
  // unspecified, an implementation defined default is applied (1MiB).
-  google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5;
+  google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5
+      [(udpa.annotations.security).configure_for_untrusted_upstream = true];

  // The :ref:`load balancer type <arch_overview_load_balancing_types>` to use
  // when picking a host in the cluster.
@ -635,7 +637,8 @@ message Cluster {
  // supports prior knowledge for upstream connections. Even if TLS is used
  // with ALPN, `http2_protocol_options` must be specified. As an aside this allows HTTP/2
  // connections to happen over plain text.
-  core.v3.Http2ProtocolOptions http2_protocol_options = 14;
+  core.v3.Http2ProtocolOptions http2_protocol_options = 14
+      [(udpa.annotations.security).configure_for_untrusted_upstream = true];

  // The extension_protocol_options field is used to provide extension-specific protocol options
  // for upstream connections. The key should match the extension filter name, such as
--- a/envoy/config/cluster/v4alpha/cluster.proto
+++ b/envoy/config/cluster/v4alpha/cluster.proto
@ -19,6 +19,7 @@ import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";

 import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/security.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
@ -585,7 +586,8 @@ message Cluster {

  // Soft limit on size of the cluster’s connections read and write buffers. If
  // unspecified, an implementation defined default is applied (1MiB).
-  google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5;
+  google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5
+      [(udpa.annotations.security).configure_for_untrusted_upstream = true];

  // The :ref:`load balancer type <arch_overview_load_balancing_types>` to use
  // when picking a host in the cluster.
@ -636,7 +638,8 @@ message Cluster {
  // supports prior knowledge for upstream connections. Even if TLS is used
  // with ALPN, `http2_protocol_options` must be specified. As an aside this allows HTTP/2
  // connections to happen over plain text.
-  core.v4alpha.Http2ProtocolOptions http2_protocol_options = 14;
+  core.v4alpha.Http2ProtocolOptions http2_protocol_options = 14
+      [(udpa.annotations.security).configure_for_untrusted_upstream = true];

  // The extension_protocol_options field is used to provide extension-specific protocol options
  // for upstream connections. The key should match the extension filter name, such as
--- a/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto
+++ b/envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto
@ -19,6 +19,7 @@ import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";

 import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/security.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
@ -281,13 +282,15 @@ message HttpConnectionManager {

  // Additional settings for HTTP requests handled by the connection manager. These will be
  // applicable to both HTTP1 and HTTP2 requests.
-  config.core.v3.HttpProtocolOptions common_http_protocol_options = 35;
+  config.core.v3.HttpProtocolOptions common_http_protocol_options = 35
+      [(udpa.annotations.security).configure_for_untrusted_downstream = true];

  // Additional HTTP/1 settings that are passed to the HTTP/1 codec.
  config.core.v3.Http1ProtocolOptions http_protocol_options = 8;

  // Additional HTTP/2 settings that are passed directly to the HTTP/2 codec.
-  config.core.v3.Http2ProtocolOptions http2_protocol_options = 9;
+  config.core.v3.Http2ProtocolOptions http2_protocol_options = 9
+      [(udpa.annotations.security).configure_for_untrusted_downstream = true];

  // An optional override that the connection manager will write to the server
  // header in responses. If not set, the default is *envoy*.
@ -332,13 +335,15 @@ message HttpConnectionManager {
  //
  // A value of 0 will completely disable the connection manager stream idle
  // timeout, although per-route idle timeout overrides will continue to apply.
-  google.protobuf.Duration stream_idle_timeout = 24;
+  google.protobuf.Duration stream_idle_timeout = 24
+      [(udpa.annotations.security).configure_for_untrusted_downstream = true];

  // The amount of time that Envoy will wait for the entire request to be received.
  // The timer is activated when the request is initiated, and is disarmed when the last byte of the
  // request is sent upstream (i.e. all decoding filters have processed the request), OR when the
  // response is initiated. If not specified or set to 0, this timeout is disabled.
-  google.protobuf.Duration request_timeout = 28;
+  google.protobuf.Duration request_timeout = 28
+      [(udpa.annotations.security).configure_for_untrusted_downstream = true];

  // The time that Envoy will wait between sending an HTTP/2 “shutdown
  // notification” (GOAWAY frame with max stream ID) and a final GOAWAY frame.
@ -394,7 +399,8 @@ message HttpConnectionManager {
  // :ref:`config_http_conn_man_headers_x-forwarded-for`,
  // :ref:`config_http_conn_man_headers_x-envoy-internal`, and
  // :ref:`config_http_conn_man_headers_x-envoy-external-address` for more information.
-  google.protobuf.BoolValue use_remote_address = 14;
+  google.protobuf.BoolValue use_remote_address = 14
+      [(udpa.annotations.security).configure_for_untrusted_downstream = true];

  // The number of additional ingress proxy hops from the right side of the
  // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header to trust when
--- a/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto
+++ b/envoy/extensions/filters/network/http_connection_manager/v4alpha/http_connection_manager.proto
@ -19,6 +19,7 @@ import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";

 import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/security.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
@ -281,13 +282,15 @@ message HttpConnectionManager {

  // Additional settings for HTTP requests handled by the connection manager. These will be
  // applicable to both HTTP1 and HTTP2 requests.
-  config.core.v4alpha.HttpProtocolOptions common_http_protocol_options = 35;
+  config.core.v4alpha.HttpProtocolOptions common_http_protocol_options = 35
+      [(udpa.annotations.security).configure_for_untrusted_downstream = true];

  // Additional HTTP/1 settings that are passed to the HTTP/1 codec.
  config.core.v4alpha.Http1ProtocolOptions http_protocol_options = 8;

  // Additional HTTP/2 settings that are passed directly to the HTTP/2 codec.
-  config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 9;
+  config.core.v4alpha.Http2ProtocolOptions http2_protocol_options = 9
+      [(udpa.annotations.security).configure_for_untrusted_downstream = true];

  // An optional override that the connection manager will write to the server
  // header in responses. If not set, the default is *envoy*.
@ -332,13 +335,15 @@ message HttpConnectionManager {
  //
  // A value of 0 will completely disable the connection manager stream idle
  // timeout, although per-route idle timeout overrides will continue to apply.
-  google.protobuf.Duration stream_idle_timeout = 24;
+  google.protobuf.Duration stream_idle_timeout = 24
+      [(udpa.annotations.security).configure_for_untrusted_downstream = true];

  // The amount of time that Envoy will wait for the entire request to be received.
  // The timer is activated when the request is initiated, and is disarmed when the last byte of the
  // request is sent upstream (i.e. all decoding filters have processed the request), OR when the
  // response is initiated. If not specified or set to 0, this timeout is disabled.
-  google.protobuf.Duration request_timeout = 28;
+  google.protobuf.Duration request_timeout = 28
+      [(udpa.annotations.security).configure_for_untrusted_downstream = true];

  // The time that Envoy will wait between sending an HTTP/2 “shutdown
  // notification” (GOAWAY frame with max stream ID) and a final GOAWAY frame.
@ -394,7 +399,8 @@ message HttpConnectionManager {
  // :ref:`config_http_conn_man_headers_x-forwarded-for`,
  // :ref:`config_http_conn_man_headers_x-envoy-internal`, and
  // :ref:`config_http_conn_man_headers_x-envoy-external-address` for more information.
-  google.protobuf.BoolValue use_remote_address = 14;
+  google.protobuf.BoolValue use_remote_address = 14
+      [(udpa.annotations.security).configure_for_untrusted_downstream = true];

  // The number of additional ingress proxy hops from the right side of the
  // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header to trust when