config: v2 transport API fatal-by-default. (#14223)

This is a followup to #13950 in which the transport API is also
fatal-by-default.

Risk level: High (this will break anyone who is still using v2 and has
not enabled CLI or runtime override)
Testing: Various tests updated as described above. New unit test added
for bootstrap to server_test and to ads_integration_test for
dynamic rejection behavior. api_version_integration_test continues to
provide the definitive cross-version transport API integration test.
Release Notes: Same as #13950.

Signed-off-by: Harvey Tuch <htuch@google.com>

Mirrored from https://github.com/envoyproxy/envoy @ 9093131e2a01d368566741943e112fa629c96725

envoy/api/v2/core/config_source.proto

@@ -26,10 +26,10 @@ enum ApiVersion {
   // When not specified, we assume v2, to ease migration to Envoy's stable API
   // versioning. If a client does not support v2 (e.g. due to deprecation), this
   // is an invalid value.
-  AUTO = 0;
+  AUTO = 0 [deprecated = true];
 
   // Use xDS v2 API.
-  V2 = 1;
+  V2 = 1 [deprecated = true];
 
   // Use xDS v3 API.
   V3 = 2;

envoy/config/accesslog/v4alpha/accesslog.proto

@@ -47,9 +47,9 @@ message AccessLog {
   // #. "envoy.access_loggers.file": :ref:`FileAccessLog
   //    <envoy_api_msg_extensions.access_loggers.file.v4alpha.FileAccessLog>`
   // #. "envoy.access_loggers.http_grpc": :ref:`HttpGrpcAccessLogConfig
-  //    <envoy_api_msg_extensions.access_loggers.grpc.v3.HttpGrpcAccessLogConfig>`
+  //    <envoy_api_msg_extensions.access_loggers.grpc.v4alpha.HttpGrpcAccessLogConfig>`
   // #. "envoy.access_loggers.tcp_grpc": :ref:`TcpGrpcAccessLogConfig
-  //    <envoy_api_msg_extensions.access_loggers.grpc.v3.TcpGrpcAccessLogConfig>`
+  //    <envoy_api_msg_extensions.access_loggers.grpc.v4alpha.TcpGrpcAccessLogConfig>`
   oneof config_type {
     google.protobuf.Any typed_config = 4;
   }

envoy/config/core/v3/config_source.proto

@@ -27,10 +27,10 @@ enum ApiVersion {
   // When not specified, we assume v2, to ease migration to Envoy's stable API
   // versioning. If a client does not support v2 (e.g. due to deprecation), this
   // is an invalid value.
-  AUTO = 0;
+  AUTO = 0 [deprecated = true];
 
   // Use xDS v2 API.
-  V2 = 1;
+  V2 = 1 [deprecated = true];
 
   // Use xDS v3 API.
   V3 = 2;

envoy/config/core/v4alpha/config_source.proto

@@ -24,13 +24,14 @@ option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSIO
 // xDS API and non-xDS services version. This is used to describe both resource and transport
 // protocol versions (in distinct configuration fields).
 enum ApiVersion {
+  reserved 1;
+
+  reserved "V2";
+
   // When not specified, we assume v2, to ease migration to Envoy's stable API
   // versioning. If a client does not support v2 (e.g. due to deprecation), this
   // is an invalid value.
-  AUTO = 0;
-
-  // Use xDS v2 API.
-  V2 = 1;
+  DEPRECATED_AND_UNAVAILABLE_DO_NOT_USE = 0 [deprecated = true];
 
   // Use xDS v3 API.
   V3 = 2;

envoy/config/ratelimit/v4alpha/BUILD

@@ -0,0 +1,13 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/config/core/v4alpha:pkg",
+        "//envoy/config/ratelimit/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)

envoy/config/ratelimit/v4alpha/rls.proto

@@ -0,0 +1,34 @@
+syntax = "proto3";
+
+package envoy.config.ratelimit.v4alpha;
+
+import "envoy/config/core/v4alpha/config_source.proto";
+import "envoy/config/core/v4alpha/grpc_service.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.config.ratelimit.v4alpha";
+option java_outer_classname = "RlsProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
+
+// [#protodoc-title: Rate limit service]
+
+// Rate limit :ref:`configuration overview <config_rate_limit_service>`.
+message RateLimitServiceConfig {
+  option (udpa.annotations.versioning).previous_message_type =
+      "envoy.config.ratelimit.v3.RateLimitServiceConfig";
+
+  reserved 1, 3;
+
+  // Specifies the gRPC service that hosts the rate limit service. The client
+  // will connect to this cluster when it needs to make rate limit service
+  // requests.
+  core.v4alpha.GrpcService grpc_service = 2 [(validate.rules).message = {required: true}];
+
+  // API version for rate limit transport protocol. This describes the rate limit gRPC endpoint and
+  // version of messages used on the wire.
+  core.v4alpha.ApiVersion transport_api_version = 4 [(validate.rules).enum = {defined_only: true}];
+}

envoy/extensions/access_loggers/grpc/v4alpha/BUILD

@@ -0,0 +1,13 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/config/core/v4alpha:pkg",
+        "//envoy/extensions/access_loggers/grpc/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)

envoy/extensions/access_loggers/grpc/v4alpha/als.proto

@@ -0,0 +1,89 @@
+syntax = "proto3";
+
+package envoy.extensions.access_loggers.grpc.v4alpha;
+
+import "envoy/config/core/v4alpha/config_source.proto";
+import "envoy/config/core/v4alpha/grpc_service.proto";
+
+import "google/protobuf/duration.proto";
+import "google/protobuf/wrappers.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.access_loggers.grpc.v4alpha";
+option java_outer_classname = "AlsProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
+
+// [#protodoc-title: gRPC Access Log Service (ALS)]
+
+// Configuration for the built-in *envoy.access_loggers.http_grpc*
+// :ref:`AccessLog <envoy_api_msg_config.accesslog.v4alpha.AccessLog>`. This configuration will
+// populate :ref:`StreamAccessLogsMessage.http_logs
+// <envoy_api_field_service.accesslog.v4alpha.StreamAccessLogsMessage.http_logs>`.
+// [#extension: envoy.access_loggers.http_grpc]
+message HttpGrpcAccessLogConfig {
+  option (udpa.annotations.versioning).previous_message_type =
+      "envoy.extensions.access_loggers.grpc.v3.HttpGrpcAccessLogConfig";
+
+  CommonGrpcAccessLogConfig common_config = 1 [(validate.rules).message = {required: true}];
+
+  // Additional request headers to log in :ref:`HTTPRequestProperties.request_headers
+  // <envoy_api_field_data.accesslog.v3.HTTPRequestProperties.request_headers>`.
+  repeated string additional_request_headers_to_log = 2;
+
+  // Additional response headers to log in :ref:`HTTPResponseProperties.response_headers
+  // <envoy_api_field_data.accesslog.v3.HTTPResponseProperties.response_headers>`.
+  repeated string additional_response_headers_to_log = 3;
+
+  // Additional response trailers to log in :ref:`HTTPResponseProperties.response_trailers
+  // <envoy_api_field_data.accesslog.v3.HTTPResponseProperties.response_trailers>`.
+  repeated string additional_response_trailers_to_log = 4;
+}
+
+// Configuration for the built-in *envoy.access_loggers.tcp_grpc* type. This configuration will
+// populate *StreamAccessLogsMessage.tcp_logs*.
+// [#extension: envoy.access_loggers.tcp_grpc]
+message TcpGrpcAccessLogConfig {
+  option (udpa.annotations.versioning).previous_message_type =
+      "envoy.extensions.access_loggers.grpc.v3.TcpGrpcAccessLogConfig";
+
+  CommonGrpcAccessLogConfig common_config = 1 [(validate.rules).message = {required: true}];
+}
+
+// Common configuration for gRPC access logs.
+// [#next-free-field: 7]
+message CommonGrpcAccessLogConfig {
+  option (udpa.annotations.versioning).previous_message_type =
+      "envoy.extensions.access_loggers.grpc.v3.CommonGrpcAccessLogConfig";
+
+  // The friendly name of the access log to be returned in :ref:`StreamAccessLogsMessage.Identifier
+  // <envoy_api_msg_service.accesslog.v4alpha.StreamAccessLogsMessage.Identifier>`. This allows the
+  // access log server to differentiate between different access logs coming from the same Envoy.
+  string log_name = 1 [(validate.rules).string = {min_len: 1}];
+
+  // The gRPC service for the access log service.
+  config.core.v4alpha.GrpcService grpc_service = 2 [(validate.rules).message = {required: true}];
+
+  // API version for access logs service transport protocol. This describes the access logs service
+  // gRPC endpoint and version of messages used on the wire.
+  config.core.v4alpha.ApiVersion transport_api_version = 6
+      [(validate.rules).enum = {defined_only: true}];
+
+  // Interval for flushing access logs to the gRPC stream. Logger will flush requests every time
+  // this interval is elapsed, or when batch size limit is hit, whichever comes first. Defaults to
+  // 1 second.
+  google.protobuf.Duration buffer_flush_interval = 3 [(validate.rules).duration = {gt {}}];
+
+  // Soft size limit in bytes for access log entries buffer. Logger will buffer requests until
+  // this limit it hit, or every time flush interval is elapsed, whichever comes first. Setting it
+  // to zero effectively disables the batching. Defaults to 16384.
+  google.protobuf.UInt32Value buffer_size_bytes = 4;
+
+  // Additional filter state objects to log in :ref:`filter_state_objects
+  // <envoy_api_field_data.accesslog.v3.AccessLogCommon.filter_state_objects>`.
+  // Logger will call `FilterState::Object::serializeAsProto` to serialize the filter state object.
+  repeated string filter_state_objects_to_log = 5;
+}

envoy/extensions/filters/http/ratelimit/v4alpha/BUILD

@@ -0,0 +1,13 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/config/ratelimit/v4alpha:pkg",
+        "//envoy/extensions/filters/http/ratelimit/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)

envoy/extensions/filters/http/ratelimit/v4alpha/rate_limit.proto

@@ -0,0 +1,125 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.http.ratelimit.v4alpha;
+
+import "envoy/config/ratelimit/v4alpha/rls.proto";
+
+import "google/protobuf/duration.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.http.ratelimit.v4alpha";
+option java_outer_classname = "RateLimitProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
+
+// [#protodoc-title: Rate limit]
+// Rate limit :ref:`configuration overview <config_http_filters_rate_limit>`.
+// [#extension: envoy.filters.http.ratelimit]
+
+// [#next-free-field: 10]
+message RateLimit {
+  option (udpa.annotations.versioning).previous_message_type =
+      "envoy.extensions.filters.http.ratelimit.v3.RateLimit";
+
+  // Defines the version of the standard to use for X-RateLimit headers.
+  enum XRateLimitHeadersRFCVersion {
+    // X-RateLimit headers disabled.
+    OFF = 0;
+
+    // Use `draft RFC Version 03 <https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html>`_.
+    DRAFT_VERSION_03 = 1;
+  }
+
+  // The rate limit domain to use when calling the rate limit service.
+  string domain = 1 [(validate.rules).string = {min_len: 1}];
+
+  // Specifies the rate limit configurations to be applied with the same
+  // stage number. If not set, the default stage number is 0.
+  //
+  // .. note::
+  //
+  //  The filter supports a range of 0 - 10 inclusively for stage numbers.
+  uint32 stage = 2 [(validate.rules).uint32 = {lte: 10}];
+
+  // The type of requests the filter should apply to. The supported
+  // types are *internal*, *external* or *both*. A request is considered internal if
+  // :ref:`x-envoy-internal<config_http_conn_man_headers_x-envoy-internal>` is set to true. If
+  // :ref:`x-envoy-internal<config_http_conn_man_headers_x-envoy-internal>` is not set or false, a
+  // request is considered external. The filter defaults to *both*, and it will apply to all request
+  // types.
+  string request_type = 3
+      [(validate.rules).string = {in: "internal" in: "external" in: "both" in: ""}];
+
+  // The timeout in milliseconds for the rate limit service RPC. If not
+  // set, this defaults to 20ms.
+  google.protobuf.Duration timeout = 4;
+
+  // The filter's behaviour in case the rate limiting service does
+  // not respond back. When it is set to true, Envoy will not allow traffic in case of
+  // communication failure between rate limiting service and the proxy.
+  bool failure_mode_deny = 5;
+
+  // Specifies whether a `RESOURCE_EXHAUSTED` gRPC code must be returned instead
+  // of the default `UNAVAILABLE` gRPC code for a rate limited gRPC call. The
+  // HTTP code will be 200 for a gRPC response.
+  bool rate_limited_as_resource_exhausted = 6;
+
+  // Configuration for an external rate limit service provider. If not
+  // specified, any calls to the rate limit service will immediately return
+  // success.
+  config.ratelimit.v4alpha.RateLimitServiceConfig rate_limit_service = 7
+      [(validate.rules).message = {required: true}];
+
+  // Defines the standard version to use for X-RateLimit headers emitted by the filter:
+  //
+  // * ``X-RateLimit-Limit`` - indicates the request-quota associated to the
+  //   client in the current time-window followed by the description of the
+  //   quota policy. The values are returned by the rate limiting service in
+  //   :ref:`current_limit<envoy_v3_api_field_service.ratelimit.v3.RateLimitResponse.DescriptorStatus.current_limit>`
+  //   field. Example: `10, 10;w=1;name="per-ip", 1000;w=3600`.
+  // * ``X-RateLimit-Remaining`` - indicates the remaining requests in the
+  //   current time-window. The values are returned by the rate limiting service
+  //   in :ref:`limit_remaining<envoy_v3_api_field_service.ratelimit.v3.RateLimitResponse.DescriptorStatus.limit_remaining>`
+  //   field.
+  // * ``X-RateLimit-Reset`` - indicates the number of seconds until reset of
+  //   the current time-window. The values are returned by the rate limiting service
+  //   in :ref:`duration_until_reset<envoy_v3_api_field_service.ratelimit.v3.RateLimitResponse.DescriptorStatus.duration_until_reset>`
+  //   field.
+  //
+  // In case rate limiting policy specifies more then one time window, the values
+  // above represent the window that is closest to reaching its limit.
+  //
+  // For more information about the headers specification see selected version of
+  // the `draft RFC <https://tools.ietf.org/id/draft-polli-ratelimit-headers-03.html>`_.
+  //
+  // Disabled by default.
+  XRateLimitHeadersRFCVersion enable_x_ratelimit_headers = 8
+      [(validate.rules).enum = {defined_only: true}];
+
+  // Disables emitting the :ref:`x-envoy-ratelimited<config_http_filters_router_x-envoy-ratelimited>` header
+  // in case of rate limiting (i.e. 429 responses).
+  // Having this header not present potentially makes the request retriable.
+  bool disable_x_envoy_ratelimited_header = 9;
+}
+
+message RateLimitPerRoute {
+  option (udpa.annotations.versioning).previous_message_type =
+      "envoy.extensions.filters.http.ratelimit.v3.RateLimitPerRoute";
+
+  enum VhRateLimitsOptions {
+    // Use the virtual host rate limits unless the route has a rate limit policy.
+    OVERRIDE = 0;
+
+    // Use the virtual host rate limits even if the route has a rate limit policy.
+    INCLUDE = 1;
+
+    // Ignore the virtual host rate limits even if the route does not have a rate limit policy.
+    IGNORE = 2;
+  }
+
+  // Specifies if the rate limit filter should include the virtual host rate limits.
+  VhRateLimitsOptions vh_rate_limits = 1 [(validate.rules).enum = {defined_only: true}];
+}

envoy/extensions/filters/network/ratelimit/v4alpha/BUILD

@@ -0,0 +1,14 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/config/ratelimit/v4alpha:pkg",
+        "//envoy/extensions/common/ratelimit/v3:pkg",
+        "//envoy/extensions/filters/network/ratelimit/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)

envoy/extensions/filters/network/ratelimit/v4alpha/rate_limit.proto

@@ -0,0 +1,53 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.network.ratelimit.v4alpha;
+
+import "envoy/config/ratelimit/v4alpha/rls.proto";
+import "envoy/extensions/common/ratelimit/v3/ratelimit.proto";
+
+import "google/protobuf/duration.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.network.ratelimit.v4alpha";
+option java_outer_classname = "RateLimitProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
+
+// [#protodoc-title: Rate limit]
+// Rate limit :ref:`configuration overview <config_network_filters_rate_limit>`.
+// [#extension: envoy.filters.network.ratelimit]
+
+// [#next-free-field: 7]
+message RateLimit {
+  option (udpa.annotations.versioning).previous_message_type =
+      "envoy.extensions.filters.network.ratelimit.v3.RateLimit";
+
+  // The prefix to use when emitting :ref:`statistics <config_network_filters_rate_limit_stats>`.
+  string stat_prefix = 1 [(validate.rules).string = {min_len: 1}];
+
+  // The rate limit domain to use in the rate limit service request.
+  string domain = 2 [(validate.rules).string = {min_len: 1}];
+
+  // The rate limit descriptor list to use in the rate limit service request.
+  repeated common.ratelimit.v3.RateLimitDescriptor descriptors = 3
+      [(validate.rules).repeated = {min_items: 1}];
+
+  // The timeout in milliseconds for the rate limit service RPC. If not
+  // set, this defaults to 20ms.
+  google.protobuf.Duration timeout = 4;
+
+  // The filter's behaviour in case the rate limiting service does
+  // not respond back. When it is set to true, Envoy will not allow traffic in case of
+  // communication failure between rate limiting service and the proxy.
+  // Defaults to false.
+  bool failure_mode_deny = 5;
+
+  // Configuration for an external rate limit service provider. If not
+  // specified, any calls to the rate limit service will immediately return
+  // success.
+  config.ratelimit.v4alpha.RateLimitServiceConfig rate_limit_service = 6
+      [(validate.rules).message = {required: true}];
+}

envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v4alpha/BUILD

@@ -0,0 +1,13 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = [
+        "//envoy/config/ratelimit/v4alpha:pkg",
+        "//envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v3:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
+)

envoy/extensions/filters/network/thrift_proxy/filters/ratelimit/v4alpha/rate_limit.proto

@@ -0,0 +1,56 @@
+syntax = "proto3";
+
+package envoy.extensions.filters.network.thrift_proxy.filters.ratelimit.v4alpha;
+
+import "envoy/config/ratelimit/v4alpha/rls.proto";
+
+import "google/protobuf/duration.proto";
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.filters.network.thrift_proxy.filters.ratelimit.v4alpha";
+option java_outer_classname = "RateLimitProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
+
+// [#protodoc-title: Rate limit]
+// Rate limit :ref:`configuration overview <config_thrift_filters_rate_limit>`.
+// [#extension: envoy.filters.thrift.ratelimit]
+
+// [#next-free-field: 6]
+message RateLimit {
+  option (udpa.annotations.versioning).previous_message_type =
+      "envoy.extensions.filters.network.thrift_proxy.filters.ratelimit.v3.RateLimit";
+
+  // The rate limit domain to use in the rate limit service request.
+  string domain = 1 [(validate.rules).string = {min_len: 1}];
+
+  // Specifies the rate limit configuration stage. Each configured rate limit filter performs a
+  // rate limit check using descriptors configured in the
+  // :ref:`envoy_api_msg_extensions.filters.network.thrift_proxy.v4alpha.RouteAction` for the request.
+  // Only those entries with a matching stage number are used for a given filter. If not set, the
+  // default stage number is 0.
+  //
+  // .. note::
+  //
+  //  The filter supports a range of 0 - 10 inclusively for stage numbers.
+  uint32 stage = 2 [(validate.rules).uint32 = {lte: 10}];
+
+  // The timeout in milliseconds for the rate limit service RPC. If not
+  // set, this defaults to 20ms.
+  google.protobuf.Duration timeout = 3;
+
+  // The filter's behaviour in case the rate limiting service does
+  // not respond back. When it is set to true, Envoy will not allow traffic in case of
+  // communication failure between rate limiting service and the proxy.
+  // Defaults to false.
+  bool failure_mode_deny = 4;
+
+  // Configuration for an external rate limit service provider. If not
+  // specified, any calls to the rate limit service will immediately return
+  // success.
+  config.ratelimit.v4alpha.RateLimitServiceConfig rate_limit_service = 5
+      [(validate.rules).message = {required: true}];
+}

envoy/service/accesslog/v4alpha/als.proto

@@ -49,7 +49,7 @@ message StreamAccessLogsMessage {
     config.core.v4alpha.Node node = 1 [(validate.rules).message = {required: true}];
 
     // The friendly name of the log configured in :ref:`CommonGrpcAccessLogConfig
-    // <envoy_api_msg_extensions.access_loggers.grpc.v3.CommonGrpcAccessLogConfig>`.
+    // <envoy_api_msg_extensions.access_loggers.grpc.v4alpha.CommonGrpcAccessLogConfig>`.
     string log_name = 2 [(validate.rules).string = {min_len: 1}];
   }