accesslogs: add CEL-based extension filter (#18363)

This PR establishes the ability to filter access log production via CEL expressions over the set of Envoy attributes. This can simply the creation of Envoy access log filters, allowing complex tailoring.

Risk Level: low
Testing: unit
Docs Changes: included
Release Notes: updated

Signed-off-by: Douglas Reid <douglas-reid@users.noreply.github.com>

Mirrored from https://github.com/envoyproxy/envoy @ 77ca6cc0d9aaf0892aec3e2025fe2ad7cf0c39ff

BUILD

@@ -112,6 +112,7 @@ proto_library(
         "//envoy/data/dns/v3:pkg",
         "//envoy/data/tap/v3:pkg",
         "//envoy/extensions/access_loggers/file/v3:pkg",
+        "//envoy/extensions/access_loggers/filters/cel/v3:pkg",
         "//envoy/extensions/access_loggers/grpc/v3:pkg",
         "//envoy/extensions/access_loggers/open_telemetry/v3:pkg",
         "//envoy/extensions/access_loggers/stream/v3:pkg",

envoy/config/accesslog/v3/accesslog.proto

@@ -83,6 +83,7 @@ message AccessLogFilter {
     GrpcStatusFilter grpc_status_filter = 10;
 
     // Extension filter.
+    // [#extension-category: envoy.access_loggers.extension_filters]
     ExtensionFilter extension_filter = 11;
 
     // Metadata Filter

envoy/extensions/access_loggers/filters/cel/v3/BUILD

@@ -0,0 +1,9 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = ["@com_github_cncf_udpa//udpa/annotations:pkg"],
+)

envoy/extensions/access_loggers/filters/cel/v3/cel.proto

@@ -0,0 +1,26 @@
+syntax = "proto3";
+
+package envoy.extensions.access_loggers.filters.cel.v3;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.access_loggers.filters.cel.v3";
+option java_outer_classname = "CelProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: ExpressionFilter]
+// [#extension: envoy.access_loggers.extension_filters.cel]
+
+// ExpressionFilter is an access logging filter that evaluates configured
+// symbolic Common Expression Language expressions to inform the decision
+// to generate an access log.
+message ExpressionFilter {
+  // Expression that, when evaluated, will be used to filter access logs.
+  // Expressions are based on the set of Envoy :ref:`attributes <arch_overview_attributes>`.
+  // The provided expression must evaluate to true for logging (expression errors are considered false).
+  // Examples:
+  // - `response.code >= 400`
+  // - `(connection.mtls && request.headers['x-log-mtls'] == 'true') || request.url_path.contains('v1beta3')`
+  string expression = 1;
+}

versioning/BUILD

@@ -49,6 +49,7 @@ proto_library(
         "//envoy/data/dns/v3:pkg",
         "//envoy/data/tap/v3:pkg",
         "//envoy/extensions/access_loggers/file/v3:pkg",
+        "//envoy/extensions/access_loggers/filters/cel/v3:pkg",
         "//envoy/extensions/access_loggers/grpc/v3:pkg",
         "//envoy/extensions/access_loggers/open_telemetry/v3:pkg",
         "//envoy/extensions/access_loggers/stream/v3:pkg",