grpc_stats filter: Add config options to restrict number of stats (#10467)

Add options to either put all methods into the same per-cluster
stat, or to whitelist which methods to create stats for.

Additionally, start a deprecation process for the default mode
being to create a stat for all methods, to remove an unsafe
default.

Risk Level: Low
Testing: Unit tests added
Docs Changes: done
Release Notes: added
Fixes #10445
Deprecated: added

Mirrored from https://github.com/envoyproxy/envoy @ 715992f3ac891d87e67566ffbfd6b3af8d8a4e1d

envoy/api/v2/core/grpc_method_list.proto

@@ -0,0 +1,28 @@
+syntax = "proto3";
+
+package envoy.api.v2.core;
+
+import "udpa/annotations/migrate.proto";
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.api.v2.core";
+option java_outer_classname = "GrpcMethodListProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_migrate).move_to_package = "envoy.config.core.v3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: gRPC method list]
+
+// A list of gRPC methods which can be used as an allowlist, for example.
+message GrpcMethodList {
+  message Service {
+    // The name of the gRPC service.
+    string name = 1 [(validate.rules).string = {min_bytes: 1}];
+
+    // The names of the gRPC methods in this service.
+    repeated string method_names = 2 [(validate.rules).repeated = {min_items: 1}];
+  }
+
+  repeated Service services = 1;
+}

envoy/config/core/v3/grpc_method_list.proto

@@ -0,0 +1,32 @@
+syntax = "proto3";
+
+package envoy.config.core.v3;
+
+import "udpa/annotations/status.proto";
+import "udpa/annotations/versioning.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.config.core.v3";
+option java_outer_classname = "GrpcMethodListProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = NEXT_MAJOR_VERSION_CANDIDATE;
+
+// [#protodoc-title: gRPC method list]
+
+// A list of gRPC methods which can be used as an allowlist, for example.
+message GrpcMethodList {
+  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.GrpcMethodList";
+
+  message Service {
+    option (udpa.annotations.versioning).previous_message_type =
+        "envoy.api.v2.core.GrpcMethodList.Service";
+
+    // The name of the gRPC service.
+    string name = 1 [(validate.rules).string = {min_bytes: 1}];
+
+    // The names of the gRPC methods in this service.
+    repeated string method_names = 2 [(validate.rules).repeated = {min_items: 1}];
+  }
+
+  repeated Service services = 1;
+}

envoy/config/filter/http/grpc_stats/v2alpha/BUILD

@@ -5,5 +5,8 @@ load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
 licenses(["notice"])  # Apache 2
 
 api_proto_package(
-    deps = ["@com_github_cncf_udpa//udpa/annotations:pkg"],
+    deps = [
+        "//envoy/api/v2/core:pkg",
+        "@com_github_cncf_udpa//udpa/annotations:pkg",
+    ],
 )

envoy/config/filter/http/grpc_stats/v2alpha/config.proto

@@ -2,6 +2,10 @@ syntax = "proto3";
 
 package envoy.config.filter.http.grpc_stats.v2alpha;
 
+import "envoy/api/v2/core/grpc_method_list.proto";
+
+import "google/protobuf/wrappers.proto";
+
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/status.proto";
 import "validate/validate.proto";
@@ -22,6 +26,33 @@ message FilterConfig {
   // If true, the filter maintains a filter state object with the request and response message
   // counts.
   bool emit_filter_state = 1;
+
+  oneof per_method_stat_specifier {
+    // If set, specifies an allowlist of service/methods that will have individual stats
+    // emitted for them. Any call that does not match the allowlist will be counted
+    // in a stat with no method specifier: `cluster.<name>.grpc.*`.
+    api.v2.core.GrpcMethodList individual_method_stats_allowlist = 2;
+
+    // If set to true, emit stats for all service/method names.
+    //
+    // If set to false, emit stats for all service/message types to the same stats without including
+    // the service/method in the name, with prefix `cluster.<name>.grpc`. This can be useful if
+    // service/method granularity is not needed, or if each cluster only receives a single method.
+    //
+    // .. attention::
+    //   This option is only safe if all clients are trusted. If this option is enabled
+    //   with untrusted clients, the clients could cause unbounded growth in the number of stats in
+    //   Envoy, using unbounded memory and potentially slowing down stats pipelines.
+    //
+    // .. attention::
+    //   If neither `individual_method_stats_allowlist` nor `stats_for_all_methods` is set, the
+    //   behavior will default to `stats_for_all_methods=true`. This default value is deprecated,
+    //   and in a future release, if neither field is set, it will default to
+    //   `stats_for_all_methods=false` in order to be safe by default. This behavior can be
+    //   controlled with runtime override
+    //   `envoy.deprecated_features.grpc_stats_filter_enable_stats_for_all_methods_by_default`.
+    google.protobuf.BoolValue stats_for_all_methods = 3;
+  }
 }
 
 // gRPC statistics filter state object in protobuf form.

envoy/extensions/filters/http/grpc_stats/v3/BUILD

@@ -6,6 +6,7 @@ licenses(["notice"])  # Apache 2
 
 api_proto_package(
     deps = [
+        "//envoy/config/core/v3:pkg",
         "//envoy/config/filter/http/grpc_stats/v2alpha:pkg",
         "@com_github_cncf_udpa//udpa/annotations:pkg",
     ],

envoy/extensions/filters/http/grpc_stats/v3/config.proto

@@ -2,6 +2,10 @@ syntax = "proto3";
 
 package envoy.extensions.filters.http.grpc_stats.v3;
 
+import "envoy/config/core/v3/grpc_method_list.proto";
+
+import "google/protobuf/wrappers.proto";
+
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
@@ -23,6 +27,33 @@ message FilterConfig {
   // If true, the filter maintains a filter state object with the request and response message
   // counts.
   bool emit_filter_state = 1;
+
+  oneof per_method_stat_specifier {
+    // If set, specifies an allowlist of service/methods that will have individual stats
+    // emitted for them. Any call that does not match the allowlist will be counted
+    // in a stat with no method specifier: `cluster.<name>.grpc.*`.
+    config.core.v3.GrpcMethodList individual_method_stats_allowlist = 2;
+
+    // If set to true, emit stats for all service/method names.
+    //
+    // If set to false, emit stats for all service/message types to the same stats without including
+    // the service/method in the name, with prefix `cluster.<name>.grpc`. This can be useful if
+    // service/method granularity is not needed, or if each cluster only receives a single method.
+    //
+    // .. attention::
+    //   This option is only safe if all clients are trusted. If this option is enabled
+    //   with untrusted clients, the clients could cause unbounded growth in the number of stats in
+    //   Envoy, using unbounded memory and potentially slowing down stats pipelines.
+    //
+    // .. attention::
+    //   If neither `individual_method_stats_allowlist` nor `stats_for_all_methods` is set, the
+    //   behavior will default to `stats_for_all_methods=true`. This default value is deprecated,
+    //   and in a future release, if neither field is set, it will default to
+    //   `stats_for_all_methods=false` in order to be safe by default. This behavior can be
+    //   controlled with runtime override
+    //   `envoy.deprecated_features.grpc_stats_filter_enable_stats_for_all_methods_by_default`.
+    google.protobuf.BoolValue stats_for_all_methods = 3;
+  }
 }
 
 // gRPC statistics filter state object in protobuf form.