security: document threat model. (#8906)

* Add an explicit threat model to the end user facing docs, link to this from SECURITY.md * Switch all Envoy extensions to use a new macro `envoy_cc_extension`, mandating that extensions declare a security posture. Extensions can also optionally declare `alpha` or `wip` status. * Tag all documentation sites with their well-known Envoy names. * Introduce tooling to automagically populate a list of known trusted/untrusted extensions in the threat model docs. * Generate API docs for extensions that depend on `google.protobuf.Empty`. This pattern is deprecated as per https://github.com/envoyproxy/envoy/issues/8933, but we need these for tooling support meanwhile. This work was motivated by oss-fuzz issue https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=18370 Signed-off-by: Harvey Tuch <htuch@google.com> Mirrored from https://github.com/envoyproxy/envoy @ 90d1094b32aa017f90cc8efcd379aeb143acabfc
6 years ago · a3a901298a
parent cd96bf6960
commit a3a901298a
84 changed files with 104 additions and 3 deletions
--- a/docs/BUILD
+++ b/docs/BUILD
@ -56,11 +56,13 @@ proto_library(
        "//envoy/config/filter/network/ext_authz/v2:pkg",
        "//envoy/config/filter/network/http_connection_manager/v2:pkg",
        "//envoy/config/filter/network/mongo_proxy/v2:pkg",
+        "//envoy/config/filter/network/mysql_proxy/v1alpha1:pkg",
        "//envoy/config/filter/network/rate_limit/v2:pkg",
        "//envoy/config/filter/network/rbac/v2:pkg",
        "//envoy/config/filter/network/redis_proxy/v2:pkg",
        "//envoy/config/filter/network/tcp_proxy/v2:pkg",
        "//envoy/config/filter/network/thrift_proxy/v2alpha1:pkg",
+        "//envoy/config/filter/network/zookeeper_proxy/v1alpha1:pkg",
        "//envoy/config/filter/thrift/rate_limit/v2alpha1:pkg",
        "//envoy/config/filter/thrift/router/v2alpha1:pkg",
        "//envoy/config/grpc_credential/v2alpha:pkg",
@ -72,6 +74,7 @@ proto_library(
        "//envoy/config/rbac/v2:pkg",
        "//envoy/config/resource_monitor/fixed_heap/v2alpha:pkg",
        "//envoy/config/resource_monitor/injected_resource/v2alpha:pkg",
+        "//envoy/config/retry/previous_priorities:pkg",
        "//envoy/config/trace/v2:pkg",
        "//envoy/config/transport_socket/alts/v2alpha:pkg",
        "//envoy/config/transport_socket/tap/v2alpha:pkg",
--- a/envoy/config/accesslog/v2/als.proto
+++ b/envoy/config/accesslog/v2/als.proto
@ -19,6 +19,7 @@ import "validate/validate.proto";
 // :ref:`AccessLog <envoy_api_msg_config.filter.accesslog.v2.AccessLog>`. This configuration will
 // populate :ref:`StreamAccessLogsMessage.http_logs
 // <envoy_api_field_service.accesslog.v2.StreamAccessLogsMessage.http_logs>`.
+// [#extension: envoy.access_loggers.http_grpc]
 message HttpGrpcAccessLogConfig {
  CommonGrpcAccessLogConfig common_config = 1 [(validate.rules).message = {required: true}];

@ -37,6 +38,7 @@ message HttpGrpcAccessLogConfig {

 // Configuration for the built-in *envoy.tcp_grpc_access_log* type. This configuration will
 // populate *StreamAccessLogsMessage.tcp_logs*.
+// [#extension: envoy.access_loggers.tcp_grpc]
 message TcpGrpcAccessLogConfig {
  CommonGrpcAccessLogConfig common_config = 1 [(validate.rules).message = {required: true}];
 }
--- a/envoy/config/accesslog/v2/file.proto
+++ b/envoy/config/accesslog/v2/file.proto
@ -11,6 +11,7 @@ import "google/protobuf/struct.proto";
 import "validate/validate.proto";

 // [#protodoc-title: File access log]
+// [#extension: envoy.access_loggers.file]

 // Custom configuration for an :ref:`AccessLog <envoy_api_msg_config.filter.accesslog.v2.AccessLog>`
 // that writes log entries directly to a file. Configures the built-in *envoy.file_access_log*
--- a/envoy/config/accesslog/v3alpha/als.proto
+++ b/envoy/config/accesslog/v3alpha/als.proto
@ -19,6 +19,7 @@ import "validate/validate.proto";
 // :ref:`AccessLog <envoy_api_msg_config.filter.accesslog.v3alpha.AccessLog>`. This configuration
 // will populate :ref:`StreamAccessLogsMessage.http_logs
 // <envoy_api_field_service.accesslog.v3alpha.StreamAccessLogsMessage.http_logs>`.
+// [#extension: envoy.access_loggers.http_grpc]
 message HttpGrpcAccessLogConfig {
  CommonGrpcAccessLogConfig common_config = 1 [(validate.rules).message = {required: true}];

@ -37,6 +38,7 @@ message HttpGrpcAccessLogConfig {

 // Configuration for the built-in *envoy.tcp_grpc_access_log* type. This configuration will
 // populate *StreamAccessLogsMessage.tcp_logs*.
+// [#extension: envoy.access_loggers.tcp_grpc]
 message TcpGrpcAccessLogConfig {
  CommonGrpcAccessLogConfig common_config = 1 [(validate.rules).message = {required: true}];
 }
--- a/envoy/config/accesslog/v3alpha/file.proto
+++ b/envoy/config/accesslog/v3alpha/file.proto
@ -11,6 +11,7 @@ import "google/protobuf/struct.proto";
 import "validate/validate.proto";

 // [#protodoc-title: File access log]
+// [#extension: envoy.access_loggers.file]

 // Custom configuration for an :ref:`AccessLog
 // <envoy_api_msg_config.filter.accesslog.v3alpha.AccessLog>` that writes log entries directly to a
--- a/envoy/config/cluster/dynamic_forward_proxy/v2alpha/cluster.proto
+++ b/envoy/config/cluster/dynamic_forward_proxy/v2alpha/cluster.proto
@ -14,6 +14,7 @@ import "validate/validate.proto";

 // Configuration for the dynamic forward proxy cluster. See the :ref:`architecture overview
 // <arch_overview_http_dynamic_forward_proxy>` for more information.
+// [#extension: envoy.clusters.dynamic_forward_proxy]
 message ClusterConfig {
  // The DNS cache configuration that the cluster will attach to. Note this configuration must
  // match that of associated :ref:`dynamic forward proxy HTTP filter configuration
--- a/envoy/config/cluster/dynamic_forward_proxy/v3alpha/cluster.proto
+++ b/envoy/config/cluster/dynamic_forward_proxy/v3alpha/cluster.proto
@ -14,6 +14,7 @@ import "validate/validate.proto";

 // Configuration for the dynamic forward proxy cluster. See the :ref:`architecture overview
 // <arch_overview_http_dynamic_forward_proxy>` for more information.
+// [#extension: envoy.clusters.dynamic_forward_proxy]
 message ClusterConfig {
  // The DNS cache configuration that the cluster will attach to. Note this configuration must
  // match that of associated :ref:`dynamic forward proxy HTTP filter configuration
--- a/envoy/config/cluster/redis/redis_cluster.proto
+++ b/envoy/config/cluster/redis/redis_cluster.proto
@ -48,6 +48,7 @@ import "validate/validate.proto";
 //         cluster_refresh_timeout: 0.5s
 //         redirect_refresh_interval: 10s
 //         redirect_refresh_threshold: 10
+// [#extension: envoy.clusters.redis]

 message RedisClusterConfig {
  // Interval between successive topology refresh requests. If not set, this defaults to 5s.
--- a/envoy/config/filter/http/adaptive_concurrency/v2alpha/adaptive_concurrency.proto
+++ b/envoy/config/filter/http/adaptive_concurrency/v2alpha/adaptive_concurrency.proto
@ -18,6 +18,7 @@ import "validate/validate.proto";
 // [#protodoc-title: Adaptive Concurrency]
 // Adaptive Concurrency Control :ref:`configuration overview
 // <config_http_filters_adaptive_concurrency>`.
+// [#extension: envoy.filters.http.adaptive_concurrency]

 // Configuration parameters for the gradient controller.
 message GradientControllerConfig {
--- a/envoy/config/filter/http/adaptive_concurrency/v3alpha/adaptive_concurrency.proto
+++ b/envoy/config/filter/http/adaptive_concurrency/v3alpha/adaptive_concurrency.proto
@ -18,6 +18,7 @@ import "validate/validate.proto";
 // [#protodoc-title: Adaptive Concurrency]
 // Adaptive Concurrency Control :ref:`configuration overview
 // <config_http_filters_adaptive_concurrency>`.
+// [#extension: envoy.filters.http.adaptive_concurrency]

 // Configuration parameters for the gradient controller.
 message GradientControllerConfig {
--- a/envoy/config/filter/http/buffer/v2/buffer.proto
+++ b/envoy/config/filter/http/buffer/v2/buffer.proto
@ -12,6 +12,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Buffer]
 // Buffer :ref:`configuration overview <config_http_filters_buffer>`.
+// [#extension: envoy.filters.http.buffer]

 message Buffer {
  reserved 2;
--- a/envoy/config/filter/http/csrf/v2/csrf.proto
+++ b/envoy/config/filter/http/csrf/v2/csrf.proto
@ -13,6 +13,7 @@ import "validate/validate.proto";

 // [#protodoc-title: CSRF]
 // Cross-Site Request Forgery :ref:`configuration overview <config_http_filters_csrf>`.
+// [#extension: envoy.filters.http.csrf]

 // CSRF filter config.
 message CsrfPolicy {
--- a/envoy/config/filter/http/csrf/v3alpha/csrf.proto
+++ b/envoy/config/filter/http/csrf/v3alpha/csrf.proto
@ -13,6 +13,7 @@ import "validate/validate.proto";

 // [#protodoc-title: CSRF]
 // Cross-Site Request Forgery :ref:`configuration overview <config_http_filters_csrf>`.
+// [#extension: envoy.filters.http.csrf]

 // CSRF filter config.
 message CsrfPolicy {
--- a/envoy/config/filter/http/dynamic_forward_proxy/v2alpha/dynamic_forward_proxy.proto
+++ b/envoy/config/filter/http/dynamic_forward_proxy/v2alpha/dynamic_forward_proxy.proto
@ -14,6 +14,7 @@ import "validate/validate.proto";

 // Configuration for the dynamic forward proxy HTTP filter. See the :ref:`architecture overview
 // <arch_overview_http_dynamic_forward_proxy>` for more information.
+// [#extension: envoy.filters.http.dynamic_forward_proxy]
 message FilterConfig {
  // The DNS cache configuration that the filter will attach to. Note this configuration must
  // match that of associated :ref:`dynamic forward proxy cluster configuration
--- a/envoy/config/filter/http/dynamic_forward_proxy/v3alpha/dynamic_forward_proxy.proto
+++ b/envoy/config/filter/http/dynamic_forward_proxy/v3alpha/dynamic_forward_proxy.proto
@ -14,6 +14,7 @@ import "validate/validate.proto";

 // Configuration for the dynamic forward proxy HTTP filter. See the :ref:`architecture overview
 // <arch_overview_http_dynamic_forward_proxy>` for more information.
+// [#extension: envoy.filters.http.dynamic_forward_proxy]
 message FilterConfig {
  // The DNS cache configuration that the filter will attach to. Note this configuration must
  // match that of associated :ref:`dynamic forward proxy cluster configuration
--- a/envoy/config/filter/http/ext_authz/v2/ext_authz.proto
+++ b/envoy/config/filter/http/ext_authz/v2/ext_authz.proto
@ -16,6 +16,7 @@ import "validate/validate.proto";

 // [#protodoc-title: External Authorization]
 // External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
+// [#extension: envoy.filters.http.ext_authz]

 // [#next-free-field: 11]
 message ExtAuthz {
--- a/envoy/config/filter/http/ext_authz/v3alpha/ext_authz.proto
+++ b/envoy/config/filter/http/ext_authz/v3alpha/ext_authz.proto
@ -16,6 +16,7 @@ import "validate/validate.proto";

 // [#protodoc-title: External Authorization]
 // External Authorization :ref:`configuration overview <config_http_filters_ext_authz>`.
+// [#extension: envoy.filters.http.ext_authz]

 // [#next-free-field: 11]
 message ExtAuthz {
--- a/envoy/config/filter/http/fault/v2/fault.proto
+++ b/envoy/config/filter/http/fault/v2/fault.proto
@ -16,6 +16,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Fault Injection]
 // Fault Injection :ref:`configuration overview <config_http_filters_fault_injection>`.
+// [#extension: envoy.filters.http.fault]

 message FaultAbort {
  reserved 1;
--- a/envoy/config/filter/http/fault/v3alpha/fault.proto
+++ b/envoy/config/filter/http/fault/v3alpha/fault.proto
@ -16,6 +16,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Fault Injection]
 // Fault Injection :ref:`configuration overview <config_http_filters_fault_injection>`.
+// [#extension: envoy.filters.http.fault]

 message FaultAbort {
  reserved 1;
--- a/envoy/config/filter/http/grpc_http1_reverse_bridge/v2alpha1/config.proto
+++ b/envoy/config/filter/http/grpc_http1_reverse_bridge/v2alpha1/config.proto
@ -11,6 +11,7 @@ import "validate/validate.proto";
 // [#protodoc-title: gRPC HTTP/1.1 Reverse Bridge]
 // gRPC HTTP/1.1 Reverse Bridge :ref:`configuration overview
 // <config_http_filters_grpc_http1_reverse_bridge>`.
+// [#extension: envoy.filters.http.grpc_http1_reverse_bridge]

 // gRPC reverse bridge filter configuration
 message FilterConfig {
--- a/envoy/config/filter/http/grpc_stats/v2alpha/config.proto
+++ b/envoy/config/filter/http/grpc_stats/v2alpha/config.proto
@ -10,6 +10,7 @@ import "validate/validate.proto";

 // [#protodoc-title: gRPC statistics] gRPC statistics filter
 // :ref:`configuration overview <config_http_filters_grpc_stats>`.
+// [#extension: envoy.filters.http.grpc_stats]

 // gRPC statistics filter configuration
 message FilterConfig {
--- a/envoy/config/filter/http/gzip/v2/gzip.proto
+++ b/envoy/config/filter/http/gzip/v2/gzip.proto
@ -12,6 +12,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Gzip]
 // Gzip :ref:`configuration overview <config_http_filters_gzip>`.
+// [#extension: envoy.filters.http.gzip]

 // [#next-free-field: 10]
 message Gzip {
--- a/envoy/config/filter/http/header_to_metadata/v2/header_to_metadata.proto
+++ b/envoy/config/filter/http/header_to_metadata/v2/header_to_metadata.proto
@ -14,6 +14,7 @@ import "validate/validate.proto";
 // for matching load balancer subsets, logging, etc.
 //
 // Header to Metadata :ref:`configuration overview <config_http_filters_header_to_metadata>`.
+// [#extension: envoy.filters.http.header_to_metadata]

 message Config {
  enum ValueType {
--- a/envoy/config/filter/http/health_check/v2/health_check.proto
+++ b/envoy/config/filter/http/health_check/v2/health_check.proto
@ -16,6 +16,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Health check]
 // Health check :ref:`configuration overview <config_http_filters_health_check>`.
+// [#extension: envoy.filters.http.health_check]

 // [#next-free-field: 6]
 message HealthCheck {
--- a/envoy/config/filter/http/health_check/v3alpha/health_check.proto
+++ b/envoy/config/filter/http/health_check/v3alpha/health_check.proto
@ -16,6 +16,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Health check]
 // Health check :ref:`configuration overview <config_http_filters_health_check>`.
+// [#extension: envoy.filters.http.health_check]

 // [#next-free-field: 6]
 message HealthCheck {
--- a/envoy/config/filter/http/ip_tagging/v2/ip_tagging.proto
+++ b/envoy/config/filter/http/ip_tagging/v2/ip_tagging.proto
@ -12,6 +12,7 @@ import "validate/validate.proto";

 // [#protodoc-title: IP tagging]
 // IP tagging :ref:`configuration overview <config_http_filters_ip_tagging>`.
+// [#extension: envoy.filters.http.ip_tagging]

 message IPTagging {
  // The type of requests the filter should apply to. The supported types
--- a/envoy/config/filter/http/ip_tagging/v3alpha/ip_tagging.proto
+++ b/envoy/config/filter/http/ip_tagging/v3alpha/ip_tagging.proto
@ -12,6 +12,7 @@ import "validate/validate.proto";

 // [#protodoc-title: IP tagging]
 // IP tagging :ref:`configuration overview <config_http_filters_ip_tagging>`.
+// [#extension: envoy.filters.http.ip_tagging]

 message IPTagging {
  // The type of requests the filter should apply to. The supported types
--- a/envoy/config/filter/http/jwt_authn/v2alpha/config.proto
+++ b/envoy/config/filter/http/jwt_authn/v2alpha/config.proto
@ -17,6 +17,7 @@ import "validate/validate.proto";

 // [#protodoc-title: JWT Authentication]
 // JWT Authentication :ref:`configuration overview <config_http_filters_jwt_authn>`.
+// [#extension: envoy.filters.http.jwt_authn]

 // Please see following for JWT authentication flow:
 //
--- a/envoy/config/filter/http/jwt_authn/v3alpha/config.proto
+++ b/envoy/config/filter/http/jwt_authn/v3alpha/config.proto
@ -17,6 +17,7 @@ import "validate/validate.proto";

 // [#protodoc-title: JWT Authentication]
 // JWT Authentication :ref:`configuration overview <config_http_filters_jwt_authn>`.
+// [#extension: envoy.filters.http.jwt_authn]

 // Please see following for JWT authentication flow:
 //
--- a/envoy/config/filter/http/lua/v2/lua.proto
+++ b/envoy/config/filter/http/lua/v2/lua.proto
@ -10,6 +10,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Lua]
 // Lua :ref:`configuration overview <config_http_filters_lua>`.
+// [#extension: envoy.filters.http.lua]

 message Lua {
  // The Lua code that Envoy will execute. This can be a very small script that
--- a/envoy/config/filter/http/original_src/v2alpha1/original_src.proto
+++ b/envoy/config/filter/http/original_src/v2alpha1/original_src.proto
@ -14,6 +14,7 @@ import "validate/validate.proto";
 // The Original Src filter binds upstream connections to the original source address determined
 // for the request. This address could come from something like the Proxy Protocol filter, or it
 // could come from trusted http headers.
+// [#extension: envoy.filters.http.original_src]
 message OriginalSrc {
  // Sets the SO_MARK option on the upstream connection's socket to the provided value. Used to
  // ensure that non-local addresses may be routed back through envoy when binding to the original
--- a/envoy/config/filter/http/rate_limit/v2/rate_limit.proto
+++ b/envoy/config/filter/http/rate_limit/v2/rate_limit.proto
@ -14,6 +14,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Rate limit]
 // Rate limit :ref:`configuration overview <config_http_filters_rate_limit>`.
+// [#extension: envoy.filters.http.ratelimit]

 // [#next-free-field: 8]
 message RateLimit {
--- a/envoy/config/filter/http/rate_limit/v3alpha/rate_limit.proto
+++ b/envoy/config/filter/http/rate_limit/v3alpha/rate_limit.proto
@ -14,6 +14,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Rate limit]
 // Rate limit :ref:`configuration overview <config_http_filters_rate_limit>`.
+// [#extension: envoy.filters.http.ratelimit]

 // [#next-free-field: 8]
 message RateLimit {
--- a/envoy/config/filter/http/rbac/v2/rbac.proto
+++ b/envoy/config/filter/http/rbac/v2/rbac.proto
@ -12,6 +12,7 @@ import "validate/validate.proto";

 // [#protodoc-title: RBAC]
 // Role-Based Access Control :ref:`configuration overview <config_http_filters_rbac>`.
+// [#extension: envoy.filters.http.rbac]

 // RBAC filter config.
 message RBAC {
--- a/envoy/config/filter/http/rbac/v3alpha/rbac.proto
+++ b/envoy/config/filter/http/rbac/v3alpha/rbac.proto
@ -12,6 +12,7 @@ import "validate/validate.proto";

 // [#protodoc-title: RBAC]
 // Role-Based Access Control :ref:`configuration overview <config_http_filters_rbac>`.
+// [#extension: envoy.filters.http.rbac]

 // RBAC filter config.
 message RBAC {
--- a/envoy/config/filter/http/router/v2/router.proto
+++ b/envoy/config/filter/http/router/v2/router.proto
@ -14,6 +14,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Router]
 // Router :ref:`configuration overview <config_http_filters_router>`.
+// [#extension: envoy.filters.http.router]

 // [#next-free-field: 7]
 message Router {
--- a/envoy/config/filter/http/router/v3alpha/router.proto
+++ b/envoy/config/filter/http/router/v3alpha/router.proto
@ -14,6 +14,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Router]
 // Router :ref:`configuration overview <config_http_filters_router>`.
+// [#extension: envoy.filters.http.router]

 // [#next-free-field: 7]
 message Router {
--- a/envoy/config/filter/http/squash/v2/squash.proto
+++ b/envoy/config/filter/http/squash/v2/squash.proto
@ -13,6 +13,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Squash]
 // Squash :ref:`configuration overview <config_http_filters_squash>`.
+// [#extension: envoy.filters.http.squash]

 // [#next-free-field: 6]
 message Squash {
--- a/envoy/config/filter/http/tap/v2alpha/tap.proto
+++ b/envoy/config/filter/http/tap/v2alpha/tap.proto
@ -12,6 +12,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Tap]
 // Tap :ref:`configuration overview <config_http_filters_tap>`.
+// [#extension: envoy.filters.http.tap]

 // Top level configuration for the tap filter.
 message Tap {
--- a/envoy/config/filter/http/tap/v3alpha/tap.proto
+++ b/envoy/config/filter/http/tap/v3alpha/tap.proto
@ -12,6 +12,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Tap]
 // Tap :ref:`configuration overview <config_http_filters_tap>`.
+// [#extension: envoy.filters.http.tap]

 // Top level configuration for the tap filter.
 message Tap {
--- a/envoy/config/filter/http/transcoder/v2/transcoder.proto
+++ b/envoy/config/filter/http/transcoder/v2/transcoder.proto
@ -10,6 +10,7 @@ import "validate/validate.proto";

 // [#protodoc-title: gRPC-JSON transcoder]
 // gRPC-JSON transcoder :ref:`configuration overview <config_http_filters_grpc_json_transcoder>`.
+// [#extension: envoy.filters.http.grpc_json_transcoder]

 // [#next-free-field: 10]
 message GrpcJsonTranscoder {
--- a/envoy/config/filter/listener/original_src/v2alpha1/original_src.proto
+++ b/envoy/config/filter/listener/original_src/v2alpha1/original_src.proto
@ -10,6 +10,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Original Src Filter]
 // Use the Original source address on upstream connections.
+// [#extension: envoy.filters.listener.original_src]

 // The Original Src filter binds upstream connections to the original source address determined
 // for the connection. This address could come from something like the Proxy Protocol filter, or it
--- a/envoy/config/filter/network/client_ssl_auth/v2/client_ssl_auth.proto
+++ b/envoy/config/filter/network/client_ssl_auth/v2/client_ssl_auth.proto
@ -15,6 +15,7 @@ import "validate/validate.proto";
 // [#protodoc-title: Client TLS authentication]
 // Client TLS authentication
 // :ref:`configuration overview <config_network_filters_client_ssl_auth>`.
+// [#extension: envoy.filters.network.client_ssl_auth]

 message ClientSSLAuth {
  // The :ref:`cluster manager <arch_overview_cluster_manager>` cluster that runs
--- a/envoy/config/filter/network/client_ssl_auth/v3alpha/client_ssl_auth.proto
+++ b/envoy/config/filter/network/client_ssl_auth/v3alpha/client_ssl_auth.proto
@ -15,6 +15,7 @@ import "validate/validate.proto";
 // [#protodoc-title: Client TLS authentication]
 // Client TLS authentication
 // :ref:`configuration overview <config_network_filters_client_ssl_auth>`.
+// [#extension: envoy.filters.network.client_ssl_auth]

 message ClientSSLAuth {
  // The :ref:`cluster manager <arch_overview_cluster_manager>` cluster that runs
--- a/envoy/config/filter/network/dubbo_proxy/v2alpha1/dubbo_proxy.proto
+++ b/envoy/config/filter/network/dubbo_proxy/v2alpha1/dubbo_proxy.proto
@ -14,6 +14,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Dubbo Proxy]
 // Dubbo Proxy :ref:`configuration overview <config_network_filters_dubbo_proxy>`.
+// [#extension: envoy.filters.network.dubbo_proxy]

 // Dubbo Protocol types supported by Envoy.
 enum ProtocolType {
--- a/envoy/config/filter/network/dubbo_proxy/v3alpha/dubbo_proxy.proto
+++ b/envoy/config/filter/network/dubbo_proxy/v3alpha/dubbo_proxy.proto
@ -14,6 +14,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Dubbo Proxy]
 // Dubbo Proxy :ref:`configuration overview <config_network_filters_dubbo_proxy>`.
+// [#extension: envoy.filters.network.dubbo_proxy]

 // Dubbo Protocol types supported by Envoy.
 enum ProtocolType {
--- a/envoy/config/filter/network/ext_authz/v2/ext_authz.proto
+++ b/envoy/config/filter/network/ext_authz/v2/ext_authz.proto
@ -13,6 +13,7 @@ import "validate/validate.proto";
 // [#protodoc-title: Network External Authorization ]
 // The network layer external authorization service configuration
 // :ref:`configuration overview <config_network_filters_ext_authz>`.
+// [#extension: envoy.filters.network.ext_authz]

 // External Authorization filter calls out to an external service over the
 // gRPC Authorization API defined by
--- a/envoy/config/filter/network/ext_authz/v3alpha/ext_authz.proto
+++ b/envoy/config/filter/network/ext_authz/v3alpha/ext_authz.proto
@ -13,6 +13,7 @@ import "validate/validate.proto";
 // [#protodoc-title: Network External Authorization ]
 // The network layer external authorization service configuration
 // :ref:`configuration overview <config_network_filters_ext_authz>`.
+// [#extension: envoy.filters.network.ext_authz]

 // External Authorization filter calls out to an external service over the
 // gRPC Authorization API defined by
--- a/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto
+++ b/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto
@ -22,6 +22,7 @@ import "validate/validate.proto";

 // [#protodoc-title: HTTP connection manager]
 // HTTP connection manager :ref:`configuration overview <config_http_conn_man>`.
+// [#extension: envoy.filters.network.http_connection_manager]

 // [#next-free-field: 36]
 message HttpConnectionManager {
--- a/envoy/config/filter/network/http_connection_manager/v3alpha/http_connection_manager.proto
+++ b/envoy/config/filter/network/http_connection_manager/v3alpha/http_connection_manager.proto
@ -22,6 +22,7 @@ import "validate/validate.proto";

 // [#protodoc-title: HTTP connection manager]
 // HTTP connection manager :ref:`configuration overview <config_http_conn_man>`.
+// [#extension: envoy.filters.network.http_connection_manager]

 // [#next-free-field: 36]
 message HttpConnectionManager {
--- a/envoy/config/filter/network/mongo_proxy/v2/mongo_proxy.proto
+++ b/envoy/config/filter/network/mongo_proxy/v2/mongo_proxy.proto
@ -12,6 +12,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Mongo proxy]
 // MongoDB :ref:`configuration overview <config_network_filters_mongo_proxy>`.
+// [#extension: envoy.filters.network.mongo_proxy]

 message MongoProxy {
  // The human readable prefix to use when emitting :ref:`statistics
--- a/envoy/config/filter/network/mongo_proxy/v3alpha/mongo_proxy.proto
+++ b/envoy/config/filter/network/mongo_proxy/v3alpha/mongo_proxy.proto
@ -12,6 +12,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Mongo proxy]
 // MongoDB :ref:`configuration overview <config_network_filters_mongo_proxy>`.
+// [#extension: envoy.filters.network.mongo_proxy]

 message MongoProxy {
  // The human readable prefix to use when emitting :ref:`statistics
--- a/envoy/config/filter/network/mysql_proxy/v1alpha1/mysql_proxy.proto
+++ b/envoy/config/filter/network/mysql_proxy/v1alpha1/mysql_proxy.proto
@ -10,10 +10,11 @@ import "validate/validate.proto";

 // [#protodoc-title: MySQL proxy]
 // MySQL Proxy :ref:`configuration overview <config_network_filters_mysql_proxy>`.
+// [#extension: envoy.filters.network.mysql_proxy]
 message MySQLProxy {
  // The human readable prefix to use when emitting :ref:`statistics
  // <config_network_filters_mysql_proxy_stats>`.
-  string stat_prefix = 1 [(validate.rules).string.min_bytes = 1];
+  string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}];

  // [#not-implemented-hide:] The optional path to use for writing MySQL access logs.
  // If the access log field is empty, access logs will not be written.
--- a/envoy/config/filter/network/rate_limit/v2/rate_limit.proto
+++ b/envoy/config/filter/network/rate_limit/v2/rate_limit.proto
@ -15,6 +15,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Rate limit]
 // Rate limit :ref:`configuration overview <config_network_filters_rate_limit>`.
+// [#extension: envoy.filters.network.ratelimit]

 // [#next-free-field: 7]
 message RateLimit {
--- a/envoy/config/filter/network/rate_limit/v3alpha/rate_limit.proto
+++ b/envoy/config/filter/network/rate_limit/v3alpha/rate_limit.proto
@ -15,6 +15,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Rate limit]
 // Rate limit :ref:`configuration overview <config_network_filters_rate_limit>`.
+// [#extension: envoy.filters.network.ratelimit]

 // [#next-free-field: 7]
 message RateLimit {
--- a/envoy/config/filter/network/rbac/v2/rbac.proto
+++ b/envoy/config/filter/network/rbac/v2/rbac.proto
@ -12,6 +12,7 @@ import "validate/validate.proto";

 // [#protodoc-title: RBAC]
 // Role-Based Access Control :ref:`configuration overview <config_network_filters_rbac>`.
+// [#extension: envoy.filters.network.rbac]

 // RBAC network filter config.
 //
--- a/envoy/config/filter/network/rbac/v3alpha/rbac.proto
+++ b/envoy/config/filter/network/rbac/v3alpha/rbac.proto
@ -12,6 +12,7 @@ import "validate/validate.proto";

 // [#protodoc-title: RBAC]
 // Role-Based Access Control :ref:`configuration overview <config_network_filters_rbac>`.
+// [#extension: envoy.filters.network.rbac]

 // RBAC network filter config.
 //
--- a/envoy/config/filter/network/redis_proxy/v2/redis_proxy.proto
+++ b/envoy/config/filter/network/redis_proxy/v2/redis_proxy.proto
@ -15,6 +15,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Redis Proxy]
 // Redis Proxy :ref:`configuration overview <config_network_filters_redis_proxy>`.
+// [#extension: envoy.filters.network.redis_proxy]

 // [#next-free-field: 7]
 message RedisProxy {
--- a/envoy/config/filter/network/redis_proxy/v3alpha/redis_proxy.proto
+++ b/envoy/config/filter/network/redis_proxy/v3alpha/redis_proxy.proto
@ -15,6 +15,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Redis Proxy]
 // Redis Proxy :ref:`configuration overview <config_network_filters_redis_proxy>`.
+// [#extension: envoy.filters.network.redis_proxy]

 // [#next-free-field: 7]
 message RedisProxy {
--- a/envoy/config/filter/network/tcp_proxy/v2/tcp_proxy.proto
+++ b/envoy/config/filter/network/tcp_proxy/v2/tcp_proxy.proto
@ -18,6 +18,7 @@ import "validate/validate.proto";

 // [#protodoc-title: TCP Proxy]
 // TCP Proxy :ref:`configuration overview <config_network_filters_tcp_proxy>`.
+// [#extension: envoy.filters.network.tcp_proxy]

 // [#next-free-field: 12]
 message TcpProxy {
--- a/envoy/config/filter/network/tcp_proxy/v3alpha/tcp_proxy.proto
+++ b/envoy/config/filter/network/tcp_proxy/v3alpha/tcp_proxy.proto
@ -18,6 +18,7 @@ import "validate/validate.proto";

 // [#protodoc-title: TCP Proxy]
 // TCP Proxy :ref:`configuration overview <config_network_filters_tcp_proxy>`.
+// [#extension: envoy.filters.network.tcp_proxy]

 // [#next-free-field: 12]
 message TcpProxy {
--- a/envoy/config/filter/network/thrift_proxy/v2alpha1/thrift_proxy.proto
+++ b/envoy/config/filter/network/thrift_proxy/v2alpha1/thrift_proxy.proto
@ -15,6 +15,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Thrift Proxy]
 // Thrift Proxy :ref:`configuration overview <config_network_filters_thrift_proxy>`.
+// [#extension: envoy.filters.network.thrift_proxy]

 // Thrift transport types supported by Envoy.
 enum TransportType {
--- a/envoy/config/filter/network/thrift_proxy/v3alpha/thrift_proxy.proto
+++ b/envoy/config/filter/network/thrift_proxy/v3alpha/thrift_proxy.proto
@ -15,6 +15,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Thrift Proxy]
 // Thrift Proxy :ref:`configuration overview <config_network_filters_thrift_proxy>`.
+// [#extension: envoy.filters.network.thrift_proxy]

 // Thrift transport types supported by Envoy.
 enum TransportType {
--- a/envoy/config/filter/network/zookeeper_proxy/v1alpha1/zookeeper_proxy.proto
+++ b/envoy/config/filter/network/zookeeper_proxy/v1alpha1/zookeeper_proxy.proto
@ -6,15 +6,17 @@ option java_outer_classname = "ZookeeperProxyProto";
 option java_multiple_files = true;
 option java_package = "io.envoyproxy.envoy.config.filter.network.zookeeper_proxy.v1alpha1";

-import "validate/validate.proto";
 import "google/protobuf/wrappers.proto";

+import "validate/validate.proto";
+
 // [#protodoc-title: ZooKeeper proxy]
 // ZooKeeper Proxy :ref:`configuration overview <config_network_filters_zookeeper_proxy>`.
+// [#extension: envoy.filters.network.zookeeper_proxy]
 message ZooKeeperProxy {
  // The human readable prefix to use when emitting :ref:`statistics
  // <config_network_filters_zookeeper_proxy_stats>`.
-  string stat_prefix = 1 [(validate.rules).string.min_bytes = 1];
+  string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}];

  // [#not-implemented-hide:] The optional path to use for writing ZooKeeper access logs.
  // If the access log field is empty, access logs will not be written.
--- a/envoy/config/filter/thrift/rate_limit/v2alpha1/rate_limit.proto
+++ b/envoy/config/filter/thrift/rate_limit/v2alpha1/rate_limit.proto
@ -14,6 +14,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Rate limit]
 // Rate limit :ref:`configuration overview <config_thrift_filters_rate_limit>`.
+// [#extension: envoy.filters.thrift.ratelimit]

 // [#next-free-field: 6]
 message RateLimit {
--- a/envoy/config/filter/thrift/rate_limit/v3alpha/rate_limit.proto
+++ b/envoy/config/filter/thrift/rate_limit/v3alpha/rate_limit.proto
@ -14,6 +14,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Rate limit]
 // Rate limit :ref:`configuration overview <config_thrift_filters_rate_limit>`.
+// [#extension: envoy.filters.thrift.ratelimit]

 // [#next-free-field: 6]
 message RateLimit {
--- a/envoy/config/filter/thrift/router/v2alpha1/router.proto
+++ b/envoy/config/filter/thrift/router/v2alpha1/router.proto
@ -8,6 +8,7 @@ option java_package = "io.envoyproxy.envoy.config.filter.thrift.router.v2alpha1"

 // [#protodoc-title: Router]
 // Thrift router :ref:`configuration overview <config_thrift_filters_router>`.
+// [#extension: envoy.filters.thrift.router]

 message Router {
 }
--- a/envoy/config/grpc_credential/v2alpha/aws_iam.proto
+++ b/envoy/config/grpc_credential/v2alpha/aws_iam.proto
@ -10,6 +10,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Grpc Credentials AWS IAM]
 // Configuration for AWS IAM Grpc Credentials Plugin
+// [#extension: envoy.grpc_credentials.aws_iam]

 message AwsIamConfig {
  // The `service namespace
--- a/envoy/config/grpc_credential/v2alpha/file_based_metadata.proto
+++ b/envoy/config/grpc_credential/v2alpha/file_based_metadata.proto
@ -10,6 +10,7 @@ import "envoy/api/v2/core/base.proto";

 // [#protodoc-title: Grpc Credentials File Based Metadata]
 // Configuration for File Based Metadata Grpc Credentials Plugin
+// [#extension: envoy.grpc_credentials.file_based_metadata]

 message FileBasedMetadataConfig {
  // Location or inline data of secret to use for authentication of the Google gRPC connection
--- a/envoy/config/grpc_credential/v3alpha/aws_iam.proto
+++ b/envoy/config/grpc_credential/v3alpha/aws_iam.proto
@ -10,6 +10,7 @@ import "validate/validate.proto";

 // [#protodoc-title: Grpc Credentials AWS IAM]
 // Configuration for AWS IAM Grpc Credentials Plugin
+// [#extension: envoy.grpc_credentials.aws_iam]

 message AwsIamConfig {
  // The `service namespace
--- a/envoy/config/grpc_credential/v3alpha/file_based_metadata.proto
+++ b/envoy/config/grpc_credential/v3alpha/file_based_metadata.proto
@ -10,6 +10,7 @@ import "envoy/api/v3alpha/core/base.proto";

 // [#protodoc-title: Grpc Credentials File Based Metadata]
 // Configuration for File Based Metadata Grpc Credentials Plugin
+// [#extension: envoy.grpc_credentials.file_based_metadata]

 message FileBasedMetadataConfig {
  // Location or inline data of secret to use for authentication of the Google gRPC connection
--- a/envoy/config/health_checker/redis/v2/redis.proto
+++ b/envoy/config/health_checker/redis/v2/redis.proto
@ -8,6 +8,7 @@ option java_package = "io.envoyproxy.envoy.config.health_checker.redis.v2";

 // [#protodoc-title: Redis]
 // Redis health checker :ref:`configuration overview <config_health_checkers_redis>`.
+// [#extension: envoy.health_checkers.redis]

 message Redis {
  // If set, optionally perform ``EXISTS <key>`` instead of ``PING``. A return value
--- a/envoy/config/metrics/v2/metrics_service.proto
+++ b/envoy/config/metrics/v2/metrics_service.proto
@ -15,6 +15,7 @@ import "validate/validate.proto";
 // Metrics Service is configured as a built-in *envoy.metrics_service* :ref:`StatsSink
 // <envoy_api_msg_config.metrics.v2.StatsSink>`. This opaque configuration will be used to create
 // Metrics Service.
+// [#extension: envoy.stat_sinks.metrics_service]
 message MetricsServiceConfig {
  // The upstream gRPC cluster that hosts the metrics service.
  api.v2.core.GrpcService grpc_service = 1 [(validate.rules).message = {required: true}];
--- a/envoy/config/metrics/v2/stats.proto
+++ b/envoy/config/metrics/v2/stats.proto
@ -240,6 +240,7 @@ message TagSpecifier {

 // Stats configuration proto schema for built-in *envoy.statsd* sink. This sink does not support
 // tagged metrics.
+// [#extension: envoy.stat_sinks.statsd]
 message StatsdSink {
  oneof statsd_specifier {
    option (validate.required) = true;
@ -288,6 +289,7 @@ message StatsdSink {
 // The sink emits stats with `DogStatsD <https://docs.datadoghq.com/guides/dogstatsd/>`_
 // compatible tags. Tags are configurable via :ref:`StatsConfig
 // <envoy_api_msg_config.metrics.v2.StatsConfig>`.
+// [#extension: envoy.stat_sinks.dog_statsd]
 message DogStatsdSink {
  reserved 2;

@ -313,6 +315,7 @@ message DogStatsdSink {
 // Note that only a single HystrixSink should be configured.
 //
 // Streaming is started through an admin endpoint :http:get:`/hystrix_event_stream`.
+// [#extension: envoy.stat_sinks.hystrix]
 message HystrixSink {
  // The number of buckets the rolling statistical window is divided into.
  //
--- a/envoy/config/metrics/v3alpha/metrics_service.proto
+++ b/envoy/config/metrics/v3alpha/metrics_service.proto
@ -15,6 +15,7 @@ import "validate/validate.proto";
 // Metrics Service is configured as a built-in *envoy.metrics_service* :ref:`StatsSink
 // <envoy_api_msg_config.metrics.v3alpha.StatsSink>`. This opaque configuration will be used to
 // create Metrics Service.
+// [#extension: envoy.stat_sinks.metrics_service]
 message MetricsServiceConfig {
  // The upstream gRPC cluster that hosts the metrics service.
  api.v3alpha.core.GrpcService grpc_service = 1 [(validate.rules).message = {required: true}];
--- a/envoy/config/metrics/v3alpha/stats.proto
+++ b/envoy/config/metrics/v3alpha/stats.proto
@ -243,6 +243,7 @@ message TagSpecifier {

 // Stats configuration proto schema for built-in *envoy.statsd* sink. This sink does not support
 // tagged metrics.
+// [#extension: envoy.stat_sinks.statsd]
 message StatsdSink {
  oneof statsd_specifier {
    option (validate.required) = true;
@ -291,6 +292,7 @@ message StatsdSink {
 // The sink emits stats with `DogStatsD <https://docs.datadoghq.com/guides/dogstatsd/>`_
 // compatible tags. Tags are configurable via :ref:`StatsConfig
 // <envoy_api_msg_config.metrics.v3alpha.StatsConfig>`.
+// [#extension: envoy.stat_sinks.dog_statsd]
 message DogStatsdSink {
  reserved 2;

@ -316,6 +318,7 @@ message DogStatsdSink {
 // Note that only a single HystrixSink should be configured.
 //
 // Streaming is started through an admin endpoint :http:get:`/hystrix_event_stream`.
+// [#extension: envoy.stat_sinks.hystrix]
 message HystrixSink {
  // The number of buckets the rolling statistical window is divided into.
  //
--- a/envoy/config/resource_monitor/fixed_heap/v2alpha/fixed_heap.proto
+++ b/envoy/config/resource_monitor/fixed_heap/v2alpha/fixed_heap.proto
@ -9,6 +9,7 @@ option java_package = "io.envoyproxy.envoy.config.resource_monitor.fixed_heap.v2
 import "validate/validate.proto";

 // [#protodoc-title: Fixed heap]
+// [#extension: envoy.resource_monitors.fixed_heap]

 // The fixed heap resource monitor reports the Envoy process memory pressure, computed as a
 // fraction of currently reserved heap memory divided by a statically configured maximum
--- a/envoy/config/resource_monitor/injected_resource/v2alpha/injected_resource.proto
+++ b/envoy/config/resource_monitor/injected_resource/v2alpha/injected_resource.proto
@ -9,6 +9,7 @@ option java_package = "io.envoyproxy.envoy.config.resource_monitor.injected_reso
 import "validate/validate.proto";

 // [#protodoc-title: Injected resource]
+// [#extension: envoy.resource_monitors.injected_resource]

 // The injected resource monitor allows injecting a synthetic resource pressure into Envoy
 // via a text file, which must contain a floating-point number in the range [0..1] representing
--- a/envoy/config/retry/previous_priorities/previous_priorities_config.proto
+++ b/envoy/config/retry/previous_priorities/previous_priorities_config.proto
@ -30,6 +30,7 @@ option java_package = "io.envoyproxy.envoy.config.retry.previous_priorities";
 //
 // Using this PriorityFilter requires rebuilding the priority load, which runs in O(# of
 // priorities), which might incur significant overhead for clusters with many priorities.
+// [#extension: envoy.retry_priorities.previous_priorities]
 message PreviousPrioritiesConfig {
  // How often the priority load should be updated based on previously attempted priorities. Useful
  // to allow each priorities to receive more than one request before being excluded or to reduce
--- a/envoy/config/trace/v2/trace.proto
+++ b/envoy/config/trace/v2/trace.proto
@ -60,6 +60,7 @@ message Tracing {
 }

 // Configuration for the LightStep tracer.
+// [#extension: envoy.tracers.lightstep]
 message LightstepConfig {
  // The cluster manager cluster that hosts the LightStep collectors.
  string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}];
@ -70,6 +71,7 @@ message LightstepConfig {
 }

 // Configuration for the Zipkin tracer.
+// [#extension: envoy.tracers.zipkin]
 // [#next-free-field: 6]
 message ZipkinConfig {
  // Available Zipkin collector endpoint versions.
@ -119,6 +121,7 @@ message ZipkinConfig {
 // DynamicOtConfig is used to dynamically load a tracer from a shared library
 // that implements the `OpenTracing dynamic loading API
 // <https://github.com/opentracing/opentracing-cpp>`_.
+// [#extension: envoy.tracers.dynamic_ot]
 message DynamicOtConfig {
  // Dynamic library implementing the `OpenTracing API
  // <https://github.com/opentracing/opentracing-cpp>`_.
@ -130,6 +133,7 @@ message DynamicOtConfig {
 }

 // Configuration for the Datadog tracer.
+// [#extension: envoy.tracers.datadog]
 message DatadogConfig {
  // The cluster to use for submitting traces to the Datadog agent.
  string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}];
@ -140,6 +144,7 @@ message DatadogConfig {

 // Configuration for the OpenCensus tracer.
 // [#next-free-field: 13]
+// [#extension: envoy.tracers.opencensus]
 message OpenCensusConfig {
  enum TraceContext {
    // No-op default, no trace context is utilized.
--- a/envoy/config/trace/v3alpha/trace.proto
+++ b/envoy/config/trace/v3alpha/trace.proto
@ -62,6 +62,7 @@ message Tracing {
 }

 // Configuration for the LightStep tracer.
+// [#extension: envoy.tracers.lightstep]
 message LightstepConfig {
  // The cluster manager cluster that hosts the LightStep collectors.
  string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}];
@ -72,6 +73,7 @@ message LightstepConfig {
 }

 // Configuration for the Zipkin tracer.
+// [#extension: envoy.tracers.zipkin]
 // [#next-free-field: 6]
 message ZipkinConfig {
  // Available Zipkin collector endpoint versions.
@ -121,6 +123,7 @@ message ZipkinConfig {
 // DynamicOtConfig is used to dynamically load a tracer from a shared library
 // that implements the `OpenTracing dynamic loading API
 // <https://github.com/opentracing/opentracing-cpp>`_.
+// [#extension: envoy.tracers.dynamic_ot]
 message DynamicOtConfig {
  // Dynamic library implementing the `OpenTracing API
  // <https://github.com/opentracing/opentracing-cpp>`_.
@ -132,6 +135,7 @@ message DynamicOtConfig {
 }

 // Configuration for the Datadog tracer.
+// [#extension: envoy.tracers.datadog]
 message DatadogConfig {
  // The cluster to use for submitting traces to the Datadog agent.
  string collector_cluster = 1 [(validate.rules).string = {min_bytes: 1}];
@ -142,6 +146,7 @@ message DatadogConfig {

 // Configuration for the OpenCensus tracer.
 // [#next-free-field: 13]
+// [#extension: envoy.tracers.opencensus]
 message OpenCensusConfig {
  enum TraceContext {
    // No-op default, no trace context is utilized.
--- a/envoy/config/transport_socket/alts/v2alpha/alts.proto
+++ b/envoy/config/transport_socket/alts/v2alpha/alts.proto
@ -9,6 +9,7 @@ option java_package = "io.envoyproxy.envoy.config.transport_socket.alts.v2alpha"
 import "validate/validate.proto";

 // [#protodoc-title: ALTS]
+// [#extension: envoy.transport_sockets.alts]

 // Configuration for ALTS transport socket. This provides Google's ALTS protocol to Envoy.
 // https://cloud.google.com/security/encryption-in-transit/application-layer-transport-security/
--- a/envoy/config/transport_socket/tap/v2alpha/tap.proto
+++ b/envoy/config/transport_socket/tap/v2alpha/tap.proto
@ -12,6 +12,7 @@ import "envoy/config/common/tap/v2alpha/common.proto";
 import "validate/validate.proto";

 // [#protodoc-title: Tap]
+// [#extension: envoy.transport_sockets.tap]

 // Configuration for tap transport socket. This wraps another transport socket, providing the
 // ability to interpose and record in plain text any traffic that is surfaced to Envoy.
--- a/envoy/config/transport_socket/tap/v3alpha/tap.proto
+++ b/envoy/config/transport_socket/tap/v3alpha/tap.proto
@ -12,6 +12,7 @@ import "envoy/config/common/tap/v3alpha/common.proto";
 import "validate/validate.proto";

 // [#protodoc-title: Tap]
+// [#extension: envoy.transport_sockets.tap]

 // Configuration for tap transport socket. This wraps another transport socket, providing the
 // ability to interpose and record in plain text any traffic that is surfaced to Envoy.