From b4cdc2be93283b5dd59723c4c3f3387580a7031f Mon Sep 17 00:00:00 2001
From: "data-plane-api(CircleCI)"
Date: Sun, 17 May 2020 19:50:07 +0000
Subject: [PATCH] api: manifest based edge default documentation. (#11151)

This PR replaces #11058, taking a slightly different approach. We utilize field options to annotate fields that should be set for untrusted environments with [configure_for_untrusted_downstream, configure_for_untrusted_downstream]. Defaults are provided out-of-band, in a manifest files in docs/edge_defaults_manifest.yaml. Protodoc glues the manifest and options together when generating field documentation, providing an additional notice for sensitive fields.

This PR depends on #11108 first merging to provide the pip3 build infrastructure.

Risk level: Low (docs only).
Testing: Inspection of generated docs.

Signed-off-by: Harvey Tuch

Mirrored from https://github.com/envoyproxy/envoy @ 31128e7dc22355876020188bc8feb99304663041
---
 bazel/repository_locations.bzl | 4 ++--
 envoy/config/bootstrap/v3/bootstrap.proto | 6 +++++-
 envoy/config/bootstrap/v4alpha/bootstrap.proto | 6 +++++-
 envoy/config/listener/v3/listener.proto | 4 +++-
 envoy/config/listener/v4alpha/listener.proto | 4 +++-
 5 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/bazel/repository_locations.bzl b/bazel/repository_locations.bzl
index c275a8c6..77539ee9 100644
--- a/bazel/repository_locations.bzl
+++ b/bazel/repository_locations.bzl 
@@ -13,8 +13,8 @@ GOOGLEAPIS_SHA = "a45019af4d3290f02eaeb1ce10990166978c807cb33a9692141a076ba46d14
 PROMETHEUS_GIT_SHA = "99fa1f4be8e564e8a6b613da7fa6f46c9edafc6c" # Nov 17, 2017
 PROMETHEUS_SHA = "783bdaf8ee0464b35ec0c8704871e1e72afa0005c3f3587f65d9d6694bf3911b"
-UDPA_GIT_SHA = "e8cd3a4bb307e2c810cffff99f93e96e6d7fee85" # Mar 27, 2020
-UDPA_SHA256 = "1fd7857cb61daee7726fca8f4d55e4923774a8d00a53007a4093830dc0482685"
+UDPA_GIT_SHA = "9f54a527e3bf4d1f4a6527f93d329fb1cc4516ac" # May 8, 2020
+UDPA_SHA256 = "7edae88586a84360203e5a4c724080c740b7b6002d5d56f5e806f27c912895cd"
 ZIPKINAPI_RELEASE = "0.2.2" # Aug 23, 2019
 ZIPKINAPI_SHA256 = "688c4fe170821dd589f36ec45aaadc03a618a40283bc1f97da8fa11686fc816b"
diff --git a/envoy/config/bootstrap/v3/bootstrap.proto b/envoy/config/bootstrap/v3/bootstrap.proto
index c2010988..8eba15a5 100644
--- a/envoy/config/bootstrap/v3/bootstrap.proto
+++ b/envoy/config/bootstrap/v3/bootstrap.proto
@@ -19,6 +19,7 @@ import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";
 import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/security.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
@@ -145,7 +146,10 @@ message Bootstrap {
 Admin admin = 12;
 // Optional overload manager configuration.
- overload.v3.OverloadManager overload_manager = 15;
+ overload.v3.OverloadManager overload_manager = 15 [
+ (udpa.annotations.security).configure_for_untrusted_downstream = true,
+ (udpa.annotations.security).configure_for_untrusted_upstream = true
+ ];
 // Enable :ref:`stats for event dispatcher `, defaults to false.
 // Note that this records a value for each iteration of the event loop on every thread. This
diff --git a/envoy/config/bootstrap/v4alpha/bootstrap.proto b/envoy/config/bootstrap/v4alpha/bootstrap.proto
index ce6aa147..bd416935 100644
--- a/envoy/config/bootstrap/v4alpha/bootstrap.proto
+++ b/envoy/config/bootstrap/v4alpha/bootstrap.proto 
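Review bot: The new `configure_for_untrusted_downstream` / `configure_for_untrusted_upstream` options on `overload_manager` are only consumed by protodoc, while the field's leading comment is left as `// Optional overload manager configuration.`, so anyone reading the .proto directly or docs generated by another tool gets no indication that leaving this unset matters when peers are untrusted. Suggest extending the comment, e.g. `// Optional overload manager configuration. Deployments with untrusted downstreams or` / `// upstreams should configure this explicitly; the recommended edge settings are` / `// maintained in docs/edge_defaults_manifest.yaml.` The same applies to the identical hunk in envoy/config/bootstrap/v4alpha/bootstrap.proto. The enclosing `Bootstrap` message starts and ends outside the hunk.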
@@ -18,6 +18,7 @@ import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";
 import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/security.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
@@ -137,7 +138,10 @@ message Bootstrap {
 Admin admin = 12;
 // Optional overload manager configuration.
- overload.v3.OverloadManager overload_manager = 15;
+ overload.v3.OverloadManager overload_manager = 15 [
+ (udpa.annotations.security).configure_for_untrusted_downstream = true,
+ (udpa.annotations.security).configure_for_untrusted_upstream = true
+ ];
 // Enable :ref:`stats for event dispatcher `, defaults to false.
 // Note that this records a value for each iteration of the event loop on every thread. This
diff --git a/envoy/config/listener/v3/listener.proto b/envoy/config/listener/v3/listener.proto
index 473a5eb2..03214150 100644
--- a/envoy/config/listener/v3/listener.proto
+++ b/envoy/config/listener/v3/listener.proto
@@ -14,6 +14,7 @@ import "google/api/annotations.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
+import "udpa/annotations/security.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
@@ -108,7 +109,8 @@ message Listener {
 // Soft limit on size of the listener’s new connection read and write buffers.
 // If unspecified, an implementation defined default is applied (1MiB).
- google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5;
+ google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5
+ [(udpa.annotations.security).configure_for_untrusted_downstream = true];
 // Listener metadata.
 core.v3.Metadata metadata = 6;
diff --git a/envoy/config/listener/v4alpha/listener.proto b/envoy/config/listener/v4alpha/listener.proto
index 4438bd29..b7f32a82 100644
--- a/envoy/config/listener/v4alpha/listener.proto 
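Review bot: The `configure_for_untrusted_downstream` option added to `per_connection_buffer_limit_bytes` is not reflected in the field's comment, which still documents only the 1MiB implementation default and gives a reader of the .proto no hint that the annotation singles this field out for explicit configuration when downstreams are untrusted. Suggest appending to the existing comment: `// Listeners that accept connections from untrusted downstreams should set this` / `// explicitly to bound per-connection buffer memory; the recommended edge value is` / `// tracked in docs/edge_defaults_manifest.yaml.` The same applies to the identical hunk in envoy/config/listener/v4alpha/listener.proto. The enclosing `Listener` message starts and ends outside the hunk.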
+++ b/envoy/config/listener/v4alpha/listener.proto
@@ -14,6 +14,7 @@ import "google/api/annotations.proto";
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
+import "udpa/annotations/security.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
@@ -108,7 +109,8 @@ message Listener {
 // Soft limit on size of the listener’s new connection read and write buffers.
 // If unspecified, an implementation defined default is applied (1MiB).
- google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5;
+ google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5
+ [(udpa.annotations.security).configure_for_untrusted_downstream = true];
 // Listener metadata.
 core.v4alpha.Metadata metadata = 6;