Compare commits

...

7 Commits

Author SHA1 Message Date
update-envoy[bot] 6ac3cd177b Enhance ext_proc filter to support MXN streaming (#34942) 3 weeks ago
update-envoy[bot] 2f2e77908f docs/proto: Adding comments to fields/enums that have no comments (#37018) 3 weeks ago
update-envoy[bot] cbb7b6e3fb dns resolver: add options to initialize c-ares with custom timeout an… (#36947) 3 weeks ago
update-envoy[bot] e143288608 docs: add and fix license URLs (#37029) 3 weeks ago
update-envoy[bot] 4ace91458e ip-tagging filter: add support for an optional ip-tag-header field (#36434) 3 weeks ago
update-envoy[bot] 51ab040126 kafka: close connection when rejectable request appears (#36979) 3 weeks ago
update-envoy[bot] c4ccd87ef7 deps/api: Bump `envoy_toolshed` -> 0.1.15 (#36969) 3 weeks ago
  1. 12
      bazel/repository_locations.bzl
  2. 12
      contrib/envoy/extensions/filters/network/kafka_broker/v3/kafka_broker.proto
  3. 1
      envoy/config/core/v3/base.proto
  4. 12
      envoy/config/filter/network/kafka_broker/v2alpha1/kafka_broker.proto
  5. 34
      envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto
  6. 38
      envoy/extensions/filters/http/ip_tagging/v3/ip_tagging.proto
  7. 16
      envoy/extensions/network/dns_resolver/cares/v3/cares_dns_resolver.proto
  8. 76
      envoy/service/ext_proc/v3/external_processor.proto
  9. 56
      envoy/type/v3/http_status.proto

@ -163,6 +163,8 @@ REPOSITORY_LOCATIONS_SPEC = dict(
urls = ["https://github.com/norbjd/protoc-gen-jsonschema/archive/{version}.zip"],
use_category = ["build"],
release_date = "2023-05-30",
license = "Apache-2.0",
license_url = "https://github.com/norbjd/protoc-gen-jsonschema/blob/{version}/LICENSE",
),
dev_cel = dict(
project_name = "CEL",
@ -174,19 +176,21 @@ REPOSITORY_LOCATIONS_SPEC = dict(
urls = ["https://github.com/google/cel-spec/archive/v{version}.tar.gz"],
use_category = ["api"],
release_date = "2024-10-23",
license = "Apache-2.0",
license_url = "https://github.com/google/cel-spec/blob/v{version}/LICENSE",
),
envoy_toolshed = dict(
project_name = "envoy_toolshed",
project_desc = "Tooling, libraries, runners and checkers for Envoy proxy's CI",
project_url = "https://github.com/envoyproxy/toolshed",
version = "0.1.13",
sha256 = "5210866866fccb8e94f2a921c8452d7ea2ae1bf2b2b9520ab0e0cd1df36e7ad5",
version = "0.1.15",
sha256 = "b235526a20ef7a74e908c8827da40c32182bf18635a70e836dcad2a561eb3e6d",
strip_prefix = "toolshed-bazel-v{version}/bazel",
urls = ["https://github.com/envoyproxy/toolshed/archive/bazel-v{version}.tar.gz"],
use_category = ["build"],
release_date = "2024-10-29",
release_date = "2024-11-04",
cpe = "N/A",
license = "Apache-2.0",
license_url = "https://github.com/envoyproxy/envoy/blob/bazel-v{version}/LICENSE",
license_url = "https://github.com/envoyproxy/toolshed/blob/bazel-v{version}/LICENSE",
),
)

@ -15,7 +15,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#protodoc-title: Kafka Broker]
// Kafka Broker :ref:`configuration overview <config_network_filters_kafka_broker>`.
// [#extension: envoy.filters.network.kafka_broker]
// [#next-free-field: 6]
message KafkaBroker {
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.filter.network.kafka_broker.v2alpha1.KafkaBroker";
@ -39,6 +39,16 @@ message KafkaBroker {
// Broker address rewrite rules that match by broker ID.
IdBasedBrokerRewriteSpec id_based_broker_address_rewrite_spec = 3;
}
// Optional list of allowed Kafka API keys. Only requests with provided API keys will be
// routed, otherwise the connection will be closed. No effect if empty.
repeated uint32 api_keys_allowed = 4
[(validate.rules).repeated = {items {uint32 {lte: 32767 gte: 0}}}];
// Optional list of denied Kafka API keys. Requests with API keys matching this list will have
// the connection closed. No effect if empty.
repeated uint32 api_keys_denied = 5
[(validate.rules).repeated = {items {uint32 {lte: 32767 gte: 0}}}];
}
// Collection of rules matching by broker ID.

@ -453,6 +453,7 @@ message HeaderValueOption {
message HeaderMap {
option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HeaderMap";
// A list of header names and their values.
repeated HeaderValue headers = 1;
}

@ -17,7 +17,7 @@ option (udpa.annotations.file_status).package_version_status = FROZEN;
// [#protodoc-title: Kafka Broker]
// Kafka Broker :ref:`configuration overview <config_network_filters_kafka_broker>`.
// [#extension: envoy.filters.network.kafka_broker]
// [#next-free-field: 6]
message KafkaBroker {
// The prefix to use when emitting :ref:`statistics <config_network_filters_kafka_broker_stats>`.
string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}];
@ -38,6 +38,16 @@ message KafkaBroker {
// Broker address rewrite rules that match by broker ID.
IdBasedBrokerRewriteSpec id_based_broker_address_rewrite_spec = 3;
}
// Optional list of allowed Kafka API keys. Only requests with provided API keys will be
// routed, otherwise the connection will be closed. No effect if empty.
repeated uint32 api_keys_allowed = 4
[(validate.rules).repeated = {items {uint32 {lte: 32767 gte: 0}}}];
// Optional list of denied Kafka API keys. Requests with API keys matching this list will have
// the connection closed. No effect if empty.
repeated uint32 api_keys_denied = 5
[(validate.rules).repeated = {items {uint32 {lte: 32767 gte: 0}}}];
}
// Collection of rules matching by broker ID.

@ -36,11 +36,12 @@ message ProcessingMode {
// Control how the request and response bodies are handled
// When body mutation by external processor is enabled, ext_proc filter will always remove
// the content length header in three cases below because content length can not be guaranteed
// the content length header in four cases below because content length can not be guaranteed
// to be set correctly:
// 1) STREAMED BodySendMode: header processing completes before body mutation comes back.
// 2) BUFFERED_PARTIAL BodySendMode: body is buffered and could be injected in different phases.
// 3) BUFFERED BodySendMode + SKIP HeaderSendMode: header processing (e.g., update content-length) is skipped.
// 4) FULL_DUPLEX_STREAMED BodySendMode: header processing completes before body mutation comes back.
//
// In Envoy's http1 codec implementation, removing content length will enable chunked transfer
// encoding whenever feasible. The recipient (either client or server) must be able
@ -68,6 +69,37 @@ message ProcessingMode {
// chunk. If the body exceeds the configured buffer limit, then the body contents
// up to the buffer limit will be sent.
BUFFERED_PARTIAL = 3;
// [#not-implemented-hide:]
// Envoy streams the body to the server in pieces as they arrive.
//
// 1) The server may choose to buffer any number chunks of data before processing them.
// After it finishes buffering, the server processes the buffered data. Then it splits the processed
// data into any number of chunks, and streams them back to Envoy one by one.
// The server may continuously do so until the complete body is processed.
// The individual response chunk size is recommended to be no greater than 64K bytes, or
// :ref:`max_receive_message_length <envoy_v3_api_field_config.core.v3.GrpcService.EnvoyGrpc.max_receive_message_length>`
// if EnvoyGrpc is used.
//
// 2) The server may also choose to buffer the entire message, including the headers (if header mode is
// ``SEND``), the entire body, and the trailers (if present), before sending back any response.
// The server response has to maintain the headers-body-trailers ordering.
//
// 3) Note that the server might also choose not to buffer data. That is, upon receiving a
// body request, it could process the data and send back a body response immediately.
//
// In this body mode:
// * The corresponding trailer mode has to be set to ``SEND``.
// * Envoy will send body and trailers (if present) to the server as they arrive.
// Sending the trailers (if present) is to inform the server the complete body arrives.
// In case there are no trailers, then Envoy will set
// :ref:`end_of_stream <envoy_v3_api_field_service.ext_proc.v3.HttpBody.end_of_stream>`
// to true as part of the last body chunk request to notify the server that no other data is to be sent.
// * The server needs to send
// :ref:`StreamedBodyResponse <envoy_v3_api_msg_service.ext_proc.v3.StreamedBodyResponse>`
// to Envoy in the body response.
// * Envoy will stream the body chunks in the responses from the server to the upstream/downstream as they arrive.
FULL_DUPLEX_STREAMED = 4;
}
// How to handle the request header. Default is "SEND".

@ -18,6 +18,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// IP tagging :ref:`configuration overview <config_http_filters_ip_tagging>`.
// [#extension: envoy.filters.http.ip_tagging]
// [#next-free-field: 6]
message IPTagging {
option (udpa.annotations.versioning).previous_message_type =
"envoy.config.filter.http.ip_tagging.v2.IPTagging";
@ -52,6 +53,38 @@ message IPTagging {
repeated config.core.v3.CidrRange ip_list = 2;
}
// Specify to which header the tags will be written.
message IpTagHeader {
// Describes how to apply the tags to the headers.
enum HeaderAction {
// (DEFAULT) The header specified in :ref:`ip_tag_header <envoy_v3_api_field_extensions.filters.http.ip_tagging.v3.IPTagging.ip_tag_header>`
// will be dropped, before the tags are applied. The incoming header will be "sanitized" regardless of whether the request is internal or external.
//
// Note that the header will be visible unsanitized to any filters that are invoked before the ip-tag-header filter, unless it has an *x-envoy* prefix.
SANITIZE = 0;
// Tags will be appended to the header specified in
// :ref:`ip_tag_header <envoy_v3_api_field_extensions.filters.http.ip_tagging.v3.IPTagging.ip_tag_header>`.
//
// Please note that this could cause the header to retain values set by the http client regardless of whether the request is internal or external.
APPEND_IF_EXISTS_OR_ADD = 1;
}
// Header to use for ip-tagging.
//
// This header will be sanitized based on the config in
// :ref:`action <envoy_v3_api_field_extensions.filters.http.ip_tagging.v3.IPTagging.IpTagHeader.action>`
// rather than the defaults for x-envoy prefixed headers.
string header = 1
[(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
// Control if the :ref:`header <envoy_v3_api_field_extensions.filters.http.ip_tagging.v3.IPTagging.IpTagHeader.header>`
// will be sanitized, or be appended to.
//
// Default: *SANITIZE*.
HeaderAction action = 2;
}
// The type of request the filter should apply to.
RequestType request_type = 1 [(validate.rules).enum = {defined_only: true}];
@ -59,4 +92,9 @@ message IPTagging {
// Tracked by issue https://github.com/envoyproxy/envoy/issues/2695]
// The set of IP tags for the filter.
repeated IPTag ip_tags = 4 [(validate.rules).repeated = {min_items: 1}];
// Specify to which header the tags will be written.
//
// If left unspecified, the tags will be appended to the ``x-envoy-ip-tags`` header.
IpTagHeader ip_tag_header = 5;
}

@ -8,6 +8,7 @@ import "envoy/config/core/v3/resolver.proto";
import "google/protobuf/wrappers.proto";
import "udpa/annotations/status.proto";
import "validate/validate.proto";
option java_package = "io.envoyproxy.envoy.extensions.network.dns_resolver.cares.v3";
option java_outer_classname = "CaresDnsResolverProto";
@ -19,7 +20,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// [#extension: envoy.network.dns_resolver.cares]
// Configuration for c-ares DNS resolver.
// [#next-free-field: 6]
// [#next-free-field: 8]
message CaresDnsResolverConfig {
// A list of dns resolver addresses.
// :ref:`use_resolvers_as_fallback<envoy_v3_api_field_extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig.use_resolvers_as_fallback>`
@ -47,4 +48,17 @@ message CaresDnsResolverConfig {
// This option allows for number of UDP based DNS queries to be capped. Note, this
// is only applicable to c-ares DNS resolver currently.
google.protobuf.UInt32Value udp_max_queries = 5;
// The number of seconds each name server is given to respond to a query on the first try of any given server.
//
// Note: While the c-ares library defaults to 2 seconds, Envoy's default (if this field is unset) is 5 seconds.
// This adjustment was made to maintain the previous behavior after users reported an increase in DNS resolution times.
google.protobuf.UInt64Value query_timeout_seconds = 6 [(validate.rules).uint64 = {gte: 1}];
// The maximum number of query attempts the resolver will make before giving up.
// Each attempt may use a different name server.
//
// Note: While the c-ares library defaults to 3 attempts, Envoy's default (if this field is unset) is 4 attempts.
// This adjustment was made to maintain the previous behavior after users reported an increase in DNS resolution times.
google.protobuf.UInt32Value query_tries = 7 [(validate.rules).uint32 = {gte: 1}];
}

@ -45,7 +45,6 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
// In other words, the process is a request/response conversation, but
// using a gRPC stream to make it easier for the server to
// maintain state.
service ExternalProcessor {
// This begins the bidirectional stream that Envoy will use to
// give the server control over what the filter does. The actual
@ -129,6 +128,7 @@ message ProcessingRequest {
// set to false, the server must send back exactly one ProcessingResponse message.
// [#next-free-field: 11]
message ProcessingResponse {
// The response type that is sent by the server.
oneof response {
option (validate.required) = true;
@ -220,19 +220,25 @@ message HttpHeaders {
map<string, google.protobuf.Struct> attributes = 2
[deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
// If true, then there is no message body associated with this
// If ``true``, then there is no message body associated with this
// request or response.
bool end_of_stream = 3;
}
// This message contains the message body that Envoy sends to the external server.
// This message is sent to the external server when the HTTP request and
// response bodies are received.
message HttpBody {
// The contents of the body in the HTTP request/response. Note that in
// streaming mode multiple ``HttpBody`` messages may be sent.
bytes body = 1;
// If ``true``, this will be the last ``HttpBody`` message that will be sent and no
// trailers will be sent for the current request/response.
bool end_of_stream = 2;
}
// This message contains the trailers.
// This message is sent to the external server when the HTTP request and
// response trailers are received.
message HttpTrailers {
// The header value is encoded in the
// :ref:`raw_value <envoy_v3_api_field_config.core.v3.HeaderValue.raw_value>` field.
@ -241,25 +247,34 @@ message HttpTrailers {
// The following are messages that may be sent back by the server.
// This message must be sent in response to an HttpHeaders message.
// This message is sent by the external server to Envoy after ``HttpHeaders`` was
// sent to it.
message HeadersResponse {
// Details the modifications (if any) to be made by Envoy to the current
// request/response.
CommonResponse response = 1;
}
// This message must be sent in response to an HttpTrailers message.
message TrailersResponse {
// Instructions on how to manipulate the trailers
HeaderMutation header_mutation = 1;
}
// This message must be sent in response to an HttpBody message.
// This message is sent by the external server to Envoy after ``HttpBody`` was
// sent to it.
message BodyResponse {
// Details the modifications (if any) to be made by Envoy to the current
// request/response.
CommonResponse response = 1;
}
// This message is sent by the external server to Envoy after ``HttpTrailers`` was
// sent to it.
message TrailersResponse {
// Details the modifications (if any) to be made by Envoy to the current
// request/response trailers.
HeaderMutation header_mutation = 1;
}
// This message contains common fields between header and body responses.
// [#next-free-field: 6]
message CommonResponse {
// The status of the response.
enum ResponseStatus {
// Apply the mutation instructions in this message to the
// request or response, and then continue processing the filter
@ -322,7 +337,7 @@ message CommonResponse {
// to the downstream codec, or reset the stream.
// [#next-free-field: 6]
message ImmediateResponse {
// The response code to return
// The response code to return.
type.v3.HttpStatus status = 1 [(validate.rules).message = {required: true}];
// Apply changes to the default headers, which will include content-type.
@ -343,7 +358,7 @@ message ImmediateResponse {
// This message specifies a gRPC status for an ImmediateResponse message.
message GrpcStatus {
// The actual gRPC status
// The actual gRPC status.
uint32 status = 1;
}
@ -362,14 +377,39 @@ message HeaderMutation {
repeated string remove_headers = 2;
}
// Replace the entire message body chunk received in the corresponding
// HttpBody message with this new body, or clear the body.
// [#not-implemented-hide:]
// The body response message corresponding to FULL_DUPLEX_STREAMED body mode.
message StreamedBodyResponse {
// The body response chunk that will be passed to the upstream/downstream by Envoy.
bytes body = 1;
// The server sets this flag to true if it has received a body request with
// :ref:`end_of_stream <envoy_v3_api_field_service.ext_proc.v3.HttpBody.end_of_stream>` set to true,
// and this is the last chunk of body responses.
bool end_of_stream = 2;
}
// This message specifies the body mutation the server sends to Envoy.
message BodyMutation {
// The type of mutation for the body.
oneof mutation {
// The entire body to replace
// The entire body to replace.
// Should only be used when the corresponding ``BodySendMode`` in the
// :ref:`processing_mode <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.processing_mode>`
// is not set to ``FULL_DUPLEX_STREAMED``.
bytes body = 1;
// Clear the corresponding body chunk
// Clear the corresponding body chunk.
// Should only be used when the corresponding ``BodySendMode`` in the
// :ref:`processing_mode <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.processing_mode>`
// is not set to ``FULL_DUPLEX_STREAMED``.
// Clear the corresponding body chunk.
bool clear_body = 2;
// [#not-implemented-hide:]
// Must be used when the corresponding ``BodySendMode`` in the
// :ref:`processing_mode <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.processing_mode>`
// is set to ``FULL_DUPLEX_STREAMED``.
StreamedBodyResponse streamed_response = 3;
}
}

@ -21,116 +21,172 @@ enum StatusCode {
// `enum` type.
Empty = 0;
// Continue - ``100`` status code.
Continue = 100;
// OK - ``200`` status code.
OK = 200;
// Created - ``201`` status code.
Created = 201;
// Accepted - ``202`` status code.
Accepted = 202;
// NonAuthoritativeInformation - ``203`` status code.
NonAuthoritativeInformation = 203;
// NoContent - ``204`` status code.
NoContent = 204;
// ResetContent - ``205`` status code.
ResetContent = 205;
// PartialContent - ``206`` status code.
PartialContent = 206;
// MultiStatus - ``207`` status code.
MultiStatus = 207;
// AlreadyReported - ``208`` status code.
AlreadyReported = 208;
// IMUsed - ``226`` status code.
IMUsed = 226;
// MultipleChoices - ``300`` status code.
MultipleChoices = 300;
// MovedPermanently - ``301`` status code.
MovedPermanently = 301;
// Found - ``302`` status code.
Found = 302;
// SeeOther - ``303`` status code.
SeeOther = 303;
// NotModified - ``304`` status code.
NotModified = 304;
// UseProxy - ``305`` status code.
UseProxy = 305;
// TemporaryRedirect - ``307`` status code.
TemporaryRedirect = 307;
// PermanentRedirect - ``308`` status code.
PermanentRedirect = 308;
// BadRequest - ``400`` status code.
BadRequest = 400;
// Unauthorized - ``401`` status code.
Unauthorized = 401;
// PaymentRequired - ``402`` status code.
PaymentRequired = 402;
// Forbidden - ``403`` status code.
Forbidden = 403;
// NotFound - ``404`` status code.
NotFound = 404;
// MethodNotAllowed - ``405`` status code.
MethodNotAllowed = 405;
// NotAcceptable - ``406`` status code.
NotAcceptable = 406;
// ProxyAuthenticationRequired - ``407`` status code.
ProxyAuthenticationRequired = 407;
// RequestTimeout - ``408`` status code.
RequestTimeout = 408;
// Conflict - ``409`` status code.
Conflict = 409;
// Gone - ``410`` status code.
Gone = 410;
// LengthRequired - ``411`` status code.
LengthRequired = 411;
// PreconditionFailed - ``412`` status code.
PreconditionFailed = 412;
// PayloadTooLarge - ``413`` status code.
PayloadTooLarge = 413;
// URITooLong - ``414`` status code.
URITooLong = 414;
// UnsupportedMediaType - ``415`` status code.
UnsupportedMediaType = 415;
// RangeNotSatisfiable - ``416`` status code.
RangeNotSatisfiable = 416;
// ExpectationFailed - ``417`` status code.
ExpectationFailed = 417;
// MisdirectedRequest - ``421`` status code.
MisdirectedRequest = 421;
// UnprocessableEntity - ``422`` status code.
UnprocessableEntity = 422;
// Locked - ``423`` status code.
Locked = 423;
// FailedDependency - ``424`` status code.
FailedDependency = 424;
// UpgradeRequired - ``426`` status code.
UpgradeRequired = 426;
// PreconditionRequired - ``428`` status code.
PreconditionRequired = 428;
// TooManyRequests - ``429`` status code.
TooManyRequests = 429;
// RequestHeaderFieldsTooLarge - ``431`` status code.
RequestHeaderFieldsTooLarge = 431;
// InternalServerError - ``500`` status code.
InternalServerError = 500;
// NotImplemented - ``501`` status code.
NotImplemented = 501;
// BadGateway - ``502`` status code.
BadGateway = 502;
// ServiceUnavailable - ``503`` status code.
ServiceUnavailable = 503;
// GatewayTimeout - ``504`` status code.
GatewayTimeout = 504;
// HTTPVersionNotSupported - ``505`` status code.
HTTPVersionNotSupported = 505;
// VariantAlsoNegotiates - ``506`` status code.
VariantAlsoNegotiates = 506;
// InsufficientStorage - ``507`` status code.
InsufficientStorage = 507;
// LoopDetected - ``508`` status code.
LoopDetected = 508;
// NotExtended - ``510`` status code.
NotExtended = 510;
// NetworkAuthenticationRequired - ``511`` status code.
NetworkAuthenticationRequired = 511;
}

Loading…
Cancel
Save