diff --git a/xds/src/generated/main/grpc/io/envoyproxy/envoy/api/v2/ScopedRoutesDiscoveryServiceGrpc.java b/xds/src/generated/main/grpc/io/envoyproxy/envoy/api/v2/ScopedRoutesDiscoveryServiceGrpc.java
new file mode 100644
index 00000000000..c19809f816e
--- /dev/null
+++ b/xds/src/generated/main/grpc/io/envoyproxy/envoy/api/v2/ScopedRoutesDiscoveryServiceGrpc.java
@@ -0,0 +1,459 @@
+package io.envoyproxy.envoy.api.v2;
+
+import static io.grpc.MethodDescriptor.generateFullMethodName;
+import static io.grpc.stub.ClientCalls.asyncBidiStreamingCall;
+import static io.grpc.stub.ClientCalls.asyncClientStreamingCall;
+import static io.grpc.stub.ClientCalls.asyncServerStreamingCall;
+import static io.grpc.stub.ClientCalls.asyncUnaryCall;
+import static io.grpc.stub.ClientCalls.blockingServerStreamingCall;
+import static io.grpc.stub.ClientCalls.blockingUnaryCall;
+import static io.grpc.stub.ClientCalls.futureUnaryCall;
+import static io.grpc.stub.ServerCalls.asyncBidiStreamingCall;
+import static io.grpc.stub.ServerCalls.asyncClientStreamingCall;
+import static io.grpc.stub.ServerCalls.asyncServerStreamingCall;
+import static io.grpc.stub.ServerCalls.asyncUnaryCall;
+import static io.grpc.stub.ServerCalls.asyncUnimplementedStreamingCall;
+import static io.grpc.stub.ServerCalls.asyncUnimplementedUnaryCall;
+
+/**
+ *
+ * [#protodoc-title: HTTP scoped routing configuration]
+ * * Routing :ref:`architecture overview <arch_overview_http_routing>`
+ * The Scoped Routes Discovery Service (SRDS) API distributes
+ * :ref:`ScopedRouteConfiguration<envoy_api_msg.ScopedRouteConfiguration>`
+ * resources. Each ScopedRouteConfiguration resource represents a "routing
+ * scope" containing a mapping that allows the HTTP connection manager to
+ * dynamically assign a routing table (specified via a
+ * :ref:`RouteConfiguration<envoy_api_msg_RouteConfiguration>` message) to each
+ * HTTP request.
+ *
+ */
+@javax.annotation.Generated(
+ value = "by gRPC proto compiler",
+ comments = "Source: envoy/api/v2/srds.proto")
+public final class ScopedRoutesDiscoveryServiceGrpc {
+
+ private ScopedRoutesDiscoveryServiceGrpc() {}
+
+ public static final String SERVICE_NAME = "envoy.api.v2.ScopedRoutesDiscoveryService";
+
+ // Static method descriptors that strictly reflect the proto.
+ private static volatile io.grpc.MethodDescriptor getStreamScopedRoutesMethod;
+
+ @io.grpc.stub.annotations.RpcMethod(
+ fullMethodName = SERVICE_NAME + '/' + "StreamScopedRoutes",
+ requestType = io.envoyproxy.envoy.api.v2.DiscoveryRequest.class,
+ responseType = io.envoyproxy.envoy.api.v2.DiscoveryResponse.class,
+ methodType = io.grpc.MethodDescriptor.MethodType.BIDI_STREAMING)
+ public static io.grpc.MethodDescriptor getStreamScopedRoutesMethod() {
+ io.grpc.MethodDescriptor getStreamScopedRoutesMethod;
+ if ((getStreamScopedRoutesMethod = ScopedRoutesDiscoveryServiceGrpc.getStreamScopedRoutesMethod) == null) {
+ synchronized (ScopedRoutesDiscoveryServiceGrpc.class) {
+ if ((getStreamScopedRoutesMethod = ScopedRoutesDiscoveryServiceGrpc.getStreamScopedRoutesMethod) == null) {
+ ScopedRoutesDiscoveryServiceGrpc.getStreamScopedRoutesMethod = getStreamScopedRoutesMethod =
+ io.grpc.MethodDescriptor.newBuilder()
+ .setType(io.grpc.MethodDescriptor.MethodType.BIDI_STREAMING)
+ .setFullMethodName(generateFullMethodName(SERVICE_NAME, "StreamScopedRoutes"))
+ .setSampledToLocalTracing(true)
+ .setRequestMarshaller(io.grpc.protobuf.ProtoUtils.marshaller(
+ io.envoyproxy.envoy.api.v2.DiscoveryRequest.getDefaultInstance()))
+ .setResponseMarshaller(io.grpc.protobuf.ProtoUtils.marshaller(
+ io.envoyproxy.envoy.api.v2.DiscoveryResponse.getDefaultInstance()))
+ .setSchemaDescriptor(new ScopedRoutesDiscoveryServiceMethodDescriptorSupplier("StreamScopedRoutes"))
+ .build();
+ }
+ }
+ }
+ return getStreamScopedRoutesMethod;
+ }
+
+ private static volatile io.grpc.MethodDescriptor getDeltaScopedRoutesMethod;
+
+ @io.grpc.stub.annotations.RpcMethod(
+ fullMethodName = SERVICE_NAME + '/' + "DeltaScopedRoutes",
+ requestType = io.envoyproxy.envoy.api.v2.DeltaDiscoveryRequest.class,
+ responseType = io.envoyproxy.envoy.api.v2.DeltaDiscoveryResponse.class,
+ methodType = io.grpc.MethodDescriptor.MethodType.BIDI_STREAMING)
+ public static io.grpc.MethodDescriptor getDeltaScopedRoutesMethod() {
+ io.grpc.MethodDescriptor getDeltaScopedRoutesMethod;
+ if ((getDeltaScopedRoutesMethod = ScopedRoutesDiscoveryServiceGrpc.getDeltaScopedRoutesMethod) == null) {
+ synchronized (ScopedRoutesDiscoveryServiceGrpc.class) {
+ if ((getDeltaScopedRoutesMethod = ScopedRoutesDiscoveryServiceGrpc.getDeltaScopedRoutesMethod) == null) {
+ ScopedRoutesDiscoveryServiceGrpc.getDeltaScopedRoutesMethod = getDeltaScopedRoutesMethod =
+ io.grpc.MethodDescriptor.newBuilder()
+ .setType(io.grpc.MethodDescriptor.MethodType.BIDI_STREAMING)
+ .setFullMethodName(generateFullMethodName(SERVICE_NAME, "DeltaScopedRoutes"))
+ .setSampledToLocalTracing(true)
+ .setRequestMarshaller(io.grpc.protobuf.ProtoUtils.marshaller(
+ io.envoyproxy.envoy.api.v2.DeltaDiscoveryRequest.getDefaultInstance()))
+ .setResponseMarshaller(io.grpc.protobuf.ProtoUtils.marshaller(
+ io.envoyproxy.envoy.api.v2.DeltaDiscoveryResponse.getDefaultInstance()))
+ .setSchemaDescriptor(new ScopedRoutesDiscoveryServiceMethodDescriptorSupplier("DeltaScopedRoutes"))
+ .build();
+ }
+ }
+ }
+ return getDeltaScopedRoutesMethod;
+ }
+
+ private static volatile io.grpc.MethodDescriptor getFetchScopedRoutesMethod;
+
+ @io.grpc.stub.annotations.RpcMethod(
+ fullMethodName = SERVICE_NAME + '/' + "FetchScopedRoutes",
+ requestType = io.envoyproxy.envoy.api.v2.DiscoveryRequest.class,
+ responseType = io.envoyproxy.envoy.api.v2.DiscoveryResponse.class,
+ methodType = io.grpc.MethodDescriptor.MethodType.UNARY)
+ public static io.grpc.MethodDescriptor getFetchScopedRoutesMethod() {
+ io.grpc.MethodDescriptor getFetchScopedRoutesMethod;
+ if ((getFetchScopedRoutesMethod = ScopedRoutesDiscoveryServiceGrpc.getFetchScopedRoutesMethod) == null) {
+ synchronized (ScopedRoutesDiscoveryServiceGrpc.class) {
+ if ((getFetchScopedRoutesMethod = ScopedRoutesDiscoveryServiceGrpc.getFetchScopedRoutesMethod) == null) {
+ ScopedRoutesDiscoveryServiceGrpc.getFetchScopedRoutesMethod = getFetchScopedRoutesMethod =
+ io.grpc.MethodDescriptor.newBuilder()
+ .setType(io.grpc.MethodDescriptor.MethodType.UNARY)
+ .setFullMethodName(generateFullMethodName(SERVICE_NAME, "FetchScopedRoutes"))
+ .setSampledToLocalTracing(true)
+ .setRequestMarshaller(io.grpc.protobuf.ProtoUtils.marshaller(
+ io.envoyproxy.envoy.api.v2.DiscoveryRequest.getDefaultInstance()))
+ .setResponseMarshaller(io.grpc.protobuf.ProtoUtils.marshaller(
+ io.envoyproxy.envoy.api.v2.DiscoveryResponse.getDefaultInstance()))
+ .setSchemaDescriptor(new ScopedRoutesDiscoveryServiceMethodDescriptorSupplier("FetchScopedRoutes"))
+ .build();
+ }
+ }
+ }
+ return getFetchScopedRoutesMethod;
+ }
+
+ /**
+ * Creates a new async stub that supports all call types for the service
+ */
+ public static ScopedRoutesDiscoveryServiceStub newStub(io.grpc.Channel channel) {
+ io.grpc.stub.AbstractStub.StubFactory factory =
+ new io.grpc.stub.AbstractStub.StubFactory() {
+ @java.lang.Override
+ public ScopedRoutesDiscoveryServiceStub newStub(io.grpc.Channel channel, io.grpc.CallOptions callOptions) {
+ return new ScopedRoutesDiscoveryServiceStub(channel, callOptions);
+ }
+ };
+ return ScopedRoutesDiscoveryServiceStub.newStub(factory, channel);
+ }
+
+ /**
+ * Creates a new blocking-style stub that supports unary and streaming output calls on the service
+ */
+ public static ScopedRoutesDiscoveryServiceBlockingStub newBlockingStub(
+ io.grpc.Channel channel) {
+ io.grpc.stub.AbstractStub.StubFactory factory =
+ new io.grpc.stub.AbstractStub.StubFactory() {
+ @java.lang.Override
+ public ScopedRoutesDiscoveryServiceBlockingStub newStub(io.grpc.Channel channel, io.grpc.CallOptions callOptions) {
+ return new ScopedRoutesDiscoveryServiceBlockingStub(channel, callOptions);
+ }
+ };
+ return ScopedRoutesDiscoveryServiceBlockingStub.newStub(factory, channel);
+ }
+
+ /**
+ * Creates a new ListenableFuture-style stub that supports unary calls on the service
+ */
+ public static ScopedRoutesDiscoveryServiceFutureStub newFutureStub(
+ io.grpc.Channel channel) {
+ io.grpc.stub.AbstractStub.StubFactory factory =
+ new io.grpc.stub.AbstractStub.StubFactory() {
+ @java.lang.Override
+ public ScopedRoutesDiscoveryServiceFutureStub newStub(io.grpc.Channel channel, io.grpc.CallOptions callOptions) {
+ return new ScopedRoutesDiscoveryServiceFutureStub(channel, callOptions);
+ }
+ };
+ return ScopedRoutesDiscoveryServiceFutureStub.newStub(factory, channel);
+ }
+
+ /**
+ *
+ * [#protodoc-title: HTTP scoped routing configuration]
+ * * Routing :ref:`architecture overview <arch_overview_http_routing>`
+ * The Scoped Routes Discovery Service (SRDS) API distributes
+ * :ref:`ScopedRouteConfiguration<envoy_api_msg.ScopedRouteConfiguration>`
+ * resources. Each ScopedRouteConfiguration resource represents a "routing
+ * scope" containing a mapping that allows the HTTP connection manager to
+ * dynamically assign a routing table (specified via a
+ * :ref:`RouteConfiguration<envoy_api_msg_RouteConfiguration>` message) to each
+ * HTTP request.
+ *
+ */
+ public static abstract class ScopedRoutesDiscoveryServiceImplBase implements io.grpc.BindableService {
+
+ /**
+ */
+ public io.grpc.stub.StreamObserver streamScopedRoutes(
+ io.grpc.stub.StreamObserver responseObserver) {
+ return asyncUnimplementedStreamingCall(getStreamScopedRoutesMethod(), responseObserver);
+ }
+
+ /**
+ */
+ public io.grpc.stub.StreamObserver deltaScopedRoutes(
+ io.grpc.stub.StreamObserver responseObserver) {
+ return asyncUnimplementedStreamingCall(getDeltaScopedRoutesMethod(), responseObserver);
+ }
+
+ /**
+ */
+ public void fetchScopedRoutes(io.envoyproxy.envoy.api.v2.DiscoveryRequest request,
+ io.grpc.stub.StreamObserver responseObserver) {
+ asyncUnimplementedUnaryCall(getFetchScopedRoutesMethod(), responseObserver);
+ }
+
+ @java.lang.Override public final io.grpc.ServerServiceDefinition bindService() {
+ return io.grpc.ServerServiceDefinition.builder(getServiceDescriptor())
+ .addMethod(
+ getStreamScopedRoutesMethod(),
+ asyncBidiStreamingCall(
+ new MethodHandlers<
+ io.envoyproxy.envoy.api.v2.DiscoveryRequest,
+ io.envoyproxy.envoy.api.v2.DiscoveryResponse>(
+ this, METHODID_STREAM_SCOPED_ROUTES)))
+ .addMethod(
+ getDeltaScopedRoutesMethod(),
+ asyncBidiStreamingCall(
+ new MethodHandlers<
+ io.envoyproxy.envoy.api.v2.DeltaDiscoveryRequest,
+ io.envoyproxy.envoy.api.v2.DeltaDiscoveryResponse>(
+ this, METHODID_DELTA_SCOPED_ROUTES)))
+ .addMethod(
+ getFetchScopedRoutesMethod(),
+ asyncUnaryCall(
+ new MethodHandlers<
+ io.envoyproxy.envoy.api.v2.DiscoveryRequest,
+ io.envoyproxy.envoy.api.v2.DiscoveryResponse>(
+ this, METHODID_FETCH_SCOPED_ROUTES)))
+ .build();
+ }
+ }
+
+ /**
+ *
+ * [#protodoc-title: HTTP scoped routing configuration]
+ * * Routing :ref:`architecture overview <arch_overview_http_routing>`
+ * The Scoped Routes Discovery Service (SRDS) API distributes
+ * :ref:`ScopedRouteConfiguration<envoy_api_msg.ScopedRouteConfiguration>`
+ * resources. Each ScopedRouteConfiguration resource represents a "routing
+ * scope" containing a mapping that allows the HTTP connection manager to
+ * dynamically assign a routing table (specified via a
+ * :ref:`RouteConfiguration<envoy_api_msg_RouteConfiguration>` message) to each
+ * HTTP request.
+ *
+ */
+ public static final class ScopedRoutesDiscoveryServiceStub extends io.grpc.stub.AbstractAsyncStub {
+ private ScopedRoutesDiscoveryServiceStub(
+ io.grpc.Channel channel, io.grpc.CallOptions callOptions) {
+ super(channel, callOptions);
+ }
+
+ @java.lang.Override
+ protected ScopedRoutesDiscoveryServiceStub build(
+ io.grpc.Channel channel, io.grpc.CallOptions callOptions) {
+ return new ScopedRoutesDiscoveryServiceStub(channel, callOptions);
+ }
+
+ /**
+ */
+ public io.grpc.stub.StreamObserver streamScopedRoutes(
+ io.grpc.stub.StreamObserver responseObserver) {
+ return asyncBidiStreamingCall(
+ getChannel().newCall(getStreamScopedRoutesMethod(), getCallOptions()), responseObserver);
+ }
+
+ /**
+ */
+ public io.grpc.stub.StreamObserver deltaScopedRoutes(
+ io.grpc.stub.StreamObserver responseObserver) {
+ return asyncBidiStreamingCall(
+ getChannel().newCall(getDeltaScopedRoutesMethod(), getCallOptions()), responseObserver);
+ }
+
+ /**
+ */
+ public void fetchScopedRoutes(io.envoyproxy.envoy.api.v2.DiscoveryRequest request,
+ io.grpc.stub.StreamObserver responseObserver) {
+ asyncUnaryCall(
+ getChannel().newCall(getFetchScopedRoutesMethod(), getCallOptions()), request, responseObserver);
+ }
+ }
+
+ /**
+ *
+ * [#protodoc-title: HTTP scoped routing configuration]
+ * * Routing :ref:`architecture overview <arch_overview_http_routing>`
+ * The Scoped Routes Discovery Service (SRDS) API distributes
+ * :ref:`ScopedRouteConfiguration<envoy_api_msg.ScopedRouteConfiguration>`
+ * resources. Each ScopedRouteConfiguration resource represents a "routing
+ * scope" containing a mapping that allows the HTTP connection manager to
+ * dynamically assign a routing table (specified via a
+ * :ref:`RouteConfiguration<envoy_api_msg_RouteConfiguration>` message) to each
+ * HTTP request.
+ *
+ */
+ public static final class ScopedRoutesDiscoveryServiceBlockingStub extends io.grpc.stub.AbstractBlockingStub {
+ private ScopedRoutesDiscoveryServiceBlockingStub(
+ io.grpc.Channel channel, io.grpc.CallOptions callOptions) {
+ super(channel, callOptions);
+ }
+
+ @java.lang.Override
+ protected ScopedRoutesDiscoveryServiceBlockingStub build(
+ io.grpc.Channel channel, io.grpc.CallOptions callOptions) {
+ return new ScopedRoutesDiscoveryServiceBlockingStub(channel, callOptions);
+ }
+
+ /**
+ */
+ public io.envoyproxy.envoy.api.v2.DiscoveryResponse fetchScopedRoutes(io.envoyproxy.envoy.api.v2.DiscoveryRequest request) {
+ return blockingUnaryCall(
+ getChannel(), getFetchScopedRoutesMethod(), getCallOptions(), request);
+ }
+ }
+
+ /**
+ *
+ * [#protodoc-title: HTTP scoped routing configuration]
+ * * Routing :ref:`architecture overview <arch_overview_http_routing>`
+ * The Scoped Routes Discovery Service (SRDS) API distributes
+ * :ref:`ScopedRouteConfiguration<envoy_api_msg.ScopedRouteConfiguration>`
+ * resources. Each ScopedRouteConfiguration resource represents a "routing
+ * scope" containing a mapping that allows the HTTP connection manager to
+ * dynamically assign a routing table (specified via a
+ * :ref:`RouteConfiguration<envoy_api_msg_RouteConfiguration>` message) to each
+ * HTTP request.
+ *
+ */
+ public static final class ScopedRoutesDiscoveryServiceFutureStub extends io.grpc.stub.AbstractFutureStub {
+ private ScopedRoutesDiscoveryServiceFutureStub(
+ io.grpc.Channel channel, io.grpc.CallOptions callOptions) {
+ super(channel, callOptions);
+ }
+
+ @java.lang.Override
+ protected ScopedRoutesDiscoveryServiceFutureStub build(
+ io.grpc.Channel channel, io.grpc.CallOptions callOptions) {
+ return new ScopedRoutesDiscoveryServiceFutureStub(channel, callOptions);
+ }
+
+ /**
+ */
+ public com.google.common.util.concurrent.ListenableFuture fetchScopedRoutes(
+ io.envoyproxy.envoy.api.v2.DiscoveryRequest request) {
+ return futureUnaryCall(
+ getChannel().newCall(getFetchScopedRoutesMethod(), getCallOptions()), request);
+ }
+ }
+
+ private static final int METHODID_FETCH_SCOPED_ROUTES = 0;
+ private static final int METHODID_STREAM_SCOPED_ROUTES = 1;
+ private static final int METHODID_DELTA_SCOPED_ROUTES = 2;
+
+ private static final class MethodHandlers implements
+ io.grpc.stub.ServerCalls.UnaryMethod,
+ io.grpc.stub.ServerCalls.ServerStreamingMethod,
+ io.grpc.stub.ServerCalls.ClientStreamingMethod,
+ io.grpc.stub.ServerCalls.BidiStreamingMethod {
+ private final ScopedRoutesDiscoveryServiceImplBase serviceImpl;
+ private final int methodId;
+
+ MethodHandlers(ScopedRoutesDiscoveryServiceImplBase serviceImpl, int methodId) {
+ this.serviceImpl = serviceImpl;
+ this.methodId = methodId;
+ }
+
+ @java.lang.Override
+ @java.lang.SuppressWarnings("unchecked")
+ public void invoke(Req request, io.grpc.stub.StreamObserver responseObserver) {
+ switch (methodId) {
+ case METHODID_FETCH_SCOPED_ROUTES:
+ serviceImpl.fetchScopedRoutes((io.envoyproxy.envoy.api.v2.DiscoveryRequest) request,
+ (io.grpc.stub.StreamObserver) responseObserver);
+ break;
+ default:
+ throw new AssertionError();
+ }
+ }
+
+ @java.lang.Override
+ @java.lang.SuppressWarnings("unchecked")
+ public io.grpc.stub.StreamObserver invoke(
+ io.grpc.stub.StreamObserver responseObserver) {
+ switch (methodId) {
+ case METHODID_STREAM_SCOPED_ROUTES:
+ return (io.grpc.stub.StreamObserver) serviceImpl.streamScopedRoutes(
+ (io.grpc.stub.StreamObserver) responseObserver);
+ case METHODID_DELTA_SCOPED_ROUTES:
+ return (io.grpc.stub.StreamObserver) serviceImpl.deltaScopedRoutes(
+ (io.grpc.stub.StreamObserver) responseObserver);
+ default:
+ throw new AssertionError();
+ }
+ }
+ }
+
+ private static abstract class ScopedRoutesDiscoveryServiceBaseDescriptorSupplier
+ implements io.grpc.protobuf.ProtoFileDescriptorSupplier, io.grpc.protobuf.ProtoServiceDescriptorSupplier {
+ ScopedRoutesDiscoveryServiceBaseDescriptorSupplier() {}
+
+ @java.lang.Override
+ public com.google.protobuf.Descriptors.FileDescriptor getFileDescriptor() {
+ return io.envoyproxy.envoy.api.v2.SrdsProto.getDescriptor();
+ }
+
+ @java.lang.Override
+ public com.google.protobuf.Descriptors.ServiceDescriptor getServiceDescriptor() {
+ return getFileDescriptor().findServiceByName("ScopedRoutesDiscoveryService");
+ }
+ }
+
+ private static final class ScopedRoutesDiscoveryServiceFileDescriptorSupplier
+ extends ScopedRoutesDiscoveryServiceBaseDescriptorSupplier {
+ ScopedRoutesDiscoveryServiceFileDescriptorSupplier() {}
+ }
+
+ private static final class ScopedRoutesDiscoveryServiceMethodDescriptorSupplier
+ extends ScopedRoutesDiscoveryServiceBaseDescriptorSupplier
+ implements io.grpc.protobuf.ProtoMethodDescriptorSupplier {
+ private final String methodName;
+
+ ScopedRoutesDiscoveryServiceMethodDescriptorSupplier(String methodName) {
+ this.methodName = methodName;
+ }
+
+ @java.lang.Override
+ public com.google.protobuf.Descriptors.MethodDescriptor getMethodDescriptor() {
+ return getServiceDescriptor().findMethodByName(methodName);
+ }
+ }
+
+ private static volatile io.grpc.ServiceDescriptor serviceDescriptor;
+
+ public static io.grpc.ServiceDescriptor getServiceDescriptor() {
+ io.grpc.ServiceDescriptor result = serviceDescriptor;
+ if (result == null) {
+ synchronized (ScopedRoutesDiscoveryServiceGrpc.class) {
+ result = serviceDescriptor;
+ if (result == null) {
+ serviceDescriptor = result = io.grpc.ServiceDescriptor.newBuilder(SERVICE_NAME)
+ .setSchemaDescriptor(new ScopedRoutesDiscoveryServiceFileDescriptorSupplier())
+ .addMethod(getStreamScopedRoutesMethod())
+ .addMethod(getDeltaScopedRoutesMethod())
+ .addMethod(getFetchScopedRoutesMethod())
+ .build();
+ }
+ }
+ }
+ return result;
+ }
+}
diff --git a/xds/third_party/envoy/import.sh b/xds/third_party/envoy/import.sh
index dab909c62fe..3088c312719 100755
--- a/xds/third_party/envoy/import.sh
+++ b/xds/third_party/envoy/import.sh
@@ -45,6 +45,9 @@ envoy/api/v2/listener/listener.proto
envoy/api/v2/listener/udp_listener_config.proto
envoy/api/v2/rds.proto
envoy/api/v2/route/route.proto
+envoy/api/v2/srds.proto
+envoy/config/filter/accesslog/v2/accesslog.proto
+envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto
envoy/config/listener/v2/api_listener.proto
envoy/service/discovery/v2/ads.proto
envoy/service/load_stats/v2/lrs.proto
diff --git a/xds/third_party/envoy/src/main/proto/envoy/api/v2/srds.proto b/xds/third_party/envoy/src/main/proto/envoy/api/v2/srds.proto
new file mode 100644
index 00000000000..224ae070774
--- /dev/null
+++ b/xds/third_party/envoy/src/main/proto/envoy/api/v2/srds.proto
@@ -0,0 +1,133 @@
+syntax = "proto3";
+
+package envoy.api.v2;
+
+option java_outer_classname = "SrdsProto";
+option java_multiple_files = true;
+option java_package = "io.envoyproxy.envoy.api.v2";
+option java_generic_services = true;
+
+import "envoy/api/v2/discovery.proto";
+
+import "google/api/annotations.proto";
+
+import "validate/validate.proto";
+
+// [#protodoc-title: HTTP scoped routing configuration]
+// * Routing :ref:`architecture overview `
+//
+// The Scoped Routes Discovery Service (SRDS) API distributes
+// :ref:`ScopedRouteConfiguration`
+// resources. Each ScopedRouteConfiguration resource represents a "routing
+// scope" containing a mapping that allows the HTTP connection manager to
+// dynamically assign a routing table (specified via a
+// :ref:`RouteConfiguration` message) to each
+// HTTP request.
+service ScopedRoutesDiscoveryService {
+ rpc StreamScopedRoutes(stream DiscoveryRequest) returns (stream DiscoveryResponse) {
+ }
+
+ rpc DeltaScopedRoutes(stream DeltaDiscoveryRequest) returns (stream DeltaDiscoveryResponse) {
+ }
+
+ rpc FetchScopedRoutes(DiscoveryRequest) returns (DiscoveryResponse) {
+ option (google.api.http) = {
+ post: "/v2/discovery:scoped-routes"
+ body: "*"
+ };
+ }
+}
+
+// Specifies a routing scope, which associates a
+// :ref:`Key` to a
+// :ref:`envoy_api_msg_RouteConfiguration` (identified by its resource name).
+//
+// The HTTP connection manager builds up a table consisting of these Key to
+// RouteConfiguration mappings, and looks up the RouteConfiguration to use per
+// request according to the algorithm specified in the
+// :ref:`scope_key_builder`
+// assigned to the HttpConnectionManager.
+//
+// For example, with the following configurations (in YAML):
+//
+// HttpConnectionManager config:
+//
+// .. code::
+//
+// ...
+// scoped_routes:
+// name: foo-scoped-routes
+// scope_key_builder:
+// fragments:
+// - header_value_extractor:
+// name: X-Route-Selector
+// element_separator: ,
+// element:
+// separator: =
+// key: vip
+//
+// ScopedRouteConfiguration resources (specified statically via
+// :ref:`scoped_route_configurations_list`
+// or obtained dynamically via SRDS):
+//
+// .. code::
+//
+// (1)
+// name: route-scope1
+// route_configuration_name: route-config1
+// key:
+// fragments:
+// - string_key: 172.10.10.20
+//
+// (2)
+// name: route-scope2
+// route_configuration_name: route-config2
+// key:
+// fragments:
+// - string_key: 172.20.20.30
+//
+// A request from a client such as:
+//
+// .. code::
+//
+// GET / HTTP/1.1
+// Host: foo.com
+// X-Route-Selector: vip=172.10.10.20
+//
+// would result in the routing table defined by the `route-config1`
+// RouteConfiguration being assigned to the HTTP request/stream.
+//
+// [#comment:next free field: 4]
+message ScopedRouteConfiguration {
+ // Specifies a key which is matched against the output of the
+ // :ref:`scope_key_builder`
+ // specified in the HttpConnectionManager. The matching is done per HTTP
+ // request and is dependent on the order of the fragments contained in the
+ // Key.
+ message Key {
+ message Fragment {
+ oneof type {
+ option (validate.required) = true;
+
+ // A string to match against.
+ string string_key = 1;
+ }
+ }
+
+ // The ordered set of fragments to match against. The order must match the
+ // fragments in the corresponding
+ // :ref:`scope_key_builder`.
+ repeated Fragment fragments = 1 [(validate.rules).repeated = {min_items: 1}];
+ }
+
+ // The name assigned to the routing scope.
+ string name = 1 [(validate.rules).string = {min_bytes: 1}];
+
+ // The resource name to use for a :ref:`envoy_api_msg_DiscoveryRequest` to an
+ // RDS server to fetch the :ref:`envoy_api_msg_RouteConfiguration` associated
+ // with this scope.
+ string route_configuration_name = 2 [(validate.rules).string = {min_bytes: 1}];
+
+ // The key to match against.
+ Key key = 3 [(validate.rules).message = {required: true}];
+}
diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/filter/accesslog/v2/accesslog.proto b/xds/third_party/envoy/src/main/proto/envoy/config/filter/accesslog/v2/accesslog.proto
new file mode 100644
index 00000000000..8810e050e95
--- /dev/null
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/filter/accesslog/v2/accesslog.proto
@@ -0,0 +1,250 @@
+syntax = "proto3";
+
+package envoy.config.filter.accesslog.v2;
+
+option java_outer_classname = "AccesslogProto";
+option java_multiple_files = true;
+option java_package = "io.envoyproxy.envoy.config.filter.accesslog.v2";
+
+import "envoy/api/v2/core/base.proto";
+import "envoy/api/v2/route/route.proto";
+import "envoy/type/percent.proto";
+
+import "google/protobuf/any.proto";
+import "google/protobuf/struct.proto";
+
+import "validate/validate.proto";
+
+// [#protodoc-title: Common access log types]
+
+message AccessLog {
+ // The name of the access log implementation to instantiate. The name must
+ // match a statically registered access log. Current built-in loggers include:
+ //
+ // #. "envoy.file_access_log"
+ // #. "envoy.http_grpc_access_log"
+ // #. "envoy.tcp_grpc_access_log"
+ string name = 1;
+
+ // Filter which is used to determine if the access log needs to be written.
+ AccessLogFilter filter = 2;
+
+ // Custom configuration that depends on the access log being instantiated. Built-in
+ // configurations include:
+ //
+ // #. "envoy.file_access_log": :ref:`FileAccessLog
+ // `
+ // #. "envoy.http_grpc_access_log": :ref:`HttpGrpcAccessLogConfig
+ // `
+ // #. "envoy.tcp_grpc_access_log": :ref:`TcpGrpcAccessLogConfig
+ // `
+ oneof config_type {
+ google.protobuf.Struct config = 3;
+
+ google.protobuf.Any typed_config = 4;
+ }
+}
+
+message AccessLogFilter {
+ oneof filter_specifier {
+ option (validate.required) = true;
+
+ // Status code filter.
+ StatusCodeFilter status_code_filter = 1;
+
+ // Duration filter.
+ DurationFilter duration_filter = 2;
+
+ // Not health check filter.
+ NotHealthCheckFilter not_health_check_filter = 3;
+
+ // Traceable filter.
+ TraceableFilter traceable_filter = 4;
+
+ // Runtime filter.
+ RuntimeFilter runtime_filter = 5;
+
+ // And filter.
+ AndFilter and_filter = 6;
+
+ // Or filter.
+ OrFilter or_filter = 7;
+
+ // Header filter.
+ HeaderFilter header_filter = 8;
+
+ // Response flag filter.
+ ResponseFlagFilter response_flag_filter = 9;
+
+ // gRPC status filter.
+ GrpcStatusFilter grpc_status_filter = 10;
+
+ // Extension filter.
+ ExtensionFilter extension_filter = 11;
+ }
+}
+
+// Filter on an integer comparison.
+message ComparisonFilter {
+ enum Op {
+ // =
+ EQ = 0;
+
+ // >=
+ GE = 1;
+
+ // <=
+ LE = 2;
+ }
+
+ // Comparison operator.
+ Op op = 1 [(validate.rules).enum = {defined_only: true}];
+
+ // Value to compare against.
+ api.v2.core.RuntimeUInt32 value = 2;
+}
+
+// Filters on HTTP response/status code.
+message StatusCodeFilter {
+ // Comparison.
+ ComparisonFilter comparison = 1 [(validate.rules).message = {required: true}];
+}
+
+// Filters on total request duration in milliseconds.
+message DurationFilter {
+ // Comparison.
+ ComparisonFilter comparison = 1 [(validate.rules).message = {required: true}];
+}
+
+// Filters for requests that are not health check requests. A health check
+// request is marked by the health check filter.
+message NotHealthCheckFilter {
+}
+
+// Filters for requests that are traceable. See the tracing overview for more
+// information on how a request becomes traceable.
+message TraceableFilter {
+}
+
+// Filters for random sampling of requests.
+message RuntimeFilter {
+ // Runtime key to get an optional overridden numerator for use in the *percent_sampled* field.
+ // If found in runtime, this value will replace the default numerator.
+ string runtime_key = 1 [(validate.rules).string = {min_bytes: 1}];
+
+ // The default sampling percentage. If not specified, defaults to 0% with denominator of 100.
+ type.FractionalPercent percent_sampled = 2;
+
+ // By default, sampling pivots on the header
+ // :ref:`x-request-id` being present. If
+ // :ref:`x-request-id` is present, the filter will
+ // consistently sample across multiple hosts based on the runtime key value and the value
+ // extracted from :ref:`x-request-id`. If it is
+ // missing, or *use_independent_randomness* is set to true, the filter will randomly sample based
+ // on the runtime key value alone. *use_independent_randomness* can be used for logging kill
+ // switches within complex nested :ref:`AndFilter
+ // ` and :ref:`OrFilter
+ // ` blocks that are easier to reason about
+ // from a probability perspective (i.e., setting to true will cause the filter to behave like
+ // an independent random variable when composed within logical operator filters).
+ bool use_independent_randomness = 3;
+}
+
+// Performs a logical “and” operation on the result of each filter in filters.
+// Filters are evaluated sequentially and if one of them returns false, the
+// filter returns false immediately.
+message AndFilter {
+ repeated AccessLogFilter filters = 1 [(validate.rules).repeated = {min_items: 2}];
+}
+
+// Performs a logical “or” operation on the result of each individual filter.
+// Filters are evaluated sequentially and if one of them returns true, the
+// filter returns true immediately.
+message OrFilter {
+ repeated AccessLogFilter filters = 2 [(validate.rules).repeated = {min_items: 2}];
+}
+
+// Filters requests based on the presence or value of a request header.
+message HeaderFilter {
+ // Only requests with a header which matches the specified HeaderMatcher will pass the filter
+ // check.
+ api.v2.route.HeaderMatcher header = 1 [(validate.rules).message = {required: true}];
+}
+
+// Filters requests that received responses with an Envoy response flag set.
+// A list of the response flags can be found
+// in the access log formatter :ref:`documentation`.
+message ResponseFlagFilter {
+ // Only responses with the any of the flags listed in this field will be logged.
+ // This field is optional. If it is not specified, then any response flag will pass
+ // the filter check.
+ repeated string flags = 1 [(validate.rules).repeated = {
+ items {
+ string {
+ in: "LH"
+ in: "UH"
+ in: "UT"
+ in: "LR"
+ in: "UR"
+ in: "UF"
+ in: "UC"
+ in: "UO"
+ in: "NR"
+ in: "DI"
+ in: "FI"
+ in: "RL"
+ in: "UAEX"
+ in: "RLSE"
+ in: "DC"
+ in: "URX"
+ in: "SI"
+ in: "IH"
+ }
+ }
+ }];
+}
+
+// Filters gRPC requests based on their response status. If a gRPC status is not provided, the
+// filter will infer the status from the HTTP status code.
+message GrpcStatusFilter {
+ enum Status {
+ OK = 0;
+ CANCELED = 1;
+ UNKNOWN = 2;
+ INVALID_ARGUMENT = 3;
+ DEADLINE_EXCEEDED = 4;
+ NOT_FOUND = 5;
+ ALREADY_EXISTS = 6;
+ PERMISSION_DENIED = 7;
+ RESOURCE_EXHAUSTED = 8;
+ FAILED_PRECONDITION = 9;
+ ABORTED = 10;
+ OUT_OF_RANGE = 11;
+ UNIMPLEMENTED = 12;
+ INTERNAL = 13;
+ UNAVAILABLE = 14;
+ DATA_LOSS = 15;
+ UNAUTHENTICATED = 16;
+ }
+
+ // Logs only responses that have any one of the gRPC statuses in this field.
+ repeated Status statuses = 1 [(validate.rules).repeated = {items {enum {defined_only: true}}}];
+
+ // If included and set to true, the filter will instead block all responses with a gRPC status or
+ // inferred gRPC status enumerated in statuses, and allow all other responses.
+ bool exclude = 2;
+}
+
+// Extension filter is statically registered at runtime.
+message ExtensionFilter {
+ // The name of the filter implementation to instantiate. The name must
+ // match a statically registered filter.
+ string name = 1;
+
+ // Custom configuration that depends on the filter being instantiated.
+ oneof config_type {
+ google.protobuf.Struct config = 2;
+
+ google.protobuf.Any typed_config = 3;
+ }
+}
diff --git a/xds/third_party/envoy/src/main/proto/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto b/xds/third_party/envoy/src/main/proto/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto
new file mode 100644
index 00000000000..efdfb4be939
--- /dev/null
+++ b/xds/third_party/envoy/src/main/proto/envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto
@@ -0,0 +1,604 @@
+syntax = "proto3";
+
+package envoy.config.filter.network.http_connection_manager.v2;
+
+option java_outer_classname = "HttpConnectionManagerProto";
+option java_multiple_files = true;
+option java_package = "io.envoyproxy.envoy.config.filter.network.http_connection_manager.v2";
+
+import "envoy/api/v2/core/config_source.proto";
+import "envoy/api/v2/core/protocol.proto";
+import "envoy/api/v2/rds.proto";
+import "envoy/api/v2/srds.proto";
+import "envoy/config/filter/accesslog/v2/accesslog.proto";
+import "envoy/type/percent.proto";
+
+import "google/protobuf/any.proto";
+import "google/protobuf/duration.proto";
+import "google/protobuf/struct.proto";
+import "google/protobuf/wrappers.proto";
+
+import "validate/validate.proto";
+
+// [#protodoc-title: HTTP connection manager]
+// HTTP connection manager :ref:`configuration overview `.
+
+// [#comment:next free field: 35]
+message HttpConnectionManager {
+ enum CodecType {
+ // For every new connection, the connection manager will determine which
+ // codec to use. This mode supports both ALPN for TLS listeners as well as
+ // protocol inference for plaintext listeners. If ALPN data is available, it
+ // is preferred, otherwise protocol inference is used. In almost all cases,
+ // this is the right option to choose for this setting.
+ AUTO = 0;
+
+ // The connection manager will assume that the client is speaking HTTP/1.1.
+ HTTP1 = 1;
+
+ // The connection manager will assume that the client is speaking HTTP/2
+ // (Envoy does not require HTTP/2 to take place over TLS or to use ALPN.
+ // Prior knowledge is allowed).
+ HTTP2 = 2;
+ }
+
+ enum ServerHeaderTransformation {
+ // Overwrite any Server header with the contents of server_name.
+ OVERWRITE = 0;
+
+ // If no Server header is present, append Server server_name
+ // If a Server header is present, pass it through.
+ APPEND_IF_ABSENT = 1;
+
+ // Pass through the value of the server header, and do not append a header
+ // if none is present.
+ PASS_THROUGH = 2;
+ }
+
+ // How to handle the :ref:`config_http_conn_man_headers_x-forwarded-client-cert` (XFCC) HTTP
+ // header.
+ enum ForwardClientCertDetails {
+ // Do not send the XFCC header to the next hop. This is the default value.
+ SANITIZE = 0;
+
+ // When the client connection is mTLS (Mutual TLS), forward the XFCC header
+ // in the request.
+ FORWARD_ONLY = 1;
+
+ // When the client connection is mTLS, append the client certificate
+ // information to the request’s XFCC header and forward it.
+ APPEND_FORWARD = 2;
+
+ // When the client connection is mTLS, reset the XFCC header with the client
+ // certificate information and send it to the next hop.
+ SANITIZE_SET = 3;
+
+ // Always forward the XFCC header in the request, regardless of whether the
+ // client connection is mTLS.
+ ALWAYS_FORWARD_ONLY = 4;
+ }
+
+ message Tracing {
+ enum OperationName {
+ // The HTTP listener is used for ingress/incoming requests.
+ INGRESS = 0;
+
+ // The HTTP listener is used for egress/outgoing requests.
+ EGRESS = 1;
+ }
+
+ // The span name will be derived from this field. If
+ // :ref:`traffic_direction ` is
+ // specified on the parent listener, then it is used instead of this field.
+ //
+ // .. attention::
+ // This field has been deprecated in favor of `traffic_direction`.
+ OperationName operation_name = 1
+ [(validate.rules).enum = {defined_only: true}, deprecated = true];
+
+ // A list of header names used to create tags for the active span. The header name is used to
+ // populate the tag name, and the header value is used to populate the tag value. The tag is
+ // created if the specified header name is present in the request's headers.
+ repeated string request_headers_for_tags = 2;
+
+ // Target percentage of requests managed by this HTTP connection manager that will be force
+ // traced if the :ref:`x-client-trace-id `
+ // header is set. This field is a direct analog for the runtime variable
+ // 'tracing.client_sampling' in the :ref:`HTTP Connection Manager
+ // `.
+ // Default: 100%
+ type.Percent client_sampling = 3;
+
+ // Target percentage of requests managed by this HTTP connection manager that will be randomly
+ // selected for trace generation, if not requested by the client or not forced. This field is
+ // a direct analog for the runtime variable 'tracing.random_sampling' in the
+ // :ref:`HTTP Connection Manager `.
+ // Default: 100%
+ type.Percent random_sampling = 4;
+
+ // Target percentage of requests managed by this HTTP connection manager that will be traced
+ // after all other sampling checks have been applied (client-directed, force tracing, random
+ // sampling). This field functions as an upper limit on the total configured sampling rate. For
+ // instance, setting client_sampling to 100% but overall_sampling to 1% will result in only 1%
+ // of client requests with the appropriate headers to be force traced. This field is a direct
+ // analog for the runtime variable 'tracing.global_enabled' in the
+ // :ref:`HTTP Connection Manager `.
+ // Default: 100%
+ type.Percent overall_sampling = 5;
+
+ // Whether to annotate spans with additional data. If true, spans will include logs for stream
+ // events.
+ bool verbose = 6;
+
+ // Maximum length of the request path to extract and include in the HttpUrl tag. Used to
+ // truncate lengthy request paths to meet the needs of a tracing backend.
+ // Default: 256
+ google.protobuf.UInt32Value max_path_tag_length = 7;
+ }
+
+ message InternalAddressConfig {
+ // Whether unix socket addresses should be considered internal.
+ bool unix_sockets = 1;
+ }
+
+ // [#comment:next free field: 7]
+ message SetCurrentClientCertDetails {
+ reserved 2;
+
+ // Whether to forward the subject of the client cert. Defaults to false.
+ google.protobuf.BoolValue subject = 1;
+
+ // Whether to forward the entire client cert in URL encoded PEM format. This will appear in the
+ // XFCC header comma separated from other values with the value Cert="PEM".
+ // Defaults to false.
+ bool cert = 3;
+
+ // Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM
+ // format. This will appear in the XFCC header comma separated from other values with the value
+ // Chain="PEM".
+ // Defaults to false.
+ bool chain = 6;
+
+ // Whether to forward the DNS type Subject Alternative Names of the client cert.
+ // Defaults to false.
+ bool dns = 4;
+
+ // Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to
+ // false.
+ bool uri = 5;
+ }
+
+ // The configuration for HTTP upgrades.
+ // For each upgrade type desired, an UpgradeConfig must be added.
+ //
+ // .. warning::
+ //
+ // The current implementation of upgrade headers does not handle
+ // multi-valued upgrade headers. Support for multi-valued headers may be
+ // added in the future if needed.
+ //
+ // .. warning::
+ // The current implementation of upgrade headers does not work with HTTP/2
+ // upstreams.
+ message UpgradeConfig {
+ // The case-insensitive name of this upgrade, e.g. "websocket".
+ // For each upgrade type present in upgrade_configs, requests with
+ // Upgrade: [upgrade_type]
+ // will be proxied upstream.
+ string upgrade_type = 1;
+
+ // If present, this represents the filter chain which will be created for
+ // this type of upgrade. If no filters are present, the filter chain for
+ // HTTP connections will be used for this upgrade type.
+ repeated HttpFilter filters = 2;
+
+ // Determines if upgrades are enabled or disabled by default. Defaults to true.
+ // This can be overridden on a per-route basis with :ref:`cluster
+ // ` as documented in the
+ // :ref:`upgrade documentation `.
+ google.protobuf.BoolValue enabled = 3;
+ }
+
+ reserved 27;
+
+ // Supplies the type of codec that the connection manager should use.
+ CodecType codec_type = 1 [(validate.rules).enum = {defined_only: true}];
+
+ // The human readable prefix to use when emitting statistics for the
+ // connection manager. See the :ref:`statistics documentation ` for
+ // more information.
+ string stat_prefix = 2 [(validate.rules).string = {min_bytes: 1}];
+
+ oneof route_specifier {
+ option (validate.required) = true;
+
+ // The connection manager’s route table will be dynamically loaded via the RDS API.
+ Rds rds = 3;
+
+ // The route table for the connection manager is static and is specified in this property.
+ api.v2.RouteConfiguration route_config = 4;
+
+ // A route table will be dynamically assigned to each request based on request attributes
+ // (e.g., the value of a header). The "routing scopes" (i.e., route tables) and "scope keys" are
+ // specified in this message.
+ ScopedRoutes scoped_routes = 31;
+ }
+
+ // A list of individual HTTP filters that make up the filter chain for
+ // requests made to the connection manager. Order matters as the filters are
+ // processed sequentially as request events happen.
+ repeated HttpFilter http_filters = 5;
+
+ // Whether the connection manager manipulates the :ref:`config_http_conn_man_headers_user-agent`
+ // and :ref:`config_http_conn_man_headers_downstream-service-cluster` headers. See the linked
+ // documentation for more information. Defaults to false.
+ google.protobuf.BoolValue add_user_agent = 6;
+
+ // Presence of the object defines whether the connection manager
+ // emits :ref:`tracing ` data to the :ref:`configured tracing provider
+ // `.
+ Tracing tracing = 7;
+
+ // Additional HTTP/1 settings that are passed to the HTTP/1 codec.
+ api.v2.core.Http1ProtocolOptions http_protocol_options = 8;
+
+ // Additional HTTP/2 settings that are passed directly to the HTTP/2 codec.
+ api.v2.core.Http2ProtocolOptions http2_protocol_options = 9;
+
+ // An optional override that the connection manager will write to the server
+ // header in responses. If not set, the default is *envoy*.
+ string server_name = 10;
+
+ // Defines the action to be applied to the Server header on the response path.
+ // By default, Envoy will overwrite the header with the value specified in
+ // server_name.
+ ServerHeaderTransformation server_header_transformation = 34
+ [(validate.rules).enum = {defined_only: true}];
+
+ // The maximum request headers size for incoming connections.
+ // If unconfigured, the default max request headers allowed is 60 KiB.
+ // Requests that exceed this limit will receive a 431 response.
+ // The max configurable limit is 96 KiB, based on current implementation
+ // constraints.
+ google.protobuf.UInt32Value max_request_headers_kb = 29
+ [(validate.rules).uint32 = {lte: 96 gt: 0}];
+
+ // The idle timeout for connections managed by the connection manager. The
+ // idle timeout is defined as the period in which there are no active
+ // requests. If not set, there is no idle timeout. When the idle timeout is
+ // reached the connection will be closed. If the connection is an HTTP/2
+ // connection a drain sequence will occur prior to closing the connection. See
+ // :ref:`drain_timeout
+ // `.
+ google.protobuf.Duration idle_timeout = 11;
+
+ // The stream idle timeout for connections managed by the connection manager.
+ // If not specified, this defaults to 5 minutes. The default value was selected
+ // so as not to interfere with any smaller configured timeouts that may have
+ // existed in configurations prior to the introduction of this feature, while
+ // introducing robustness to TCP connections that terminate without a FIN.
+ //
+ // This idle timeout applies to new streams and is overridable by the
+ // :ref:`route-level idle_timeout
+ // `. Even on a stream in
+ // which the override applies, prior to receipt of the initial request
+ // headers, the :ref:`stream_idle_timeout
+ // `
+ // applies. Each time an encode/decode event for headers or data is processed
+ // for the stream, the timer will be reset. If the timeout fires, the stream
+ // is terminated with a 408 Request Timeout error code if no upstream response
+ // header has been received, otherwise a stream reset occurs.
+ //
+ // Note that it is possible to idle timeout even if the wire traffic for a stream is non-idle, due
+ // to the granularity of events presented to the connection manager. For example, while receiving
+ // very large request headers, it may be the case that there is traffic regularly arriving on the
+ // wire while the connection manage is only able to observe the end-of-headers event, hence the
+ // stream may still idle timeout.
+ //
+ // A value of 0 will completely disable the connection manager stream idle
+ // timeout, although per-route idle timeout overrides will continue to apply.
+ google.protobuf.Duration stream_idle_timeout = 24;
+
+ // A timeout for idle requests managed by the connection manager.
+ // The timer is activated when the request is initiated, and is disarmed when the last byte of the
+ // request is sent upstream (i.e. all decoding filters have processed the request), OR when the
+ // response is initiated. If not specified or set to 0, this timeout is disabled.
+ google.protobuf.Duration request_timeout = 28;
+
+ // The time that Envoy will wait between sending an HTTP/2 “shutdown
+ // notification” (GOAWAY frame with max stream ID) and a final GOAWAY frame.
+ // This is used so that Envoy provides a grace period for new streams that
+ // race with the final GOAWAY frame. During this grace period, Envoy will
+ // continue to accept new streams. After the grace period, a final GOAWAY
+ // frame is sent and Envoy will start refusing new streams. Draining occurs
+ // both when a connection hits the idle timeout or during general server
+ // draining. The default grace period is 5000 milliseconds (5 seconds) if this
+ // option is not specified.
+ google.protobuf.Duration drain_timeout = 12;
+
+ // The delayed close timeout is for downstream connections managed by the HTTP connection manager.
+ // It is defined as a grace period after connection close processing has been locally initiated
+ // during which Envoy will wait for the peer to close (i.e., a TCP FIN/RST is received by Envoy
+ // from the downstream connection) prior to Envoy closing the socket associated with that
+ // connection.
+ // NOTE: This timeout is enforced even when the socket associated with the downstream connection
+ // is pending a flush of the write buffer. However, any progress made writing data to the socket
+ // will restart the timer associated with this timeout. This means that the total grace period for
+ // a socket in this state will be
+ // +.
+ //
+ // Delaying Envoy's connection close and giving the peer the opportunity to initiate the close
+ // sequence mitigates a race condition that exists when downstream clients do not drain/process
+ // data in a connection's receive buffer after a remote close has been detected via a socket
+ // write(). This race leads to such clients failing to process the response code sent by Envoy,
+ // which could result in erroneous downstream processing.
+ //
+ // If the timeout triggers, Envoy will close the connection's socket.
+ //
+ // The default timeout is 1000 ms if this option is not specified.
+ //
+ // .. NOTE::
+ // To be useful in avoiding the race condition described above, this timeout must be set
+ // to *at least* +<100ms to account for
+ // a reasonsable "worst" case processing time for a full iteration of Envoy's event loop>.
+ //
+ // .. WARNING::
+ // A value of 0 will completely disable delayed close processing. When disabled, the downstream
+ // connection's socket will be closed immediately after the write flush is completed or will
+ // never close if the write flush does not complete.
+ google.protobuf.Duration delayed_close_timeout = 26;
+
+ // Configuration for :ref:`HTTP access logs `
+ // emitted by the connection manager.
+ repeated accesslog.v2.AccessLog access_log = 13;
+
+ // If set to true, the connection manager will use the real remote address
+ // of the client connection when determining internal versus external origin and manipulating
+ // various headers. If set to false or absent, the connection manager will use the
+ // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header. See the documentation for
+ // :ref:`config_http_conn_man_headers_x-forwarded-for`,
+ // :ref:`config_http_conn_man_headers_x-envoy-internal`, and
+ // :ref:`config_http_conn_man_headers_x-envoy-external-address` for more information.
+ google.protobuf.BoolValue use_remote_address = 14;
+
+ // The number of additional ingress proxy hops from the right side of the
+ // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header to trust when
+ // determining the origin client's IP address. The default is zero if this option
+ // is not specified. See the documentation for
+ // :ref:`config_http_conn_man_headers_x-forwarded-for` for more information.
+ uint32 xff_num_trusted_hops = 19;
+
+ // Configures what network addresses are considered internal for stats and header sanitation
+ // purposes. If unspecified, only RFC1918 IP addresses will be considered internal.
+ // See the documentation for :ref:`config_http_conn_man_headers_x-envoy-internal` for more
+ // information about internal/external addresses.
+ InternalAddressConfig internal_address_config = 25;
+
+ // If set, Envoy will not append the remote address to the
+ // :ref:`config_http_conn_man_headers_x-forwarded-for` HTTP header. This may be used in
+ // conjunction with HTTP filters that explicitly manipulate XFF after the HTTP connection manager
+ // has mutated the request headers. While :ref:`use_remote_address
+ // `
+ // will also suppress XFF addition, it has consequences for logging and other
+ // Envoy uses of the remote address, so *skip_xff_append* should be used
+ // when only an elision of XFF addition is intended.
+ bool skip_xff_append = 21;
+
+ // Via header value to append to request and response headers. If this is
+ // empty, no via header will be appended.
+ string via = 22;
+
+ // Whether the connection manager will generate the :ref:`x-request-id
+ // ` header if it does not exist. This defaults to
+ // true. Generating a random UUID4 is expensive so in high throughput scenarios where this feature
+ // is not desired it can be disabled.
+ google.protobuf.BoolValue generate_request_id = 15;
+
+ // Whether the connection manager will keep the :ref:`x-request-id
+ // ` header if passed for a request that is edge
+ // (Edge request is the request from external clients to front Envoy) and not reset it, which
+ // is the current Envoy behaviour. This defaults to false.
+ bool preserve_external_request_id = 32;
+
+ // How to handle the :ref:`config_http_conn_man_headers_x-forwarded-client-cert` (XFCC) HTTP
+ // header.
+ ForwardClientCertDetails forward_client_cert_details = 16
+ [(validate.rules).enum = {defined_only: true}];
+
+ // This field is valid only when :ref:`forward_client_cert_details
+ // `
+ // is APPEND_FORWARD or SANITIZE_SET and the client connection is mTLS. It specifies the fields in
+ // the client certificate to be forwarded. Note that in the
+ // :ref:`config_http_conn_man_headers_x-forwarded-client-cert` header, *Hash* is always set, and
+ // *By* is always set when the client certificate presents the URI type Subject Alternative Name
+ // value.
+ SetCurrentClientCertDetails set_current_client_cert_details = 17;
+
+ // If proxy_100_continue is true, Envoy will proxy incoming "Expect:
+ // 100-continue" headers upstream, and forward "100 Continue" responses
+ // downstream. If this is false or not set, Envoy will instead strip the
+ // "Expect: 100-continue" header, and send a "100 Continue" response itself.
+ bool proxy_100_continue = 18;
+
+ // If
+ // :ref:`use_remote_address
+ // `
+ // is true and represent_ipv4_remote_address_as_ipv4_mapped_ipv6 is true and the remote address is
+ // an IPv4 address, the address will be mapped to IPv6 before it is appended to *x-forwarded-for*.
+ // This is useful for testing compatibility of upstream services that parse the header value. For
+ // example, 50.0.0.1 is represented as ::FFFF:50.0.0.1. See `IPv4-Mapped IPv6 Addresses
+ // `_ for details. This will also affect the
+ // :ref:`config_http_conn_man_headers_x-envoy-external-address` header. See
+ // :ref:`http_connection_manager.represent_ipv4_remote_address_as_ipv4_mapped_ipv6
+ // ` for runtime
+ // control.
+ // [#not-implemented-hide:]
+ bool represent_ipv4_remote_address_as_ipv4_mapped_ipv6 = 20;
+
+ repeated UpgradeConfig upgrade_configs = 23;
+
+ // Should paths be normalized according to RFC 3986 before any processing of
+ // requests by HTTP filters or routing? This affects the upstream *:path* header
+ // as well. For paths that fail this check, Envoy will respond with 400 to
+ // paths that are malformed. This defaults to false currently but will default
+ // true in the future. When not specified, this value may be overridden by the
+ // runtime variable
+ // :ref:`http_connection_manager.normalize_path`.
+ // See `Normalization and Comparison `
+ // for details of normalization.
+ // Note that Envoy does not perform
+ // `case normalization `
+ google.protobuf.BoolValue normalize_path = 30;
+
+ // Determines if adjacent slashes in the path are merged into one before any processing of
+ // requests by HTTP filters or routing. This affects the upstream *:path* header as well. Without
+ // setting this option, incoming requests with path `//dir///file` will not match against route
+ // with `prefix` match set to `/dir`. Defaults to `false`. Note that slash merging is not part of
+ // `HTTP spec ` and is provided for convenience.
+ bool merge_slashes = 33;
+}
+
+message Rds {
+ // Configuration source specifier for RDS.
+ api.v2.core.ConfigSource config_source = 1 [(validate.rules).message = {required: true}];
+
+ // The name of the route configuration. This name will be passed to the RDS
+ // API. This allows an Envoy configuration with multiple HTTP listeners (and
+ // associated HTTP connection manager filters) to use different route
+ // configurations.
+ string route_config_name = 2 [(validate.rules).string = {min_bytes: 1}];
+}
+
+// This message is used to work around the limitations with 'oneof' and repeated fields.
+message ScopedRouteConfigurationsList {
+ repeated api.v2.ScopedRouteConfiguration scoped_route_configurations = 1
+ [(validate.rules).repeated = {min_items: 1}];
+}
+
+message ScopedRoutes {
+ // Specifies the mechanism for constructing "scope keys" based on HTTP request attributes. These
+ // keys are matched against a set of :ref:`Key`
+ // objects assembled from :ref:`ScopedRouteConfiguration`
+ // messages distributed via SRDS (the Scoped Route Discovery Service) or assigned statically via
+ // :ref:`scoped_route_configurations_list`.
+ //
+ // Upon receiving a request's headers, the Router will build a key using the algorithm specified
+ // by this message. This key will be used to look up the routing table (i.e., the
+ // :ref:`RouteConfiguration`) to use for the request.
+ message ScopeKeyBuilder {
+ // Specifies the mechanism for constructing key fragments which are composed into scope keys.
+ message FragmentBuilder {
+ // Specifies how the value of a header should be extracted.
+ // The following example maps the structure of a header to the fields in this message.
+ //
+ // .. code::
+ //
+ // <0> <1> <-- index
+ // X-Header: a=b;c=d
+ // | || |
+ // | || \---->
+ // | ||
+ // | |\---->
+ // | |
+ // | \---->
+ // |
+ // \---->
+ //
+ // Each 'a=b' key-value pair constitutes an 'element' of the header field.
+ message HeaderValueExtractor {
+ // Specifies a header field's key value pair to match on.
+ message KvElement {
+ // The separator between key and value (e.g., '=' separates 'k=v;...').
+ // If an element is an empty string, the element is ignored.
+ // If an element contains no separator, the whole element is parsed as key and the
+ // fragment value is an empty string.
+ // If there are multiple values for a matched key, the first value is returned.
+ string separator = 1 [(validate.rules).string = {min_bytes: 1}];
+
+ // The key to match on.
+ string key = 2 [(validate.rules).string = {min_bytes: 1}];
+ }
+
+ // The name of the header field to extract the value from.
+ string name = 1 [(validate.rules).string = {min_bytes: 1}];
+
+ // The element separator (e.g., ';' separates 'a;b;c;d').
+ // Default: empty string. This causes the entirety of the header field to be extracted.
+ // If this field is set to an empty string and 'index' is used in the oneof below, 'index'
+ // must be set to 0.
+ string element_separator = 2;
+
+ oneof extract_type {
+ // Specifies the zero based index of the element to extract.
+ // Note Envoy concatenates multiple values of the same header key into a comma separated
+ // string, the splitting always happens after the concatenation.
+ uint32 index = 3;
+
+ // Specifies the key value pair to extract the value from.
+ KvElement element = 4;
+ }
+ }
+
+ oneof type {
+ option (validate.required) = true;
+
+ // Specifies how a header field's value should be extracted.
+ HeaderValueExtractor header_value_extractor = 1;
+ }
+ }
+
+ // The final scope key consists of the ordered union of these fragments.
+ repeated FragmentBuilder fragments = 1 [(validate.rules).repeated = {min_items: 1}];
+ }
+
+ // The name assigned to the scoped routing configuration.
+ string name = 1 [(validate.rules).string = {min_bytes: 1}];
+
+ // The algorithm to use for constructing a scope key for each request.
+ ScopeKeyBuilder scope_key_builder = 2 [(validate.rules).message = {required: true}];
+
+ // Configuration source specifier for RDS.
+ // This config source is used to subscribe to RouteConfiguration resources specified in
+ // ScopedRouteConfiguration messages.
+ api.v2.core.ConfigSource rds_config_source = 3 [(validate.rules).message = {required: true}];
+
+ oneof config_specifier {
+ option (validate.required) = true;
+
+ // The set of routing scopes corresponding to the HCM. A scope is assigned to a request by
+ // matching a key constructed from the request's attributes according to the algorithm specified
+ // by the
+ // :ref:`ScopeKeyBuilder`
+ // in this message.
+ ScopedRouteConfigurationsList scoped_route_configurations_list = 4;
+
+ // The set of routing scopes associated with the HCM will be dynamically loaded via the SRDS
+ // API. A scope is assigned to a request by matching a key constructed from the request's
+ // attributes according to the algorithm specified by the
+ // :ref:`ScopeKeyBuilder`
+ // in this message.
+ ScopedRds scoped_rds = 5;
+ }
+}
+
+message ScopedRds {
+ // Configuration source specifier for scoped RDS.
+ api.v2.core.ConfigSource scoped_rds_config_source = 1
+ [(validate.rules).message = {required: true}];
+}
+
+message HttpFilter {
+ reserved 3;
+
+ // The name of the filter to instantiate. The name must match a
+ // :ref:`supported filter `.
+ string name = 1 [(validate.rules).string = {min_bytes: 1}];
+
+ // Filter specific configuration which depends on the filter being instantiated. See the supported
+ // filters for further documentation.
+ oneof config_type {
+ google.protobuf.Struct config = 2;
+
+ google.protobuf.Any typed_config = 4;
+ }
+}