xds: add protos for composite filter

Author: AgraVator

xds/third_party/envoy/import.sh

@@ -17,7 +17,7 @@
 
 set -e
 # import VERSION from the google internal go/envoy-import-status
-VERSION=b6df993feef0340391e6dbf6ad957ab42884ad05
+VERSION=a0b3df32ba54c92a08d3636a9a36013cb920e471
 DOWNLOAD_URL="https://github.com/envoyproxy/envoy/archive/${VERSION}.tar.gz"
 DOWNLOAD_BASE_DIR="envoy-${VERSION}"
 SOURCE_PROTO_BASE_DIR="${DOWNLOAD_BASE_DIR}/api"
@@ -37,6 +37,7 @@ envoy/config/common/mutation_rules/v3/mutation_rules.proto
 envoy/config/core/v3/address.proto
 envoy/config/core/v3/backoff.proto
 envoy/config/core/v3/base.proto
+envoy/config/core/v3/cel.proto
 envoy/config/core/v3/config_source.proto
 envoy/config/core/v3/event_service_config.proto
 envoy/config/core/v3/extension.proto
@@ -76,7 +77,9 @@ envoy/data/accesslog/v3/accesslog.proto
 envoy/extensions/clusters/aggregate/v3/cluster.proto
 envoy/extensions/filters/common/fault/v3/fault.proto
 envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto
+envoy/extensions/common/matching/v3/extension_matcher.proto
 envoy/extensions/filters/http/fault/v3/fault.proto
+envoy/extensions/filters/http/composite/v3/composite.proto
 envoy/extensions/filters/http/rate_limit_quota/v3/rate_limit_quota.proto
 envoy/extensions/filters/http/gcp_authn/v3/gcp_authn.proto
 envoy/extensions/filters/http/rbac/v3/rbac.proto
@@ -113,6 +116,7 @@ envoy/type/matcher/v3/filter_state.proto
 envoy/type/matcher/v3/http_inputs.proto
 envoy/type/matcher/v3/metadata.proto
 envoy/type/matcher/v3/node.proto
+envoy/config/common/matcher/v3/matcher.proto
 envoy/type/matcher/v3/number.proto
 envoy/type/matcher/v3/path.proto
 envoy/type/matcher/v3/regex.proto
@@ -129,6 +133,7 @@ envoy/type/v3/ratelimit_strategy.proto
 envoy/type/v3/ratelimit_unit.proto
 envoy/type/v3/semantic_version.proto
 envoy/type/v3/token_bucket.proto
+envoy/extensions/matching/common_inputs/network/v3/network_inputs.proto
 )
 
 pushd "$(git rev-parse --show-toplevel)/xds/third_party/envoy" > /dev/null

xds/third_party/envoy/src/main/proto/envoy/config/accesslog/v3/accesslog.proto

@@ -108,6 +108,9 @@ message ComparisonFilter {
 
     // <=
     LE = 2;
+
+    // !=
+    NE = 3;
   }
 
   // Comparison operator.

xds/third_party/envoy/src/main/proto/envoy/config/bootstrap/v3/bootstrap.proto

@@ -22,6 +22,7 @@ import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";
 
 import "xds/core/v3/collection_entry.proto";
+import "xds/type/matcher/v3/matcher.proto";
 
 import "envoy/annotations/deprecation.proto";
 import "udpa/annotations/migrate.proto";
@@ -45,7 +46,7 @@ message ClusterCollection {
 }
 
 // Configuration for a single upstream cluster.
-// [#next-free-field: 59]
+// [#next-free-field: 60]
 message Cluster {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.Cluster";
 
@@ -747,6 +748,9 @@ message Cluster {
     // If both this and preconnect_ratio are set, Envoy will make sure both predicted needs are met,
     // basically preconnecting max(predictive-preconnect, per-upstream-preconnect), for each
     // upstream.
+    //
+    // This is limited somewhat arbitrarily to 3 because preconnecting too aggressively can
+    // harm latency more than the preconnecting helps.
     google.protobuf.DoubleValue predictive_preconnect_ratio = 2
         [(validate.rules).double = {lte: 3.0 gte: 1.0}];
   }
@@ -809,6 +813,41 @@ message Cluster {
   // [#comment:TODO(incfly): add a detailed architecture doc on intended usage.]
   repeated TransportSocketMatch transport_socket_matches = 43;
 
+  // Optional matcher that selects a transport socket from
+  // :ref:`transport_socket_matches <envoy_v3_api_field_config.cluster.v3.Cluster.transport_socket_matches>`.
+  //
+  // This matcher uses the generic xDS matcher framework to select a named transport socket
+  // based on various inputs available at transport socket selection time.
+  //
+  // Supported matching inputs:
+  //
+  // * ``endpoint_metadata``: Extract values from the selected endpoint's metadata.
+  // * ``locality_metadata``: Extract values from the endpoint's locality metadata.
+  // * ``transport_socket_filter_state``: Extract values from filter state that was explicitly shared from
+  //   downstream to upstream via ``TransportSocketOptions``. This enables flexible
+  //   downstream-connection-based matching, such as:
+  //
+  //   - Network namespace matching.
+  //   - Custom connection attributes.
+  //   - Any data explicitly passed via filter state.
+  //
+  // .. note::
+  //   Filter state sharing follows the same pattern as tunneling in Envoy. Filters must explicitly
+  //   share data by setting filter state with the appropriate sharing mode. The filter state is
+  //   then accessible via the ``transport_socket_filter_state`` input during transport socket selection.
+  //
+  // If this field is set, it takes precedence over legacy metadata-based selection
+  // performed by :ref:`transport_socket_matches
+  // <envoy_v3_api_field_config.cluster.v3.Cluster.transport_socket_matches>` alone.
+  // If the matcher does not yield a match, Envoy uses the default transport socket
+  // configured for the cluster.
+  //
+  // When using this field, each entry in
+  // :ref:`transport_socket_matches <envoy_v3_api_field_config.cluster.v3.Cluster.transport_socket_matches>`
+  // must have a unique ``name``. The matcher outcome is expected to reference one of
+  // these names.
+  xds.type.matcher.v3.Matcher transport_socket_matcher = 59;
+
   // Supplies the name of the cluster which must be unique across all clusters.
   // The cluster name is used when emitting
   // :ref:`statistics <config_cluster_manager_cluster_stats>` if :ref:`alt_stat_name

xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/cluster.proto

@@ -0,0 +1,239 @@
+syntax = "proto3";
+
+package envoy.config.common.matcher.v3;
+
+import "envoy/config/core/v3/extension.proto";
+import "envoy/config/route/v3/route_components.proto";
+import "envoy/type/matcher/v3/string.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.config.common.matcher.v3";
+option java_outer_classname = "MatcherProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/common/matcher/v3;matcherv3";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Unified Matcher API]
+
+// A matcher, which may traverse a matching tree in order to result in a match action.
+// During matching, the tree will be traversed until a match is found, or if no match
+// is found the action specified by the most specific on_no_match will be evaluated.
+// As an on_no_match might result in another matching tree being evaluated, this process
+// might repeat several times until the final OnMatch (or no match) is decided.
+//
+// .. note::
+//   Please use the syntactically equivalent :ref:`matching API <envoy_v3_api_msg_.xds.type.matcher.v3.Matcher>`
+message Matcher {
+  // What to do if a match is successful.
+  message OnMatch {
+    oneof on_match {
+      option (validate.required) = true;
+
+      // Nested matcher to evaluate.
+      // If the nested matcher does not match and does not specify
+      // on_no_match, then this matcher is considered not to have
+      // matched, even if a predicate at this level or above returned
+      // true.
+      Matcher matcher = 1;
+
+      // Protocol-specific action to take.
+      core.v3.TypedExtensionConfig action = 2;
+    }
+
+    // If true, the action will be taken but the caller will behave as if no
+    // match was found. This applies both to actions directly encoded in the
+    // action field and to actions returned from a nested matcher tree in the
+    // matcher field. A subsequent matcher on_no_match action will be used
+    // instead.
+    //
+    // This field is not supported in all contexts in which the matcher API is
+    // used. If this field is set in a context in which it's not supported,
+    // the resource will be rejected.
+    bool keep_matching = 3;
+  }
+
+  // A linear list of field matchers.
+  // The field matchers are evaluated in order, and the first match
+  // wins.
+  message MatcherList {
+    // Predicate to determine if a match is successful.
+    message Predicate {
+      // Predicate for a single input field.
+      message SinglePredicate {
+        // Protocol-specific specification of input field to match on.
+        // [#extension-category: envoy.matching.common_inputs]
+        core.v3.TypedExtensionConfig input = 1 [(validate.rules).message = {required: true}];
+
+        oneof matcher {
+          option (validate.required) = true;
+
+          // Built-in string matcher.
+          type.matcher.v3.StringMatcher value_match = 2;
+
+          // Extension for custom matching logic.
+          // [#extension-category: envoy.matching.input_matchers]
+          core.v3.TypedExtensionConfig custom_match = 3;
+        }
+      }
+
+      // A list of two or more matchers. Used to allow using a list within a oneof.
+      message PredicateList {
+        repeated Predicate predicate = 1 [(validate.rules).repeated = {min_items: 2}];
+      }
+
+      oneof match_type {
+        option (validate.required) = true;
+
+        // A single predicate to evaluate.
+        SinglePredicate single_predicate = 1;
+
+        // A list of predicates to be OR-ed together.
+        PredicateList or_matcher = 2;
+
+        // A list of predicates to be AND-ed together.
+        PredicateList and_matcher = 3;
+
+        // The inverse of a predicate
+        Predicate not_matcher = 4;
+      }
+    }
+
+    // An individual matcher.
+    message FieldMatcher {
+      // Determines if the match succeeds.
+      Predicate predicate = 1 [(validate.rules).message = {required: true}];
+
+      // What to do if the match succeeds.
+      OnMatch on_match = 2 [(validate.rules).message = {required: true}];
+    }
+
+    // A list of matchers. First match wins.
+    repeated FieldMatcher matchers = 1 [(validate.rules).repeated = {min_items: 1}];
+  }
+
+  message MatcherTree {
+    // A map of configured matchers. Used to allow using a map within a oneof.
+    message MatchMap {
+      map<string, OnMatch> map = 1 [(validate.rules).map = {min_pairs: 1}];
+    }
+
+    // Protocol-specific specification of input field to match on.
+    core.v3.TypedExtensionConfig input = 1 [(validate.rules).message = {required: true}];
+
+    // Exact or prefix match maps in which to look up the input value.
+    // If the lookup succeeds, the match is considered successful, and
+    // the corresponding OnMatch is used.
+    oneof tree_type {
+      option (validate.required) = true;
+
+      MatchMap exact_match_map = 2;
+
+      // Longest matching prefix wins.
+      MatchMap prefix_match_map = 3;
+
+      // Extension for custom matching logic.
+      core.v3.TypedExtensionConfig custom_match = 4;
+    }
+  }
+
+  oneof matcher_type {
+    option (validate.required) = true;
+
+    // A linear list of matchers to evaluate.
+    MatcherList matcher_list = 1;
+
+    // A match tree to evaluate.
+    MatcherTree matcher_tree = 2;
+  }
+
+  // Optional ``OnMatch`` to use if the matcher failed.
+  // If specified, the ``OnMatch`` is used, and the matcher is considered
+  // to have matched.
+  // If not specified, the matcher is considered not to have matched.
+  OnMatch on_no_match = 3;
+}
+
+// Match configuration. This is a recursive structure which allows complex nested match
+// configurations to be built using various logical operators.
+// [#next-free-field: 11]
+message MatchPredicate {
+  // A set of match configurations used for logical operations.
+  message MatchSet {
+    // The list of rules that make up the set.
+    repeated MatchPredicate rules = 1 [(validate.rules).repeated = {min_items: 2}];
+  }
+
+  oneof rule {
+    option (validate.required) = true;
+
+    // A set that describes a logical OR. If any member of the set matches, the match configuration
+    // matches.
+    MatchSet or_match = 1;
+
+    // A set that describes a logical AND. If all members of the set match, the match configuration
+    // matches.
+    MatchSet and_match = 2;
+
+    // A negation match. The match configuration will match if the negated match condition matches.
+    MatchPredicate not_match = 3;
+
+    // The match configuration will always match.
+    bool any_match = 4 [(validate.rules).bool = {const: true}];
+
+    // HTTP request headers match configuration.
+    HttpHeadersMatch http_request_headers_match = 5;
+
+    // HTTP request trailers match configuration.
+    HttpHeadersMatch http_request_trailers_match = 6;
+
+    // HTTP response headers match configuration.
+    HttpHeadersMatch http_response_headers_match = 7;
+
+    // HTTP response trailers match configuration.
+    HttpHeadersMatch http_response_trailers_match = 8;
+
+    // HTTP request generic body match configuration.
+    HttpGenericBodyMatch http_request_generic_body_match = 9;
+
+    // HTTP response generic body match configuration.
+    HttpGenericBodyMatch http_response_generic_body_match = 10;
+  }
+}
+
+// HTTP headers match configuration.
+message HttpHeadersMatch {
+  // HTTP headers to match.
+  repeated route.v3.HeaderMatcher headers = 1;
+}
+
+// HTTP generic body match configuration.
+// List of text strings and hex strings to be located in HTTP body.
+// All specified strings must be found in the HTTP body for positive match.
+// The search may be limited to specified number of bytes from the body start.
+//
+// .. attention::
+//
+//   Searching for patterns in HTTP body is potentially CPU-intensive. For each specified pattern, HTTP body is scanned byte by byte to find a match.
+//   If multiple patterns are specified, the process is repeated for each pattern. If location of a pattern is known, ``bytes_limit`` should be specified
+//   to scan only part of the HTTP body.
+message HttpGenericBodyMatch {
+  message GenericTextMatch {
+    oneof rule {
+      option (validate.required) = true;
+
+      // Text string to be located in HTTP body.
+      string string_match = 1 [(validate.rules).string = {min_len: 1}];
+
+      // Sequence of bytes to be located in HTTP body.
+      bytes binary_match = 2 [(validate.rules).bytes = {min_len: 1}];
+    }
+  }
+
+  // Limits search to specified number of bytes - default zero (no limit - match entire captured buffer).
+  uint32 bytes_limit = 1;
+
+  // List of patterns to match.
+  repeated GenericTextMatch patterns = 2 [(validate.rules).repeated = {min_items: 1}];
+}

xds/third_party/envoy/src/main/proto/envoy/config/common/matcher/v3/matcher.proto

@@ -115,16 +115,18 @@ message TcpKeepalive {
 
   // Maximum number of keepalive probes to send without response before deciding
   // the connection is dead. Default is to use the OS level configuration (unless
-  // overridden, Linux defaults to 9.)
+  // overridden, Linux defaults to 9.) Setting this to ``0`` disables TCP keepalive.
   google.protobuf.UInt32Value keepalive_probes = 1;
 
   // The number of seconds a connection needs to be idle before keep-alive probes
   // start being sent. Default is to use the OS level configuration (unless
-  // overridden, Linux defaults to 7200s (i.e., 2 hours.)
+  // overridden, Linux defaults to 7200s (i.e., 2 hours.) Setting this to ``0`` disables
+  // TCP keepalive.
   google.protobuf.UInt32Value keepalive_time = 2;
 
   // The number of seconds between keep-alive probes. Default is to use the OS
-  // level configuration (unless overridden, Linux defaults to 75s.)
+  // level configuration (unless overridden, Linux defaults to 75s.) Setting this to
+  // ``0`` disables TCP keepalive.
   google.protobuf.UInt32Value keepalive_interval = 3;
 }