syntax = "proto3";
package envoy.api.v2;
import "api/address.proto";
import "api/base.proto";
import "api/discovery.proto";
import "api/sds.proto";
import "google/api/annotations.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto";
import "validate/validate.proto";
// [#protodoc-title: Listeners and LDS]
// Listener :ref:`configuration overview <config_listeners>`
// The Envoy instance initiates an RPC at startup to discover a list of
// listeners. Updates are delivered via streaming from the LDS server and
// consist of a complete update of all listeners. Existing connections will be
// allowed to drain from listeners that are no longer present.
//
// Because every update replaces the complete listener set, the LDS server
// effectively decides which addresses this Envoy listens on and which filter
// chains and TLS contexts apply to them.
// NOTE(review): nothing in this file authenticates the LDS server or protects
// the channel; confirm that this is enforced where the management server
// connection is configured.
service ListenerDiscoveryService {
  // Bidirectional stream: Envoy sends DiscoveryRequest messages and receives
  // DiscoveryResponse messages carrying listener updates.
  rpc StreamListeners(stream DiscoveryRequest) returns (stream DiscoveryResponse) {
  }

  // Unary fetch of the listener set. Also mapped to HTTP as
  // POST /v2/discovery:listeners with the whole DiscoveryRequest as the body.
  rpc FetchListeners(DiscoveryRequest) returns (DiscoveryResponse) {
    option (google.api.http) = {
      post: "/v2/discovery:listeners"
      body: "*"
    };
  }
}
// A single listener: the address Envoy listens on, the filter chains applied
// to connections accepted there, and listener-wide connection settings.
message Listener {
  // The unique name by which this listener is known. If no name is provided,
  // Envoy will allocate an internal UUID for the listener. If the listener is to be dynamically
  // updated or removed via :ref:`LDS <config_listeners_lds>` a unique name must be provided.
  // By default, the maximum length of a listener's name is limited to 60 characters. This limit can
  // be increased by setting the :option:`--max-obj-name-len` command line argument to the desired
  // value.
  string name = 1;

  // The address that the listener should listen on. In general, the address must be unique, though
  // that is governed by the bind rules of the OS. E.g., multiple listeners can listen on port 0 on
  // Linux as the actual port will be allocated by the OS.
  //
  // The validation rule makes this field mandatory.
  Address address = 2 [(validate.rules).message.required = true];

  // A list of filter chains to consider for this listener. The
  // :ref:`FilterChain <envoy_api_msg_FilterChain>` with the most specific :ref:`FilterChainMatch
  // <envoy_api_msg_FilterChainMatch>` criteria is used on a connection.
  //
  // The validation rule requires at least one filter chain.
  //
  // .. attention::
  //
  //   In the current version, multiple filter chains are supported **only** so that SNI can be
  //   configured. See the :ref:`FAQ entry <faq_how_to_setup_sni>` on how to configure SNI for more
  //   information. When multiple filter chains are configured, each filter chain must have an
  //   **identical** set of :ref:`filters <envoy_api_field_FilterChain.filters>`. If the filters
  //   differ, the configuration will fail to load. In the future, this limitation will be relaxed
  //   such that different filters can be used depending on which filter chain matches (based on SNI
  //   or some other parameter).
  repeated FilterChain filter_chains = 3 [(validate.rules).repeated .min_items = 1];

  // If a connection is redirected using *iptables*, the port on which the proxy
  // receives it might be different from the original destination address. When this flag is set to
  // true, the listener hands off redirected connections to the listener associated with the
  // original destination address. If there is no listener associated with the original destination
  // address, the connection is handled by the listener that receives it. Defaults to false.
  //
  // With this flag set, the filter chains that handle a connection are those of whichever listener
  // matches the original destination address, not necessarily those of the receiving listener.
  google.protobuf.BoolValue use_original_dst = 4;

  // Soft limit on size of the listener's new connection read and write buffers.
  // If unspecified, an implementation defined default is applied (1MiB).
  //
  // This is described as a soft limit, so it should not be treated as a hard bound on
  // per-connection memory use.
  google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 5;

  // [#not-implemented-hide:] Listener metadata.
  Metadata metadata = 6;

  // [#not-implemented-hide:]
  message DeprecatedV1 {
    // Whether the listener should bind to the port. A listener that doesn't
    // bind can only receive connections redirected from other listeners that
    // set use_original_dst parameter to true. Default is true.
    //
    // [V2-API-DIFF] This is deprecated in v2, all Listeners will bind to their
    // port. An additional filter chain must be created for every original
    // destination port this listener may redirect to in v2, with the original
    // port specified in the FilterChainMatch destination_port field.
    google.protobuf.BoolValue bind_to_port = 1;
  }

  // [#not-implemented-hide:]
  DeprecatedV1 deprecated_v1 = 7;

  // Selects which events cause this listener to drain. DEFAULT is the zero
  // value, so it applies whenever drain_type is left unset.
  enum DrainType {
    // Drain in response to calling /healthcheck/fail admin endpoint (along with the health check
    // filter), listener removal/modification, and hot restart.
    DEFAULT = 0;
    // Drain in response to listener removal/modification and hot restart. This setting does not
    // include /healthcheck/fail. This setting may be desirable if Envoy is hosting both ingress
    // and egress listeners.
    MODIFY_ONLY = 1;
  }

  // The type of draining to perform at a listener-wide level.
  DrainType drain_type = 8;
}
// One network filter in a filter chain: the name of the filter to instantiate
// plus its filter-specific configuration.
message Filter {
  // The name of the filter to instantiate. The name must match a supported
  // filter. The built-in filters are:
  //
  // [#comment:TODO(mattklein123): Auto generate the following list]
  // * :ref:`envoy.echo <config_network_filters_echo>`
  // * :ref:`envoy.http_connection_manager <config_http_conn_man>`
  // * :ref:`envoy.mongo_proxy <config_network_filters_mongo_proxy>`
  // * :ref:`envoy.redis_proxy <config_network_filters_redis_proxy>`
  // * :ref:`envoy.tcp_proxy <config_network_filters_tcp_proxy>`
  //
  // The validation rule rejects an empty name.
  string name = 1 [(validate.rules).string.min_bytes = 1];

  // Filter specific configuration which depends on the filter being
  // instantiated. See the supported filters for further documentation.
  //
  // This is an untyped Struct, so this schema places no constraint on its
  // contents.
  // NOTE(review): validation presumably happens when the named filter loads
  // its configuration; confirm that unknown or malformed keys are rejected
  // there rather than silently ignored.
  google.protobuf.Struct config = 2;

  // [#not-implemented-hide:]
  message DeprecatedV1 {
    // Undocumented in this file.
    // NOTE(review): presumably the v1 filter type; confirm against the v1
    // configuration reference.
    string type = 1;
  }

  // [#not-implemented-hide:]
  DeprecatedV1 deprecated_v1 = 3;
}
// Specifies the match criteria for selecting a specific filter chain for a
// listener.
//
// Every field except sni_domains carries the not-implemented-hide tag.
// NOTE(review): that tag suggests these matchers (prefix_ranges,
// address_suffix, suffix_len, source_prefix_ranges, source_ports,
// destination_port) are not enforced in this version; do not rely on them to
// restrict which connections reach a filter chain until that is confirmed.
//
// Field number 2 is not used in this message.
// NOTE(review): if it belonged to a removed field, it should be marked
// reserved so it cannot be reused; confirm against the file history.
message FilterChainMatch {
  // If non-empty, the SNI domains to consider. May contain a wildcard prefix,
  // e.g. ``*.example.com``.
  //
  // .. attention::
  //
  //   See the :ref:`FAQ entry <faq_how_to_setup_sni>` on how to configure SNI for more
  //   information.
  repeated string sni_domains = 1;

  // If non-empty, an IP address and prefix length to match addresses when the
  // listener is bound to 0.0.0.0/:: or when use_original_dst is specified.
  // [#not-implemented-hide:]
  repeated CidrRange prefix_ranges = 3;

  // If non-empty, an IP address and suffix length to match addresses when the
  // listener is bound to 0.0.0.0/:: or when use_original_dst is specified.
  // [#not-implemented-hide:]
  string address_suffix = 4;

  // Undocumented in this file.
  // NOTE(review): presumably the suffix length that pairs with
  // address_suffix; confirm.
  // [#not-implemented-hide:]
  google.protobuf.UInt32Value suffix_len = 5;

  // The criterion is satisfied if the source IP address of the downstream
  // connection is contained in at least one of the specified subnets. If the
  // parameter is not specified or the list is empty, the source IP address is
  // ignored.
  // [#not-implemented-hide:]
  repeated CidrRange source_prefix_ranges = 6;

  // The criterion is satisfied if the source port of the downstream connection
  // is contained in at least one of the specified ports. If the parameter is
  // not specified, the source port is ignored.
  // [#not-implemented-hide:]
  repeated google.protobuf.UInt32Value source_ports = 7;

  // Optional destination port to consider when use_original_dst is set on the
  // listener in determining a filter chain match.
  // [#not-implemented-hide:]
  google.protobuf.UInt32Value destination_port = 8;
}
// A filter chain wraps a set of match criteria, an optional TLS context, a set of filters, and
// various other parameters.
message FilterChain {
  // The criteria to use when matching a connection to this filter chain.
  FilterChainMatch filter_chain_match = 1;

  // The TLS context for this filter chain.
  // NOTE(review): the behavior when this field is unset is not stated here;
  // presumably connections on this chain are then not TLS-terminated.
  // Confirm before relying on a chain to enforce encryption.
  DownstreamTlsContext tls_context = 2;

  // A list of individual network filters that make up the filter chain for
  // connections established with the listener. Order matters as the filters are
  // processed sequentially as connection events happen. Note: If the filter
  // list is empty, the connection will close by default.
  repeated Filter filters = 3;

  // Whether the listener should expect a PROXY protocol V1 header on new
  // connections. If this option is enabled, the listener will assume that the
  // remote address of the connection is the one specified in the header. Some
  // load balancers including the AWS ELB support this option. If the option is
  // absent or set to false, Envoy will use the physical peer address of the
  // connection as the remote address.
  //
  // The header is supplied by the connecting peer and nothing in this message
  // authenticates it. Enable this only on listeners that are reachable solely
  // through a trusted load balancer or proxy; otherwise the remote address
  // Envoy records is whatever the client chose to send.
  // NOTE(review): confirm which consumers (for example access logs or
  // address-based policy) take the remote address from this header.
  google.protobuf.BoolValue use_proxy_proto = 4;

  // [#not-implemented-hide:] filter chain metadata.
  Metadata metadata = 5;

  // [#not-implemented-hide:] See base.TransportSocket description.
  TransportSocket transport_socket = 6;
}