diff --git a/packages/grpc-js-xds/deps/envoy-api b/packages/grpc-js-xds/deps/envoy-api
index 78f198cf9..f8b75d1ef 160000
--- a/packages/grpc-js-xds/deps/envoy-api
+++ b/packages/grpc-js-xds/deps/envoy-api
@@ -1 +1 @@
-Subproject commit 78f198cf96ecdc7120ef640406770aa01af775c4
+Subproject commit f8b75d1efa92bbf534596a013d9ca5873f79dd30
diff --git a/packages/grpc-js-xds/gulpfile.ts b/packages/grpc-js-xds/gulpfile.ts
index 47ca71324..7fd4a3677 100644
--- a/packages/grpc-js-xds/gulpfile.ts
+++ b/packages/grpc-js-xds/gulpfile.ts
@@ -21,6 +21,10 @@ import * as mocha from 'gulp-mocha';
 import * as path from 'path';
 import * as execa from 'execa';
 import * as semver from 'semver';
+import { ncp } from 'ncp';
+import { promisify } from 'util';
+
+const ncpP = promisify(ncp);
 
 Error.stackTraceLimit = Infinity;
 
@@ -60,6 +64,10 @@ const cleanAll = gulp.parallel(clean);
 */
 const compile = checkTask(() => execNpmCommand('compile'));
 
+const copyTestFixtures = checkTask(() =>
+ ncpP(`${jsCoreDir}/test/fixtures`, `${outDir}/test/fixtures`)
+);
+
 const runTests = checkTask(() => {
 process.env.GRPC_EXPERIMENTAL_XDS_FEDERATION = 'true';
 process.env.GRPC_EXPERIMENTAL_PICKFIRST_LB_CONFIG = 'true';
@@ -71,7 +79,7 @@ const runTests = checkTask(() => {
 require: ['ts-node/register']}));
 });
 
-const test = gulp.series(install, runTests);
+const test = gulp.series(install, copyTestFixtures, runTests);
 
 export {
 install,
diff --git a/packages/grpc-js-xds/package.json b/packages/grpc-js-xds/package.json
index b5321bd02..d6fbf8705 100644
--- a/packages/grpc-js-xds/package.json
+++ b/packages/grpc-js-xds/package.json
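Review bot: `copyTestFixtures` copies `${jsCoreDir}/test/fixtures` into `${outDir}/test/fixtures`, and gRPC test fixture directories commonly hold TLS certificates and private keys; if `outDir` lies inside the directory this package publishes, those files would be shipped in the npm tarball, so the `files` allowlist or `.npmignore` of `packages/grpc-js-xds` should be checked to confirm that `test/` under the build output is excluded. Both `jsCoreDir` and `outDir` are defined outside this hunk. The same change adds `ncp` as a dev dependency in `package.json` for what is a plain recursive copy; `fs.promises.cp(src, dest, { recursive: true })` exists in Node 16.7 and later and would avoid the extra third-party dependency, if the package's supported Node range allows it. A short comment above the task would also help readers of the `gulp.series(install, copyTestFixtures, runTests)` ordering, e.g. `// The xds tests reuse grpc-js's test fixtures; copy them into the build tree before running tests.`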
@@ -12,7 +12,7 @@
 "prepare": "npm run generate-types && npm run compile",
 "pretest": "npm run compile",
 "posttest": "npm run check",
- "generate-types": "proto-loader-gen-types --keepCase --longs String --enums String --defaults --oneofs --includeComments --includeDirs deps/envoy-api/ deps/xds/ deps/googleapis/ deps/protoc-gen-validate/ -O src/generated/ --grpcLib @grpc/grpc-js envoy/service/discovery/v3/ads.proto envoy/service/load_stats/v3/lrs.proto envoy/config/listener/v3/listener.proto envoy/config/route/v3/route.proto envoy/config/cluster/v3/cluster.proto envoy/config/endpoint/v3/endpoint.proto envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto udpa/type/v1/typed_struct.proto xds/type/v3/typed_struct.proto envoy/extensions/filters/http/fault/v3/fault.proto envoy/service/status/v3/csds.proto envoy/extensions/load_balancing_policies/wrr_locality/v3/wrr_locality.proto envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.proto envoy/extensions/load_balancing_policies/pick_first/v3/pick_first.proto envoy/extensions/clusters/aggregate/v3/cluster.proto",
+ "generate-types": "proto-loader-gen-types --keepCase --longs String --enums String --defaults --oneofs --includeComments --includeDirs deps/envoy-api/ deps/xds/ deps/googleapis/ deps/protoc-gen-validate/ -O src/generated/ --grpcLib @grpc/grpc-js envoy/service/discovery/v3/ads.proto envoy/service/load_stats/v3/lrs.proto envoy/config/listener/v3/listener.proto envoy/config/route/v3/route.proto envoy/config/cluster/v3/cluster.proto envoy/config/endpoint/v3/endpoint.proto envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto udpa/type/v1/typed_struct.proto xds/type/v3/typed_struct.proto envoy/extensions/filters/http/fault/v3/fault.proto envoy/service/status/v3/csds.proto envoy/extensions/load_balancing_policies/wrr_locality/v3/wrr_locality.proto envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.proto envoy/extensions/load_balancing_policies/pick_first/v3/pick_first.proto envoy/extensions/clusters/aggregate/v3/cluster.proto envoy/extensions/transport_sockets/tls/v3/tls.proto",
 "generate-interop-types": "proto-loader-gen-types --keep-case --longs String --enums String --defaults --oneofs --json --includeComments --includeDirs proto/ -O interop/generated --grpcLib @grpc/grpc-js grpc/testing/test.proto",
 "generate-test-types": "proto-loader-gen-types --keep-case --longs String --enums String --defaults --oneofs --json --includeComments --includeDirs proto/ -O test/generated --grpcLib @grpc/grpc-js grpc/testing/echo.proto"
 },
@@ -41,6 +41,7 @@
 "@types/yargs": "^15.0.5",
 "find-free-ports": "^3.1.1",
 "gts": "^5.0.1",
+ "ncp": "^2.0.0",
 "typescript": "^5.1.3",
 "yargs": "^15.4.1"
 },
diff --git a/packages/grpc-js-xds/src/generated/ads.ts b/packages/grpc-js-xds/src/generated/ads.ts
index 8b63ba848..e2a22f839 100644
--- a/packages/grpc-js-xds/src/generated/ads.ts
+++ b/packages/grpc-js-xds/src/generated/ads.ts
@@ -29,6 +29,9 @@ export interface ProtoGrpcType {
 HeaderValue: MessageTypeDefinition
 HeaderValueOption: MessageTypeDefinition
 HttpUri: MessageTypeDefinition
+ KeyValue: MessageTypeDefinition
+ KeyValueAppend: MessageTypeDefinition
+ KeyValueMutation: MessageTypeDefinition
 Locality: MessageTypeDefinition
 Metadata: MessageTypeDefinition
 Node: MessageTypeDefinition
diff --git a/packages/grpc-js-xds/src/generated/cluster.ts b/packages/grpc-js-xds/src/generated/cluster.ts
index 6e6a4e981..2e12420e3 100644
--- a/packages/grpc-js-xds/src/generated/cluster.ts
+++ b/packages/grpc-js-xds/src/generated/cluster.ts
@@ -59,11 +59,16 @@ export interface ProtoGrpcType {
 HttpProtocolOptions: MessageTypeDefinition
 HttpUri: MessageTypeDefinition
 KeepaliveSettings: MessageTypeDefinition
+ KeyValue: MessageTypeDefinition
+ KeyValueAppend: MessageTypeDefinition
+ KeyValueMutation: MessageTypeDefinition
 Locality: MessageTypeDefinition
 Metadata: MessageTypeDefinition
 Node: MessageTypeDefinition
 PathConfigSource: MessageTypeDefinition
 Pipe: MessageTypeDefinition
+ ProxyProtocolConfig: MessageTypeDefinition
+ ProxyProtocolPassThroughTLVs: MessageTypeDefinition
 QueryParameter: MessageTypeDefinition
 QuicKeepAliveSettings: MessageTypeDefinition
 QuicProtocolOptions: MessageTypeDefinition
@@ -230,6 +235,7 @@ export interface ProtoGrpcType {
 CollectionEntry: MessageTypeDefinition
 ContextParams: MessageTypeDefinition
 ResourceLocator: MessageTypeDefinition
+ TypedExtensionConfig: MessageTypeDefinition
 }
 }
 }
diff --git a/packages/grpc-js-xds/src/generated/csds.ts b/packages/grpc-js-xds/src/generated/csds.ts
index 760e2d307..2078485b6 100644
--- a/packages/grpc-js-xds/src/generated/csds.ts
+++ b/packages/grpc-js-xds/src/generated/csds.ts
@@ -41,6 +41,9 @@ export interface ProtoGrpcType {
 HeaderValue: MessageTypeDefinition
 HeaderValueOption: MessageTypeDefinition
 HttpUri: MessageTypeDefinition
+ KeyValue: MessageTypeDefinition
+ KeyValueAppend: MessageTypeDefinition
+ KeyValueMutation: MessageTypeDefinition
 Locality: MessageTypeDefinition
 Metadata: MessageTypeDefinition
 Node: MessageTypeDefinition
@@ -203,6 +206,7 @@ export interface ProtoGrpcType {
 core: {
 v3: {
 ContextParams: MessageTypeDefinition
+ TypedExtensionConfig: MessageTypeDefinition
 }
 }
 }
diff --git a/packages/grpc-js-xds/src/generated/endpoint.ts b/packages/grpc-js-xds/src/generated/endpoint.ts
index 4fcf914e3..d57055115 100644
--- a/packages/grpc-js-xds/src/generated/endpoint.ts
+++ b/packages/grpc-js-xds/src/generated/endpoint.ts
@@ -38,11 +38,16 @@ export interface ProtoGrpcType {
 HealthStatus: EnumTypeDefinition
 HealthStatusSet: MessageTypeDefinition
 HttpUri: MessageTypeDefinition
+ KeyValue: MessageTypeDefinition
+ KeyValueAppend: MessageTypeDefinition
+ KeyValueMutation: MessageTypeDefinition
 Locality: MessageTypeDefinition
 Metadata: MessageTypeDefinition
 Node: MessageTypeDefinition
 PathConfigSource: MessageTypeDefinition
 Pipe: MessageTypeDefinition
+ ProxyProtocolConfig: MessageTypeDefinition
+ ProxyProtocolPassThroughTLVs: MessageTypeDefinition
 QueryParameter: MessageTypeDefinition
 RateLimitSettings: MessageTypeDefinition
 RemoteDataSource: MessageTypeDefinition
@@ -186,6 +191,7 @@ export interface ProtoGrpcType {
 v3: {
 Authority: MessageTypeDefinition
 ContextParams: MessageTypeDefinition
+ TypedExtensionConfig: MessageTypeDefinition
 }
 }
 }
diff --git a/packages/grpc-js-xds/src/generated/envoy/config/cluster/v3/Cluster.ts b/packages/grpc-js-xds/src/generated/envoy/config/cluster/v3/Cluster.ts
index 467d31f5b..e8047e163 100644
--- a/packages/grpc-js-xds/src/generated/envoy/config/cluster/v3/Cluster.ts
+++ b/packages/grpc-js-xds/src/generated/envoy/config/cluster/v3/Cluster.ts
@@ -1602,7 +1602,7 @@ export interface _envoy_config_cluster_v3_Cluster_TransportSocketMatch {
 */
 'name'?: (string);
 /**
- * Optional endpoint metadata match criteria.
+ * Optional metadata match criteria.
 * The connection to the endpoint with metadata matching what is set in this field
 * will use the transport socket configuration specified here.
 * The endpoint's metadata entry in ``envoy.transport_socket_match`` is used to match
@@ -1626,7 +1626,7 @@ export interface _envoy_config_cluster_v3_Cluster_TransportSocketMatch__Output { */ 'name': (string); /** - * Optional endpoint metadata match criteria. + * Optional metadata match criteria. * The connection to the endpoint with metadata matching what is set in this field * will use the transport socket configuration specified here. * The endpoint's metadata entry in ``envoy.transport_socket_match`` is used to match @@ -1700,7 +1700,7 @@ export interface _envoy_config_cluster_v3_Cluster_CommonLbConfig_ZoneAwareLbConf /** * Configuration for a single upstream cluster. - * [#next-free-field: 57] + * [#next-free-field: 58] */ export interface Cluster { /** @@ -2004,12 +2004,14 @@ export interface Cluster { */ 'lrs_server'?: (_envoy_config_core_v3_ConfigSource | null); /** - * Configuration to use different transport sockets for different endpoints. - * The entry of ``envoy.transport_socket_match`` in the - * :ref:`LbEndpoint.Metadata ` - * is used to match against the transport sockets as they appear in the list. The first - * :ref:`match ` is used. - * For example, with the following match + * Configuration to use different transport sockets for different endpoints. The entry of + * ``envoy.transport_socket_match`` in the :ref:`LbEndpoint.Metadata + * ` is used to match against the + * transport sockets as they appear in the list. If a match is not found, the search continues in + * :ref:`LocalityLbEndpoints.Metadata + * `. The first :ref:`match + * ` is used. For example, with + * the following match * * .. code-block:: yaml * 
@@ -2033,8 +2035,9 @@ export interface Cluster { * socket match in case above. * * If an endpoint metadata's value under ``envoy.transport_socket_match`` does not match any - * ``TransportSocketMatch``, socket configuration fallbacks to use the ``tls_context`` or - * ``transport_socket`` specified in this cluster. + * ``TransportSocketMatch``, the locality metadata is then checked for a match. Barring any + * matches in the endpoint or locality metadata, the socket configuration fallbacks to use the + * ``tls_context`` or ``transport_socket`` specified in this cluster. * * This field allows gradual and flexible transport socket configuration changes. * @@ -2173,6 +2176,23 @@ export interface Cluster { * Optional configuration for the RoundRobin load balancing policy. */ 'round_robin_lb_config'?: (_envoy_config_cluster_v3_Cluster_RoundRobinLbConfig | null); + /** + * [#not-implemented-hide:] + * A list of metric names from ORCA load reports to propagate to LRS. + * + * For map fields in the ORCA proto, the string will be of the form ``.``. + * For example, the string ``named_metrics.foo`` will mean to look for the key ``foo`` in the ORCA + * ``named_metrics`` field. + * + * The special map key ``*`` means to report all entries in the map (e.g., ``named_metrics.*`` means to + * report all entries in the ORCA named_metrics field). Note that this should be used only with trusted + * backends. + * + * The metric names in LRS will follow the same semantics as this field. In other words, if this field + * contains ``named_metrics.foo``, then the LRS load report will include the data with that same string + * as the key. + */ + 'lrs_report_endpoint_metrics'?: (string)[]; 'cluster_discovery_type'?: "type"|"cluster_type"; /** * Optional configuration for the load balancing algorithm selected by 
@@ -2189,7 +2209,7 @@ export interface Cluster { /** * Configuration for a single upstream cluster. - * [#next-free-field: 57] + * [#next-free-field: 58] */ export interface Cluster__Output { /** @@ -2493,12 +2513,14 @@ export interface Cluster__Output { */ 'lrs_server': (_envoy_config_core_v3_ConfigSource__Output | null); /** - * Configuration to use different transport sockets for different endpoints. - * The entry of ``envoy.transport_socket_match`` in the - * :ref:`LbEndpoint.Metadata ` - * is used to match against the transport sockets as they appear in the list. The first - * :ref:`match ` is used. - * For example, with the following match + * Configuration to use different transport sockets for different endpoints. The entry of + * ``envoy.transport_socket_match`` in the :ref:`LbEndpoint.Metadata + * ` is used to match against the + * transport sockets as they appear in the list. If a match is not found, the search continues in + * :ref:`LocalityLbEndpoints.Metadata + * `. The first :ref:`match + * ` is used. For example, with + * the following match * * .. code-block:: yaml * @@ -2522,8 +2544,9 @@ export interface Cluster__Output { * socket match in case above. * * If an endpoint metadata's value under ``envoy.transport_socket_match`` does not match any - * ``TransportSocketMatch``, socket configuration fallbacks to use the ``tls_context`` or - * ``transport_socket`` specified in this cluster. + * ``TransportSocketMatch``, the locality metadata is then checked for a match. Barring any + * matches in the endpoint or locality metadata, the socket configuration fallbacks to use the + * ``tls_context`` or ``transport_socket`` specified in this cluster. * * This field allows gradual and flexible transport socket configuration changes. * 
@@ -2662,6 +2685,23 @@ export interface Cluster__Output { * Optional configuration for the RoundRobin load balancing policy. */ 'round_robin_lb_config'?: (_envoy_config_cluster_v3_Cluster_RoundRobinLbConfig__Output | null); + /** + * [#not-implemented-hide:] + * A list of metric names from ORCA load reports to propagate to LRS. + * + * For map fields in the ORCA proto, the string will be of the form ``.``. + * For example, the string ``named_metrics.foo`` will mean to look for the key ``foo`` in the ORCA + * ``named_metrics`` field. + * + * The special map key ``*`` means to report all entries in the map (e.g., ``named_metrics.*`` means to + * report all entries in the ORCA named_metrics field). Note that this should be used only with trusted + * backends. + * + * The metric names in LRS will follow the same semantics as this field. In other words, if this field + * contains ``named_metrics.foo``, then the LRS load report will include the data with that same string + * as the key. + */ + 'lrs_report_endpoint_metrics': (string)[]; 'cluster_discovery_type': "type"|"cluster_type"; /** * Optional configuration for the load balancing algorithm selected by diff --git a/packages/grpc-js-xds/src/generated/envoy/config/cluster/v3/OutlierDetection.ts b/packages/grpc-js-xds/src/generated/envoy/config/cluster/v3/OutlierDetection.ts index 38b9286be..96a82b7d3 100644 --- a/packages/grpc-js-xds/src/generated/envoy/config/cluster/v3/OutlierDetection.ts +++ b/packages/grpc-js-xds/src/generated/envoy/config/cluster/v3/OutlierDetection.ts 
@@ -3,11 +3,12 @@ import type { UInt32Value as _google_protobuf_UInt32Value, UInt32Value__Output as _google_protobuf_UInt32Value__Output } from '../../../../google/protobuf/UInt32Value'; import type { Duration as _google_protobuf_Duration, Duration__Output as _google_protobuf_Duration__Output } from '../../../../google/protobuf/Duration'; import type { BoolValue as _google_protobuf_BoolValue, BoolValue__Output as _google_protobuf_BoolValue__Output } from '../../../../google/protobuf/BoolValue'; +import type { TypedExtensionConfig as _envoy_config_core_v3_TypedExtensionConfig, TypedExtensionConfig__Output as _envoy_config_core_v3_TypedExtensionConfig__Output } from '../../../../envoy/config/core/v3/TypedExtensionConfig'; /** * See the :ref:`architecture overview ` for * more information on outlier detection. - * [#next-free-field: 24] + * [#next-free-field: 26] */ export interface OutlierDetection { /** @@ -30,8 +31,8 @@ export interface OutlierDetection { */ 'base_ejection_time'?: (_google_protobuf_Duration | null); /** - * The maximum % of an upstream cluster that can be ejected due to outlier - * detection. Defaults to 10% but will eject at least one host regardless of the value. + * The maximum % of an upstream cluster that can be ejected due to outlier detection. Defaults to 10% . + * Will eject at least one host regardless of the value if :ref:`always_eject_one_host` is enabled. */ 'max_ejection_percent'?: (_google_protobuf_UInt32Value | null); /** 
@@ -171,12 +172,22 @@ export interface OutlierDetection { * Defaults to true. */ 'successful_active_health_check_uneject_host'?: (_google_protobuf_BoolValue | null); + /** + * Set of host's passive monitors. + * [#not-implemented-hide:] + */ + 'monitors'?: (_envoy_config_core_v3_TypedExtensionConfig)[]; + /** + * If enabled, at least one host is ejected regardless of the value of :ref:`max_ejection_percent`. + * Defaults to false. + */ + 'always_eject_one_host'?: (_google_protobuf_BoolValue | null); } /** * See the :ref:`architecture overview ` for * more information on outlier detection. - * [#next-free-field: 24] + * [#next-free-field: 26] */ export interface OutlierDetection__Output { /** @@ -199,8 +210,8 @@ export interface OutlierDetection__Output { */ 'base_ejection_time': (_google_protobuf_Duration__Output | null); /** - * The maximum % of an upstream cluster that can be ejected due to outlier - * detection. Defaults to 10% but will eject at least one host regardless of the value. + * The maximum % of an upstream cluster that can be ejected due to outlier detection. Defaults to 10% . + * Will eject at least one host regardless of the value if :ref:`always_eject_one_host` is enabled. */ 'max_ejection_percent': (_google_protobuf_UInt32Value__Output | null); /** @@ -340,4 +351,14 @@ export interface OutlierDetection__Output { * Defaults to true. */ 'successful_active_health_check_uneject_host': (_google_protobuf_BoolValue__Output | null); + /** + * Set of host's passive monitors. + * [#not-implemented-hide:] + */ + 'monitors': (_envoy_config_core_v3_TypedExtensionConfig__Output)[]; + /** + * If enabled, at least one host is ejected regardless of the value of :ref:`max_ejection_percent`. + * Defaults to false. + */ + 'always_eject_one_host': (_google_protobuf_BoolValue__Output | null); } 
diff --git a/packages/grpc-js-xds/src/generated/envoy/config/cluster/v3/UpstreamConnectionOptions.ts b/packages/grpc-js-xds/src/generated/envoy/config/cluster/v3/UpstreamConnectionOptions.ts index cda367641..f77cfe553 100644 --- a/packages/grpc-js-xds/src/generated/envoy/config/cluster/v3/UpstreamConnectionOptions.ts +++ b/packages/grpc-js-xds/src/generated/envoy/config/cluster/v3/UpstreamConnectionOptions.ts 
@@ -1,6 +1,59 @@ // Original file: deps/envoy-api/envoy/config/cluster/v3/cluster.proto import type { TcpKeepalive as _envoy_config_core_v3_TcpKeepalive, TcpKeepalive__Output as _envoy_config_core_v3_TcpKeepalive__Output } from '../../../../envoy/config/core/v3/TcpKeepalive'; +import type { UInt32Value as _google_protobuf_UInt32Value, UInt32Value__Output as _google_protobuf_UInt32Value__Output } from '../../../../google/protobuf/UInt32Value'; + +// Original file: deps/envoy-api/envoy/config/cluster/v3/cluster.proto + +export const _envoy_config_cluster_v3_UpstreamConnectionOptions_FirstAddressFamilyVersion = { + /** + * respect the native ranking of destination ip addresses returned from dns + * resolution + */ + DEFAULT: 'DEFAULT', + V4: 'V4', + V6: 'V6', +} as const; + +export type _envoy_config_cluster_v3_UpstreamConnectionOptions_FirstAddressFamilyVersion = + /** + * respect the native ranking of destination ip addresses returned from dns + * resolution + */ + | 'DEFAULT' + | 0 + | 'V4' + | 1 + | 'V6' + | 2 + +export type _envoy_config_cluster_v3_UpstreamConnectionOptions_FirstAddressFamilyVersion__Output = typeof _envoy_config_cluster_v3_UpstreamConnectionOptions_FirstAddressFamilyVersion[keyof typeof _envoy_config_cluster_v3_UpstreamConnectionOptions_FirstAddressFamilyVersion] + +export interface _envoy_config_cluster_v3_UpstreamConnectionOptions_HappyEyeballsConfig { + /** + * Specify the IP address family to attempt connection first in happy + * eyeballs algorithm according to RFC8305#section-4. + */ + 'first_address_family_version'?: (_envoy_config_cluster_v3_UpstreamConnectionOptions_FirstAddressFamilyVersion); + /** + * Specify the number of addresses of the first_address_family_version being + * attempted for connection before the other address family. 
+ */ + 'first_address_family_count'?: (_google_protobuf_UInt32Value | null); +} + +export interface _envoy_config_cluster_v3_UpstreamConnectionOptions_HappyEyeballsConfig__Output { + /** + * Specify the IP address family to attempt connection first in happy + * eyeballs algorithm according to RFC8305#section-4. + */ + 'first_address_family_version': (_envoy_config_cluster_v3_UpstreamConnectionOptions_FirstAddressFamilyVersion__Output); + /** + * Specify the number of addresses of the first_address_family_version being + * attempted for connection before the other address family. + */ + 'first_address_family_count': (_google_protobuf_UInt32Value__Output | null); +} export interface UpstreamConnectionOptions { /** @@ -13,6 +66,12 @@ export interface UpstreamConnectionOptions { * implementation specific. Defaults to false due to performance concerns. */ 'set_local_interface_name_on_upstream_connections'?: (boolean); + /** + * Configurations for happy eyeballs algorithm. + * Add configs for first_address_family_version and first_address_family_count + * when sorting destination ip addresses. + */ + 'happy_eyeballs_config'?: (_envoy_config_cluster_v3_UpstreamConnectionOptions_HappyEyeballsConfig | null); } export interface UpstreamConnectionOptions__Output { @@ -26,4 +85,10 @@ export interface UpstreamConnectionOptions__Output { * implementation specific. Defaults to false due to performance concerns. */ 'set_local_interface_name_on_upstream_connections': (boolean); + /** + * Configurations for happy eyeballs algorithm. + * Add configs for first_address_family_version and first_address_family_count + * when sorting destination ip addresses. + */ + 'happy_eyeballs_config': (_envoy_config_cluster_v3_UpstreamConnectionOptions_HappyEyeballsConfig__Output | null); } diff --git a/packages/grpc-js-xds/src/generated/envoy/config/core/v3/ApiVersion.ts b/packages/grpc-js-xds/src/generated/envoy/config/core/v3/ApiVersion.ts index d3bad5d4e..03c29024e 100644 
--- a/packages/grpc-js-xds/src/generated/envoy/config/core/v3/ApiVersion.ts +++ b/packages/grpc-js-xds/src/generated/envoy/config/core/v3/ApiVersion.ts @@ -6,14 +6,11 @@ */ export const ApiVersion = { /** - * When not specified, we assume v2, to ease migration to Envoy's stable API - * versioning. If a client does not support v2 (e.g. due to deprecation), this - * is an invalid value. - * @deprecated + * When not specified, we assume v3; it is the only supported version. */ AUTO: 'AUTO', /** - * Use xDS v2 API. + * Use xDS v2 API. This is no longer supported. * @deprecated */ V2: 'V2', @@ -29,14 +26,12 @@ export const ApiVersion = { */ export type ApiVersion = /** - * When not specified, we assume v2, to ease migration to Envoy's stable API - * versioning. If a client does not support v2 (e.g. due to deprecation), this - * is an invalid value. + * When not specified, we assume v3; it is the only supported version. */ | 'AUTO' | 0 /** - * Use xDS v2 API. + * Use xDS v2 API. This is no longer supported. */ | 'V2' | 1 diff --git a/packages/grpc-js-xds/src/generated/envoy/config/core/v3/DataSource.ts b/packages/grpc-js-xds/src/generated/envoy/config/core/v3/DataSource.ts index 0774fb844..ba76b086b 100644 --- a/packages/grpc-js-xds/src/generated/envoy/config/core/v3/DataSource.ts +++ b/packages/grpc-js-xds/src/generated/envoy/config/core/v3/DataSource.ts @@ -1,8 +1,10 @@ // Original file: deps/envoy-api/envoy/config/core/v3/base.proto +import type { WatchedDirectory as _envoy_config_core_v3_WatchedDirectory, WatchedDirectory__Output as _envoy_config_core_v3_WatchedDirectory__Output } from '../../../../envoy/config/core/v3/WatchedDirectory'; /** * Data source consisting of a file, an inline value, or an environment variable. + * [#next-free-field: 6] */ export interface DataSource { /** 
@@ -21,11 +23,29 @@ export interface DataSource { * Environment variable data source. */ 'environment_variable'?: (string); + /** + * Watched directory that is watched for file changes. If this is set explicitly, the file + * specified in the ``filename`` field will be reloaded when relevant file move events occur. + * + * .. note:: + * This field only makes sense when the ``filename`` field is set. + * + * .. note:: + * Envoy only updates when the file is replaced by a file move, and not when the file is + * edited in place. + * + * .. note:: + * Not all use cases of ``DataSource`` support watching directories. It depends on the + * specific usage of the ``DataSource``. See the documentation of the parent message for + * details. + */ + 'watched_directory'?: (_envoy_config_core_v3_WatchedDirectory | null); 'specifier'?: "filename"|"inline_bytes"|"inline_string"|"environment_variable"; } /** * Data source consisting of a file, an inline value, or an environment variable. + * [#next-free-field: 6] */ export interface DataSource__Output { /** @@ -44,5 +64,22 @@ export interface DataSource__Output { * Environment variable data source. */ 'environment_variable'?: (string); + /** + * Watched directory that is watched for file changes. If this is set explicitly, the file + * specified in the ``filename`` field will be reloaded when relevant file move events occur. + * + * .. note:: + * This field only makes sense when the ``filename`` field is set. + * + * .. note:: + * Envoy only updates when the file is replaced by a file move, and not when the file is + * edited in place. + * + * .. note:: + * Not all use cases of ``DataSource`` support watching directories. It depends on the + * specific usage of the ``DataSource``. See the documentation of the parent message for + * details. + */ + 'watched_directory': (_envoy_config_core_v3_WatchedDirectory__Output | null); 'specifier': "filename"|"inline_bytes"|"inline_string"|"environment_variable"; } 
diff --git a/packages/grpc-js-xds/src/generated/envoy/config/core/v3/GrpcService.ts b/packages/grpc-js-xds/src/generated/envoy/config/core/v3/GrpcService.ts index eaeeff52c..a1ec91fd6 100644 --- a/packages/grpc-js-xds/src/generated/envoy/config/core/v3/GrpcService.ts +++ b/packages/grpc-js-xds/src/generated/envoy/config/core/v3/GrpcService.ts @@ -3,8 +3,8 @@ import type { Duration as _google_protobuf_Duration, Duration__Output as _google_protobuf_Duration__Output } from '../../../../google/protobuf/Duration'; import type { HeaderValue as _envoy_config_core_v3_HeaderValue, HeaderValue__Output as _envoy_config_core_v3_HeaderValue__Output } from '../../../../envoy/config/core/v3/HeaderValue'; import type { RetryPolicy as _envoy_config_core_v3_RetryPolicy, RetryPolicy__Output as _envoy_config_core_v3_RetryPolicy__Output } from '../../../../envoy/config/core/v3/RetryPolicy'; -import type { Struct as _google_protobuf_Struct, Struct__Output as _google_protobuf_Struct__Output } from '../../../../google/protobuf/Struct'; import type { UInt32Value as _google_protobuf_UInt32Value, UInt32Value__Output as _google_protobuf_UInt32Value__Output } from '../../../../google/protobuf/UInt32Value'; +import type { Struct as _google_protobuf_Struct, Struct__Output as _google_protobuf_Struct__Output } from '../../../../google/protobuf/Struct'; import type { DataSource as _envoy_config_core_v3_DataSource, DataSource__Output as _envoy_config_core_v3_DataSource__Output } from '../../../../envoy/config/core/v3/DataSource'; import type { Empty as _google_protobuf_Empty, Empty__Output as _google_protobuf_Empty__Output } from '../../../../google/protobuf/Empty'; import type { Any as _google_protobuf_Any, Any__Output as _google_protobuf_Any__Output } from '../../../../google/protobuf/Any'; 
@@ -146,6 +146,9 @@ export interface _envoy_config_core_v3_GrpcService_GoogleGrpc_ChannelCredentials 'credential_specifier': "ssl_credentials"|"google_default"|"local_credentials"; } +/** + * [#next-free-field: 6] + */ export interface _envoy_config_core_v3_GrpcService_EnvoyGrpc { /** * The name of the upstream gRPC cluster. SSL credentials will be supplied @@ -165,8 +168,25 @@ export interface _envoy_config_core_v3_GrpcService_EnvoyGrpc { * If not set, xDS gRPC streams default base interval:500ms, maximum interval:30s will be applied. */ 'retry_policy'?: (_envoy_config_core_v3_RetryPolicy | null); + /** + * Maximum gRPC message size that is allowed to be received. + * If a message over this limit is received, the gRPC stream is terminated with the RESOURCE_EXHAUSTED error. + * This limit is applied to individual messages in the streaming response and not the total size of streaming response. + * Defaults to 0, which means unlimited. + */ + 'max_receive_message_length'?: (_google_protobuf_UInt32Value | null); + /** + * This provides gRPC client level control over envoy generated headers. + * If false, the header will be sent but it can be overridden by per stream option. + * If true, the header will be removed and can not be overridden by per stream option. + * Default to false. + */ + 'skip_envoy_headers'?: (boolean); } +/** + * [#next-free-field: 6] + */ export interface _envoy_config_core_v3_GrpcService_EnvoyGrpc__Output { /** * The name of the upstream gRPC cluster. SSL credentials will be supplied 
@@ -186,6 +206,20 @@ export interface _envoy_config_core_v3_GrpcService_EnvoyGrpc__Output { * If not set, xDS gRPC streams default base interval:500ms, maximum interval:30s will be applied. */ 'retry_policy': (_envoy_config_core_v3_RetryPolicy__Output | null); + /** + * Maximum gRPC message size that is allowed to be received. + * If a message over this limit is received, the gRPC stream is terminated with the RESOURCE_EXHAUSTED error. + * This limit is applied to individual messages in the streaming response and not the total size of streaming response. + * Defaults to 0, which means unlimited. + */ + 'max_receive_message_length': (_google_protobuf_UInt32Value__Output | null); + /** + * This provides gRPC client level control over envoy generated headers. + * If false, the header will be sent but it can be overridden by per stream option. + * If true, the header will be removed and can not be overridden by per stream option. + * Default to false. + */ + 'skip_envoy_headers': (boolean); } /** @@ -507,7 +541,7 @@ export interface _envoy_config_core_v3_GrpcService_GoogleGrpc_ChannelArgs_Value_ /** * gRPC service configuration. This is used by :ref:`ApiConfigSource * ` and filter configurations. - * [#next-free-field: 6] + * [#next-free-field: 7] */ export interface GrpcService { /** @@ -535,13 +569,18 @@ export interface GrpcService { * `. */ 'initial_metadata'?: (_envoy_config_core_v3_HeaderValue)[]; + /** + * Optional default retry policy for streams toward the service. + * If an async stream doesn't have retry policy configured in its stream options, this retry policy is used. + */ + 'retry_policy'?: (_envoy_config_core_v3_RetryPolicy | null); 'target_specifier'?: "envoy_grpc"|"google_grpc"; } /** * gRPC service configuration. This is used by :ref:`ApiConfigSource * ` and filter configurations. - * [#next-free-field: 6] + * [#next-free-field: 7] */ export interface GrpcService__Output { /** 
@@ -569,5 +608,10 @@ export interface GrpcService__Output { * `. */ 'initial_metadata': (_envoy_config_core_v3_HeaderValue__Output)[]; + /** + * Optional default retry policy for streams toward the service. + * If an async stream doesn't have retry policy configured in its stream options, this retry policy is used. + */ + 'retry_policy': (_envoy_config_core_v3_RetryPolicy__Output | null); 'target_specifier': "envoy_grpc"|"google_grpc"; } diff --git a/packages/grpc-js-xds/src/generated/envoy/config/core/v3/HealthCheck.ts b/packages/grpc-js-xds/src/generated/envoy/config/core/v3/HealthCheck.ts index f6605412e..2a3c9027c 100644 --- a/packages/grpc-js-xds/src/generated/envoy/config/core/v3/HealthCheck.ts +++ b/packages/grpc-js-xds/src/generated/envoy/config/core/v3/HealthCheck.ts @@ -12,6 +12,7 @@ import type { Int64Range as _envoy_type_v3_Int64Range, Int64Range__Output as _en import type { CodecClientType as _envoy_type_v3_CodecClientType, CodecClientType__Output as _envoy_type_v3_CodecClientType__Output } from '../../../../envoy/type/v3/CodecClientType'; import type { StringMatcher as _envoy_type_matcher_v3_StringMatcher, StringMatcher__Output as _envoy_type_matcher_v3_StringMatcher__Output } from '../../../../envoy/type/matcher/v3/StringMatcher'; import type { RequestMethod as _envoy_config_core_v3_RequestMethod, RequestMethod__Output as _envoy_config_core_v3_RequestMethod__Output } from '../../../../envoy/config/core/v3/RequestMethod'; +import type { ProxyProtocolConfig as _envoy_config_core_v3_ProxyProtocolConfig, ProxyProtocolConfig__Output as _envoy_config_core_v3_ProxyProtocolConfig__Output } from '../../../../envoy/config/core/v3/ProxyProtocolConfig'; import type { Any as _google_protobuf_Any, Any__Output as _google_protobuf_Any__Output } from '../../../../google/protobuf/Any'; /** 
@@ -349,6 +350,14 @@ export interface _envoy_config_core_v3_HealthCheck_TcpHealthCheck { * necessarily contiguous. */ 'receive'?: (_envoy_config_core_v3_HealthCheck_Payload)[]; + /** + * When setting this value, it tries to attempt health check request with ProxyProtocol. + * When ``send`` is presented, they are sent after preceding ProxyProtocol header. + * Only ProxyProtocol header is sent when ``send`` is not presented. + * It allows to use both ProxyProtocol V1 and V2. In V1, it presents L3/L4. In V2, it includes + * LOCAL command and doesn't include L3/L4. + */ + 'proxy_protocol_config'?: (_envoy_config_core_v3_ProxyProtocolConfig | null); } export interface _envoy_config_core_v3_HealthCheck_TcpHealthCheck__Output { @@ -362,6 +371,14 @@ export interface _envoy_config_core_v3_HealthCheck_TcpHealthCheck__Output { * necessarily contiguous. */ 'receive': (_envoy_config_core_v3_HealthCheck_Payload__Output)[]; + /** + * When setting this value, it tries to attempt health check request with ProxyProtocol. + * When ``send`` is presented, they are sent after preceding ProxyProtocol header. + * Only ProxyProtocol header is sent when ``send`` is not presented. + * It allows to use both ProxyProtocol V1 and V2. In V1, it presents L3/L4. In V2, it includes + * LOCAL command and doesn't include L3/L4. + */ + 'proxy_protocol_config': (_envoy_config_core_v3_ProxyProtocolConfig__Output | null); } /** @@ -397,7 +414,7 @@ export interface _envoy_config_core_v3_HealthCheck_TlsOptions__Output { } /** - * [#next-free-field: 26] + * [#next-free-field: 27] */ export interface HealthCheck { /** 
@@ -584,11 +601,17 @@ export interface HealthCheck { * [#extension-category: envoy.health_check.event_sinks] */ 'event_logger'?: (_envoy_config_core_v3_TypedExtensionConfig)[]; + /** + * If set to true, health check success events will always be logged. If set to false, only host addition event will be logged + * if it is the first successful health check, or if the healthy threshold is reached. + * The default value is false. + */ + 'always_log_health_check_success'?: (boolean); 'health_checker'?: "http_health_check"|"tcp_health_check"|"grpc_health_check"|"custom_health_check"; } /** - * [#next-free-field: 26] + * [#next-free-field: 27] */ export interface HealthCheck__Output { /** @@ -775,5 +798,11 @@ export interface HealthCheck__Output { * [#extension-category: envoy.health_check.event_sinks] */ 'event_logger': (_envoy_config_core_v3_TypedExtensionConfig__Output)[]; + /** + * If set to true, health check success events will always be logged. If set to false, only host addition event will be logged + * if it is the first successful health check, or if the healthy threshold is reached. + * The default value is false. + */ + 'always_log_health_check_success': (boolean); 'health_checker': "http_health_check"|"tcp_health_check"|"grpc_health_check"|"custom_health_check"; } diff --git a/packages/grpc-js-xds/src/generated/envoy/config/core/v3/Http2ProtocolOptions.ts b/packages/grpc-js-xds/src/generated/envoy/config/core/v3/Http2ProtocolOptions.ts index 9e0ae3d6e..8c545db40 100644 --- a/packages/grpc-js-xds/src/generated/envoy/config/core/v3/Http2ProtocolOptions.ts +++ b/packages/grpc-js-xds/src/generated/envoy/config/core/v3/Http2ProtocolOptions.ts 
@@ -83,10 +83,10 @@ export interface Http2ProtocolOptions { */ 'allow_connect'?: (boolean); /** - * [#not-implemented-hide:] Hiding until envoy has full metadata support. + * [#not-implemented-hide:] Hiding until Envoy has full metadata support. * Still under implementation. DO NOT USE. * - * Allows metadata. See [metadata + * Allows sending and receiving HTTP/2 METADATA frames. See [metadata * docs](https://github.com/envoyproxy/envoy/blob/main/source/docs/h2_metadata.md) for more * information. */ @@ -264,10 +264,10 @@ export interface Http2ProtocolOptions__Output { */ 'allow_connect': (boolean); /** - * [#not-implemented-hide:] Hiding until envoy has full metadata support. + * [#not-implemented-hide:] Hiding until Envoy has full metadata support. * Still under implementation. DO NOT USE. * - * Allows metadata. See [metadata + * Allows sending and receiving HTTP/2 METADATA frames. See [metadata * docs](https://github.com/envoyproxy/envoy/blob/main/source/docs/h2_metadata.md) for more * information. */ diff --git a/packages/grpc-js-xds/src/generated/envoy/config/core/v3/Http3ProtocolOptions.ts b/packages/grpc-js-xds/src/generated/envoy/config/core/v3/Http3ProtocolOptions.ts index 51b31b8e7..63869a273 100644 --- a/packages/grpc-js-xds/src/generated/envoy/config/core/v3/Http3ProtocolOptions.ts +++ b/packages/grpc-js-xds/src/generated/envoy/config/core/v3/Http3ProtocolOptions.ts @@ -5,7 +5,7 @@ import type { BoolValue as _google_protobuf_BoolValue, BoolValue__Output as _goo /** * A message which allows using HTTP/3. - * [#next-free-field: 6] + * [#next-free-field: 7] */ export interface Http3ProtocolOptions { 'quic_protocol_options'?: (_envoy_config_core_v3_QuicProtocolOptions | null); 
@@ -27,11 +27,20 @@ export interface Http3ProtocolOptions { * Note that HTTP/3 CONNECT is not yet an RFC. */ 'allow_extended_connect'?: (boolean); + /** + * [#not-implemented-hide:] Hiding until Envoy has full metadata support. + * Still under implementation. DO NOT USE. + * + * Allows sending and receiving HTTP/3 METADATA frames. See [metadata + * docs](https://github.com/envoyproxy/envoy/blob/main/source/docs/h2_metadata.md) for more + * information. + */ + 'allow_metadata'?: (boolean); } /** * A message which allows using HTTP/3. - * [#next-free-field: 6] + * [#next-free-field: 7] */ export interface Http3ProtocolOptions__Output { 'quic_protocol_options': (_envoy_config_core_v3_QuicProtocolOptions__Output | null); @@ -53,4 +62,13 @@ export interface Http3ProtocolOptions__Output { * Note that HTTP/3 CONNECT is not yet an RFC. */ 'allow_extended_connect': (boolean); + /** + * [#not-implemented-hide:] Hiding until Envoy has full metadata support. + * Still under implementation. DO NOT USE. + * + * Allows sending and receiving HTTP/3 METADATA frames. See [metadata + * docs](https://github.com/envoyproxy/envoy/blob/main/source/docs/h2_metadata.md) for more + * information. + */ + 'allow_metadata': (boolean); } diff --git a/packages/grpc-js-xds/src/generated/envoy/config/core/v3/HttpProtocolOptions.ts b/packages/grpc-js-xds/src/generated/envoy/config/core/v3/HttpProtocolOptions.ts index dfa800c3b..ff32b24f6 100644 --- a/packages/grpc-js-xds/src/generated/envoy/config/core/v3/HttpProtocolOptions.ts +++ b/packages/grpc-js-xds/src/generated/envoy/config/core/v3/HttpProtocolOptions.ts 
@@ -99,10 +99,9 @@ export interface HttpProtocolOptions { 'max_headers_count'?: (_google_protobuf_UInt32Value | null); /** * The maximum duration of a connection. The duration is defined as a period since a connection - * was established. If not set, there is no max duration. When max_connection_duration is reached - * and if there are no active streams, the connection will be closed. If the connection is a - * downstream connection and there are any active streams, the drain sequence will kick-in, - * and the connection will be force-closed after the drain period. See :ref:`drain_timeout + * was established. If not set, there is no max duration. When max_connection_duration is reached, + * the drain sequence will kick-in. The connection will be closed after the drain timeout period + * if there are no active streams. See :ref:`drain_timeout * `. */ 'max_connection_duration'?: (_google_protobuf_Duration | null); @@ -159,10 +158,9 @@ export interface HttpProtocolOptions__Output { 'max_headers_count': (_google_protobuf_UInt32Value__Output | null); /** * The maximum duration of a connection. The duration is defined as a period since a connection - * was established. If not set, there is no max duration. When max_connection_duration is reached - * and if there are no active streams, the connection will be closed. If the connection is a - * downstream connection and there are any active streams, the drain sequence will kick-in, - * and the connection will be force-closed after the drain period. See :ref:`drain_timeout + * was established. If not set, there is no max duration. When max_connection_duration is reached, + * the drain sequence will kick-in. The connection will be closed after the drain timeout period + * if there are no active streams. See :ref:`drain_timeout * `. */ 'max_connection_duration': (_google_protobuf_Duration__Output | null); 
diff --git a/packages/grpc-js-xds/src/generated/envoy/config/core/v3/KeyValue.ts b/packages/grpc-js-xds/src/generated/envoy/config/core/v3/KeyValue.ts new file mode 100644 index 000000000..a390de07e --- /dev/null +++ b/packages/grpc-js-xds/src/generated/envoy/config/core/v3/KeyValue.ts @@ -0,0 +1,24 @@ +// Original file: deps/envoy-api/envoy/config/core/v3/base.proto + + +export interface KeyValue { + /** + * The key of the key/value pair. + */ + 'key'?: (string); + /** + * The value of the key/value pair. + */ + 'value'?: (Buffer | Uint8Array | string); +} + +export interface KeyValue__Output { + /** + * The key of the key/value pair. + */ + 'key': (string); + /** + * The value of the key/value pair. + */ + 'value': (Buffer); +} diff --git a/packages/grpc-js-xds/src/generated/envoy/config/core/v3/KeyValueAppend.ts b/packages/grpc-js-xds/src/generated/envoy/config/core/v3/KeyValueAppend.ts new file mode 100644 index 000000000..f0410c2d8 --- /dev/null +++ b/packages/grpc-js-xds/src/generated/envoy/config/core/v3/KeyValueAppend.ts 
@@ -0,0 +1,109 @@ +// Original file: deps/envoy-api/envoy/config/core/v3/base.proto + +import type { KeyValue as _envoy_config_core_v3_KeyValue, KeyValue__Output as _envoy_config_core_v3_KeyValue__Output } from '../../../../envoy/config/core/v3/KeyValue'; + +// Original file: deps/envoy-api/envoy/config/core/v3/base.proto + +/** + * Describes the supported actions types for key/value pair append action. + */ +export const _envoy_config_core_v3_KeyValueAppend_KeyValueAppendAction = { + /** + * If the key already exists, this action will result in the following behavior: + * + * - Comma-concatenated value if multiple values are not allowed. + * - New value added to the list of values if multiple values are allowed. + * + * If the key doesn't exist then this will add pair with specified key and value. + */ + APPEND_IF_EXISTS_OR_ADD: 'APPEND_IF_EXISTS_OR_ADD', + /** + * This action will add the key/value pair if it doesn't already exist. If the + * key already exists then this will be a no-op. + */ + ADD_IF_ABSENT: 'ADD_IF_ABSENT', + /** + * This action will overwrite the specified value by discarding any existing + * values if the key already exists. If the key doesn't exist then this will add + * the pair with specified key and value. + */ + OVERWRITE_IF_EXISTS_OR_ADD: 'OVERWRITE_IF_EXISTS_OR_ADD', + /** + * This action will overwrite the specified value by discarding any existing + * values if the key already exists. If the key doesn't exist then this will + * be no-op. + */ + OVERWRITE_IF_EXISTS: 'OVERWRITE_IF_EXISTS', +} as const; + +/** + * Describes the supported actions types for key/value pair append action. + */ +export type _envoy_config_core_v3_KeyValueAppend_KeyValueAppendAction = + /** + * If the key already exists, this action will result in the following behavior: + * + * - Comma-concatenated value if multiple values are not allowed. + * - New value added to the list of values if multiple values are allowed. 
+ * + * If the key doesn't exist then this will add pair with specified key and value. + */ + | 'APPEND_IF_EXISTS_OR_ADD' + | 0 + /** + * This action will add the key/value pair if it doesn't already exist. If the + * key already exists then this will be a no-op. + */ + | 'ADD_IF_ABSENT' + | 1 + /** + * This action will overwrite the specified value by discarding any existing + * values if the key already exists. If the key doesn't exist then this will add + * the pair with specified key and value. + */ + | 'OVERWRITE_IF_EXISTS_OR_ADD' + | 2 + /** + * This action will overwrite the specified value by discarding any existing + * values if the key already exists. If the key doesn't exist then this will + * be no-op. + */ + | 'OVERWRITE_IF_EXISTS' + | 3 + +/** + * Describes the supported actions types for key/value pair append action. + */ +export type _envoy_config_core_v3_KeyValueAppend_KeyValueAppendAction__Output = typeof _envoy_config_core_v3_KeyValueAppend_KeyValueAppendAction[keyof typeof _envoy_config_core_v3_KeyValueAppend_KeyValueAppendAction] + +/** + * Key/value pair plus option to control append behavior. This is used to specify + * key/value pairs that should be appended to a set of existing key/value pairs. + */ +export interface KeyValueAppend { + /** + * Key/value pair entry that this option to append or overwrite. + */ + 'entry'?: (_envoy_config_core_v3_KeyValue | null); + /** + * Describes the action taken to append/overwrite the given value for an existing + * key or to only add this key if it's absent. + */ + 'action'?: (_envoy_config_core_v3_KeyValueAppend_KeyValueAppendAction); +} + +/** + * Key/value pair plus option to control append behavior. This is used to specify + * key/value pairs that should be appended to a set of existing key/value pairs. + */ +export interface KeyValueAppend__Output { + /** + * Key/value pair entry that this option to append or overwrite. 
+ */ + 'entry': (_envoy_config_core_v3_KeyValue__Output | null); + /** + * Describes the action taken to append/overwrite the given value for an existing + * key or to only add this key if it's absent. + */ + 'action': (_envoy_config_core_v3_KeyValueAppend_KeyValueAppendAction__Output); +} diff --git a/packages/grpc-js-xds/src/generated/envoy/config/core/v3/KeyValueMutation.ts b/packages/grpc-js-xds/src/generated/envoy/config/core/v3/KeyValueMutation.ts new file mode 100644 index 000000000..53bd6e3d7 --- /dev/null +++ b/packages/grpc-js-xds/src/generated/envoy/config/core/v3/KeyValueMutation.ts @@ -0,0 +1,31 @@ +// Original file: deps/envoy-api/envoy/config/core/v3/base.proto + +import type { KeyValueAppend as _envoy_config_core_v3_KeyValueAppend, KeyValueAppend__Output as _envoy_config_core_v3_KeyValueAppend__Output } from '../../../../envoy/config/core/v3/KeyValueAppend'; + +/** + * Key/value pair to append or remove. + */ +export interface KeyValueMutation { + /** + * Key/value pair to append or overwrite. Only one of ``append`` or ``remove`` can be set. + */ + 'append'?: (_envoy_config_core_v3_KeyValueAppend | null); + /** + * Key to remove. Only one of ``append`` or ``remove`` can be set. + */ + 'remove'?: (string); +} + +/** + * Key/value pair to append or remove. + */ +export interface KeyValueMutation__Output { + /** + * Key/value pair to append or overwrite. Only one of ``append`` or ``remove`` can be set. + */ + 'append': (_envoy_config_core_v3_KeyValueAppend__Output | null); + /** + * Key to remove. Only one of ``append`` or ``remove`` can be set. + */ + 'remove': (string); +} diff --git a/packages/grpc-js-xds/src/generated/envoy/config/core/v3/QuicProtocolOptions.ts b/packages/grpc-js-xds/src/generated/envoy/config/core/v3/QuicProtocolOptions.ts index 478c23e8b..085a2639b 100644 --- a/packages/grpc-js-xds/src/generated/envoy/config/core/v3/QuicProtocolOptions.ts +++ b/packages/grpc-js-xds/src/generated/envoy/config/core/v3/QuicProtocolOptions.ts 
@@ -2,10 +2,11 @@ import type { UInt32Value as _google_protobuf_UInt32Value, UInt32Value__Output as _google_protobuf_UInt32Value__Output } from '../../../../google/protobuf/UInt32Value'; import type { QuicKeepAliveSettings as _envoy_config_core_v3_QuicKeepAliveSettings, QuicKeepAliveSettings__Output as _envoy_config_core_v3_QuicKeepAliveSettings__Output } from '../../../../envoy/config/core/v3/QuicKeepAliveSettings'; +import type { Duration as _google_protobuf_Duration, Duration__Output as _google_protobuf_Duration__Output } from '../../../../google/protobuf/Duration'; /** * QUIC protocol options which apply to both downstream and upstream connections. - * [#next-free-field: 8] + * [#next-free-field: 9] */ export interface QuicProtocolOptions { /** @@ -16,7 +17,7 @@ export interface QuicProtocolOptions { /** * `Initial stream-level flow-control receive window * `_ size. Valid values range from - * 1 to 16777216 (2^24, maximum supported by QUICHE) and defaults to 65536 (2^16). + * 1 to 16777216 (2^24, maximum supported by QUICHE) and defaults to 16777216 (16 * 1024 * 1024). * * NOTE: 16384 (2^14) is the minimum window size supported in Google QUIC. If configured smaller than it, we will use 16384 instead. * QUICHE IETF Quic implementation supports 1 bytes window. We only support increasing the default window size now, so it's also the minimum. 
@@ -28,8 +29,8 @@ export interface QuicProtocolOptions { 'initial_stream_window_size'?: (_google_protobuf_UInt32Value | null); /** * Similar to ``initial_stream_window_size``, but for connection-level - * flow-control. Valid values rage from 1 to 25165824 (24MB, maximum supported by QUICHE) and defaults to 65536 (2^16). - * window. Currently, this has the same minimum/default as ``initial_stream_window_size``. + * flow-control. Valid values rage from 1 to 25165824 (24MB, maximum supported by QUICHE) and defaults + * to 25165824 (24 * 1024 * 1024). * * NOTE: 16384 (2^14) is the minimum window size supported in Google QUIC. We only support increasing the default * window size now, so it's also the minimum. @@ -57,11 +58,18 @@ export interface QuicProtocolOptions { * `QUICHE `_ and to be sent by upstream connections. */ 'client_connection_options'?: (string); + /** + * The duration that a QUIC connection stays idle before it closes itself. If this field is not present, QUICHE + * default 600s will be applied. + * For internal corporate network, a long timeout is often fine. + * But for client facing network, 30s is usually a good choice. + */ + 'idle_network_timeout'?: (_google_protobuf_Duration | null); } /** * QUIC protocol options which apply to both downstream and upstream connections. - * [#next-free-field: 8] + * [#next-free-field: 9] */ export interface QuicProtocolOptions__Output { /** 
@@ -72,7 +80,7 @@ export interface QuicProtocolOptions__Output { /** * `Initial stream-level flow-control receive window * `_ size. Valid values range from - * 1 to 16777216 (2^24, maximum supported by QUICHE) and defaults to 65536 (2^16). + * 1 to 16777216 (2^24, maximum supported by QUICHE) and defaults to 16777216 (16 * 1024 * 1024). * * NOTE: 16384 (2^14) is the minimum window size supported in Google QUIC. If configured smaller than it, we will use 16384 instead. * QUICHE IETF Quic implementation supports 1 bytes window. We only support increasing the default window size now, so it's also the minimum. @@ -84,8 +92,8 @@ export interface QuicProtocolOptions__Output { 'initial_stream_window_size': (_google_protobuf_UInt32Value__Output | null); /** * Similar to ``initial_stream_window_size``, but for connection-level - * flow-control. Valid values rage from 1 to 25165824 (24MB, maximum supported by QUICHE) and defaults to 65536 (2^16). - * window. Currently, this has the same minimum/default as ``initial_stream_window_size``. + * flow-control. Valid values rage from 1 to 25165824 (24MB, maximum supported by QUICHE) and defaults + * to 25165824 (24 * 1024 * 1024). * * NOTE: 16384 (2^14) is the minimum window size supported in Google QUIC. We only support increasing the default * window size now, so it's also the minimum. @@ -113,4 +121,11 @@ export interface QuicProtocolOptions__Output { * `QUICHE `_ and to be sent by upstream connections. */ 'client_connection_options': (string); + /** + * The duration that a QUIC connection stays idle before it closes itself. If this field is not present, QUICHE + * default 600s will be applied. + * For internal corporate network, a long timeout is often fine. + * But for client facing network, 30s is usually a good choice. + */ + 'idle_network_timeout': (_google_protobuf_Duration__Output | null); } 
diff --git a/packages/grpc-js-xds/src/generated/envoy/config/core/v3/RetryPolicy.ts b/packages/grpc-js-xds/src/generated/envoy/config/core/v3/RetryPolicy.ts index 6e2af23e6..14d41eca2 100644 --- a/packages/grpc-js-xds/src/generated/envoy/config/core/v3/RetryPolicy.ts +++ b/packages/grpc-js-xds/src/generated/envoy/config/core/v3/RetryPolicy.ts @@ -2,9 +2,48 @@ import type { BackoffStrategy as _envoy_config_core_v3_BackoffStrategy, BackoffStrategy__Output as _envoy_config_core_v3_BackoffStrategy__Output } from '../../../../envoy/config/core/v3/BackoffStrategy'; import type { UInt32Value as _google_protobuf_UInt32Value, UInt32Value__Output as _google_protobuf_UInt32Value__Output } from '../../../../google/protobuf/UInt32Value'; +import type { Any as _google_protobuf_Any, Any__Output as _google_protobuf_Any__Output } from '../../../../google/protobuf/Any'; +import type { Long } from '@grpc/proto-loader'; + +/** + * See :ref:`RetryHostPredicate `. + */ +export interface _envoy_config_core_v3_RetryPolicy_RetryHostPredicate { + 'name'?: (string); + 'typed_config'?: (_google_protobuf_Any | null); + 'config_type'?: "typed_config"; +} + +/** + * See :ref:`RetryHostPredicate `. + */ +export interface _envoy_config_core_v3_RetryPolicy_RetryHostPredicate__Output { + 'name': (string); + 'typed_config'?: (_google_protobuf_Any__Output | null); + 'config_type': "typed_config"; +} + +/** + * See :ref:`RetryPriority `. + */ +export interface _envoy_config_core_v3_RetryPolicy_RetryPriority { + 'name'?: (string); + 'typed_config'?: (_google_protobuf_Any | null); + 'config_type'?: "typed_config"; +} + +/** + * See :ref:`RetryPriority `. + */ +export interface _envoy_config_core_v3_RetryPolicy_RetryPriority__Output { + 'name': (string); + 'typed_config'?: (_google_protobuf_Any__Output | null); + 'config_type': "typed_config"; +} /** * The message specifies the retry policy of remote data source when fetching fails. + * [#next-free-field: 7] */ export interface RetryPolicy { /** 
@@ -18,10 +57,27 @@ export interface RetryPolicy { * defaults to 1. */ 'num_retries'?: (_google_protobuf_UInt32Value | null); + /** + * For details, see :ref:`retry_on `. + */ + 'retry_on'?: (string); + /** + * For details, see :ref:`retry_priority `. + */ + 'retry_priority'?: (_envoy_config_core_v3_RetryPolicy_RetryPriority | null); + /** + * For details, see :ref:`RetryHostPredicate `. + */ + 'retry_host_predicate'?: (_envoy_config_core_v3_RetryPolicy_RetryHostPredicate)[]; + /** + * For details, see :ref:`host_selection_retry_max_attempts `. + */ + 'host_selection_retry_max_attempts'?: (number | string | Long); } /** * The message specifies the retry policy of remote data source when fetching fails. + * [#next-free-field: 7] */ export interface RetryPolicy__Output { /** @@ -35,4 +91,20 @@ export interface RetryPolicy__Output { * defaults to 1. */ 'num_retries': (_google_protobuf_UInt32Value__Output | null); + /** + * For details, see :ref:`retry_on `. + */ + 'retry_on': (string); + /** + * For details, see :ref:`retry_priority `. + */ + 'retry_priority': (_envoy_config_core_v3_RetryPolicy_RetryPriority__Output | null); + /** + * For details, see :ref:`RetryHostPredicate `. + */ + 'retry_host_predicate': (_envoy_config_core_v3_RetryPolicy_RetryHostPredicate__Output)[]; + /** + * For details, see :ref:`host_selection_retry_max_attempts `. + */ + 'host_selection_retry_max_attempts': (string); } diff --git a/packages/grpc-js-xds/src/generated/envoy/config/core/v3/SchemeHeaderTransformation.ts b/packages/grpc-js-xds/src/generated/envoy/config/core/v3/SchemeHeaderTransformation.ts index 95bb4e400..950ce230f 100644 --- a/packages/grpc-js-xds/src/generated/envoy/config/core/v3/SchemeHeaderTransformation.ts +++ b/packages/grpc-js-xds/src/generated/envoy/config/core/v3/SchemeHeaderTransformation.ts 
@@ -7,8 +7,16 @@ export interface SchemeHeaderTransformation { /** * Overwrite any Scheme header with the contents of this string. + * If set, takes precedence over match_upstream. */ 'scheme_to_overwrite'?: (string); + /** + * Set the Scheme header to match the upstream transport protocol. For example, should a + * request be sent to the upstream over TLS, the scheme header will be set to "https". Should the + * request be sent over plaintext, the scheme header will be set to "http". + * If scheme_to_overwrite is set, this field is not used. + */ + 'match_upstream'?: (boolean); 'transformation'?: "scheme_to_overwrite"; } @@ -18,7 +26,15 @@ export interface SchemeHeaderTransformation { export interface SchemeHeaderTransformation__Output { /** * Overwrite any Scheme header with the contents of this string. + * If set, takes precedence over match_upstream. */ 'scheme_to_overwrite'?: (string); + /** + * Set the Scheme header to match the upstream transport protocol. For example, should a + * request be sent to the upstream over TLS, the scheme header will be set to "https". Should the + * request be sent over plaintext, the scheme header will be set to "http". + * If scheme_to_overwrite is set, this field is not used. + */ + 'match_upstream': (boolean); 'transformation': "scheme_to_overwrite"; } diff --git a/packages/grpc-js-xds/src/generated/envoy/config/endpoint/v3/ClusterLoadAssignment.ts b/packages/grpc-js-xds/src/generated/envoy/config/endpoint/v3/ClusterLoadAssignment.ts index 8f5589479..c06e3e6c0 100644 --- a/packages/grpc-js-xds/src/generated/envoy/config/endpoint/v3/ClusterLoadAssignment.ts +++ b/packages/grpc-js-xds/src/generated/envoy/config/endpoint/v3/ClusterLoadAssignment.ts 
@@ -56,6 +56,12 @@ export interface _envoy_config_endpoint_v3_ClusterLoadAssignment_Policy { * * Envoy supports only one element and will NACK if more than one element is present. * Other xDS-capable data planes will not necessarily have this limitation. + * + * In Envoy, this ``drop_overloads`` config can be overridden by a runtime key + * "load_balancing_policy.drop_overload_limit" setting. This runtime key can be set to + * any integer number between 0 and 100. 0 means drop 0%. 100 means drop 100%. + * When both ``drop_overloads`` config and "load_balancing_policy.drop_overload_limit" + * setting are in place, the min of these two wins. */ 'drop_overloads'?: (_envoy_config_endpoint_v3_ClusterLoadAssignment_Policy_DropOverload)[]; /** @@ -123,6 +129,12 @@ export interface _envoy_config_endpoint_v3_ClusterLoadAssignment_Policy__Output * * Envoy supports only one element and will NACK if more than one element is present. * Other xDS-capable data planes will not necessarily have this limitation. + * + * In Envoy, this ``drop_overloads`` config can be overridden by a runtime key + * "load_balancing_policy.drop_overload_limit" setting. This runtime key can be set to + * any integer number between 0 and 100. 0 means drop 0%. 100 means drop 100%. + * When both ``drop_overloads`` config and "load_balancing_policy.drop_overload_limit" + * setting are in place, the min of these two wins. */ 'drop_overloads': (_envoy_config_endpoint_v3_ClusterLoadAssignment_Policy_DropOverload__Output)[]; /** diff --git a/packages/grpc-js-xds/src/generated/envoy/config/endpoint/v3/LocalityLbEndpoints.ts b/packages/grpc-js-xds/src/generated/envoy/config/endpoint/v3/LocalityLbEndpoints.ts index b0d518fb5..e935d0e2a 100644 --- a/packages/grpc-js-xds/src/generated/envoy/config/endpoint/v3/LocalityLbEndpoints.ts +++ b/packages/grpc-js-xds/src/generated/envoy/config/endpoint/v3/LocalityLbEndpoints.ts 
@@ -4,6 +4,7 @@ import type { Locality as _envoy_config_core_v3_Locality, Locality__Output as _e import type { LbEndpoint as _envoy_config_endpoint_v3_LbEndpoint, LbEndpoint__Output as _envoy_config_endpoint_v3_LbEndpoint__Output } from '../../../../envoy/config/endpoint/v3/LbEndpoint'; import type { UInt32Value as _google_protobuf_UInt32Value, UInt32Value__Output as _google_protobuf_UInt32Value__Output } from '../../../../google/protobuf/UInt32Value'; import type { LedsClusterLocalityConfig as _envoy_config_endpoint_v3_LedsClusterLocalityConfig, LedsClusterLocalityConfig__Output as _envoy_config_endpoint_v3_LedsClusterLocalityConfig__Output } from '../../../../envoy/config/endpoint/v3/LedsClusterLocalityConfig'; +import type { Metadata as _envoy_config_core_v3_Metadata, Metadata__Output as _envoy_config_core_v3_Metadata__Output } from '../../../../envoy/config/core/v3/Metadata'; /** * [#not-implemented-hide:] @@ -25,7 +26,7 @@ export interface _envoy_config_endpoint_v3_LocalityLbEndpoints_LbEndpointList__O * A group of endpoints belonging to a Locality. * One can have multiple LocalityLbEndpoints for a locality, but only if * they have different priorities. - * [#next-free-field: 9] + * [#next-free-field: 10] */ export interface LocalityLbEndpoints { /** @@ -83,6 +84,10 @@ export interface LocalityLbEndpoints { * LEDS Configuration for the current locality. */ 'leds_cluster_locality_config'?: (_envoy_config_endpoint_v3_LedsClusterLocalityConfig | null); + /** + * Metadata to provide additional information about the locality endpoints in aggregate. + */ + 'metadata'?: (_envoy_config_core_v3_Metadata | null); /** * [#not-implemented-hide:] */ @@ -93,7 +98,7 @@ export interface LocalityLbEndpoints { * A group of endpoints belonging to a Locality. * One can have multiple LocalityLbEndpoints for a locality, but only if * they have different priorities. - * [#next-free-field: 9] + * [#next-free-field: 10] */ export interface LocalityLbEndpoints__Output { /** 
@@ -151,6 +156,10 @@ export interface LocalityLbEndpoints__Output { * LEDS Configuration for the current locality. */ 'leds_cluster_locality_config'?: (_envoy_config_endpoint_v3_LedsClusterLocalityConfig__Output | null); + /** + * Metadata to provide additional information about the locality endpoints in aggregate. + */ + 'metadata': (_envoy_config_core_v3_Metadata__Output | null); /** * [#not-implemented-hide:] */ diff --git a/packages/grpc-js-xds/src/generated/envoy/config/endpoint/v3/UnnamedEndpointLoadMetricStats.ts b/packages/grpc-js-xds/src/generated/envoy/config/endpoint/v3/UnnamedEndpointLoadMetricStats.ts new file mode 100644 index 000000000..02cd0eb7a --- /dev/null +++ b/packages/grpc-js-xds/src/generated/envoy/config/endpoint/v3/UnnamedEndpointLoadMetricStats.ts @@ -0,0 +1,33 @@ +// Original file: deps/envoy-api/envoy/config/endpoint/v3/load_report.proto + +import type { Long } from '@grpc/proto-loader'; + +/** + * Same as EndpointLoadMetricStats, except without the metric_name field. + */ +export interface UnnamedEndpointLoadMetricStats { + /** + * Number of calls that finished and included this metric. + */ + 'num_requests_finished_with_metric'?: (number | string | Long); + /** + * Sum of metric values across all calls that finished with this metric for + * load_reporting_interval. + */ + 'total_metric_value'?: (number | string); +} + +/** + * Same as EndpointLoadMetricStats, except without the metric_name field. + */ +export interface UnnamedEndpointLoadMetricStats__Output { + /** + * Number of calls that finished and included this metric. + */ + 'num_requests_finished_with_metric': (string); + /** + * Sum of metric values across all calls that finished with this metric for + * load_reporting_interval. + */ + 'total_metric_value': (number); +} 
diff --git a/packages/grpc-js-xds/src/generated/envoy/config/endpoint/v3/UpstreamLocalityStats.ts b/packages/grpc-js-xds/src/generated/envoy/config/endpoint/v3/UpstreamLocalityStats.ts index fbfb05ed6..b3cdaa395 100644 --- a/packages/grpc-js-xds/src/generated/envoy/config/endpoint/v3/UpstreamLocalityStats.ts +++ b/packages/grpc-js-xds/src/generated/envoy/config/endpoint/v3/UpstreamLocalityStats.ts @@ -3,13 +3,14 @@ import type { Locality as _envoy_config_core_v3_Locality, Locality__Output as _envoy_config_core_v3_Locality__Output } from '../../../../envoy/config/core/v3/Locality'; import type { EndpointLoadMetricStats as _envoy_config_endpoint_v3_EndpointLoadMetricStats, EndpointLoadMetricStats__Output as _envoy_config_endpoint_v3_EndpointLoadMetricStats__Output } from '../../../../envoy/config/endpoint/v3/EndpointLoadMetricStats'; import type { UpstreamEndpointStats as _envoy_config_endpoint_v3_UpstreamEndpointStats, UpstreamEndpointStats__Output as _envoy_config_endpoint_v3_UpstreamEndpointStats__Output } from '../../../../envoy/config/endpoint/v3/UpstreamEndpointStats'; +import type { UnnamedEndpointLoadMetricStats as _envoy_config_endpoint_v3_UnnamedEndpointLoadMetricStats, UnnamedEndpointLoadMetricStats__Output as _envoy_config_endpoint_v3_UnnamedEndpointLoadMetricStats__Output } from '../../../../envoy/config/endpoint/v3/UnnamedEndpointLoadMetricStats'; import type { Long } from '@grpc/proto-loader'; /** * These are stats Envoy reports to the management server at a frequency defined by * :ref:`LoadStatsResponse.load_reporting_interval`. * Stats per upstream region/zone and optionally per subzone. - * [#next-free-field: 9] + * [#next-free-field: 15] */ export interface UpstreamLocalityStats { /** 
@@ -32,7 +33,8 @@ export interface UpstreamLocalityStats { */ 'total_error_requests'?: (number | string | Long); /** - * Stats for multi-dimensional load balancing. + * Named stats for multi-dimensional load balancing. + * These typically come from endpoint metrics reported via ORCA. */ 'load_metric_stats'?: (_envoy_config_endpoint_v3_EndpointLoadMetricStats)[]; /** 
@@ -52,13 +54,56 @@ export interface UpstreamLocalityStats { * upstream endpoints in the locality. */ 'total_issued_requests'?: (number | string | Long); + /** + * The total number of connections in an established state at the time of the + * report. This field is aggregated over all the upstream endpoints in the + * locality. + * In Envoy, this information may be based on ``upstream_cx_active metric``. + * [#not-implemented-hide:] + */ + 'total_active_connections'?: (number | string | Long); + /** + * The total number of connections opened since the last report. + * This field is aggregated over all the upstream endpoints in the locality. + * In Envoy, this information may be based on ``upstream_cx_total`` metric + * compared to itself between start and end of an interval, i.e. + * ``upstream_cx_total``(now) - ``upstream_cx_total``(now - + * load_report_interval). + * [#not-implemented-hide:] + */ + 'total_new_connections'?: (number | string | Long); + /** + * The total number of connection failures since the last report. + * This field is aggregated over all the upstream endpoints in the locality. + * In Envoy, this information may be based on ``upstream_cx_connect_fail`` + * metric compared to itself between start and end of an interval, i.e. + * ``upstream_cx_connect_fail``(now) - ``upstream_cx_connect_fail``(now - + * load_report_interval). + * [#not-implemented-hide:] + */ + 'total_fail_connections'?: (number | string | Long); + /** + * CPU utilization stats for multi-dimensional load balancing. + * This typically comes from endpoint metrics reported via ORCA. + */ + 'cpu_utilization'?: (_envoy_config_endpoint_v3_UnnamedEndpointLoadMetricStats | null); + /** + * Memory utilization for multi-dimensional load balancing. + * This typically comes from endpoint metrics reported via ORCA. 
+ */ + 'mem_utilization'?: (_envoy_config_endpoint_v3_UnnamedEndpointLoadMetricStats | null); + /** + * Blended application-defined utilization for multi-dimensional load balancing. + * This typically comes from endpoint metrics reported via ORCA. + */ + 'application_utilization'?: (_envoy_config_endpoint_v3_UnnamedEndpointLoadMetricStats | null); } /** * These are stats Envoy reports to the management server at a frequency defined by * :ref:`LoadStatsResponse.load_reporting_interval`. * Stats per upstream region/zone and optionally per subzone. - * [#next-free-field: 9] + * [#next-free-field: 15] */ export interface UpstreamLocalityStats__Output { /** @@ -81,7 +126,8 @@ export interface UpstreamLocalityStats__Output { */ 'total_error_requests': (string); /** - * Stats for multi-dimensional load balancing. + * Named stats for multi-dimensional load balancing. + * These typically come from endpoint metrics reported via ORCA. */ 'load_metric_stats': (_envoy_config_endpoint_v3_EndpointLoadMetricStats__Output)[]; /** 
@@ -101,4 +147,47 @@ export interface UpstreamLocalityStats__Output { * upstream endpoints in the locality. */ 'total_issued_requests': (string); + /** + * The total number of connections in an established state at the time of the + * report. This field is aggregated over all the upstream endpoints in the + * locality. + * In Envoy, this information may be based on ``upstream_cx_active metric``. + * [#not-implemented-hide:] + */ + 'total_active_connections': (string); + /** + * The total number of connections opened since the last report. + * This field is aggregated over all the upstream endpoints in the locality. + * In Envoy, this information may be based on ``upstream_cx_total`` metric + * compared to itself between start and end of an interval, i.e. + * ``upstream_cx_total``(now) - ``upstream_cx_total``(now - + * load_report_interval). + * [#not-implemented-hide:] + */ + 'total_new_connections': (string); + /** + * The total number of connection failures since the last report. + * This field is aggregated over all the upstream endpoints in the locality. + * In Envoy, this information may be based on ``upstream_cx_connect_fail`` + * metric compared to itself between start and end of an interval, i.e. + * ``upstream_cx_connect_fail``(now) - ``upstream_cx_connect_fail``(now - + * load_report_interval). + * [#not-implemented-hide:] + */ + 'total_fail_connections': (string); + /** + * CPU utilization stats for multi-dimensional load balancing. + * This typically comes from endpoint metrics reported via ORCA. + */ + 'cpu_utilization': (_envoy_config_endpoint_v3_UnnamedEndpointLoadMetricStats__Output | null); + /** + * Memory utilization for multi-dimensional load balancing. + * This typically comes from endpoint metrics reported via ORCA. + */ + 'mem_utilization': (_envoy_config_endpoint_v3_UnnamedEndpointLoadMetricStats__Output | null); + /** + * Blended application-defined utilization for multi-dimensional load balancing. 
+ * This typically comes from endpoint metrics reported via ORCA. + */ + 'application_utilization': (_envoy_config_endpoint_v3_UnnamedEndpointLoadMetricStats__Output | null); } diff --git a/packages/grpc-js-xds/src/generated/envoy/config/listener/v3/Listener.ts b/packages/grpc-js-xds/src/generated/envoy/config/listener/v3/Listener.ts index 6089081be..4a5e18ba5 100644 --- a/packages/grpc-js-xds/src/generated/envoy/config/listener/v3/Listener.ts +++ b/packages/grpc-js-xds/src/generated/envoy/config/listener/v3/Listener.ts @@ -148,7 +148,7 @@ export interface _envoy_config_listener_v3_Listener_InternalListenerConfig__Outp } /** - * [#next-free-field: 35] + * [#next-free-field: 36] */ export interface Listener { /** @@ -449,6 +449,10 @@ export interface Listener { * from the kernel. */ 'max_connections_to_accept_per_socket_event'?: (_google_protobuf_UInt32Value | null); + /** + * Whether the listener bypasses configured overload manager actions. + */ + 'bypass_overload_manager'?: (boolean); /** * The exclusive listener type and the corresponding config. */ @@ -456,7 +460,7 @@ export interface Listener { } /** - * [#next-free-field: 35] + * [#next-free-field: 36] */ export interface Listener__Output { /** @@ -757,6 +761,10 @@ export interface Listener__Output { * from the kernel. */ 'max_connections_to_accept_per_socket_event': (_google_protobuf_UInt32Value__Output | null); + /** + * Whether the listener bypasses configured overload manager actions. + */ + 'bypass_overload_manager': (boolean); /** * The exclusive listener type and the corresponding config. */ diff --git a/packages/grpc-js-xds/src/generated/envoy/config/listener/v3/QuicProtocolOptions.ts b/packages/grpc-js-xds/src/generated/envoy/config/listener/v3/QuicProtocolOptions.ts index e88ab26a9..f2d291689 100644 --- a/packages/grpc-js-xds/src/generated/envoy/config/listener/v3/QuicProtocolOptions.ts +++ b/packages/grpc-js-xds/src/generated/envoy/config/listener/v3/QuicProtocolOptions.ts 
@@ -5,10 +5,11 @@ import type { Duration as _google_protobuf_Duration, Duration__Output as _google import type { RuntimeFeatureFlag as _envoy_config_core_v3_RuntimeFeatureFlag, RuntimeFeatureFlag__Output as _envoy_config_core_v3_RuntimeFeatureFlag__Output } from '../../../../envoy/config/core/v3/RuntimeFeatureFlag'; import type { UInt32Value as _google_protobuf_UInt32Value, UInt32Value__Output as _google_protobuf_UInt32Value__Output } from '../../../../google/protobuf/UInt32Value'; import type { TypedExtensionConfig as _envoy_config_core_v3_TypedExtensionConfig, TypedExtensionConfig__Output as _envoy_config_core_v3_TypedExtensionConfig__Output } from '../../../../envoy/config/core/v3/TypedExtensionConfig'; +import type { BoolValue as _google_protobuf_BoolValue, BoolValue__Output as _google_protobuf_BoolValue__Output } from '../../../../google/protobuf/BoolValue'; /** * Configuration specific to the UDP QUIC listener. - * [#next-free-field: 10] + * [#next-free-field: 12] */ export interface QuicProtocolOptions { 'quic_protocol_options'?: (_envoy_config_core_v3_QuicProtocolOptions | null); 
@@ -60,16 +61,27 @@ export interface QuicProtocolOptions { 'connection_id_generator_config'?: (_envoy_config_core_v3_TypedExtensionConfig | null); /** * Configure the server's preferred address to advertise so that client can migrate to it. See :ref:`example ` which configures a pair of v4 and v6 preferred addresses. - * The current QUICHE implementation will advertise only one of the preferred IPv4 and IPv6 addresses based on the address family the client initially connects with, and only if the client is also QUICHE-based. + * The current QUICHE implementation will advertise only one of the preferred IPv4 and IPv6 addresses based on the address family the client initially connects with. * If not specified, Envoy will not advertise any server's preferred address. * [#extension-category: envoy.quic.server_preferred_address] */ 'server_preferred_address_config'?: (_envoy_config_core_v3_TypedExtensionConfig | null); + /** + * Configure the server to send transport parameter `disable_active_migration `_. + * Defaults to false (do not send this transport parameter). + */ + 'send_disable_active_migration'?: (_google_protobuf_BoolValue | null); + /** + * Configure which implementation of ``quic::QuicConnectionDebugVisitor`` to be used for this listener. + * If not specified, no debug visitor will be attached to connections. + * [#extension-category: envoy.quic.connection_debug_visitor] + */ + 'connection_debug_visitor_config'?: (_envoy_config_core_v3_TypedExtensionConfig | null); } /** * Configuration specific to the UDP QUIC listener. - * [#next-free-field: 10] + * [#next-free-field: 12] */ export interface QuicProtocolOptions__Output { 'quic_protocol_options': (_envoy_config_core_v3_QuicProtocolOptions__Output | null); 
@@ -121,9 +133,20 @@ export interface QuicProtocolOptions__Output { 'connection_id_generator_config': (_envoy_config_core_v3_TypedExtensionConfig__Output | null); /** * Configure the server's preferred address to advertise so that client can migrate to it. See :ref:`example ` which configures a pair of v4 and v6 preferred addresses. - * The current QUICHE implementation will advertise only one of the preferred IPv4 and IPv6 addresses based on the address family the client initially connects with, and only if the client is also QUICHE-based. + * The current QUICHE implementation will advertise only one of the preferred IPv4 and IPv6 addresses based on the address family the client initially connects with. * If not specified, Envoy will not advertise any server's preferred address. * [#extension-category: envoy.quic.server_preferred_address] */ 'server_preferred_address_config': (_envoy_config_core_v3_TypedExtensionConfig__Output | null); + /** + * Configure the server to send transport parameter `disable_active_migration `_. + * Defaults to false (do not send this transport parameter). + */ + 'send_disable_active_migration': (_google_protobuf_BoolValue__Output | null); + /** + * Configure which implementation of ``quic::QuicConnectionDebugVisitor`` to be used for this listener. + * If not specified, no debug visitor will be attached to connections. + * [#extension-category: envoy.quic.connection_debug_visitor] + */ + 'connection_debug_visitor_config': (_envoy_config_core_v3_TypedExtensionConfig__Output | null); } diff --git a/packages/grpc-js-xds/src/generated/envoy/config/route/v3/CorsPolicy.ts b/packages/grpc-js-xds/src/generated/envoy/config/route/v3/CorsPolicy.ts index 8a74b0658..6bf0eb904 100644 --- a/packages/grpc-js-xds/src/generated/envoy/config/route/v3/CorsPolicy.ts +++ b/packages/grpc-js-xds/src/generated/envoy/config/route/v3/CorsPolicy.ts 
@@ -13,7 +13,7 @@ import type { StringMatcher as _envoy_type_matcher_v3_StringMatcher, StringMatch * :ref:`CorsPolicy in filter extension ` * as as alternative. * - * [#next-free-field: 13] + * [#next-free-field: 14] */ export interface CorsPolicy { /** @@ -70,6 +70,11 @@ export interface CorsPolicy { * More details refer to https://developer.chrome.com/blog/private-network-access-preflight. */ 'allow_private_network_access'?: (_google_protobuf_BoolValue | null); + /** + * Specifies if preflight requests not matching the configured allowed origin should be forwarded + * to the upstream. Default is true. + */ + 'forward_not_matching_preflights'?: (_google_protobuf_BoolValue | null); 'enabled_specifier'?: "filter_enabled"; } @@ -82,7 +87,7 @@ export interface CorsPolicy { * :ref:`CorsPolicy in filter extension ` * as as alternative. * - * [#next-free-field: 13] + * [#next-free-field: 14] */ export interface CorsPolicy__Output { /** @@ -139,5 +144,10 @@ export interface CorsPolicy__Output { * More details refer to https://developer.chrome.com/blog/private-network-access-preflight. */ 'allow_private_network_access': (_google_protobuf_BoolValue__Output | null); + /** + * Specifies if preflight requests not matching the configured allowed origin should be forwarded + * to the upstream. Default is true. + */ + 'forward_not_matching_preflights': (_google_protobuf_BoolValue__Output | null); 'enabled_specifier': "filter_enabled"; } diff --git a/packages/grpc-js-xds/src/generated/envoy/config/route/v3/RouteAction.ts b/packages/grpc-js-xds/src/generated/envoy/config/route/v3/RouteAction.ts index 96910696d..f9847cde2 100644 --- a/packages/grpc-js-xds/src/generated/envoy/config/route/v3/RouteAction.ts +++ b/packages/grpc-js-xds/src/generated/envoy/config/route/v3/RouteAction.ts 
@@ -469,7 +469,8 @@ export interface _envoy_config_route_v3_RouteAction_HashPolicy_QueryParameter__O * collected for the shadow cluster making this feature useful for testing. * * During shadowing, the host/authority header is altered such that ``-shadow`` is appended. This is - * useful for logging. For example, ``cluster1`` becomes ``cluster1-shadow``. + * useful for logging. For example, ``cluster1`` becomes ``cluster1-shadow``. This behavior can be + * disabled by setting ``disable_shadow_host_suffix_append`` to ``true``. * * .. note:: * @@ -478,7 +479,7 @@ export interface _envoy_config_route_v3_RouteAction_HashPolicy_QueryParameter__O * .. note:: * * Shadowing doesn't support Http CONNECT and upgrades. - * [#next-free-field: 6] + * [#next-free-field: 7] */ export interface _envoy_config_route_v3_RouteAction_RequestMirrorPolicy { /** @@ -520,6 +521,10 @@ export interface _envoy_config_route_v3_RouteAction_RequestMirrorPolicy { * Determines if the trace span should be sampled. Defaults to true. */ 'trace_sampled'?: (_google_protobuf_BoolValue | null); + /** + * Disables appending the ``-shadow`` suffix to the shadowed ``Host`` header. Defaults to ``false``. + */ + 'disable_shadow_host_suffix_append'?: (boolean); } /** @@ -529,7 +534,8 @@ export interface _envoy_config_route_v3_RouteAction_RequestMirrorPolicy { * collected for the shadow cluster making this feature useful for testing. * * During shadowing, the host/authority header is altered such that ``-shadow`` is appended. This is - * useful for logging. For example, ``cluster1`` becomes ``cluster1-shadow``. + * useful for logging. For example, ``cluster1`` becomes ``cluster1-shadow``. This behavior can be + * disabled by setting ``disable_shadow_host_suffix_append`` to ``true``. * * .. note:: * 
@@ -538,7 +544,7 @@ export interface _envoy_config_route_v3_RouteAction_RequestMirrorPolicy { * .. note:: * * Shadowing doesn't support Http CONNECT and upgrades. - * [#next-free-field: 6] + * [#next-free-field: 7] */ export interface _envoy_config_route_v3_RouteAction_RequestMirrorPolicy__Output { /** @@ -580,6 +586,10 @@ export interface _envoy_config_route_v3_RouteAction_RequestMirrorPolicy__Output * Determines if the trace span should be sampled. Defaults to true. */ 'trace_sampled': (_google_protobuf_BoolValue__Output | null); + /** + * Disables appending the ``-shadow`` suffix to the shadowed ``Host`` header. Defaults to ``false``. + */ + 'disable_shadow_host_suffix_append': (boolean); } /** @@ -1010,7 +1020,6 @@ export interface RouteAction { * :ref:`host_rewrite_path_regex `) * causes the original value of the host header, if any, to be appended to the * :ref:`config_http_conn_man_headers_x-forwarded-host` HTTP header if it is different to the last value appended. - * This can be disabled by setting the runtime guard ``envoy_reloadable_features_append_xfh_idempotent`` to false. */ 'append_x_forwarded_host'?: (boolean); /** @@ -1404,7 +1413,6 @@ export interface RouteAction__Output { * :ref:`host_rewrite_path_regex `) * causes the original value of the host header, if any, to be appended to the * :ref:`config_http_conn_man_headers_x-forwarded-host` HTTP header if it is different to the last value appended. - * This can be disabled by setting the runtime guard ``envoy_reloadable_features_append_xfh_idempotent`` to false. */ 'append_x_forwarded_host': (boolean); /** diff --git a/packages/grpc-js-xds/src/generated/envoy/data/accesslog/v3/ResponseFlags.ts b/packages/grpc-js-xds/src/generated/envoy/data/accesslog/v3/ResponseFlags.ts index f42e11ee3..74037a8cf 100644 --- a/packages/grpc-js-xds/src/generated/envoy/data/accesslog/v3/ResponseFlags.ts +++ b/packages/grpc-js-xds/src/generated/envoy/data/accesslog/v3/ResponseFlags.ts 
@@ -41,7 +41,7 @@ export interface _envoy_data_accesslog_v3_ResponseFlags_Unauthorized__Output { /** * Flags indicating occurrences during request/response processing. - * [#next-free-field: 28] + * [#next-free-field: 29] */ export interface ResponseFlags { /** @@ -153,11 +153,15 @@ export interface ResponseFlags { * Indicates a DNS resolution failed. */ 'dns_resolution_failure'?: (boolean); + /** + * Indicates a downstream remote codec level reset was received on the stream + */ + 'downstream_remote_reset'?: (boolean); } /** * Flags indicating occurrences during request/response processing. - * [#next-free-field: 28] + * [#next-free-field: 29] */ export interface ResponseFlags__Output { /** @@ -269,4 +273,8 @@ export interface ResponseFlags__Output { * Indicates a DNS resolution failed. */ 'dns_resolution_failure': (boolean); + /** + * Indicates a downstream remote codec level reset was received on the stream + */ + 'downstream_remote_reset': (boolean); } diff --git a/packages/grpc-js-xds/src/generated/envoy/extensions/filters/network/http_connection_manager/v3/HttpConnectionManager.ts b/packages/grpc-js-xds/src/generated/envoy/extensions/filters/network/http_connection_manager/v3/HttpConnectionManager.ts index 58a25bb54..0eb4160a6 100644 --- a/packages/grpc-js-xds/src/generated/envoy/extensions/filters/network/http_connection_manager/v3/HttpConnectionManager.ts +++ b/packages/grpc-js-xds/src/generated/envoy/extensions/filters/network/http_connection_manager/v3/HttpConnectionManager.ts @@ -887,7 +887,7 @@ export interface _envoy_extensions_filters_network_http_connection_manager_v3_Ht } /** - * [#next-free-field: 57] + * [#next-free-field: 58] */ export interface HttpConnectionManager { /** 
@@ -950,9 +950,10 @@ export interface HttpConnectionManager { * race with the final GOAWAY frame. During this grace period, Envoy will * continue to accept new streams. After the grace period, a final GOAWAY * frame is sent and Envoy will start refusing new streams. Draining occurs - * both when a connection hits the idle timeout or during general server - * draining. The default grace period is 5000 milliseconds (5 seconds) if this - * option is not specified. + * either when a connection hits the idle timeout, when :ref:`max_connection_duration + * ` + * is reached, or during general server draining. The default grace period is + * 5000 milliseconds (5 seconds) if this option is not specified. */ 'drain_timeout'?: (_google_protobuf_Duration | null); /** @@ -1408,12 +1409,17 @@ export interface HttpConnectionManager { * Additional access log options for HTTP connection manager. */ 'access_log_options'?: (_envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_HcmAccessLogOptions | null); + /** + * Append the :ref:`config_http_conn_man_headers_x-envoy-local-overloaded` HTTP header in the scenario where + * the Overload Manager has been triggered. + */ + 'append_local_overload'?: (boolean); 'route_specifier'?: "rds"|"route_config"|"scoped_routes"; 'strip_port_mode'?: "strip_any_host_port"; } /** - * [#next-free-field: 57] + * [#next-free-field: 58] */ export interface HttpConnectionManager__Output { /** 
@@ -1476,9 +1482,10 @@ export interface HttpConnectionManager__Output { * race with the final GOAWAY frame. During this grace period, Envoy will * continue to accept new streams. After the grace period, a final GOAWAY * frame is sent and Envoy will start refusing new streams. Draining occurs - * both when a connection hits the idle timeout or during general server - * draining. The default grace period is 5000 milliseconds (5 seconds) if this - * option is not specified. + * either when a connection hits the idle timeout, when :ref:`max_connection_duration + * ` + * is reached, or during general server draining. The default grace period is + * 5000 milliseconds (5 seconds) if this option is not specified. */ 'drain_timeout': (_google_protobuf_Duration__Output | null); /** @@ -1934,6 +1941,11 @@ export interface HttpConnectionManager__Output { * Additional access log options for HTTP connection manager. */ 'access_log_options': (_envoy_extensions_filters_network_http_connection_manager_v3_HttpConnectionManager_HcmAccessLogOptions__Output | null); + /** + * Append the :ref:`config_http_conn_man_headers_x-envoy-local-overloaded` HTTP header in the scenario where + * the Overload Manager has been triggered. + */ + 'append_local_overload': (boolean); 'route_specifier': "rds"|"route_config"|"scoped_routes"; 'strip_port_mode': "strip_any_host_port"; } diff --git a/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/CertificateProviderPluginInstance.ts b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/CertificateProviderPluginInstance.ts new file mode 100644 index 000000000..3a3100f55 --- /dev/null +++ b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/CertificateProviderPluginInstance.ts 
@@ -0,0 +1,52 @@ +// Original file: deps/envoy-api/envoy/extensions/transport_sockets/tls/v3/common.proto + + +/** + * Indicates a certificate to be obtained from a named CertificateProvider plugin instance. + * The plugin instances are defined in the client's bootstrap file. + * The plugin allows certificates to be fetched/refreshed over the network asynchronously with + * respect to the TLS handshake. + * [#not-implemented-hide:] + */ +export interface CertificateProviderPluginInstance { + /** + * Provider instance name. If not present, defaults to "default". + * + * Instance names should generally be defined not in terms of the underlying provider + * implementation (e.g., "file_watcher") but rather in terms of the function of the + * certificates (e.g., "foo_deployment_identity"). + */ + 'instance_name'?: (string); + /** + * Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify + * a root-certificate (validation context) or "example.com" to specify a certificate for a + * particular domain. Not all provider instances will actually use this field, so the value + * defaults to the empty string. + */ + 'certificate_name'?: (string); +} + +/** + * Indicates a certificate to be obtained from a named CertificateProvider plugin instance. + * The plugin instances are defined in the client's bootstrap file. + * The plugin allows certificates to be fetched/refreshed over the network asynchronously with + * respect to the TLS handshake. + * [#not-implemented-hide:] + */ +export interface CertificateProviderPluginInstance__Output { + /** + * Provider instance name. If not present, defaults to "default". + * + * Instance names should generally be defined not in terms of the underlying provider + * implementation (e.g., "file_watcher") but rather in terms of the function of the + * certificates (e.g., "foo_deployment_identity"). + */ + 'instance_name': (string); + /** + * Opaque name used to specify certificate instances or types. 
For example, "ROOTCA" to specify + * a root-certificate (validation context) or "example.com" to specify a certificate for a + * particular domain. Not all provider instances will actually use this field, so the value + * defaults to the empty string. + */ + 'certificate_name': (string); +} diff --git a/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/CertificateValidationContext.ts b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/CertificateValidationContext.ts new file mode 100644 index 000000000..80a5607b4 --- /dev/null +++ b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/CertificateValidationContext.ts 
@@ -0,0 +1,494 @@ +// Original file: deps/envoy-api/envoy/extensions/transport_sockets/tls/v3/common.proto + +import type { DataSource as _envoy_config_core_v3_DataSource, DataSource__Output as _envoy_config_core_v3_DataSource__Output } from '../../../../../envoy/config/core/v3/DataSource'; +import type { BoolValue as _google_protobuf_BoolValue, BoolValue__Output as _google_protobuf_BoolValue__Output } from '../../../../../google/protobuf/BoolValue'; +import type { StringMatcher as _envoy_type_matcher_v3_StringMatcher, StringMatcher__Output as _envoy_type_matcher_v3_StringMatcher__Output } from '../../../../../envoy/type/matcher/v3/StringMatcher'; +import type { WatchedDirectory as _envoy_config_core_v3_WatchedDirectory, WatchedDirectory__Output as _envoy_config_core_v3_WatchedDirectory__Output } from '../../../../../envoy/config/core/v3/WatchedDirectory'; +import type { TypedExtensionConfig as _envoy_config_core_v3_TypedExtensionConfig, TypedExtensionConfig__Output as _envoy_config_core_v3_TypedExtensionConfig__Output } from '../../../../../envoy/config/core/v3/TypedExtensionConfig'; +import type { CertificateProviderPluginInstance as _envoy_extensions_transport_sockets_tls_v3_CertificateProviderPluginInstance, CertificateProviderPluginInstance__Output as _envoy_extensions_transport_sockets_tls_v3_CertificateProviderPluginInstance__Output } from '../../../../../envoy/extensions/transport_sockets/tls/v3/CertificateProviderPluginInstance'; +import type { SubjectAltNameMatcher as _envoy_extensions_transport_sockets_tls_v3_SubjectAltNameMatcher, SubjectAltNameMatcher__Output as _envoy_extensions_transport_sockets_tls_v3_SubjectAltNameMatcher__Output } from '../../../../../envoy/extensions/transport_sockets/tls/v3/SubjectAltNameMatcher'; +import type { UInt32Value as _google_protobuf_UInt32Value, UInt32Value__Output as _google_protobuf_UInt32Value__Output } from '../../../../../google/protobuf/UInt32Value'; + +export interface 
_envoy_extensions_transport_sockets_tls_v3_CertificateValidationContext_SystemRootCerts { +} + +export interface _envoy_extensions_transport_sockets_tls_v3_CertificateValidationContext_SystemRootCerts__Output { +} + +// Original file: deps/envoy-api/envoy/extensions/transport_sockets/tls/v3/common.proto + +/** + * Peer certificate verification mode. + */ +export const _envoy_extensions_transport_sockets_tls_v3_CertificateValidationContext_TrustChainVerification = { + /** + * Perform default certificate verification (e.g., against CA / verification lists) + */ + VERIFY_TRUST_CHAIN: 'VERIFY_TRUST_CHAIN', + /** + * Connections where the certificate fails verification will be permitted. + * For HTTP connections, the result of certificate verification can be used in route matching. ( + * see :ref:`validated ` ). + */ + ACCEPT_UNTRUSTED: 'ACCEPT_UNTRUSTED', +} as const; + +/** + * Peer certificate verification mode. + */ +export type _envoy_extensions_transport_sockets_tls_v3_CertificateValidationContext_TrustChainVerification = + /** + * Perform default certificate verification (e.g., against CA / verification lists) + */ + | 'VERIFY_TRUST_CHAIN' + | 0 + /** + * Connections where the certificate fails verification will be permitted. + * For HTTP connections, the result of certificate verification can be used in route matching. ( + * see :ref:`validated ` ). + */ + | 'ACCEPT_UNTRUSTED' + | 1 + +/** + * Peer certificate verification mode. 
+ */ +export type _envoy_extensions_transport_sockets_tls_v3_CertificateValidationContext_TrustChainVerification__Output = typeof _envoy_extensions_transport_sockets_tls_v3_CertificateValidationContext_TrustChainVerification[keyof typeof _envoy_extensions_transport_sockets_tls_v3_CertificateValidationContext_TrustChainVerification] + +/** + * [#next-free-field: 18] + */ +export interface CertificateValidationContext { + /** + * TLS certificate data containing certificate authority certificates to use in verifying + * a presented peer certificate (e.g. server certificate for clusters or client certificate + * for listeners). If not specified and a peer certificate is presented it will not be + * verified. By default, a client certificate is optional, unless one of the additional + * options (:ref:`require_client_certificate + * `, + * :ref:`verify_certificate_spki + * `, + * :ref:`verify_certificate_hash + * `, or + * :ref:`match_typed_subject_alt_names + * `) is also + * specified. + * + * It can optionally contain certificate revocation lists, in which case Envoy will verify + * that the presented peer certificate has not been revoked by one of the included CRLs. Note + * that if a CRL is provided for any certificate authority in a trust chain, a CRL must be + * provided for all certificate authorities in that chain. Failure to do so will result in + * verification failure for both revoked and unrevoked certificates from that chain. + * The behavior of requiring all certificates to contain CRLs can be altered by + * setting :ref:`only_verify_leaf_cert_crl ` + * true. If set to true, only the final certificate in the chain undergoes CRL verification. + * + * See :ref:`the TLS overview ` for a list of common + * system CA locations. + * + * If ``trusted_ca`` is a filesystem path, a watch will be added to the parent + * directory for any file moves to support rotation. 
This currently only + * applies to dynamic secrets, when the ``CertificateValidationContext`` is + * delivered via SDS. + * + * X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca`` + * can be treated as trust anchor as well. It allows verification with building valid partial chain instead + * of a full chain. + * + * If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``. + */ + 'trusted_ca'?: (_envoy_config_core_v3_DataSource | null); + /** + * An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that + * the SHA-256 of the DER-encoded presented certificate matches one of the specified values. + * + * A hex-encoded SHA-256 of the certificate can be generated with the following command: + * + * .. code-block:: bash + * + * $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 + * df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a + * + * A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate + * can be generated with the following command: + * + * .. code-block:: bash + * + * $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 + * DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A + * + * Both of those formats are acceptable. + * + * When both: + * :ref:`verify_certificate_hash + * ` and + * :ref:`verify_certificate_spki + * ` are specified, + * a hash matching value from either of the lists will result in the certificate being accepted. + */ + 'verify_certificate_hash'?: (string)[]; + /** + * An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the + * SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate + * matches one of the specified values. 
+ * + * A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate + * can be generated with the following command: + * + * .. code-block:: bash + * + * $ openssl x509 -in path/to/client.crt -noout -pubkey + * | openssl pkey -pubin -outform DER + * | openssl dgst -sha256 -binary + * | openssl enc -base64 + * NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= + * + * This is the format used in HTTP Public Key Pinning. + * + * When both: + * :ref:`verify_certificate_hash + * ` and + * :ref:`verify_certificate_spki + * ` are specified, + * a hash matching value from either of the lists will result in the certificate being accepted. + * + * .. attention:: + * + * This option is preferred over :ref:`verify_certificate_hash + * `, + * because SPKI is tied to a private key, so it doesn't change when the certificate + * is renewed using the same private key. + */ + 'verify_certificate_spki'?: (string)[]; + /** + * [#not-implemented-hide:] Must present signed certificate time-stamp. + */ + 'require_signed_certificate_timestamp'?: (_google_protobuf_BoolValue | null); + /** + * An optional `certificate revocation list + * `_ + * (in PEM format). If specified, Envoy will verify that the presented peer + * certificate has not been revoked by this CRL. If this DataSource contains + * multiple CRLs, all of them will be used. Note that if a CRL is provided + * for any certificate authority in a trust chain, a CRL must be provided + * for all certificate authorities in that chain. Failure to do so will + * result in verification failure for both revoked and unrevoked certificates + * from that chain. This default behavior can be altered by setting + * :ref:`only_verify_leaf_cert_crl ` to + * true. + * + * If ``crl`` is a filesystem path, a watch will be added to the parent + * directory for any file moves to support rotation. This currently only + * applies to dynamic secrets, when the ``CertificateValidationContext`` is + * delivered via SDS. 
+ */ + 'crl'?: (_envoy_config_core_v3_DataSource | null); + /** + * If specified, Envoy will not reject expired certificates. + */ + 'allow_expired_certificate'?: (boolean); + /** + * This field is deprecated in favor of + * :ref:`match_typed_subject_alt_names + * `. + * Note that if both this field and :ref:`match_typed_subject_alt_names + * ` + * are specified, the former (deprecated field) is ignored. + * @deprecated + */ + 'match_subject_alt_names'?: (_envoy_type_matcher_v3_StringMatcher)[]; + /** + * Certificate trust chain verification mode. + */ + 'trust_chain_verification'?: (_envoy_extensions_transport_sockets_tls_v3_CertificateValidationContext_TrustChainVerification); + /** + * If specified, updates of a file-based ``trusted_ca`` source will be triggered + * by this watch. This allows explicit control over the path watched, by + * default the parent directory of the filesystem path in ``trusted_ca`` is + * watched if this field is not specified. This only applies when a + * ``CertificateValidationContext`` is delivered by SDS with references to + * filesystem paths. See the :ref:`SDS key rotation ` + * documentation for further details. + */ + 'watched_directory'?: (_envoy_config_core_v3_WatchedDirectory | null); + /** + * The configuration of an extension specific certificate validator. + * If specified, all validation is done by the specified validator, + * and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). + * Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. + * [#extension-category: envoy.tls.cert_validator] + */ + 'custom_validator_config'?: (_envoy_config_core_v3_TypedExtensionConfig | null); + /** + * Certificate provider instance for fetching TLS certificates. + * + * If set, takes precedence over ``trusted_ca``. 
+ * [#not-implemented-hide:] + */ + 'ca_certificate_provider_instance'?: (_envoy_extensions_transport_sockets_tls_v3_CertificateProviderPluginInstance | null); + /** + * If this option is set to true, only the certificate at the end of the + * certificate chain will be subject to validation by :ref:`CRL `. + */ + 'only_verify_leaf_cert_crl'?: (boolean); + /** + * An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the + * Subject Alternative Name of the presented certificate matches one of the specified matchers. + * The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is + * matched. + * + * When a certificate has wildcard DNS SAN entries, to match a specific client, it should be + * configured with exact match type in the :ref:`string matcher `. + * For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", + * it should be configured as shown below. + * + * .. code-block:: yaml + * + * match_typed_subject_alt_names: + * - san_type: DNS + * matcher: + * exact: "api.example.com" + * + * .. attention:: + * + * Subject Alternative Names are easily spoofable and verifying only them is insecure, + * therefore this option must be used together with :ref:`trusted_ca + * `. + */ + 'match_typed_subject_alt_names'?: (_envoy_extensions_transport_sockets_tls_v3_SubjectAltNameMatcher)[]; + /** + * Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent. + * This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. If a trusted issuer + * appears in the chain, but in a depth larger than configured, the certificate validation will fail. + * This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. 
It differs from ``SSL_CTX_set_verify_depth`` + * in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. + * Trusted issues are specified by setting :ref:`trusted_ca ` + */ + 'max_verify_depth'?: (_google_protobuf_UInt32Value | null); + /** + * Use system root certs for validation. + * If present, system root certs are used only if neither of the ``trusted_ca`` + * or ``ca_certificate_provider_instance`` fields are set. + * [#not-implemented-hide:] + */ + 'system_root_certs'?: (_envoy_extensions_transport_sockets_tls_v3_CertificateValidationContext_SystemRootCerts | null); +} + +/** + * [#next-free-field: 18] + */ +export interface CertificateValidationContext__Output { + /** + * TLS certificate data containing certificate authority certificates to use in verifying + * a presented peer certificate (e.g. server certificate for clusters or client certificate + * for listeners). If not specified and a peer certificate is presented it will not be + * verified. By default, a client certificate is optional, unless one of the additional + * options (:ref:`require_client_certificate + * `, + * :ref:`verify_certificate_spki + * `, + * :ref:`verify_certificate_hash + * `, or + * :ref:`match_typed_subject_alt_names + * `) is also + * specified. + * + * It can optionally contain certificate revocation lists, in which case Envoy will verify + * that the presented peer certificate has not been revoked by one of the included CRLs. Note + * that if a CRL is provided for any certificate authority in a trust chain, a CRL must be + * provided for all certificate authorities in that chain. Failure to do so will result in + * verification failure for both revoked and unrevoked certificates from that chain. + * The behavior of requiring all certificates to contain CRLs can be altered by + * setting :ref:`only_verify_leaf_cert_crl ` + * true. If set to true, only the final certificate in the chain undergoes CRL verification. 
+ * + * See :ref:`the TLS overview ` for a list of common + * system CA locations. + * + * If ``trusted_ca`` is a filesystem path, a watch will be added to the parent + * directory for any file moves to support rotation. This currently only + * applies to dynamic secrets, when the ``CertificateValidationContext`` is + * delivered via SDS. + * + * X509_V_FLAG_PARTIAL_CHAIN is set by default, so non-root/intermediate ca certificate in ``trusted_ca`` + * can be treated as trust anchor as well. It allows verification with building valid partial chain instead + * of a full chain. + * + * If ``ca_certificate_provider_instance`` is set, it takes precedence over ``trusted_ca``. + */ + 'trusted_ca': (_envoy_config_core_v3_DataSource__Output | null); + /** + * An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that + * the SHA-256 of the DER-encoded presented certificate matches one of the specified values. + * + * A hex-encoded SHA-256 of the certificate can be generated with the following command: + * + * .. code-block:: bash + * + * $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d" " -f2 + * df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a + * + * A long hex-encoded and colon-separated SHA-256 (a.k.a. "fingerprint") of the certificate + * can be generated with the following command: + * + * .. code-block:: bash + * + * $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d"=" -f2 + * DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A + * + * Both of those formats are acceptable. + * + * When both: + * :ref:`verify_certificate_hash + * ` and + * :ref:`verify_certificate_spki + * ` are specified, + * a hash matching value from either of the lists will result in the certificate being accepted. + */ + 'verify_certificate_hash': (string)[]; + /** + * An optional list of base64-encoded SHA-256 hashes. 
If specified, Envoy will verify that the + * SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate + * matches one of the specified values. + * + * A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate + * can be generated with the following command: + * + * .. code-block:: bash + * + * $ openssl x509 -in path/to/client.crt -noout -pubkey + * | openssl pkey -pubin -outform DER + * | openssl dgst -sha256 -binary + * | openssl enc -base64 + * NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A= + * + * This is the format used in HTTP Public Key Pinning. + * + * When both: + * :ref:`verify_certificate_hash + * ` and + * :ref:`verify_certificate_spki + * ` are specified, + * a hash matching value from either of the lists will result in the certificate being accepted. + * + * .. attention:: + * + * This option is preferred over :ref:`verify_certificate_hash + * `, + * because SPKI is tied to a private key, so it doesn't change when the certificate + * is renewed using the same private key. + */ + 'verify_certificate_spki': (string)[]; + /** + * [#not-implemented-hide:] Must present signed certificate time-stamp. + */ + 'require_signed_certificate_timestamp': (_google_protobuf_BoolValue__Output | null); + /** + * An optional `certificate revocation list + * `_ + * (in PEM format). If specified, Envoy will verify that the presented peer + * certificate has not been revoked by this CRL. If this DataSource contains + * multiple CRLs, all of them will be used. Note that if a CRL is provided + * for any certificate authority in a trust chain, a CRL must be provided + * for all certificate authorities in that chain. Failure to do so will + * result in verification failure for both revoked and unrevoked certificates + * from that chain. This default behavior can be altered by setting + * :ref:`only_verify_leaf_cert_crl ` to + * true. 
+ * + * If ``crl`` is a filesystem path, a watch will be added to the parent + * directory for any file moves to support rotation. This currently only + * applies to dynamic secrets, when the ``CertificateValidationContext`` is + * delivered via SDS. + */ + 'crl': (_envoy_config_core_v3_DataSource__Output | null); + /** + * If specified, Envoy will not reject expired certificates. + */ + 'allow_expired_certificate': (boolean); + /** + * This field is deprecated in favor of + * :ref:`match_typed_subject_alt_names + * `. + * Note that if both this field and :ref:`match_typed_subject_alt_names + * ` + * are specified, the former (deprecated field) is ignored. + * @deprecated + */ + 'match_subject_alt_names': (_envoy_type_matcher_v3_StringMatcher__Output)[]; + /** + * Certificate trust chain verification mode. + */ + 'trust_chain_verification': (_envoy_extensions_transport_sockets_tls_v3_CertificateValidationContext_TrustChainVerification__Output); + /** + * If specified, updates of a file-based ``trusted_ca`` source will be triggered + * by this watch. This allows explicit control over the path watched, by + * default the parent directory of the filesystem path in ``trusted_ca`` is + * watched if this field is not specified. This only applies when a + * ``CertificateValidationContext`` is delivered by SDS with references to + * filesystem paths. See the :ref:`SDS key rotation ` + * documentation for further details. + */ + 'watched_directory': (_envoy_config_core_v3_WatchedDirectory__Output | null); + /** + * The configuration of an extension specific certificate validator. + * If specified, all validation is done by the specified validator, + * and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated). + * Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field. 
+ * [#extension-category: envoy.tls.cert_validator] + */ + 'custom_validator_config': (_envoy_config_core_v3_TypedExtensionConfig__Output | null); + /** + * Certificate provider instance for fetching TLS certificates. + * + * If set, takes precedence over ``trusted_ca``. + * [#not-implemented-hide:] + */ + 'ca_certificate_provider_instance': (_envoy_extensions_transport_sockets_tls_v3_CertificateProviderPluginInstance__Output | null); + /** + * If this option is set to true, only the certificate at the end of the + * certificate chain will be subject to validation by :ref:`CRL `. + */ + 'only_verify_leaf_cert_crl': (boolean); + /** + * An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the + * Subject Alternative Name of the presented certificate matches one of the specified matchers. + * The matching uses "any" semantics, that is to say, the SAN is verified if at least one matcher is + * matched. + * + * When a certificate has wildcard DNS SAN entries, to match a specific client, it should be + * configured with exact match type in the :ref:`string matcher `. + * For example if the certificate has "\*.example.com" as DNS SAN entry, to allow only "api.example.com", + * it should be configured as shown below. + * + * .. code-block:: yaml + * + * match_typed_subject_alt_names: + * - san_type: DNS + * matcher: + * exact: "api.example.com" + * + * .. attention:: + * + * Subject Alternative Names are easily spoofable and verifying only them is insecure, + * therefore this option must be used together with :ref:`trusted_ca + * `. + */ + 'match_typed_subject_alt_names': (_envoy_extensions_transport_sockets_tls_v3_SubjectAltNameMatcher__Output)[]; + /** + * Defines maximum depth of a certificate chain accepted in verification, the default limit is 100, though this can be system-dependent. + * This number does not include the leaf but includes the trust anchor, so a depth of 1 allows the leaf and one CA certificate. 
If a trusted issuer + * appears in the chain, but in a depth larger than configured, the certificate validation will fail. + * This matches the semantics of ``SSL_CTX_set_verify_depth`` in OpenSSL 1.0.x and older versions of BoringSSL. It differs from ``SSL_CTX_set_verify_depth`` + * in OpenSSL 1.1.x and newer versions of BoringSSL in that the trust anchor is included. + * Trusted issues are specified by setting :ref:`trusted_ca ` + */ + 'max_verify_depth': (_google_protobuf_UInt32Value__Output | null); + /** + * Use system root certs for validation. + * If present, system root certs are used only if neither of the ``trusted_ca`` + * or ``ca_certificate_provider_instance`` fields are set. + * [#not-implemented-hide:] + */ + 'system_root_certs': (_envoy_extensions_transport_sockets_tls_v3_CertificateValidationContext_SystemRootCerts__Output | null); +} diff --git a/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/CommonTlsContext.ts b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/CommonTlsContext.ts new file mode 100644 index 000000000..1d49e0d90 --- /dev/null +++ b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/CommonTlsContext.ts 
@@ -0,0 +1,387 @@ +// Original file: deps/envoy-api/envoy/extensions/transport_sockets/tls/v3/tls.proto + +import type { TlsParameters as _envoy_extensions_transport_sockets_tls_v3_TlsParameters, TlsParameters__Output as _envoy_extensions_transport_sockets_tls_v3_TlsParameters__Output } from '../../../../../envoy/extensions/transport_sockets/tls/v3/TlsParameters'; +import type { TlsCertificate as _envoy_extensions_transport_sockets_tls_v3_TlsCertificate, TlsCertificate__Output as _envoy_extensions_transport_sockets_tls_v3_TlsCertificate__Output } from '../../../../../envoy/extensions/transport_sockets/tls/v3/TlsCertificate'; +import type { CertificateValidationContext as _envoy_extensions_transport_sockets_tls_v3_CertificateValidationContext, CertificateValidationContext__Output as _envoy_extensions_transport_sockets_tls_v3_CertificateValidationContext__Output } from '../../../../../envoy/extensions/transport_sockets/tls/v3/CertificateValidationContext'; +import type { SdsSecretConfig as _envoy_extensions_transport_sockets_tls_v3_SdsSecretConfig, SdsSecretConfig__Output as _envoy_extensions_transport_sockets_tls_v3_SdsSecretConfig__Output } from '../../../../../envoy/extensions/transport_sockets/tls/v3/SdsSecretConfig'; +import type { TypedExtensionConfig as _envoy_config_core_v3_TypedExtensionConfig, TypedExtensionConfig__Output as _envoy_config_core_v3_TypedExtensionConfig__Output } from '../../../../../envoy/config/core/v3/TypedExtensionConfig'; +import type { CertificateProviderPluginInstance as _envoy_extensions_transport_sockets_tls_v3_CertificateProviderPluginInstance, CertificateProviderPluginInstance__Output as _envoy_extensions_transport_sockets_tls_v3_CertificateProviderPluginInstance__Output } from '../../../../../envoy/extensions/transport_sockets/tls/v3/CertificateProviderPluginInstance'; +import type { TlsKeyLog as _envoy_extensions_transport_sockets_tls_v3_TlsKeyLog, TlsKeyLog__Output as _envoy_extensions_transport_sockets_tls_v3_TlsKeyLog__Output } 
from '../../../../../envoy/extensions/transport_sockets/tls/v3/TlsKeyLog'; + +/** + * Config for Certificate provider to get certificates. This provider should allow certificates to be + * fetched/refreshed over the network asynchronously with respect to the TLS handshake. + * + * DEPRECATED: This message is not currently used, but if we ever do need it, we will want to + * move it out of CommonTlsContext and into common.proto, similar to the existing + * CertificateProviderPluginInstance message. + * + * [#not-implemented-hide:] + */ +export interface _envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CertificateProvider { + /** + * opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify + * a root-certificate (validation context) or "TLS" to specify a new tls-certificate. + */ + 'name'?: (string); + 'typed_config'?: (_envoy_config_core_v3_TypedExtensionConfig | null); + /** + * Provider specific config. + * Note: an implementation is expected to dedup multiple instances of the same config + * to maintain a single certificate-provider instance. The sharing can happen, for + * example, among multiple clusters or between the tls_certificate and validation_context + * certificate providers of a cluster. + * This config could be supplied inline or (in future) a named xDS resource. + */ + 'config'?: "typed_config"; +} + +/** + * Config for Certificate provider to get certificates. This provider should allow certificates to be + * fetched/refreshed over the network asynchronously with respect to the TLS handshake. + * + * DEPRECATED: This message is not currently used, but if we ever do need it, we will want to + * move it out of CommonTlsContext and into common.proto, similar to the existing + * CertificateProviderPluginInstance message. 
+ * + * [#not-implemented-hide:] + */ +export interface _envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CertificateProvider__Output { + /** + * opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify + * a root-certificate (validation context) or "TLS" to specify a new tls-certificate. + */ + 'name': (string); + 'typed_config'?: (_envoy_config_core_v3_TypedExtensionConfig__Output | null); + /** + * Provider specific config. + * Note: an implementation is expected to dedup multiple instances of the same config + * to maintain a single certificate-provider instance. The sharing can happen, for + * example, among multiple clusters or between the tls_certificate and validation_context + * certificate providers of a cluster. + * This config could be supplied inline or (in future) a named xDS resource. + */ + 'config': "typed_config"; +} + +/** + * Similar to CertificateProvider above, but allows the provider instances to be configured on + * the client side instead of being sent from the control plane. + * + * DEPRECATED: This message was moved outside of CommonTlsContext + * and now lives in common.proto. + * + * [#not-implemented-hide:] + */ +export interface _envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CertificateProviderInstance { + /** + * Provider instance name. This name must be defined in the client's configuration (e.g., a + * bootstrap file) to correspond to a provider instance (i.e., the same data in the typed_config + * field that would be sent in the CertificateProvider message if the config was sent by the + * control plane). If not present, defaults to "default". + * + * Instance names should generally be defined not in terms of the underlying provider + * implementation (e.g., "file_watcher") but rather in terms of the function of the + * certificates (e.g., "foo_deployment_identity"). + */ + 'instance_name'?: (string); + /** + * Opaque name used to specify certificate instances or types. 
For example, "ROOTCA" to specify + * a root-certificate (validation context) or "example.com" to specify a certificate for a + * particular domain. Not all provider instances will actually use this field, so the value + * defaults to the empty string. + */ + 'certificate_name'?: (string); +} + +/** + * Similar to CertificateProvider above, but allows the provider instances to be configured on + * the client side instead of being sent from the control plane. + * + * DEPRECATED: This message was moved outside of CommonTlsContext + * and now lives in common.proto. + * + * [#not-implemented-hide:] + */ +export interface _envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CertificateProviderInstance__Output { + /** + * Provider instance name. This name must be defined in the client's configuration (e.g., a + * bootstrap file) to correspond to a provider instance (i.e., the same data in the typed_config + * field that would be sent in the CertificateProvider message if the config was sent by the + * control plane). If not present, defaults to "default". + * + * Instance names should generally be defined not in terms of the underlying provider + * implementation (e.g., "file_watcher") but rather in terms of the function of the + * certificates (e.g., "foo_deployment_identity"). + */ + 'instance_name': (string); + /** + * Opaque name used to specify certificate instances or types. For example, "ROOTCA" to specify + * a root-certificate (validation context) or "example.com" to specify a certificate for a + * particular domain. Not all provider instances will actually use this field, so the value + * defaults to the empty string. + */ + 'certificate_name': (string); +} + +export interface _envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CombinedCertificateValidationContext { + /** + * How to validate peer certificates. 
+ */ + 'default_validation_context'?: (_envoy_extensions_transport_sockets_tls_v3_CertificateValidationContext | null); + /** + * Config for fetching validation context via SDS API. Note SDS API allows certificates to be + * fetched/refreshed over the network asynchronously with respect to the TLS handshake. + */ + 'validation_context_sds_secret_config'?: (_envoy_extensions_transport_sockets_tls_v3_SdsSecretConfig | null); + /** + * Certificate provider for fetching CA certs. This will populate the + * ``default_validation_context.trusted_ca`` field. + * [#not-implemented-hide:] + * @deprecated + */ + 'validation_context_certificate_provider'?: (_envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CertificateProvider | null); + /** + * Certificate provider instance for fetching CA certs. This will populate the + * ``default_validation_context.trusted_ca`` field. + * [#not-implemented-hide:] + * @deprecated + */ + 'validation_context_certificate_provider_instance'?: (_envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CertificateProviderInstance | null); +} + +export interface _envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CombinedCertificateValidationContext__Output { + /** + * How to validate peer certificates. + */ + 'default_validation_context': (_envoy_extensions_transport_sockets_tls_v3_CertificateValidationContext__Output | null); + /** + * Config for fetching validation context via SDS API. Note SDS API allows certificates to be + * fetched/refreshed over the network asynchronously with respect to the TLS handshake. + */ + 'validation_context_sds_secret_config': (_envoy_extensions_transport_sockets_tls_v3_SdsSecretConfig__Output | null); + /** + * Certificate provider for fetching CA certs. This will populate the + * ``default_validation_context.trusted_ca`` field. 
+ * [#not-implemented-hide:] + * @deprecated + */ + 'validation_context_certificate_provider': (_envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CertificateProvider__Output | null); + /** + * Certificate provider instance for fetching CA certs. This will populate the + * ``default_validation_context.trusted_ca`` field. + * [#not-implemented-hide:] + * @deprecated + */ + 'validation_context_certificate_provider_instance': (_envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CertificateProviderInstance__Output | null); +} + +/** + * TLS context shared by both client and server TLS contexts. + * [#next-free-field: 16] + */ +export interface CommonTlsContext { + /** + * TLS protocol versions, cipher suites etc. + */ + 'tls_params'?: (_envoy_extensions_transport_sockets_tls_v3_TlsParameters | null); + /** + * Only a single TLS certificate is supported in client contexts. In server contexts, + * :ref:`Multiple TLS certificates ` can be associated with the + * same context to allow both RSA and ECDSA certificates and support SNI-based selection. + * + * If ``tls_certificate_provider_instance`` is set, this field is ignored. + * If this field is set, ``tls_certificate_sds_secret_configs`` is ignored. + */ + 'tls_certificates'?: (_envoy_extensions_transport_sockets_tls_v3_TlsCertificate)[]; + /** + * How to validate peer certificates. + */ + 'validation_context'?: (_envoy_extensions_transport_sockets_tls_v3_CertificateValidationContext | null); + /** + * Supplies the list of ALPN protocols that the listener should expose. In + * practice this is likely to be set to one of two values (see the + * :ref:`codec_type + * ` + * parameter in the HTTP connection manager for more information): + * + * * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1. + * * "http/1.1" If the listener is only going to support HTTP/1.1. + * + * There is no default for this parameter. If empty, Envoy will not expose ALPN. 
+ */ + 'alpn_protocols'?: (string)[]; + /** + * Configs for fetching TLS certificates via SDS API. Note SDS API allows certificates to be + * fetched/refreshed over the network asynchronously with respect to the TLS handshake. + * + * The same number and types of certificates as :ref:`tls_certificates ` + * are valid in the the certificates fetched through this setting. + * + * If ``tls_certificates`` or ``tls_certificate_provider_instance`` are set, this field + * is ignored. + */ + 'tls_certificate_sds_secret_configs'?: (_envoy_extensions_transport_sockets_tls_v3_SdsSecretConfig)[]; + /** + * Config for fetching validation context via SDS API. Note SDS API allows certificates to be + * fetched/refreshed over the network asynchronously with respect to the TLS handshake. + */ + 'validation_context_sds_secret_config'?: (_envoy_extensions_transport_sockets_tls_v3_SdsSecretConfig | null); + /** + * Combined certificate validation context holds a default CertificateValidationContext + * and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic + * and default CertificateValidationContext are merged into a new CertificateValidationContext + * for validation. This merge is done by Message::MergeFrom(), so dynamic + * CertificateValidationContext overwrites singular fields in default + * CertificateValidationContext, and concatenates repeated fields to default + * CertificateValidationContext, and logical OR is applied to boolean fields. + */ + 'combined_validation_context'?: (_envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CombinedCertificateValidationContext | null); + /** + * Certificate provider for fetching TLS certificates. + * [#not-implemented-hide:] + * @deprecated + */ + 'tls_certificate_certificate_provider'?: (_envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CertificateProvider | null); + /** + * Certificate provider for fetching validation context. 
+ * [#not-implemented-hide:] + * @deprecated + */ + 'validation_context_certificate_provider'?: (_envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CertificateProvider | null); + /** + * Certificate provider instance for fetching TLS certificates. + * [#not-implemented-hide:] + * @deprecated + */ + 'tls_certificate_certificate_provider_instance'?: (_envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CertificateProviderInstance | null); + /** + * Certificate provider instance for fetching validation context. + * [#not-implemented-hide:] + * @deprecated + */ + 'validation_context_certificate_provider_instance'?: (_envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CertificateProviderInstance | null); + /** + * Custom TLS handshaker. If empty, defaults to native TLS handshaking + * behavior. + */ + 'custom_handshaker'?: (_envoy_config_core_v3_TypedExtensionConfig | null); + /** + * Certificate provider instance for fetching TLS certs. + * + * If this field is set, ``tls_certificates`` and ``tls_certificate_provider_instance`` + * are ignored. + * [#not-implemented-hide:] + */ + 'tls_certificate_provider_instance'?: (_envoy_extensions_transport_sockets_tls_v3_CertificateProviderPluginInstance | null); + /** + * TLS key log configuration + */ + 'key_log'?: (_envoy_extensions_transport_sockets_tls_v3_TlsKeyLog | null); + 'validation_context_type'?: "validation_context"|"validation_context_sds_secret_config"|"combined_validation_context"|"validation_context_certificate_provider"|"validation_context_certificate_provider_instance"; +} + +/** + * TLS context shared by both client and server TLS contexts. + * [#next-free-field: 16] + */ +export interface CommonTlsContext__Output { + /** + * TLS protocol versions, cipher suites etc. + */ + 'tls_params': (_envoy_extensions_transport_sockets_tls_v3_TlsParameters__Output | null); + /** + * Only a single TLS certificate is supported in client contexts. 
In server contexts, + * :ref:`Multiple TLS certificates ` can be associated with the + * same context to allow both RSA and ECDSA certificates and support SNI-based selection. + * + * If ``tls_certificate_provider_instance`` is set, this field is ignored. + * If this field is set, ``tls_certificate_sds_secret_configs`` is ignored. + */ + 'tls_certificates': (_envoy_extensions_transport_sockets_tls_v3_TlsCertificate__Output)[]; + /** + * How to validate peer certificates. + */ + 'validation_context'?: (_envoy_extensions_transport_sockets_tls_v3_CertificateValidationContext__Output | null); + /** + * Supplies the list of ALPN protocols that the listener should expose. In + * practice this is likely to be set to one of two values (see the + * :ref:`codec_type + * ` + * parameter in the HTTP connection manager for more information): + * + * * "h2,http/1.1" If the listener is going to support both HTTP/2 and HTTP/1.1. + * * "http/1.1" If the listener is only going to support HTTP/1.1. + * + * There is no default for this parameter. If empty, Envoy will not expose ALPN. + */ + 'alpn_protocols': (string)[]; + /** + * Configs for fetching TLS certificates via SDS API. Note SDS API allows certificates to be + * fetched/refreshed over the network asynchronously with respect to the TLS handshake. + * + * The same number and types of certificates as :ref:`tls_certificates ` + * are valid in the the certificates fetched through this setting. + * + * If ``tls_certificates`` or ``tls_certificate_provider_instance`` are set, this field + * is ignored. + */ + 'tls_certificate_sds_secret_configs': (_envoy_extensions_transport_sockets_tls_v3_SdsSecretConfig__Output)[]; + /** + * Config for fetching validation context via SDS API. Note SDS API allows certificates to be + * fetched/refreshed over the network asynchronously with respect to the TLS handshake. 
+ */ + 'validation_context_sds_secret_config'?: (_envoy_extensions_transport_sockets_tls_v3_SdsSecretConfig__Output | null); + /** + * Combined certificate validation context holds a default CertificateValidationContext + * and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic + * and default CertificateValidationContext are merged into a new CertificateValidationContext + * for validation. This merge is done by Message::MergeFrom(), so dynamic + * CertificateValidationContext overwrites singular fields in default + * CertificateValidationContext, and concatenates repeated fields to default + * CertificateValidationContext, and logical OR is applied to boolean fields. + */ + 'combined_validation_context'?: (_envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CombinedCertificateValidationContext__Output | null); + /** + * Certificate provider for fetching TLS certificates. + * [#not-implemented-hide:] + * @deprecated + */ + 'tls_certificate_certificate_provider': (_envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CertificateProvider__Output | null); + /** + * Certificate provider for fetching validation context. + * [#not-implemented-hide:] + * @deprecated + */ + 'validation_context_certificate_provider'?: (_envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CertificateProvider__Output | null); + /** + * Certificate provider instance for fetching TLS certificates. + * [#not-implemented-hide:] + * @deprecated + */ + 'tls_certificate_certificate_provider_instance': (_envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CertificateProviderInstance__Output | null); + /** + * Certificate provider instance for fetching validation context. + * [#not-implemented-hide:] + * @deprecated + */ + 'validation_context_certificate_provider_instance'?: (_envoy_extensions_transport_sockets_tls_v3_CommonTlsContext_CertificateProviderInstance__Output | null); + /** + * Custom TLS handshaker. 
If empty, defaults to native TLS handshaking + * behavior. + */ + 'custom_handshaker': (_envoy_config_core_v3_TypedExtensionConfig__Output | null); + /** + * Certificate provider instance for fetching TLS certs. + * + * If this field is set, ``tls_certificates`` and ``tls_certificate_provider_instance`` + * are ignored. + * [#not-implemented-hide:] + */ + 'tls_certificate_provider_instance': (_envoy_extensions_transport_sockets_tls_v3_CertificateProviderPluginInstance__Output | null); + /** + * TLS key log configuration + */ + 'key_log': (_envoy_extensions_transport_sockets_tls_v3_TlsKeyLog__Output | null); + 'validation_context_type': "validation_context"|"validation_context_sds_secret_config"|"combined_validation_context"|"validation_context_certificate_provider"|"validation_context_certificate_provider_instance"; +} diff --git a/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/DownstreamTlsContext.ts b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/DownstreamTlsContext.ts new file mode 100644 index 000000000..0eb037219 --- /dev/null +++ b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/DownstreamTlsContext.ts 
@@ -0,0 +1,191 @@ +// Original file: deps/envoy-api/envoy/extensions/transport_sockets/tls/v3/tls.proto + +import type { CommonTlsContext as _envoy_extensions_transport_sockets_tls_v3_CommonTlsContext, CommonTlsContext__Output as _envoy_extensions_transport_sockets_tls_v3_CommonTlsContext__Output } from '../../../../../envoy/extensions/transport_sockets/tls/v3/CommonTlsContext'; +import type { BoolValue as _google_protobuf_BoolValue, BoolValue__Output as _google_protobuf_BoolValue__Output } from '../../../../../google/protobuf/BoolValue'; +import type { TlsSessionTicketKeys as _envoy_extensions_transport_sockets_tls_v3_TlsSessionTicketKeys, TlsSessionTicketKeys__Output as _envoy_extensions_transport_sockets_tls_v3_TlsSessionTicketKeys__Output } from '../../../../../envoy/extensions/transport_sockets/tls/v3/TlsSessionTicketKeys'; +import type { SdsSecretConfig as _envoy_extensions_transport_sockets_tls_v3_SdsSecretConfig, SdsSecretConfig__Output as _envoy_extensions_transport_sockets_tls_v3_SdsSecretConfig__Output } from '../../../../../envoy/extensions/transport_sockets/tls/v3/SdsSecretConfig'; +import type { Duration as _google_protobuf_Duration, Duration__Output as _google_protobuf_Duration__Output } from '../../../../../google/protobuf/Duration'; + +// Original file: deps/envoy-api/envoy/extensions/transport_sockets/tls/v3/tls.proto + +export const _envoy_extensions_transport_sockets_tls_v3_DownstreamTlsContext_OcspStaplePolicy = { + /** + * OCSP responses are optional. If an OCSP response is absent + * or expired, the associated certificate will be used for + * connections without an OCSP staple. + */ + LENIENT_STAPLING: 'LENIENT_STAPLING', + /** + * OCSP responses are optional. If an OCSP response is absent, + * the associated certificate will be used without an + * OCSP staple. If a response is provided but is expired, + * the associated certificate will not be used for + * subsequent connections. 
If no suitable certificate is found, + * the connection is rejected. + */ + STRICT_STAPLING: 'STRICT_STAPLING', + /** + * OCSP responses are required. Configuration will fail if + * a certificate is provided without an OCSP response. If a + * response expires, the associated certificate will not be + * used connections. If no suitable certificate is found, the + * connection is rejected. + */ + MUST_STAPLE: 'MUST_STAPLE', +} as const; + +export type _envoy_extensions_transport_sockets_tls_v3_DownstreamTlsContext_OcspStaplePolicy = + /** + * OCSP responses are optional. If an OCSP response is absent + * or expired, the associated certificate will be used for + * connections without an OCSP staple. + */ + | 'LENIENT_STAPLING' + | 0 + /** + * OCSP responses are optional. If an OCSP response is absent, + * the associated certificate will be used without an + * OCSP staple. If a response is provided but is expired, + * the associated certificate will not be used for + * subsequent connections. If no suitable certificate is found, + * the connection is rejected. + */ + | 'STRICT_STAPLING' + | 1 + /** + * OCSP responses are required. Configuration will fail if + * a certificate is provided without an OCSP response. If a + * response expires, the associated certificate will not be + * used connections. If no suitable certificate is found, the + * connection is rejected. + */ + | 'MUST_STAPLE' + | 2 + +export type _envoy_extensions_transport_sockets_tls_v3_DownstreamTlsContext_OcspStaplePolicy__Output = typeof _envoy_extensions_transport_sockets_tls_v3_DownstreamTlsContext_OcspStaplePolicy[keyof typeof _envoy_extensions_transport_sockets_tls_v3_DownstreamTlsContext_OcspStaplePolicy] + +/** + * [#next-free-field: 11] + */ +export interface DownstreamTlsContext { + /** + * Common TLS context settings. 
+ */ + 'common_tls_context'?: (_envoy_extensions_transport_sockets_tls_v3_CommonTlsContext | null); + /** + * If specified, Envoy will reject connections without a valid client + * certificate. + */ + 'require_client_certificate'?: (_google_protobuf_BoolValue | null); + /** + * If specified, Envoy will reject connections without a valid and matching SNI. + * [#not-implemented-hide:] + */ + 'require_sni'?: (_google_protobuf_BoolValue | null); + /** + * TLS session ticket key settings. + */ + 'session_ticket_keys'?: (_envoy_extensions_transport_sockets_tls_v3_TlsSessionTicketKeys | null); + /** + * Config for fetching TLS session ticket keys via SDS API. + */ + 'session_ticket_keys_sds_secret_config'?: (_envoy_extensions_transport_sockets_tls_v3_SdsSecretConfig | null); + /** + * If specified, ``session_timeout`` will change the maximum lifetime (in seconds) of the TLS session. + * Currently this value is used as a hint for the `TLS session ticket lifetime (for TLSv1.2) `_. + * Only seconds can be specified (fractional seconds are ignored). + */ + 'session_timeout'?: (_google_protobuf_Duration | null); + /** + * Config for controlling stateless TLS session resumption: setting this to true will cause the TLS + * server to not issue TLS session tickets for the purposes of stateless TLS session resumption. + * If set to false, the TLS server will issue TLS session tickets and encrypt/decrypt them using + * the keys specified through either :ref:`session_ticket_keys ` + * or :ref:`session_ticket_keys_sds_secret_config `. + * If this config is set to false and no keys are explicitly configured, the TLS server will issue + * TLS session tickets and encrypt/decrypt them using an internally-generated and managed key, with the + * implication that sessions cannot be resumed across hot restarts or on different hosts. 
+ */ + 'disable_stateless_session_resumption'?: (boolean); + /** + * Config for whether to use certificates if they do not have + * an accompanying OCSP response or if the response expires at runtime. + * Defaults to LENIENT_STAPLING + */ + 'ocsp_staple_policy'?: (_envoy_extensions_transport_sockets_tls_v3_DownstreamTlsContext_OcspStaplePolicy); + /** + * Multiple certificates are allowed in Downstream transport socket to serve different SNI. + * If the client provides SNI but no such cert matched, it will decide to full scan certificates or not based on this config. + * Defaults to false. See more details in :ref:`Multiple TLS certificates `. + */ + 'full_scan_certs_on_sni_mismatch'?: (_google_protobuf_BoolValue | null); + /** + * If set to true, the TLS server will not maintain a session cache of TLS sessions. (This is + * relevant only for TLSv1.2 and earlier.) + */ + 'disable_stateful_session_resumption'?: (boolean); + 'session_ticket_keys_type'?: "session_ticket_keys"|"session_ticket_keys_sds_secret_config"|"disable_stateless_session_resumption"; +} + +/** + * [#next-free-field: 11] + */ +export interface DownstreamTlsContext__Output { + /** + * Common TLS context settings. + */ + 'common_tls_context': (_envoy_extensions_transport_sockets_tls_v3_CommonTlsContext__Output | null); + /** + * If specified, Envoy will reject connections without a valid client + * certificate. + */ + 'require_client_certificate': (_google_protobuf_BoolValue__Output | null); + /** + * If specified, Envoy will reject connections without a valid and matching SNI. + * [#not-implemented-hide:] + */ + 'require_sni': (_google_protobuf_BoolValue__Output | null); + /** + * TLS session ticket key settings. + */ + 'session_ticket_keys'?: (_envoy_extensions_transport_sockets_tls_v3_TlsSessionTicketKeys__Output | null); + /** + * Config for fetching TLS session ticket keys via SDS API. 
+ */ + 'session_ticket_keys_sds_secret_config'?: (_envoy_extensions_transport_sockets_tls_v3_SdsSecretConfig__Output | null); + /** + * If specified, ``session_timeout`` will change the maximum lifetime (in seconds) of the TLS session. + * Currently this value is used as a hint for the `TLS session ticket lifetime (for TLSv1.2) `_. + * Only seconds can be specified (fractional seconds are ignored). + */ + 'session_timeout': (_google_protobuf_Duration__Output | null); + /** + * Config for controlling stateless TLS session resumption: setting this to true will cause the TLS + * server to not issue TLS session tickets for the purposes of stateless TLS session resumption. + * If set to false, the TLS server will issue TLS session tickets and encrypt/decrypt them using + * the keys specified through either :ref:`session_ticket_keys ` + * or :ref:`session_ticket_keys_sds_secret_config `. + * If this config is set to false and no keys are explicitly configured, the TLS server will issue + * TLS session tickets and encrypt/decrypt them using an internally-generated and managed key, with the + * implication that sessions cannot be resumed across hot restarts or on different hosts. + */ + 'disable_stateless_session_resumption'?: (boolean); + /** + * Config for whether to use certificates if they do not have + * an accompanying OCSP response or if the response expires at runtime. + * Defaults to LENIENT_STAPLING + */ + 'ocsp_staple_policy': (_envoy_extensions_transport_sockets_tls_v3_DownstreamTlsContext_OcspStaplePolicy__Output); + /** + * Multiple certificates are allowed in Downstream transport socket to serve different SNI. + * If the client provides SNI but no such cert matched, it will decide to full scan certificates or not based on this config. + * Defaults to false. See more details in :ref:`Multiple TLS certificates `. 
+ */ + 'full_scan_certs_on_sni_mismatch': (_google_protobuf_BoolValue__Output | null); + /** + * If set to true, the TLS server will not maintain a session cache of TLS sessions. (This is + * relevant only for TLSv1.2 and earlier.) + */ + 'disable_stateful_session_resumption': (boolean); + 'session_ticket_keys_type': "session_ticket_keys"|"session_ticket_keys_sds_secret_config"|"disable_stateless_session_resumption"; +} diff --git a/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/GenericSecret.ts b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/GenericSecret.ts new file mode 100644 index 000000000..b206fb13a --- /dev/null +++ b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/GenericSecret.ts @@ -0,0 +1,17 @@ +// Original file: deps/envoy-api/envoy/extensions/transport_sockets/tls/v3/secret.proto + +import type { DataSource as _envoy_config_core_v3_DataSource, DataSource__Output as _envoy_config_core_v3_DataSource__Output } from '../../../../../envoy/config/core/v3/DataSource'; + +export interface GenericSecret { + /** + * Secret of generic type and is available to filters. + */ + 'secret'?: (_envoy_config_core_v3_DataSource | null); +} + +export interface GenericSecret__Output { + /** + * Secret of generic type and is available to filters. + */ + 'secret': (_envoy_config_core_v3_DataSource__Output | null); +} diff --git a/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/PrivateKeyProvider.ts b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/PrivateKeyProvider.ts new file mode 100644 index 000000000..129f8d3e6 --- /dev/null +++ b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/PrivateKeyProvider.ts 
@@ -0,0 +1,51 @@ +// Original file: deps/envoy-api/envoy/extensions/transport_sockets/tls/v3/common.proto + +import type { Any as _google_protobuf_Any, Any__Output as _google_protobuf_Any__Output } from '../../../../../google/protobuf/Any'; + +/** + * BoringSSL private key method configuration. The private key methods are used for external + * (potentially asynchronous) signing and decryption operations. Some use cases for private key + * methods would be TPM support and TLS acceleration. + */ +export interface PrivateKeyProvider { + /** + * Private key method provider name. The name must match a + * supported private key method provider type. + */ + 'provider_name'?: (string); + 'typed_config'?: (_google_protobuf_Any | null); + /** + * If the private key provider isn't available (eg. the required hardware capability doesn't existed), + * Envoy will fallback to the BoringSSL default implementation when the ``fallback`` is true. + * The default value is ``false``. + */ + 'fallback'?: (boolean); + /** + * Private key method provider specific configuration. + */ + 'config_type'?: "typed_config"; +} + +/** + * BoringSSL private key method configuration. The private key methods are used for external + * (potentially asynchronous) signing and decryption operations. Some use cases for private key + * methods would be TPM support and TLS acceleration. + */ +export interface PrivateKeyProvider__Output { + /** + * Private key method provider name. The name must match a + * supported private key method provider type. + */ + 'provider_name': (string); + 'typed_config'?: (_google_protobuf_Any__Output | null); + /** + * If the private key provider isn't available (eg. the required hardware capability doesn't existed), + * Envoy will fallback to the BoringSSL default implementation when the ``fallback`` is true. + * The default value is ``false``. + */ + 'fallback': (boolean); + /** + * Private key method provider specific configuration. + */ + 'config_type': "typed_config"; +} 
diff --git a/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/SdsSecretConfig.ts b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/SdsSecretConfig.ts new file mode 100644 index 000000000..38b850c50 --- /dev/null +++ b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/SdsSecretConfig.ts @@ -0,0 +1,23 @@ +// Original file: deps/envoy-api/envoy/extensions/transport_sockets/tls/v3/secret.proto + +import type { ConfigSource as _envoy_config_core_v3_ConfigSource, ConfigSource__Output as _envoy_config_core_v3_ConfigSource__Output } from '../../../../../envoy/config/core/v3/ConfigSource'; + +export interface SdsSecretConfig { + /** + * Name by which the secret can be uniquely referred to. When both name and config are specified, + * then secret can be fetched and/or reloaded via SDS. When only name is specified, then secret + * will be loaded from static resources. + */ + 'name'?: (string); + 'sds_config'?: (_envoy_config_core_v3_ConfigSource | null); +} + +export interface SdsSecretConfig__Output { + /** + * Name by which the secret can be uniquely referred to. When both name and config are specified, + * then secret can be fetched and/or reloaded via SDS. When only name is specified, then secret + * will be loaded from static resources. + */ + 'name': (string); + 'sds_config': (_envoy_config_core_v3_ConfigSource__Output | null); +} diff --git a/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/Secret.ts b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/Secret.ts new file mode 100644 index 000000000..c86957da5 --- /dev/null +++ b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/Secret.ts 
@@ -0,0 +1,36 @@ +// Original file: deps/envoy-api/envoy/extensions/transport_sockets/tls/v3/secret.proto + +import type { TlsCertificate as _envoy_extensions_transport_sockets_tls_v3_TlsCertificate, TlsCertificate__Output as _envoy_extensions_transport_sockets_tls_v3_TlsCertificate__Output } from '../../../../../envoy/extensions/transport_sockets/tls/v3/TlsCertificate'; +import type { TlsSessionTicketKeys as _envoy_extensions_transport_sockets_tls_v3_TlsSessionTicketKeys, TlsSessionTicketKeys__Output as _envoy_extensions_transport_sockets_tls_v3_TlsSessionTicketKeys__Output } from '../../../../../envoy/extensions/transport_sockets/tls/v3/TlsSessionTicketKeys'; +import type { CertificateValidationContext as _envoy_extensions_transport_sockets_tls_v3_CertificateValidationContext, CertificateValidationContext__Output as _envoy_extensions_transport_sockets_tls_v3_CertificateValidationContext__Output } from '../../../../../envoy/extensions/transport_sockets/tls/v3/CertificateValidationContext'; +import type { GenericSecret as _envoy_extensions_transport_sockets_tls_v3_GenericSecret, GenericSecret__Output as _envoy_extensions_transport_sockets_tls_v3_GenericSecret__Output } from '../../../../../envoy/extensions/transport_sockets/tls/v3/GenericSecret'; + +/** + * [#next-free-field: 6] + */ +export interface Secret { + /** + * Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to. 
+ */ + 'name'?: (string); + 'tls_certificate'?: (_envoy_extensions_transport_sockets_tls_v3_TlsCertificate | null); + 'session_ticket_keys'?: (_envoy_extensions_transport_sockets_tls_v3_TlsSessionTicketKeys | null); + 'validation_context'?: (_envoy_extensions_transport_sockets_tls_v3_CertificateValidationContext | null); + 'generic_secret'?: (_envoy_extensions_transport_sockets_tls_v3_GenericSecret | null); + 'type'?: "tls_certificate"|"session_ticket_keys"|"validation_context"|"generic_secret"; +} + +/** + * [#next-free-field: 6] + */ +export interface Secret__Output { + /** + * Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to. + */ + 'name': (string); + 'tls_certificate'?: (_envoy_extensions_transport_sockets_tls_v3_TlsCertificate__Output | null); + 'session_ticket_keys'?: (_envoy_extensions_transport_sockets_tls_v3_TlsSessionTicketKeys__Output | null); + 'validation_context'?: (_envoy_extensions_transport_sockets_tls_v3_CertificateValidationContext__Output | null); + 'generic_secret'?: (_envoy_extensions_transport_sockets_tls_v3_GenericSecret__Output | null); + 'type': "tls_certificate"|"session_ticket_keys"|"validation_context"|"generic_secret"; +} diff --git a/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/SubjectAltNameMatcher.ts b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/SubjectAltNameMatcher.ts new file mode 100644 index 000000000..eb91e4381 --- /dev/null +++ b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/SubjectAltNameMatcher.ts 
@@ -0,0 +1,102 @@ +// Original file: deps/envoy-api/envoy/extensions/transport_sockets/tls/v3/common.proto + +import type { StringMatcher as _envoy_type_matcher_v3_StringMatcher, StringMatcher__Output as _envoy_type_matcher_v3_StringMatcher__Output } from '../../../../../envoy/type/matcher/v3/StringMatcher'; + +// Original file: deps/envoy-api/envoy/extensions/transport_sockets/tls/v3/common.proto + +/** + * Indicates the choice of GeneralName as defined in section 4.2.1.5 of RFC 5280 to match + * against. + */ +export const _envoy_extensions_transport_sockets_tls_v3_SubjectAltNameMatcher_SanType = { + SAN_TYPE_UNSPECIFIED: 'SAN_TYPE_UNSPECIFIED', + EMAIL: 'EMAIL', + DNS: 'DNS', + URI: 'URI', + IP_ADDRESS: 'IP_ADDRESS', + OTHER_NAME: 'OTHER_NAME', +} as const; + +/** + * Indicates the choice of GeneralName as defined in section 4.2.1.5 of RFC 5280 to match + * against. + */ +export type _envoy_extensions_transport_sockets_tls_v3_SubjectAltNameMatcher_SanType = + | 'SAN_TYPE_UNSPECIFIED' + | 0 + | 'EMAIL' + | 1 + | 'DNS' + | 2 + | 'URI' + | 3 + | 'IP_ADDRESS' + | 4 + | 'OTHER_NAME' + | 5 + +/** + * Indicates the choice of GeneralName as defined in section 4.2.1.5 of RFC 5280 to match + * against. + */ +export type _envoy_extensions_transport_sockets_tls_v3_SubjectAltNameMatcher_SanType__Output = typeof _envoy_extensions_transport_sockets_tls_v3_SubjectAltNameMatcher_SanType[keyof typeof _envoy_extensions_transport_sockets_tls_v3_SubjectAltNameMatcher_SanType] + +/** + * Matcher for subject alternative names, to match both type and value of the SAN. + */ +export interface SubjectAltNameMatcher { + /** + * Specification of type of SAN. Note that the default enum value is an invalid choice. + */ + 'san_type'?: (_envoy_extensions_transport_sockets_tls_v3_SubjectAltNameMatcher_SanType); + /** + * Matcher for SAN value. 
+ * + * The string matching for OTHER_NAME SAN values depends on their ASN.1 type: + * + * * OBJECT: Validated against its dotted numeric notation (e.g., "1.2.3.4") + * * BOOLEAN: Validated against strings "true" or "false" + * * INTEGER/ENUMERATED: Validated against a string containing the integer value + * * NULL: Validated against an empty string + * * Other types: Validated directly against the string value + */ + 'matcher'?: (_envoy_type_matcher_v3_StringMatcher | null); + /** + * OID Value which is required if OTHER_NAME SAN type is used. + * For example, UPN OID is 1.3.6.1.4.1.311.20.2.3 + * (Reference: http://oid-info.com/get/1.3.6.1.4.1.311.20.2.3). + * + * If set for SAN types other than OTHER_NAME, it will be ignored. + */ + 'oid'?: (string); +} + +/** + * Matcher for subject alternative names, to match both type and value of the SAN. + */ +export interface SubjectAltNameMatcher__Output { + /** + * Specification of type of SAN. Note that the default enum value is an invalid choice. + */ + 'san_type': (_envoy_extensions_transport_sockets_tls_v3_SubjectAltNameMatcher_SanType__Output); + /** + * Matcher for SAN value. + * + * The string matching for OTHER_NAME SAN values depends on their ASN.1 type: + * + * * OBJECT: Validated against its dotted numeric notation (e.g., "1.2.3.4") + * * BOOLEAN: Validated against strings "true" or "false" + * * INTEGER/ENUMERATED: Validated against a string containing the integer value + * * NULL: Validated against an empty string + * * Other types: Validated directly against the string value + */ + 'matcher': (_envoy_type_matcher_v3_StringMatcher__Output | null); + /** + * OID Value which is required if OTHER_NAME SAN type is used. + * For example, UPN OID is 1.3.6.1.4.1.311.20.2.3 + * (Reference: http://oid-info.com/get/1.3.6.1.4.1.311.20.2.3). + * + * If set for SAN types other than OTHER_NAME, it will be ignored. + */ + 'oid': (string); +} 
diff --git a/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/TlsCertificate.ts b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/TlsCertificate.ts
new file mode 100644
index 000000000..e91d44fc6
--- /dev/null
+++ b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/TlsCertificate.ts
@@ -0,0 +1,159 @@ +// Original file: deps/envoy-api/envoy/extensions/transport_sockets/tls/v3/common.proto + +import type { DataSource as _envoy_config_core_v3_DataSource, DataSource__Output as _envoy_config_core_v3_DataSource__Output } from '../../../../../envoy/config/core/v3/DataSource'; +import type { PrivateKeyProvider as _envoy_extensions_transport_sockets_tls_v3_PrivateKeyProvider, PrivateKeyProvider__Output as _envoy_extensions_transport_sockets_tls_v3_PrivateKeyProvider__Output } from '../../../../../envoy/extensions/transport_sockets/tls/v3/PrivateKeyProvider'; +import type { WatchedDirectory as _envoy_config_core_v3_WatchedDirectory, WatchedDirectory__Output as _envoy_config_core_v3_WatchedDirectory__Output } from '../../../../../envoy/config/core/v3/WatchedDirectory'; + +/** + * [#next-free-field: 9] + */ +export interface TlsCertificate { + /** + * The TLS certificate chain. + * + * If ``certificate_chain`` is a filesystem path, a watch will be added to the + * parent directory for any file moves to support rotation. This currently + * only applies to dynamic secrets, when the ``TlsCertificate`` is delivered via + * SDS. + */ + 'certificate_chain'?: (_envoy_config_core_v3_DataSource | null); + /** + * The TLS private key. + * + * If ``private_key`` is a filesystem path, a watch will be added to the parent + * directory for any file moves to support rotation. This currently only + * applies to dynamic secrets, when the ``TlsCertificate`` is delivered via SDS. + */ + 'private_key'?: (_envoy_config_core_v3_DataSource | null); + /** + * The password to decrypt the TLS private key. If this field is not set, it is assumed that the + * TLS private key is not password encrypted. + */ + 'password'?: (_envoy_config_core_v3_DataSource | null); + /** + * The OCSP response to be stapled with this certificate during the handshake. + * The response must be DER-encoded and may only be provided via ``filename`` or + * ``inline_bytes``. 
The response may pertain to only one certificate. + */ + 'ocsp_staple'?: (_envoy_config_core_v3_DataSource | null); + /** + * [#not-implemented-hide:] + */ + 'signed_certificate_timestamp'?: (_envoy_config_core_v3_DataSource)[]; + /** + * BoringSSL private key method provider. This is an alternative to :ref:`private_key + * ` field. This can't be + * marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key + * ` and + * :ref:`private_key_provider + * ` fields will result in an + * error. + */ + 'private_key_provider'?: (_envoy_extensions_transport_sockets_tls_v3_PrivateKeyProvider | null); + /** + * If specified, updates of file-based ``certificate_chain`` and ``private_key`` + * sources will be triggered by this watch. The certificate/key pair will be + * read together and validated for atomic read consistency (i.e. no + * intervening modification occurred between cert/key read, verified by file + * hash comparisons). This allows explicit control over the path watched, by + * default the parent directories of the filesystem paths in + * ``certificate_chain`` and ``private_key`` are watched if this field is not + * specified. This only applies when a ``TlsCertificate`` is delivered by SDS + * with references to filesystem paths. See the :ref:`SDS key rotation + * ` documentation for further details. + */ + 'watched_directory'?: (_envoy_config_core_v3_WatchedDirectory | null); + /** + * ``Pkcs12`` data containing TLS certificate, chain, and private key. + * + * If ``pkcs12`` is a filesystem path, the file will be read, but no watch will + * be added to the parent directory, since ``pkcs12`` isn't used by SDS. + * This field is mutually exclusive with ``certificate_chain``, ``private_key`` and ``private_key_provider``. + * This can't be marked as ``oneof`` due to API compatibility reasons. 
Setting + * both :ref:`private_key `, + * :ref:`certificate_chain `, + * or :ref:`private_key_provider ` + * and :ref:`pkcs12 ` + * fields will result in an error. Use :ref:`password + * ` + * to specify the password to unprotect the ``PKCS12`` data, if necessary. + */ + 'pkcs12'?: (_envoy_config_core_v3_DataSource | null); +} + +/** + * [#next-free-field: 9] + */ +export interface TlsCertificate__Output { + /** + * The TLS certificate chain. + * + * If ``certificate_chain`` is a filesystem path, a watch will be added to the + * parent directory for any file moves to support rotation. This currently + * only applies to dynamic secrets, when the ``TlsCertificate`` is delivered via + * SDS. + */ + 'certificate_chain': (_envoy_config_core_v3_DataSource__Output | null); + /** + * The TLS private key. + * + * If ``private_key`` is a filesystem path, a watch will be added to the parent + * directory for any file moves to support rotation. This currently only + * applies to dynamic secrets, when the ``TlsCertificate`` is delivered via SDS. + */ + 'private_key': (_envoy_config_core_v3_DataSource__Output | null); + /** + * The password to decrypt the TLS private key. If this field is not set, it is assumed that the + * TLS private key is not password encrypted. + */ + 'password': (_envoy_config_core_v3_DataSource__Output | null); + /** + * The OCSP response to be stapled with this certificate during the handshake. + * The response must be DER-encoded and may only be provided via ``filename`` or + * ``inline_bytes``. The response may pertain to only one certificate. + */ + 'ocsp_staple': (_envoy_config_core_v3_DataSource__Output | null); + /** + * [#not-implemented-hide:] + */ + 'signed_certificate_timestamp': (_envoy_config_core_v3_DataSource__Output)[]; + /** + * BoringSSL private key method provider. This is an alternative to :ref:`private_key + * ` field. This can't be + * marked as ``oneof`` due to API compatibility reasons. 
Setting both :ref:`private_key + * ` and + * :ref:`private_key_provider + * ` fields will result in an + * error. + */ + 'private_key_provider': (_envoy_extensions_transport_sockets_tls_v3_PrivateKeyProvider__Output | null); + /** + * If specified, updates of file-based ``certificate_chain`` and ``private_key`` + * sources will be triggered by this watch. The certificate/key pair will be + * read together and validated for atomic read consistency (i.e. no + * intervening modification occurred between cert/key read, verified by file + * hash comparisons). This allows explicit control over the path watched, by + * default the parent directories of the filesystem paths in + * ``certificate_chain`` and ``private_key`` are watched if this field is not + * specified. This only applies when a ``TlsCertificate`` is delivered by SDS + * with references to filesystem paths. See the :ref:`SDS key rotation + * ` documentation for further details. + */ + 'watched_directory': (_envoy_config_core_v3_WatchedDirectory__Output | null); + /** + * ``Pkcs12`` data containing TLS certificate, chain, and private key. + * + * If ``pkcs12`` is a filesystem path, the file will be read, but no watch will + * be added to the parent directory, since ``pkcs12`` isn't used by SDS. + * This field is mutually exclusive with ``certificate_chain``, ``private_key`` and ``private_key_provider``. + * This can't be marked as ``oneof`` due to API compatibility reasons. Setting + * both :ref:`private_key `, + * :ref:`certificate_chain `, + * or :ref:`private_key_provider ` + * and :ref:`pkcs12 ` + * fields will result in an error. Use :ref:`password + * ` + * to specify the password to unprotect the ``PKCS12`` data, if necessary. + */ + 'pkcs12': (_envoy_config_core_v3_DataSource__Output | null); +} 
diff --git a/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/TlsKeyLog.ts b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/TlsKeyLog.ts
new file mode 100644
index 000000000..1b0706e5d
--- /dev/null
+++ b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/TlsKeyLog.ts
@@ -0,0 +1,45 @@ +// Original file: deps/envoy-api/envoy/extensions/transport_sockets/tls/v3/tls.proto + +import type { CidrRange as _envoy_config_core_v3_CidrRange, CidrRange__Output as _envoy_config_core_v3_CidrRange__Output } from '../../../../../envoy/config/core/v3/CidrRange'; + +/** + * TLS key log configuration. + * The key log file format is "format used by NSS for its SSLKEYLOGFILE debugging output" (text taken from openssl man page) + */ +export interface TlsKeyLog { + /** + * The path to save the TLS key log. + */ + 'path'?: (string); + /** + * The local IP address that will be used to filter the connection which should save the TLS key log + * If it is not set, any local IP address will be matched. + */ + 'local_address_range'?: (_envoy_config_core_v3_CidrRange)[]; + /** + * The remote IP address that will be used to filter the connection which should save the TLS key log + * If it is not set, any remote IP address will be matched. + */ + 'remote_address_range'?: (_envoy_config_core_v3_CidrRange)[]; +} + +/** + * TLS key log configuration. + * The key log file format is "format used by NSS for its SSLKEYLOGFILE debugging output" (text taken from openssl man page) + */ +export interface TlsKeyLog__Output { + /** + * The path to save the TLS key log. + */ + 'path': (string); + /** + * The local IP address that will be used to filter the connection which should save the TLS key log + * If it is not set, any local IP address will be matched. + */ + 'local_address_range': (_envoy_config_core_v3_CidrRange__Output)[]; + /** + * The remote IP address that will be used to filter the connection which should save the TLS key log + * If it is not set, any remote IP address will be matched. + */ + 'remote_address_range': (_envoy_config_core_v3_CidrRange__Output)[]; +} 
diff --git a/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/TlsParameters.ts b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/TlsParameters.ts new file mode 100644 index 000000000..efaebb5a7 --- /dev/null +++ b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/TlsParameters.ts 
@@ -0,0 +1,304 @@ +// Original file: deps/envoy-api/envoy/extensions/transport_sockets/tls/v3/common.proto + + +// Original file: deps/envoy-api/envoy/extensions/transport_sockets/tls/v3/common.proto + +export const _envoy_extensions_transport_sockets_tls_v3_TlsParameters_TlsProtocol = { + /** + * Envoy will choose the optimal TLS version. + */ + TLS_AUTO: 'TLS_AUTO', + /** + * TLS 1.0 + */ + TLSv1_0: 'TLSv1_0', + /** + * TLS 1.1 + */ + TLSv1_1: 'TLSv1_1', + /** + * TLS 1.2 + */ + TLSv1_2: 'TLSv1_2', + /** + * TLS 1.3 + */ + TLSv1_3: 'TLSv1_3', +} as const; + +export type _envoy_extensions_transport_sockets_tls_v3_TlsParameters_TlsProtocol = + /** + * Envoy will choose the optimal TLS version. + */ + | 'TLS_AUTO' + | 0 + /** + * TLS 1.0 + */ + | 'TLSv1_0' + | 1 + /** + * TLS 1.1 + */ + | 'TLSv1_1' + | 2 + /** + * TLS 1.2 + */ + | 'TLSv1_2' + | 3 + /** + * TLS 1.3 + */ + | 'TLSv1_3' + | 4 + +export type _envoy_extensions_transport_sockets_tls_v3_TlsParameters_TlsProtocol__Output = typeof _envoy_extensions_transport_sockets_tls_v3_TlsParameters_TlsProtocol[keyof typeof _envoy_extensions_transport_sockets_tls_v3_TlsParameters_TlsProtocol] + +/** + * [#next-free-field: 6] + */ +export interface TlsParameters { + /** + * Minimum TLS protocol version. By default, it's ``TLSv1_2`` for both clients and servers. + * + * TLS protocol versions below TLSv1_2 require setting compatible ciphers with the + * ``cipher_suites`` setting as the default ciphers no longer include compatible ciphers. + * + * .. attention:: + * + * Using TLS protocol versions below TLSv1_2 has serious security considerations and risks. + */ + 'tls_minimum_protocol_version'?: (_envoy_extensions_transport_sockets_tls_v3_TlsParameters_TlsProtocol); + /** + * Maximum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_3`` for + * servers. 
+ */ + 'tls_maximum_protocol_version'?: (_envoy_extensions_transport_sockets_tls_v3_TlsParameters_TlsProtocol); + /** + * If specified, the TLS listener will only support the specified `cipher list + * `_ + * when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). + * + * If not specified, a default list will be used. Defaults are different for server (downstream) and + * client (upstream) TLS configurations. + * Defaults will change over time in response to security considerations; If you care, configure + * it instead of using the default. + * + * In non-FIPS builds, the default server cipher list is: + * + * .. code-block:: none + * + * [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] + * [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] + * ECDHE-ECDSA-AES256-GCM-SHA384 + * ECDHE-RSA-AES256-GCM-SHA384 + * + * In builds using :ref:`BoringSSL FIPS `, the default server cipher list is: + * + * .. code-block:: none + * + * ECDHE-ECDSA-AES128-GCM-SHA256 + * ECDHE-RSA-AES128-GCM-SHA256 + * ECDHE-ECDSA-AES256-GCM-SHA384 + * ECDHE-RSA-AES256-GCM-SHA384 + * + * In non-FIPS builds, the default client cipher list is: + * + * .. code-block:: none + * + * [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] + * [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] + * ECDHE-ECDSA-AES256-GCM-SHA384 + * ECDHE-RSA-AES256-GCM-SHA384 + * + * In builds using :ref:`BoringSSL FIPS `, the default client cipher list is: + * + * .. code-block:: none + * + * ECDHE-ECDSA-AES128-GCM-SHA256 + * ECDHE-RSA-AES128-GCM-SHA256 + * ECDHE-ECDSA-AES256-GCM-SHA384 + * ECDHE-RSA-AES256-GCM-SHA384 + */ + 'cipher_suites'?: (string)[]; + /** + * If specified, the TLS connection will only support the specified ECDH + * curves. If not specified, the default curves will be used. + * + * In non-FIPS builds, the default curves are: + * + * .. 
code-block:: none + * + * X25519 + * P-256 + * + * In builds using :ref:`BoringSSL FIPS `, the default curve is: + * + * .. code-block:: none + * + * P-256 + */ + 'ecdh_curves'?: (string)[]; + /** + * If specified, the TLS connection will only support the specified signature algorithms. + * The list is ordered by preference. + * If not specified, the default signature algorithms defined by BoringSSL will be used. + * + * Default signature algorithms selected by BoringSSL (may be out of date): + * + * .. code-block:: none + * + * ecdsa_secp256r1_sha256 + * rsa_pss_rsae_sha256 + * rsa_pkcs1_sha256 + * ecdsa_secp384r1_sha384 + * rsa_pss_rsae_sha384 + * rsa_pkcs1_sha384 + * rsa_pss_rsae_sha512 + * rsa_pkcs1_sha512 + * rsa_pkcs1_sha1 + * + * Signature algorithms supported by BoringSSL (may be out of date): + * + * .. code-block:: none + * + * rsa_pkcs1_sha256 + * rsa_pkcs1_sha384 + * rsa_pkcs1_sha512 + * ecdsa_secp256r1_sha256 + * ecdsa_secp384r1_sha384 + * ecdsa_secp521r1_sha512 + * rsa_pss_rsae_sha256 + * rsa_pss_rsae_sha384 + * rsa_pss_rsae_sha512 + * ed25519 + * rsa_pkcs1_sha1 + * ecdsa_sha1 + */ + 'signature_algorithms'?: (string)[]; +} + +/** + * [#next-free-field: 6] + */ +export interface TlsParameters__Output { + /** + * Minimum TLS protocol version. By default, it's ``TLSv1_2`` for both clients and servers. + * + * TLS protocol versions below TLSv1_2 require setting compatible ciphers with the + * ``cipher_suites`` setting as the default ciphers no longer include compatible ciphers. + * + * .. attention:: + * + * Using TLS protocol versions below TLSv1_2 has serious security considerations and risks. + */ + 'tls_minimum_protocol_version': (_envoy_extensions_transport_sockets_tls_v3_TlsParameters_TlsProtocol__Output); + /** + * Maximum TLS protocol version. By default, it's ``TLSv1_2`` for clients and ``TLSv1_3`` for + * servers. 
+ */ + 'tls_maximum_protocol_version': (_envoy_extensions_transport_sockets_tls_v3_TlsParameters_TlsProtocol__Output); + /** + * If specified, the TLS listener will only support the specified `cipher list + * `_ + * when negotiating TLS 1.0-1.2 (this setting has no effect when negotiating TLS 1.3). + * + * If not specified, a default list will be used. Defaults are different for server (downstream) and + * client (upstream) TLS configurations. + * Defaults will change over time in response to security considerations; If you care, configure + * it instead of using the default. + * + * In non-FIPS builds, the default server cipher list is: + * + * .. code-block:: none + * + * [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] + * [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] + * ECDHE-ECDSA-AES256-GCM-SHA384 + * ECDHE-RSA-AES256-GCM-SHA384 + * + * In builds using :ref:`BoringSSL FIPS `, the default server cipher list is: + * + * .. code-block:: none + * + * ECDHE-ECDSA-AES128-GCM-SHA256 + * ECDHE-RSA-AES128-GCM-SHA256 + * ECDHE-ECDSA-AES256-GCM-SHA384 + * ECDHE-RSA-AES256-GCM-SHA384 + * + * In non-FIPS builds, the default client cipher list is: + * + * .. code-block:: none + * + * [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305] + * [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305] + * ECDHE-ECDSA-AES256-GCM-SHA384 + * ECDHE-RSA-AES256-GCM-SHA384 + * + * In builds using :ref:`BoringSSL FIPS `, the default client cipher list is: + * + * .. code-block:: none + * + * ECDHE-ECDSA-AES128-GCM-SHA256 + * ECDHE-RSA-AES128-GCM-SHA256 + * ECDHE-ECDSA-AES256-GCM-SHA384 + * ECDHE-RSA-AES256-GCM-SHA384 + */ + 'cipher_suites': (string)[]; + /** + * If specified, the TLS connection will only support the specified ECDH + * curves. If not specified, the default curves will be used. + * + * In non-FIPS builds, the default curves are: + * + * .. 
code-block:: none + * + * X25519 + * P-256 + * + * In builds using :ref:`BoringSSL FIPS `, the default curve is: + * + * .. code-block:: none + * + * P-256 + */ + 'ecdh_curves': (string)[]; + /** + * If specified, the TLS connection will only support the specified signature algorithms. + * The list is ordered by preference. + * If not specified, the default signature algorithms defined by BoringSSL will be used. + * + * Default signature algorithms selected by BoringSSL (may be out of date): + * + * .. code-block:: none + * + * ecdsa_secp256r1_sha256 + * rsa_pss_rsae_sha256 + * rsa_pkcs1_sha256 + * ecdsa_secp384r1_sha384 + * rsa_pss_rsae_sha384 + * rsa_pkcs1_sha384 + * rsa_pss_rsae_sha512 + * rsa_pkcs1_sha512 + * rsa_pkcs1_sha1 + * + * Signature algorithms supported by BoringSSL (may be out of date): + * + * .. code-block:: none + * + * rsa_pkcs1_sha256 + * rsa_pkcs1_sha384 + * rsa_pkcs1_sha512 + * ecdsa_secp256r1_sha256 + * ecdsa_secp384r1_sha384 + * ecdsa_secp521r1_sha512 + * rsa_pss_rsae_sha256 + * rsa_pss_rsae_sha384 + * rsa_pss_rsae_sha512 + * ed25519 + * rsa_pkcs1_sha1 + * ecdsa_sha1 + */ + 'signature_algorithms': (string)[]; +} diff --git a/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/TlsSessionTicketKeys.ts b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/TlsSessionTicketKeys.ts new file mode 100644 index 000000000..152bccac7 --- /dev/null +++ b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/TlsSessionTicketKeys.ts 
@@ -0,0 +1,61 @@ +// Original file: deps/envoy-api/envoy/extensions/transport_sockets/tls/v3/common.proto + +import type { DataSource as _envoy_config_core_v3_DataSource, DataSource__Output as _envoy_config_core_v3_DataSource__Output } from '../../../../../envoy/config/core/v3/DataSource'; + +export interface TlsSessionTicketKeys { + /** + * Keys for encrypting and decrypting TLS session tickets. The + * first key in the array contains the key to encrypt all new sessions created by this context. + * All keys are candidates for decrypting received tickets. This allows for easy rotation of keys + * by, for example, putting the new key first, and the previous key second. + * + * If :ref:`session_ticket_keys ` + * is not specified, the TLS library will still support resuming sessions via tickets, but it will + * use an internally-generated and managed key, so sessions cannot be resumed across hot restarts + * or on different hosts. + * + * Each key must contain exactly 80 bytes of cryptographically-secure random data. For + * example, the output of ``openssl rand 80``. + * + * .. attention:: + * + * Using this feature has serious security considerations and risks. Improper handling of keys + * may result in loss of secrecy in connections, even if ciphers supporting perfect forward + * secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some + * discussion. To minimize the risk, you must: + * + * * Keep the session ticket keys at least as secure as your TLS certificate private keys + * * Rotate session ticket keys at least daily, and preferably hourly + * * Always generate keys using a cryptographically-secure random data source + */ + 'keys'?: (_envoy_config_core_v3_DataSource)[]; +} + +export interface TlsSessionTicketKeys__Output { + /** + * Keys for encrypting and decrypting TLS session tickets. The + * first key in the array contains the key to encrypt all new sessions created by this context. 
+ * All keys are candidates for decrypting received tickets. This allows for easy rotation of keys + * by, for example, putting the new key first, and the previous key second. + * + * If :ref:`session_ticket_keys ` + * is not specified, the TLS library will still support resuming sessions via tickets, but it will + * use an internally-generated and managed key, so sessions cannot be resumed across hot restarts + * or on different hosts. + * + * Each key must contain exactly 80 bytes of cryptographically-secure random data. For + * example, the output of ``openssl rand 80``. + * + * .. attention:: + * + * Using this feature has serious security considerations and risks. Improper handling of keys + * may result in loss of secrecy in connections, even if ciphers supporting perfect forward + * secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some + * discussion. To minimize the risk, you must: + * + * * Keep the session ticket keys at least as secure as your TLS certificate private keys + * * Rotate session ticket keys at least daily, and preferably hourly + * * Always generate keys using a cryptographically-secure random data source + */ + 'keys': (_envoy_config_core_v3_DataSource__Output)[]; +} diff --git a/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/UpstreamTlsContext.ts b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/UpstreamTlsContext.ts new file mode 100644 index 000000000..f27677409 --- /dev/null +++ b/packages/grpc-js-xds/src/generated/envoy/extensions/transport_sockets/tls/v3/UpstreamTlsContext.ts 
@@ -0,0 +1,91 @@ +// Original file: deps/envoy-api/envoy/extensions/transport_sockets/tls/v3/tls.proto + +import type { CommonTlsContext as _envoy_extensions_transport_sockets_tls_v3_CommonTlsContext, CommonTlsContext__Output as _envoy_extensions_transport_sockets_tls_v3_CommonTlsContext__Output } from '../../../../../envoy/extensions/transport_sockets/tls/v3/CommonTlsContext'; +import type { UInt32Value as _google_protobuf_UInt32Value, UInt32Value__Output as _google_protobuf_UInt32Value__Output } from '../../../../../google/protobuf/UInt32Value'; +import type { BoolValue as _google_protobuf_BoolValue, BoolValue__Output as _google_protobuf_BoolValue__Output } from '../../../../../google/protobuf/BoolValue'; + +/** + * [#next-free-field: 6] + */ +export interface UpstreamTlsContext { + /** + * Common TLS context settings. + * + * .. attention:: + * + * Server certificate verification is not enabled by default. Configure + * :ref:`trusted_ca` to enable + * verification. + */ + 'common_tls_context'?: (_envoy_extensions_transport_sockets_tls_v3_CommonTlsContext | null); + /** + * SNI string to use when creating TLS backend connections. + */ + 'sni'?: (string); + /** + * If true, server-initiated TLS renegotiation will be allowed. + * + * .. attention:: + * + * TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary. + */ + 'allow_renegotiation'?: (boolean); + /** + * Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets + * for TLSv1.2 and older) to store for the purpose of session resumption. + * + * Defaults to 1, setting this to 0 disables session resumption. + */ + 'max_session_keys'?: (_google_protobuf_UInt32Value | null); + /** + * This field is used to control the enforcement, whereby the handshake will fail if the keyUsage extension + * is present and incompatible with the TLS usage. 
Currently, the default value is false (i.e., enforcement off) + * but it is expected to be changed to true by default in a future release. + * ``ssl.was_key_usage_invalid`` in :ref:`listener metrics ` will be set for certificate + * configurations that would fail if this option were set to true. + */ + 'enforce_rsa_key_usage'?: (_google_protobuf_BoolValue | null); +} + +/** + * [#next-free-field: 6] + */ +export interface UpstreamTlsContext__Output { + /** + * Common TLS context settings. + * + * .. attention:: + * + * Server certificate verification is not enabled by default. Configure + * :ref:`trusted_ca` to enable + * verification. + */ + 'common_tls_context': (_envoy_extensions_transport_sockets_tls_v3_CommonTlsContext__Output | null); + /** + * SNI string to use when creating TLS backend connections. + */ + 'sni': (string); + /** + * If true, server-initiated TLS renegotiation will be allowed. + * + * .. attention:: + * + * TLS renegotiation is considered insecure and shouldn't be used unless absolutely necessary. + */ + 'allow_renegotiation': (boolean); + /** + * Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets + * for TLSv1.2 and older) to store for the purpose of session resumption. + * + * Defaults to 1, setting this to 0 disables session resumption. + */ + 'max_session_keys': (_google_protobuf_UInt32Value__Output | null); + /** + * This field is used to control the enforcement, whereby the handshake will fail if the keyUsage extension + * is present and incompatible with the TLS usage. Currently, the default value is false (i.e., enforcement off) + * but it is expected to be changed to true by default in a future release. + * ``ssl.was_key_usage_invalid`` in :ref:`listener metrics ` will be set for certificate + * configurations that would fail if this option were set to true. + */ + 'enforce_rsa_key_usage': (_google_protobuf_BoolValue__Output | null); +} 
diff --git a/packages/grpc-js-xds/src/generated/envoy/type/matcher/v3/StringMatcher.ts b/packages/grpc-js-xds/src/generated/envoy/type/matcher/v3/StringMatcher.ts index 181d59d54..da787a843 100644 --- a/packages/grpc-js-xds/src/generated/envoy/type/matcher/v3/StringMatcher.ts +++ b/packages/grpc-js-xds/src/generated/envoy/type/matcher/v3/StringMatcher.ts @@ -1,10 +1,11 @@ // Original file: deps/envoy-api/envoy/type/matcher/v3/string.proto import type { RegexMatcher as _envoy_type_matcher_v3_RegexMatcher, RegexMatcher__Output as _envoy_type_matcher_v3_RegexMatcher__Output } from '../../../../envoy/type/matcher/v3/RegexMatcher'; +import type { TypedExtensionConfig as _xds_core_v3_TypedExtensionConfig, TypedExtensionConfig__Output as _xds_core_v3_TypedExtensionConfig__Output } from '../../../../xds/core/v3/TypedExtensionConfig'; /** * Specifies the way to match a string. - * [#next-free-field: 8] + * [#next-free-field: 9] */ export interface StringMatcher { /** @@ -52,12 +53,17 @@ export interface StringMatcher { * * ``abc`` matches the value ``xyz.abc.def`` */ 'contains'?: (string); - 'match_pattern'?: "exact"|"prefix"|"suffix"|"safe_regex"|"contains"; + /** + * Use an extension as the matcher type. + * [#extension-category: envoy.string_matcher] + */ + 'custom'?: (_xds_core_v3_TypedExtensionConfig | null); + 'match_pattern'?: "exact"|"prefix"|"suffix"|"safe_regex"|"contains"|"custom"; } /** * Specifies the way to match a string. - * [#next-free-field: 8] + * [#next-free-field: 9] */ export interface StringMatcher__Output { /** 
@@ -105,5 +111,10 @@ export interface StringMatcher__Output { * * ``abc`` matches the value ``xyz.abc.def`` */ 'contains'?: (string); - 'match_pattern': "exact"|"prefix"|"suffix"|"safe_regex"|"contains"; + /** + * Use an extension as the matcher type. + * [#extension-category: envoy.string_matcher] + */ + 'custom'?: (_xds_core_v3_TypedExtensionConfig__Output | null); + 'match_pattern': "exact"|"prefix"|"suffix"|"safe_regex"|"contains"|"custom"; } diff --git a/packages/grpc-js-xds/src/generated/fault.ts b/packages/grpc-js-xds/src/generated/fault.ts index aac78243b..65c68b608 100644 --- a/packages/grpc-js-xds/src/generated/fault.ts +++ b/packages/grpc-js-xds/src/generated/fault.ts @@ -28,6 +28,9 @@ export interface ProtoGrpcType { HeaderValue: MessageTypeDefinition HeaderValueOption: MessageTypeDefinition HttpUri: MessageTypeDefinition + KeyValue: MessageTypeDefinition + KeyValueAppend: MessageTypeDefinition + KeyValueMutation: MessageTypeDefinition Locality: MessageTypeDefinition Metadata: MessageTypeDefinition Node: MessageTypeDefinition diff --git a/packages/grpc-js-xds/src/generated/google/protobuf/EnumOptions.ts b/packages/grpc-js-xds/src/generated/google/protobuf/EnumOptions.ts index b92ade4f9..777901a54 100644 --- a/packages/grpc-js-xds/src/generated/google/protobuf/EnumOptions.ts +++ b/packages/grpc-js-xds/src/generated/google/protobuf/EnumOptions.ts 
@@ -1,15 +1,18 @@ // Original file: null import type { UninterpretedOption as _google_protobuf_UninterpretedOption, UninterpretedOption__Output as _google_protobuf_UninterpretedOption__Output } from '../../google/protobuf/UninterpretedOption'; +import type { MigrateAnnotation as _udpa_annotations_MigrateAnnotation, MigrateAnnotation__Output as _udpa_annotations_MigrateAnnotation__Output } from '../../udpa/annotations/MigrateAnnotation'; export interface EnumOptions { 'allowAlias'?: (boolean); 'deprecated'?: (boolean); 'uninterpretedOption'?: (_google_protobuf_UninterpretedOption)[]; + '.udpa.annotations.enum_migrate'?: (_udpa_annotations_MigrateAnnotation | null); } export interface EnumOptions__Output { 'allowAlias': (boolean); 'deprecated': (boolean); 'uninterpretedOption': (_google_protobuf_UninterpretedOption__Output)[]; + '.udpa.annotations.enum_migrate': (_udpa_annotations_MigrateAnnotation__Output | null); } diff --git a/packages/grpc-js-xds/src/generated/google/protobuf/EnumValueOptions.ts b/packages/grpc-js-xds/src/generated/google/protobuf/EnumValueOptions.ts index e60ee6f4c..9ba51ed60 100644 --- a/packages/grpc-js-xds/src/generated/google/protobuf/EnumValueOptions.ts +++ b/packages/grpc-js-xds/src/generated/google/protobuf/EnumValueOptions.ts 
@@ -1,13 +1,20 @@ // Original file: null import type { UninterpretedOption as _google_protobuf_UninterpretedOption, UninterpretedOption__Output as _google_protobuf_UninterpretedOption__Output } from '../../google/protobuf/UninterpretedOption'; +import type { MigrateAnnotation as _udpa_annotations_MigrateAnnotation, MigrateAnnotation__Output as _udpa_annotations_MigrateAnnotation__Output } from '../../udpa/annotations/MigrateAnnotation'; export interface EnumValueOptions { 'deprecated'?: (boolean); 'uninterpretedOption'?: (_google_protobuf_UninterpretedOption)[]; + '.envoy.annotations.disallowed_by_default_enum'?: (boolean); + '.udpa.annotations.enum_value_migrate'?: (_udpa_annotations_MigrateAnnotation | null); + '.envoy.annotations.deprecated_at_minor_version_enum'?: (string); } export interface EnumValueOptions__Output { 'deprecated': (boolean); 'uninterpretedOption': (_google_protobuf_UninterpretedOption__Output)[]; + '.envoy.annotations.disallowed_by_default_enum': (boolean); + '.udpa.annotations.enum_value_migrate': (_udpa_annotations_MigrateAnnotation__Output | null); + '.envoy.annotations.deprecated_at_minor_version_enum': (string); } diff --git a/packages/grpc-js-xds/src/generated/google/protobuf/FieldOptions.ts b/packages/grpc-js-xds/src/generated/google/protobuf/FieldOptions.ts index b301f2958..d8f1a7f05 100644 --- a/packages/grpc-js-xds/src/generated/google/protobuf/FieldOptions.ts +++ b/packages/grpc-js-xds/src/generated/google/protobuf/FieldOptions.ts 
@@ -1,6 +1,9 @@ // Original file: null import type { UninterpretedOption as _google_protobuf_UninterpretedOption, UninterpretedOption__Output as _google_protobuf_UninterpretedOption__Output } from '../../google/protobuf/UninterpretedOption'; +import type { FieldRules as _validate_FieldRules, FieldRules__Output as _validate_FieldRules__Output } from '../../validate/FieldRules'; +import type { FieldMigrateAnnotation as _udpa_annotations_FieldMigrateAnnotation, FieldMigrateAnnotation__Output as _udpa_annotations_FieldMigrateAnnotation__Output } from '../../udpa/annotations/FieldMigrateAnnotation'; +import type { FieldStatusAnnotation as _xds_annotations_v3_FieldStatusAnnotation, FieldStatusAnnotation__Output as _xds_annotations_v3_FieldStatusAnnotation__Output } from '../../xds/annotations/v3/FieldStatusAnnotation'; // Original file: null @@ -46,6 +49,12 @@ export interface FieldOptions { 'jstype'?: (_google_protobuf_FieldOptions_JSType); 'weak'?: (boolean); 'uninterpretedOption'?: (_google_protobuf_UninterpretedOption)[]; + '.validate.rules'?: (_validate_FieldRules | null); + '.udpa.annotations.sensitive'?: (boolean); + '.envoy.annotations.deprecated_at_minor_version'?: (string); + '.udpa.annotations.field_migrate'?: (_udpa_annotations_FieldMigrateAnnotation | null); + '.envoy.annotations.disallowed_by_default'?: (boolean); + '.xds.annotations.v3.field_status'?: (_xds_annotations_v3_FieldStatusAnnotation | null); } export interface FieldOptions__Output { 
@@ -56,4 +65,10 @@ export interface FieldOptions__Output { 'jstype': (_google_protobuf_FieldOptions_JSType__Output); 'weak': (boolean); 'uninterpretedOption': (_google_protobuf_UninterpretedOption__Output)[]; + '.validate.rules': (_validate_FieldRules__Output | null); + '.udpa.annotations.sensitive': (boolean); + '.envoy.annotations.deprecated_at_minor_version': (string); + '.udpa.annotations.field_migrate': (_udpa_annotations_FieldMigrateAnnotation__Output | null); + '.envoy.annotations.disallowed_by_default': (boolean); + '.xds.annotations.v3.field_status': (_xds_annotations_v3_FieldStatusAnnotation__Output | null); } diff --git a/packages/grpc-js-xds/src/generated/google/protobuf/FileOptions.ts b/packages/grpc-js-xds/src/generated/google/protobuf/FileOptions.ts index 6fab1a84b..2bf09204a 100644 --- a/packages/grpc-js-xds/src/generated/google/protobuf/FileOptions.ts +++ b/packages/grpc-js-xds/src/generated/google/protobuf/FileOptions.ts @@ -1,7 +1,9 @@ // Original file: null import type { UninterpretedOption as _google_protobuf_UninterpretedOption, UninterpretedOption__Output as _google_protobuf_UninterpretedOption__Output } from '../../google/protobuf/UninterpretedOption'; +import type { FileMigrateAnnotation as _udpa_annotations_FileMigrateAnnotation, FileMigrateAnnotation__Output as _udpa_annotations_FileMigrateAnnotation__Output } from '../../udpa/annotations/FileMigrateAnnotation'; import type { StatusAnnotation as _udpa_annotations_StatusAnnotation, StatusAnnotation__Output as _udpa_annotations_StatusAnnotation__Output } from '../../udpa/annotations/StatusAnnotation'; +import type { FileStatusAnnotation as _xds_annotations_v3_FileStatusAnnotation, FileStatusAnnotation__Output as _xds_annotations_v3_FileStatusAnnotation__Output } from '../../xds/annotations/v3/FileStatusAnnotation'; // Original file: null 
@@ -40,7 +42,9 @@ export interface FileOptions { 'objcClassPrefix'?: (string); 'csharpNamespace'?: (string); 'uninterpretedOption'?: (_google_protobuf_UninterpretedOption)[]; + '.udpa.annotations.file_migrate'?: (_udpa_annotations_FileMigrateAnnotation | null); '.udpa.annotations.file_status'?: (_udpa_annotations_StatusAnnotation | null); + '.xds.annotations.v3.file_status'?: (_xds_annotations_v3_FileStatusAnnotation | null); } export interface FileOptions__Output { @@ -62,5 +66,7 @@ export interface FileOptions__Output { 'objcClassPrefix': (string); 'csharpNamespace': (string); 'uninterpretedOption': (_google_protobuf_UninterpretedOption__Output)[]; + '.udpa.annotations.file_migrate': (_udpa_annotations_FileMigrateAnnotation__Output | null); '.udpa.annotations.file_status': (_udpa_annotations_StatusAnnotation__Output | null); + '.xds.annotations.v3.file_status': (_xds_annotations_v3_FileStatusAnnotation__Output | null); } diff --git a/packages/grpc-js-xds/src/generated/google/protobuf/MessageOptions.ts b/packages/grpc-js-xds/src/generated/google/protobuf/MessageOptions.ts index 31f669eb0..71d8c855b 100644 --- a/packages/grpc-js-xds/src/generated/google/protobuf/MessageOptions.ts +++ b/packages/grpc-js-xds/src/generated/google/protobuf/MessageOptions.ts 
@@ -1,6 +1,9 @@ // Original file: null import type { UninterpretedOption as _google_protobuf_UninterpretedOption, UninterpretedOption__Output as _google_protobuf_UninterpretedOption__Output } from '../../google/protobuf/UninterpretedOption'; +import type { VersioningAnnotation as _udpa_annotations_VersioningAnnotation, VersioningAnnotation__Output as _udpa_annotations_VersioningAnnotation__Output } from '../../udpa/annotations/VersioningAnnotation'; +import type { MigrateAnnotation as _udpa_annotations_MigrateAnnotation, MigrateAnnotation__Output as _udpa_annotations_MigrateAnnotation__Output } from '../../udpa/annotations/MigrateAnnotation'; +import type { MessageStatusAnnotation as _xds_annotations_v3_MessageStatusAnnotation, MessageStatusAnnotation__Output as _xds_annotations_v3_MessageStatusAnnotation__Output } from '../../xds/annotations/v3/MessageStatusAnnotation'; export interface MessageOptions { 'messageSetWireFormat'?: (boolean); @@ -8,6 +11,10 @@ export interface MessageOptions { 'deprecated'?: (boolean); 'mapEntry'?: (boolean); 'uninterpretedOption'?: (_google_protobuf_UninterpretedOption)[]; + '.validate.disabled'?: (boolean); + '.udpa.annotations.versioning'?: (_udpa_annotations_VersioningAnnotation | null); + '.udpa.annotations.message_migrate'?: (_udpa_annotations_MigrateAnnotation | null); + '.xds.annotations.v3.message_status'?: (_xds_annotations_v3_MessageStatusAnnotation | null); } export interface MessageOptions__Output { @@ -16,4 +23,8 @@ export interface MessageOptions__Output { 'deprecated': (boolean); 'mapEntry': (boolean); 'uninterpretedOption': (_google_protobuf_UninterpretedOption__Output)[]; + '.validate.disabled': (boolean); + '.udpa.annotations.versioning': (_udpa_annotations_VersioningAnnotation__Output | null); + '.udpa.annotations.message_migrate': (_udpa_annotations_MigrateAnnotation__Output | null); + '.xds.annotations.v3.message_status': (_xds_annotations_v3_MessageStatusAnnotation__Output | null); } 
diff --git a/packages/grpc-js-xds/src/generated/google/protobuf/OneofOptions.ts b/packages/grpc-js-xds/src/generated/google/protobuf/OneofOptions.ts index d81d34797..b54ecb0b1 100644 --- a/packages/grpc-js-xds/src/generated/google/protobuf/OneofOptions.ts +++ b/packages/grpc-js-xds/src/generated/google/protobuf/OneofOptions.ts @@ -4,8 +4,10 @@ import type { UninterpretedOption as _google_protobuf_UninterpretedOption, Unint export interface OneofOptions { 'uninterpretedOption'?: (_google_protobuf_UninterpretedOption)[]; + '.validate.required'?: (boolean); } export interface OneofOptions__Output { 'uninterpretedOption': (_google_protobuf_UninterpretedOption__Output)[]; + '.validate.required': (boolean); } diff --git a/packages/grpc-js-xds/src/generated/http_connection_manager.ts b/packages/grpc-js-xds/src/generated/http_connection_manager.ts index 7443718c6..72fb250c2 100644 --- a/packages/grpc-js-xds/src/generated/http_connection_manager.ts +++ b/packages/grpc-js-xds/src/generated/http_connection_manager.ts @@ -62,6 +62,9 @@ export interface ProtoGrpcType { HttpUri: MessageTypeDefinition JsonFormatOptions: MessageTypeDefinition KeepaliveSettings: MessageTypeDefinition + KeyValue: MessageTypeDefinition + KeyValueAppend: MessageTypeDefinition + KeyValueMutation: MessageTypeDefinition Locality: MessageTypeDefinition Metadata: MessageTypeDefinition Node: MessageTypeDefinition diff --git a/packages/grpc-js-xds/src/generated/listener.ts b/packages/grpc-js-xds/src/generated/listener.ts index bd921d27d..2ba94e54e 100644 --- a/packages/grpc-js-xds/src/generated/listener.ts +++ b/packages/grpc-js-xds/src/generated/listener.ts 
@@ -61,6 +61,9 @@ export interface ProtoGrpcType { HttpProtocolOptions: MessageTypeDefinition HttpUri: MessageTypeDefinition KeepaliveSettings: MessageTypeDefinition + KeyValue: MessageTypeDefinition + KeyValueAppend: MessageTypeDefinition + KeyValueMutation: MessageTypeDefinition Locality: MessageTypeDefinition Metadata: MessageTypeDefinition Node: MessageTypeDefinition diff --git a/packages/grpc-js-xds/src/generated/lrs.ts b/packages/grpc-js-xds/src/generated/lrs.ts index 57e1bc16b..e072375a1 100644 --- a/packages/grpc-js-xds/src/generated/lrs.ts +++ b/packages/grpc-js-xds/src/generated/lrs.ts @@ -29,6 +29,9 @@ export interface ProtoGrpcType { HeaderValue: MessageTypeDefinition HeaderValueOption: MessageTypeDefinition HttpUri: MessageTypeDefinition + KeyValue: MessageTypeDefinition + KeyValueAppend: MessageTypeDefinition + KeyValueMutation: MessageTypeDefinition Locality: MessageTypeDefinition Metadata: MessageTypeDefinition Node: MessageTypeDefinition @@ -57,6 +60,7 @@ export interface ProtoGrpcType { v3: { ClusterStats: MessageTypeDefinition EndpointLoadMetricStats: MessageTypeDefinition + UnnamedEndpointLoadMetricStats: MessageTypeDefinition UpstreamEndpointStats: MessageTypeDefinition UpstreamLocalityStats: MessageTypeDefinition } diff --git a/packages/grpc-js-xds/src/generated/ring_hash.ts b/packages/grpc-js-xds/src/generated/ring_hash.ts index 57f3d9df2..e7e90b4ca 100644 --- a/packages/grpc-js-xds/src/generated/ring_hash.ts +++ b/packages/grpc-js-xds/src/generated/ring_hash.ts @@ -28,6 +28,9 @@ export interface ProtoGrpcType { HeaderValue: MessageTypeDefinition HeaderValueOption: MessageTypeDefinition HttpUri: MessageTypeDefinition + KeyValue: MessageTypeDefinition + KeyValueAppend: MessageTypeDefinition + KeyValueMutation: MessageTypeDefinition Locality: MessageTypeDefinition Metadata: MessageTypeDefinition Node: MessageTypeDefinition 
diff --git a/packages/grpc-js-xds/src/generated/route.ts b/packages/grpc-js-xds/src/generated/route.ts index e8953933f..19b1c0d2c 100644 --- a/packages/grpc-js-xds/src/generated/route.ts +++ b/packages/grpc-js-xds/src/generated/route.ts @@ -34,6 +34,9 @@ export interface ProtoGrpcType { HeaderValue: MessageTypeDefinition HeaderValueOption: MessageTypeDefinition HttpUri: MessageTypeDefinition + KeyValue: MessageTypeDefinition + KeyValueAppend: MessageTypeDefinition + KeyValueMutation: MessageTypeDefinition Locality: MessageTypeDefinition Metadata: MessageTypeDefinition Node: MessageTypeDefinition diff --git a/packages/grpc-js-xds/src/generated/tls.ts b/packages/grpc-js-xds/src/generated/tls.ts new file mode 100644 index 000000000..7ee8dabf4 --- /dev/null +++ b/packages/grpc-js-xds/src/generated/tls.ts 
@@ -0,0 +1,202 @@ +import type * as grpc from '@grpc/grpc-js'; +import type { EnumTypeDefinition, MessageTypeDefinition } from '@grpc/proto-loader'; + + +type SubtypeConstructor any, Subtype> = { + new(...args: ConstructorParameters): Subtype; +}; + +export interface ProtoGrpcType { + envoy: { + annotations: { + } + config: { + core: { + v3: { + Address: MessageTypeDefinition + AggregatedConfigSource: MessageTypeDefinition + ApiConfigSource: MessageTypeDefinition + ApiVersion: EnumTypeDefinition + AsyncDataSource: MessageTypeDefinition + BackoffStrategy: MessageTypeDefinition + BindConfig: MessageTypeDefinition + BuildVersion: MessageTypeDefinition + CidrRange: MessageTypeDefinition + ConfigSource: MessageTypeDefinition + ControlPlane: MessageTypeDefinition + DataSource: MessageTypeDefinition + EnvoyInternalAddress: MessageTypeDefinition + Extension: MessageTypeDefinition + ExtensionConfigSource: MessageTypeDefinition + ExtraSourceAddress: MessageTypeDefinition + GrpcService: MessageTypeDefinition + HeaderMap: MessageTypeDefinition + HeaderValue: MessageTypeDefinition + HeaderValueOption: MessageTypeDefinition + HttpUri: MessageTypeDefinition + KeyValue: MessageTypeDefinition + KeyValueAppend: MessageTypeDefinition + KeyValueMutation: MessageTypeDefinition + Locality: MessageTypeDefinition + Metadata: MessageTypeDefinition + Node: MessageTypeDefinition + PathConfigSource: MessageTypeDefinition + Pipe: MessageTypeDefinition + QueryParameter: MessageTypeDefinition + RateLimitSettings: MessageTypeDefinition + RemoteDataSource: MessageTypeDefinition + RequestMethod: EnumTypeDefinition + RetryPolicy: MessageTypeDefinition + RoutingPriority: EnumTypeDefinition + RuntimeDouble: MessageTypeDefinition + RuntimeFeatureFlag: MessageTypeDefinition + RuntimeFractionalPercent: MessageTypeDefinition + RuntimePercent: MessageTypeDefinition + RuntimeUInt32: MessageTypeDefinition + SelfConfigSource: MessageTypeDefinition + SocketAddress: MessageTypeDefinition + SocketOption: 
MessageTypeDefinition + SocketOptionsOverride: MessageTypeDefinition + TcpKeepalive: MessageTypeDefinition + TrafficDirection: EnumTypeDefinition + TransportSocket: MessageTypeDefinition + TypedExtensionConfig: MessageTypeDefinition + WatchedDirectory: MessageTypeDefinition + } + } + } + extensions: { + transport_sockets: { + tls: { + v3: { + CertificateProviderPluginInstance: MessageTypeDefinition + CertificateValidationContext: MessageTypeDefinition + CommonTlsContext: MessageTypeDefinition + DownstreamTlsContext: MessageTypeDefinition + GenericSecret: MessageTypeDefinition + PrivateKeyProvider: MessageTypeDefinition + SdsSecretConfig: MessageTypeDefinition + Secret: MessageTypeDefinition + SubjectAltNameMatcher: MessageTypeDefinition + TlsCertificate: MessageTypeDefinition + TlsKeyLog: MessageTypeDefinition + TlsParameters: MessageTypeDefinition + TlsSessionTicketKeys: MessageTypeDefinition + UpstreamTlsContext: MessageTypeDefinition + } + } + } + } + type: { + matcher: { + v3: { + ListStringMatcher: MessageTypeDefinition + RegexMatchAndSubstitute: MessageTypeDefinition + RegexMatcher: MessageTypeDefinition + StringMatcher: MessageTypeDefinition + } + } + v3: { + FractionalPercent: MessageTypeDefinition + Percent: MessageTypeDefinition + SemanticVersion: MessageTypeDefinition + } + } + } + google: { + protobuf: { + Any: MessageTypeDefinition + BoolValue: MessageTypeDefinition + BytesValue: MessageTypeDefinition + DescriptorProto: MessageTypeDefinition + DoubleValue: MessageTypeDefinition + Duration: MessageTypeDefinition + Empty: MessageTypeDefinition + EnumDescriptorProto: MessageTypeDefinition + EnumOptions: MessageTypeDefinition + EnumValueDescriptorProto: MessageTypeDefinition + EnumValueOptions: MessageTypeDefinition + FieldDescriptorProto: MessageTypeDefinition + FieldOptions: MessageTypeDefinition + FileDescriptorProto: MessageTypeDefinition + FileDescriptorSet: MessageTypeDefinition + FileOptions: MessageTypeDefinition + FloatValue: MessageTypeDefinition 
+ GeneratedCodeInfo: MessageTypeDefinition + Int32Value: MessageTypeDefinition + Int64Value: MessageTypeDefinition + ListValue: MessageTypeDefinition + MessageOptions: MessageTypeDefinition + MethodDescriptorProto: MessageTypeDefinition + MethodOptions: MessageTypeDefinition + NullValue: EnumTypeDefinition + OneofDescriptorProto: MessageTypeDefinition + OneofOptions: MessageTypeDefinition + ServiceDescriptorProto: MessageTypeDefinition + ServiceOptions: MessageTypeDefinition + SourceCodeInfo: MessageTypeDefinition + StringValue: MessageTypeDefinition + Struct: MessageTypeDefinition + Timestamp: MessageTypeDefinition + UInt32Value: MessageTypeDefinition + UInt64Value: MessageTypeDefinition + UninterpretedOption: MessageTypeDefinition + Value: MessageTypeDefinition + } + } + udpa: { + annotations: { + FieldMigrateAnnotation: MessageTypeDefinition + FileMigrateAnnotation: MessageTypeDefinition + MigrateAnnotation: MessageTypeDefinition + PackageVersionStatus: EnumTypeDefinition + StatusAnnotation: MessageTypeDefinition + VersioningAnnotation: MessageTypeDefinition + } + } + validate: { + AnyRules: MessageTypeDefinition + BoolRules: MessageTypeDefinition + BytesRules: MessageTypeDefinition + DoubleRules: MessageTypeDefinition + DurationRules: MessageTypeDefinition + EnumRules: MessageTypeDefinition + FieldRules: MessageTypeDefinition + Fixed32Rules: MessageTypeDefinition + Fixed64Rules: MessageTypeDefinition + FloatRules: MessageTypeDefinition + Int32Rules: MessageTypeDefinition + Int64Rules: MessageTypeDefinition + KnownRegex: EnumTypeDefinition + MapRules: MessageTypeDefinition + MessageRules: MessageTypeDefinition + RepeatedRules: MessageTypeDefinition + SFixed32Rules: MessageTypeDefinition + SFixed64Rules: MessageTypeDefinition + SInt32Rules: MessageTypeDefinition + SInt64Rules: MessageTypeDefinition + StringRules: MessageTypeDefinition + TimestampRules: MessageTypeDefinition + UInt32Rules: MessageTypeDefinition + UInt64Rules: MessageTypeDefinition + } + xds: { + 
annotations: { + v3: { + FieldStatusAnnotation: MessageTypeDefinition + FileStatusAnnotation: MessageTypeDefinition + MessageStatusAnnotation: MessageTypeDefinition + PackageVersionStatus: EnumTypeDefinition + StatusAnnotation: MessageTypeDefinition + } + } + core: { + v3: { + Authority: MessageTypeDefinition + ContextParams: MessageTypeDefinition + TypedExtensionConfig: MessageTypeDefinition + } + } + } +} + diff --git a/packages/grpc-js-xds/src/generated/wrr_locality.ts b/packages/grpc-js-xds/src/generated/wrr_locality.ts index 3c6fb49a1..54fb47322 100644 --- a/packages/grpc-js-xds/src/generated/wrr_locality.ts +++ b/packages/grpc-js-xds/src/generated/wrr_locality.ts @@ -59,11 +59,16 @@ export interface ProtoGrpcType { HttpProtocolOptions: MessageTypeDefinition HttpUri: MessageTypeDefinition KeepaliveSettings: MessageTypeDefinition + KeyValue: MessageTypeDefinition + KeyValueAppend: MessageTypeDefinition + KeyValueMutation: MessageTypeDefinition Locality: MessageTypeDefinition Metadata: MessageTypeDefinition Node: MessageTypeDefinition PathConfigSource: MessageTypeDefinition Pipe: MessageTypeDefinition + ProxyProtocolConfig: MessageTypeDefinition + ProxyProtocolPassThroughTLVs: MessageTypeDefinition QueryParameter: MessageTypeDefinition QuicKeepAliveSettings: MessageTypeDefinition QuicProtocolOptions: MessageTypeDefinition @@ -230,6 +235,7 @@ export interface ProtoGrpcType { CollectionEntry: MessageTypeDefinition ContextParams: MessageTypeDefinition ResourceLocator: MessageTypeDefinition + TypedExtensionConfig: MessageTypeDefinition } } } diff --git a/packages/grpc-js-xds/src/index.ts b/packages/grpc-js-xds/src/index.ts index 01563b7eb..73546443f 100644 --- a/packages/grpc-js-xds/src/index.ts +++ b/packages/grpc-js-xds/src/index.ts 
@@ -32,6 +32,7 @@ import * as typed_struct_lb from './lb-policy-registry/typed-struct'; import * as pick_first_lb from './lb-policy-registry/pick-first'; export { XdsServer } from './server'; +export { XdsServerCredentials } from './xds-credentials'; /** * Register the "xds:" name scheme with the @grpc/grpc-js library. diff --git a/packages/grpc-js-xds/src/resources.ts b/packages/grpc-js-xds/src/resources.ts index 4542c5fd6..244e9ec34 100644 --- a/packages/grpc-js-xds/src/resources.ts +++ b/packages/grpc-js-xds/src/resources.ts @@ -28,6 +28,7 @@ import { RouteConfiguration__Output } from './generated/envoy/config/route/v3/Ro import { ClusterConfig__Output } from './generated/envoy/extensions/clusters/aggregate/v3/ClusterConfig'; import { HttpConnectionManager__Output } from './generated/envoy/extensions/filters/network/http_connection_manager/v3/HttpConnectionManager'; import { EXPERIMENTAL_FEDERATION } from './environment'; +import { DownstreamTlsContext__Output } from './generated/envoy/extensions/transport_sockets/tls/v3/DownstreamTlsContext'; export const EDS_TYPE_URL = 'type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment'; export const CDS_TYPE_URL = 'type.googleapis.com/envoy.config.cluster.v3.Cluster'; @@ -50,10 +51,14 @@ export const CLUSTER_CONFIG_TYPE_URL = 'type.googleapis.com/envoy.extensions.clu export type ClusterConfigTypeUrl = 'type.googleapis.com/envoy.extensions.clusters.aggregate.v3.ClusterConfig'; +export const DOWNSTREAM_TLS_CONTEXT_TYPE_URL = 'type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext'; + +export type DownstreamTlsContextTypeUrl = 'type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext'; + /** * Map type URLs to their corresponding message types */ -export type AdsOutputType = T extends EdsTypeUrl +export type AdsOutputType = T extends EdsTypeUrl ? ClusterLoadAssignment__Output : T extends CdsTypeUrl ? Cluster__Output 
@@ -63,17 +68,20 @@ export type AdsOutputType(targetTypeUrl: T, message: Buffer): AdsOutputType { +export function decodeSingleResource(targetTypeUrl: T, message: Buffer): AdsOutputType { const name = targetTypeUrl.substring(targetTypeUrl.lastIndexOf('/') + 1); const type = resourceRoot.lookup(name); if (type) { diff --git a/packages/grpc-js-xds/src/route.ts b/packages/grpc-js-xds/src/route.ts index c94822b2a..38d23632b 100644 --- a/packages/grpc-js-xds/src/route.ts +++ b/packages/grpc-js-xds/src/route.ts @@ -60,6 +60,8 @@ function getPredicateForHeaderMatcher(headerMatch: HeaderMatcher__Output): Match case 'contains': valueChecker = new ContainsValueMatcher(stringMatch.contains!, stringMatch.ignore_case); break; + default: + valueChecker = new RejectValueMatcher(); } break; default: diff --git a/packages/grpc-js-xds/src/server-listener.ts b/packages/grpc-js-xds/src/server-listener.ts index eac92df52..0a0e3ac14 100644 --- a/packages/grpc-js-xds/src/server-listener.ts +++ b/packages/grpc-js-xds/src/server-listener.ts @@ -18,6 +18,7 @@ import { Listener__Output } from "./generated/envoy/config/listener/v3/Listener" import { FilterChain__Output } from "./generated/envoy/config/listener/v3/FilterChain"; import { UInt32Value__Output } from "./generated/google/protobuf/UInt32Value"; import { CidrRange__Output } from "./generated/envoy/config/core/v3/CidrRange"; +import { decodeSingleResource, DOWNSTREAM_TLS_CONTEXT_TYPE_URL } from "./resources"; function nullableValueEquals(first: T | null, second: T | null, valueEquals: (a: T, b: T) => boolean): boolean { if (first === null && second === null) { 
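Review bot: The new `default` branch in getPredicateForHeaderMatcher fails closed on an unrecognised string-matcher variant, which is the safe choice, but it does so silently, so a route whose header matcher uses a `match_pattern` this client does not know will simply never match and nothing records why. A one-line comment above the assignment, `// Unknown match_pattern variant (newer proto than this client handles): never match rather than match everything.`, states the intent, and a trace call there would make the rejection diagnosable if route.ts has a tracer in scope (none is visible in this hunk). getPredicateForHeaderMatcher starts and ends outside this hunk.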
@@ -109,6 +110,38 @@ function filterChainsEquivalent(first: FilterChain__Output, second: FilterChain_
 return false;
 }
 }
+ if ((first.transport_socket === null) !== (second.transport_socket !== null)) {
+ return false;
+ }
+ if (first.transport_socket) {
+ const firstTlsContext = decodeSingleResource(DOWNSTREAM_TLS_CONTEXT_TYPE_URL, first.transport_socket.typed_config!.value);
+ const secondTlsContext = decodeSingleResource(DOWNSTREAM_TLS_CONTEXT_TYPE_URL, second.transport_socket!.typed_config!.value);
+ const firstCommonContext = firstTlsContext.common_tls_context!;
+ const secondCommonContext = secondTlsContext.common_tls_context!;
+ if (firstCommonContext.tls_certificate_provider_instance?.instance_name !== secondCommonContext.tls_certificate_provider_instance?.instance_name) {
+ return false;
+ }
+ if (firstCommonContext.validation_context_type !== secondCommonContext.validation_context_type) {
+ return false;
+ }
+ switch (firstCommonContext.validation_context_type) {
+ case 'validation_context':
+ if (firstCommonContext.validation_context?.ca_certificate_provider_instance?.instance_name !== secondCommonContext.validation_context?.ca_certificate_provider_instance?.instance_name) {
+ return false;
+ }
+ break;
+ case 'combined_validation_context':
+ if (firstCommonContext.combined_validation_context?.default_validation_context?.ca_certificate_provider_instance?.instance_name !== secondCommonContext.validation_context?.ca_certificate_provider_instance?.instance_name) {
+ return false;
+ }
+ break;
+ default:
+ return false;
+ }
+ if (firstTlsContext.require_client_certificate?.value !== secondTlsContext.require_client_certificate?.value) {
+ return false;
+ }
+ }
 return true;
 }
 /**
diff --git a/packages/grpc-js-xds/src/server.ts b/packages/grpc-js-xds/src/server.ts
index 7c04122eb..d3c42eeea 100644
--- a/packages/grpc-js-xds/src/server.ts
+++ b/packages/grpc-js-xds/src/server.ts
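Review bot: The transport_socket presence check on the first added line is inverted: `(first.transport_socket === null) !== (second.transport_socket !== null)` is true exactly when both chains agree (both null or both set), so two filter chains that both carry a TLS context are reported as not equivalent and never reach the comparison below it, while a chain with a TLS context compared against one without falls through to `return true`. It should read `if ((first.transport_socket === null) !== (second.transport_socket === null)) {`. In the `combined_validation_context` case the right-hand operand reads `secondCommonContext.validation_context?.…`, a field the second chain does not use once validation_context_type has been checked equal; it should be `secondCommonContext.combined_validation_context?.default_validation_context?.ca_certificate_provider_instance?.instance_name`. Both mistakes make listener updates either spuriously restart or silently keep the old TLS configuration, so a unit test pairing equal and unequal TLS contexts would pin them. filterChainsEquivalent starts outside this hunk.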
@@ -15,7 +15,7 @@ */ import { ConnectionInjector, Metadata, Server, ServerCredentials, ServerInterceptingCall, ServerInterceptor, ServerOptions, StatusObject, experimental, logVerbosity, status } from "@grpc/grpc-js"; -import { BootstrapInfo, formatTemplateString, loadBootstrapInfo, validateBootstrapConfig } from "./xds-bootstrap"; +import { BootstrapInfo, formatTemplateString, loadBootstrapInfo, validateBootstrapConfig, XdsServerConfig } from "./xds-bootstrap"; import * as net from "net"; import HostPort = experimental.HostPort; import splitHostPort = experimental.splitHostPort; @@ -29,12 +29,14 @@ import { FilterChainMatch__Output, _envoy_config_listener_v3_FilterChainMatch_Co import { CidrRange, cidrRangeEqual, cidrRangeMessageToCidrRange, inCidrRange, normalizeCidrRange } from "./cidr"; import { Matcher } from "./matcher"; import { listenersEquivalent } from "./server-listener"; -import { HTTP_CONNECTION_MANGER_TYPE_URL, decodeSingleResource } from "./resources"; +import { DOWNSTREAM_TLS_CONTEXT_TYPE_URL, HTTP_CONNECTION_MANGER_TYPE_URL, decodeSingleResource } from "./resources"; import { FilterChain__Output } from "./generated/envoy/config/listener/v3/FilterChain"; import { getPredicateForMatcher } from "./route"; import { crossProduct } from "./cross-product"; import { findVirtualHostForDomain } from "./resolver-xds"; import { LogVerbosity } from "@grpc/grpc-js/build/src/constants"; +import { XdsServerCredentials } from "./xds-credentials"; +import { CertificateValidationContext__Output } from "./generated/envoy/extensions/transport_sockets/tls/v3/CertificateValidationContext"; const TRACER_NAME = 'xds_server'; 
@@ -155,6 +157,37 @@ class FilterChainEntry {
 }
 });
 }
+ if (credentials instanceof XdsServerCredentials) {
+ if (filterChain.transport_socket) {
+ const downstreamTlsContext = decodeSingleResource(DOWNSTREAM_TLS_CONTEXT_TYPE_URL, filterChain.transport_socket.typed_config!.value);
+ const commonTlsContext = downstreamTlsContext.common_tls_context!;
+ const instanceCertificateProvider = configParameters.xdsClient.getCertificateProvider(commonTlsContext.tls_certificate_provider_instance!.instance_name);
+ if (!instanceCertificateProvider) {
+ throw new Error(`Invalid TLS context detected: unrecognized certificate instance name: ${commonTlsContext.tls_certificate_provider_instance!.instance_name}`);
+ }
+ let validationContext: CertificateValidationContext__Output | null;
+ switch (commonTlsContext?.validation_context_type) {
+ case 'validation_context':
+ validationContext = commonTlsContext.validation_context!;
+ break;
+ case 'combined_validation_context':
+ validationContext = commonTlsContext.combined_validation_context!.default_validation_context;
+ break;
+ default:
+ throw new Error(`Invalid TLS context detected: invalid validation_context_type: ${commonTlsContext.validation_context_type}`);
+ }
+ let caCertificateProvider: experimental.CertificateProvider | null = null;
+ if (validationContext?.ca_certificate_provider_instance) {
+ caCertificateProvider = configParameters.xdsClient.getCertificateProvider(validationContext.ca_certificate_provider_instance.instance_name) ?? null;
+ if (!caCertificateProvider) {
+ throw new Error(`Invalid TLS context detected: unrecognized certificate instance name: ${validationContext.ca_certificate_provider_instance.instance_name}`);
+ }
+ }
+ credentials = experimental.createCertificateProviderServerCredentials(instanceCertificateProvider, caCertificateProvider, downstreamTlsContext.require_client_certificate?.value ?? false);
+ } else {
+ credentials = credentials.getFallbackCredentials();
+ }
+ }
 const interceptingCredentials = createServerCredentialsWithInterceptors(credentials, [interceptor]);
 this.connectionInjector = configParameters.createConnectionInjector(interceptingCredentials);
 }
diff --git a/packages/grpc-js-xds/src/xds-bootstrap.ts b/packages/grpc-js-xds/src/xds-bootstrap.ts
index 7f217a239..c25c903e1 100644
--- a/packages/grpc-js-xds/src/xds-bootstrap.ts
+++ b/packages/grpc-js-xds/src/xds-bootstrap.ts
@@ -345,7 +345,7 @@ function validateFileWatcherPluginConfig(obj: any, instanceName: string): FileWa
 return {
 certificateFile: obj.certificate_file,
 privateKeyFile: obj.private_key_file,
- caCertificateFile: obj.caCertificateFile,
+ caCertificateFile: obj.ca_certificate_file,
 refreshIntervalMs: durationToMs(refreshDuration)
 };
 }
diff --git a/packages/grpc-js-xds/src/xds-client.ts b/packages/grpc-js-xds/src/xds-client.ts
index f3df183ff..2caf34e22 100644
--- a/packages/grpc-js-xds/src/xds-client.ts
+++ b/packages/grpc-js-xds/src/xds-client.ts
@@ -205,7 +205,8 @@ class AdsResponseParser {
 return;
 }
 const decodeContext: XdsDecodeContext = {
- server: this.adsCallState.client.xdsServerConfig
+ server: this.adsCallState.client.xdsServerConfig,
+ bootstrap: this.adsCallState.client.xdsClient.getBootstrapInfo()
 };
 let decodeResult: XdsDecodeResult;
 try {
@@ -1140,7 +1141,7 @@ export class XdsClient {
 registerXdsClientWithCsds(this);
 }
- private getBootstrapInfo() {
+ getBootstrapInfo() {
 if (!this.bootstrapInfo) {
 this.bootstrapInfo = loadBootstrapInfo();
 }
diff --git a/packages/grpc-js-xds/src/xds-credentials.ts b/packages/grpc-js-xds/src/xds-credentials.ts
new file mode 100644
index 000000000..4b60b2f50
--- /dev/null
+++ b/packages/grpc-js-xds/src/xds-credentials.ts
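Review bot: When `require_client_certificate` is true but the chosen validation context has no `ca_certificate_provider_instance`, `caCertificateProvider` stays `null` and the final call hands `createCertificateProviderServerCredentials` the combination (provider, null, true); whether that helper rejects it is not visible here, and the listener validation in listener-resource-type.ts only checks that some validation context exists, so an explicit `throw new Error('Invalid TLS context detected: require_client_certificate set without a CA certificate provider');` before the call would keep the failure at configuration time instead of at the first handshake. `switch (commonTlsContext?.validation_context_type)` optional-chains a value the previous line already non-null-asserted via `common_tls_context!`; one of the two should go. The `typed_config!` and `tls_certificate_provider_instance!` assertions hold only because validateFilterChain rejected listeners lacking those fields before they reach this class, and a comment saying so would stop the next reader from removing that validation: `// Non-null assertions here rely on validateFilterChain (listener-resource-type.ts) having rejected chains without these fields.` The enclosing FilterChainEntry constructor starts outside this hunk, so whether these throws are caught by the caller cannot be seen here.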
@@ -0,0 +1,34 @@
+/*
+ * Copyright 2024 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+import { ServerCredentials } from "@grpc/grpc-js";
+
+export class XdsServerCredentials extends ServerCredentials {
+ constructor(private fallbackCredentials: ServerCredentials) {
+ super();
+ }
+
+ getFallbackCredentials() {
+ return this.fallbackCredentials;
+ }
+ _isSecure(): boolean {
+ return this.fallbackCredentials._isSecure();
+ }
+ _equals(other: ServerCredentials): boolean {
+ return (other instanceof XdsServerCredentials) && this.fallbackCredentials._equals(other.fallbackCredentials);
+ }
+}
diff --git a/packages/grpc-js-xds/src/xds-resource-type/listener-resource-type.ts b/packages/grpc-js-xds/src/xds-resource-type/listener-resource-type.ts
index fd800d253..8dacbae99 100644
--- a/packages/grpc-js-xds/src/xds-resource-type/listener-resource-type.ts
+++ b/packages/grpc-js-xds/src/xds-resource-type/listener-resource-type.ts
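Review bot: The exported XdsServerCredentials class is undocumented, and `fallbackCredentials` is never reassigned, so `constructor(private readonly fallbackCredentials: ServerCredentials)` states the intent. A TSDoc block on the class should explain that an XdsServer given these credentials takes its TLS configuration from the listener's transport_socket and uses the wrapped credentials only for filter chains that carry none (that is what server.ts does with `getFallbackCredentials()` in this same change), and that `_isSecure`/`_equals` delegate, so two instances compare equal iff their fallbacks do. A `getFallbackCredentials(): ServerCredentials` return annotation would match the explicit `boolean` on the two sibling methods.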
@@ -19,7 +19,7 @@ import { logVerbosity, experimental } from "@grpc/grpc-js"; import { EXPERIMENTAL_FAULT_INJECTION } from "../environment"; import { Listener__Output } from "../generated/envoy/config/listener/v3/Listener"; import { Any__Output } from "../generated/google/protobuf/Any"; -import { HTTP_CONNECTION_MANGER_TYPE_URL, LDS_TYPE_URL, decodeSingleResource } from "../resources"; +import { DOWNSTREAM_TLS_CONTEXT_TYPE_URL, HTTP_CONNECTION_MANGER_TYPE_URL, LDS_TYPE_URL, decodeSingleResource } from "../resources"; import { XdsDecodeContext, XdsDecodeResult, XdsResourceType } from "./xds-resource-type"; import { getTopLevelFilterUrl, validateTopLevelFilter } from "../http-filter"; import { RouteConfigurationResourceType } from "./route-config-resource-type"; @@ -29,6 +29,7 @@ import { FilterChainMatch__Output, _envoy_config_listener_v3_FilterChainMatch_Co import { crossProduct } from "../cross-product"; import { FilterChain__Output } from "../generated/envoy/config/listener/v3/FilterChain"; import { HttpConnectionManager__Output } from "../generated/envoy/extensions/filters/network/http_connection_manager/v3/HttpConnectionManager"; +import { CertificateValidationContext__Output } from "../generated/envoy/extensions/transport_sockets/tls/v3/CertificateValidationContext"; const TRACER_NAME = 'xds_client'; @@ -128,7 +129,7 @@ function validateHttpConnectionManager(httpConnectionManager: HttpConnectionMana return true; } -function validateFilterChain(filterChain: FilterChain__Output): boolean { +function validateFilterChain(context: XdsDecodeContext, filterChain: FilterChain__Output): boolean { if (filterChain.filters.length !== 1) { return false; } 
@@ -139,6 +140,81 @@ function validateFilterChain(filterChain: FilterChain__Output): boolean {
 if (!validateHttpConnectionManager(httpConnectionManager)) {
 return false;
 }
+ if (filterChain.transport_socket) {
+ const transportSocket = filterChain.transport_socket;
+ if (transportSocket.name !== 'envoy.transport_sockets.tls') {
+ trace('Wrong transportSocket.name');
+ return false;
+ }
+ if (!transportSocket.typed_config) {
+ trace('No typed_config');
+ return false;
+ }
+ if (transportSocket.typed_config?.type_url !== DOWNSTREAM_TLS_CONTEXT_TYPE_URL) {
+ trace(`Wrong typed_config type_url: ${transportSocket.typed_config?.type_url}`);
+ return false;
+ }
+ const downstreamTlsContext = decodeSingleResource(DOWNSTREAM_TLS_CONTEXT_TYPE_URL, transportSocket.typed_config.value);
+ if (!downstreamTlsContext.common_tls_context) {
+ trace('No common_tls_context');
+ return false;
+ }
+ const commonTlsContext = downstreamTlsContext.common_tls_context;
+ if (!commonTlsContext.tls_certificate_provider_instance) {
+ trace('No tls_certificate_provider_instance');
+ return false;
+ }
+ if (!(commonTlsContext.tls_certificate_provider_instance.instance_name in context.bootstrap.certificateProviders)) {
+ trace('Unmatched tls_certificate_provider_instance instance_name');
+ return false;
+ }
+ let validationContext: CertificateValidationContext__Output | null;
+ switch (commonTlsContext.validation_context_type) {
+ case 'validation_context_sds_secret_config':
+ trace('Unexpected validation_context_sds_secret_config')
+ return false;
+ case 'validation_context':
+ if (!commonTlsContext.validation_context) {
+ trace('Missing validation_context');
+ return false;
+ }
+ validationContext = commonTlsContext.validation_context;
+ break;
+ case 'combined_validation_context':
+ if (!commonTlsContext.combined_validation_context) {
+ trace('Missing combined_validation_context')
+ return false;
+ }
+ validationContext = commonTlsContext.combined_validation_context.default_validation_context;
+ break;
+ default:
+ return false;
+ }
+ if (validationContext?.ca_certificate_provider_instance && !(validationContext.ca_certificate_provider_instance.instance_name in context.bootstrap.certificateProviders)) {
+ trace('Unmatched validationContext instance_name');
+ return false;
+ }
+ if (downstreamTlsContext.require_client_certificate && !validationContext) {
+ trace('require_client_certificate set without validationContext');
+ return false;
+ }
+ if (commonTlsContext.tls_params) {
+ trace('tls_params set');
+ return false;
+ }
+ if (commonTlsContext.custom_handshaker) {
+ trace('custom_handshaker set');
+ return false;
+ }
+ if (downstreamTlsContext.require_sni?.value) {
+ trace('require_sni set');
+ return false;
+ }
+ if (downstreamTlsContext.ocsp_staple_policy !== 'LENIENT_STAPLING') {
+ trace('Unexpected ocsp_staple_policy');
+ return false;
+ }
+ }
 return true;
 }
@@ -155,7 +231,7 @@ export class ListenerResourceType extends XdsResourceType {
 return 'envoy.config.listener.v3.Listener';
 }
- private validateResource(message: Listener__Output): Listener__Output | null {
+ private validateResource(context: XdsDecodeContext, message: Listener__Output): Listener__Output | null {
 if (
 !(
 message.api_listener?.api_listener &&
@@ -185,11 +261,11 @@ export class ListenerResourceType extends XdsResourceType {
 seenMatches.push(match);
 }
 }
- if (!validateFilterChain(filterChain)) {
+ if (!validateFilterChain(context, filterChain)) {
 return null;
 }
 }
- if (message.default_filter_chain && !validateFilterChain(message.default_filter_chain)) {
+ if (message.default_filter_chain && !validateFilterChain(context, message.default_filter_chain)) {
 return null;
 }
 return message;
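Review bot: The guard `if (downstreamTlsContext.require_client_certificate && !validationContext)` tests the BoolValue wrapper object rather than its `.value` (the rest of this change reads `require_client_certificate?.value`), and it only asks for some validation context rather than a CA provider, so a `{value: false}` wrapper counts as "required" and a context without `ca_certificate_provider_instance` is accepted even though the server would then have nothing to verify client certificates against. As I read gRFC A29 a CA provider is mandatory whenever client certificates are required, so the line should become `if (downstreamTlsContext.require_client_certificate?.value && !validationContext?.ca_certificate_provider_instance) {` with the trace message adjusted to match. The two `instance_name in context.bootstrap.certificateProviders` checks accept inherited keys if certificateProviders is a plain object (the `in` test suggests it is), so an instance_name such as `constructor` would pass validation and only fail later in server.ts; `Object.hasOwn(context.bootstrap.certificateProviders, name)` (or a Map) is the tighter check. Minor: `default: return false;` is the one branch that rejects without a `trace(...)`, and the two `trace('Unexpected validation_context_sds_secret_config')` / `trace('Missing combined_validation_context')` calls lack semicolons. validateFilterChain's signature is in the preceding hunk, outside this one.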
@@ -203,7 +279,7 @@ export class ListenerResourceType extends XdsResourceType { } const message = decodeSingleResource(LDS_TYPE_URL, resource.value); trace('Decoded raw resource of type ' + LDS_TYPE_URL + ': ' + JSON.stringify(message, (key, value) => (value && value.type === 'Buffer' && Array.isArray(value.data)) ? (value.data as Number[]).map(n => n.toString(16)).join('') : value, 2)); - const validatedMessage = this.validateResource(message); + const validatedMessage = this.validateResource(context, message); if (validatedMessage) { return { name: validatedMessage.name, diff --git a/packages/grpc-js-xds/src/xds-resource-type/xds-resource-type.ts b/packages/grpc-js-xds/src/xds-resource-type/xds-resource-type.ts index 8c2dc5e4a..a0b53c3a7 100644 --- a/packages/grpc-js-xds/src/xds-resource-type/xds-resource-type.ts +++ b/packages/grpc-js-xds/src/xds-resource-type/xds-resource-type.ts @@ -16,10 +16,11 @@ */ import { Any__Output } from "../generated/google/protobuf/Any"; -import { XdsServerConfig } from "../xds-bootstrap"; +import { BootstrapInfo, XdsServerConfig } from "../xds-bootstrap"; export interface XdsDecodeContext { server: XdsServerConfig; + bootstrap: BootstrapInfo; } export interface XdsDecodeResult { diff --git a/packages/grpc-js-xds/test/backend.ts b/packages/grpc-js-xds/test/backend.ts index 60957e523..353385fb3 100644 --- a/packages/grpc-js-xds/test/backend.ts +++ b/packages/grpc-js-xds/test/backend.ts @@ -25,6 +25,7 @@ import * as net from 'net'; import { XdsServer } from "../src"; import { ControlPlaneServer } from "./xds-server"; import { findFreePorts } from 'find-free-ports'; +import { XdsServerCredentials } from "../src/xds-credentials"; const loadedProtos = loadPackageDefinition(loadSync( [ 
@@ -49,7 +50,7 @@ export class Backend { private server: Server | null = null; private receivedCallCount = 0; private callListeners: (() => void)[] = []; - constructor(private port: number, private useXdsServer: boolean, private serverOptions?: ServerOptions) { + constructor(private port: number, private useXdsServer: boolean, private creds?: ServerCredentials | undefined, private serverOptions?: ServerOptions) { } Echo(call: ServerUnaryCall, callback: sendUnaryData) { // call.request.params is currently ignored @@ -89,7 +90,8 @@ export class Backend { } const server = this.server; server.addService(loadedProtos.grpc.testing.EchoTestService.service, this as unknown as UntypedServiceImplementation); - server.bindAsync(`[::1]:${this.port}`, ServerCredentials.createInsecure(), (error, port) => { + const credentials = this.creds ?? ServerCredentials.createInsecure(); + server.bindAsync(`[::1]:${this.port}`, credentials, (error, port) => { if (!error) { this.port = port; } @@ -145,7 +147,7 @@ export class Backend { } } -export async function createBackends(count: number, useXdsServer?: boolean, serverOptions?: ServerOptions): Promise { +export async function createBackends(count: number, useXdsServer?: boolean, creds?: ServerCredentials | undefined, serverOptions?: ServerOptions): Promise { const ports = await findFreePorts(count); - return ports.map(port => new Backend(port, useXdsServer ?? true, serverOptions)); + return ports.map(port => new Backend(port, useXdsServer ?? true, creds, serverOptions)); } diff --git a/packages/grpc-js-xds/test/client.ts b/packages/grpc-js-xds/test/client.ts index a09056c96..731ef0541 100644 --- a/packages/grpc-js-xds/test/client.ts +++ b/packages/grpc-js-xds/test/client.ts 
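Review bot: Inserting `creds` before `serverOptions` in the Backend constructor and in createBackends changes the meaning of an existing optional positional slot: a caller still passing a ServerOptions object there now has it taken as `creds`, and `this.creds ?? ServerCredentials.createInsecure()` would hand that object to bindAsync as credentials (no such caller is visible in this chunk, so whether one exists is an open question). Appending the new parameter, or switching to an options object, avoids the silent shift; the same reordering appears in the XdsTestClient constructor and createFromServer in test/client.ts in the next section. `ServerCredentials | undefined` on an already-optional parameter is redundant; `creds?: ServerCredentials` says the same thing.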
@@ -15,7 +15,7 @@ * */ -import { ChannelOptions, credentials, loadPackageDefinition, ServiceError } from "@grpc/grpc-js"; +import { ChannelCredentials, ChannelOptions, credentials, loadPackageDefinition, ServiceError } from "@grpc/grpc-js"; import { loadSync } from "@grpc/proto-loader"; import { ProtoGrpcType } from "./generated/echo"; import { EchoTestServiceClient } from "./generated/grpc/testing/EchoTestService"; @@ -44,14 +44,14 @@ export class XdsTestClient { private client: EchoTestServiceClient; private callInterval: NodeJS.Timer; - constructor(target: string, bootstrapInfo: string, options?: ChannelOptions) { - this.client = new loadedProtos.grpc.testing.EchoTestService(target, credentials.createInsecure(), {...options, [BOOTSTRAP_CONFIG_KEY]: bootstrapInfo}); + constructor(target: string, bootstrapInfo: string, creds?: ChannelCredentials | undefined, options?: ChannelOptions) { + this.client = new loadedProtos.grpc.testing.EchoTestService(target, creds ?? credentials.createInsecure(), {...options, [BOOTSTRAP_CONFIG_KEY]: bootstrapInfo}); this.callInterval = setInterval(() => {}, 0); clearInterval(this.callInterval); } - static createFromServer(targetName: string, xdsServer: ControlPlaneServer, options?: ChannelOptions) { - return new XdsTestClient(`xds:///${targetName}`, xdsServer.getBootstrapInfoString(), options); + static createFromServer(targetName: string, xdsServer: ControlPlaneServer, creds?: ChannelCredentials | undefined, options?: ChannelOptions) { + return new XdsTestClient(`xds:///${targetName}`, xdsServer.getBootstrapInfoString(), creds, options); } startCalls(interval: number) { diff --git a/packages/grpc-js-xds/test/fixtures/ca.pem b/packages/grpc-js-xds/test/fixtures/ca.pem new file mode 100644 index 000000000..6c8511a73 --- /dev/null +++ b/packages/grpc-js-xds/test/fixtures/ca.pem 
@@ -0,0 +1,15 @@
+-----BEGIN CERTIFICATE-----
+MIICSjCCAbOgAwIBAgIJAJHGGR4dGioHMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQxDzANBgNVBAMTBnRlc3RjYTAeFw0xNDExMTEyMjMxMjla
+Fw0yNDExMDgyMjMxMjlaMFYxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0
+YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxDzANBgNVBAMT
+BnRlc3RjYTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwEDfBV5MYdlHVHJ7
++L4nxrZy7mBfAVXpOc5vMYztssUI7mL2/iYujiIXM+weZYNTEpLdjyJdu7R5gGUu
+g1jSVK/EPHfc74O7AyZU34PNIP4Sh33N+/A5YexrNgJlPY+E3GdVYi4ldWJjgkAd
+Qah2PH5ACLrIIC6tRka9hcaBlIECAwEAAaMgMB4wDAYDVR0TBAUwAwEB/zAOBgNV
+HQ8BAf8EBAMCAgQwDQYJKoZIhvcNAQELBQADgYEAHzC7jdYlzAVmddi/gdAeKPau
+sPBG/C2HCWqHzpCUHcKuvMzDVkY/MP2o6JIW2DBbY64bO/FceExhjcykgaYtCH/m
+oIU63+CFOTtR7otyQAWHqXa7q4SbCDlG7DyRFxqG0txPtGvy12lgldA2+RgcigQG
+Dfcog5wrJytaQ6UA0wE=
+-----END CERTIFICATE-----
diff --git a/packages/grpc-js-xds/test/fixtures/server1.key b/packages/grpc-js-xds/test/fixtures/server1.key
new file mode 100644
index 000000000..143a5b876
--- /dev/null
+++ b/packages/grpc-js-xds/test/fixtures/server1.key
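Review bot: The CA in this fixture carries a notAfter of 2024-11-08 if I decode the UTCTime in its base64 (`Fw0yNDExMDgyMjMxMjla`) correctly, and the server certificate in the server1.pem hunk two files down ends 2025-11-01, so the TLS tests in test-xds-credentials.ts will start failing on those dates with no code change to point at. A short README or comment in test/fixtures stating where the three files come from, their expiry, and how to regenerate them together (the server certificate must be reissued under the new CA) would make that failure self-explanatory. server1.key in the next hunk is a private key committed in-tree; it should be clearly marked as a test-only fixture so secret scanners can allow-list it and it is not mistaken for a real credential.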
@@ -0,0 +1,16 @@
+-----BEGIN PRIVATE KEY-----
+MIICdQIBADANBgkqhkiG9w0BAQEFAASCAl8wggJbAgEAAoGBAOHDFScoLCVJpYDD
+M4HYtIdV6Ake/sMNaaKdODjDMsux/4tDydlumN+fm+AjPEK5GHhGn1BgzkWF+slf
+3BxhrA/8dNsnunstVA7ZBgA/5qQxMfGAq4wHNVX77fBZOgp9VlSMVfyd9N8YwbBY
+AckOeUQadTi2X1S6OgJXgQ0m3MWhAgMBAAECgYAn7qGnM2vbjJNBm0VZCkOkTIWm
+V10okw7EPJrdL2mkre9NasghNXbE1y5zDshx5Nt3KsazKOxTT8d0Jwh/3KbaN+YY
+tTCbKGW0pXDRBhwUHRcuRzScjli8Rih5UOCiZkhefUTcRb6xIhZJuQy71tjaSy0p
+dHZRmYyBYO2YEQ8xoQJBAPrJPhMBkzmEYFtyIEqAxQ/o/A6E+E4w8i+KM7nQCK7q
+K4JXzyXVAjLfyBZWHGM2uro/fjqPggGD6QH1qXCkI4MCQQDmdKeb2TrKRh5BY1LR
+81aJGKcJ2XbcDu6wMZK4oqWbTX2KiYn9GB0woM6nSr/Y6iy1u145YzYxEV/iMwff
+DJULAkB8B2MnyzOg0pNFJqBJuH29bKCcHa8gHJzqXhNO5lAlEbMK95p/P2Wi+4Hd
+aiEIAF1BF326QJcvYKmwSmrORp85AkAlSNxRJ50OWrfMZnBgzVjDx3xG6KsFQVk2
+ol6VhqL6dFgKUORFUWBvnKSyhjJxurlPEahV6oo6+A+mPhFY8eUvAkAZQyTdupP3
+XEFQKctGz+9+gKkemDp7LBBMEMBXrGTLPhpEfcjv/7KPdnFHYmhYeBTBnuVmTVWe
+F98XJ7tIFfJq
+-----END PRIVATE KEY-----
diff --git a/packages/grpc-js-xds/test/fixtures/server1.pem b/packages/grpc-js-xds/test/fixtures/server1.pem
new file mode 100644
index 000000000..f3d43fcc5
--- /dev/null
+++ b/packages/grpc-js-xds/test/fixtures/server1.pem
@@ -0,0 +1,16 @@
+-----BEGIN CERTIFICATE-----
+MIICnDCCAgWgAwIBAgIBBzANBgkqhkiG9w0BAQsFADBWMQswCQYDVQQGEwJBVTET
+MBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQ
+dHkgTHRkMQ8wDQYDVQQDEwZ0ZXN0Y2EwHhcNMTUxMTA0MDIyMDI0WhcNMjUxMTAx
+MDIyMDI0WjBlMQswCQYDVQQGEwJVUzERMA8GA1UECBMISWxsaW5vaXMxEDAOBgNV
+BAcTB0NoaWNhZ28xFTATBgNVBAoTDEV4YW1wbGUsIENvLjEaMBgGA1UEAxQRKi50
+ZXN0Lmdvb2dsZS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOHDFSco
+LCVJpYDDM4HYtIdV6Ake/sMNaaKdODjDMsux/4tDydlumN+fm+AjPEK5GHhGn1Bg
+zkWF+slf3BxhrA/8dNsnunstVA7ZBgA/5qQxMfGAq4wHNVX77fBZOgp9VlSMVfyd
+9N8YwbBYAckOeUQadTi2X1S6OgJXgQ0m3MWhAgMBAAGjazBpMAkGA1UdEwQCMAAw
+CwYDVR0PBAQDAgXgME8GA1UdEQRIMEaCECoudGVzdC5nb29nbGUuZnKCGHdhdGVy
+em9vaS50ZXN0Lmdvb2dsZS5iZYISKi50ZXN0LnlvdXR1YmUuY29thwTAqAEDMA0G
+CSqGSIb3DQEBCwUAA4GBAJFXVifQNub1LUP4JlnX5lXNlo8FxZ2a12AFQs+bzoJ6
+hM044EDjqyxUqSbVePK0ni3w1fHQB5rY9yYC5f8G7aqqTY1QOhoUk8ZTSTRpnkTh
+y4jjdvTZeLDVBlueZUTDRmy2feY5aZIU18vFDK08dTG0A87pppuv1LNIR3loveU8
+-----END CERTIFICATE-----
diff --git a/packages/grpc-js-xds/test/test-core.ts b/packages/grpc-js-xds/test/test-core.ts
index 37337032f..45a96d683 100644
--- a/packages/grpc-js-xds/test/test-core.ts
+++ b/packages/grpc-js-xds/test/test-core.ts
@@ -84,7 +84,7 @@ describe('core xDS functionality', () => {
 const serverRoute = new FakeServerRoute(backend.getPort(), 'serverRoute');
 xdsServer.setRdsResource(serverRoute.getRouteConfiguration());
 xdsServer.setLdsResource(serverRoute.getListener());
- client = XdsTestClient.createFromServer('listener1', xdsServer, {
+ client = XdsTestClient.createFromServer('listener1', xdsServer, undefined, {
 'grpc.client_idle_timeout_ms': 1000,
 });
 client.sendOneCall(error => {
@@ -102,7 +102,7 @@ describe('core xDS functionality', () => {
 });
 it('should handle connections aging out', function(done) {
 this.timeout(5000);
- createBackends(1, true, {'grpc.max_connection_age_ms': 1000}).then(([backend]) => {
+ createBackends(1, true, undefined, {'grpc.max_connection_age_ms': 1000}).then(([backend]) => {
 const serverRoute = new FakeServerRoute(backend.getPort(), 'serverRoute');
 xdsServer.setRdsResource(serverRoute.getRouteConfiguration());
 xdsServer.setLdsResource(serverRoute.getListener());
diff --git a/packages/grpc-js-xds/test/test-xds-credentials.ts b/packages/grpc-js-xds/test/test-xds-credentials.ts
new file mode 100644
index 000000000..36ad3bb14
--- /dev/null
+++ b/packages/grpc-js-xds/test/test-xds-credentials.ts
@@ -0,0 +1,170 @@
+/*
+ * Copyright 2024 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+import * as assert from 'assert';
+import { createBackends } from './backend';
+import { FakeEdsCluster, FakeRouteGroup, FakeServerRoute } from './framework';
+import { ControlPlaneServer } from './xds-server';
+import { XdsTestClient } from './client';
+import { XdsServerCredentials } from '../src';
+import { credentials, ServerCredentials } from '@grpc/grpc-js';
+import { readFileSync } from 'fs';
+import * as path from 'path';
+import { Listener } from '../src/generated/envoy/config/listener/v3/Listener';
+import { DownstreamTlsContext } from '../src/generated/envoy/extensions/transport_sockets/tls/v3/DownstreamTlsContext';
+import { AnyExtension } from '@grpc/proto-loader';
+import { DOWNSTREAM_TLS_CONTEXT_TYPE_URL } from '../src/resources';
+
+const ca = readFileSync(path.join(__dirname, 'fixtures', 'ca.pem'));
+const key = readFileSync(path.join(__dirname, 'fixtures', 'server1.key'));
+const cert = readFileSync(path.join(__dirname, 'fixtures', 'server1.pem'));
+
+describe('Server xDS Credentials', () => {
+ let xdsServer: ControlPlaneServer;
+ let client: XdsTestClient;
+ beforeEach(done => {
+ xdsServer = new ControlPlaneServer();
+ xdsServer.startServer(error => {
+ done(error);
+ });
+ });
+ afterEach(() => {
+ client?.close();
+ xdsServer?.shutdownServer();
+ });
+ it('Should use fallback credentials when certificate providers are not configured', async () => {
+ const [backend] = await createBackends(1, true, new XdsServerCredentials(ServerCredentials.createInsecure()));
+ const serverRoute = new FakeServerRoute(backend.getPort(), 'serverRoute');
+ xdsServer.setRdsResource(serverRoute.getRouteConfiguration());
+ xdsServer.setLdsResource(serverRoute.getListener());
+ xdsServer.addResponseListener((typeUrl, responseState) => {
+ if (responseState.state === 'NACKED') {
+ client?.stopCalls();
+ assert.fail(`Client NACKED ${typeUrl} resource with message ${responseState.errorMessage}`);
+ }
+ });
+ const cluster = new FakeEdsCluster('cluster1', 'endpoint1', [{backends: [backend], locality:{region: 'region1'}}]);
+ const routeGroup = new FakeRouteGroup('listener1', 'route1', [{cluster: cluster}]);
+ await routeGroup.startAllBackends(xdsServer);
+ xdsServer.setEdsResource(cluster.getEndpointConfig());
+ xdsServer.setCdsResource(cluster.getClusterConfig());
+ xdsServer.setRdsResource(routeGroup.getRouteConfiguration());
+ xdsServer.setLdsResource(routeGroup.getListener());
+ client = XdsTestClient.createFromServer('listener1', xdsServer, credentials.createInsecure());
+ const error = await client.sendOneCallAsync();
+ assert.strictEqual(error, null);
+ });
+ it('Should use the identity certificate when configured', async () => {
+ const [backend] = await createBackends(1, true, new XdsServerCredentials(ServerCredentials.createInsecure()));
+ const downstreamTlsContext: DownstreamTlsContext & AnyExtension = {
+ '@type': DOWNSTREAM_TLS_CONTEXT_TYPE_URL,
+ common_tls_context: {
+ tls_certificate_provider_instance: {
+ instance_name: 'test_certificates'
+ },
+ validation_context: {}
+ },
+ ocsp_staple_policy: 'LENIENT_STAPLING'
+ }
+ const baseServerListener: Listener = {
+ default_filter_chain: {
+ filter_chain_match: {
+ source_type: 'SAME_IP_OR_LOOPBACK'
+ },
+ transport_socket: {
+ name: 'envoy.transport_sockets.tls',
+ typed_config: downstreamTlsContext
+ }
+ }
+ }
+ const serverRoute = new FakeServerRoute(backend.getPort(), 'serverRoute', baseServerListener);
+ xdsServer.setRdsResource(serverRoute.getRouteConfiguration());
+ xdsServer.setLdsResource(serverRoute.getListener());
+ xdsServer.addResponseListener((typeUrl, responseState) => {
+ if (responseState.state === 'NACKED') {
+ client?.stopCalls();
+ assert.fail(`Client NACKED ${typeUrl} resource with message ${responseState.errorMessage}`);
+ }
+ });
+ const cluster = new FakeEdsCluster('cluster1', 'endpoint1', [{backends: [backend], locality:{region: 'region1'}}]);
+ const routeGroup = new FakeRouteGroup('listener1', 'route1', [{cluster: cluster}]);
+ await routeGroup.startAllBackends(xdsServer);
+ xdsServer.setEdsResource(cluster.getEndpointConfig());
+ xdsServer.setCdsResource(cluster.getClusterConfig());
+ xdsServer.setRdsResource(routeGroup.getRouteConfiguration());
+ xdsServer.setLdsResource(routeGroup.getListener());
+ client = XdsTestClient.createFromServer('listener1', xdsServer, credentials.createSsl(ca), {
+ 'grpc.ssl_target_name_override': 'foo.test.google.fr',
+ 'grpc.default_authority': 'foo.test.google.fr',
+ });
+ const error = await client.sendOneCallAsync();
+ assert.strictEqual(error, null);
+ });
+ it('Should use identity and CA certificates when configured', async () => {
+ const [backend] = await createBackends(1, true, new XdsServerCredentials(ServerCredentials.createInsecure()));
+ const downstreamTlsContext: DownstreamTlsContext & AnyExtension = {
+ '@type': DOWNSTREAM_TLS_CONTEXT_TYPE_URL,
+ common_tls_context: {
+ tls_certificate_provider_instance: {
+ instance_name: 'test_certificates'
+ },
+ validation_context: {
+ ca_certificate_provider_instance: {
+ instance_name: 'test_certificates'
+ }
+ }
+ },
+ ocsp_staple_policy: 'LENIENT_STAPLING',
+ require_client_certificate: {
+ value: true
+ }
+ }
+ const baseServerListener: Listener = {
+ default_filter_chain: {
+ filter_chain_match: {
+ source_type: 'SAME_IP_OR_LOOPBACK'
+ },
+ transport_socket: {
+ name: 'envoy.transport_sockets.tls',
+ typed_config: downstreamTlsContext
+ }
+ }
+ }
+ const serverRoute = new FakeServerRoute(backend.getPort(), 'serverRoute', baseServerListener);
+ xdsServer.setRdsResource(serverRoute.getRouteConfiguration());
+ xdsServer.setLdsResource(serverRoute.getListener());
+ xdsServer.addResponseListener((typeUrl, responseState) => {
+ if (responseState.state === 'NACKED') {
+ client?.stopCalls();
+ assert.fail(`Client NACKED ${typeUrl} resource with message ${responseState.errorMessage}`);
+ }
+ });
+ const cluster = new FakeEdsCluster('cluster1', 'endpoint1', [{backends: [backend], locality:{region: 'region1'}}]);
+ const routeGroup = new FakeRouteGroup('listener1', 'route1', [{cluster: cluster}]);
+ await routeGroup.startAllBackends(xdsServer);
+ xdsServer.setEdsResource(cluster.getEndpointConfig());
+ xdsServer.setCdsResource(cluster.getClusterConfig());
+ xdsServer.setRdsResource(routeGroup.getRouteConfiguration());
+ xdsServer.setLdsResource(routeGroup.getListener());
+ client = XdsTestClient.createFromServer('listener1', xdsServer, credentials.createSsl(ca, key, cert), {
+ 'grpc.ssl_target_name_override': 'foo.test.google.fr',
+ 'grpc.default_authority': 'foo.test.google.fr',
+ });
+ const error = await client.sendOneCallAsync();
+ assert.strictEqual(error, null);
+ });
+});
diff --git a/packages/grpc-js-xds/test/xds-server.ts b/packages/grpc-js-xds/test/xds-server.ts
index 78d53874f..ed0a03dca 100644
--- a/packages/grpc-js-xds/test/xds-server.ts
+++ b/packages/grpc-js-xds/test/xds-server.ts
@@ -31,6 +31,7 @@ import * as adsTypes from '../src/generated/ads';
 import * as lrsTypes from '../src/generated/lrs';
 import { LoadStatsRequest__Output } from "../src/generated/envoy/service/load_stats/v3/LoadStatsRequest";
 import { LoadStatsResponse } from "../src/generated/envoy/service/load_stats/v3/LoadStatsResponse";
+import * as path from 'path';
 const TRACER_NAME = 'control_plane_server';
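Review bot: The third test configures `require_client_certificate: { value: true }` but only exercises the positive path with `credentials.createSsl(ca, key, cert)`, so it would also pass if the server ignored that field entirely; a companion case that connects to the same listener with `credentials.createSsl(ca)` (no client identity) and asserts `assert.notStrictEqual(error, null)` is what actually demonstrates that the requirement is enforced. The `xdsServer.addResponseListener` NACK handler is pasted verbatim into all three tests and could be registered once in `beforeEach` right after `startServer`, where a failure would also be reported with the same `assert.fail` message. Along the same lines, the three `downstreamTlsContext`/`baseServerListener` literals differ only in `validation_context` and `require_client_certificate`, so a small builder taking those two fields would make the intent of each test visible at a glance.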
@@ -52,6 +53,7 @@ const loadedProtos = loadPackageDefinition(loadSync(
 'envoy/extensions/load_balancing_policies/wrr_locality/v3/wrr_locality.proto',
 'envoy/extensions/load_balancing_policies/ring_hash/v3/ring_hash.proto',
 'envoy/extensions/load_balancing_policies/pick_first/v3/pick_first.proto',
+ 'envoy/extensions/transport_sockets/tls/v3/tls.proto',
 'xds/type/v3/typed_struct.proto'
 ],
 {
@@ -367,7 +369,18 @@ export class ControlPlaneServer {
 id: 'test',
 locality: {}
 },
- server_listener_resource_name_template: '%s'
+ server_listener_resource_name_template: '%s',
+ certificate_providers: {
+ test_certificates: {
+ plugin_name: 'file_watcher',
+ config: {
+ certificate_file: path.join(__dirname, 'fixtures', 'server1.pem'),
+ private_key_file: path.join(__dirname, 'fixtures', 'server1.key'),
+ ca_certificate_file: path.join(__dirname, 'fixtures', 'ca.pem'),
+ refresh_interval: '60s'
+ }
+ }
+ }
 }
 return JSON.stringify(bootstrapInfo);
 }
diff --git a/packages/grpc-js/src/certificate-provider.ts b/packages/grpc-js/src/certificate-provider.ts
index e8bcaed8f..6eaf8447e 100644
--- a/packages/grpc-js/src/certificate-provider.ts
+++ b/packages/grpc-js/src/certificate-provider.ts
@@ -90,7 +90,7 @@ export class FileWatcherCertificateProvider implements CertificateProvider {
 if (!this.refreshTimer) {
 return;
 }
- trace('File watcher read certificates certificate' + (certificateResult ? '!=' : '==') + 'null, privateKey' + (privateKeyResult ? '!=' : '==') + 'null, CA certificate' + (caCertificateResult ? '!=' : '==') + 'null');
+ trace('File watcher read certificates certificate ' + certificateResult.status + ', privateKey ' + privateKeyResult.status + ', CA certificate ' + caCertificateResult.status);
 this.lastUpdateTime = new Date();
 this.fileResultPromise = null;
 if (certificateResult.status === 'fulfilled' && privateKeyResult.status === 'fulfilled') {
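Review bot: The new `certificate_providers` block in the bootstrap (the `@@ -367` hunk) deserves a comment explaining that `test_certificates` is the instance name the credentials tests reference through `tls_certificate_provider_instance` and `ca_certificate_provider_instance`, and that the three `path.join(__dirname, 'fixtures', …)` entries resolve against the directory of the file actually executing, so when the tests run from compiled output the fixtures have to exist next to that output and not only under `test/`. A line such as `// 'test_certificates' is referenced by the DownstreamTlsContext in test-xds-credentials.ts; paths are resolved relative to the compiled test directory, so fixtures must be copied alongside the build output.` above `certificate_providers:` would save the next reader a trip through the test files. The method this hunk sits in (presumably `getBootstrapInfoString`, given the `return JSON.stringify(bootstrapInfo)`) starts outside the hunk.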
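Review bot: The rewritten `trace` call prints only `status` for each settled result, so a `'rejected'` read logs nothing about why the file could not be read, which is precisely what an operator needs when a file-watcher provider stops serving certificates. Appending the reason for rejected entries, e.g. `(certificateResult.status === 'rejected' ? ' (' + String(certificateResult.reason) + ')' : '')` after each `.status`, or a single follow-up line such as `if (caCertificateResult.status === 'rejected') trace('CA certificate read failed: ' + String(caCertificateResult.reason));`, would make the trace actionable without changing the happy-path output. The enclosing method starts and ends outside the hunk.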
diff --git a/packages/grpc-js/src/server-credentials.ts b/packages/grpc-js/src/server-credentials.ts
index b77bdb249..071e2b687 100644
--- a/packages/grpc-js/src/server-credentials.ts
+++ b/packages/grpc-js/src/server-credentials.ts
@@ -279,7 +279,8 @@ class CertificateProviderServerCredentials extends ServerCredentials {
 }
 private finalizeUpdate() {
- this.updateSecureContextOptions(this.calculateSecureContextOptions());
+ const secureContextOptions = this.calculateSecureContextOptions();
+ this.updateSecureContextOptions(secureContextOptions);
 }
 private handleCaCertificateUpdate(update: CaCertificateUpdate | null) {