CONNECT-2370: Update protos in envoy api

gradle.properties

@@ -1,2 +1,2 @@
-version=1.31.8-1
+version=1.34.4-1
 org.gradle.jvmargs=-Xmx2g -XX:MaxMetaspaceSize=512m -XX:+HeapDumpOnOutOfMemoryError -Dfile.encoding=UTF-8

src/main/proto/contrib/envoy/extensions/filters/http/golang/v3alpha/golang.proto

@@ -2,6 +2,8 @@ syntax = "proto3";
 
 package envoy.extensions.filters.http.golang.v3alpha;
 
+import "envoy/extensions/transport_sockets/tls/v3/secret.proto";
+
 import "google/protobuf/any.proto";
 
 import "xds/annotations/v3/status.proto";
@@ -21,7 +23,7 @@ option (xds.annotations.v3.file_status).work_in_progress = true;
 // For an overview of the Golang HTTP filter please see the :ref:`configuration reference documentation <config_http_filters_golang>`.
 // [#extension: envoy.filters.http.golang]
 
-// [#next-free-field: 6]
+// [#next-free-field: 7]
 message Config {
   // The meanings are as follows:
   //
@@ -74,6 +76,13 @@ message Config {
   //
   // [#not-implemented-hide:]
   MergePolicy merge_policy = 5 [(validate.rules).enum = {defined_only: true}];
+
+  // Generic secret list available to the plugin.
+  // Looks into SDS or static bootstrap configuration.
+  //
+  // See :repo:`StreamFilter API <contrib/golang/common/go/api/filter.go>`
+  // for more information about how to access secrets from Go.
+  repeated transport_sockets.tls.v3.SdsSecretConfig generic_secrets = 6;
 }
 
 message RouterPlugin {

src/main/proto/contrib/envoy/extensions/filters/network/kafka_broker/v3/kafka_broker.proto

@@ -15,7 +15,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: Kafka Broker]
 // Kafka Broker :ref:`configuration overview <config_network_filters_kafka_broker>`.
 // [#extension: envoy.filters.network.kafka_broker]
-
+// [#next-free-field: 6]
 message KafkaBroker {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.network.kafka_broker.v2alpha1.KafkaBroker";
@@ -39,6 +39,16 @@ message KafkaBroker {
     // Broker address rewrite rules that match by broker ID.
     IdBasedBrokerRewriteSpec id_based_broker_address_rewrite_spec = 3;
   }
+
+  // Optional list of allowed Kafka API keys. Only requests with provided API keys will be
+  // routed, otherwise the connection will be closed. No effect if empty.
+  repeated uint32 api_keys_allowed = 4
+      [(validate.rules).repeated = {items {uint32 {lte: 32767 gte: 0}}}];
+
+  // Optional list of denied Kafka API keys. Requests with API keys matching this list will have
+  // the connection closed. No effect if empty.
+  repeated uint32 api_keys_denied = 5
+      [(validate.rules).repeated = {items {uint32 {lte: 32767 gte: 0}}}];
 }
 
 // Collection of rules matching by broker ID.

src/main/proto/contrib/envoy/extensions/tap_sinks/udp_sink/v3alpha/udp_sink.proto

@@ -0,0 +1,22 @@
+syntax = "proto3";
+
+package envoy.extensions.tap_sinks.udp_sink.v3alpha;
+
+import "envoy/config/core/v3/address.proto";
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.tap_sinks.udp_sink.v3alpha";
+option java_outer_classname = "UdpSinkProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/tap_sinks/udp_sink/v3alpha";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: Udp sink configuration]
+// [#extension: envoy.tap_sinks.udp_sink]
+
+// Udp sink configuration.
+message UdpSink {
+  // Configure UDP Address.
+  config.core.v3.SocketAddress udp_address = 1;
+}

src/main/proto/contrib/envoy/extensions/upstreams/http/tcp/golang/v3alpha/golang.proto

@@ -0,0 +1,52 @@
+syntax = "proto3";
+
+package envoy.extensions.upstreams.http.tcp.golang.v3alpha;
+
+import "google/protobuf/any.proto";
+
+import "xds/annotations/v3/status.proto";
+
+import "udpa/annotations/status.proto";
+import "validate/validate.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.upstreams.http.tcp.golang.v3alpha";
+option java_outer_classname = "GolangProto";
+option java_multiple_files = true;
+option go_package = "github.com/envoyproxy/go-control-plane/contrib/envoy/extensions/upstreams/http/tcp/golang/v3alpha";
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+option (xds.annotations.v3.file_status).work_in_progress = true;
+
+// [#protodoc-title: Golang]
+//
+// This bridge enables an Http client to connect to a TCP server via a Golang plugin, facilitating Protocol Convert from HTTP to any RPC protocol in Envoy.
+//
+// For an overview of the Golang HTTP TCP bridge please see the :ref:`configuration reference documentation <config_http_tcp_bridge_golang>`.
+// [#extension: envoy.upstreams.http.tcp.golang]
+
+// [#extension-category: envoy.upstreams]
+message Config {
+  // Globally unique ID for a dynamic library file.
+  string library_id = 1 [(validate.rules).string = {min_len: 1}];
+
+  // Path to a dynamic library implementing the
+  // :repo:`HttpTcpBridge API <contrib/golang/common/go/api.HttpTcpBridge>`
+  // interface.
+  string library_path = 2 [(validate.rules).string = {min_len: 1}];
+
+  // Globally unique name of the Go plugin.
+  //
+  // This name **must** be consistent with the name registered in ``tcp::RegisterHttpTcpBridgeFactoryAndConfigParser``
+  //
+  string plugin_name = 3 [(validate.rules).string = {min_len: 1}];
+
+  // Configuration for the Go plugin.
+  //
+  // .. note::
+  //     This configuration is only parsed in the Golang plugin, and is therefore not validated
+  //     by Envoy.
+  //
+  //     See the :repo:`HttpTcpBridge API <contrib/golang/common/go/api/filter.go>`
+  //     for more information about how the plugin's configuration data can be accessed.
+  //
+  google.protobuf.Any plugin_config = 4;
+}

src/main/proto/envoy/admin/v3/clusters.proto

@@ -41,22 +41,24 @@ message ClusterStatus {
   bool added_via_api = 2;
 
   // The success rate threshold used in the last interval.
-  // If
-  // :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
-  // is ``false``, all errors: externally and locally generated were used to calculate the threshold.
-  // If
-  // :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
-  // is ``true``, only externally generated errors were used to calculate the threshold.
-  // The threshold is used to eject hosts based on their success rate. See
-  // :ref:`Cluster outlier detection <arch_overview_outlier_detection>` documentation for details.
   //
-  // Note: this field may be omitted in any of the three following cases:
+  // * If :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
+  //   is ``false``, all errors: externally and locally generated were used to calculate the threshold.
+  // * If :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
+  //   is ``true``, only externally generated errors were used to calculate the threshold.
+  //
+  // The threshold is used to eject hosts based on their success rate. For more information, see the
+  // :ref:`Cluster outlier detection <arch_overview_outlier_detection>` documentation.
+  //
+  // .. note::
+  //
+  //   This field may be omitted in any of the three following cases:
+  //
+  //   1. There were not enough hosts with enough request volume to proceed with success rate based outlier ejection.
+  //   2. The threshold is computed to be < 0 because a negative value implies that there was no threshold for that
+  //      interval.
+  //   3. Outlier detection is not enabled for this cluster.
   //
-  // 1. There were not enough hosts with enough request volume to proceed with success rate based
-  //    outlier ejection.
-  // 2. The threshold is computed to be < 0 because a negative value implies that there was no
-  //    threshold for that interval.
-  // 3. Outlier detection is not enabled for this cluster.
   type.v3.Percent success_rate_ejection_threshold = 3;
 
   // Mapping from host address to the host's current status.
@@ -67,16 +69,18 @@ message ClusterStatus {
   // This field should be interpreted only when
   // :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
   // is ``true``. The threshold is used to eject hosts based on their success rate.
-  // See :ref:`Cluster outlier detection <arch_overview_outlier_detection>` documentation for
-  // details.
   //
-  // Note: this field may be omitted in any of the three following cases:
+  // For more information, see the :ref:`Cluster outlier detection <arch_overview_outlier_detection>` documentation.
+  //
+  // .. note::
+  //
+  //   This field may be omitted in any of the three following cases:
+  //
+  //   1. There were not enough hosts with enough request volume to proceed with success rate based outlier ejection.
+  //   2. The threshold is computed to be < 0 because a negative value implies that there was no threshold for that
+  //      interval.
+  //   3. Outlier detection is not enabled for this cluster.
   //
-  // 1. There were not enough hosts with enough request volume to proceed with success rate based
-  //    outlier ejection.
-  // 2. The threshold is computed to be < 0 because a negative value implies that there was no
-  //    threshold for that interval.
-  // 3. Outlier detection is not enabled for this cluster.
   type.v3.Percent local_origin_success_rate_ejection_threshold = 5;
 
   // :ref:`Circuit breaking <arch_overview_circuit_break>` settings of the cluster.
@@ -103,19 +107,20 @@ message HostStatus {
   // The host's current health status.
   HostHealthStatus health_status = 3;
 
-  // Request success rate for this host over the last calculated interval.
-  // If
-  // :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
-  // is ``false``, all errors: externally and locally generated were used in success rate
-  // calculation. If
-  // :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
-  // is ``true``, only externally generated errors were used in success rate calculation.
-  // See :ref:`Cluster outlier detection <arch_overview_outlier_detection>` documentation for
-  // details.
+  // The success rate for this host during the last measurement interval.
+  //
+  // * If :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
+  //   is ``false``, all errors: externally and locally generated were used in success rate calculation.
+  // * If :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
+  //   is ``true``, only externally generated errors were used in success rate calculation.
+  //
+  // For more information, see the :ref:`Cluster outlier detection <arch_overview_outlier_detection>` documentation.
+  //
+  // .. note::
+  //
+  //   The message will be missing if the host didn't receive enough traffic to calculate a reliable success rate, or
+  //   if the cluster had too few hosts to apply outlier ejection based on success rate.
   //
-  // Note: the message will not be present if host did not have enough request volume to calculate
-  // success rate or the cluster did not have enough hosts to run through success rate outlier
-  // ejection.
   type.v3.Percent success_rate = 4;
 
   // The host's weight. If not configured, the value defaults to 1.
@@ -127,18 +132,20 @@ message HostStatus {
   // The host's priority. If not configured, the value defaults to 0 (highest priority).
   uint32 priority = 7;
 
-  // Request success rate for this host over the last calculated
-  // interval when only locally originated errors are taken into account and externally originated
-  // errors were treated as success.
-  // This field should be interpreted only when
+  // The success rate for this host during the last interval, considering only locally generated errors. Externally
+  // generated errors are treated as successes.
+  //
+  // This field is only relevant when
   // :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
-  // is ``true``.
-  // See :ref:`Cluster outlier detection <arch_overview_outlier_detection>` documentation for
-  // details.
+  // is set to ``true``.
+  //
+  // For more information, see the :ref:`Cluster outlier detection <arch_overview_outlier_detection>` documentation.
+  //
+  // .. note::
+  //
+  //   The message will be missing if the host didn’t receive enough traffic to compute a success rate, or if the
+  //   cluster didn’t have enough hosts to perform outlier ejection based on success rate.
   //
-  // Note: the message will not be present if host did not have enough request volume to calculate
-  // success rate or the cluster did not have enough hosts to run through success rate outlier
-  // ejection.
   type.v3.Percent local_origin_success_rate = 8;
 
   // locality of the host.

src/main/proto/envoy/admin/v3/config_dump_shared.proto

@@ -39,6 +39,14 @@ enum ClientResourceStatus {
 
   // Client received this resource and replied with NACK.
   NACKED = 4;
+
+  // Client received an error from the control plane. The attached config
+  // dump is the most recent accepted one. If no config is accepted yet,
+  // the attached config dump will be empty.
+  RECEIVED_ERROR = 5;
+
+  // Client timed out waiting for the resource from the control plane.
+  TIMEOUT = 6;
 }
 
 message UpdateFailureState {

src/main/proto/envoy/admin/v3/server_info.proto

@@ -59,7 +59,7 @@ message ServerInfo {
   config.core.v3.Node node = 7;
 }
 
-// [#next-free-field: 41]
+// [#next-free-field: 42]
 message CommandLineOptions {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.admin.v2alpha.CommandLineOptions";
@@ -125,6 +125,9 @@ message CommandLineOptions {
   // See :option:`--ignore-unknown-dynamic-fields` for details.
   bool ignore_unknown_dynamic_fields = 30;
 
+  // See :option:`--skip-deprecated-logs` for details.
+  bool skip_deprecated_logs = 41;
+
   // See :option:`--admin-address-path` for details.
   string admin_address_path = 6;
 

src/main/proto/envoy/config/accesslog/v3/accesslog.proto

@@ -152,35 +152,38 @@ message TraceableFilter {
       "envoy.config.filter.accesslog.v2.TraceableFilter";
 }
 
-// Filters for random sampling of requests.
+// Filters requests based on runtime-configurable sampling rates.
 message RuntimeFilter {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.accesslog.v2.RuntimeFilter";
 
-  // Runtime key to get an optional overridden numerator for use in the
-  // ``percent_sampled`` field. If found in runtime, this value will replace the
-  // default numerator.
+  // Specifies a key used to look up a custom sampling rate from the runtime configuration. If a value is found for this
+  // key, it will override the default sampling rate specified in ``percent_sampled``.
   string runtime_key = 1 [(validate.rules).string = {min_len: 1}];
 
-  // The default sampling percentage. If not specified, defaults to 0% with
-  // denominator of 100.
+  // Defines the default sampling percentage when no runtime override is present. If not specified, the default is
+  // **0%** (with a denominator of 100).
   type.v3.FractionalPercent percent_sampled = 2;
 
-  // By default, sampling pivots on the header
-  // :ref:`x-request-id<config_http_conn_man_headers_x-request-id>` being
-  // present. If :ref:`x-request-id<config_http_conn_man_headers_x-request-id>`
-  // is present, the filter will consistently sample across multiple hosts based
-  // on the runtime key value and the value extracted from
-  // :ref:`x-request-id<config_http_conn_man_headers_x-request-id>`. If it is
-  // missing, or ``use_independent_randomness`` is set to true, the filter will
-  // randomly sample based on the runtime key value alone.
-  // ``use_independent_randomness`` can be used for logging kill switches within
-  // complex nested :ref:`AndFilter
-  // <envoy_v3_api_msg_config.accesslog.v3.AndFilter>` and :ref:`OrFilter
-  // <envoy_v3_api_msg_config.accesslog.v3.OrFilter>` blocks that are easier to
-  // reason about from a probability perspective (i.e., setting to true will
-  // cause the filter to behave like an independent random variable when
-  // composed within logical operator filters).
+  // Controls how sampling decisions are made.
+  //
+  // - Default behavior (``false``):
+  //
+  //   * Uses the :ref:`x-request-id<config_http_conn_man_headers_x-request-id>` as a consistent sampling pivot.
+  //   * When :ref:`x-request-id<config_http_conn_man_headers_x-request-id>` is present, sampling will be consistent
+  //     across multiple hosts based on both the ``runtime_key`` and
+  //     :ref:`x-request-id<config_http_conn_man_headers_x-request-id>`.
+  //   * Useful for tracking related requests across a distributed system.
+  //
+  // - When set to ``true`` or :ref:`x-request-id<config_http_conn_man_headers_x-request-id>` is missing:
+  //
+  //   * Sampling decisions are made randomly based only on the ``runtime_key``.
+  //   * Useful in complex filter configurations (like nested
+  //     :ref:`AndFilter<envoy_v3_api_msg_config.accesslog.v3.AndFilter>`/
+  //     :ref:`OrFilter<envoy_v3_api_msg_config.accesslog.v3.OrFilter>` blocks) where independent probability
+  //     calculations are desired.
+  //   * Can be used to implement logging kill switches with predictable probability distributions.
+  //
   bool use_independent_randomness = 3;
 }
 
@@ -257,6 +260,7 @@ message ResponseFlagFilter {
         in: "DF"
         in: "DO"
         in: "DR"
+        in: "UDO"
       }
     }
   }];

src/main/proto/envoy/config/cluster/redis/redis_cluster.proto

@@ -43,14 +43,14 @@ option (udpa.annotations.file_status).package_version_status = FROZEN;
 //       address: foo.bar.com
 //       port_value: 22120
 //     cluster_type:
-//     name: envoy.clusters.redis
-//     typed_config:
-//       "@type": type.googleapis.com/google.protobuf.Struct
-//       value:
-//         cluster_refresh_rate: 30s
-//         cluster_refresh_timeout: 0.5s
-//         redirect_refresh_interval: 10s
-//         redirect_refresh_threshold: 10
+//       name: envoy.clusters.redis
+//       typed_config:
+//         "@type": type.googleapis.com/google.protobuf.Struct
+//         value:
+//           cluster_refresh_rate: 30s
+//           cluster_refresh_timeout: 0.5s
+//           redirect_refresh_interval: 10s
+//           redirect_refresh_threshold: 10
 // [#extension: envoy.clusters.redis]
 
 // [#next-free-field: 7]