xds: import envoy proto

xds/third_party/envoy/import.sh

@@ -18,7 +18,7 @@
 set -e
 BRANCH=main
 # import VERSION from one of the google internal CLs
-VERSION=ac9a2637336decdcc52c24add5e8fc39edebb962
+VERSION=8b9b87702885beb324dadb349cbcb06d037c956e
 GIT_REPO="https://github.com/envoyproxy/envoy.git"
 GIT_BASE_DIR=envoy
 SOURCE_PROTO_BASE_DIR=envoy/api
@@ -84,6 +84,7 @@ envoy/config/core/v3/protocol.proto
 envoy/config/core/v3/proxy_protocol.proto
 envoy/config/core/v3/socket_option.proto
 envoy/config/core/v3/substitution_format_string.proto
+envoy/config/core/v3/udp_socket_config.proto
 envoy/config/endpoint/v3/endpoint.proto
 envoy/config/endpoint/v3/endpoint_components.proto
 envoy/config/endpoint/v3/load_report.proto
@@ -96,10 +97,12 @@ envoy/config/listener/v2/api_listener.proto
 envoy/config/listener/v3/api_listener.proto
 envoy/config/listener/v3/listener.proto
 envoy/config/listener/v3/listener_components.proto
+envoy/config/listener/v3/quic_config.proto
 envoy/config/listener/v3/udp_listener_config.proto
 envoy/config/metrics/v3/stats.proto
 envoy/config/overload/v3/overload.proto
 envoy/config/rbac/v2/rbac.proto
+envoy/config/rbac/v3/rbac.proto
 envoy/config/route/v3/route.proto
 envoy/config/route/v3/route_components.proto
 envoy/config/route/v3/scoped_route.proto
@@ -136,6 +139,7 @@ envoy/service/load_stats/v2/lrs.proto
 envoy/service/load_stats/v3/lrs.proto
 envoy/service/status/v3/csds.proto
 envoy/type/http.proto
+envoy/type/http/v3/path_transformation.proto
 envoy/type/matcher/metadata.proto
 envoy/type/matcher/number.proto
 envoy/type/matcher/path.proto
@@ -144,6 +148,7 @@ envoy/type/matcher/string.proto
 envoy/type/matcher/v3/metadata.proto
 envoy/type/matcher/v3/node.proto
 envoy/type/matcher/v3/number.proto
+envoy/type/matcher/v3/path.proto
 envoy/type/matcher/v3/regex.proto
 envoy/type/matcher/v3/string.proto
 envoy/type/matcher/v3/struct.proto

xds/third_party/envoy/src/main/proto/envoy/annotations/deprecation.proto

@@ -5,18 +5,29 @@ package envoy.annotations;
 import "google/protobuf/descriptor.proto";
 
 // [#protodoc-title: Deprecation]
-// Allows tagging proto fields as fatal by default. One Envoy release after
-// deprecation, deprecated fields will be disallowed by default, a state which
-// is reversible with :ref:`runtime overrides <config_runtime_deprecation>`.
+// Adds annotations for deprecated fields and enums to allow tagging proto
+// fields as fatal by default and the minor version on which the field was
+// deprecated. One Envoy release after deprecation, deprecated fields will be
+// disallowed by default, a state which is reversible with
+// :ref:`runtime overrides <config_runtime_deprecation>`.
 
 // Magic number in this file derived from top 28bit of SHA256 digest of
-// "envoy.annotation.disallowed_by_default"
+// "envoy.annotation.disallowed_by_default" and "envoy.annotation.deprecated_at_minor_version"
 extend google.protobuf.FieldOptions {
   bool disallowed_by_default = 189503207;
+
+  // The API major and minor version on which the field was deprecated
+  // (e.g., "3.5" for major version 3 and minor version 5).
+  string deprecated_at_minor_version = 157299826;
 }
 
 // Magic number in this file derived from top 28bit of SHA256 digest of
-// "envoy.annotation.disallowed_by_default_enum"
+// "envoy.annotation.disallowed_by_default_enum" and
+// "envoy.annotation.deprecated_at_minor_version_eum"
 extend google.protobuf.EnumValueOptions {
   bool disallowed_by_default_enum = 70100853;
+
+  // The API major and minor version on which the enum value was deprecated
+  // (e.g., "3.5" for major version 3 and minor version 5).
+  string deprecated_at_minor_version_enum = 181198657;
 }

xds/third_party/envoy/src/main/proto/envoy/api/v2/core/address.proto

@@ -129,6 +129,6 @@ message CidrRange {
   // IPv4 or IPv6 address, e.g. ``192.0.0.0`` or ``2001:db8::``.
   string address_prefix = 1 [(validate.rules).string = {min_bytes: 1}];
 
-  // Length of prefix, e.g. 0, 32.
+  // Length of prefix, e.g. 0, 32. Defaults to 0 when unset.
   google.protobuf.UInt32Value prefix_len = 2 [(validate.rules).uint32 = {lte: 128}];
 }

xds/third_party/envoy/src/main/proto/envoy/api/v2/listener.proto

@@ -195,6 +195,8 @@ message Listener {
   google.protobuf.UInt32Value tcp_fast_open_queue_length = 12;
 
   // Specifies the intended direction of the traffic relative to the local Envoy.
+  // This property is required on Windows for listeners using the original destination filter,
+  // see :ref:`Original Destination <config_listener_filters_original_dst>`.
   core.TrafficDirection traffic_direction = 16;
 
   // If the protocol in the listener socket address in :ref:`protocol

xds/third_party/envoy/src/main/proto/envoy/config/accesslog/v3/accesslog.proto

@@ -29,26 +29,16 @@ message AccessLog {
 
   reserved "config";
 
-  // The name of the access log implementation to instantiate. The name must
-  // match a statically registered access log. Current built-in loggers include:
-  //
-  // #. "envoy.access_loggers.file"
-  // #. "envoy.access_loggers.http_grpc"
-  // #. "envoy.access_loggers.tcp_grpc"
+  // The name of the access log extension to instantiate.
+  // The name must match one of the compiled in loggers.
+  // See the :ref:`extensions listed in typed_config below <extension_category_envoy.access_loggers>` for the default list of available loggers.
   string name = 1;
 
   // Filter which is used to determine if the access log needs to be written.
   AccessLogFilter filter = 2;
 
-  // Custom configuration that depends on the access log being instantiated.
-  // Built-in configurations include:
-  //
-  // #. "envoy.access_loggers.file": :ref:`FileAccessLog
-  //    <envoy_api_msg_extensions.access_loggers.file.v3.FileAccessLog>`
-  // #. "envoy.access_loggers.http_grpc": :ref:`HttpGrpcAccessLogConfig
-  //    <envoy_api_msg_extensions.access_loggers.grpc.v3.HttpGrpcAccessLogConfig>`
-  // #. "envoy.access_loggers.tcp_grpc": :ref:`TcpGrpcAccessLogConfig
-  //    <envoy_api_msg_extensions.access_loggers.grpc.v3.TcpGrpcAccessLogConfig>`
+  // Custom configuration that must be set according to the access logger extension being instantiated.
+  // [#extension-category: envoy.access_loggers]
   oneof config_type {
     google.protobuf.Any typed_config = 4;
   }
@@ -254,6 +244,8 @@ message ResponseFlagFilter {
         in: "RFCF"
         in: "NFCF"
         in: "DT"
+        in: "UPE"
+        in: "NC"
       }
     }
   }];

xds/third_party/envoy/src/main/proto/envoy/config/bootstrap/v3/bootstrap.proto

@@ -2,6 +2,7 @@ syntax = "proto3";
 
 package envoy.config.bootstrap.v3;
 
+import "envoy/config/accesslog/v3/accesslog.proto";
 import "envoy/config/cluster/v3/cluster.proto";
 import "envoy/config/core/v3/address.proto";
 import "envoy/config/core/v3/base.proto";
@@ -20,6 +21,7 @@ import "google/protobuf/duration.proto";
 import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";
 
+import "envoy/annotations/deprecation.proto";
 import "udpa/annotations/migrate.proto";
 import "udpa/annotations/security.proto";
 import "udpa/annotations/status.proto";
@@ -186,18 +188,21 @@ message Bootstrap {
   // Optional watchdog configuration.
   // This is for a single watchdog configuration for the entire system.
   // Deprecated in favor of *watchdogs* which has finer granularity.
-  Watchdog watchdog = 8 [deprecated = true];
+  Watchdog watchdog = 8
+      [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
 
   // Optional watchdogs configuration.
   // This is used for specifying different watchdogs for the different subsystems.
+  // [#extension-category: envoy.guarddog_actions]
   Watchdogs watchdogs = 27;
 
   // Configuration for an external tracing provider.
   //
   // .. attention::
   //  This field has been deprecated in favor of :ref:`HttpConnectionManager.Tracing.provider
   //  <envoy_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.provider>`.
-  trace.v3.Tracing tracing = 9 [deprecated = true];
+  trace.v3.Tracing tracing = 9
+      [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
 
   // Configuration for the runtime configuration provider. If not
   // specified, a “null” provider will be used which will result in all defaults
@@ -249,6 +254,7 @@ message Bootstrap {
 
   // Specifies optional bootstrap extensions to be instantiated at startup time.
   // Each item contains extension specific configuration.
+  // [#extension-category: envoy.bootstrap]
   repeated core.v3.TypedExtensionConfig bootstrap_extensions = 21;
 
   // Specifies optional extensions instantiated at startup time and
@@ -293,13 +299,20 @@ message Bootstrap {
 
 // Administration interface :ref:`operations documentation
 // <operations_admin_interface>`.
+// [#next-free-field: 6]
 message Admin {
   option (udpa.annotations.versioning).previous_message_type = "envoy.config.bootstrap.v2.Admin";
 
+  // Configuration for :ref:`access logs <arch_overview_access_logs>`
+  // emitted by the administration server.
+  repeated accesslog.v3.AccessLog access_log = 5;
+
   // The path to write the access log for the administration server. If no
   // access log is desired specify ‘/dev/null’. This is only required if
   // :ref:`address <envoy_api_field_config.bootstrap.v3.Admin.address>` is set.
-  string access_log_path = 1;
+  // Deprecated in favor of *access_log* which offers more options.
+  string access_log_path = 1
+      [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
 
   // The cpu profiler output path for the administration server. If no profile
   // path is specified, the default is ‘/var/log/envoy/envoy.prof’.

xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/cluster.proto

@@ -21,6 +21,8 @@ import "google/protobuf/wrappers.proto";
 
 import "xds/core/v3/collection_entry.proto";
 
+import "envoy/annotations/deprecation.proto";
+import "udpa/annotations/migrate.proto";
 import "udpa/annotations/security.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
@@ -158,6 +160,7 @@ message Cluster {
     google.protobuf.Struct match = 2;
 
     // The configuration of the transport socket.
+    // [#extension-category: envoy.transport_sockets.upstream]
     core.v3.TransportSocket transport_socket = 3;
   }
 
@@ -171,6 +174,7 @@ message Cluster {
 
     // Cluster specific configuration which depends on the cluster being instantiated.
     // See the supported cluster for further documentation.
+    // [#extension-category: envoy.clusters]
     google.protobuf.Any typed_config = 2;
   }
 
@@ -681,11 +685,16 @@ message Cluster {
   // Any ``:`` in the cluster name will be converted to ``_`` when emitting statistics.
   string name = 1 [(validate.rules).string = {min_len: 1}];
 
-  // An optional alternative to the cluster name to be used while emitting stats.
-  // Any ``:`` in the name will be converted to ``_`` when emitting statistics. This should not be
-  // confused with :ref:`Router Filter Header
-  // <config_http_filters_router_x-envoy-upstream-alt-stat-name>`.
-  string alt_stat_name = 28;
+  // An optional alternative to the cluster name to be used for observability. This name is used
+  // emitting stats for the cluster and access logging the cluster name. This will appear as
+  // additional information in configuration dumps of a cluster's current status as
+  // :ref:`observability_name <envoy_v3_api_field_admin.v3.ClusterStatus.observability_name>`
+  // and as an additional tag "upstream_cluster.name" while tracing. Note: access logging using
+  // this field is presently enabled with runtime feature
+  // `envoy.reloadable_features.use_observable_cluster_name`. Any ``:`` in the name will be
+  // converted to ``_`` when emitting statistics. This should not be confused with :ref:`Router
+  // Filter Header <config_http_filters_router_x-envoy-upstream-alt-stat-name>`.
+  string alt_stat_name = 28 [(udpa.annotations.field_migrate).rename = "observability_name"];
 
   oneof cluster_discovery_type {
     // The :ref:`service discovery type <arch_overview_service_discovery_types>`
@@ -747,10 +756,11 @@ message Cluster {
   // in the :ref:`http_protocol_options <envoy_api_msg_extensions.upstreams.http.v3.HttpProtocolOptions>` message.
   // upstream_http_protocol_options can be set via the cluster's
   // :ref:`extension_protocol_options<envoy_api_field_config.cluster.v3.Cluster.typed_extension_protocol_options>`.
-  // See ref:`upstream_http_protocol_options
+  // See :ref:`upstream_http_protocol_options
   // <envoy_api_field_extensions.upstreams.http.v3.HttpProtocolOptions.upstream_http_protocol_options>`
   // for example usage.
-  core.v3.UpstreamHttpProtocolOptions upstream_http_protocol_options = 46 [deprecated = true];
+  core.v3.UpstreamHttpProtocolOptions upstream_http_protocol_options = 46
+      [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
 
   // Additional options when handling HTTP requests upstream. These options will be applicable to
   // both HTTP1 and HTTP2 requests.
@@ -759,20 +769,22 @@ message Cluster {
   // in the :ref:`http_protocol_options <envoy_api_msg_extensions.upstreams.http.v3.HttpProtocolOptions>` message.
   // common_http_protocol_options can be set via the cluster's
   // :ref:`extension_protocol_options<envoy_api_field_config.cluster.v3.Cluster.typed_extension_protocol_options>`.
-  // See ref:`upstream_http_protocol_options
+  // See :ref:`upstream_http_protocol_options
   // <envoy_api_field_extensions.upstreams.http.v3.HttpProtocolOptions.upstream_http_protocol_options>`
   // for example usage.
-  core.v3.HttpProtocolOptions common_http_protocol_options = 29 [deprecated = true];
+  core.v3.HttpProtocolOptions common_http_protocol_options = 29
+      [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
 
   // Additional options when handling HTTP1 requests.
   // This has been deprecated in favor of http_protocol_options fields in the in the
   // :ref:`http_protocol_options <envoy_api_msg_extensions.upstreams.http.v3.HttpProtocolOptions>` message.
   // http_protocol_options can be set via the cluster's
   // :ref:`extension_protocol_options<envoy_api_field_config.cluster.v3.Cluster.typed_extension_protocol_options>`.
-  // See ref:`upstream_http_protocol_options
+  // See :ref:`upstream_http_protocol_options
   // <envoy_api_field_extensions.upstreams.http.v3.HttpProtocolOptions.upstream_http_protocol_options>`
   // for example usage.
-  core.v3.Http1ProtocolOptions http_protocol_options = 13 [deprecated = true];
+  core.v3.Http1ProtocolOptions http_protocol_options = 13
+      [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
 
   // Even if default HTTP2 protocol options are desired, this field must be
   // set so that Envoy will assume that the upstream supports HTTP/2 when
@@ -784,11 +796,14 @@ message Cluster {
   // :ref:`http_protocol_options <envoy_api_msg_extensions.upstreams.http.v3.HttpProtocolOptions>`
   // message. http2_protocol_options can be set via the cluster's
   // :ref:`extension_protocol_options<envoy_api_field_config.cluster.v3.Cluster.typed_extension_protocol_options>`.
-  // See ref:`upstream_http_protocol_options
+  // See :ref:`upstream_http_protocol_options
   // <envoy_api_field_extensions.upstreams.http.v3.HttpProtocolOptions.upstream_http_protocol_options>`
   // for example usage.
-  core.v3.Http2ProtocolOptions http2_protocol_options = 14
-      [deprecated = true, (udpa.annotations.security).configure_for_untrusted_upstream = true];
+  core.v3.Http2ProtocolOptions http2_protocol_options = 14 [
+    deprecated = true,
+    (udpa.annotations.security).configure_for_untrusted_upstream = true,
+    (envoy.annotations.deprecated_at_minor_version) = "3.0"
+  ];
 
   // The extension_protocol_options field is used to provide extension-specific protocol options
   // for upstream connections. The key should match the extension filter name, such as
@@ -924,7 +939,8 @@ message Cluster {
   // <envoy_api_msg_extensions.upstreams.http.v3.HttpProtocolOptions>` message.
   // http_protocol_options can be set via the cluster's
   // :ref:`extension_protocol_options<envoy_api_field_config.cluster.v3.Cluster.typed_extension_protocol_options>`.
-  ClusterProtocolSelection protocol_selection = 26 [deprecated = true];
+  ClusterProtocolSelection protocol_selection = 26
+      [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
 
   // Optional options for upstream connections.
   UpstreamConnectionOptions upstream_connection_options = 30;
@@ -985,7 +1001,8 @@ message Cluster {
   //
   //   This field has been deprecated in favor of `timeout_budgets`, part of
   //   :ref:`track_cluster_stats <envoy_api_field_config.cluster.v3.Cluster.track_cluster_stats>`.
-  bool track_timeout_budgets = 47 [deprecated = true];
+  bool track_timeout_budgets = 47
+      [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
 
   // Optional customization and configuration of upstream connection pool, and upstream type.
   //
@@ -1004,6 +1021,7 @@ message Cluster {
   // If users desire custom connection pool or upstream behavior, for example terminating
   // CONNECT only if a custom filter indicates it is appropriate, the custom factories
   // can be registered and configured here.
+  // [#extension-category: envoy.upstreams]
   core.v3.TypedExtensionConfig upstream_config = 48;
 
   // Configuration to track optional cluster stats.

xds/third_party/envoy/src/main/proto/envoy/config/cluster/v3/outlier_detection.proto

@@ -151,7 +151,7 @@ message OutlierDetection {
   google.protobuf.UInt32Value failure_percentage_request_volume = 20;
 
   // The maximum time that a host is ejected for. See :ref:`base_ejection_time<envoy_api_field_config.cluster.v3.OutlierDetection.base_ejection_time>`
-  // for more information.
-  // Defaults to 300000ms or 300s.
+  // for more information. If not specified, the default value (300000ms or 300s) or
+  // :ref:`base_ejection_time<envoy_api_field_config.cluster.v3.OutlierDetection.base_ejection_time>` value is applied, whatever is larger.
   google.protobuf.Duration max_ejection_time = 21 [(validate.rules).duration = {gt {}}];
 }

xds/third_party/envoy/src/main/proto/envoy/config/core/v3/address.proto

@@ -155,6 +155,6 @@ message CidrRange {
   // IPv4 or IPv6 address, e.g. ``192.0.0.0`` or ``2001:db8::``.
   string address_prefix = 1 [(validate.rules).string = {min_len: 1}];
 
-  // Length of prefix, e.g. 0, 32.
+  // Length of prefix, e.g. 0, 32. Defaults to 0 when unset.
   google.protobuf.UInt32Value prefix_len = 2 [(validate.rules).uint32 = {lte: 128}];
 }