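syntax = "proto3";

package envoy.config.core.v3;

import "envoy/config/core/v3/base.proto";

import "google/protobuf/any.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/empty.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto";

import "udpa/annotations/sensitive.proto";
import "udpa/annotations/status.proto";
import "udpa/annotations/versioning.proto";
import "validate/validate.proto";

option java_package = "io.envoyproxy.envoy.config.core.v3";
option java_outer_classname = "GrpcServiceProto";
option java_multiple_files = true;
option go_package = "github.com/envoyproxy/go-control-plane/envoy/config/core/v3;corev3";
option (udpa.annotations.file_status).package_version_status = ACTIVE;

// [#protodoc-title: gRPC services]

// gRPC service configuration. This is used by :ref:`ApiConfigSource
// <envoy_v3_api_msg_config.core.v3.ApiConfigSource>` and filter configurations.
//
// Fields that carry bearer secrets (access tokens, refresh tokens, service
// account keys, IAM tokens, private keys) are annotated
// ``(udpa.annotations.sensitive) = true`` so that they are redacted from
// config dumps and similar diagnostic output. New credential fields added to
// this file should carry the same annotation.
// [#next-free-field: 6]
message GrpcService {
  option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.GrpcService";

  // Configuration for Envoy's in-built gRPC client, which sends requests to
  // an upstream cluster.
  message EnvoyGrpc {
    option (udpa.annotations.versioning).previous_message_type =
        "envoy.api.v2.core.GrpcService.EnvoyGrpc";

    // The name of the upstream gRPC cluster. SSL credentials will be supplied
    // in the :ref:`Cluster <envoy_v3_api_msg_config.cluster.v3.Cluster>` :ref:`transport_socket
    // <envoy_v3_api_field_config.cluster.v3.Cluster.transport_socket>`.
    // Must be non-empty.
    string cluster_name = 1 [(validate.rules).string = {min_len: 1}];

    // The ``:authority`` header in the grpc request. If this field is not set, the authority header value will be ``cluster_name``.
    // Note that this authority does not override the SNI. The SNI is provided by the transport socket of the cluster.
    // Limited to 16384 bytes and validated as an HTTP header value (non-strict mode).
    string authority = 2
        [(validate.rules).string =
             {min_len: 0 max_bytes: 16384 well_known_regex: HTTP_HEADER_VALUE strict: false}];

    // Indicates the retry policy for re-establishing the gRPC stream
    // This field is optional. If max interval is not provided, it will be set to ten times the provided base interval.
    // Currently only supported for xDS gRPC streams.
    // If not set, xDS gRPC streams default base interval:500ms, maximum interval:30s will be applied.
    RetryPolicy retry_policy = 3;
  }

  // Configuration for the Google C++ gRPC client, including its channel and
  // call credentials.
  // [#next-free-field: 9]
  message GoogleGrpc {
    option (udpa.annotations.versioning).previous_message_type =
        "envoy.api.v2.core.GrpcService.GoogleGrpc";

    // PEM material used to build TLS channel credentials.
    // See https://grpc.io/grpc/cpp/structgrpc_1_1_ssl_credentials_options.html.
    message SslCredentials {
      option (udpa.annotations.versioning).previous_message_type =
          "envoy.api.v2.core.GrpcService.GoogleGrpc.SslCredentials";

      // PEM encoded server root certificates.
      DataSource root_certs = 1;

      // PEM encoded client private key. Marked sensitive so it is redacted
      // from config dumps.
      DataSource private_key = 2 [(udpa.annotations.sensitive) = true];

      // PEM encoded client certificate chain.
      DataSource cert_chain = 3;
    }

    // Local channel credentials. Only UDS is supported for now.
    // See https://github.com/grpc/grpc/pull/15909.
    message GoogleLocalCredentials {
      option (udpa.annotations.versioning).previous_message_type =
          "envoy.api.v2.core.GrpcService.GoogleGrpc.GoogleLocalCredentials";
    }

    // Credentials attached to the channel as a whole (as opposed to per call).
    // See https://grpc.io/docs/guides/auth.html#credential-types to understand Channel and Call
    // credential types.
    message ChannelCredentials {
      option (udpa.annotations.versioning).previous_message_type =
          "envoy.api.v2.core.GrpcService.GoogleGrpc.ChannelCredentials";

      // Exactly one credential type must be specified.
      oneof credential_specifier {
        option (validate.required) = true;

        // TLS credentials built from the PEM material in
        // :ref:`SslCredentials <envoy_v3_api_msg_config.core.v3.GrpcService.GoogleGrpc.SslCredentials>`.
        SslCredentials ssl_credentials = 1;

        // Google default credentials (application default credentials).
        // https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61
        google.protobuf.Empty google_default = 2;

        // Local (UDS) credentials; see
        // :ref:`GoogleLocalCredentials <envoy_v3_api_msg_config.core.v3.GrpcService.GoogleGrpc.GoogleLocalCredentials>`.
        GoogleLocalCredentials local_credentials = 3;
      }
    }

    // Credentials attached to each call, composable with channel credentials.
    // [#next-free-field: 8]
    message CallCredentials {
      option (udpa.annotations.versioning).previous_message_type =
          "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials";

      // Service account JWT access credentials, self-signed from a Google
      // service account key.
      message ServiceAccountJWTAccessCredentials {
        option (udpa.annotations.versioning).previous_message_type =
            "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials."
            "ServiceAccountJWTAccessCredentials";

        // Contents of the service account JSON key. This embeds the account's
        // private key, so it is marked sensitive and redacted from config dumps.
        string json_key = 1 [(udpa.annotations.sensitive) = true];

        // Lifetime, in seconds, of the JWTs minted from ``json_key``.
        // NOTE(review): an unset value (0) presumably falls back to the gRPC
        // library default — confirm against the Google gRPC client in use.
        uint64 token_lifetime_seconds = 2;
      }

      // Google IAM credentials (an authorization token plus an authority
      // selector).
      message GoogleIAMCredentials {
        option (udpa.annotations.versioning).previous_message_type =
            "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials.GoogleIAMCredentials";

        // The IAM authorization token. Marked sensitive so it is redacted
        // from config dumps.
        string authorization_token = 1 [(udpa.annotations.sensitive) = true];

        // The IAM authority selector passed alongside the token.
        string authority_selector = 2;
      }

      // Call credentials supplied by a registered Envoy credentials plugin.
      message MetadataCredentialsFromPlugin {
        option (udpa.annotations.versioning).previous_message_type =
            "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials."
            "MetadataCredentialsFromPlugin";

        // Field 2 (``config``) was the untyped plugin configuration; it is
        // reserved so its number and name cannot be reused.
        reserved 2;

        reserved "config";

        // Name of the credentials plugin extension to use.
        string name = 1;

        // Plugin-specific configuration. Any plugin configuration that carries
        // secrets should mark its own fields sensitive; ``Any`` itself is not
        // redacted here.
        // [#extension-category: envoy.grpc_credentials]
        oneof config_type {
          google.protobuf.Any typed_config = 3;
        }
      }

      // Security token service configuration that allows Google gRPC to
      // fetch security token from an OAuth 2.0 authorization server.
      // See https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 and
      // https://github.com/grpc/grpc/pull/19587.
      // [#next-free-field: 10]
      message StsService {
        option (udpa.annotations.versioning).previous_message_type =
            "envoy.api.v2.core.GrpcService.GoogleGrpc.CallCredentials.StsService";

        // URI of the token exchange service that handles token exchange requests.
        // [#comment:TODO(asraa): Add URI validation when implemented. Tracked by
        // https://github.com/bufbuild/protoc-gen-validate/issues/303]
        string token_exchange_service_uri = 1;

        // Location of the target service or resource where the client
        // intends to use the requested security token.
        string resource = 2;

        // Logical name of the target service where the client intends to
        // use the requested security token.
        string audience = 3;

        // The desired scope of the requested security token in the
        // context of the service or resource where the token will be used.
        string scope = 4;

        // Type of the requested security token.
        string requested_token_type = 5;

        // The path of subject token, a security token that represents the
        // identity of the party on behalf of whom the request is being made.
        // This is a filesystem path, not the token itself; must be non-empty.
        string subject_token_path = 6 [(validate.rules).string = {min_len: 1}];

        // Type of the subject token. Must be non-empty.
        string subject_token_type = 7 [(validate.rules).string = {min_len: 1}];

        // The path of actor token, a security token that represents the identity
        // of the acting party. The acting party is authorized to use the
        // requested security token and act on behalf of the subject.
        // This is a filesystem path, not the token itself.
        string actor_token_path = 8;

        // Type of the actor token.
        string actor_token_type = 9;
      }

      // Exactly one credential type must be specified.
      oneof credential_specifier {
        option (validate.required) = true;

        // Access token credentials. The token is a bearer secret and is marked
        // sensitive so it is redacted from config dumps.
        // https://grpc.io/grpc/cpp/namespacegrpc.html#ad3a80da696ffdaea943f0f858d7a360d.
        string access_token = 1 [(udpa.annotations.sensitive) = true];

        // Google Compute Engine credentials.
        // https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61
        google.protobuf.Empty google_compute_engine = 2;

        // Google refresh token credentials. A refresh token is a long-lived
        // secret and is marked sensitive so it is redacted from config dumps.
        // https://grpc.io/grpc/cpp/namespacegrpc.html#a96901c997b91bc6513b08491e0dca37c.
        string google_refresh_token = 3 [(udpa.annotations.sensitive) = true];

        // Service Account JWT Access credentials.
        // https://grpc.io/grpc/cpp/namespacegrpc.html#a92a9f959d6102461f66ee973d8e9d3aa.
        ServiceAccountJWTAccessCredentials service_account_jwt_access = 4;

        // Google IAM credentials.
        // https://grpc.io/grpc/cpp/namespacegrpc.html#a9fc1fc101b41e680d47028166e76f9d0.
        GoogleIAMCredentials google_iam = 5;

        // Custom authenticator credentials.
        // https://grpc.io/grpc/cpp/namespacegrpc.html#a823c6a4b19ffc71fb33e90154ee2ad07.
        // https://grpc.io/docs/guides/auth.html#extending-grpc-to-support-other-authentication-mechanisms.
        MetadataCredentialsFromPlugin from_plugin = 6;

        // Custom security token service which implements OAuth 2.0 token exchange.
        // https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16
        // See https://github.com/grpc/grpc/pull/19587.
        StsService sts_service = 7;
      }
    }

    // Channel arguments.
    message ChannelArgs {
      // A single channel argument value; either a string or a 64-bit integer.
      message Value {
        // Pointer values are not supported, since they don't make any sense when
        // delivered via the API.
        oneof value_specifier {
          option (validate.required) = true;

          // String-valued channel argument.
          string string_value = 1;

          // Integer-valued channel argument.
          int64 int_value = 2;
        }
      }

      // See grpc_types.h GRPC_ARG #defines for keys that work here.
      // Iteration order of a map is undefined; do not rely on it.
      map<string, Value> args = 1;
    }

    // The target URI when using the `Google C++ gRPC client
    // <https://github.com/grpc/grpc>`_. SSL credentials will be supplied in
    // :ref:`channel_credentials <envoy_v3_api_field_config.core.v3.GrpcService.GoogleGrpc.channel_credentials>`.
    // Must be non-empty.
    string target_uri = 1 [(validate.rules).string = {min_len: 1}];

    // Credentials for the channel to ``target_uri``. If unset, the behaviour
    // depends on ``credentials_factory_name`` (see below).
    ChannelCredentials channel_credentials = 2;

    // A set of call credentials that can be composed with `channel credentials
    // <https://grpc.io/docs/guides/auth.html#credential-types>`_.
    repeated CallCredentials call_credentials = 3;

    // The human readable prefix to use when emitting statistics for the gRPC
    // service. Must be non-empty.
    //
    // .. csv-table::
    //   :header: Name, Type, Description
    //   :widths: 1, 1, 2
    //
    //   streams_total, Counter, Total number of streams opened
    //   streams_closed_<gRPC status code>, Counter, Total streams closed with <gRPC status code>
    string stat_prefix = 4 [(validate.rules).string = {min_len: 1}];

    // The name of the Google gRPC credentials factory to use. This must have been registered with
    // Envoy. If this is empty, a default credentials factory will be used that sets up channel
    // credentials based on other configuration parameters.
    string credentials_factory_name = 5;

    // Additional configuration for site-specific customizations of the Google
    // gRPC library. This is an untyped ``Struct``; any secret placed in it is
    // not redacted from config dumps.
    google.protobuf.Struct config = 6;

    // How many bytes each stream can buffer internally.
    // If not set an implementation defined default is applied (1MiB).
    google.protobuf.UInt32Value per_stream_buffer_limit_bytes = 7;

    // Custom channels args.
    ChannelArgs channel_args = 8;
  }

  // Field 4 was removed; its number is reserved so it cannot be reused.
  reserved 4;

  // Exactly one gRPC client implementation must be specified.
  oneof target_specifier {
    option (validate.required) = true;

    // Envoy's in-built gRPC client.
    // See the :ref:`gRPC services overview <arch_overview_grpc_services>`
    // documentation for discussion on gRPC client selection.
    EnvoyGrpc envoy_grpc = 1;

    // `Google C++ gRPC client <https://github.com/grpc/grpc>`_
    // See the :ref:`gRPC services overview <arch_overview_grpc_services>`
    // documentation for discussion on gRPC client selection.
    GoogleGrpc google_grpc = 2;
  }

  // The timeout for the gRPC request. This is the timeout for a specific
  // request.
  google.protobuf.Duration timeout = 3;

  // Additional metadata to include in streams initiated to the GrpcService. This can be used for
  // scenarios in which additional ad hoc authorization headers (e.g. ``x-foo-bar: baz-key``) are to
  // be injected. For more information, including details on header value syntax, see the
  // documentation on :ref:`custom request headers
  // <config_http_conn_man_headers_custom_request_headers>`.
  // NOTE(review): this field carries no ``sensitive`` annotation, so header
  // values placed here presumably appear unredacted in config dumps — confirm
  // before relying on it for long-lived credentials.
  repeated HeaderValue initial_metadata = 5;
}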