// Copyright 2017 Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
import "networking/v1alpha3/destination_rule.proto";
import "networking/v1alpha3/workload_group.proto";
import "networking/v1beta1/proxy_config.proto";
package istio.mesh.v1alpha1;
option go_package="istio.io/api/mesh/v1alpha1";
// AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.
// It can be set for two different scopes, mesh-wide or set on a per-pod basis using the ProxyConfig annotation.
// Mesh policy cannot be INHERIT.
//
// The values are not prefixed with the enum name. Because enum values are
// siblings of their enum type in generated code, no other file-scope enum in
// this package may introduce a value named NONE, MUTUAL_TLS or INHERIT.
enum AuthenticationPolicy {
  // Do not encrypt proxy to control plane traffic; the xDS channel is then
  // sent in clear text.
  NONE = 0;
  // Proxy to control plane traffic is wrapped into mutual TLS connections.
  // This is the default for `ProxyConfig.control_plane_auth_policy`.
  MUTUAL_TLS = 1;
  // Use the policy defined by the parent scope. Should not be used for mesh
  // policy.
  // Numbered 1000, well apart from the concrete policies above.
  INHERIT = 1000;
}
// Tracing defines configuration for the tracing performed by Envoy instances.
// Exactly one tracer backend is selected through the `tracer` oneof; setting a
// second backend clears the first.
message Tracing {
  // Zipkin defines configuration for a Zipkin tracer.
  message Zipkin {
    // Address of the Zipkin service (e.g. _zipkin:9411_).
    string address = 1;
  }

  // $hide_from_docs
  // Defines configuration for a Lightstep tracer.
  message Lightstep {
    // Address of the Lightstep Satellite pool.
    string address = 1;
    // The Lightstep access token. This is a credential: configuration that
    // carries it should be handled as sensitive data.
    string access_token = 2;
  }

  // Datadog defines configuration for a Datadog tracer.
  message Datadog {
    // Address of the Datadog Agent.
    string address = 1;
  }

  // Stackdriver defines configuration for a Stackdriver tracer.
  // See [Envoy's OpenCensus trace configuration](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/trace/v3/opencensus.proto)
  // and
  // [OpenCensus trace config](https://github.com/census-instrumentation/opencensus-proto/blob/master/src/opencensus/proto/trace/v1/trace_config.proto) for details.
  //
  // The three limits below use `Int64Value` wrappers so that "unset" (use the
  // default of 200) can be told apart from an explicit 0.
  message Stackdriver {
    // debug enables trace output to stdout.
    // $hide_from_docs
    bool debug = 1;
    // The global default max number of attributes per span.
    // default is 200.
    // $hide_from_docs
    google.protobuf.Int64Value max_number_of_attributes = 2;
    // The global default max number of annotation events per span.
    // default is 200.
    // $hide_from_docs
    google.protobuf.Int64Value max_number_of_annotations = 3;
    // The global default max number of message events per span.
    // default is 200.
    // $hide_from_docs
    google.protobuf.Int64Value max_number_of_message_events = 4;
  }

  // OpenCensusAgent defines configuration for an OpenCensus tracer writing to
  // an OpenCensus agent backend. See
  // [Envoy's OpenCensus trace configuration](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/trace/v3/opencensus.proto)
  // and
  // [OpenCensus trace config](https://github.com/census-instrumentation/opencensus-proto/blob/master/src/opencensus/proto/trace/v1/trace_config.proto)
  // for details.
  message OpenCensusAgent {
    // TraceContext selects the context propagation headers used for
    // distributed tracing.
    enum TraceContext {
      // $hide_from_docs
      // Unspecified context. Should not be used for now, but added to reserve
      // the 0 enum value if TraceContext is used outside of a repeated field.
      UNSPECIFIED = 0;
      // Use W3C Trace Context propagation using the `traceparent` HTTP header.
      // See the
      // [Trace Context documentation](https://www.w3.org/TR/trace-context/) for details.
      W3C_TRACE_CONTEXT = 1;
      // Use gRPC binary context propagation using the `grpc-trace-bin` http header.
      GRPC_BIN = 2;
      // Use Cloud Trace context propagation using the
      // `X-Cloud-Trace-Context` http header.
      CLOUD_TRACE_CONTEXT = 3;
      // Use multi-header B3 context propagation using the `X-B3-TraceId`,
      // `X-B3-SpanId`, and `X-B3-Sampled` HTTP headers. See
      // [B3 header propagation README](https://github.com/openzipkin/b3-propagation)
      // for details.
      B3 = 4;
    }

    // gRPC address for the OpenCensus agent (e.g. dns://authority/host:port or
    // unix:path). See [gRPC naming
    // docs](https://github.com/grpc/grpc/blob/master/doc/naming.md) for
    // details.
    string address = 1;
    // Specifies the set of context propagation headers used for distributed
    // tracing. Default is `["W3C_TRACE_CONTEXT"]`. If multiple values are specified,
    // the proxy will attempt to read each header for each request and will
    // write all headers.
    repeated TraceContext context = 2;
  }

  // The tracer implementation to be used by Envoy.
  // Field numbers 5-8 belong to the tracer-independent settings below, which
  // is why `open_census_agent` is numbered 9.
  oneof tracer {
    // Use a Zipkin tracer.
    Zipkin zipkin = 1;
    // Use a Lightstep tracer.
    // NOTE: For Istio 1.15+, this configuration option will result
    // in using OpenTelemetry-based Lightstep integration.
    Lightstep lightstep = 2;
    // Use a Datadog tracer.
    Datadog datadog = 3;
    // Use a Stackdriver tracer.
    Stackdriver stackdriver = 4;
    // Use an OpenCensus tracer exporting to an OpenCensus agent.
    OpenCensusAgent open_census_agent = 9;
  }

  // Configure custom tags that will be added to any active span.
  // Tags can be generated via literals, environment variables or an incoming request header.
  // $hide_from_docs
  message CustomTag {
    // Specify how to populate the value in a custom tag. Exactly one source
    // can be set per tag.
    oneof type {
      // The custom tag's value is the specified literal.
      Literal literal = 1;
      // The custom tag's value should be populated from an environmental
      // variable
      Environment environment = 2;
      // The custom tag's value is populated by an http header from
      // an incoming request.
      RequestHeader header = 3;
    }
  }

  // Literal type represents a static value.
  // $hide_from_docs
  message Literal {
    // Static literal value used to populate the tag value.
    string value = 1;
  }

  // Environment is the proxy's environment variable to be used for populating the custom span tag.
  // $hide_from_docs
  message Environment {
    // Name of the environment variable used to populate the tag's value
    string name = 1;
    // When the environment variable is not found,
    // the tag's value will be populated with this default value if specified,
    // otherwise the tag will not be populated.
    string default_value = 2;
  }

  // RequestHeader is the HTTP request header which will be used to populate the span tag.
  // A default value can be configured if the header does not exist.
  // $hide_from_docs
  message RequestHeader {
    // HTTP header name used to obtain the value from to populate the tag value.
    // The value is taken from an incoming request, so it is caller-controlled
    // data and ends up in the trace backend verbatim.
    string name = 1;
    // Default value to be used for the tag when the named HTTP header does not exist.
    // The tag will be skipped if no default value is provided.
    string default_value = 2;
  }

  // Configures the custom tags to be added to active span by all proxies (i.e. sidecars
  // and gateways).
  // The key represents the name of the tag.
  // Ex:
  // ```yaml
  // custom_tags:
  //   new_tag_name:
  //     header:
  //       name: custom-http-header-name
  //       default_value: defaulted-value-from-custom-header
  // ```
  // $hide_from_docs
  map<string, CustomTag> custom_tags = 5;

  // Configures the maximum length of the request path to extract and include in the
  // HttpUrl tag. Used to truncate length request paths to meet the needs of tracing
  // backend. If not set, then a length of 256 will be used.
  // $hide_from_docs
  uint32 max_path_tag_length = 6;

  // The percentage of requests (0.0 - 100.0) that will be randomly selected for trace generation,
  // if not requested by the client or not forced. Default is 1.0.
  // Uses implicit presence: an explicit 0.0 is indistinguishable from unset
  // and therefore yields the 1.0 default rather than disabling sampling.
  double sampling = 7;

  // Use the tlsSettings to specify the tls mode to use. If the remote tracing service
  // uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
  // mode as `ISTIO_MUTUAL`.
  istio.networking.v1alpha3.ClientTLSSettings tls_settings = 8;

  // $hide_from_docs
  // Next available field number: 10
}
// SDS defines secret discovery service(SDS) configuration to be used by the proxy.
// For workload, its values are set in sidecar injector(passed as arguments to istio-proxy container).
// For pilot/mixer, it's passed as arguments to istio-proxy container in pilot/mixer deployment yaml files directly.
// The only use of this message in the file, `ProxyConfig.sds`, is marked deprecated.
// $hide_from_docs
message SDS {
  // True if SDS is enabled.
  bool enabled = 1;
  // Path to the Kubernetes service account JWT file. The token at this path
  // is the workload's credential and should only be readable by the proxy.
  string k8s_sa_jwt_path = 2;
}
// Topology describes the configuration for relative location of a proxy with
// respect to intermediate trusted proxies and the client. These settings
// control how the client attributes are retrieved from the incoming traffic by
// the gateway proxy and propagated to the upstream services in the cluster.
//
// These settings decide which parts of the incoming request are believed, so
// they define a trust boundary: a misconfiguration lets a downstream peer
// influence the client address or client certificate details that upstream
// services see.
message Topology {
  // Number of trusted proxies deployed in front of the Istio gateway proxy.
  // When this option is set to value N greater than zero, the trusted client
  // address is assumed to be the Nth address from the right end of the
  // X-Forwarded-For (XFF) header from the incoming request. If the
  // X-Forwarded-For (XFF) header is missing or has fewer than N addresses, the
  // gateway proxy falls back to using the immediate downstream connection's
  // source address as the trusted client address.
  // Note that the gateway proxy will append the downstream connection's source
  // address to the X-Forwarded-For (XFF) address and set the
  // X-Envoy-External-Address header to the trusted client address before
  // forwarding it to the upstream services in the cluster.
  // The default value of numTrustedProxies is 0.
  // N must match the number of hops you actually operate in front of the
  // gateway: counting a hop you do not control means the selected XFF entry
  // was written by a party that could choose its value.
  // See [Envoy XFF](https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_conn_man/headers#config-http-conn-man-headers-x-forwarded-for)
  // header handling for more details.
  uint32 num_trusted_proxies = 1;

  // Configures how the gateway proxy handles x-forwarded-client-cert (XFCC)
  // header in the incoming request.
  // Sidecars are configured separately via `ProxyConfig.ProxyHeaders.forwarded_client_cert`.
  ForwardClientCertDetails forward_client_cert_details = 2;

  // PROXY protocol configuration. It currently has no fields: setting the
  // message (even empty) is what enables the protocol, since message-typed
  // fields have explicit presence, and options can be added later without a
  // wire change.
  message ProxyProtocolConfiguration {
  }

  // Enables [PROXY protocol](http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt) for
  // downstream connections on a gateway.
  ProxyProtocolConfiguration proxy_protocol = 3;

  // NOTE(review): undocumented in the source. The name suggests CIDR ranges
  // of proxies whose XFF entries are trusted; confirm the semantics (and the
  // interaction with `num_trusted_proxies`) before relying on it.
  repeated string xff_trusted_cidrs = 200;

  // NOTE(review): undocumented in the source. The name suggests that, when
  // true, the gateway does not append the downstream source address to XFF as
  // described for `num_trusted_proxies`; confirm before documenting further.
  google.protobuf.BoolValue skip_xff_append = 201;
}
// ForwardClientCertDetails controls how the x-forwarded-client-cert (XFCC)
// header is handled by a proxy.
// See [Envoy XFCC](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http-connection-manager/v3/http_connection_manager.proto.html#enum-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-forwardclientcertdetails)
// header handling for more details.
//
// The XFCC header is how upstream services learn the downstream client's
// certificate identity, so any mode that forwards it without the proxy having
// derived it from a verified mTLS connection passes along peer-supplied data.
enum ForwardClientCertDetails {
  // Field is not set; the proxy applies its per-role default
  // (APPEND_FORWARD for sidecars, SANITIZE_SET for gateways).
  UNDEFINED = 0;
  // Do not send the XFCC header to the next hop.
  SANITIZE = 1;
  // When the client connection is mTLS (Mutual TLS), forward the XFCC header
  // in the request.
  FORWARD_ONLY = 2;
  // When the client connection is mTLS, append the client certificate
  // information to the request's XFCC header and forward it. This is the default value for sidecar proxies.
  APPEND_FORWARD = 3;
  // When the client connection is mTLS, reset the XFCC header with the client
  // certificate information and send it to the next hop. This is the default value for gateway proxies.
  SANITIZE_SET = 4;
  // Always forward the XFCC header in the request, regardless of whether the
  // client connection is mTLS.
  // In this mode the forwarded header may have been supplied by the
  // downstream peer rather than derived from a verified certificate; upstream
  // services must not treat it as authenticated identity unless a trusted hop
  // set it.
  ALWAYS_FORWARD_ONLY = 5;
}
// PrivateKeyProvider defines private key configuration for gateways and sidecars. This can be configured
// mesh wide or individual per-workload basis.
// Both providers share the same two settings (`poll_delay`, `fallback`) but
// are separate messages so that each can grow provider-specific options.
message PrivateKeyProvider {
  // CryptoMb PrivateKeyProvider configuration
  message CryptoMb {
    // How long to wait until the per-thread processing queue should be processed. If the processing queue
    // gets full (eight sign or decrypt requests are received) it is processed immediately.
    // However, if the queue is not filled before the delay has expired, the requests already in the queue
    // are processed, even if the queue is not full.
    // In effect, this value controls the balance between latency and throughput.
    // The duration needs to be set to a value greater than or equal to 1 millisecond.
    google.protobuf.Duration poll_delay = 1;
    // If the private key provider isn't available (e.g. the required hardware capability doesn't exist)
    // Envoy will fallback to the BoringSSL default implementation when the fallback is true.
    // The default value is false, i.e. without fallback a missing capability
    // is a hard failure rather than a silent downgrade to software keys.
    google.protobuf.BoolValue fallback = 2;
  }

  // QAT (QuickAssist Technology) PrivateKeyProvider configuration
  message QAT {
    // How long to wait before polling the hardware accelerator after a request has been submitted there.
    // Having a small value leads to quicker answers from the hardware but causes more polling loop spins,
    // leading to potentially larger CPU usage.
    // The duration needs to be set to a value greater than or equal to 1 millisecond.
    google.protobuf.Duration poll_delay = 1;
    // If the private key provider isn't available (e.g. the required hardware capability doesn't exist)
    // Envoy will fallback to the BoringSSL default implementation when the fallback is true.
    // The default value is false, i.e. without fallback a missing capability
    // is a hard failure rather than a silent downgrade to software keys.
    google.protobuf.BoolValue fallback = 2;
  }

  // REQUIRED. Specifies detailed configuration for the Private key provider.
  // NOTE(review): field number 1 is not used in this message; if it belonged
  // to a removed field it should be listed as `reserved`.
  oneof provider {
    // Use CryptoMb private key provider
    CryptoMb cryptomb = 2;
    // Use QAT private key provider
    QAT qat = 3;
  }
}
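// ProxyConfig defines variables for individual Envoy instances. This can be configured on a per-workload basis
// as well as by the mesh-wide defaults.
// To set the mesh wide defaults, configure the `defaultConfig` section of `meshConfig`. For example:
//
// ```
// meshConfig:
//   defaultConfig:
//     discoveryAddress: istiod:15012
// ```
//
// This can also be configured on a per-workload basis by configuring the `proxy.istio.io/config` annotation on the pod. For example:
//
// ```
// annotations:
//   proxy.istio.io/config: |
//     discoveryAddress: istiod:15012
// ```
//
// If both are configured, the two are merged with per field semantics; the field set in annotation will fully replace the field from mesh config defaults.
// This is different than a deep merge provided by protobuf.
// For example, `"tracing": { "sampling": 5 }` would completely override a setting configuring a tracing provider
// such as `"tracing": { "zipkin": { "address": "..." } }`.
//
// Note: fields in ProxyConfig are not dynamically configured; changes will require restart of workloads to take effect.
//
// Because the per-pod annotation can override mesh-wide defaults, anyone who
// can set pod annotations can change trust-relevant settings here (for
// example `control_plane_auth_policy`, `runtime_values`, `proxy_headers`);
// who may edit workload annotations is therefore part of the mesh's trust model.
//
// Field number 25 is not used (24 is followed by 37 and 26); if it belonged to
// a removed field it should be listed as `reserved` like 5 and 9 are.
message ProxyConfig {
  // Path to the generated configuration file directory.
  // Proxy agent generates the actual configuration and stores it in this directory.
  string config_path = 1;

  // Path to the proxy binary
  string binary_path = 2;

  // Allows specification of various Istio-supported naming schemes for the
  // Envoy `service_cluster` value. The `service_cluster` value is primarily used
  // by Envoys to provide service names for tracing spans.
  //
  // The zero value carries business meaning (it is the default scheme); this
  // cannot be changed without breaking the wire contract, so it stays the
  // documented default.
  enum TracingServiceName {
    // Default scheme. Uses the `app` label and workload namespace to construct
    // a cluster name. If the `app` label does not exist `istio-proxy` is used.
    APP_LABEL_AND_NAMESPACE = 0;
    // Uses the canonical name for a workload (*excluding namespace*).
    CANONICAL_NAME_ONLY = 1;
    // Uses the canonical name and namespace for a workload.
    CANONICAL_NAME_AND_NAMESPACE = 2;
  }

  // Selects how the Envoy `service_cluster` value is derived: either a fixed
  // string or one of the naming schemes above. Setting one clears the other.
  oneof cluster_name {
    // Service cluster defines the name for the `service_cluster` that is
    // shared by all Envoy instances. This setting corresponds to
    // `--service-cluster` flag in Envoy. In a typical Envoy deployment, the
    // `service-cluster` flag is used to identify the caller, for
    // source-based routing scenarios.
    //
    // Since Istio does not assign a local `service/service` version to each
    // Envoy instance, the name is same for all of them. However, the
    // source/caller's identity (e.g., IP address) is encoded in the
    // `--service-node` flag when launching Envoy. When the RDS service
    // receives API calls from Envoy, it uses the value of the `service-node`
    // flag to compute routes that are relative to the service instances
    // located at that IP address.
    string service_cluster = 3;
    // Used by Envoy proxies to assign the values for the service names in trace
    // spans.
    TracingServiceName tracing_service_name = 36;
  }

  // The time in seconds that Envoy will drain connections during a hot
  // restart. MUST be >=1s (e.g., _1s/1m/1h_)
  // Default drain duration is `45s`.
  google.protobuf.Duration drain_duration = 4;

  // Removed field; number and name are reserved so they cannot be reused.
  reserved "parent_shutdown_duration";
  reserved 5;

  // Address of the discovery service exposing xDS with mTLS connection.
  // The inject configuration may override this value.
  // The proxy trusts whatever control plane answers here, subject to
  // `control_plane_auth_policy`.
  string discovery_address = 6;

  // $hide_from_docs
  google.protobuf.Duration discovery_refresh_delay = 7 [deprecated=true];

  // Address of the Zipkin service (e.g. _zipkin:9411_).
  // DEPRECATED: Use [tracing][istio.mesh.v1alpha1.ProxyConfig.tracing] instead.
  string zipkin_address = 8 [deprecated=true];

  // Removed field; number and name are reserved so they cannot be reused.
  reserved "connect_timeout";
  reserved 9;

  // IP Address and Port of a statsd UDP listener (e.g. `10.75.241.127:9125`).
  string statsd_udp_address = 10;

  // $hide_from_docs
  // Superseded by `envoy_metrics_service`.
  string envoy_metrics_service_address = 20 [deprecated=true];

  // Port on which Envoy should listen for administrative commands.
  // Default port is `15000`.
  int32 proxy_admin_port = 11;

  // $hide_from_docs
  string availability_zone = 12 [deprecated=true];

  // AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.
  // Default is set to `MUTUAL_TLS`.
  AuthenticationPolicy control_plane_auth_policy = 13;

  // File path of custom proxy configuration, currently used by proxies
  // in front of Mixer and Pilot.
  string custom_config_file = 14;

  // Maximum length of name field in Envoy's metrics. The length of the name field
  // is determined by the length of a name field in a service and the set of labels that
  // comprise a particular version of the service. The default value is set to 189 characters.
  // Envoy's internal metrics take up 67 characters, for a total of 256 character name per metric.
  // Increase the value of this field if you find that the metrics from Envoys are truncated.
  int32 stat_name_length = 15;

  // The number of worker threads to run.
  // If unset, which is recommended, this will be automatically determined based on CPU requests/limits.
  // If set to 0, all cores on the machine will be used, ignoring CPU requests or limits. This can lead to major performance
  // issues if CPU limits are also set.
  // The `Int32Value` wrapper is what makes "unset" distinguishable from an explicit 0.
  google.protobuf.Int32Value concurrency = 16;

  // Path to the proxy bootstrap template file
  string proxy_bootstrap_template_path = 17;

  // The mode used to redirect inbound traffic to Envoy.
  // This setting has no effect on outbound traffic: iptables `REDIRECT` is always used for
  // outbound connections.
  enum InboundInterceptionMode {
    // The `REDIRECT` mode uses iptables `REDIRECT` to `NAT` and redirect to Envoy. This mode loses
    // source IP addresses during redirection. This is the default redirection mode.
    REDIRECT = 0;
    // The `TPROXY` mode uses iptables `TPROXY` to redirect to Envoy. This mode preserves both the
    // source and destination IP addresses and ports, so that they can be used for advanced
    // filtering and manipulation. This mode also configures the sidecar to run with the
    // `CAP_NET_ADMIN` capability, which is required to use `TPROXY`.
    TPROXY = 1;
    // The `NONE` mode does not configure redirect to Envoy at all. This is an advanced
    // configuration that typically requires changes to user applications.
    // With no redirect in place, inbound traffic reaches the application
    // without passing through the sidecar's policies.
    NONE = 2;
  }

  // The mode used to redirect inbound traffic to Envoy.
  InboundInterceptionMode interception_mode = 18;

  // Tracing configuration to be used by the proxy.
  Tracing tracing = 19;

  // Secret Discovery Service(SDS) configuration to be used by the proxy.
  // $hide_from_docs
  SDS sds = 21 [deprecated=true];

  // Address of the service to which access logs from Envoys should be
  // sent. (e.g. `accesslog-service:15000`). See [Access Log
  // Service](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/accesslog/v2/als.proto)
  // for details about Envoy's gRPC Access Log Service API.
  RemoteService envoy_access_log_service = 22;

  // Address of the Envoy Metrics Service implementation (e.g. `metrics-service:15000`).
  // See [Metric Service](https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto)
  // for details about Envoy's Metrics Service API.
  RemoteService envoy_metrics_service = 23;

  // Additional environment variables for the proxy.
  // Names starting with `ISTIO_META_` will be included in the generated bootstrap and sent to the XDS server.
  // Values under that prefix therefore leave the workload and should not
  // contain secrets.
  map<string,string> proxy_metadata = 24;

  // Envoy [runtime configuration](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/runtime) to set during bootstrapping.
  // This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution.
  map<string,string> runtime_values = 37;

  // Port on which the agent should listen for administrative commands such as readiness probe.
  // Default is set to port `15020`.
  int32 status_port = 26;

  // An additional list of tags to extract from the in-proxy Istio telemetry. These extra tags can be
  // added by configuring the telemetry extension. Each additional tag needs to be present in this list.
  // Extra tags emitted by the telemetry extensions must be listed here so that they can be processed
  // and exposed as Prometheus metrics.
  // Deprecated: `istio.stats` is a native filter now, this field is no longer needed.
  // Marked with the `deprecated` option so generated code warns, consistent
  // with the other deprecated fields in this message.
  repeated string extra_stat_tags = 27 [deprecated=true];

  // Topology encapsulates the configuration which describes where the proxy is
  // located i.e. behind a (or N) trusted proxy (proxies) or directly exposed
  // to the internet. This configuration only effects gateways and is applied
  // to all the gateways in the cluster unless overridden via annotations of the
  // gateway workloads.
  Topology gateway_topology = 28;

  // The amount of time allowed for connections to complete on proxy shutdown.
  // On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining,
  // discouraging any new connections and allowing existing connections to complete. It then
  // sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes.
  // If not set, a default of `5s` will be applied.
  google.protobuf.Duration termination_drain_duration = 29;

  // The unique identifier for the [service mesh](https://istio.io/docs/reference/glossary/#service-mesh)
  // All control planes running in the same service mesh should specify the same mesh ID.
  // Mesh ID is used to label telemetry reports for cases where telemetry from multiple meshes is mixed together.
  string mesh_id = 30;

  // VM Health Checking readiness probe. This health check config exactly mirrors the
  // kubernetes readiness probe configuration both in schema and logic.
  // Only one health check method of 3 can be set at a time.
  istio.networking.v1alpha3.ReadinessProbe readiness_probe = 31;

  // Proxy stats name matchers for stats creation. Note this is in addition to
  // the minimum Envoy stats that Istio generates by default.
  // A stat is created when any of the three matchers accepts its name.
  message ProxyStatsMatcher {
    // Proxy stats name prefix matcher for inclusion.
    repeated string inclusion_prefixes = 1;
    // Proxy stats name suffix matcher for inclusion.
    repeated string inclusion_suffixes = 2;
    // Proxy stats name regexps matcher for inclusion.
    repeated string inclusion_regexps = 3;
  }

  // Proxy stats matcher defines configuration for reporting custom Envoy stats.
  // To reduce memory and CPU overhead from Envoy stats system, Istio proxies by
  // default create and expose only a subset of Envoy stats. This option is to
  // control creation of additional Envoy stats with prefix, suffix, and regex
  // expressions match on the name of the stats. This replaces the stats
  // inclusion annotations
  // (`sidecar.istio.io/statsInclusionPrefixes`,
  // `sidecar.istio.io/statsInclusionRegexps`, and
  // `sidecar.istio.io/statsInclusionSuffixes`). For example, to enable stats
  // for circuit breakers, request retries, upstream connections, and request timeouts,
  // you can specify stats matcher as follows:
  // ```yaml
  // proxyStatsMatcher:
  //   inclusionRegexps:
  //     - .*outlier_detection.*
  //     - .*upstream_rq_retry.*
  //     - .*upstream_cx_.*
  //   inclusionSuffixes:
  //     - upstream_rq_timeout
  // ```
  // Note including more Envoy stats might increase number of time series
  // collected by prometheus significantly. Care needs to be taken on Prometheus
  // resource provision and configuration to reduce cardinality.
  ProxyStatsMatcher proxy_stats_matcher = 32;

  // Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior.
  // This feature adds hooks to delay application startup until the pod proxy
  // is ready to accept traffic, mitigating some startup race conditions.
  // Default value is 'false'.
  google.protobuf.BoolValue hold_application_until_proxy_starts = 33;

  // The PEM data of the extra root certificates for workload-to-workload communication.
  // This includes the certificates defined in MeshConfig and any other certificates that Istiod uses as CA.
  // The plugin certificates (the 'cacerts' secret), self-signed certificates (the 'istio-ca-secret' secret)
  // are added automatically by Istiod.
  // Every certificate listed here becomes a trust anchor for the workload.
  repeated string ca_certificates_pem = 34;

  // Specifies the details of the proxy image.
  istio.networking.v1beta1.ProxyImage image = 35;

  // Specifies the details of the Private Key Provider configuration for gateway and sidecar proxies.
  PrivateKeyProvider private_key_provider = 38;

  // Define the set of headers to add/modify for HTTP request/responses.
  //
  // To enable an optional header, simply set the field. If no specific configuration is required, an empty object (`{}`) will enable it.
  // Note: currently all headers are enabled by default.
  //
  // Below shows an example of customizing the `server` header and disabling the `X-Envoy-Attempt-Count` header:
  //
  // ```yaml
  // proxyHeaders:
  //   server:
  //     value: "my-custom-server"
  //   requestId: {} // Explicitly enable Request IDs. As this is the default, this has no effect.
  //   attemptCount:
  //     disabled: true
  // ```
  //
  // Some headers are enabled by default, and require explicitly disabling. See below for an example of disabling all default-enabled headers:
  //
  // ```yaml
  // proxyHeaders:
  //   forwardedClientCert: SANITIZE
  //   server:
  //     disabled: true
  //   requestId:
  //     disabled: true
  //   attemptCount:
  //     disabled: true
  //   envoyDebugHeaders:
  //     disabled: true
  //   metadataExchangeHeaders:
  //     mode: IN_MESH
  // ```
  ProxyHeaders proxy_headers = 39;

  // ProxyHeaders holds the per-header settings referenced by `proxy_headers`.
  // Each header has its own small message so that the `{}` / `disabled`
  // convention above works uniformly and header-specific options (such as
  // `Server.value`) can be added without a wire change.
  // Field numbers 1-7 are in use; fields are listed in logical rather than
  // numeric order.
  message ProxyHeaders {
    // Settings for the `server` response header.
    message Server {
      // When true, the proxy does not set the `server` header.
      google.protobuf.BoolValue disabled = 1;
      // If set, and the server header is enabled, this value will be set as the server header. By default, `istio-envoy` will be used.
      string value = 2;
    }

    // Settings for the `X-Request-Id` header.
    message RequestId {
      // When true, the proxy does not generate a request ID.
      google.protobuf.BoolValue disabled = 1;
    }

    // Settings for the `X-Envoy-Attempt-Count` header.
    message AttemptCount {
      // When true, the proxy does not set the header.
      google.protobuf.BoolValue disabled = 1;
    }

    // Settings for the `X-Envoy-*` debug headers.
    message EnvoyDebugHeaders {
      // When true, the proxy does not set these headers.
      google.protobuf.BoolValue disabled = 1;
    }

    // MetadataExchangeMode selects which peers receive the Istio metadata
    // exchange headers.
    enum MetadataExchangeMode {
      // Existing Istio behavior for the metadata exchange headers is unchanged.
      UNDEFINED = 0;
      // Only append the istio metadata exchange headers for services considered in-mesh.
      // Traffic is considered in-mesh if it is secured with Istio mutual TLS. This means that `MESH_EXTERNAL` services, unmatched passthrough traffic, and requests to workloads without Istio enabled will be considered out of mesh.
      IN_MESH = 1;
    }

    // Settings for the `X-Envoy-Peer-Metadata` and `X-Envoy-Peer-Metadata-Id` headers.
    message MetadataExchangeHeaders {
      // Selects the peers that receive the metadata exchange headers; see MetadataExchangeMode.
      MetadataExchangeMode mode = 1;
    }

    // SetCurrentClientCertDetails selects which parts of the downstream client
    // certificate are written into the XFCC header.
    message SetCurrentClientCertDetails {
      // Whether to forward the subject of the client cert. Defaults to true.
      google.protobuf.BoolValue subject = 1;
      // Whether to forward the entire client cert in URL encoded PEM format. This will appear in the
      // XFCC header comma separated from other values with the value Cert="PEM".
      // Defaults to false.
      google.protobuf.BoolValue cert = 2;
      // Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM
      // format. This will appear in the XFCC header comma separated from other values with the value
      // Chain="PEM".
      // Defaults to false.
      google.protobuf.BoolValue chain = 3;
      // Whether to forward the DNS type Subject Alternative Names of the client cert.
      // Defaults to true.
      google.protobuf.BoolValue dns = 4;
      // Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to
      // true.
      google.protobuf.BoolValue uri = 5;
    }

    // Controls the `X-Forwarded-Client-Cert` header for inbound sidecar requests. To set this on gateways, use the `Topology` setting.
    // To disable the header, configure either `SANITIZE` (to always remove the header, if present) or `FORWARD_ONLY` (to leave the header as-is).
    // By default, `APPEND_FORWARD` will be used.
    ForwardClientCertDetails forwarded_client_cert = 1;

    // This field is valid only when the effective ForwardClientCertDetails
    // (`forwarded_client_cert` here; `Topology.forward_client_cert_details` on gateways)
    // is APPEND_FORWARD or SANITIZE_SET
    // and the client connection is mTLS. It specifies the fields in
    // the client certificate to be forwarded. Note that `Hash` is always set, and
    // `By` is always set when the client certificate presents the URI type Subject Alternative Name value.
    SetCurrentClientCertDetails set_current_client_cert_details = 7;

    // Controls the `X-Request-Id` header. If enabled, a request ID is generated for each request if one is not already set.
    // This applies to all types of traffic (inbound, outbound, and gateways).
    // If disabled, no request ID will be generated for the request. If it is already present, it will be preserved.
    // Warning: request IDs are a critical component to mesh tracing and logging, so disabling this is not recommended.
    // This header is enabled by default if not configured.
    RequestId request_id = 3;

    // Controls the `server` header. If enabled, the `Server: istio-envoy` header is set in response headers for inbound traffic (including gateways).
    // If disabled, the `Server` header is not modified. If it is already present, it will be preserved.
    Server server = 2;

    // Controls the `X-Envoy-Attempt-Count` header.
    // If enabled, this header will be added on outbound request headers (including gateways) that have retries configured.
    // If disabled, this header will not be set. If it is already present, it will be preserved.
    // This header is enabled by default if not configured.
    AttemptCount attempt_count = 4;

    // Controls various `X-Envoy-*` headers, such as `X-Envoy-Overloaded` and `X-Envoy-Upstream-Service-Time`. If enabled,
    // these headers will be included.
    // If disabled, these headers will not be set. If they are already present, they will be preserved.
    // See the [Envoy documentation](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/router/v3/router.proto#envoy-v3-api-field-extensions-filters-http-router-v3-router-suppress-envoy-headers) for more details.
    // These headers are enabled by default if not configured.
    EnvoyDebugHeaders envoy_debug_headers = 5;

    // Controls Istio metadata exchange headers `X-Envoy-Peer-Metadata` and `X-Envoy-Peer-Metadata-Id`.
    // By default, the behavior is unspecified.
    // If IN_MESH, these headers will not be appended to outbound requests from sidecars to services not in-mesh.
    MetadataExchangeHeaders metadata_exchange_headers = 6;
  }

  // Boolean flag for enabling/disabling the http2 protocol
  // NOTE(review): the field name suggests this applies to HTTPS listeners
  // only; the source does not say which listeners are affected — confirm
  // before documenting further.
  bool https_http2_disabled = 100;
}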
// RemoteService describes how the proxy reaches an external receiver such as
// the access log service or the metrics service (see
// `ProxyConfig.envoy_access_log_service` and `ProxyConfig.envoy_metrics_service`).
message RemoteService {
  // Address of a remote service used for various purposes (access log
  // receiver, metrics receiver, etc.). Can be IP address or a fully
  // qualified DNS name.
  string address = 1;
  // Use the `tlsSettings` to specify the tls mode to use. If the remote service
  // uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
  // mode as `ISTIO_MUTUAL`.
  // Access logs and metrics can contain request details, so leaving this unset
  // sends them to the receiver without transport protection.
  istio.networking.v1alpha3.ClientTLSSettings tls_settings = 2;
  // If set then set `SO_KEEPALIVE` on the socket to enable TCP Keepalives.
  istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive tcp_keepalive = 3;
}