flemosr · flemosr · Apr 15, 2025 · Apr 15, 2025 · Apr 15, 2025 · Apr 15, 2025
diff --git a/envoy-proto-collect/submodules/cel-spec b/envoy-proto-collect/submodules/cel-spec
diff --git a/envoy-proto-collect/submodules/client_model b/envoy-proto-collect/submodules/client_model
diff --git a/envoy-proto-collect/submodules/data-plane-api b/envoy-proto-collect/submodules/data-plane-api
diff --git a/envoy-proto-collect/submodules/googleapis b/envoy-proto-collect/submodules/googleapis
diff --git a/envoy-proto-collect/submodules/opentelemetry-proto b/envoy-proto-collect/submodules/opentelemetry-proto
diff --git a/envoy-proto-collect/submodules/protoc-gen-validate b/envoy-proto-collect/submodules/protoc-gen-validate
diff --git a/envoy-proto-collect/submodules/xds b/envoy-proto-collect/submodules/xds
diff --git a/envoy-types/proto/data-plane-api/envoy/admin/v3/clusters.proto b/envoy-types/proto/data-plane-api/envoy/admin/v3/clusters.proto
@@ -55,22 +55,24 @@ message ClusterStatus {
   bool added_via_api = 2;
 
   // The success rate threshold used in the last interval.
-  // If
-  // :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
-  // is ``false``, all errors: externally and locally generated were used to calculate the threshold.
-  // If
-  // :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
-  // is ``true``, only externally generated errors were used to calculate the threshold.
-  // The threshold is used to eject hosts based on their success rate. See
-  // :ref:`Cluster outlier detection <arch_overview_outlier_detection>` documentation for details.
   //
-  // Note: this field may be omitted in any of the three following cases:
+  // * If :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
+  //   is ``false``, all errors: externally and locally generated were used to calculate the threshold.
+  // * If :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
+  //   is ``true``, only externally generated errors were used to calculate the threshold.
+  //
+  // The threshold is used to eject hosts based on their success rate. For more information, see the
+  // :ref:`Cluster outlier detection <arch_overview_outlier_detection>` documentation.
+  //
+  // .. note::
+  //
+  //   This field may be omitted in any of the three following cases:
+  //
+  //   1. There were not enough hosts with enough request volume to proceed with success rate based outlier ejection.
+  //   2. The threshold is computed to be < 0 because a negative value implies that there was no threshold for that
+  //      interval.
+  //   3. Outlier detection is not enabled for this cluster.
   //
-  // 1. There were not enough hosts with enough request volume to proceed with success rate based
-  //    outlier ejection.
-  // 2. The threshold is computed to be < 0 because a negative value implies that there was no
-  //    threshold for that interval.
-  // 3. Outlier detection is not enabled for this cluster.
   type.v3.Percent success_rate_ejection_threshold = 3;
 
   // Mapping from host address to the host's current status.
@@ -81,16 +83,18 @@ message ClusterStatus {
   // This field should be interpreted only when
   // :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
   // is ``true``. The threshold is used to eject hosts based on their success rate.
-  // See :ref:`Cluster outlier detection <arch_overview_outlier_detection>` documentation for
-  // details.
   //
-  // Note: this field may be omitted in any of the three following cases:
+  // For more information, see the :ref:`Cluster outlier detection <arch_overview_outlier_detection>` documentation.
+  //
+  // .. note::
+  //
+  //   This field may be omitted in any of the three following cases:
+  //
+  //   1. There were not enough hosts with enough request volume to proceed with success rate based outlier ejection.
+  //   2. The threshold is computed to be < 0 because a negative value implies that there was no threshold for that
+  //      interval.
+  //   3. Outlier detection is not enabled for this cluster.
   //
-  // 1. There were not enough hosts with enough request volume to proceed with success rate based
-  //    outlier ejection.
-  // 2. The threshold is computed to be < 0 because a negative value implies that there was no
-  //    threshold for that interval.
-  // 3. Outlier detection is not enabled for this cluster.
   type.v3.Percent local_origin_success_rate_ejection_threshold = 5;
 
   // :ref:`Circuit breaking <arch_overview_circuit_break>` settings of the cluster.
@@ -117,19 +121,20 @@ message HostStatus {
   // The host's current health status.
   HostHealthStatus health_status = 3;
 
-  // Request success rate for this host over the last calculated interval.
-  // If
-  // :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
-  // is ``false``, all errors: externally and locally generated were used in success rate
-  // calculation. If
-  // :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
-  // is ``true``, only externally generated errors were used in success rate calculation.
-  // See :ref:`Cluster outlier detection <arch_overview_outlier_detection>` documentation for
-  // details.
+  // The success rate for this host during the last measurement interval.
+  //
+  // * If :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
+  //   is ``false``, all errors: externally and locally generated were used in success rate calculation.
+  // * If :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
+  //   is ``true``, only externally generated errors were used in success rate calculation.
+  //
+  // For more information, see the :ref:`Cluster outlier detection <arch_overview_outlier_detection>` documentation.
+  //
+  // .. note::
+  //
+  //   The message will be missing if the host didn't receive enough traffic to calculate a reliable success rate, or
+  //   if the cluster had too few hosts to apply outlier ejection based on success rate.
   //
-  // Note: the message will not be present if host did not have enough request volume to calculate
-  // success rate or the cluster did not have enough hosts to run through success rate outlier
-  // ejection.
   type.v3.Percent success_rate = 4;
 
   // The host's weight. If not configured, the value defaults to 1.
@@ -141,18 +146,20 @@ message HostStatus {
   // The host's priority. If not configured, the value defaults to 0 (highest priority).
   uint32 priority = 7;
 
-  // Request success rate for this host over the last calculated
-  // interval when only locally originated errors are taken into account and externally originated
-  // errors were treated as success.
-  // This field should be interpreted only when
+  // The success rate for this host during the last interval, considering only locally generated errors. Externally
+  // generated errors are treated as successes.
+  //
+  // This field is only relevant when
   // :ref:`outlier_detection.split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`
-  // is ``true``.
-  // See :ref:`Cluster outlier detection <arch_overview_outlier_detection>` documentation for
-  // details.
+  // is set to ``true``.
+  //
+  // For more information, see the :ref:`Cluster outlier detection <arch_overview_outlier_detection>` documentation.
+  //
+  // .. note::
+  //
+  //   The message will be missing if the host didn’t receive enough traffic to compute a success rate, or if the
+  //   cluster didn’t have enough hosts to perform outlier ejection based on success rate.
   //
-  // Note: the message will not be present if host did not have enough request volume to calculate
-  // success rate or the cluster did not have enough hosts to run through success rate outlier
-  // ejection.
   type.v3.Percent local_origin_success_rate = 8;
 
   // locality of the host.

diff --git a/envoy-types/proto/data-plane-api/envoy/config/cluster/v3/cluster.proto b/envoy-types/proto/data-plane-api/envoy/config/cluster/v3/cluster.proto
@@ -1359,7 +1359,7 @@ message TrackClusterStats {
 
   // If request_response_sizes is true, then the :ref:`histograms
   // <config_cluster_manager_cluster_stats_request_response_sizes>`  tracking header and body sizes
-  // of requests and responses will be published.
+  // of requests and responses will be published. Additionally, number of headers in the requests and responses will be tracked.
   bool request_response_sizes = 2;
 
   // If true, some stats will be emitted per-endpoint, similar to the stats in admin ``/clusters``

diff --git a/envoy-types/proto/data-plane-api/envoy/config/core/v3/address.proto b/envoy-types/proto/data-plane-api/envoy/config/core/v3/address.proto
@@ -64,7 +64,7 @@ message EnvoyInternalAddress {
   string endpoint_id = 2;
 }
 
-// [#next-free-field: 7]
+// [#next-free-field: 8]
 message SocketAddress {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.SocketAddress";
 
@@ -111,6 +111,11 @@ message SocketAddress {
   // allow both IPv4 and IPv6 connections, with peer IPv4 addresses mapped into
   // IPv6 space as ``::FFFF:<IPv4-address>``.
   bool ipv4_compat = 6;
+
+  // The Linux network namespace to bind the socket to. If this is set, Envoy will
+  // create the socket in the specified network namespace. Only supported on Linux.
+  // [#not-implemented-hide:]
+  string network_namespace_filepath = 7;
 }
 
 message TcpKeepalive {

diff --git a/envoy-types/proto/data-plane-api/envoy/config/core/v3/protocol.proto b/envoy-types/proto/data-plane-api/envoy/config/core/v3/protocol.proto
@@ -670,7 +670,7 @@ message GrpcProtocolOptions {
 }
 
 // A message which allows using HTTP/3.
-// [#next-free-field: 7]
+// [#next-free-field: 8]
 message Http3ProtocolOptions {
   QuicProtocolOptions quic_protocol_options = 1;
 
@@ -697,6 +697,14 @@ message Http3ProtocolOptions {
   // docs](https://github.com/envoyproxy/envoy/blob/main/source/docs/h2_metadata.md) for more
   // information.
   bool allow_metadata = 6;
+
+  // [#not-implemented-hide:] Hiding until Envoy has full HTTP/3 upstream support.
+  // Still under implementation. DO NOT USE.
+  //
+  // Disables QPACK compression related features for HTTP/3 including:
+  // No huffman encoding, zero dynamic table capacity and no cookie crumbing.
+  // This can be useful for trading off CPU vs bandwidth when an upstream HTTP/3 connection multiplexes multiple downstream connections.
+  bool disable_qpack = 7;
 }
 
 // A message to control transformations to the :scheme header

diff --git a/envoy-types/proto/data-plane-api/envoy/config/endpoint/v3/endpoint_components.proto b/envoy-types/proto/data-plane-api/envoy/config/endpoint/v3/endpoint_components.proto
@@ -23,6 +23,9 @@ import "envoy/config/core/v3/health_check.proto";
 
 import "google/protobuf/wrappers.proto";
 
+import "xds/core/v3/collection_entry.proto";
+
+import "envoy/annotations/deprecation.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
@@ -147,14 +150,24 @@ message LbEndpoint {
   google.protobuf.UInt32Value load_balancing_weight = 4 [(validate.rules).uint32 = {gte: 1}];
 }
 
+// LbEndpoint list collection. Entries are `LbEndpoint` resources or references.
 // [#not-implemented-hide:]
-// A configuration for a LEDS collection.
+message LbEndpointCollection {
+  xds.core.v3.CollectionEntry entries = 1;
+}
+
+// A configuration for an LEDS collection.
 message LedsClusterLocalityConfig {
   // Configuration for the source of LEDS updates for a Locality.
   core.v3.ConfigSource leds_config = 1;
 
-  // The xDS transport protocol glob collection resource name.
-  // The service is only supported in delta xDS (incremental) mode.
+  // The name of the LbEndpoint collection resource.
+  //
+  // If the name ends in ``/*``, it indicates an LbEndpoint glob collection,
+  // which is supported only in the xDS incremental protocol variants.
+  // Otherwise, it indicates an LbEndpointCollection list collection.
+  //
+  // Envoy currently supports only glob collections.
   string leds_collection_name = 2;
 }
 
@@ -179,18 +192,20 @@ message LocalityLbEndpoints {
   core.v3.Metadata metadata = 9;
 
   // The group of endpoints belonging to the locality specified.
-  // [#comment:TODO(adisuissa): Once LEDS is implemented this field needs to be
-  // deprecated and replaced by ``load_balancer_endpoints``.]
+  // This is ignored if :ref:`leds_cluster_locality_config
+  // <envoy_v3_api_field_config.endpoint.v3.LocalityLbEndpoints.leds_cluster_locality_config>` is set.
   repeated LbEndpoint lb_endpoints = 2;
 
-  // [#not-implemented-hide:]
   oneof lb_config {
-    // The group of endpoints belonging to the locality.
-    // [#comment:TODO(adisuissa): Once LEDS is implemented the ``lb_endpoints`` field
-    // needs to be deprecated.]
-    LbEndpointList load_balancer_endpoints = 7;
+    // [#not-implemented-hide:]
+    // Not implemented and deprecated.
+    LbEndpointList load_balancer_endpoints = 7
+        [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
 
     // LEDS Configuration for the current locality.
+    // If this is set, the :ref:`lb_endpoints
+    // <envoy_v3_api_field_config.endpoint.v3.LocalityLbEndpoints.lb_endpoints>`
+    // field is ignored.
     LedsClusterLocalityConfig leds_cluster_locality_config = 8;
   }
 

diff --git a/envoy-types/proto/data-plane-api/envoy/config/rbac/v3/rbac.proto b/envoy-types/proto/data-plane-api/envoy/config/rbac/v3/rbac.proto
@@ -328,7 +328,7 @@ message Permission {
 
 // Principal defines an identity or a group of identities for a downstream
 // subject.
-// [#next-free-field: 14]
+// [#next-free-field: 15]
 message Principal {
   option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v2.Principal";
 
@@ -342,6 +342,10 @@ message Principal {
   }
 
   // Authentication attributes for a downstream.
+  // It is recommended to NOT use this type, but instead use
+  // :ref:`MTlsAuthenticated <envoy_v3_api_msg_extensions.rbac.principals.mtls_authenticated.v3.Config>`,
+  // configured via :ref:`custom <envoy_v3_api_field_config.rbac.v3.Principal.custom>`,
+  // which should be used for most use cases due to its improved security.
   message Authenticated {
     option (udpa.annotations.versioning).previous_message_type =
         "envoy.config.rbac.v2.Principal.Authenticated";
@@ -350,7 +354,11 @@ message Principal {
 
     // The name of the principal. If set, The URI SAN or DNS SAN in that order
     // is used from the certificate, otherwise the subject field is used. If
-    // unset, it applies to any user that is authenticated.
+    // unset, it applies to any user that is allowed by the downstream TLS configuration.
+    // If :ref:`require_client_certificate <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`
+    // is false or :ref:`trust_chain_verification <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trust_chain_verification>`
+    // is set to :ref:`ACCEPT_UNTRUSTED <envoy_v3_api_enum_value_extensions.transport_sockets.tls.v3.CertificateValidationContext.TrustChainVerification.ACCEPT_UNTRUSTED>`,
+    // then no authentication is required.
     type.matcher.v3.StringMatcher principal_name = 2;
   }
 
@@ -369,6 +377,10 @@ message Principal {
     bool any = 3 [(validate.rules).bool = {const: true}];
 
     // Authenticated attributes that identify the downstream.
+    // It is recommended to NOT use this field, but instead use
+    // :ref:`MTlsAuthenticated <envoy_v3_api_msg_extensions.rbac.principals.mtls_authenticated.v3.Config>`,
+    // configured via :ref:`custom <envoy_v3_api_field_config.rbac.v3.Principal.custom>`,
+    // which should be used for most use cases due to its improved security.
     Authenticated authenticated = 4;
 
     // A CIDR block that describes the downstream IP.
@@ -421,6 +433,10 @@ message Principal {
     // Matches against metadata from either dynamic state or route configuration. Preferred over the
     // ``metadata`` field as it provides more flexibility in metadata source selection.
     SourcedMetadata sourced_metadata = 13;
+
+    // Extension for configuring custom principals for RBAC.
+    // [#extension-category: envoy.rbac.principals]
+    core.v3.TypedExtensionConfig custom = 14;
   }
 }
 

diff --git a/envoy-types/proto/data-plane-api/envoy/config/route/v3/route_components.proto b/envoy-types/proto/data-plane-api/envoy/config/route/v3/route_components.proto
@@ -19,6 +19,7 @@ package envoy.config.route.v3;
 import "envoy/config/core/v3/base.proto";
 import "envoy/config/core/v3/extension.proto";
 import "envoy/config/core/v3/proxy_protocol.proto";
+import "envoy/type/matcher/v3/filter_state.proto";
 import "envoy/type/matcher/v3/metadata.proto";
 import "envoy/type/matcher/v3/regex.proto";
 import "envoy/type/matcher/v3/string.proto";
@@ -524,7 +525,7 @@ message ClusterSpecifierPlugin {
   bool is_optional = 2;
 }
 
-// [#next-free-field: 16]
+// [#next-free-field: 17]
 message RouteMatch {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RouteMatch";
 
@@ -675,6 +676,12 @@ message RouteMatch {
   // If the number of specified dynamic metadata matchers is nonzero, they all must match the
   // dynamic metadata for a match to occur.
   repeated type.matcher.v3.MetadataMatcher dynamic_metadata = 13;
+
+  // Specifies a set of filter state matchers on which the route should match.
+  // The router will check the filter state against all the specified filter state matchers.
+  // If the number of specified filter state matchers is nonzero, they all must match the
+  // filter state for a match to occur.
+  repeated type.matcher.v3.FilterStateMatcher filter_state = 16;
 }
 
 // Cors policy configuration.
+5 −5		MODULE.bazel
+88 −206		conformance/conformance_service.pb.go
+60 −167		conformance/env_config.pb.go
+70 −139		conformance/proto2/test_all_types.pb.go
+8 −24		conformance/proto2/test_all_types_extensions.pb.go
+216 −253		conformance/proto3/test_all_types.pb.go
+78 −158		conformance/test/simple.pb.go
+226 −374		conformance/test/suite.pb.go
+76 −23		doc/langdef.md
+1 −1		go.mod
+32 −0		proto/cel/expr/BUILD.bazel
+8 −0		proto/cel/expr/conformance/proto2/BUILD.bazel
+8 −0		proto/cel/expr/conformance/proto3/BUILD.bazel
+1 −1		proto/cel/expr/conformance/proto3/test_all_types.proto
+17 −22		proto/cel/expr/conformance/test/suite.proto
+354 −0		tests/simple/testdata/macros2.textproto
+15 −0		tests/simple/testdata/optionals.textproto
+3 −3		.github/workflows/golangci-lint.yml
+1 −0		.golangci.yml
+2 −4		go.mod
+2 −2		go.sum
+2 −0		BUILD
+3 −3		bazel/repository_locations.bzl
+1 −0		contrib/envoy/extensions/filters/http/golang/v3alpha/BUILD
+10 −1		contrib/envoy/extensions/filters/http/golang/v3alpha/golang.proto
+51 −44		envoy/admin/v3/clusters.proto
+1 −1		envoy/config/cluster/v3/cluster.proto
+6 −1		envoy/config/core/v3/address.proto
+9 −1		envoy/config/core/v3/protocol.proto
+2 −0		envoy/config/endpoint/v3/BUILD
+25 −10		envoy/config/endpoint/v3/endpoint_components.proto
+1 −2		envoy/config/filter/http/jwt_authn/v2alpha/config.proto
+18 −2		envoy/config/rbac/v3/rbac.proto
+8 −1		envoy/config/route/v3/route_components.proto
+26 −23		envoy/data/accesslog/v3/accesslog.proto
+4 −0		envoy/data/tap/v3/transport.proto
+1 −4		envoy/extensions/dynamic_modules/v3/BUILD
+0 −5		envoy/extensions/dynamic_modules/v3/dynamic_modules.proto
+2 −2		envoy/extensions/filters/common/dependency/v3/dependency.proto
+7 −6		envoy/extensions/filters/http/adaptive_concurrency/v3/adaptive_concurrency.proto
+7 −0		envoy/extensions/filters/http/compressor/v3/compressor.proto
+0 −1		envoy/extensions/filters/http/dynamic_modules/v3/BUILD
+0 −5		envoy/extensions/filters/http/dynamic_modules/v3/dynamic_modules.proto
+7 −2		envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto
+2 −1		envoy/extensions/filters/http/health_check/v3/health_check.proto
+5 −3		envoy/extensions/filters/http/jwt_authn/v3/config.proto
+13 −3		envoy/extensions/filters/http/oauth2/v3/oauth.proto
+0 −1		envoy/extensions/filters/network/ext_proc/v3/ext_proc.proto
+4 −0		envoy/extensions/formatter/req_without_query/v3/req_without_query.proto
+4 −0		envoy/extensions/http/ext_proc/response_processors/save_processing_response/v3/save_processing_response.proto
+3 −0		envoy/extensions/load_balancing_policies/common/v3/common.proto
+12 −0		envoy/extensions/rbac/principals/mtls_authenticated/v3/BUILD
+34 −0		envoy/extensions/rbac/principals/mtls_authenticated/v3/mtls_authenticated.proto
+12 −0		envoy/extensions/tracers/fluentd/v3/BUILD
+53 −0		envoy/extensions/tracers/fluentd/v3/fluentd.proto
+10 −0		envoy/extensions/transport_sockets/tap/v3/tap.proto
+7 −0		envoy/extensions/transport_sockets/tls/v3/common.proto
+13 −5		envoy/service/ext_proc/v3/external_processor.proto
+2 −0		versioning/BUILD
+47 −0		.github/workflows/ossf-scorecard.yml
+2 −0		CHANGELOG.md
+0 −2		opentelemetry/proto/collector/logs/v1/logs_service.proto
+0 −2		opentelemetry/proto/collector/metrics/v1/metrics_service.proto
+0 −2		opentelemetry/proto/collector/profiles/v1development/profiles_service.proto
+0 −2		opentelemetry/proto/collector/trace/v1/trace_service.proto
+34 −0		opentelemetry/proto/common/v1/common.proto
+0 −2		opentelemetry/proto/logs/v1/logs.proto
+10 −10		opentelemetry/proto/profiles/v1development/profiles.proto
+7 −0		opentelemetry/proto/resource/v1/resource.proto
+1 −1		java/pgv-java-grpc/pom.xml
+1 −1		java/pgv-java-stub/pom.xml
+1 −1		java/pgv-java-validation/pom.xml
+1 −1		java/pgv-test-coverage-report/pom.xml
+4 −4		java/pom.xml
+29 −19		go/xds/type/v3/cel.pb.go
+2 −0		go/xds/type/v3/cel.pb.validate.go
+4 −4		python/xds/type/v3/cel_pb2.py
+7 −0		xds/type/v3/cel.proto