chore: Update protobuf files

envoy-proto-collect/src/main.rs

@@ -123,15 +123,16 @@ fn main() {
         "xds",
         vec![
             "udpa/annotations/*.proto",
-            "xds/core/v3/context_params.proto",
-            "xds/core/v3/extension.proto",
+            "xds/annotations/v3/status.proto",
             "xds/core/v3/authority.proto",
+            "xds/core/v3/cidr.proto",
             "xds/core/v3/collection_entry.proto",
+            "xds/core/v3/context_params.proto",
+            "xds/core/v3/extension.proto",
             "xds/core/v3/resource_locator.proto",
-            "xds/annotations/v3/status.proto",
             "xds/type/matcher/v3/matcher.proto",
-            "xds/type/matcher/v3/string.proto",
             "xds/type/matcher/v3/regex.proto",
+            "xds/type/matcher/v3/string.proto",
         ],
         Some(&xds_license),
     );
@@ -149,12 +150,12 @@ fn main() {
         &out_dir,
         "googleapis",
         vec![
+            "google/api/annotations.proto",
             "google/api/expr/v1alpha1/checked.proto",
             "google/api/expr/v1alpha1/syntax.proto",
-            "google/rpc/status.proto",
-            "google/rpc/code.proto", // Optional proto
-            "google/api/annotations.proto",
             "google/api/http.proto",
+            "google/rpc/code.proto", // Optional proto
+            "google/rpc/status.proto",
         ],
         None,
     );
@@ -164,8 +165,8 @@ fn main() {
         &out_dir,
         "opencensus-proto",
         vec![
-            "**/opencensus/proto/trace/v1/*.proto",
             "**/opencensus/proto/resource/v1/resource.proto",
+            "**/opencensus/proto/trace/v1/*.proto",
         ],
         None,
     );

envoy-types/proto/data-plane-api/envoy/admin/v3/server_info.proto

@@ -73,7 +73,7 @@ message ServerInfo {
   config.core.v3.Node node = 7;
 }
 
-// [#next-free-field: 41]
+// [#next-free-field: 42]
 message CommandLineOptions {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.admin.v2alpha.CommandLineOptions";
@@ -139,6 +139,9 @@ message CommandLineOptions {
   // See :option:`--ignore-unknown-dynamic-fields` for details.
   bool ignore_unknown_dynamic_fields = 30;
 
+  // See :option:`--skip-deprecated-logs` for details.
+  bool skip_deprecated_logs = 41;
+
   // See :option:`--admin-address-path` for details.
   string admin_address_path = 6;
 

envoy-types/proto/data-plane-api/envoy/config/cluster/v3/cluster.proto

@@ -956,6 +956,7 @@ message Cluster {
   // "envoy.filters.network.thrift_proxy". See the extension's documentation for details on
   // specific options.
   // [#next-major-version: make this a list of typed extensions.]
+  // [#extension-category: envoy.upstream_options]
   map<string, google.protobuf.Any> typed_extension_protocol_options = 36;
 
   // If the DNS refresh rate is specified and the cluster type is either

envoy-types/proto/data-plane-api/envoy/config/core/v3/health_check.proto

@@ -389,13 +389,13 @@ message HealthCheck {
   // The default value for "healthy edge interval" is the same as the default interval.
   google.protobuf.Duration healthy_edge_interval = 16 [(validate.rules).duration = {gt {}}];
 
-  // .. attention::
-  // This field is deprecated in favor of the extension
-  // :ref:`event_logger <envoy_v3_api_field_config.core.v3.HealthCheck.event_logger>` and
-  // :ref:`event_log_path <envoy_v3_api_field_extensions.health_check.event_sinks.file.v3.HealthCheckEventFileSink.event_log_path>`
-  // in the file sink extension.
-  //
   // Specifies the path to the :ref:`health check event log <arch_overview_health_check_logging>`.
+  //
+  // .. attention::
+  //   This field is deprecated in favor of the extension
+  //   :ref:`event_logger <envoy_v3_api_field_config.core.v3.HealthCheck.event_logger>` and
+  //   :ref:`event_log_path <envoy_v3_api_field_extensions.health_check.event_sinks.file.v3.HealthCheckEventFileSink.event_log_path>`
+  //   in the file sink extension.
   string event_log_path = 17
       [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
 

envoy-types/proto/data-plane-api/envoy/config/core/v3/protocol.proto

@@ -463,7 +463,7 @@ message KeepaliveSettings {
       [(validate.rules).duration = {gte {nanos: 1000000}}];
 }
 
-// [#next-free-field: 17]
+// [#next-free-field: 18]
 message Http2ProtocolOptions {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.core.Http2ProtocolOptions";
@@ -647,6 +647,9 @@ message Http2ProtocolOptions {
   // If unset, HTTP/2 codec is selected based on envoy.reloadable_features.http2_use_oghttp2.
   google.protobuf.BoolValue use_oghttp2_codec = 16
       [(xds.annotations.v3.field_status).work_in_progress = true];
+
+  // Configure the maximum amount of metadata than can be handled per stream. Defaults to 1 MB.
+  google.protobuf.UInt64Value max_metadata_size = 17;
 }
 
 // [#not-implemented-hide:]

envoy-types/proto/data-plane-api/envoy/config/route/v3/route_components.proto

@@ -829,7 +829,10 @@ message RouteAction {
     // value, the request will be mirrored.
     core.v3.RuntimeFractionalPercent runtime_fraction = 3;
 
-    // Determines if the trace span should be sampled. Defaults to true.
+    // Specifies whether the trace span for the shadow request should be sampled. If this field is not explicitly set,
+    // the shadow request will inherit the sampling decision of its parent span. This ensures consistency with the trace
+    // sampling policy of the original request and prevents oversampling, especially in scenarios where runtime sampling
+    // is disabled.
     google.protobuf.BoolValue trace_sampled = 4;
 
     // Disables appending the ``-shadow`` suffix to the shadowed ``Host`` header. Defaults to ``false``.
@@ -1886,7 +1889,7 @@ message VirtualCluster {
 message RateLimit {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RateLimit";
 
-  // [#next-free-field: 12]
+  // [#next-free-field: 13]
   message Action {
     option (udpa.annotations.versioning).previous_message_type =
         "envoy.api.v2.route.RateLimit.Action";
@@ -1943,9 +1946,48 @@ message RateLimit {
       // The key to use in the descriptor entry.
       string descriptor_key = 2 [(validate.rules).string = {min_len: 1}];
 
-      // If set to true, Envoy skips the descriptor while calling rate limiting service
-      // when header is not present in the request. By default it skips calling the
-      // rate limiting service if this header is not present in the request.
+      // Controls the behavior when the specified header is not present in the request.
+      //
+      // If set to ``false`` (default):
+      //
+      // * Envoy does **NOT** call the rate limiting service for this descriptor.
+      // * Useful if the header is optional and you prefer to skip rate limiting when it's absent.
+      //
+      // If set to ``true``:
+      //
+      // * Envoy calls the rate limiting service but omits this descriptor if the header is missing.
+      // * Useful if you want Envoy to enforce rate limiting even when the header is not present.
+      //
+      bool skip_if_absent = 3;
+    }
+
+    // The following descriptor entry is appended when a query parameter contains a key that matches the
+    // ``query_parameter_name``:
+    //
+    // .. code-block:: cpp
+    //
+    //   ("<descriptor_key>", "<query_parameter_value_queried_from_query_parameter>")
+    message QueryParameters {
+      // The name of the query parameter to use for rate limiting. Value of this query parameter is used to populate
+      // the value of the descriptor entry for the descriptor_key.
+      string query_parameter_name = 1 [(validate.rules).string = {min_len: 1}];
+
+      // The key to use when creating the rate limit descriptor entry. his descriptor key will be used to identify the
+      // rate limit rule in the rate limiting service.
+      string descriptor_key = 2 [(validate.rules).string = {min_len: 1}];
+
+      // Controls the behavior when the specified query parameter is not present in the request.
+      //
+      // If set to ``false`` (default):
+      //
+      // * Envoy does **NOT** call the rate limiting service for this descriptor.
+      // * Useful if the query parameter is optional and you prefer to skip rate limiting when it's absent.
+      //
+      // If set to ``true``:
+      //
+      // * Envoy calls the rate limiting service but omits this descriptor if the query parameter is missing.
+      // * Useful if you want Envoy to enforce rate limiting even when the query parameter is not present.
+      //
       bool skip_if_absent = 3;
     }
 
@@ -2080,9 +2122,19 @@ message RateLimit {
       // Source of metadata
       Source source = 4 [(validate.rules).enum = {defined_only: true}];
 
-      // If set to true, Envoy skips the descriptor while calling rate limiting service
-      // when ``metadata_key`` is empty and ``default_value`` is not set. By default it skips calling the
-      // rate limiting service in that case.
+      // Controls the behavior when the specified ``metadata_key`` is empty and ``default_value`` is not set.
+      //
+      // If set to ``false`` (default):
+      //
+      // * Envoy does **NOT** call the rate limiting service for this descriptor.
+      // * Useful if the metadata is optional and you prefer to skip rate limiting when it's absent.
+      //
+      // If set to ``true``:
+      //
+      // * Envoy calls the rate limiting service but omits this descriptor if the ``metadata_key`` is empty and
+      //   ``default_value`` is missing.
+      // * Useful if you want Envoy to enforce rate limiting even when the metadata is not present.
+      //
       bool skip_if_absent = 5;
     }
 
@@ -2125,6 +2177,9 @@ message RateLimit {
       // Rate limit on request headers.
       RequestHeaders request_headers = 3;
 
+      // Rate limit on query parameters.
+      QueryParameters query_parameters = 12;
+
       // Rate limit on remote address.
       RemoteAddress remote_address = 4;
 

envoy-types/proto/data-plane-api/envoy/extensions/common/dynamic_forward_proxy/v3/dns_cache.proto

@@ -47,7 +47,7 @@ message DnsCacheCircuitBreakers {
 
 // Configuration for the dynamic forward proxy DNS cache. See the :ref:`architecture overview
 // <arch_overview_http_dynamic_forward_proxy>` for more information.
-// [#next-free-field: 15]
+// [#next-free-field: 16]
 message DnsCacheConfig {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.common.dynamic_forward_proxy.v2alpha.DnsCacheConfig";
@@ -108,6 +108,12 @@ message DnsCacheConfig {
   //   value depending on timing. This is similar to how other circuit breakers work.
   google.protobuf.UInt32Value max_hosts = 5 [(validate.rules).uint32 = {gt: 0}];
 
+  // Disable the DNS refresh on failure. If this field is set to true, it will ignore the
+  // :ref:`typed_dns_resolver_config <envoy_v3_api_field_extensions.common.dynamic_forward_proxy.v3.DnsCacheConfig.dns_failure_refresh_rate>`.
+  // If not specified, it defaults to false. By enabling this feature, the failed hosts will now be treated as a cache miss,
+  // allowing the failed hosts to be resolved on demand.
+  bool disable_dns_refresh_on_failure = 15;
+
   // If the DNS failure refresh rate is specified,
   // this is used as the cache's DNS refresh rate when DNS requests are failing. If this setting is
   // not specified, the failure refresh rate defaults to the dns_refresh_rate.
@@ -150,8 +156,9 @@ message DnsCacheConfig {
   // The timeout used for DNS queries. This timeout is independent of any timeout and retry policy
   // used by the underlying DNS implementation (e.g., c-areas and Apple DNS) which are opaque.
   // Setting this timeout will ensure that queries succeed or fail within the specified time frame
-  // and are then retried using the standard refresh rates. Defaults to 5s if not set.
-  google.protobuf.Duration dns_query_timeout = 11 [(validate.rules).duration = {gt {}}];
+  // and are then retried using the standard refresh rates. Setting it to 0 will disable the Envoy DNS
+  // query timeout and use the underlying DNS implementation timeout. Defaults to 5s if not set.
+  google.protobuf.Duration dns_query_timeout = 11 [(validate.rules).duration = {gte {}}];
 
   // Configuration to flush the DNS cache to long term storage.
   config.common.key_value.v3.KeyValueStoreConfig key_value_config = 13;

envoy-types/proto/data-plane-api/envoy/extensions/filters/http/cors/v3/cors.proto

@@ -35,7 +35,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#extension: envoy.filters.http.cors]
 
 // Cors filter config. Set this in
-// ref:`http_filters <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.http_filters>`
+// :ref:`http_filters <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.http_filters>`
 // to enable the CORS filter.
 //
 // Please note that the :ref:`CorsPolicy <envoy_v3_api_msg_extensions.filters.http.cors.v3.CorsPolicy>`

envoy-types/proto/data-plane-api/envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto

@@ -142,7 +142,6 @@ message ExternalProcessor {
   config.core.v3.GrpcService grpc_service = 1
       [(udpa.annotations.field_migrate).oneof_promotion = "ext_proc_service_type"];
 
-  // [#not-implemented-hide:]
   // Configuration for the HTTP service that the filter will communicate with.
   // Only one of ``http_service`` or
   // :ref:`grpc_service <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.grpc_service>`.

envoy-types/proto/data-plane-api/envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto

@@ -84,7 +84,6 @@ message ProcessingMode {
     // up to the buffer limit will be sent.
     BUFFERED_PARTIAL = 3;
 
-    // [#not-implemented-hide:]
     // Envoy streams the body to the server in pieces as they arrive.
     //
     // 1) The server may choose to buffer any number chunks of data before processing them.
@@ -113,6 +112,7 @@ message ProcessingMode {
     //   :ref:`StreamedBodyResponse <envoy_v3_api_msg_service.ext_proc.v3.StreamedBodyResponse>`
     //   to Envoy in the body response.
     // * Envoy will stream the body chunks in the responses from the server to the upstream/downstream as they arrive.
+
     FULL_DUPLEX_STREAMED = 4;
   }
 

envoy-types/proto/data-plane-api/envoy/extensions/filters/http/oauth2/v3/oauth.proto

@@ -39,6 +39,41 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#extension: envoy.filters.http.oauth2]
 //
 
+// OAuth cookie configuration attributes.
+//
+message CookieConfig {
+  enum SameSite {
+    DISABLED = 0;
+    STRICT = 1;
+    LAX = 2;
+    NONE = 3;
+  }
+
+  // The value used for the SameSite cookie attribute.
+  SameSite same_site = 1 [(validate.rules).enum = {defined_only: true}];
+}
+
+// [#next-free-field: 7]
+message CookieConfigs {
+  // Configuration for the bearer token cookie.
+  CookieConfig bearer_token_cookie_config = 1;
+
+  // Configuration for the OAuth HMAC cookie.
+  CookieConfig oauth_hmac_cookie_config = 2;
+
+  // Configuration for the OAuth expires cookie.
+  CookieConfig oauth_expires_cookie_config = 3;
+
+  // Configuration for the ID token cookie.
+  CookieConfig id_token_cookie_config = 4;
+
+  // Configuration for the refresh token cookie.
+  CookieConfig refresh_token_cookie_config = 5;
+
+  // Configuration for the OAuth nonce cookie.
+  CookieConfig oauth_nonce_cookie_config = 6;
+}
+
 // [#next-free-field: 6]
 message OAuth2Credentials {
   // [#next-free-field: 7]
@@ -98,7 +133,7 @@ message OAuth2Credentials {
 
 // OAuth config
 //
-// [#next-free-field: 21]
+// [#next-free-field: 22]
 message OAuth2Config {
   enum AuthType {
     // The ``client_id`` and ``client_secret`` will be sent in the URL encoded request body.
@@ -200,6 +235,9 @@ message OAuth2Config {
   // will still process incoming Refresh Tokens as part of the HMAC if they are there. This is to ensure compatibility while switching this setting on. Future
   // sessions would not set the Refresh Token cookie header.
   bool disable_refresh_token_set_cookie = 20;
+
+  // Controls for attributes that can be set on the cookies.
+  CookieConfigs cookie_configs = 21;
 }
 
 // Filter config.