Sync Gloo APIs to v1.5.17 (#63)

* gloo-v1.5.17

Author: sam-heilbron

api/gloo/enterprise.gloo/v1/auth_config.proto

@@ -247,6 +247,60 @@ message OAuth2 {
   }
 }
 
+message RedisOptions {
+  // address of the redis. can be address:port or unix://path/to/unix.sock
+  string host = 1;
+  // db to use. can leave unset for db 0.
+  int32 db = 2;
+  // size of the connection pool. can leave unset for default.
+  // defaults to 10 connections per every CPU
+  int32 pool_size = 3;
+}
+
+message UserSession {
+  message InternalSession{}
+  message RedisSession{
+    // Options to connect to redis
+    RedisOptions options = 1;
+    // Key prefix inside redis
+    string key_prefix = 2;
+    // Cookie name to set and store the session id. If empty the default "__session" is used.
+    string cookie_name = 3;
+  }
+  
+  // should we fail auth flow when failing to get a session from redis, or allow it to continue,
+  // potentially starting a new auth flow and setting a new session.
+  bool fail_on_fetch_failure = 1;
+
+  message CookieOptions {
+    // Max age for the cookie. Leave unset for a default of 30 days (2592000 seconds).
+    // To disable cookie expiry, set explicitly to 0.
+    google.protobuf.UInt32Value max_age = 1;
+    // Use a non-secure cookie. Note - this should only be used for testing and in trusted 
+    // environments.
+    bool not_secure = 2;
+    // Path of the cookie. If unset, defaults to "/". Set it explicitly to "" to avoid setting a 
+    // path.
+    google.protobuf.StringValue path = 3;
+    // Cookie domain
+    string domain = 4;
+  }
+
+  // Set-Cookie options
+  CookieOptions cookie_options = 2;
+  oneof session {
+    // Set the tokens in the cookie itself. No need for server side state.
+    InternalSession cookie = 3;
+    // Use redis to store the tokens and just store a random id in the cookie.
+    RedisSession redis = 4;
+  }
+}
+
+message HeaderConfiguration {
+  // If set, the id token will be forward upstream using this header name.
+  string id_token_header = 1;
+}
+
 message OidcAuthorizationCode {
   // your client id as registered with the issuer
   string client_id = 1;
@@ -266,12 +320,27 @@ message OidcAuthorizationCode {
   string app_url = 5;
 
   // a callback path relative to app url that will be used for OIDC callbacks.
-  // needs to not be used by the application
+  // should not be used by the application.
   string callback_path = 6;
 
+  // a path relative to app url that will be used for logging out from an OIDC session.
+  // should not be used by the application.
+  // If not provided, logout functionality will be disabled.
+  string logout_path = 9;
+
   // Scopes to request in addition to openid scope.
   repeated string scopes = 7;
 
+  // Configuration related to the user session.
+  UserSession session = 8;
+
+  // Configures headers added to requests.
+  HeaderConfiguration headers = 10;
+
+  // The interval at which OIDC configuration is discovered at <issuerUrl>/.well-known/openid-configuration
+  // If not specified, the default value is 30 minutes.
+  google.protobuf.Duration discovery_poll_interval = 12;
+
   // in the future we may implement this:
   // add optional configuration for validation of the access token received during the OIDC flow
   // AccessTokenValidation access_token_validation = 8;
@@ -437,6 +506,7 @@ message ExtAuthConfig {
   }
 
   message OidcAuthorizationCodeConfig {
+    
     // your client id as registered with the issuer
     string client_id = 1;
 
@@ -458,9 +528,23 @@ message ExtAuthConfig {
     // needs to not be used by the application
     string callback_path = 6;
 
+    // a path relative to app url that will be used for logging out from an OIDC session.
+    // should not be used by the application.
+    // If not provided, logout functionality will be disabled.
+    string logout_path = 9;
+
     // scopes to request in addition to the openid scope.
     repeated string scopes = 7;
 
+    UserSession session = 8;
+
+    // Configures headers added to requests.
+    HeaderConfiguration headers = 10;
+
+    // The interval at which OIDC configuration is discovered at <issuerUrl>/.well-known/openid-configuration
+    // If not specified, the default value is 30 minutes.
+    google.protobuf.Duration discovery_poll_interval = 12;
+
     // in the future we may implement this:
     // add optional configuration for validation of the access token received during the OIDC flow
     // AccessTokenValidation access_token_validation = 8;

api/gloo/gateway/v1/gateway.proto

@@ -103,6 +103,7 @@ message TcpGateway {
     gloo.solo.io.TcpListenerOptions options = 8;
 }
 
+
 message GatewayStatus {
 	enum State {
 			// Pending status indicates the resource has not yet been validated

api/gloo/gloo/external/envoy/README.md

@@ -1,7 +1,7 @@
-### Envoy Protos in Gloo
+### Envoy Protos in Gloo Edge
 
-The envoy api in Gloo is now taken directly from the envoy protos and then copied into the relevant directory
-here in the Gloo repo. In order to allow for seamless addition of envoy protos directly into the gloo repo simply 
+The envoy api in Gloo Edge is now taken directly from the envoy protos and then copied into the relevant directory
+here in the Gloo Edge repo. In order to allow for seamless addition of envoy protos directly into the gloo repo simply 
 change the go_package option to the appropriate `go-control-plane` package, or if none exists than add the `go-control-plane` one
 
 For example:

api/gloo/gloo/external/envoy/api/v2/cluster/outlier_detection.proto

@@ -114,4 +114,4 @@ message OutlierDetection {
     // is set to true.
     google.protobuf.UInt32Value enforcing_local_origin_success_rate = 15
     [(validate.rules).uint32.lte = 100];
-}
+}

api/gloo/gloo/external/envoy/api/v2/core/health_check.proto

@@ -273,4 +273,4 @@ enum HealthStatus {
 
     // Degraded.
     DEGRADED = 5;
-}
+}

api/gloo/gloo/external/envoy/api/v2/route/route.proto

@@ -1303,4 +1303,4 @@ message QueryParameterMatcher {
     // the right of the equals sign in "key=value") must match the regex.
     // E.g., the regex "\d+$" will match "123" but not "a123" or "123a".
     google.protobuf.BoolValue regex = 4;
-}
+}

api/gloo/gloo/external/envoy/config/filter/http/gzip/v2/gzip.proto

@@ -80,4 +80,4 @@ message Gzip {
     // which will produce a 4096 bytes window. For more details about this parameter, please refer to
     // zlib manual > deflateInit2.
     google.protobuf.UInt32Value window_bits = 9 [(validate.rules).uint32 = {lte: 15 gte: 9}];
-}
+}

api/gloo/gloo/external/envoy/extensions/filters/http/wasm/v3/wasm.proto

@@ -26,4 +26,4 @@ option java_multiple_files = true;
 message Wasm {
   // General Plugin configuration.
   envoy.extensions.wasm.v3.PluginConfig config = 1;
-}
+}

api/gloo/gloo/external/envoy/extensions/transformation/transformation.proto

@@ -236,4 +236,4 @@ message Passthrough {}
 
 message MergeExtractorsToBody {}
 
-message HeaderBodyTransform {}
+message HeaderBodyTransform {}

api/gloo/gloo/external/envoy/type/range.proto

@@ -32,4 +32,4 @@ message DoubleRange {
 
     // end of the range (exclusive)
     double end = 2;
-}
+}

api/gloo/gloo/external/udpa/annotations/sensitive.proto

@@ -12,4 +12,4 @@ extend google.protobuf.FieldOptions {
   // Protobuf functions such as `TextFormat::PrintToString`.
   bool sensitive = 76569463;
 }
-option go_package = "github.com/solo-io/solo-apis/pkg/api/gloo.solo.io/external/udpa/annotations";
+option go_package = "github.com/solo-io/solo-apis/pkg/api/gloo.solo.io/external/udpa/annotations";

api/gloo/gloo/v1/endpoint.proto

@@ -40,4 +40,4 @@ message Endpoint {
 message HealthCheckConfig {
     // hostname to use for the endpoint health checks if provided.
     string hostname = 1;
-}
+}

api/gloo/gloo/v1/enterprise/options/ratelimit/ratelimit.proto

@@ -84,4 +84,4 @@ message RateLimitRouteExtension {
     // Define individual rate limits here. Each rate limit will be evaluated, if any rate limit
     // would be throttled, the entire request returns a 429 (gets throttled)
     repeated ratelimit.api.solo.io.RateLimitActions rate_limits = 2;
-}
+}

api/gloo/gloo/v1/enterprise/options/rbac/rbac.proto

@@ -53,4 +53,4 @@ message Permissions {
     string path_prefix = 1;
     // What http methods (GET, POST, ...) are allowed.
     repeated string methods = 2;
-}
+}

api/gloo/gloo/v1/enterprise/options/waf/waf.proto

@@ -42,4 +42,4 @@ message CoreRuleSet {
         // String representing the core rule set custom config options
         string custom_settings_file = 3;
     }
-}
+}

api/gloo/gloo/v1/extensions.proto

@@ -15,4 +15,4 @@ message Extensions {
 
 message Extension {
     google.protobuf.Struct config = 1;
-}
+}

api/gloo/gloo/v1/failover.proto

@@ -115,4 +115,4 @@ message Locality {
     // into smaller chunks of sub-zones so they can be load balanced
     // independently.
     string sub_zone = 3;
-}
+}

api/gloo/gloo/v1/options.proto

@@ -44,6 +44,8 @@ import "solo-apis/api/gloo/gloo/v1/enterprise/options/waf/waf.proto";
 import "solo-apis/api/gloo/gloo/v1/enterprise/options/dlp/dlp.proto";
 import "solo-apis/api/gloo/gloo/v1/options/transformation/transformation.proto";
 
+import "envoy/api/v2/core/base.proto";
+
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
 
@@ -66,6 +68,10 @@ message ListenerOptions {
     // Soft limit on size of the listener's new connection read and write buffers. If unspecified, defaults to 1MiB
     // For more info, check out the [Envoy docs](https://www.envoyproxy.io/docs/envoy/v1.14.1/api-v2/api/v2/listener.proto)
     google.protobuf.UInt32Value per_connection_buffer_limit_bytes = 3;
+
+    // Additional socket options that may not be present in Envoy source code or
+    // precompiled binaries.
+    repeated envoy.api.v2.core.SocketOption socket_options = 4;
 }
 
 // Optional, feature-specific configuration that lives on http listeners
@@ -120,6 +126,11 @@ message HttpListenerOptions {
     // envoy.filters.http.grpc_json_transcoder.
     // For more, see https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/grpc_json_transcoder/v3/transcoder.proto
     grpc_json.options.gloo.solo.io.GrpcJsonTranscoder grpc_json_transcoder = 13;
+
+    // Enterprise-only: If using the HTTP header specified by cluster_header to direct traffic to a cluster,
+    // this option will sanitize that header from downstream traffic.
+    // Defaults to false
+    google.protobuf.BoolValue sanitize_cluster_header = 14;
 }
 
 // Optional, feature-specific configuration that lives on tcp listeners

api/gloo/gloo/v1/options/cors/cors.proto

@@ -42,4 +42,4 @@ message CorsPolicy {
     // Optional, only applies to route-specific CORS Policies, defaults to false.
     // If set, the CORS Policy (specified on the virtual host) will be disabled for this route.
     bool disable_for_route = 8;
-}
+}

api/gloo/gloo/v1/options/grpc/grpc.proto

@@ -48,4 +48,4 @@ message DestinationSpec {
   // Parameters describe how to extract the function parameters from the
   // request.
   transformation.options.gloo.solo.io.Parameters parameters = 4;
-}
+}

api/gloo/gloo/v1/options/grpc_json/grpc_json.proto

@@ -158,4 +158,4 @@ message GrpcJsonTranscoder {
     //  the ``google/rpc/error_details.proto`` should be included in the configured
     //  :ref:`proto descriptor set <config_grpc_json_generate_proto_descriptor_set>`.
     bool convert_grpc_status = 9;
-}
+}

api/gloo/gloo/v1/options/grpc_web/grpc_web.proto

@@ -14,4 +14,4 @@ import "solo-apis/api/gloo/gloo/v1/options/transformation/parameters.proto";
 message GrpcWeb {
   // Disable grpc web support.
   bool disable = 1;
-}
+}

api/gloo/gloo/v1/options/hcm/hcm.proto

@@ -24,6 +24,15 @@ message HttpConnectionManagerSettings {
         ALWAYS_FORWARD_ONLY = 4;
     }
 
+    enum ServerHeaderTransformation {
+        // (DEFAULT) Overwrite any Server header with the contents of server_name.
+        OVERWRITE = 0;
+        // If no Server header is present, append Server server_name If a Server header is present, pass it through.
+        APPEND_IF_ABSENT = 1;
+        // Pass through the value of the server header, and do not append a header if none is present.
+        PASS_THROUGH = 2;
+    }
+
     message SetCurrentClientCertDetails {
         google.protobuf.BoolValue subject = 1;
         bool cert = 2;
@@ -62,4 +71,11 @@ message HttpConnectionManagerSettings {
     // HttpConnectionManager configuration for protocol upgrade requests. 
     // Note: WebSocket upgrades are enabled by default on the HTTP Connection Manager and must be explicitly disabled.
     repeated protocol_upgrade.options.gloo.solo.io.ProtocolUpgradeConfig upgrades = 21;
+
+    // For an explanation of these settings see https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/core/v3/protocol.proto#config-core-v3-httpprotocoloptions
+    google.protobuf.Duration max_connection_duration = 23 [ (gogoproto.stdduration) = true ];
+    google.protobuf.Duration max_stream_duration = 24 [ (gogoproto.stdduration) = true ];
+
+    // For an explanation of the settings see: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto.html#envoy-v3-api-enum-extensions-filters-network-http-connection-manager-v3-httpconnectionmanager-serverheadertransformation
+    ServerHeaderTransformation server_header_transformation = 25;
 }

api/gloo/gloo/v1/options/rest/rest.proto

@@ -29,4 +29,4 @@ message DestinationSpec {
     transformation.options.gloo.solo.io.Parameters parameters = 2;
 
     envoy.api.v2.filter.http.TransformationTemplate response_transformation = 3;
-}
+}

api/gloo/gloo/v1/options/service_spec.proto

@@ -22,4 +22,4 @@ message ServiceSpec {
         rest.options.gloo.solo.io.ServiceSpec rest = 1;
         grpc.options.gloo.solo.io.ServiceSpec grpc = 2;
     }
-}
+}

api/gloo/gloo/v1/options/static/static.proto

@@ -26,6 +26,11 @@ message UpstreamSpec {
 
     // An optional Service Spec describing the service listening at this address
     .options.gloo.solo.io.ServiceSpec service_spec = 5;
+
+    // When set, automatically set the sni address to use to the addr field.
+    // If both this and host.sni_addr are set, host.sni_addr has priority.
+    // defaults to "true".
+    google.protobuf.BoolValue auto_sni_rewrite = 6;
 }
 
 // Represents a single instance of an upstream
@@ -35,6 +40,10 @@ message Host {
     // Port the instance is listening on
     uint32 port = 2;
 
+    // Address to use for SNI if using ssl.
+    string sni_addr = 4;
+
+
     message HealthCheckConfig {
         // (Enterprise Only): Path to use when health checking this specific host.
         string path = 1;

api/gloo/gloo/v1/options/stats/stats.proto

@@ -43,4 +43,4 @@ message VirtualCluster {
 
     // If specified, statistics will be exposed only for requests matching the given HTTP method.
     string method = 3;
-}
+}

api/gloo/gloo/v1/options/tcp/tcp.proto

@@ -16,4 +16,4 @@ option (extproto.hash_all) = true;
 message TcpProxySettings {
     google.protobuf.UInt32Value max_connect_attempts = 1;
     google.protobuf.Duration idle_timeout = 2 [ (gogoproto.stdduration) = true ];
-}
+}

api/gloo/gloo/v1/options/tracing/tracing.proto

@@ -35,6 +35,8 @@ message RouteTracingSettings {
     // Requests can produce traces by random sampling or when the `x-client-trace-id` header is provided.
     // TracePercentages defines the limits for random, forced, and overall tracing percentages.
     TracePercentages trace_percentages = 2;
+    // Optional. Default is true, If set to false, the tracing headers will not propagate to the upstream.
+    google.protobuf.BoolValue propagate = 3;
 }
 
 // Requests can produce traces by random sampling or when the `x-client-trace-id` header is provided.

api/gloo/gloo/v1/options/transformation/transformation.proto

@@ -57,4 +57,4 @@ message TransformationStages {
     RequestResponseTransformations early = 1;
     // Regular transformations happen after Auth and Rate limit decisions has been made.
     RequestResponseTransformations regular = 2;
-}
+}