@mmizutani
Forked from linux-china/envoy-schema.json
Last active February 26, 2023 06:06
Envoy configuration JSON schema for JSON and YAML, based on Envoy v1.20.1 (e9f36d2)
{
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"node": {
"properties": {
"id": {
"type": "string",
"description": "An opaque node identifier for the Envoy node. This also provides the local\n service node name. It should be set if any of the following features are\n used: :ref:`statsd <arch_overview_statistics>`, :ref:`CDS\n <config_cluster_manager_cds>`, and :ref:`HTTP tracing\n <arch_overview_tracing>`, either in this message or via\n :option:`--service-node`."
},
"cluster": {
"type": "string",
"description": "Defines the local service cluster name where Envoy is running. Though\n optional, it should be set if any of the following features are used:\n :ref:`statsd <arch_overview_statistics>`, :ref:`health check cluster\n verification\n <envoy_v3_api_field_config.core.v3.HealthCheck.HttpHealthCheck.service_name_matcher>`,\n :ref:`runtime override directory <envoy_v3_api_msg_config.bootstrap.v3.Runtime>`,\n :ref:`user agent addition\n <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.add_user_agent>`,\n :ref:`HTTP global rate limiting <config_http_filters_rate_limit>`,\n :ref:`CDS <config_cluster_manager_cds>`, and :ref:`HTTP tracing\n <arch_overview_tracing>`, either in this message or via\n :option:`--service-cluster`."
},
"metadata": {
"properties": {
"fields": {
"additionalProperties": {
"additionalProperties": true,
"type": "object"
},
"type": "object",
"description": "Unordered map of dynamically typed values."
}
},
"additionalProperties": true,
"type": "object",
"description": "Opaque metadata extending the node identifier. Envoy will pass this\n directly to the management server."
},
"dynamic_parameters": {
"additionalProperties": {
"properties": {
"params": {
"additionalProperties": {
"type": "string"
},
"type": "object"
}
},
"additionalProperties": true,
"type": "object"
},
"type": "object",
"description": "Map from xDS resource type URL to dynamic context parameters. These may vary at runtime (unlike\n other fields in this message). For example, the xDS client may have a shard identifier that\n changes during the lifetime of the xDS client. In Envoy, this would be achieved by updating the\n dynamic context on the Server::Instance's LocalInfo context provider. The shard ID dynamic\n parameter then appears in this field during future discovery requests."
},
"locality": {
"$ref": "#/definitions/envoy.config.core.v3.Locality",
"additionalProperties": true,
"description": "Locality specifying where the Envoy instance is running."
},
"user_agent_name": {
"type": "string",
"description": "Free-form string that identifies the entity requesting config.\n E.g. \"envoy\" or \"grpc\""
},
"user_agent_version": {
"type": "string",
"description": "Free-form string that identifies the version of the entity requesting config.\n E.g. \"1.12.2\" or \"abcd1234\", or \"SpecialEnvoyBuild\""
},
"user_agent_build_version": {
"$ref": "#/definitions/envoy.config.core.v3.BuildVersion",
"additionalProperties": true,
"description": "Structured version of the entity requesting config."
},
"extensions": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "This is the name of the Envoy filter as specified in the Envoy\n configuration, e.g. envoy.filters.http.router, com.acme.widget."
},
"category": {
"type": "string",
"description": "Category of the extension.\n Extension category names use reverse DNS notation. For instance \"envoy.filters.listener\"\n for Envoy's built-in listener filters or \"com.acme.filters.http\" for HTTP filters from\n acme.com vendor.\n "
},
"type_descriptor": {
"type": "string",
"description": "[#not-implemented-hide:] Type descriptor of extension configuration proto.\n \n "
},
"version": {
"$ref": "#/definitions/envoy.config.core.v3.BuildVersion",
"additionalProperties": true,
"description": "The version is a property of the extension and maintained independently\n of other extensions and the Envoy API.\n This field is not set when extension did not provide version information."
},
"disabled": {
"type": "boolean",
"description": "Indicates that the extension is present but was disabled via dynamic configuration."
}
},
"additionalProperties": false,
"type": "object",
"description": "Version and identification for an Envoy extension.\n "
},
"type": "array",
"description": "List of extensions and their versions supported by the node."
},
"client_features": {
"items": {
"type": "string"
},
"type": "array",
"description": "Client feature support list. These are well known features described\n in the Envoy API repository for a given major version of an API. Client features\n use reverse DNS naming scheme, for example `com.acme.feature`.\n See :ref:`the list of features <client_features>` that xDS client may\n support."
},
"listening_addresses": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.config.core.v3.Address"
},
"type": "array",
"description": "Known listening ports on the node as a generic hint to the management server\n for filtering :ref:`listeners <config_listeners>` to be returned. For example,\n if there is a listener bound to port 80, the list can optionally contain the\n SocketAddress `(0.0.0.0,80)`. The field is optional and just a hint."
}
},
"additionalProperties": true,
"type": "object",
"description": "Node identity to present to the management server and for instance\n identification purposes (e.g. in generated headers)."
},
"node_context_params": {
"items": {
"type": "string"
},
"type": "array",
"description": "A list of :ref:`Node <envoy_v3_api_msg_config.core.v3.Node>` field names\n that will be included in the context parameters of the effective\n xdstp:// URL that is sent in a discovery request when resource\n locators are used for LDS/CDS. Any non-string field will have its JSON\n encoding set as the context parameter value, with the exception of\n metadata, which will be flattened (see example below). The supported field\n names are:\n - \"cluster\"\n - \"id\"\n - \"locality.region\"\n - \"locality.sub_zone\"\n - \"locality.zone\"\n - \"metadata\"\n - \"user_agent_build_version.metadata\"\n - \"user_agent_build_version.version\"\n - \"user_agent_name\"\n - \"user_agent_version\"\n\n The node context parameters act as a base layer dictionary for the context\n parameters (i.e. more specific resource specific context parameters will\n override). Field names will be prefixed with \u201cudpa.node.\u201d when included in\n context parameters.\n\n For example, if node_context_params is ``[\"user_agent_name\", \"metadata\"]``,\n the implied context parameters might be::\n\n node.user_agent_name: \"envoy\"\n node.metadata.foo: \"{\\\"bar\\\": \\\"baz\\\"}\"\n node.metadata.some: \"42\"\n node.metadata.thing: \"\\\"thing\\\"\"\n\n [#not-implemented-hide:]"
},
"static_resources": {
"properties": {
"listeners": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "The unique name by which this listener is known. If no name is provided,\n Envoy will allocate an internal UUID for the listener. If the listener is to be dynamically\n updated or removed via :ref:`LDS <config_listeners_lds>` a unique name must be provided."
},
"address": {
"$ref": "#/definitions/envoy.config.core.v3.Address",
"additionalProperties": true,
"description": "The address that the listener should listen on. In general, the address must be unique, though\n that is governed by the bind rules of the OS. E.g., multiple listeners can listen on port 0 on\n Linux as the actual port will be allocated by the OS."
},
"stat_prefix": {
"type": "string",
"description": "Optional prefix to use on listener stats. If empty, the stats will be rooted at\n `listener.<address as string>.`. If non-empty, stats will be rooted at\n `listener.<stat_prefix>.`."
},
"filter_chains": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.config.listener.v3.FilterChain"
},
"type": "array",
"description": "A list of filter chains to consider for this listener. The\n :ref:`FilterChain <envoy_v3_api_msg_config.listener.v3.FilterChain>` with the most specific\n :ref:`FilterChainMatch <envoy_v3_api_msg_config.listener.v3.FilterChainMatch>` criteria is used on a\n connection.\n\n Example using SNI for filter chain selection can be found in the\n :ref:`FAQ entry <faq_how_to_setup_sni>`."
},
"use_original_dst": {
"additionalProperties": true,
"type": "boolean",
"description": "If a connection is redirected using *iptables*, the port on which the proxy\n receives it might be different from the original destination address. When this flag is set to\n true, the listener hands off redirected connections to the listener associated with the\n original destination address. If there is no listener associated with the original destination\n address, the connection is handled by the listener that receives it. Defaults to false."
},
"default_filter_chain": {
"$ref": "#/definitions/envoy.config.listener.v3.FilterChain",
"additionalProperties": true,
"description": "The default filter chain if none of the filter chain matches. If no default filter chain is supplied,\n the connection will be closed. The filter chain match is ignored in this field."
},
"per_connection_buffer_limit_bytes": {
"additionalProperties": true,
"type": "integer",
"description": "Soft limit on size of the listener\u2019s new connection read and write buffers.\n If unspecified, an implementation defined default is applied (1MiB)."
},
"metadata": {
"$ref": "#/definitions/envoy.config.core.v3.Metadata",
"additionalProperties": true,
"description": "Listener metadata."
},
"deprecated_v1": {
"properties": {
"bind_to_port": {
"additionalProperties": true,
"type": "boolean",
"description": "Whether the listener should bind to the port. A listener that doesn't\n bind can only receive connections redirected from other listeners that\n set use_original_dst parameter to true. Default is true.\n\n This is deprecated. Use :ref:`Listener.bind_to_port\n <envoy_v3_api_field_config.listener.v3.Listener.bind_to_port>`"
}
},
"additionalProperties": true,
"type": "object",
"description": "[#not-implemented-hide:]"
},
"drain_type": {
"enum": [
"DEFAULT",
0,
"MODIFY_ONLY",
1
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "The type of draining to perform at a listener-wide level."
},
"listener_filters": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "The name of the filter to instantiate. The name must match a\n :ref:`supported filter <config_listener_filters>`."
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. This string must contain at least\n one \"/\" character. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type.",
"format": "binary",
"binaryEncoding": "base64"
}
},
"additionalProperties": true,
"type": "object",
"description": "Filter specific configuration which depends on the filter being\n instantiated. See the supported filters for further documentation.\n "
},
"filter_disabled": {
"$ref": "#/definitions/envoy.config.listener.v3.ListenerFilterChainMatchPredicate",
"additionalProperties": true,
"description": "Optional match predicate used to disable the filter. The filter is enabled when this field is empty.\n See :ref:`ListenerFilterChainMatchPredicate <envoy_v3_api_msg_config.listener.v3.ListenerFilterChainMatchPredicate>`\n for further examples."
}
},
"additionalProperties": false,
"type": "object"
},
"type": "array",
"description": "Listener filters have the opportunity to manipulate and augment the connection metadata that\n is used in connection filter chain matching, for example. These filters are run before any in\n :ref:`filter_chains <envoy_v3_api_field_config.listener.v3.Listener.filter_chains>`. Order matters as the\n filters are processed sequentially right after a socket has been accepted by the listener, and\n before a connection is created.\n UDP Listener filters can be specified when the protocol in the listener socket address in\n :ref:`protocol <envoy_v3_api_field_config.core.v3.SocketAddress.protocol>` is :ref:`UDP\n <envoy_v3_api_enum_value_config.core.v3.SocketAddress.Protocol.UDP>`."
},
"listener_filters_timeout": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The timeout to wait for all listener filters to complete operation. If the timeout is reached,\n the accepted socket is closed without a connection being created unless\n `continue_on_listener_filters_timeout` is set to true. Specify 0 to disable the\n timeout. If not specified, a default timeout of 15s is used."
},
"continue_on_listener_filters_timeout": {
"type": "boolean",
"description": "Whether a connection should be created when listener filters timeout. Default is false.\n\n .. attention::\n\n Some listener filters, such as :ref:`Proxy Protocol filter\n <config_listener_filters_proxy_protocol>`, should not be used with this option. It will cause\n unexpected behavior when a connection is created."
},
"transparent": {
"additionalProperties": true,
"type": "boolean",
"description": "Whether the listener should be set as a transparent socket.\n When this flag is set to true, connections can be redirected to the listener using an\n *iptables* *TPROXY* target, in which case the original source and destination addresses and\n ports are preserved on accepted connections. This flag should be used in combination with\n :ref:`an original_dst <config_listener_filters_original_dst>` :ref:`listener filter\n <envoy_v3_api_field_config.listener.v3.Listener.listener_filters>` to mark the connections' local addresses as\n \"restored.\" This can be used to hand off each redirected connection to another listener\n associated with the connection's destination address. Direct connections to the socket without\n using *TPROXY* cannot be distinguished from connections redirected using *TPROXY* and are\n therefore treated as if they were redirected.\n When this flag is set to false, the listener's socket is explicitly reset as non-transparent.\n Setting this flag requires Envoy to run with the *CAP_NET_ADMIN* capability.\n When this flag is not set (default), the socket is not modified, i.e. the transparent option\n is neither set nor reset."
},
"freebind": {
"additionalProperties": true,
"type": "boolean",
"description": "Whether the listener should set the *IP_FREEBIND* socket option. When this\n flag is set to true, listeners can be bound to an IP address that is not\n configured on the system running Envoy. When this flag is set to false, the\n option *IP_FREEBIND* is disabled on the socket. When this flag is not set\n (default), the socket is not modified, i.e. the option is neither enabled\n nor disabled."
},
"socket_options": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.config.core.v3.SocketOption"
},
"type": "array",
"description": "Additional socket options that may not be present in Envoy source code or\n precompiled binaries."
},
"tcp_fast_open_queue_length": {
"additionalProperties": true,
"type": "integer",
"description": "Whether the listener should accept TCP Fast Open (TFO) connections.\n When this flag is set to a value greater than 0, the option TCP_FASTOPEN is enabled on\n the socket, with a queue length of the specified size\n (see `details in RFC7413 <https://tools.ietf.org/html/rfc7413#section-5.1>`_).\n When this flag is set to 0, the option TCP_FASTOPEN is disabled on the socket.\n When this flag is not set (default), the socket is not modified,\n i.e. the option is neither enabled nor disabled.\n\n On Linux, the net.ipv4.tcp_fastopen kernel parameter must include flag 0x2 to enable\n TCP_FASTOPEN.\n See `ip-sysctl.txt <https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt>`_.\n\n On macOS, only values of 0, 1, and unset are valid; other values may result in an error.\n To set the queue length on macOS, set the net.inet.tcp.fastopen_backlog kernel parameter."
},
"traffic_direction": {
"enum": [
"UNSPECIFIED",
0,
"INBOUND",
1,
"OUTBOUND",
2
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "Specifies the intended direction of the traffic relative to the local Envoy.\n This property is required on Windows for listeners using the original destination filter,\n see :ref:`Original Destination <config_listener_filters_original_dst>`."
},
"udp_listener_config": {
"properties": {
"downstream_socket_config": {
"properties": {
"max_rx_datagram_size": {
"additionalProperties": true,
"type": "integer",
"description": "The maximum size of received UDP datagrams. Using a larger size will cause Envoy to allocate\n more memory per socket. Received datagrams above this size will be dropped. If not set\n defaults to 1500 bytes."
},
"prefer_gro": {
"additionalProperties": true,
"type": "boolean",
"description": "Configures whether Generic Receive Offload (GRO)\n <https://en.wikipedia.org/wiki/Large_receive_offload>_ is preferred when reading from the\n UDP socket. The default is context dependent and is documented where UdpSocketConfig is used.\n This option affects performance but not functionality. If GRO is not supported by the operating\n system, non-GRO receive will be used."
}
},
"additionalProperties": true,
"type": "object",
"description": "UDP socket configuration for the listener. The default for\n :ref:`prefer_gro <envoy_v3_api_field_config.core.v3.UdpSocketConfig.prefer_gro>` is false for\n listener sockets. If receiving a large amount of datagrams from a small number of sources, it\n may be worthwhile to enable this option after performance testing."
},
"quic_options": {
"properties": {
"quic_protocol_options": {
"properties": {
"max_concurrent_streams": {
"additionalProperties": true,
"type": "integer",
"description": "Maximum number of streams that the client can negotiate per connection. 100\n if not specified."
},
"initial_stream_window_size": {
"additionalProperties": true,
"type": "integer",
"description": "`Initial stream-level flow-control receive window\n <https://tools.ietf.org/html/draft-ietf-quic-transport-34#section-4.1>`_ size. Valid values range from\n 1 to 16777216 (2^24, maximum supported by QUICHE) and defaults to 65536 (2^16).\n\n NOTE: 16384 (2^14) is the minimum window size supported in Google QUIC. If configured smaller than it, we will use 16384 instead.\n QUICHE IETF Quic implementation supports 1 bytes window. We only support increasing the default window size now, so it's also the minimum.\n\n This field also acts as a soft limit on the number of bytes Envoy will buffer per-stream in the\n QUIC stream send and receive buffers. Once the buffer reaches this pointer, watermark callbacks will fire to\n stop the flow of data to the stream buffers."
},
"initial_connection_window_size": {
"additionalProperties": true,
"type": "integer",
"description": "Similar to *initial_stream_window_size*, but for connection-level\n flow-control. Valid values rage from 1 to 25165824 (24MB, maximum supported by QUICHE) and defaults to 65536 (2^16).\n window. Currently, this has the same minimum/default as *initial_stream_window_size*.\n\n NOTE: 16384 (2^14) is the minimum window size supported in Google QUIC. We only support increasing the default\n window size now, so it's also the minimum."
},
"num_timeouts_to_trigger_port_migration": {
"additionalProperties": true,
"type": "integer",
"description": "The number of timeouts that can occur before port migration is triggered for QUIC clients.\n This defaults to 1. If set to 0, port migration will not occur on path degrading.\n Timeout here refers to QUIC internal path degrading timeout mechanism, such as PTO.\n This has no effect on server sessions."
},
"connection_keepalive": {
"properties": {
"max_interval": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The max interval for a connection to send keep-alive probing packets (with PING or PATH_RESPONSE). The value should be smaller than :ref:`connection idle_timeout <envoy_v3_api_field_config.listener.v3.QuicProtocolOptions.idle_timeout>` to prevent idle timeout while not less than 1s to avoid throttling the connection or flooding the peer with probes.\n\n If :ref:`initial_interval <envoy_v3_api_field_config.core.v3.QuicKeepAliveSettings.initial_interval>` is absent or zero, a client connection will use this value to start probing.\n\n If zero, disable keepalive probing.\n If absent, use the QUICHE default interval to probe."
},
"initial_interval": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The interval to send the first few keep-alive probing packets to prevent connection from hitting the idle timeout. Subsequent probes will be sent, each one with an interval exponentially longer than previous one, till it reaches :ref:`max_interval <envoy_v3_api_field_config.core.v3.QuicKeepAliveSettings.max_interval>`. And the probes afterwards will always use :ref:`max_interval <envoy_v3_api_field_config.core.v3.QuicKeepAliveSettings.max_interval>`.\n\n The value should be smaller than :ref:`connection idle_timeout <envoy_v3_api_field_config.listener.v3.QuicProtocolOptions.idle_timeout>` to prevent idle timeout and smaller than max_interval to take effect.\n\n If absent or zero, disable keepalive probing for a server connection. For a client connection, if :ref:`max_interval <envoy_v3_api_field_config.core.v3.QuicKeepAliveSettings.max_interval>` is also zero, do not keepalive, otherwise use max_interval or QUICHE default to probe all the time."
}
},
"additionalProperties": true,
"type": "object",
"description": "Probes the peer at the configured interval to solicit traffic, i.e. ACK or PATH_RESPONSE, from the peer to push back connection idle timeout.\n If absent, use the default keepalive behavior of which a client connection sends PINGs every 15s, and a server connection doesn't do anything."
}
},
"additionalProperties": true,
"type": "object"
},
"idle_timeout": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "Maximum number of milliseconds that connection will be alive when there is\n no network activity. 300000ms if not specified."
},
"crypto_handshake_timeout": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "Connection timeout in milliseconds before the crypto handshake is finished.\n 20000ms if not specified."
},
"enabled": {
"properties": {
"default_value": {
"additionalProperties": true,
"type": "boolean",
"description": "Default value if runtime value is not available."
},
"runtime_key": {
"type": "string",
"description": "Runtime key to get value for comparison. This value is used if defined. The boolean value must\n be represented via its\n `canonical JSON encoding <https://developers.google.com/protocol-buffers/docs/proto3#json>`_."
}
},
"additionalProperties": true,
"type": "object",
"description": "Runtime flag that controls whether the listener is enabled or not. If not specified, defaults\n to enabled."
},
"packets_to_read_to_connection_count_ratio": {
"additionalProperties": true,
"type": "integer",
"description": "A multiplier to number of connections which is used to determine how many packets to read per\n event loop. A reasonable number should allow the listener to process enough payload but not\n starve TCP and other UDP sockets and also prevent long event loop duration.\n The default value is 32. This means if there are N QUIC connections, the total number of\n packets to read in each read event will be 32 * N.\n The actual number of packets to read in total by the UDP listener is also\n bound by 6000, regardless of this field or how many connections there are."
},
"crypto_stream_config": {
"$ref": "#/definitions/envoy.config.core.v3.TypedExtensionConfig",
"additionalProperties": true,
"description": "Configure which implementation of `quic::QuicCryptoClientStreamBase` to be used for this listener.\n If not specified the :ref:`QUICHE default one configured by <envoy_v3_api_msg_extensions.quic.crypto_stream.v3.CryptoServerStreamConfig>` will be used.\n "
},
"proof_source_config": {
"$ref": "#/definitions/envoy.config.core.v3.TypedExtensionConfig",
"additionalProperties": true,
"description": "Configure which implementation of `quic::ProofSource` to be used for this listener.\n If not specified the :ref:`default one configured by <envoy_v3_api_msg_extensions.quic.proof_source.v3.ProofSourceConfig>` will be used.\n "
}
},
"additionalProperties": true,
"type": "object",
"description": "Configuration for QUIC protocol. If empty, QUIC will not be enabled on this listener. Set\n to the default object to enable QUIC without modifying any additional options.\n\n .. warning::\n QUIC support is currently alpha and should be used with caution. Please\n see :ref:`here <arch_overview_http3>` for details."
}
},
"additionalProperties": true,
"type": "object",
"description": "If the protocol in the listener socket address in :ref:`protocol\n <envoy_v3_api_field_config.core.v3.SocketAddress.protocol>` is :ref:`UDP\n <envoy_v3_api_enum_value_config.core.v3.SocketAddress.Protocol.UDP>`, this field specifies UDP\n listener specific configuration."
},
"api_listener": {
"properties": {
"api_listener": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. This string must contain at least\n one \"/\" character. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type.",
"format": "binary",
"binaryEncoding": "base64"
}
},
"additionalProperties": true,
"type": "object",
"description": "The type in this field determines the type of API listener. At present, the following\n types are supported:\n envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager (HTTP)\n envoy.extensions.filters.network.http_connection_manager.v3.EnvoyMobileHttpConnectionManager (HTTP)\n [#next-major-version: In the v3 API, replace this Any field with a oneof containing the\n specific config message for each type of API listener. We could not do this in v2 because\n it would have caused circular dependencies for go protos: lds.proto depends on this file,\n and http_connection_manager.proto depends on rds.proto, which is in the same directory as\n lds.proto, so lds.proto cannot depend on this file.]"
}
},
"additionalProperties": true,
"type": "object",
"description": "Used to represent an API listener, which is used in non-proxy clients. The type of API\n exposed to the non-proxy application depends on the type of API listener.\n When this field is set, no other field except for :ref:`name<envoy_v3_api_field_config.listener.v3.Listener.name>`\n should be set.\n\n .. note::\n\n Currently only one ApiListener can be installed; and it can only be done via bootstrap config,\n not LDS.\n\n [#next-major-version: In the v3 API, instead of this messy approach where the socket\n listener fields are directly in the top-level Listener message and the API listener types\n are in the ApiListener message, the socket listener messages should be in their own message,\n and the top-level Listener should essentially be a oneof that selects between the\n socket listener and the various types of API listener. That way, a given Listener message\n can structurally only contain the fields of the relevant type.]"
},
"connection_balance_config": {
"properties": {
"exact_balance": {
"additionalProperties": true,
"type": "object",
"description": "If specified, the listener will use the exact connection balancer."
}
},
"additionalProperties": true,
"type": "object",
"description": "The listener's connection balancer configuration, currently only applicable to TCP listeners.\n If no configuration is specified, Envoy will not attempt to balance active connections between\n worker threads.\n\n In the scenario that the listener X redirects all the connections to the listeners Y1 and Y2\n by setting :ref:`use_original_dst <envoy_v3_api_field_config.listener.v3.Listener.use_original_dst>` in X\n and :ref:`bind_to_port <envoy_v3_api_field_config.listener.v3.Listener.bind_to_port>` to false in Y1 and Y2,\n it is recommended to disable the balance config in listener X to avoid the cost of balancing, and\n enable the balance config in Y1 and Y2 to balance the connections among the workers."
},
"reuse_port": {
"type": "boolean",
"description": "Deprecated. Use `enable_reuse_port` instead."
},
"enable_reuse_port": {
"additionalProperties": true,
"type": "boolean",
"description": "When this flag is set to true, listeners set the *SO_REUSEPORT* socket option and\n create one socket for each worker thread. This makes inbound connections\n distribute among worker threads roughly evenly in cases where there are a high number\n of connections. When this flag is set to false, all worker threads share one socket. This field\n defaults to true.\n\n .. attention::\n\n Although this field defaults to true, it has different behavior on different platforms. See\n the following text for more information.\n\n * On Linux, reuse_port is respected for both TCP and UDP listeners. It also works correctly\n with hot restart.\n * On macOS, reuse_port for TCP does not do what it does on Linux. Instead of load balancing,\n the last socket wins and receives all connections/packets. For TCP, reuse_port is force\n disabled and the user is warned. For UDP, it is enabled, but only one worker will receive\n packets. For QUIC/H3, SW routing will send packets to other workers. For \"raw\" UDP, only\n a single worker will currently receive packets.\n * On Windows, reuse_port for TCP has undefined behavior. It is force disabled and the user\n is warned similar to macOS. It is left enabled for UDP with undefined behavior currently."
},
"access_log": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.config.accesslog.v3.AccessLog"
},
"type": "array",
"description": "Configuration for :ref:`access logs <arch_overview_access_logs>`\n emitted by this listener."
},
"tcp_backlog_size": {
"additionalProperties": true,
"type": "integer",
"description": "The maximum length a tcp listener's pending connections queue can grow to. If no value is\n provided net.core.somaxconn will be used on Linux and 128 otherwise."
},
"bind_to_port": {
"additionalProperties": true,
"type": "boolean",
"description": "Whether the listener should bind to the port. A listener that doesn't\n bind can only receive connections redirected from other listeners that set\n :ref:`use_original_dst <envoy_v3_api_field_config.listener.v3.Listener.use_original_dst>`\n to true. Default is true."
},
"internal_listener": {
"additionalProperties": true,
"type": "object",
"description": "Used to represent an internal listener which does not listen on OSI L4 address but can be used by the\n :ref:`envoy cluster <envoy_v3_api_msg_config.cluster.v3.Cluster>` to create a user space connection to.\n The internal listener acts as a tcp listener. It supports listener filters and network filter chains.\n The internal listener requires that :ref:`address <envoy_v3_api_field_config.listener.v3.Listener.address>` has\n the field `envoy_internal_address`.\n\n Some limitations are derived from the implementation. The known limitations include\n\n * :ref:`ConnectionBalanceConfig <envoy_v3_api_msg_config.listener.v3.Listener.ConnectionBalanceConfig>` is not\n allowed because both cluster connection and listener connection must be owned by the same dispatcher.\n * :ref:`tcp_backlog_size <envoy_v3_api_field_config.listener.v3.Listener.tcp_backlog_size>`\n * :ref:`freebind <envoy_v3_api_field_config.listener.v3.Listener.freebind>`\n * :ref:`transparent <envoy_v3_api_field_config.listener.v3.Listener.transparent>`\n [#not-implemented-hide:]"
},
"enable_mptcp": {
"type": "boolean",
"description": "Enable MPTCP (multi-path TCP) on this listener. Clients will be allowed to establish\n MPTCP connections. Non-MPTCP clients will fall back to regular TCP."
},
"ignore_global_conn_limit": {
"type": "boolean",
"description": "Whether the listener should limit connections based upon the value of\n :ref:`global_downstream_max_connections <config_overload_manager_limiting_connections>`."
}
},
"additionalProperties": false,
"type": "object",
"description": ""
},
"type": "array",
"description": "Static :ref:`Listeners <envoy_v3_api_msg_config.listener.v3.Listener>`. These listeners are\n available regardless of LDS configuration."
},
"clusters": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"transport_socket_matches": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "The name of the match, used in stats generation."
},
"match": {
"properties": {
"fields": {
"additionalProperties": {
"additionalProperties": true,
"type": "object"
},
"type": "object",
"description": "Unordered map of dynamically typed values."
}
},
"additionalProperties": true,
"type": "object",
"description": "Optional endpoint metadata match criteria.\n The connection to the endpoint with metadata matching what is set in this field\n will use the transport socket configuration specified here.\n The endpoint's metadata entry in *envoy.transport_socket_match* is used to match\n against the values specified in this field."
},
"transport_socket": {
"$ref": "#/definitions/envoy.config.core.v3.TransportSocket",
"additionalProperties": true,
"description": "The configuration of the transport socket.\n "
}
},
"additionalProperties": false,
"type": "object",
"description": "TransportSocketMatch specifies what transport socket config will be used\n when the match conditions are satisfied."
},
"type": "array",
"description": "Configuration to use different transport sockets for different endpoints.\n The entry of *envoy.transport_socket_match* in the\n :ref:`LbEndpoint.Metadata <envoy_v3_api_field_config.endpoint.v3.LbEndpoint.metadata>`\n is used to match against the transport sockets as they appear in the list. The first\n :ref:`match <envoy_v3_api_msg_config.cluster.v3.Cluster.TransportSocketMatch>` is used.\n For example, with the following match\n\n .. code-block:: yaml\n\n transport_socket_matches:\n - name: \"enableMTLS\"\n match:\n acceptMTLS: true\n transport_socket:\n name: envoy.transport_sockets.tls\n config: { ... } # tls socket configuration\n - name: \"defaultToPlaintext\"\n match: {}\n transport_socket:\n name: envoy.transport_sockets.raw_buffer\n\n Connections to the endpoints whose metadata value under *envoy.transport_socket_match*\n has the \"acceptMTLS\"/\"true\" key/value pair use the \"enableMTLS\" socket configuration.\n\n If a :ref:`socket match <envoy_v3_api_msg_config.cluster.v3.Cluster.TransportSocketMatch>` with empty match\n criteria is provided, it always matches any endpoint, for example the \"defaultToPlaintext\"\n socket match in the case above.\n\n If an endpoint metadata's value under *envoy.transport_socket_match* does not match any\n *TransportSocketMatch*, the socket configuration falls back to the *tls_context* or\n *transport_socket* specified in this cluster.\n\n This field allows gradual and flexible transport socket configuration changes.\n\n The metadata of endpoints in EDS can indicate transport socket capabilities. For example,\n an endpoint's metadata can have two key value pairs as \"acceptMTLS\": \"true\",\n \"acceptPlaintext\": \"true\". Other endpoints, which only accept plaintext traffic,\n have only \"acceptPlaintext\": \"true\" in their metadata.\n\n Then the xDS server can configure the CDS to a client, Envoy A, to send mutual TLS\n traffic for endpoints with \"acceptMTLS\": \"true\", by adding a corresponding\n *TransportSocketMatch* in this field. Other client Envoys receive CDS without\n *transport_socket_match* set, and still send plain text traffic to the same cluster.\n\n This field can be used to specify custom transport socket configurations for health\n checks by adding matching key/value pairs in a health check's\n :ref:`transport socket match criteria <envoy_v3_api_field_config.core.v3.HealthCheck.transport_socket_match_criteria>` field.\n\n "
},
"name": {
"type": "string",
"description": "Supplies the name of the cluster which must be unique across all clusters.\n The cluster name is used when emitting\n :ref:`statistics <config_cluster_manager_cluster_stats>` if :ref:`alt_stat_name\n <envoy_v3_api_field_config.cluster.v3.Cluster.alt_stat_name>` is not provided.\n Any ``:`` in the cluster name will be converted to ``_`` when emitting statistics."
},
"alt_stat_name": {
"type": "string",
"description": "An optional alternative to the cluster name to be used for observability. This name is used\n when emitting stats for the cluster and when access logging the cluster name. This will appear as\n additional information in configuration dumps of a cluster's current status as\n :ref:`observability_name <envoy_v3_api_field_admin.v3.ClusterStatus.observability_name>`\n and as an additional tag \"upstream_cluster.name\" while tracing. Note: access logging using\n this field is presently enabled with runtime feature\n `envoy.reloadable_features.use_observable_cluster_name`. Any ``:`` in the name will be\n converted to ``_`` when emitting statistics. This should not be confused with :ref:`Router\n Filter Header <config_http_filters_router_x-envoy-upstream-alt-stat-name>`."
},
"type": {
"enum": [
"STATIC",
0,
"STRICT_DNS",
1,
"LOGICAL_DNS",
2,
"EDS",
3,
"ORIGINAL_DST",
4
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "The :ref:`service discovery type <arch_overview_service_discovery_types>`\n to use for resolving the cluster."
},
"cluster_type": {
"properties": {
"name": {
"type": "string",
"description": "The type of the cluster to instantiate. The name must match a supported cluster type."
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. This string must contain at least\n one \"/\" character. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type.",
"format": "binary",
"binaryEncoding": "base64"
}
},
"additionalProperties": true,
"type": "object",
"description": "Cluster specific configuration which depends on the cluster being instantiated.\n See the supported cluster for further documentation.\n "
}
},
"additionalProperties": true,
"type": "object",
"description": "The custom cluster type."
},
"eds_cluster_config": {
"properties": {
"eds_config": {
"$ref": "#/definitions/envoy.config.core.v3.ConfigSource",
"additionalProperties": true,
"description": "Configuration for the source of EDS updates for this Cluster."
},
"service_name": {
"type": "string",
"description": "Optional alternative to cluster name to present to EDS. This does not\n have the same restrictions as cluster name, i.e. it may be arbitrary\n length. This may be a xdstp:// URL."
}
},
"additionalProperties": true,
"type": "object",
"description": "Configuration to use for EDS updates for the Cluster."
},
"connect_timeout": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The timeout for new network connections to hosts in the cluster.\n If not set, a default value of 5s will be used."
},
"per_connection_buffer_limit_bytes": {
"additionalProperties": true,
"type": "integer",
"description": "Soft limit on size of the cluster\u2019s connections read and write buffers. If\n unspecified, an implementation defined default is applied (1MiB)."
},
"lb_policy": {
"enum": [
"ROUND_ROBIN",
0,
"LEAST_REQUEST",
1,
"RING_HASH",
2,
"RANDOM",
3,
"MAGLEV",
5,
"CLUSTER_PROVIDED",
6,
"LOAD_BALANCING_POLICY_CONFIG",
7
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "The :ref:`load balancer type <arch_overview_load_balancing_types>` to use\n when picking a host in the cluster."
},
"load_assignment": {
"properties": {
"cluster_name": {
"type": "string",
"description": "Name of the cluster. This will be the :ref:`service_name\n <envoy_v3_api_field_config.cluster.v3.Cluster.EdsClusterConfig.service_name>` value if specified\n in the cluster :ref:`EdsClusterConfig\n <envoy_v3_api_msg_config.cluster.v3.Cluster.EdsClusterConfig>`."
},
"endpoints": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"locality": {
"$ref": "#/definitions/envoy.config.core.v3.Locality",
"additionalProperties": true,
"description": "Identifies location of where the upstream hosts run."
},
"lb_endpoints": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.config.endpoint.v3.LbEndpoint"
},
"type": "array",
"description": "The group of endpoints belonging to the locality specified.\n [#comment:TODO(adisuissa): Once LEDS is implemented this field needs to be\n deprecated and replaced by *load_balancer_endpoints*.]"
},
"load_balancer_endpoints": {
"properties": {
"lb_endpoints": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.config.endpoint.v3.LbEndpoint"
},
"type": "array"
}
},
"additionalProperties": true,
"type": "object",
"description": "The group of endpoints belonging to the locality.\n [#comment:TODO(adisuissa): Once LEDS is implemented the *lb_endpoints* field\n needs to be deprecated.]"
},
"leds_cluster_locality_config": {
"properties": {
"leds_config": {
"$ref": "#/definitions/envoy.config.core.v3.ConfigSource",
"additionalProperties": true,
"description": "Configuration for the source of LEDS updates for a Locality."
},
"leds_collection_name": {
"type": "string",
"description": "The xDS transport protocol glob collection resource name.\n The service is only supported in delta xDS (incremental) mode."
}
},
"additionalProperties": true,
"type": "object",
"description": "LEDS Configuration for the current locality."
},
"load_balancing_weight": {
"additionalProperties": true,
"type": "integer",
"description": "Optional: Per priority/region/zone/sub_zone weight; at least 1. The load\n balancing weight for a locality is divided by the sum of the weights of all\n localities at the same priority level to produce the effective percentage\n of traffic for the locality. The sum of the weights of all localities at\n the same priority level must not exceed uint32_t maximal value (4294967295).\n\n Locality weights are only considered when :ref:`locality weighted load\n balancing <arch_overview_load_balancing_locality_weighted_lb>` is\n configured. These weights are ignored otherwise. If no weights are\n specified when locality weighted load balancing is enabled, the locality is\n assigned no load."
},
"priority": {
"type": "integer",
"description": "Optional: the priority for this LocalityLbEndpoints. If unspecified this will\n default to the highest priority (0).\n\n Under usual circumstances, Envoy will only select endpoints for the highest\n priority (0). In the event all endpoints for a particular priority are\n unavailable/unhealthy, Envoy will fail over to selecting endpoints for the\n next highest priority group.\n\n Priorities should range from 0 (highest) to N (lowest) without skipping."
},
"proximity": {
"additionalProperties": true,
"type": "integer",
"description": "Optional: Per locality proximity value which indicates how close this\n locality is from the source locality. This value only provides ordering\n information (lower the value, closer it is to the source locality).\n This will be consumed by load balancing schemes that need proximity order\n to determine where to route the requests.\n [#not-implemented-hide:]"
}
},
"additionalProperties": false,
"type": "object",
"description": "A group of endpoints belonging to a Locality.\n One can have multiple LocalityLbEndpoints for a locality, but this is\n generally only done if the different groups need to have different load\n balancing weights or different priorities.\n "
},
"type": "array",
"description": "List of endpoints to load balance to."
},
"named_endpoints": {
"additionalProperties": {
"$ref": "#/definitions/envoy.config.endpoint.v3.Endpoint",
"additionalProperties": true
},
"type": "object",
"description": "Map of named endpoints that can be referenced in LocalityLbEndpoints.\n [#not-implemented-hide:]"
},
"policy": {
"properties": {
"drop_overloads": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"category": {
"type": "string",
"description": "Identifier for the policy specifying the drop."
},
"drop_percentage": {
"$ref": "#/definitions/envoy.type.v3.FractionalPercent",
"additionalProperties": true,
"description": "Percentage of traffic that should be dropped for the category."
}
},
"additionalProperties": false,
"type": "object",
"description": "[#not-implemented-hide:]"
},
"type": "array",
"description": "Action to trim the overall incoming traffic to protect the upstream\n hosts. This action allows protection in case the hosts are unable to\n recover from an outage, or unable to autoscale or unable to handle\n incoming traffic volume for any reason.\n\n At the client each category is applied one after the other to generate\n the 'actual' drop percentage on all outgoing traffic. For example:\n\n .. code-block:: json\n\n { \"drop_overloads\": [\n { \"category\": \"throttle\", \"drop_percentage\": 60 },\n { \"category\": \"lb\", \"drop_percentage\": 50 }\n ]}\n\n The actual drop percentages applied to the traffic at the clients will be\n \"throttle\"_drop = 60%\n \"lb\"_drop = 20% // 50% of the remaining 'actual' load, which is 40%.\n actual_outgoing_load = 20% // remaining after applying all categories.\n [#not-implemented-hide:]"
},
"overprovisioning_factor": {
"additionalProperties": true,
"type": "integer",
"description": "Priority levels and localities are considered overprovisioned with this\n factor (in percentage). This means that we don't consider a priority\n level or locality unhealthy until the fraction of healthy hosts\n multiplied by the overprovisioning factor drops below 100.\n With the default value 140(1.4), Envoy doesn't consider a priority level\n or a locality unhealthy until their percentage of healthy hosts drops\n below 72%. For example:\n\n .. code-block:: json\n\n { \"overprovisioning_factor\": 100 }\n\n Read more at :ref:`priority levels <arch_overview_load_balancing_priority_levels>` and\n :ref:`localities <arch_overview_load_balancing_locality_weighted_lb>`."
},
"endpoint_stale_after": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The max time until which the endpoints from this assignment can be used.\n If no new assignments are received before this time expires the endpoints\n are considered stale and should be marked unhealthy.\n Defaults to 0 which means endpoints never go stale."
}
},
"additionalProperties": true,
"type": "object",
"description": "Load balancing policy settings."
}
},
"additionalProperties": true,
"type": "object",
"description": "Setting this is required for specifying members of\n :ref:`STATIC<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STATIC>`,\n :ref:`STRICT_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>`\n or :ref:`LOGICAL_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS>` clusters.\n This field supersedes the *hosts* field in the v2 API.\n\n .. attention::\n\n Setting this allows non-EDS cluster types to contain embedded EDS equivalent\n :ref:`endpoint assignments<envoy_v3_api_msg_config.endpoint.v3.ClusterLoadAssignment>`."
},
"health_checks": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"timeout": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The time to wait for a health check response. If the timeout is reached the\n health check attempt will be considered a failure."
},
"interval": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The interval between health checks."
},
"initial_jitter": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "An optional jitter amount in milliseconds. If specified, Envoy will start health\n checking after a random time in ms between 0 and initial_jitter. This only\n applies to the first health check."
},
"interval_jitter": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "An optional jitter amount in milliseconds. If specified, during every\n interval Envoy will add interval_jitter to the wait time."
},
"interval_jitter_percent": {
"type": "integer",
"description": "An optional jitter amount as a percentage of interval_ms. If specified,\n during every interval Envoy will add interval_ms *\n interval_jitter_percent / 100 to the wait time.\n\n If interval_jitter_ms and interval_jitter_percent are both set, both of\n them will be used to increase the wait time."
},
"unhealthy_threshold": {
"additionalProperties": true,
"type": "integer",
"description": "The number of unhealthy health checks required before a host is marked\n unhealthy. Note that for *http* health checking if a host responds with a code not in\n :ref:`expected_statuses <envoy_v3_api_field_config.core.v3.HealthCheck.HttpHealthCheck.expected_statuses>`\n or :ref:`retriable_statuses <envoy_v3_api_field_config.core.v3.HealthCheck.HttpHealthCheck.retriable_statuses>`,\n this threshold is ignored and the host is considered immediately unhealthy."
},
"healthy_threshold": {
"additionalProperties": true,
"type": "integer",
"description": "The number of healthy health checks required before a host is marked\n healthy. Note that during startup, only a single successful health check is\n required to mark a host healthy."
},
"alt_port": {
"additionalProperties": true,
"type": "integer",
"description": "[#not-implemented-hide:] Non-serving port for health checking."
},
"reuse_connection": {
"additionalProperties": true,
"type": "boolean",
"description": "Reuse health check connection between health checks. Default is true."
},
"http_health_check": {
"properties": {
"host": {
"type": "string",
"description": "The value of the host header in the HTTP health check request. If\n left empty (default value), the name of the cluster this health check is associated\n with will be used. The host header can be customized for a specific endpoint by setting the\n :ref:`hostname <envoy_v3_api_field_config.endpoint.v3.Endpoint.HealthCheckConfig.hostname>` field."
},
"path": {
"type": "string",
"description": "Specifies the HTTP path that will be requested during health checking. For example\n */healthcheck*."
},
"send": {
"$ref": "#/definitions/envoy.config.core.v3.HealthCheck.Payload",
"additionalProperties": true,
"description": "[#not-implemented-hide:] HTTP specific payload."
},
"receive": {
"$ref": "#/definitions/envoy.config.core.v3.HealthCheck.Payload",
"additionalProperties": true,
"description": "[#not-implemented-hide:] HTTP specific response."
},
"request_headers_to_add": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"header": {
"$ref": "#/definitions/envoy.config.core.v3.HeaderValue",
"additionalProperties": true,
"description": "Header name/value pair that this option applies to."
},
"append": {
"additionalProperties": true,
"type": "boolean",
"description": "Should the value be appended? If true (default), the value is appended to\n existing values. Otherwise it replaces any existing values."
},
"append_action": {
"enum": [
"APPEND_IF_EXISTS_OR_ADD",
0,
"ADD_IF_ABSENT",
1,
"OVERWRITE_IF_EXISTS_OR_ADD",
2
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "[#not-implemented-hide:] Describes the action taken to append/overwrite the given value for an existing header\n or to only add this header if it's absent. Value defaults to :ref:`APPEND_IF_EXISTS_OR_ADD<envoy_v3_api_enum_value_config.core.v3.HeaderValueOption.HeaderAppendAction.APPEND_IF_EXISTS_OR_ADD>`."
}
},
"additionalProperties": false,
"type": "object",
"description": "Header name/value pair plus option to control append behavior."
},
"type": "array",
"description": "Specifies a list of HTTP headers that should be added to each request that is sent to the\n health checked cluster. For more information, including details on header value syntax, see\n the documentation on :ref:`custom request headers\n <config_http_conn_man_headers_custom_request_headers>`."
},
"request_headers_to_remove": {
"items": {
"type": "string"
},
"type": "array",
"description": "Specifies a list of HTTP headers that should be removed from each request that is sent to the\n health checked cluster."
},
"expected_statuses": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.type.v3.Int64Range"
},
"type": "array",
"description": "Specifies a list of HTTP response statuses considered healthy. If provided, replaces default\n 200-only policy - 200 must be included explicitly as needed. Ranges follow half-open\n semantics of :ref:`Int64Range <envoy_v3_api_msg_type.v3.Int64Range>`. The start and end of each\n range are required. Only statuses in the range [100, 600) are allowed."
},
"retriable_statuses": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.type.v3.Int64Range"
},
"type": "array",
"description": "Specifies a list of HTTP response statuses considered retriable. If provided, responses in this range\n will count towards the configured :ref:`unhealthy_threshold <envoy_v3_api_field_config.core.v3.HealthCheck.unhealthy_threshold>`,\n but will not result in the host being considered immediately unhealthy. Ranges follow half-open semantics of\n :ref:`Int64Range <envoy_v3_api_msg_type.v3.Int64Range>`. The start and end of each range are required.\n Only statuses in the range [100, 600) are allowed. The :ref:`expected_statuses <envoy_v3_api_field_config.core.v3.HealthCheck.HttpHealthCheck.expected_statuses>`\n field takes precedence for any range overlaps with this field i.e. if status code 200 is both retriable and expected, a 200 response will\n be considered a successful health check. By default all responses not in\n :ref:`expected_statuses <envoy_v3_api_field_config.core.v3.HealthCheck.HttpHealthCheck.expected_statuses>` will result in\n the host being considered immediately unhealthy i.e. if status code 200 is expected and there are no configured retriable statuses, any\n non-200 response will result in the host being marked unhealthy."
},
"codec_client_type": {
"enum": [
"HTTP1",
0,
"HTTP2",
1,
"HTTP3",
2
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "Use specified application protocol for health checks."
},
"service_name_matcher": {
"$ref": "#/definitions/envoy.type.matcher.v3.StringMatcher",
"additionalProperties": true,
"description": "An optional service name parameter which is used to validate the identity of\n the health checked cluster using a :ref:`StringMatcher\n <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`. See the :ref:`architecture overview\n <arch_overview_health_checking_identity>` for more information."
}
},
"additionalProperties": true,
"type": "object",
"description": "HTTP health check."
},
"tcp_health_check": {
"properties": {
"send": {
"$ref": "#/definitions/envoy.config.core.v3.HealthCheck.Payload",
"additionalProperties": true,
"description": "Empty payloads imply a connect-only health check."
},
"receive": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.config.core.v3.HealthCheck.Payload"
},
"type": "array",
"description": "When checking the response, \u201cfuzzy\u201d matching is performed such that each\n binary block must be found, and in the order specified, but not\n necessarily contiguous."
}
},
"additionalProperties": true,
"type": "object",
"description": "TCP health check."
},
"grpc_health_check": {
"properties": {
"service_name": {
"type": "string",
"description": "An optional service name parameter which will be sent to gRPC service in\n `grpc.health.v1.HealthCheckRequest\n <https://github.com/grpc/grpc/blob/master/src/proto/grpc/health/v1/health.proto#L20>`_.\n message. See `gRPC health-checking overview\n <https://github.com/grpc/grpc/blob/master/doc/health-checking.md>`_ for more information."
},
"authority": {
"type": "string",
"description": "The value of the :authority header in the gRPC health check request. If\n left empty (default value), the name of the cluster this health check is associated\n with will be used. The authority header can be customized for a specific endpoint by setting\n the :ref:`hostname <envoy_v3_api_field_config.endpoint.v3.Endpoint.HealthCheckConfig.hostname>` field."
}
},
"additionalProperties": true,
"type": "object",
"description": "gRPC health check."
},
"custom_health_check": {
"properties": {
"name": {
"type": "string",
"description": "The registered name of the custom health checker."
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. This string must contain at least\n one \"/\" character. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type.",
"format": "binary",
"binaryEncoding": "base64"
}
},
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": true,
"type": "object",
"description": "Custom health check."
},
"no_traffic_interval": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The \"no traffic interval\" is a special health check interval that is used when a cluster has\n never had traffic routed to it. This lower interval allows cluster information to be kept up to\n date, without sending a potentially large amount of active health checking traffic for no\n reason. Once a cluster has been used for traffic routing, Envoy will shift back to using the\n standard health check interval that is defined. Note that this interval takes precedence over\n any other.\n\n The default value for \"no traffic interval\" is 60 seconds."
},
"no_traffic_healthy_interval": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The \"no traffic healthy interval\" is a special health check interval that\n is used for hosts that are currently passing active health checking\n (including new hosts) when the cluster has received no traffic.\n\n This is useful for when we want to send frequent health checks with\n `no_traffic_interval` but then revert to lower frequency `no_traffic_healthy_interval` once\n a host in the cluster is marked as healthy.\n\n Once a cluster has been used for traffic routing, Envoy will shift back to using the\n standard health check interval that is defined.\n\n If no_traffic_healthy_interval is not set, it will default to the\n no traffic interval and send that interval regardless of health state."
},
"unhealthy_interval": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The \"unhealthy interval\" is a health check interval that is used for hosts that are marked as\n unhealthy. As soon as the host is marked as healthy, Envoy will shift back to using the\n standard health check interval that is defined.\n\n The default value for \"unhealthy interval\" is the same as \"interval\"."
},
"unhealthy_edge_interval": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The \"unhealthy edge interval\" is a special health check interval that is used for the first\n health check right after a host is marked as unhealthy. For subsequent health checks\n Envoy will shift back to using either \"unhealthy interval\" if present or the standard health\n check interval that is defined.\n\n The default value for \"unhealthy edge interval\" is the same as \"unhealthy interval\"."
},
"healthy_edge_interval": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The \"healthy edge interval\" is a special health check interval that is used for the first\n health check right after a host is marked as healthy. For subsequent health checks\n Envoy will shift back to using the standard health check interval that is defined.\n\n The default value for \"healthy edge interval\" is the same as the default interval."
},
"event_log_path": {
"type": "string",
"description": "Specifies the path to the :ref:`health check event log <arch_overview_health_check_logging>`.\n If empty, no event log will be written."
},
"event_service": {
"$ref": "#/definitions/envoy.config.core.v3.EventServiceConfig",
"additionalProperties": true,
"description": "[#not-implemented-hide:]\n The gRPC service for the health check event service.\n If empty, health check events won't be sent to a remote endpoint."
},
"always_log_health_check_failures": {
"type": "boolean",
"description": "If set to true, health check failure events will always be logged. If set to false, only the\n initial health check failure event will be logged.\n The default value is false."
},
"tls_options": {
"properties": {
"alpn_protocols": {
"items": {
"type": "string"
},
"type": "array",
"description": "Specifies the ALPN protocols for health check connections. This is useful if the\n corresponding upstream is using ALPN-based :ref:`FilterChainMatch\n <envoy_v3_api_msg_config.listener.v3.FilterChainMatch>` along with different protocols for health checks\n versus data connections. If empty, no ALPN protocols will be set on health check connections."
}
},
"additionalProperties": true,
"type": "object",
"description": "This allows overriding the cluster TLS settings, just for health check connections."
},
"transport_socket_match_criteria": {
"properties": {
"fields": {
"additionalProperties": {
"additionalProperties": true,
"type": "object"
},
"type": "object",
"description": "Unordered map of dynamically typed values."
}
},
"additionalProperties": true,
"type": "object",
"description": "Optional key/value pairs that will be used to match a transport socket from those specified in the cluster's\n :ref:`tranport socket matches <envoy_v3_api_field_config.cluster.v3.Cluster.transport_socket_matches>`.\n For example, the following match criteria\n\n .. code-block:: yaml\n\n transport_socket_match_criteria:\n useMTLS: true\n\n Will match the following :ref:`cluster socket match <envoy_v3_api_msg_config.cluster.v3.Cluster.TransportSocketMatch>`\n\n .. code-block:: yaml\n\n transport_socket_matches:\n - name: \"useMTLS\"\n match:\n useMTLS: true\n transport_socket:\n name: envoy.transport_sockets.tls\n config: { ... } # tls socket configuration\n\n If this field is set, then for health checks it will supersede an entry of *envoy.transport_socket* in the\n :ref:`LbEndpoint.Metadata <envoy_v3_api_field_config.endpoint.v3.LbEndpoint.metadata>`.\n This allows using different transport socket capabilities for health checking versus proxying to the\n endpoint.\n\n If the key/values pairs specified do not match any\n :ref:`transport socket matches <envoy_v3_api_field_config.cluster.v3.Cluster.transport_socket_matches>`,\n the cluster's :ref:`transport socket <envoy_v3_api_field_config.cluster.v3.Cluster.transport_socket>`\n will be used for health check socket configuration."
}
},
"additionalProperties": false,
"type": "object",
"description": ""
},
"type": "array",
"description": "Optional :ref:`active health checking <arch_overview_health_checking>`\n configuration for the cluster. If no\n configuration is specified no health checking will be done and all cluster\n members will be considered healthy at all times."
},
"max_requests_per_connection": {
"additionalProperties": true,
"type": "integer",
"description": "Optional maximum requests for a single upstream connection. This parameter\n is respected by both the HTTP/1.1 and HTTP/2 connection pool\n implementations. If not specified, there is no limit. Setting this\n parameter to 1 will effectively disable keep alive.\n\n .. attention::\n This field has been deprecated in favor of the :ref:`max_requests_per_connection <envoy_v3_api_field_config.core.v3.HttpProtocolOptions.max_requests_per_connection>` field."
},
"circuit_breakers": {
"properties": {
"thresholds": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"priority": {
"enum": [
"DEFAULT",
0,
"HIGH",
1
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "The :ref:`RoutingPriority<envoy_v3_api_enum_config.core.v3.RoutingPriority>`\n the specified CircuitBreaker settings apply to."
},
"max_connections": {
"additionalProperties": true,
"type": "integer",
"description": "The maximum number of connections that Envoy will make to the upstream\n cluster. If not specified, the default is 1024."
},
"max_pending_requests": {
"additionalProperties": true,
"type": "integer",
"description": "The maximum number of pending requests that Envoy will allow to the\n upstream cluster. If not specified, the default is 1024.\n This limit is applied as a connection limit for non-HTTP traffic."
},
"max_requests": {
"additionalProperties": true,
"type": "integer",
"description": "The maximum number of parallel requests that Envoy will make to the\n upstream cluster. If not specified, the default is 1024.\n This limit does not apply to non-HTTP traffic."
},
"max_retries": {
"additionalProperties": true,
"type": "integer",
"description": "The maximum number of parallel retries that Envoy will allow to the\n upstream cluster. If not specified, the default is 3."
},
"retry_budget": {
"properties": {
"budget_percent": {
"$ref": "#/definitions/envoy.type.v3.Percent",
"additionalProperties": true,
"description": "Specifies the limit on concurrent retries as a percentage of the sum of active requests and\n active pending requests. For example, if there are 100 active requests and the\n budget_percent is set to 25, there may be 25 active retries.\n\n This parameter is optional. Defaults to 20%."
},
"min_retry_concurrency": {
"additionalProperties": true,
"type": "integer",
"description": "Specifies the minimum retry concurrency allowed for the retry budget. The limit on the\n number of active retries may never go below this number.\n\n This parameter is optional. Defaults to 3."
}
},
"additionalProperties": true,
"type": "object",
"description": "Specifies a limit on concurrent retries in relation to the number of active requests. This\n parameter is optional.\n\n .. note::\n\n If this field is set, the retry budget will override any configured retry circuit\n breaker."
},
"track_remaining": {
"type": "boolean",
"description": "If track_remaining is true, then stats will be published that expose\n the number of resources remaining until the circuit breakers open. If\n not specified, the default is false.\n\n .. note::\n\n If a retry budget is used in lieu of the max_retries circuit breaker,\n the remaining retry resources remaining will not be tracked."
},
"max_connection_pools": {
"additionalProperties": true,
"type": "integer",
"description": "The maximum number of connection pools per cluster that Envoy will concurrently support at\n once. If not specified, the default is unlimited. Set this for clusters which create a\n large number of connection pools. See\n :ref:`Circuit Breaking <arch_overview_circuit_break_cluster_maximum_connection_pools>` for\n more details."
}
},
"additionalProperties": false,
"type": "object",
"description": "A Thresholds defines CircuitBreaker settings for a\n :ref:`RoutingPriority<envoy_v3_api_enum_config.core.v3.RoutingPriority>`.\n "
},
"type": "array",
"description": "If multiple :ref:`Thresholds<envoy_v3_api_msg_config.cluster.v3.CircuitBreakers.Thresholds>`\n are defined with the same :ref:`RoutingPriority<envoy_v3_api_enum_config.core.v3.RoutingPriority>`,\n the first one in the list is used. If no Thresholds is defined for a given\n :ref:`RoutingPriority<envoy_v3_api_enum_config.core.v3.RoutingPriority>`, the default values\n are used."
}
},
"additionalProperties": true,
"type": "object",
"description": "Optional :ref:`circuit breaking <arch_overview_circuit_break>` for the cluster."
},
"upstream_http_protocol_options": {
"properties": {
"auto_sni": {
"type": "boolean",
"description": "Set transport socket `SNI <https://en.wikipedia.org/wiki/Server_Name_Indication>`_ for new\n upstream connections based on the downstream HTTP host/authority header or any other arbitrary\n header when :ref:`override_auto_sni_header <envoy_v3_api_field_config.core.v3.UpstreamHttpProtocolOptions.override_auto_sni_header>`\n is set, as seen by the :ref:`router filter <config_http_filters_router>`."
},
"auto_san_validation": {
"type": "boolean",
"description": "Automatic validate upstream presented certificate for new upstream connections based on the\n downstream HTTP host/authority header or any other arbitrary header when :ref:`override_auto_sni_header <envoy_v3_api_field_config.core.v3.UpstreamHttpProtocolOptions.override_auto_sni_header>`\n is set, as seen by the :ref:`router filter <config_http_filters_router>`.\n This field is intended to be set with `auto_sni` field."
},
"override_auto_sni_header": {
"type": "string",
"description": "An optional alternative to the host/authority header to be used for setting the SNI value.\n It should be a valid downstream HTTP header, as seen by the\n :ref:`router filter <config_http_filters_router>`.\n If unset, host/authority header will be used for populating the SNI. If the specified header\n is not found or the value is empty, host/authority header will be used instead.\n This field is intended to be set with `auto_sni` and/or `auto_san_validation` fields.\n If none of these fields are set then setting this would be a no-op."
}
},
"additionalProperties": true,
"type": "object",
"description": "HTTP protocol options that are applied only to upstream HTTP connections.\n These options apply to all HTTP versions.\n This has been deprecated in favor of\n :ref:`upstream_http_protocol_options <envoy_v3_api_field_extensions.upstreams.http.v3.HttpProtocolOptions.upstream_http_protocol_options>`\n in the :ref:`http_protocol_options <envoy_v3_api_msg_extensions.upstreams.http.v3.HttpProtocolOptions>` message.\n upstream_http_protocol_options can be set via the cluster's\n :ref:`extension_protocol_options<envoy_v3_api_field_config.cluster.v3.Cluster.typed_extension_protocol_options>`.\n See :ref:`upstream_http_protocol_options\n <envoy_v3_api_field_extensions.upstreams.http.v3.HttpProtocolOptions.upstream_http_protocol_options>`\n for example usage."
},
"common_http_protocol_options": {
"properties": {
"idle_timeout": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The idle timeout for connections. The idle timeout is defined as the\n period in which there are no active requests. When the\n idle timeout is reached the connection will be closed. If the connection is an HTTP/2\n downstream connection a drain sequence will occur prior to closing the connection, see\n :ref:`drain_timeout\n <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.drain_timeout>`.\n Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive.\n If not specified, this defaults to 1 hour. To disable idle timeouts explicitly set this to 0.\n\n .. warning::\n Disabling this timeout has a highly likelihood of yielding connection leaks due to lost TCP\n FIN packets, etc.\n\n If the :ref:`overload action <config_overload_manager_overload_actions>` \"envoy.overload_actions.reduce_timeouts\"\n is configured, this timeout is scaled for downstream connections according to the value for\n :ref:`HTTP_DOWNSTREAM_CONNECTION_IDLE <envoy_v3_api_enum_value_config.overload.v3.ScaleTimersOverloadActionConfig.TimerType.HTTP_DOWNSTREAM_CONNECTION_IDLE>`."
},
"max_connection_duration": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The maximum duration of a connection. The duration is defined as a period since a connection\n was established. If not set, there is no max duration. When max_connection_duration is reached\n and if there are no active streams, the connection will be closed. If the connection is a\n downstream connection and there are any active streams, the drain sequence will kick-in,\n and the connection will be force-closed after the drain period. See :ref:`drain_timeout\n <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.drain_timeout>`."
},
"max_headers_count": {
"additionalProperties": true,
"type": "integer",
"description": "The maximum number of headers. If unconfigured, the default\n maximum number of request headers allowed is 100. Requests that exceed this limit will receive\n a 431 response for HTTP/1.x and cause a stream reset for HTTP/2."
},
"max_stream_duration": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "Total duration to keep alive an HTTP request/response stream. If the time limit is reached the stream will be\n reset independent of any other timeouts. If not specified, this value is not set."
},
"headers_with_underscores_action": {
"enum": [
"ALLOW",
0,
"REJECT_REQUEST",
1,
"DROP_HEADER",
2
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "Action to take when a client request with a header name containing underscore characters is received.\n If this setting is not specified, the value defaults to ALLOW.\n Note: upstream responses are not affected by this setting."
},
"max_requests_per_connection": {
"additionalProperties": true,
"type": "integer",
"description": "Optional maximum requests for both upstream and downstream connections.\n If not specified, there is no limit.\n Setting this parameter to 1 will effectively disable keep alive.\n For HTTP/2 and HTTP/3, due to concurrent stream processing, the limit is approximate."
}
},
"additionalProperties": true,
"type": "object",
"description": "Additional options when handling HTTP requests upstream. These options will be applicable to\n both HTTP1 and HTTP2 requests.\n This has been deprecated in favor of\n :ref:`common_http_protocol_options <envoy_v3_api_field_extensions.upstreams.http.v3.HttpProtocolOptions.common_http_protocol_options>`\n in the :ref:`http_protocol_options <envoy_v3_api_msg_extensions.upstreams.http.v3.HttpProtocolOptions>` message.\n common_http_protocol_options can be set via the cluster's\n :ref:`extension_protocol_options<envoy_v3_api_field_config.cluster.v3.Cluster.typed_extension_protocol_options>`.\n See :ref:`upstream_http_protocol_options\n <envoy_v3_api_field_extensions.upstreams.http.v3.HttpProtocolOptions.upstream_http_protocol_options>`\n for example usage."
},
"http_protocol_options": {
"properties": {
"allow_absolute_url": {
"additionalProperties": true,
"type": "boolean",
"description": "Handle HTTP requests with absolute URLs in the requests. These requests\n are generally sent by clients to forward/explicit proxies. This allows clients to configure\n envoy as their HTTP proxy. In Unix, for example, this is typically done by setting the\n *http_proxy* environment variable."
},
"accept_http_10": {
"type": "boolean",
"description": "Handle incoming HTTP/1.0 and HTTP 0.9 requests.\n This is off by default, and not fully standards compliant. There is support for pre-HTTP/1.1\n style connect logic, dechunking, and handling lack of client host iff\n *default_host_for_http_10* is configured."
},
"default_host_for_http_10": {
"type": "string",
"description": "A default host for HTTP/1.0 requests. This is highly suggested if *accept_http_10* is true as\n Envoy does not otherwise support HTTP/1.0 without a Host header.\n This is a no-op if *accept_http_10* is not true."
},
"header_key_format": {
"properties": {
"proper_case_words": {
"additionalProperties": true,
"type": "object",
"description": "Formats the header by proper casing words: the first character and any character following\n a special character will be capitalized if it's an alpha character. For example,\n \"content-type\" becomes \"Content-Type\", and \"foo$b#$are\" becomes \"Foo$B#$Are\".\n Note that while this results in most headers following conventional casing, certain headers\n are not covered. For example, the \"TE\" header will be formatted as \"Te\"."
},
"stateful_formatter": {
"$ref": "#/definitions/envoy.config.core.v3.TypedExtensionConfig",
"additionalProperties": true,
"description": "Configuration for stateful formatter extensions that allow using received headers to\n affect the output of encoding headers. E.g., preserving case during proxying.\n "
}
},
"additionalProperties": true,
"type": "object",
"description": "Describes how the keys for response headers should be formatted. By default, all header keys\n are lower cased."
},
"enable_trailers": {
"type": "boolean",
"description": "Enables trailers for HTTP/1. By default the HTTP/1 codec drops proxied trailers.\n\n .. attention::\n\n Note that this only happens when Envoy is chunk encoding which occurs when:\n - The request is HTTP/1.1.\n - Is neither a HEAD only request nor a HTTP Upgrade.\n - Not a response to a HEAD request.\n - The content length header is not present."
},
"allow_chunked_length": {
"type": "boolean",
"description": "Allows Envoy to process requests/responses with both `Content-Length` and `Transfer-Encoding`\n headers set. By default such messages are rejected, but if option is enabled - Envoy will\n remove Content-Length header and process message.\n See `RFC7230, sec. 3.3.3 <https://tools.ietf.org/html/rfc7230#section-3.3.3>`_ for details.\n\n .. attention::\n Enabling this option might lead to request smuggling vulnerability, especially if traffic\n is proxied via multiple layers of proxies."
},
"override_stream_error_on_invalid_http_message": {
"additionalProperties": true,
"type": "boolean",
"description": "Allows invalid HTTP messaging. When this option is false, then Envoy will terminate\n HTTP/1.1 connections upon receiving an invalid HTTP message. However,\n when this option is true, then Envoy will leave the HTTP/1.1 connection\n open where possible.\n If set, this overrides any HCM :ref:`stream_error_on_invalid_http_messaging\n <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_error_on_invalid_http_message>`."
}
},
"additionalProperties": true,
"type": "object",
"description": "Additional options when handling HTTP1 requests.\n This has been deprecated in favor of http_protocol_options fields in the\n :ref:`http_protocol_options <envoy_v3_api_msg_extensions.upstreams.http.v3.HttpProtocolOptions>` message.\n http_protocol_options can be set via the cluster's\n :ref:`extension_protocol_options<envoy_v3_api_field_config.cluster.v3.Cluster.typed_extension_protocol_options>`.\n See :ref:`upstream_http_protocol_options\n <envoy_v3_api_field_extensions.upstreams.http.v3.HttpProtocolOptions.upstream_http_protocol_options>`\n for example usage."
},
"http2_protocol_options": {
"properties": {
"hpack_table_size": {
"additionalProperties": true,
"type": "integer",
"description": "`Maximum table size <https://httpwg.org/specs/rfc7541.html#rfc.section.4.2>`_\n (in octets) that the encoder is permitted to use for the dynamic HPACK table. Valid values\n range from 0 to 4294967295 (2^32 - 1) and defaults to 4096. 0 effectively disables header\n compression."
},
"max_concurrent_streams": {
"additionalProperties": true,
"type": "integer",
"description": "`Maximum concurrent streams <https://httpwg.org/specs/rfc7540.html#rfc.section.5.1.2>`_\n allowed for peer on one HTTP/2 connection. Valid values range from 1 to 2147483647 (2^31 - 1)\n and defaults to 2147483647.\n\n For upstream connections, this also limits how many streams Envoy will initiate concurrently\n on a single connection. If the limit is reached, Envoy may queue requests or establish\n additional connections (as allowed per circuit breaker limits).\n\n This acts as an upper bound: Envoy will lower the max concurrent streams allowed on a given\n connection based on upstream settings. Config dumps will reflect the configured upper bound,\n not the per-connection negotiated limits."
},
"initial_stream_window_size": {
"additionalProperties": true,
"type": "integer",
"description": "`Initial stream-level flow-control window\n <https://httpwg.org/specs/rfc7540.html#rfc.section.6.9.2>`_ size. Valid values range from 65535\n (2^16 - 1, HTTP/2 default) to 2147483647 (2^31 - 1, HTTP/2 maximum) and defaults to 268435456\n (256 * 1024 * 1024).\n\n NOTE: 65535 is the initial window size from HTTP/2 spec. We only support increasing the default\n window size now, so it's also the minimum.\n\n This field also acts as a soft limit on the number of bytes Envoy will buffer per-stream in the\n HTTP/2 codec buffers. Once the buffer reaches this pointer, watermark callbacks will fire to\n stop the flow of data to the codec buffers."
},
"initial_connection_window_size": {
"additionalProperties": true,
"type": "integer",
"description": "Similar to *initial_stream_window_size*, but for connection-level flow-control\n window. Currently, this has the same minimum/maximum/default as *initial_stream_window_size*."
},
"allow_connect": {
"type": "boolean",
"description": "Allows proxying Websocket and other upgrades over H2 connect."
},
"allow_metadata": {
"type": "boolean",
"description": "[#not-implemented-hide:] Hiding until envoy has full metadata support.\n Still under implementation. DO NOT USE.\n\n Allows metadata. See [metadata\n docs](https://github.com/envoyproxy/envoy/blob/main/source/docs/h2_metadata.md) for more\n information."
},
"max_outbound_frames": {
"additionalProperties": true,
"type": "integer",
"description": "Limit the number of pending outbound downstream frames of all types (frames that are waiting to\n be written into the socket). Exceeding this limit triggers flood mitigation and connection is\n terminated. The ``http2.outbound_flood`` stat tracks the number of terminated connections due\n to flood mitigation. The default limit is 10000."
},
"max_outbound_control_frames": {
"additionalProperties": true,
"type": "integer",
"description": "Limit the number of pending outbound downstream frames of types PING, SETTINGS and RST_STREAM,\n preventing high memory utilization when receiving continuous stream of these frames. Exceeding\n this limit triggers flood mitigation and connection is terminated. The\n ``http2.outbound_control_flood`` stat tracks the number of terminated connections due to flood\n mitigation. The default limit is 1000."
},
"max_consecutive_inbound_frames_with_empty_payload": {
"additionalProperties": true,
"type": "integer",
"description": "Limit the number of consecutive inbound frames of types HEADERS, CONTINUATION and DATA with an\n empty payload and no end stream flag. Those frames have no legitimate use and are abusive, but\n might be a result of a broken HTTP/2 implementation. The `http2.inbound_empty_frames_flood``\n stat tracks the number of connections terminated due to flood mitigation.\n Setting this to 0 will terminate connection upon receiving first frame with an empty payload\n and no end stream flag. The default limit is 1."
},
"max_inbound_priority_frames_per_stream": {
"additionalProperties": true,
"type": "integer",
"description": "Limit the number of inbound PRIORITY frames allowed per each opened stream. If the number\n of PRIORITY frames received over the lifetime of connection exceeds the value calculated\n using this formula::\n\n max_inbound_priority_frames_per_stream * (1 + opened_streams)\n\n the connection is terminated. For downstream connections the `opened_streams` is incremented when\n Envoy receives complete response headers from the upstream server. For upstream connection the\n `opened_streams` is incremented when Envoy send the HEADERS frame for a new stream. The\n ``http2.inbound_priority_frames_flood`` stat tracks\n the number of connections terminated due to flood mitigation. The default limit is 100."
},
"max_inbound_window_update_frames_per_data_frame_sent": {
"additionalProperties": true,
"type": "integer",
"description": "Limit the number of inbound WINDOW_UPDATE frames allowed per DATA frame sent. If the number\n of WINDOW_UPDATE frames received over the lifetime of connection exceeds the value calculated\n using this formula::\n\n 5 + 2 * (opened_streams +\n max_inbound_window_update_frames_per_data_frame_sent * outbound_data_frames)\n\n the connection is terminated. For downstream connections the `opened_streams` is incremented when\n Envoy receives complete response headers from the upstream server. For upstream connections the\n `opened_streams` is incremented when Envoy sends the HEADERS frame for a new stream. The\n ``http2.inbound_priority_frames_flood`` stat tracks the number of connections terminated due to\n flood mitigation. The default max_inbound_window_update_frames_per_data_frame_sent value is 10.\n Setting this to 1 should be enough to support HTTP/2 implementations with basic flow control,\n but more complex implementations that try to estimate available bandwidth require at least 2."
},
"stream_error_on_invalid_http_messaging": {
"type": "boolean",
"description": "Allows invalid HTTP messaging and headers. When this option is disabled (default), then\n the whole HTTP/2 connection is terminated upon receiving invalid HEADERS frame. However,\n when this option is enabled, only the offending stream is terminated.\n\n This is overridden by HCM :ref:`stream_error_on_invalid_http_messaging\n <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_error_on_invalid_http_message>`\n iff present.\n\n This is deprecated in favor of :ref:`override_stream_error_on_invalid_http_message\n <envoy_v3_api_field_config.core.v3.Http2ProtocolOptions.override_stream_error_on_invalid_http_message>`\n\n See `RFC7540, sec. 8.1 <https://tools.ietf.org/html/rfc7540#section-8.1>`_ for details."
},
"override_stream_error_on_invalid_http_message": {
"additionalProperties": true,
"type": "boolean",
"description": "Allows invalid HTTP messaging and headers. When this option is disabled (default), then\n the whole HTTP/2 connection is terminated upon receiving invalid HEADERS frame. However,\n when this option is enabled, only the offending stream is terminated.\n\n This overrides any HCM :ref:`stream_error_on_invalid_http_messaging\n <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_error_on_invalid_http_message>`\n\n See `RFC7540, sec. 8.1 <https://tools.ietf.org/html/rfc7540#section-8.1>`_ for details."
},
"custom_settings_parameters": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"identifier": {
"additionalProperties": true,
"type": "integer",
"description": "The 16 bit parameter identifier."
},
"value": {
"additionalProperties": true,
"type": "integer",
"description": "The 32 bit parameter value."
}
},
"additionalProperties": false,
"type": "object",
"description": "Defines a parameter to be sent in the SETTINGS frame.\n See `RFC7540, sec. 6.5.1 <https://tools.ietf.org/html/rfc7540#section-6.5.1>`_ for details."
},
"type": "array",
"description": "[#not-implemented-hide:]\n Specifies SETTINGS frame parameters to be sent to the peer, with two exceptions:\n\n 1. SETTINGS_ENABLE_PUSH (0x2) is not configurable as HTTP/2 server push is not supported by\n Envoy.\n\n 2. SETTINGS_ENABLE_CONNECT_PROTOCOL (0x8) is only configurable through the named field\n 'allow_connect'.\n\n Note that custom parameters specified through this field can not also be set in the\n corresponding named parameters:\n\n .. code-block:: text\n\n ID Field Name\n ----------------\n 0x1 hpack_table_size\n 0x3 max_concurrent_streams\n 0x4 initial_stream_window_size\n\n Collisions will trigger config validation failure on load/update. Likewise, inconsistencies\n between custom parameters with the same identifier will trigger a failure.\n\n See `IANA HTTP/2 Settings\n <https://www.iana.org/assignments/http2-parameters/http2-parameters.xhtml#settings>`_ for\n standardized identifiers."
},
"connection_keepalive": {
"properties": {
"interval": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "Send HTTP/2 PING frames at this period, in order to test that the connection is still alive.\n If this is zero, interval PINGs will not be sent."
},
"timeout": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "How long to wait for a response to a keepalive PING. If a response is not received within this\n time period, the connection will be aborted."
},
"interval_jitter": {
"$ref": "#/definitions/envoy.type.v3.Percent",
"additionalProperties": true,
"description": "A random jitter amount as a percentage of interval that will be added to each interval.\n A value of zero means there will be no jitter.\n The default value is 15%."
},
"connection_idle_interval": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "If the connection has been idle for this duration, send a HTTP/2 ping ahead\n of new stream creation, to quickly detect dead connections.\n If this is zero, this type of PING will not be sent.\n If an interval ping is outstanding, a second ping will not be sent as the\n interval ping will determine if the connection is dead.\n\n The same feature for HTTP/3 is given by inheritance from QUICHE which uses :ref:`connection idle_timeout <envoy_v3_api_field_config.listener.v3.QuicProtocolOptions.idle_timeout>` and the current PTO of the connection to decide whether to probe before sending a new request."
}
},
"additionalProperties": true,
"type": "object",
"description": "Send HTTP/2 PING frames to verify that the connection is still healthy. If the remote peer\n does not respond within the configured timeout, the connection will be aborted."
}
},
"additionalProperties": true,
"type": "object",
"description": "Even if default HTTP2 protocol options are desired, this field must be\n set so that Envoy will assume that the upstream supports HTTP/2 when\n making new HTTP connection pool connections. Currently, Envoy only\n supports prior knowledge for upstream connections. Even if TLS is used\n with ALPN, `http2_protocol_options` must be specified. As an aside this allows HTTP/2\n connections to happen over plain text.\n This has been deprecated in favor of http2_protocol_options fields in the\n :ref:`http_protocol_options <envoy_v3_api_msg_extensions.upstreams.http.v3.HttpProtocolOptions>`\n message. http2_protocol_options can be set via the cluster's\n :ref:`extension_protocol_options<envoy_v3_api_field_config.cluster.v3.Cluster.typed_extension_protocol_options>`.\n See :ref:`upstream_http_protocol_options\n <envoy_v3_api_field_extensions.upstreams.http.v3.HttpProtocolOptions.upstream_http_protocol_options>`\n for example usage."
},
"typed_extension_protocol_options": {
"additionalProperties": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. This string must contain at least\n one \"/\" character. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type.",
"format": "binary",
"binaryEncoding": "base64"
}
},
"additionalProperties": true,
"type": "object"
},
"type": "object",
"description": "The extension_protocol_options field is used to provide extension-specific protocol options\n for upstream connections. The key should match the extension filter name, such as\n \"envoy.filters.network.thrift_proxy\". See the extension's documentation for details on\n specific options.\n "
},
"dns_refresh_rate": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "If the DNS refresh rate is specified and the cluster type is either\n :ref:`STRICT_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>`,\n or :ref:`LOGICAL_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS>`,\n this value is used as the cluster\u2019s DNS refresh\n rate. The value configured must be at least 1ms. If this setting is not specified, the\n value defaults to 5000ms. For cluster types other than\n :ref:`STRICT_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>`\n and :ref:`LOGICAL_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS>`\n this setting is ignored."
},
"dns_failure_refresh_rate": {
"properties": {
"base_interval": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "Specifies the base interval between refreshes. This parameter is required and must be greater\n than zero and less than\n :ref:`max_interval <envoy_v3_api_field_config.cluster.v3.Cluster.RefreshRate.max_interval>`."
},
"max_interval": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "Specifies the maximum interval between refreshes. This parameter is optional, but must be\n greater than or equal to the\n :ref:`base_interval <envoy_v3_api_field_config.cluster.v3.Cluster.RefreshRate.base_interval>` if set. The default\n is 10 times the :ref:`base_interval <envoy_v3_api_field_config.cluster.v3.Cluster.RefreshRate.base_interval>`."
}
},
"additionalProperties": true,
"type": "object",
"description": "If the DNS failure refresh rate is specified and the cluster type is either\n :ref:`STRICT_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>`,\n or :ref:`LOGICAL_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS>`,\n this is used as the cluster\u2019s DNS refresh rate when requests are failing. If this setting is\n not specified, the failure refresh rate defaults to the DNS refresh rate. For cluster types\n other than :ref:`STRICT_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>` and\n :ref:`LOGICAL_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS>` this setting is\n ignored."
},
"respect_dns_ttl": {
"type": "boolean",
"description": "Optional configuration for setting cluster's DNS refresh rate. If the value is set to true,\n cluster's DNS refresh rate will be set to resource record's TTL which comes from DNS\n resolution."
},
"dns_lookup_family": {
"enum": [
"AUTO",
0,
"V4_ONLY",
1,
"V6_ONLY",
2,
"V4_PREFERRED",
3,
"ALL",
4
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "The DNS IP address resolution policy. If this setting is not specified, the\n value defaults to\n :ref:`AUTO<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DnsLookupFamily.AUTO>`."
},
"dns_resolvers": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.config.core.v3.Address"
},
"type": "array",
"description": "If DNS resolvers are specified and the cluster type is either\n :ref:`STRICT_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>`,\n or :ref:`LOGICAL_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS>`,\n this value is used to specify the cluster\u2019s dns resolvers.\n If this setting is not specified, the value defaults to the default\n resolver, which uses /etc/resolv.conf for configuration. For cluster types\n other than\n :ref:`STRICT_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>`\n and :ref:`LOGICAL_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS>`\n this setting is ignored.\n This field is deprecated in favor of *dns_resolution_config*\n which aggregates all of the DNS resolver configuration in a single message."
},
"use_tcp_for_dns_lookups": {
"type": "boolean",
"description": "Always use TCP queries instead of UDP queries for DNS lookups.\n This field is deprecated in favor of *dns_resolution_config*\n which aggregates all of the DNS resolver configuration in a single message."
},
"dns_resolution_config": {
"$ref": "#/definitions/envoy.config.core.v3.DnsResolutionConfig",
"additionalProperties": true,
"description": "DNS resolution configuration which includes the underlying dns resolver addresses and options.\n This field is deprecated in favor of\n :ref:`typed_dns_resolver_config <envoy_v3_api_field_config.cluster.v3.Cluster.typed_dns_resolver_config>`."
},
"typed_dns_resolver_config": {
"$ref": "#/definitions/envoy.config.core.v3.TypedExtensionConfig",
"additionalProperties": true,
"description": "DNS resolver type configuration extension. This extension can be used to configure c-ares, apple,\n or any other DNS resolver types and the related parameters.\n For example, an object of\n :ref:`CaresDnsResolverConfig <envoy_v3_api_msg_extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig>`\n can be packed into this *typed_dns_resolver_config*. This configuration replaces the\n :ref:`dns_resolution_config <envoy_v3_api_field_config.cluster.v3.Cluster.dns_resolution_config>`\n configuration.\n During the transition period when both *dns_resolution_config* and *typed_dns_resolver_config* exists,\n when *typed_dns_resolver_config* is in place, Envoy will use it and ignore *dns_resolution_config*.\n When *typed_dns_resolver_config* is missing, the default behavior is in place.\n "
},
"wait_for_warm_on_init": {
"additionalProperties": true,
"type": "boolean",
"description": "Optional configuration for having cluster readiness block on warm-up. Currently, only applicable for\n :ref:`STRICT_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>`,\n or :ref:`LOGICAL_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS>`.\n If true, cluster readiness blocks on warm-up. If false, the cluster will complete\n initialization whether or not warm-up has completed. Defaults to true."
},
"outlier_detection": {
"properties": {
"consecutive_5xx": {
"additionalProperties": true,
"type": "integer",
"description": "The number of consecutive 5xx responses or local origin errors that are mapped\n to 5xx error codes before a consecutive 5xx ejection\n occurs. Defaults to 5."
},
"interval": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The time interval between ejection analysis sweeps. This can result in\n both new ejections as well as hosts being returned to service. Defaults\n to 10000ms or 10s."
},
"base_ejection_time": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The base time that a host is ejected for. The real time is equal to the\n base time multiplied by the number of times the host has been ejected and is\n capped by :ref:`max_ejection_time<envoy_v3_api_field_config.cluster.v3.OutlierDetection.max_ejection_time>`.\n Defaults to 30000ms or 30s."
},
"max_ejection_percent": {
"additionalProperties": true,
"type": "integer",
"description": "The maximum % of an upstream cluster that can be ejected due to outlier\n detection. Defaults to 10% but will eject at least one host regardless of the value."
},
"enforcing_consecutive_5xx": {
"additionalProperties": true,
"type": "integer",
"description": "The % chance that a host will be actually ejected when an outlier status\n is detected through consecutive 5xx. This setting can be used to disable\n ejection or to ramp it up slowly. Defaults to 100."
},
"enforcing_success_rate": {
"additionalProperties": true,
"type": "integer",
"description": "The % chance that a host will be actually ejected when an outlier status\n is detected through success rate statistics. This setting can be used to\n disable ejection or to ramp it up slowly. Defaults to 100."
},
"success_rate_minimum_hosts": {
"additionalProperties": true,
"type": "integer",
"description": "The number of hosts in a cluster that must have enough request volume to\n detect success rate outliers. If the number of hosts is less than this\n setting, outlier detection via success rate statistics is not performed\n for any host in the cluster. Defaults to 5."
},
"success_rate_request_volume": {
"additionalProperties": true,
"type": "integer",
"description": "The minimum number of total requests that must be collected in one\n interval (as defined by the interval duration above) to include this host\n in success rate based outlier detection. If the volume is lower than this\n setting, outlier detection via success rate statistics is not performed\n for that host. Defaults to 100."
},
"success_rate_stdev_factor": {
"additionalProperties": true,
"type": "integer",
"description": "This factor is used to determine the ejection threshold for success rate\n outlier ejection. The ejection threshold is the difference between the\n mean success rate, and the product of this factor and the standard\n deviation of the mean success rate: mean - (stdev *\n success_rate_stdev_factor). This factor is divided by a thousand to get a\n double. That is, if the desired factor is 1.9, the runtime value should\n be 1900. Defaults to 1900."
},
"consecutive_gateway_failure": {
"additionalProperties": true,
"type": "integer",
"description": "The number of consecutive gateway failures (502, 503, 504 status codes)\n before a consecutive gateway failure ejection occurs. Defaults to 5."
},
"enforcing_consecutive_gateway_failure": {
"additionalProperties": true,
"type": "integer",
"description": "The % chance that a host will be actually ejected when an outlier status\n is detected through consecutive gateway failures. This setting can be\n used to disable ejection or to ramp it up slowly. Defaults to 0."
},
"split_external_local_origin_errors": {
"type": "boolean",
"description": "Determines whether to distinguish local origin failures from external errors. If set to true\n the following configuration parameters are taken into account:\n :ref:`consecutive_local_origin_failure<envoy_v3_api_field_config.cluster.v3.OutlierDetection.consecutive_local_origin_failure>`,\n :ref:`enforcing_consecutive_local_origin_failure<envoy_v3_api_field_config.cluster.v3.OutlierDetection.enforcing_consecutive_local_origin_failure>`\n and\n :ref:`enforcing_local_origin_success_rate<envoy_v3_api_field_config.cluster.v3.OutlierDetection.enforcing_local_origin_success_rate>`.\n Defaults to false."
},
"consecutive_local_origin_failure": {
"additionalProperties": true,
"type": "integer",
"description": "The number of consecutive locally originated failures before ejection\n occurs. Defaults to 5. Parameter takes effect only when\n :ref:`split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`\n is set to true."
},
"enforcing_consecutive_local_origin_failure": {
"additionalProperties": true,
"type": "integer",
"description": "The % chance that a host will be actually ejected when an outlier status\n is detected through consecutive locally originated failures. This setting can be\n used to disable ejection or to ramp it up slowly. Defaults to 100.\n Parameter takes effect only when\n :ref:`split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`\n is set to true."
},
"enforcing_local_origin_success_rate": {
"additionalProperties": true,
"type": "integer",
"description": "The % chance that a host will be actually ejected when an outlier status\n is detected through success rate statistics for locally originated errors.\n This setting can be used to disable ejection or to ramp it up slowly. Defaults to 100.\n Parameter takes effect only when\n :ref:`split_external_local_origin_errors<envoy_v3_api_field_config.cluster.v3.OutlierDetection.split_external_local_origin_errors>`\n is set to true."
},
"failure_percentage_threshold": {
"additionalProperties": true,
"type": "integer",
"description": "The failure percentage to use when determining failure percentage-based outlier detection. If\n the failure percentage of a given host is greater than or equal to this value, it will be\n ejected. Defaults to 85."
},
"enforcing_failure_percentage": {
"additionalProperties": true,
"type": "integer",
"description": "The % chance that a host will be actually ejected when an outlier status is detected through\n failure percentage statistics. This setting can be used to disable ejection or to ramp it up\n slowly. Defaults to 0.\n\n [#next-major-version: setting this without setting failure_percentage_threshold should be\n invalid in v4.]"
},
"enforcing_failure_percentage_local_origin": {
"additionalProperties": true,
"type": "integer",
"description": "The % chance that a host will be actually ejected when an outlier status is detected through\n local-origin failure percentage statistics. This setting can be used to disable ejection or to\n ramp it up slowly. Defaults to 0."
},
"failure_percentage_minimum_hosts": {
"additionalProperties": true,
"type": "integer",
"description": "The minimum number of hosts in a cluster in order to perform failure percentage-based ejection.\n If the total number of hosts in the cluster is less than this value, failure percentage-based\n ejection will not be performed. Defaults to 5."
},
"failure_percentage_request_volume": {
"additionalProperties": true,
"type": "integer",
"description": "The minimum number of total requests that must be collected in one interval (as defined by the\n interval duration above) to perform failure percentage-based ejection for this host. If the\n volume is lower than this setting, failure percentage-based ejection will not be performed for\n this host. Defaults to 50."
},
"max_ejection_time": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The maximum time that a host is ejected for. See :ref:`base_ejection_time<envoy_v3_api_field_config.cluster.v3.OutlierDetection.base_ejection_time>`\n for more information. If not specified, the default value (300000ms or 300s) or\n :ref:`base_ejection_time<envoy_v3_api_field_config.cluster.v3.OutlierDetection.base_ejection_time>` value is applied, whatever is larger."
}
},
"additionalProperties": true,
"type": "object",
"description": "If specified, outlier detection will be enabled for this upstream cluster.\n Each of the configuration values can be overridden via\n :ref:`runtime values <config_cluster_manager_cluster_runtime_outlier_detection>`."
},
"cleanup_interval": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The interval for removing stale hosts from a cluster type\n :ref:`ORIGINAL_DST<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.ORIGINAL_DST>`.\n Hosts are considered stale if they have not been used\n as upstream destinations during this interval. New hosts are added\n to original destination clusters on demand as new connections are\n redirected to Envoy, causing the number of hosts in the cluster to\n grow over time. Hosts that are not stale (they are actively used as\n destinations) are kept in the cluster, which allows connections to\n them remain open, saving the latency that would otherwise be spent\n on opening new connections. If this setting is not specified, the\n value defaults to 5000ms. For cluster types other than\n :ref:`ORIGINAL_DST<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.ORIGINAL_DST>`\n this setting is ignored."
},
"upstream_bind_config": {
"$ref": "#/definitions/envoy.config.core.v3.BindConfig",
"additionalProperties": true,
"description": "Optional configuration used to bind newly established upstream connections.\n This overrides any bind_config specified in the bootstrap proto.\n If the address and port are empty, no bind will be performed."
},
"lb_subset_config": {
"properties": {
"fallback_policy": {
"enum": [
"NO_FALLBACK",
0,
"ANY_ENDPOINT",
1,
"DEFAULT_SUBSET",
2
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "The behavior used when no endpoint subset matches the selected route's\n metadata. The value defaults to\n :ref:`NO_FALLBACK<envoy_v3_api_enum_value_config.cluster.v3.Cluster.LbSubsetConfig.LbSubsetFallbackPolicy.NO_FALLBACK>`."
},
"default_subset": {
"properties": {
"fields": {
"additionalProperties": {
"additionalProperties": true,
"type": "object"
},
"type": "object",
"description": "Unordered map of dynamically typed values."
}
},
"additionalProperties": true,
"type": "object",
"description": "Specifies the default subset of endpoints used during fallback if\n fallback_policy is\n :ref:`DEFAULT_SUBSET<envoy_v3_api_enum_value_config.cluster.v3.Cluster.LbSubsetConfig.LbSubsetFallbackPolicy.DEFAULT_SUBSET>`.\n Each field in default_subset is\n compared to the matching LbEndpoint.Metadata under the *envoy.lb*\n namespace. It is valid for no hosts to match, in which case the behavior\n is the same as a fallback_policy of\n :ref:`NO_FALLBACK<envoy_v3_api_enum_value_config.cluster.v3.Cluster.LbSubsetConfig.LbSubsetFallbackPolicy.NO_FALLBACK>`."
},
"subset_selectors": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"keys": {
"items": {
"type": "string"
},
"type": "array",
"description": "List of keys to match with the weighted cluster metadata."
},
"single_host_per_subset": {
"type": "boolean",
"description": "Selects a mode of operation in which each subset has only one host. This mode uses the same rules for\n choosing a host, but updating hosts is faster, especially for large numbers of hosts.\n\n If a match is found to a host, that host will be used regardless of priority levels, unless the host is unhealthy.\n\n Currently, this mode is only supported if `subset_selectors` has only one entry, and `keys` contains\n only one entry.\n\n When this mode is enabled, configurations that contain more than one host with the same metadata value for the single key in `keys`\n will use only one of the hosts with the given key; no requests will be routed to the others. The cluster gauge\n :ref:`lb_subsets_single_host_per_subset_duplicate<config_cluster_manager_cluster_stats_subset_lb>` indicates how many duplicates are\n present in the current configuration."
},
"fallback_policy": {
"enum": [
"NOT_DEFINED",
0,
"NO_FALLBACK",
1,
"ANY_ENDPOINT",
2,
"DEFAULT_SUBSET",
3,
"KEYS_SUBSET",
4
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "The behavior used when no endpoint subset matches the selected route's\n metadata."
},
"fallback_keys_subset": {
"items": {
"type": "string"
},
"type": "array",
"description": "Subset of\n :ref:`keys<envoy_v3_api_field_config.cluster.v3.Cluster.LbSubsetConfig.LbSubsetSelector.keys>` used by\n :ref:`KEYS_SUBSET<envoy_v3_api_enum_value_config.cluster.v3.Cluster.LbSubsetConfig.LbSubsetSelector.LbSubsetSelectorFallbackPolicy.KEYS_SUBSET>`\n fallback policy.\n It has to be a non empty list if KEYS_SUBSET fallback policy is selected.\n For any other fallback policy the parameter is not used and should not be set.\n Only values also present in\n :ref:`keys<envoy_v3_api_field_config.cluster.v3.Cluster.LbSubsetConfig.LbSubsetSelector.keys>` are allowed, but\n `fallback_keys_subset` cannot be equal to `keys`."
}
},
"additionalProperties": false,
"type": "object",
"description": "Specifications for subsets."
},
"type": "array",
"description": "For each entry, LbEndpoint.Metadata's\n *envoy.lb* namespace is traversed and a subset is created for each unique\n combination of key and value. For example:\n\n .. code-block:: json\n\n { \"subset_selectors\": [\n { \"keys\": [ \"version\" ] },\n { \"keys\": [ \"stage\", \"hardware_type\" ] }\n ]}\n\n A subset is matched when the metadata from the selected route and\n weighted cluster contains the same keys and values as the subset's\n metadata. The same host may appear in multiple subsets."
},
"locality_weight_aware": {
"type": "boolean",
"description": "If true, routing to subsets will take into account the localities and locality weights of the\n endpoints when making the routing decision.\n\n There are some potential pitfalls associated with enabling this feature, as the resulting\n traffic split after applying both a subset match and locality weights might be undesirable.\n\n Consider for example a situation in which you have 50/50 split across two localities X/Y\n which have 100 hosts each without subsetting. If the subset LB results in X having only 1\n host selected but Y having 100, then a lot more load is being dumped on the single host in X\n than originally anticipated in the load balancing assignment delivered via EDS."
},
"scale_locality_weight": {
"type": "boolean",
"description": "When used with locality_weight_aware, scales the weight of each locality by the ratio\n of hosts in the subset vs hosts in the original subset. This aims to even out the load\n going to an individual locality if said locality is disproportionately affected by the\n subset predicate."
},
"panic_mode_any": {
"type": "boolean",
"description": "If true, when a fallback policy is configured and its corresponding subset fails to find\n a host this will cause any host to be selected instead.\n\n This is useful when using the default subset as the fallback policy, given the default\n subset might become empty. With this option enabled, if that happens the LB will attempt\n to select a host from the entire cluster."
},
"list_as_any": {
"type": "boolean",
"description": "If true, metadata specified for a metadata key will be matched against the corresponding\n endpoint metadata if the endpoint metadata matches the value exactly OR it is a list value\n and any of the elements in the list matches the criteria."
}
},
"additionalProperties": true,
"type": "object",
"description": "Configuration for load balancing subsetting."
},
"ring_hash_lb_config": {
"properties": {
"minimum_ring_size": {
"additionalProperties": true,
"type": "integer",
"description": "Minimum hash ring size. The larger the ring is (that is, the more hashes there are for each\n provided host) the better the request distribution will reflect the desired weights. Defaults\n to 1024 entries, and limited to 8M entries. See also\n :ref:`maximum_ring_size<envoy_v3_api_field_config.cluster.v3.Cluster.RingHashLbConfig.maximum_ring_size>`."
},
"hash_function": {
"enum": [
"XX_HASH",
0,
"MURMUR_HASH_2",
1
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "The hash function used to hash hosts onto the ketama ring. The value defaults to\n :ref:`XX_HASH<envoy_v3_api_enum_value_config.cluster.v3.Cluster.RingHashLbConfig.HashFunction.XX_HASH>`."
},
"maximum_ring_size": {
"additionalProperties": true,
"type": "integer",
"description": "Maximum hash ring size. Defaults to 8M entries, and limited to 8M entries, but can be lowered\n to further constrain resource use. See also\n :ref:`minimum_ring_size<envoy_v3_api_field_config.cluster.v3.Cluster.RingHashLbConfig.minimum_ring_size>`."
}
},
"additionalProperties": true,
"type": "object",
"description": "Optional configuration for the Ring Hash load balancing policy."
},
"maglev_lb_config": {
"properties": {
"table_size": {
"additionalProperties": true,
"type": "integer",
"description": "The table size for Maglev hashing. The Maglev aims for \u2018minimal disruption\u2019 rather than an absolute guarantee.\n Minimal disruption means that when the set of upstreams changes, a connection will likely be sent to the same\n upstream as it was before. Increasing the table size reduces the amount of disruption.\n The table size must be prime number limited to 5000011. If it is not specified, the default is 65537."
}
},
"additionalProperties": true,
"type": "object",
"description": "Optional configuration for the Maglev load balancing policy."
},
"original_dst_lb_config": {
"properties": {
"use_http_header": {
"type": "boolean",
"description": "When true, :ref:`x-envoy-original-dst-host\n <config_http_conn_man_headers_x-envoy-original-dst-host>` can be used to override destination\n address.\n\n .. attention::\n\n This header isn't sanitized by default, so enabling this feature allows HTTP clients to\n route traffic to arbitrary hosts and/or ports, which may have serious security\n consequences.\n\n .. note::\n\n If the header appears multiple times only the first value is used."
}
},
"additionalProperties": true,
"type": "object",
"description": "Optional configuration for the Original Destination load balancing policy."
},
"least_request_lb_config": {
"properties": {
"choice_count": {
"additionalProperties": true,
"type": "integer",
"description": "The number of random healthy hosts from which the host with the fewest active requests will\n be chosen. Defaults to 2 so that we perform two-choice selection if the field is not set."
},
"active_request_bias": {
"$ref": "#/definitions/envoy.config.core.v3.RuntimeDouble",
"additionalProperties": true,
"description": "The following formula is used to calculate the dynamic weights when hosts have different load\n balancing weights:\n\n `weight = load_balancing_weight / (active_requests + 1)^active_request_bias`\n\n The larger the active request bias is, the more aggressively active requests will lower the\n effective weight when all host weights are not equal.\n\n `active_request_bias` must be greater than or equal to 0.0.\n\n When `active_request_bias == 0.0` the Least Request Load Balancer doesn't consider the number\n of active requests at the time it picks a host and behaves like the Round Robin Load\n Balancer.\n\n When `active_request_bias > 0.0` the Least Request Load Balancer scales the load balancing\n weight by the number of active requests at the time it does a pick.\n\n The value is cached for performance reasons and refreshed whenever one of the Load Balancer's\n host sets changes, e.g., whenever there is a host membership update or a host load balancing\n weight change.\n\n .. note::\n This setting only takes effect if all host weights are not equal."
},
"slow_start_config": {
"$ref": "#/definitions/envoy.config.cluster.v3.Cluster.SlowStartConfig",
"additionalProperties": true,
"description": "Configuration for slow start mode.\n If this configuration is not set, slow start will not be not enabled."
}
},
"additionalProperties": true,
"type": "object",
"description": "Optional configuration for the LeastRequest load balancing policy."
},
"round_robin_lb_config": {
"properties": {
"slow_start_config": {
"$ref": "#/definitions/envoy.config.cluster.v3.Cluster.SlowStartConfig",
"additionalProperties": true,
"description": "Configuration for slow start mode.\n If this configuration is not set, slow start will not be not enabled."
}
},
"additionalProperties": true,
"type": "object",
"description": "Optional configuration for the RoundRobin load balancing policy."
},
"common_lb_config": {
"properties": {
"healthy_panic_threshold": {
"$ref": "#/definitions/envoy.type.v3.Percent",
"additionalProperties": true,
"description": "Configures the :ref:`healthy panic threshold <arch_overview_load_balancing_panic_threshold>`.\n If not specified, the default is 50%.\n To disable panic mode, set to 0%.\n\n .. note::\n The specified percent will be truncated to the nearest 1%."
},
"zone_aware_lb_config": {
"properties": {
"routing_enabled": {
"$ref": "#/definitions/envoy.type.v3.Percent",
"additionalProperties": true,
"description": "Configures percentage of requests that will be considered for zone aware routing\n if zone aware routing is configured. If not specified, the default is 100%.\n * :ref:`runtime values <config_cluster_manager_cluster_runtime_zone_routing>`.\n * :ref:`Zone aware routing support <arch_overview_load_balancing_zone_aware_routing>`."
},
"min_cluster_size": {
"additionalProperties": true,
"type": "integer",
"description": "Configures minimum upstream cluster size required for zone aware routing\n If upstream cluster size is less than specified, zone aware routing is not performed\n even if zone aware routing is configured. If not specified, the default is 6.\n * :ref:`runtime values <config_cluster_manager_cluster_runtime_zone_routing>`.\n * :ref:`Zone aware routing support <arch_overview_load_balancing_zone_aware_routing>`."
},
"fail_traffic_on_panic": {
"type": "boolean",
"description": "If set to true, Envoy will not consider any hosts when the cluster is in :ref:`panic\n mode<arch_overview_load_balancing_panic_threshold>`. Instead, the cluster will fail all\n requests as if all hosts are unhealthy. This can help avoid potentially overwhelming a\n failing service."
}
},
"additionalProperties": true,
"type": "object"
},
"locality_weighted_lb_config": {
"additionalProperties": true,
"type": "object"
},
"update_merge_window": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "If set, all health check/weight/metadata updates that happen within this duration will be\n merged and delivered in one shot when the duration expires. The start of the duration is when\n the first update happens. This is useful for big clusters, with potentially noisy deploys\n that might trigger excessive CPU usage due to a constant stream of healthcheck state changes\n or metadata updates. The first set of updates to be seen apply immediately (e.g.: a new\n cluster). Please always keep in mind that the use of sandbox technologies may change this\n behavior.\n\n If this is not set, we default to a merge window of 1000ms. To disable it, set the merge\n window to 0.\n\n Note: merging does not apply to cluster membership changes (e.g.: adds/removes); this is\n because merging those updates isn't currently safe. See\n https://github.com/envoyproxy/envoy/pull/3941."
},
"ignore_new_hosts_until_first_hc": {
"type": "boolean",
"description": "If set to true, Envoy will :ref:`exclude <arch_overview_load_balancing_excluded>` new hosts\n when computing load balancing weights until they have been health checked for the first time.\n This will have no effect unless active health checking is also configured."
},
"close_connections_on_host_set_change": {
"type": "boolean",
"description": "If set to `true`, the cluster manager will drain all existing\n connections to upstream hosts whenever hosts are added or removed from the cluster."
},
"consistent_hashing_lb_config": {
"properties": {
"use_hostname_for_hashing": {
"type": "boolean",
"description": "If set to `true`, the cluster will use hostname instead of the resolved\n address as the key to consistently hash to an upstream host. Only valid for StrictDNS clusters with hostnames which resolve to a single IP address."
},
"hash_balance_factor": {
"additionalProperties": true,
"type": "integer",
"description": "Configures percentage of average cluster load to bound per upstream host. For example, with a value of 150\n no upstream host will get a load more than 1.5 times the average load of all the hosts in the cluster.\n If not specified, the load is not bounded for any upstream host. Typical value for this parameter is between 120 and 200.\n Minimum is 100.\n\n Applies to both Ring Hash and Maglev load balancers.\n\n This is implemented based on the method described in the paper https://arxiv.org/abs/1608.01350. For the specified\n `hash_balance_factor`, requests to any upstream host are capped at `hash_balance_factor/100` times the average number of requests\n across the cluster. When a request arrives for an upstream host that is currently serving at its max capacity, linear probing\n is used to identify an eligible host. Further, the linear probe is implemented using a random jump in hosts ring/table to identify\n the eligible host (this technique is as described in the paper https://arxiv.org/abs/1908.08762 - the random jump avoids the\n cascading overflow effect when choosing the next host in the ring/table).\n\n If weights are specified on the hosts, they are respected.\n\n This is an O(N) algorithm, unlike other load balancers. Using a lower `hash_balance_factor` results in more hosts\n being probed, so use a higher value if you require better performance."
}
},
"additionalProperties": true,
"type": "object",
"description": "Common Configuration for all consistent hashing load balancers (MaglevLb, RingHashLb, etc.)"
}
},
"additionalProperties": true,
"type": "object",
"description": "Common configuration for all load balancer implementations."
},
"transport_socket": {
"$ref": "#/definitions/envoy.config.core.v3.TransportSocket",
"additionalProperties": true,
"description": "Optional custom transport socket implementation to use for upstream connections.\n To setup TLS, set a transport socket with name `envoy.transport_sockets.tls` and\n :ref:`UpstreamTlsContexts <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.UpstreamTlsContext>` in the `typed_config`.\n If no transport socket configuration is specified, new connections\n will be set up with plaintext."
},
"metadata": {
"$ref": "#/definitions/envoy.config.core.v3.Metadata",
"additionalProperties": true,
"description": "The Metadata field can be used to provide additional information about the\n cluster. It can be used for stats, logging, and varying filter behavior.\n Fields should use reverse DNS notation to denote which entity within Envoy\n will need the information. For instance, if the metadata is intended for\n the Router filter, the filter name should be specified as *envoy.filters.http.router*."
},
"protocol_selection": {
"enum": [
"USE_CONFIGURED_PROTOCOL",
0,
"USE_DOWNSTREAM_PROTOCOL",
1
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "Determines how Envoy selects the protocol used to speak to upstream hosts.\n This has been deprecated in favor of setting explicit protocol selection\n in the :ref:`http_protocol_options\n <envoy_v3_api_msg_extensions.upstreams.http.v3.HttpProtocolOptions>` message.\n http_protocol_options can be set via the cluster's\n :ref:`extension_protocol_options<envoy_v3_api_field_config.cluster.v3.Cluster.typed_extension_protocol_options>`."
},
"upstream_connection_options": {
"properties": {
"tcp_keepalive": {
"properties": {
"keepalive_probes": {
"additionalProperties": true,
"type": "integer",
"description": "Maximum number of keepalive probes to send without response before deciding\n the connection is dead. Default is to use the OS level configuration (unless\n overridden, Linux defaults to 9.)"
},
"keepalive_time": {
"additionalProperties": true,
"type": "integer",
"description": "The number of seconds a connection needs to be idle before keep-alive probes\n start being sent. Default is to use the OS level configuration (unless\n overridden, Linux defaults to 7200s (i.e., 2 hours.)"
},
"keepalive_interval": {
"additionalProperties": true,
"type": "integer",
"description": "The number of seconds between keep-alive probes. Default is to use the OS\n level configuration (unless overridden, Linux defaults to 75s.)"
}
},
"additionalProperties": true,
"type": "object",
"description": "If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives."
}
},
"additionalProperties": true,
"type": "object",
"description": "Optional options for upstream connections."
},
"close_connections_on_host_health_failure": {
"type": "boolean",
"description": "If an upstream host becomes unhealthy (as determined by the configured health checks\n or outlier detection), immediately close all connections to the failed host.\n\n .. note::\n\n This is currently only supported for connections created by tcp_proxy.\n\n .. note::\n\n The current implementation of this feature closes all connections immediately when\n the unhealthy status is detected. If there are a large number of connections open\n to an upstream host that becomes unhealthy, Envoy may spend a substantial amount of\n time exclusively closing these connections, and not processing any other traffic."
},
"ignore_health_on_host_removal": {
"type": "boolean",
"description": "If set to true, Envoy will ignore the health value of a host when processing its removal\n from service discovery. This means that if active health checking is used, Envoy will *not*\n wait for the endpoint to go unhealthy before removing it."
},
"filters": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "The name of the filter to instantiate. The name must match a\n supported upstream filter. Note that Envoy's :ref:`downstream network\n filters <config_network_filters>` are not valid upstream filters."
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. This string must contain at least\n one \"/\" character. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type.",
"format": "binary",
"binaryEncoding": "base64"
}
},
"additionalProperties": true,
"type": "object",
"description": "Filter specific configuration which depends on the filter being\n instantiated. See the supported filters for further documentation."
}
},
"additionalProperties": false,
"type": "object",
"description": "\n Upstream filters apply to the connections to the upstream cluster hosts."
},
"type": "array",
"description": "An (optional) network filter chain, listed in the order the filters should be applied.\n The chain will be applied to all outgoing connections that Envoy makes to the upstream\n servers of this cluster."
},
"load_balancing_policy": {
"properties": {
"policies": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"typed_extension_config": {
"$ref": "#/definitions/envoy.config.core.v3.TypedExtensionConfig",
"additionalProperties": true
}
},
"additionalProperties": false,
"type": "object"
},
"type": "array",
"description": "Each client will iterate over the list in order and stop at the first policy that it\n supports. This provides a mechanism for starting to use new LB policies that are not yet\n supported by all clients."
}
},
"additionalProperties": true,
"type": "object",
"description": "If this field is set and is supported by the client, it will supersede the value of\n :ref:`lb_policy<envoy_v3_api_field_config.cluster.v3.Cluster.lb_policy>`."
},
"lrs_server": {
"$ref": "#/definitions/envoy.config.core.v3.ConfigSource",
"additionalProperties": true,
"description": "[#not-implemented-hide:]\n If present, tells the client where to send load reports via LRS. If not present, the\n client will fall back to a client-side default, which may be either (a) don't send any\n load reports or (b) send load reports for all clusters to a single default server\n (which may be configured in the bootstrap file).\n\n Note that if multiple clusters point to the same LRS server, the client may choose to\n create a separate stream for each cluster or it may choose to coalesce the data for\n multiple clusters onto a single stream. Either way, the client must make sure to send\n the data for any given cluster on no more than one stream.\n\n [#next-major-version: In the v3 API, we should consider restructuring this somehow,\n maybe by allowing LRS to go on the ADS stream, or maybe by moving some of the negotiation\n from the LRS stream here.]"
},
"track_timeout_budgets": {
"type": "boolean",
"description": "If track_timeout_budgets is true, the :ref:`timeout budget histograms\n <config_cluster_manager_cluster_stats_timeout_budgets>` will be published for each\n request. These show what percentage of a request's per try and global timeout was used. A value\n of 0 would indicate that none of the timeout was used or that the timeout was infinite. A value\n of 100 would indicate that the request took the entirety of the timeout given to it.\n\n .. attention::\n\n This field has been deprecated in favor of `timeout_budgets`, part of\n :ref:`track_cluster_stats <envoy_v3_api_field_config.cluster.v3.Cluster.track_cluster_stats>`."
},
"upstream_config": {
"$ref": "#/definitions/envoy.config.core.v3.TypedExtensionConfig",
"additionalProperties": true,
"description": "Optional customization and configuration of upstream connection pool, and upstream type.\n\n Currently this field only applies for HTTP traffic but is designed for eventual use for custom\n TCP upstreams.\n\n For HTTP traffic, Envoy will generally take downstream HTTP and send it upstream as upstream\n HTTP, using the http connection pool and the codec from `http2_protocol_options`\n\n For routes where CONNECT termination is configured, Envoy will take downstream CONNECT\n requests and forward the CONNECT payload upstream over raw TCP using the tcp connection pool.\n\n The default pool used is the generic connection pool which creates the HTTP upstream for most\n HTTP requests, and the TCP upstream if CONNECT termination is configured.\n\n If users desire custom connection pool or upstream behavior, for example terminating\n CONNECT only if a custom filter indicates it is appropriate, the custom factories\n can be registered and configured here.\n "
},
"track_cluster_stats": {
"properties": {
"timeout_budgets": {
"type": "boolean",
"description": "If timeout_budgets is true, the :ref:`timeout budget histograms\n <config_cluster_manager_cluster_stats_timeout_budgets>` will be published for each\n request. These show what percentage of a request's per try and global timeout was used. A value\n of 0 would indicate that none of the timeout was used or that the timeout was infinite. A value\n of 100 would indicate that the request took the entirety of the timeout given to it."
},
"request_response_sizes": {
"type": "boolean",
"description": "If request_response_sizes is true, then the :ref:`histograms\n <config_cluster_manager_cluster_stats_request_response_sizes>` tracking header and body sizes\n of requests and responses will be published."
}
},
"additionalProperties": true,
"type": "object",
"description": "Configuration to track optional cluster stats."
},
"preconnect_policy": {
"properties": {
"per_upstream_preconnect_ratio": {
"additionalProperties": true,
"type": "number",
"description": "Indicates how many streams (rounded up) can be anticipated per-upstream for each\n incoming stream. This is useful for high-QPS or latency-sensitive services. Preconnecting\n will only be done if the upstream is healthy and the cluster has traffic.\n\n For example if this is 2, for an incoming HTTP/1.1 stream, 2 connections will be\n established, one for the new incoming stream, and one for a presumed follow-up stream. For\n HTTP/2, only one connection would be established by default as one connection can\n serve both the original and presumed follow-up stream.\n\n In steady state for non-multiplexed connections a value of 1.5 would mean if there were 100\n active streams, there would be 100 connections in use, and 50 connections preconnected.\n This might be a useful value for something like short lived single-use connections,\n for example proxying HTTP/1.1 if keep-alive were false and each stream resulted in connection\n termination. It would likely be overkill for long lived connections, such as TCP proxying SMTP\n or regular HTTP/1.1 with keep-alive. For long lived traffic, a value of 1.05 would be more\n reasonable, where for every 100 connections, 5 preconnected connections would be in the queue\n in case of unexpected disconnects where the connection could not be reused.\n\n If this value is not set, or set explicitly to one, Envoy will fetch as many connections\n as needed to serve streams in flight. This means in steady state if a connection is torn down,\n a subsequent streams will pay an upstream-rtt latency penalty waiting for a new connection.\n\n This is limited somewhat arbitrarily to 3 because preconnecting too aggressively can\n harm latency more than the preconnecting helps."
},
"predictive_preconnect_ratio": {
"additionalProperties": true,
"type": "number",
"description": "Indicates how many many streams (rounded up) can be anticipated across a cluster for each\n stream, useful for low QPS services. This is currently supported for a subset of\n deterministic non-hash-based load-balancing algorithms (weighted round robin, random).\n Unlike *per_upstream_preconnect_ratio* this preconnects across the upstream instances in a\n cluster, doing best effort predictions of what upstream would be picked next and\n pre-establishing a connection.\n\n Preconnecting will be limited to one preconnect per configured upstream in the cluster and will\n only be done if there are healthy upstreams and the cluster has traffic.\n\n For example if preconnecting is set to 2 for a round robin HTTP/2 cluster, on the first\n incoming stream, 2 connections will be preconnected - one to the first upstream for this\n cluster, one to the second on the assumption there will be a follow-up stream.\n\n If this value is not set, or set explicitly to one, Envoy will fetch as many connections\n as needed to serve streams in flight, so during warm up and in steady state if a connection\n is closed (and per_upstream_preconnect_ratio is not set), there will be a latency hit for\n connection establishment.\n\n If both this and preconnect_ratio are set, Envoy will make sure both predicted needs are met,\n basically preconnecting max(predictive-preconnect, per-upstream-preconnect), for each\n upstream."
}
},
"additionalProperties": true,
"type": "object",
"description": "Preconnect configuration for this cluster."
},
"connection_pool_per_downstream_connection": {
"type": "boolean",
"description": "If `connection_pool_per_downstream_connection` is true, the cluster will use a separate\n connection pool for every downstream connection"
}
},
"additionalProperties": false,
"type": "object",
"description": "Configuration for a single upstream cluster.\n "
},
"type": "array",
"description": "If a network based configuration source is specified for :ref:`cds_config\n <envoy_v3_api_field_config.bootstrap.v3.Bootstrap.DynamicResources.cds_config>`, it's necessary\n to have some initial cluster definitions available to allow Envoy to know\n how to speak to the management server. These cluster definitions may not\n use :ref:`EDS <arch_overview_dynamic_config_eds>` (i.e. they should be static\n IP or DNS-based)."
},
"secrets": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to."
},
"tls_certificate": {
"properties": {
"certificate_chain": {
"$ref": "#/definitions/envoy.config.core.v3.DataSource",
"additionalProperties": true,
"description": "The TLS certificate chain.\n\n If *certificate_chain* is a filesystem path, a watch will be added to the\n parent directory for any file moves to support rotation. This currently\n only applies to dynamic secrets, when the *TlsCertificate* is delivered via\n SDS."
},
"private_key": {
"$ref": "#/definitions/envoy.config.core.v3.DataSource",
"additionalProperties": true,
"description": "The TLS private key.\n\n If *private_key* is a filesystem path, a watch will be added to the parent\n directory for any file moves to support rotation. This currently only\n applies to dynamic secrets, when the *TlsCertificate* is delivered via SDS."
},
"pkcs12": {
"$ref": "#/definitions/envoy.config.core.v3.DataSource",
"additionalProperties": true,
"description": "`Pkcs12` data containing TLS certificate, chain, and private key.\n\n If *pkcs12* is a filesystem path, the file will be read, but no watch will\n be added to the parent directory, since *pkcs12* isn't used by SDS.\n This field is mutually exclusive with *certificate_chain*, *private_key* and *private_key_provider*.\n This can't be marked as ``oneof`` due to API compatibility reasons. Setting\n both :ref:`private_key <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>`,\n :ref:`certificate_chain <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.certificate_chain>`,\n or :ref:`private_key_provider <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key_provider>`\n and :ref:`pkcs12 <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.pkcs12>`\n fields will result in an error. Use :ref:`password\n <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.password>`\n to specify the password to unprotect the `PKCS12` data, if necessary."
},
"watched_directory": {
"$ref": "#/definitions/envoy.config.core.v3.WatchedDirectory",
"additionalProperties": true,
"description": "If specified, updates of file-based *certificate_chain* and *private_key*\n sources will be triggered by this watch. The certificate/key pair will be\n read together and validated for atomic read consistency (i.e. no\n intervening modification occurred between cert/key read, verified by file\n hash comparisons). This allows explicit control over the path watched, by\n default the parent directories of the filesystem paths in\n *certificate_chain* and *private_key* are watched if this field is not\n specified. This only applies when a *TlsCertificate* is delivered by SDS\n with references to filesystem paths. See the :ref:`SDS key rotation\n <sds_key_rotation>` documentation for further details."
},
"private_key_provider": {
"properties": {
"provider_name": {
"type": "string",
"description": "Private key method provider name. The name must match a\n supported private key method provider type."
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. This string must contain at least\n one \"/\" character. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type.",
"format": "binary",
"binaryEncoding": "base64"
}
},
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": true,
"type": "object",
"description": "BoringSSL private key method provider. This is an alternative to :ref:`private_key\n <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` field. This can't be\n marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key\n <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` and\n :ref:`private_key_provider\n <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key_provider>` fields will result in an\n error."
},
"password": {
"$ref": "#/definitions/envoy.config.core.v3.DataSource",
"additionalProperties": true,
"description": "The password to decrypt the TLS private key. If this field is not set, it is assumed that the\n TLS private key is not password encrypted."
},
"ocsp_staple": {
"$ref": "#/definitions/envoy.config.core.v3.DataSource",
"additionalProperties": true,
"description": "The OCSP response to be stapled with this certificate during the handshake.\n The response must be DER-encoded and may only be provided via ``filename`` or\n ``inline_bytes``. The response may pertain to only one certificate."
},
"signed_certificate_timestamp": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.config.core.v3.DataSource"
},
"type": "array",
"description": "[#not-implemented-hide:]"
}
},
"additionalProperties": true,
"type": "object"
},
"session_ticket_keys": {
"properties": {
"keys": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.config.core.v3.DataSource"
},
"type": "array",
"description": "Keys for encrypting and decrypting TLS session tickets. The\n first key in the array contains the key to encrypt all new sessions created by this context.\n All keys are candidates for decrypting received tickets. This allows for easy rotation of keys\n by, for example, putting the new key first, and the previous key second.\n\n If :ref:`session_ticket_keys <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.session_ticket_keys>`\n is not specified, the TLS library will still support resuming sessions via tickets, but it will\n use an internally-generated and managed key, so sessions cannot be resumed across hot restarts\n or on different hosts.\n\n Each key must contain exactly 80 bytes of cryptographically-secure random data. For\n example, the output of ``openssl rand 80``.\n\n .. attention::\n\n Using this feature has serious security considerations and risks. Improper handling of keys\n may result in loss of secrecy in connections, even if ciphers supporting perfect forward\n secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some\n discussion. To minimize the risk, you must:\n\n * Keep the session ticket keys at least as secure as your TLS certificate private keys\n * Rotate session ticket keys at least daily, and preferably hourly\n * Always generate keys using a cryptographically-secure random data source"
}
},
"additionalProperties": true,
"type": "object"
},
"validation_context": {
"properties": {
"trusted_ca": {
"$ref": "#/definitions/envoy.config.core.v3.DataSource",
"additionalProperties": true,
"description": "TLS certificate data containing certificate authority certificates to use in verifying\n a presented peer certificate (e.g. server certificate for clusters or client certificate\n for listeners). If not specified and a peer certificate is presented it will not be\n verified. By default, a client certificate is optional, unless one of the additional\n options (:ref:`require_client_certificate\n <envoy_v3_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate>`,\n :ref:`verify_certificate_spki\n <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>`,\n :ref:`verify_certificate_hash\n <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`, or\n :ref:`match_typed_subject_alt_names\n <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`) is also\n specified.\n\n It can optionally contain certificate revocation lists, in which case Envoy will verify\n that the presented peer certificate has not been revoked by one of the included CRLs. Note\n that if a CRL is provided for any certificate authority in a trust chain, a CRL must be\n provided for all certificate authorities in that chain. Failure to do so will result in\n verification failure for both revoked and unrevoked certificates from that chain.\n The behavior of requiring all certificates to contain CRLs if any do can be altered by\n setting :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>`\n true. 
If set to true, only the final certificate in the chain undergoes CRL verification.\n\n See :ref:`the TLS overview <arch_overview_ssl_enabling_verification>` for a list of common\n system CA locations.\n\n If *trusted_ca* is a filesystem path, a watch will be added to the parent\n directory for any file moves to support rotation. This currently only\n applies to dynamic secrets, when the *CertificateValidationContext* is\n delivered via SDS.\n\n Only one of *trusted_ca* and *ca_certificate_provider_instance* may be specified.\n\n [#next-major-version: This field and watched_directory below should ideally be moved into a\n separate sub-message, since there's no point in specifying the latter field without this one.]"
},
"ca_certificate_provider_instance": {
"properties": {
"instance_name": {
"type": "string",
"description": "Provider instance name. If not present, defaults to \"default\".\n\n Instance names should generally be defined not in terms of the underlying provider\n implementation (e.g., \"file_watcher\") but rather in terms of the function of the\n certificates (e.g., \"foo_deployment_identity\")."
},
"certificate_name": {
"type": "string",
"description": "Opaque name used to specify certificate instances or types. For example, \"ROOTCA\" to specify\n a root-certificate (validation context) or \"example.com\" to specify a certificate for a\n particular domain. Not all provider instances will actually use this field, so the value\n defaults to the empty string."
}
},
"additionalProperties": true,
"type": "object",
"description": "Certificate provider instance for fetching TLS certificates.\n\n Only one of *trusted_ca* and *ca_certificate_provider_instance* may be specified.\n [#not-implemented-hide:]"
},
"watched_directory": {
"$ref": "#/definitions/envoy.config.core.v3.WatchedDirectory",
"additionalProperties": true,
"description": "If specified, updates of a file-based *trusted_ca* source will be triggered\n by this watch. This allows explicit control over the path watched, by\n default the parent directory of the filesystem path in *trusted_ca* is\n watched if this field is not specified. This only applies when a\n *CertificateValidationContext* is delivered by SDS with references to\n filesystem paths. See the :ref:`SDS key rotation <sds_key_rotation>`\n documentation for further details."
},
"verify_certificate_spki": {
"items": {
"type": "string"
},
"type": "array",
"description": "An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the\n SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate\n matches one of the specified values.\n\n A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate\n can be generated with the following command:\n\n .. code-block:: bash\n\n $ openssl x509 -in path/to/client.crt -noout -pubkey\n | openssl pkey -pubin -outform DER\n | openssl dgst -sha256 -binary\n | openssl enc -base64\n NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=\n\n This is the format used in HTTP Public Key Pinning.\n\n When both:\n :ref:`verify_certificate_hash\n <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and\n :ref:`verify_certificate_spki\n <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,\n a hash matching value from either of the lists will result in the certificate being accepted.\n\n .. attention::\n\n This option is preferred over :ref:`verify_certificate_hash\n <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>`,\n because SPKI is tied to a private key, so it doesn't change when the certificate\n is renewed using the same private key."
},
"verify_certificate_hash": {
"items": {
"type": "string"
},
"type": "array",
"description": "An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that\n the SHA-256 of the DER-encoded presented certificate matches one of the specified values.\n\n A hex-encoded SHA-256 of the certificate can be generated with the following command:\n\n .. code-block:: bash\n\n $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d\" \" -f2\n df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a\n\n A long hex-encoded and colon-separated SHA-256 (a.k.a. \"fingerprint\") of the certificate\n can be generated with the following command:\n\n .. code-block:: bash\n\n $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d\"=\" -f2\n DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A\n\n Both of those formats are acceptable.\n\n When both:\n :ref:`verify_certificate_hash\n <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash>` and\n :ref:`verify_certificate_spki\n <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki>` are specified,\n a hash matching value from either of the lists will result in the certificate being accepted."
},
"match_typed_subject_alt_names": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"san_type": {
"enum": [
"SAN_TYPE_UNSPECIFIED",
0,
"EMAIL",
1,
"DNS",
2,
"URI",
3,
"IP_ADDRESS",
4
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "Specification of type of SAN. Note that the default enum value is an invalid choice."
},
"matcher": {
"$ref": "#/definitions/envoy.type.matcher.v3.StringMatcher",
"additionalProperties": true,
"description": "Matcher for SAN value."
}
},
"additionalProperties": false,
"type": "object",
"description": "Matcher for subject alternative names, to match both type and value of the SAN."
},
"type": "array",
"description": "An optional list of Subject Alternative name matchers. If specified, Envoy will verify that the\n Subject Alternative Name of the presented certificate matches one of the specified matchers.\n The matching uses \"any\" semantics, that is to say, the SAN is verified if at least one matcher is\n matched.\n\n When a certificate has wildcard DNS SAN entries, to match a specific client, it should be\n configured with exact match type in the :ref:`string matcher <envoy_v3_api_msg_type.matcher.v3.StringMatcher>`.\n For example if the certificate has \"\\*.example.com\" as DNS SAN entry, to allow only \"api.example.com\",\n it should be configured as shown below.\n\n .. code-block:: yaml\n\n match_typed_subject_alt_names:\n - san_type: DNS\n matcher:\n exact: \"api.example.com\"\n\n .. attention::\n\n Subject Alternative Names are easily spoofable and verifying only them is insecure,\n therefore this option must be used together with :ref:`trusted_ca\n <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`."
},
"match_subject_alt_names": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.type.matcher.v3.StringMatcher"
},
"type": "array",
"description": "This field is deprecated in favor of ref:`match_typed_subject_alt_names\n <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_typed_subject_alt_names>`"
},
"require_signed_certificate_timestamp": {
"additionalProperties": true,
"type": "boolean",
"description": "[#not-implemented-hide:] Must present signed certificate time-stamp."
},
"crl": {
"$ref": "#/definitions/envoy.config.core.v3.DataSource",
"additionalProperties": true,
"description": "An optional `certificate revocation list\n <https://en.wikipedia.org/wiki/Certificate_revocation_list>`_\n (in PEM format). If specified, Envoy will verify that the presented peer\n certificate has not been revoked by this CRL. If this DataSource contains\n multiple CRLs, all of them will be used. Note that if a CRL is provided\n for any certificate authority in a trust chain, a CRL must be provided\n for all certificate authorities in that chain. Failure to do so will\n result in verification failure for both revoked and unrevoked certificates\n from that chain. This default behavior can be altered by setting\n :ref:`only_verify_leaf_cert_crl <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.only_verify_leaf_cert_crl>` to\n true."
},
"allow_expired_certificate": {
"type": "boolean",
"description": "If specified, Envoy will not reject expired certificates."
},
"trust_chain_verification": {
"enum": [
"VERIFY_TRUST_CHAIN",
0,
"ACCEPT_UNTRUSTED",
1
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "Certificate trust chain verification mode."
},
"custom_validator_config": {
"$ref": "#/definitions/envoy.config.core.v3.TypedExtensionConfig",
"additionalProperties": true,
"description": "The configuration of an extension specific certificate validator.\n If specified, all validation is done by the specified validator,\n and the behavior of all other validation settings is defined by the specified validator (and may be entirely ignored, unused, and unvalidated).\n Refer to the documentation for the specified validator. If you do not want a custom validation algorithm, do not set this field.\n "
},
"only_verify_leaf_cert_crl": {
"type": "boolean",
"description": "If this option is set to true, only the certificate at the end of the\n certificate chain will be subject to validation by :ref:`CRL <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.crl>`."
}
},
"additionalProperties": true,
"type": "object"
},
"generic_secret": {
"properties": {
"secret": {
"$ref": "#/definitions/envoy.config.core.v3.DataSource",
"additionalProperties": true,
"description": "Secret of generic type and is available to filters."
}
},
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": false,
"type": "object",
"description": ""
},
"type": "array",
"description": "These static secrets can be used by :ref:`SdsSecretConfig\n <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.SdsSecretConfig>`"
}
},
"additionalProperties": true,
"type": "object",
"description": "Statically specified resources."
},
"dynamic_resources": {
"properties": {
"lds_config": {
"$ref": "#/definitions/envoy.config.core.v3.ConfigSource",
"additionalProperties": true,
"description": "All :ref:`Listeners <envoy_v3_api_msg_config.listener.v3.Listener>` are provided by a single\n :ref:`LDS <arch_overview_dynamic_config_lds>` configuration source."
},
"lds_resources_locator": {
"type": "string",
"description": "xdstp:// resource locator for listener collection.\n [#not-implemented-hide:]"
},
"cds_config": {
"$ref": "#/definitions/envoy.config.core.v3.ConfigSource",
"additionalProperties": true,
"description": "All post-bootstrap :ref:`Cluster <envoy_v3_api_msg_config.cluster.v3.Cluster>` definitions are\n provided by a single :ref:`CDS <arch_overview_dynamic_config_cds>`\n configuration source."
},
"cds_resources_locator": {
"type": "string",
"description": "xdstp:// resource locator for cluster collection.\n [#not-implemented-hide:]"
},
"ads_config": {
"$ref": "#/definitions/envoy.config.core.v3.ApiConfigSource",
"additionalProperties": true,
"description": "A single :ref:`ADS <config_overview_ads>` source may be optionally\n specified. This must have :ref:`api_type\n <envoy_v3_api_field_config.core.v3.ApiConfigSource.api_type>` :ref:`GRPC\n <envoy_v3_api_enum_value_config.core.v3.ApiConfigSource.ApiType.GRPC>`. Only\n :ref:`ConfigSources <envoy_v3_api_msg_config.core.v3.ConfigSource>` that have\n the :ref:`ads <envoy_v3_api_field_config.core.v3.ConfigSource.ads>` field set will be\n streamed on the ADS channel."
}
},
"additionalProperties": true,
"type": "object",
"description": "xDS configuration sources."
},
"cluster_manager": {
"properties": {
"local_cluster_name": {
"type": "string",
"description": "Name of the local cluster (i.e., the cluster that owns the Envoy running\n this configuration). In order to enable :ref:`zone aware routing\n <arch_overview_load_balancing_zone_aware_routing>` this option must be set.\n If *local_cluster_name* is defined then :ref:`clusters\n <envoy_v3_api_msg_config.cluster.v3.Cluster>` must be defined in the :ref:`Bootstrap\n static cluster resources\n <envoy_v3_api_field_config.bootstrap.v3.Bootstrap.StaticResources.clusters>`. This is unrelated to\n the :option:`--service-cluster` option which does not `affect zone aware\n routing <https://github.com/envoyproxy/envoy/issues/774>`_."
},
"outlier_detection": {
"properties": {
"event_log_path": {
"type": "string",
"description": "Specifies the path to the outlier event log."
},
"event_service": {
"$ref": "#/definitions/envoy.config.core.v3.EventServiceConfig",
"additionalProperties": true,
"description": "[#not-implemented-hide:]\n The gRPC service for the outlier detection event service.\n If empty, outlier detection events won't be sent to a remote endpoint."
}
},
"additionalProperties": true,
"type": "object",
"description": "Optional global configuration for outlier detection."
},
"upstream_bind_config": {
"$ref": "#/definitions/envoy.config.core.v3.BindConfig",
"additionalProperties": true,
"description": "Optional configuration used to bind newly established upstream connections.\n This may be overridden on a per-cluster basis by upstream_bind_config in the cds_config."
},
"load_stats_config": {
"$ref": "#/definitions/envoy.config.core.v3.ApiConfigSource",
"additionalProperties": true,
"description": "A management server endpoint to stream load stats to via\n *StreamLoadStats*. This must have :ref:`api_type\n <envoy_v3_api_field_config.core.v3.ApiConfigSource.api_type>` :ref:`GRPC\n <envoy_v3_api_enum_value_config.core.v3.ApiConfigSource.ApiType.GRPC>`."
}
},
"additionalProperties": true,
"type": "object",
"description": "Configuration for the cluster manager which owns all upstream clusters\n within the server."
},
"hds_config": {
"$ref": "#/definitions/envoy.config.core.v3.ApiConfigSource",
"additionalProperties": true,
"description": "Health discovery service config option.\n (:ref:`core.ApiConfigSource <envoy_v3_api_msg_config.core.v3.ApiConfigSource>`)"
},
"flags_path": {
"type": "string",
"description": "Optional file system path to search for startup flag files."
},
"stats_sinks": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "The name of the stats sink to instantiate. The name must match a supported\n stats sink.\n See the :ref:`extensions listed in typed_config below <extension_category_envoy.stats_sinks>` for the default list of available stats sink.\n Sinks optionally support tagged/multiple dimensional metrics."
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. This string must contain at least\n one \"/\" character. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type.",
"format": "binary",
"binaryEncoding": "base64"
}
},
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": false,
"type": "object",
"description": "\n Statistics :ref:`architecture overview <arch_overview_statistics>`.\n\nConfiguration for pluggable stats sinks."
},
"type": "array",
"description": "Optional set of stats sinks."
},
"stats_config": {
"properties": {
"stats_tags": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"tag_name": {
"type": "string",
"description": "Attaches an identifier to the tag values to identify the tag being in the\n sink. Envoy has a set of default names and regexes to extract dynamic\n portions of existing stats, which can be found in :repo:`well_known_names.h\n <source/common/config/well_known_names.h>` in the Envoy repository. If a :ref:`tag_name\n <envoy_v3_api_field_config.metrics.v3.TagSpecifier.tag_name>` is provided in the config and\n neither :ref:`regex <envoy_v3_api_field_config.metrics.v3.TagSpecifier.regex>` or\n :ref:`fixed_value <envoy_v3_api_field_config.metrics.v3.TagSpecifier.fixed_value>` were specified,\n Envoy will attempt to find that name in its set of defaults and use the accompanying regex.\n\n .. note::\n\n It is invalid to specify the same tag name twice in a config."
},
"regex": {
"type": "string",
"description": "Designates a tag to strip from the tag extracted name and provide as a named\n tag value for all statistics. This will only occur if any part of the name\n matches the regex provided with one or more capture groups.\n\n The first capture group identifies the portion of the name to remove. The\n second capture group (which will normally be nested inside the first) will\n designate the value of the tag for the statistic. If no second capture\n group is provided, the first will also be used to set the value of the tag.\n All other capture groups will be ignored.\n\n Example 1. a stat name ``cluster.foo_cluster.upstream_rq_timeout`` and\n one tag specifier:\n\n .. code-block:: json\n\n {\n \"tag_name\": \"envoy.cluster_name\",\n \"regex\": \"^cluster\\\\.((.+?)\\\\.)\"\n }\n\n Note that the regex will remove ``foo_cluster.`` making the tag extracted\n name ``cluster.upstream_rq_timeout`` and the tag value for\n ``envoy.cluster_name`` will be ``foo_cluster`` (note: there will be no\n ``.`` character because of the second capture group).\n\n Example 2. a stat name\n ``http.connection_manager_1.user_agent.ios.downstream_cx_total`` and two\n tag specifiers:\n\n .. code-block:: json\n\n [\n {\n \"tag_name\": \"envoy.http_user_agent\",\n \"regex\": \"^http(?=\\\\.).*?\\\\.user_agent\\\\.((.+?)\\\\.)\\\\w+?$\"\n },\n {\n \"tag_name\": \"envoy.http_conn_manager_prefix\",\n \"regex\": \"^http\\\\.((.*?)\\\\.)\"\n }\n ]\n\n The two regexes of the specifiers will be processed in the definition order.\n\n The first regex will remove ``ios.``, leaving the tag extracted name\n ``http.connection_manager_1.user_agent.downstream_cx_total``. The tag\n ``envoy.http_user_agent`` will be added with tag value ``ios``.\n\n The second regex will remove ``connection_manager_1.`` from the tag\n extracted name produced by the first regex\n ``http.connection_manager_1.user_agent.downstream_cx_total``, leaving\n ``http.user_agent.downstream_cx_total`` as the tag extracted name. 
The tag\n ``envoy.http_conn_manager_prefix`` will be added with the tag value\n ``connection_manager_1``."
},
"fixed_value": {
"type": "string",
"description": "Specifies a fixed tag value for the ``tag_name``."
}
},
"additionalProperties": false,
"type": "object",
"description": "Designates a tag name and value pair. The value may be either a fixed value\n or a regex providing the value via capture groups. The specified tag will be\n unconditionally set if a fixed value, otherwise it will only be set if one\n or more capture groups in the regex match."
},
"type": "array",
"description": "Each stat name is iteratively processed through these tag specifiers.\n When a tag is matched, the first capture group is removed from the name so\n later :ref:`TagSpecifiers <envoy_v3_api_msg_config.metrics.v3.TagSpecifier>` cannot match that\n same portion of the match."
},
"use_all_default_tags": {
"additionalProperties": true,
"type": "boolean",
"description": "Use all default tag regexes specified in Envoy. These can be combined with\n custom tags specified in :ref:`stats_tags\n <envoy_v3_api_field_config.metrics.v3.StatsConfig.stats_tags>`. They will be processed before\n the custom tags.\n\n .. note::\n\n If any default tags are specified twice, the config will be considered\n invalid.\n\n See :repo:`well_known_names.h <source/common/config/well_known_names.h>` for a list of the\n default tags in Envoy.\n\n If not provided, the value is assumed to be true."
},
"stats_matcher": {
"properties": {
"reject_all": {
"type": "boolean",
"description": "If `reject_all` is true, then all stats are disabled. If `reject_all` is false, then all\n stats are enabled."
},
"exclusion_list": {
"$ref": "#/definitions/envoy.type.matcher.v3.ListStringMatcher",
"additionalProperties": true,
"description": "Exclusive match. All stats are enabled except for those matching one of the supplied\n StringMatcher protos."
},
"inclusion_list": {
"$ref": "#/definitions/envoy.type.matcher.v3.ListStringMatcher",
"additionalProperties": true,
"description": "Inclusive match. No stats are enabled except for those matching one of the supplied\n StringMatcher protos."
}
},
"additionalProperties": true,
"type": "object",
"description": "Inclusion/exclusion matcher for stat name creation. If not provided, all stats are instantiated\n as normal. Preventing the instantiation of certain families of stats can improve memory\n performance for Envoys running especially large configs.\n\n .. warning::\n Excluding stats may affect Envoy's behavior in undocumented ways. See\n `issue #8771 <https://github.com/envoyproxy/envoy/issues/8771>`_ for more information.\n If any unexpected behavior changes are observed, please open a new issue immediately."
},
"histogram_bucket_settings": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"match": {
"$ref": "#/definitions/envoy.type.matcher.v3.StringMatcher",
"additionalProperties": true,
"description": "The stats that this rule applies to. The match is applied to the original stat name\n before tag-extraction, for example `cluster.exampleclustername.upstream_cx_length_ms`."
},
"buckets": {
"items": {
"type": "number"
},
"type": "array",
"description": "Each value is the upper bound of a bucket. Each bucket must be greater than 0 and unique.\n The order of the buckets does not matter."
}
},
"additionalProperties": false,
"type": "object",
"description": "Specifies a matcher for stats and the buckets that matching stats should use."
},
"type": "array",
"description": "Defines rules for setting the histogram buckets. Rules are evaluated in order, and the first\n match is applied. If no match is found (or if no rules are set), the following default buckets\n are used:\n\n .. code-block:: json\n\n [\n 0.5,\n 1,\n 5,\n 10,\n 25,\n 50,\n 100,\n 250,\n 500,\n 1000,\n 2500,\n 5000,\n 10000,\n 30000,\n 60000,\n 300000,\n 600000,\n 1800000,\n 3600000\n ]"
}
},
"additionalProperties": true,
"type": "object",
"description": "Configuration for internal processing of stats."
},
"stats_flush_interval": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "Optional duration between flushes to configured stats sinks. For\n performance reasons Envoy latches counters and only flushes counters and\n gauges at a periodic interval. If not specified the default is 5000ms (5\n seconds). Only one of `stats_flush_interval` or `stats_flush_on_admin`\n can be set.\n Duration must be at least 1ms and at most 5 min."
},
"stats_flush_on_admin": {
"type": "boolean",
"description": "Flush stats to sinks only when queried for on the admin interface. If set,\n a flush timer is not created. Only one of `stats_flush_on_admin` or\n `stats_flush_interval` can be set."
},
"watchdog": {
"$ref": "#/definitions/envoy.config.bootstrap.v3.Watchdog",
"additionalProperties": true,
"description": "Optional watchdog configuration.\n This is for a single watchdog configuration for the entire system.\n Deprecated in favor of *watchdogs* which has finer granularity."
},
"watchdogs": {
"properties": {
"main_thread_watchdog": {
"$ref": "#/definitions/envoy.config.bootstrap.v3.Watchdog",
"additionalProperties": true,
"description": "Watchdog for the main thread."
},
"worker_watchdog": {
"$ref": "#/definitions/envoy.config.bootstrap.v3.Watchdog",
"additionalProperties": true,
"description": "Watchdog for the worker threads."
}
},
"additionalProperties": true,
"type": "object",
"description": "Optional watchdogs configuration.\n This is used for specifying different watchdogs for the different subsystems.\n "
},
"tracing": {
"properties": {
"http": {
"properties": {
"name": {
"type": "string",
"description": "The name of the HTTP trace driver to instantiate. The name must match a\n supported HTTP trace driver.\n See the :ref:`extensions listed in typed_config below <extension_category_envoy.tracers>` for the default list of the HTTP trace driver."
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. This string must contain at least\n one \"/\" character. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type.",
"format": "binary",
"binaryEncoding": "base64"
}
},
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": true,
"type": "object",
"description": "Provides configuration for the HTTP tracer."
}
},
"additionalProperties": true,
"type": "object",
"description": "Configuration for an external tracing provider.\n\n .. attention::\n This field has been deprecated in favor of :ref:`HttpConnectionManager.Tracing.provider\n <envoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.provider>`."
},
"layered_runtime": {
"properties": {
"layers": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "Descriptive name for the runtime layer. This is only used for the runtime\n :http:get:`/runtime` output."
},
"static_layer": {
"properties": {
"fields": {
"additionalProperties": {
"additionalProperties": true,
"type": "object"
},
"type": "object",
"description": "Unordered map of dynamically typed values."
}
},
"additionalProperties": true,
"type": "object",
"description": ":ref:`Static runtime <config_runtime_bootstrap>` layer.\n This follows the :ref:`runtime protobuf JSON representation encoding\n <config_runtime_proto_json>`. Unlike static xDS resources, this static\n layer is overridable by later layers in the runtime virtual filesystem."
},
"disk_layer": {
"properties": {
"symlink_root": {
"type": "string",
"description": "The implementation assumes that the file system tree is accessed via a\n symbolic link. An atomic link swap is used when a new tree should be\n switched to. This parameter specifies the path to the symbolic link.\n Envoy will watch the location for changes and reload the file system tree\n when they happen. See documentation on runtime :ref:`atomicity\n <config_runtime_atomicity>` for further details on how reloads are\n treated."
},
"subdirectory": {
"type": "string",
"description": "Specifies the subdirectory to load within the root directory. This is\n useful if multiple systems share the same delivery mechanism. Envoy\n configuration elements can be contained in a dedicated subdirectory."
},
"append_service_cluster": {
"type": "boolean",
"description": ":ref:`Append <config_runtime_local_disk_service_cluster_subdirs>` the\n service cluster to the path under symlink root."
}
},
"additionalProperties": true,
"type": "object"
},
"admin_layer": {
"additionalProperties": true,
"type": "object"
},
"rtds_layer": {
"properties": {
"name": {
"type": "string",
"description": "Resource to subscribe to at *rtds_config* for the RTDS layer."
},
"rtds_config": {
"$ref": "#/definitions/envoy.config.core.v3.ConfigSource",
"additionalProperties": true,
"description": "RTDS configuration source."
}
},
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": false,
"type": "object",
"description": ""
},
"type": "array",
"description": "The :ref:`layers <config_runtime_layering>` of the runtime. This is ordered\n such that later layers in the list overlay earlier entries."
}
},
"additionalProperties": true,
"type": "object",
"description": "Configuration for the runtime configuration provider. If not\n specified, a \u201cnull\u201d provider will be used which will result in all defaults\n being used."
},
"admin": {
"properties": {
"access_log": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.config.accesslog.v3.AccessLog"
},
"type": "array",
"description": "Configuration for :ref:`access logs <arch_overview_access_logs>`\n emitted by the administration server."
},
"access_log_path": {
"type": "string",
"description": "The path to write the access log for the administration server. If no\n access log is desired specify \u2018/dev/null\u2019. This is only required if\n :ref:`address <envoy_v3_api_field_config.bootstrap.v3.Admin.address>` is set.\n Deprecated in favor of *access_log* which offers more options."
},
"profile_path": {
"type": "string",
"description": "The cpu profiler output path for the administration server. If no profile\n path is specified, the default is \u2018/var/log/envoy/envoy.prof\u2019."
},
"address": {
"$ref": "#/definitions/envoy.config.core.v3.Address",
"additionalProperties": true,
"description": "The TCP address that the administration server will listen on.\n If not specified, Envoy will not start an administration server."
},
"socket_options": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.config.core.v3.SocketOption"
},
"type": "array",
"description": "Additional socket options that may not be present in Envoy source code or\n precompiled binaries."
},
"ignore_global_conn_limit": {
"type": "boolean",
"description": "Indicates whether :ref:`global_downstream_max_connections <config_overload_manager_limiting_connections>`\n should apply to the admin interface or not."
}
},
"additionalProperties": true,
"type": "object",
"description": "Configuration for the local administration HTTP server."
},
"overload_manager": {
"properties": {
"refresh_interval": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The interval for refreshing resource usage."
},
"resource_monitors": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "The name of the resource monitor to instantiate. Must match a registered\n resource monitor type.\n See the :ref:`extensions listed in typed_config below <extension_category_envoy.resource_monitors>` for the default list of available resource monitor."
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. This string must contain at least\n one \"/\" character. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type.",
"format": "binary",
"binaryEncoding": "base64"
}
},
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": false,
"type": "object",
"description": "\n\nThe Overload Manager provides an extensible framework to protect Envoy instances\n from overload of various resources (memory, cpu, file descriptors, etc).\n It monitors a configurable set of resources and notifies registered listeners\n when triggers related to those resources fire."
},
"type": "array",
"description": "The set of resources to monitor."
},
"actions": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "The name of the overload action. This is just a well-known string that listeners can\n use for registering callbacks. Custom overload actions should be named using reverse\n DNS to ensure uniqueness."
},
"triggers": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "The name of the resource this is a trigger for."
},
"threshold": {
"properties": {
"value": {
"type": "number",
"description": "If the resource pressure is greater than or equal to this value, the trigger\n will enter saturation."
}
},
"additionalProperties": true,
"type": "object"
},
"scaled": {
"properties": {
"scaling_threshold": {
"type": "number",
"description": "If the resource pressure is greater than this value, the trigger will be in the\n :ref:`scaling <arch_overview_overload_manager-triggers-state>` state with value\n `(pressure - scaling_threshold) / (saturation_threshold - scaling_threshold)`."
},
"saturation_threshold": {
"type": "number",
"description": "If the resource pressure is greater than this value, the trigger will enter saturation."
}
},
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": false,
"type": "object"
},
"type": "array",
"description": "A set of triggers for this action. The state of the action is the maximum\n state of all triggers, which can be scaling between 0 and 1 or saturated. Listeners\n are notified when the overload action changes state."
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. This string must contain at least\n one \"/\" character. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type.",
"format": "binary",
"binaryEncoding": "base64"
}
},
"additionalProperties": true,
"type": "object",
"description": "Configuration for the action being instantiated."
}
},
"additionalProperties": false,
"type": "object"
},
"type": "array",
"description": "The set of overload actions."
},
"buffer_factory_config": {
"properties": {
"minimum_account_to_track_power_of_two": {
"type": "integer",
"description": "The minimum power of two at which Envoy starts tracking an account.\n\n Envoy has 8 power of two buckets starting with the provided exponent below.\n Concretely the 1st bucket contains accounts for streams that use\n [2^minimum_account_to_track_power_of_two,\n 2^(minimum_account_to_track_power_of_two + 1)) bytes.\n With the 8th bucket tracking accounts\n >= 128 * 2^minimum_account_to_track_power_of_two.\n\n The maximum value is 56, since we're using uint64_t for bytes counting,\n and that's the last value that would use the 8 buckets. In practice,\n we don't expect the proxy to be holding 2^56 bytes.\n\n If omitted, Envoy should not do any tracking."
}
},
"additionalProperties": true,
"type": "object",
"description": "Configuration for buffer factory."
}
},
"additionalProperties": true,
"type": "object",
"description": "Optional overload manager configuration."
},
"enable_dispatcher_stats": {
"type": "boolean",
"description": "Enable :ref:`stats for event dispatcher <operations_performance>`, defaults to false.\n Note that this records a value for each iteration of the event loop on every thread. This\n should normally be minimal overhead, but when using\n :ref:`statsd <envoy_v3_api_msg_config.metrics.v3.StatsdSink>`, it will send each observed value\n over the wire individually because the statsd protocol doesn't have any way to represent a\n histogram summary. Be aware that this can be a very large volume of data."
},
"header_prefix": {
"type": "string",
"description": "Optional string which will be used in lieu of x-envoy in prefixing headers.\n\n For example, if this string is present and set to X-Foo, then x-envoy-retry-on will be\n transformed into x-foo-retry-on etc.\n\n Note this applies to the headers Envoy will generate, the headers Envoy will sanitize, and the\n headers Envoy will trust for core code and core extensions only. Be VERY careful making\n changes to this string, especially in multi-layer Envoy deployments or deployments using\n extensions which are not upstream."
},
"stats_server_version_override": {
"additionalProperties": true,
"type": "integer",
"description": "Optional proxy version which will be used to set the value of :ref:`server.version statistic\n <server_statistics>` if specified. Envoy will not process this value, it will be sent as is to\n :ref:`stats sinks <envoy_v3_api_msg_config.metrics.v3.StatsSink>`."
},
"use_tcp_for_dns_lookups": {
"type": "boolean",
"description": "Always use TCP queries instead of UDP queries for DNS lookups.\n This may be overridden on a per-cluster basis in cds_config,\n when :ref:`dns_resolvers <envoy_v3_api_field_config.cluster.v3.Cluster.dns_resolvers>` and\n :ref:`use_tcp_for_dns_lookups <envoy_v3_api_field_config.cluster.v3.Cluster.use_tcp_for_dns_lookups>` are\n specified.\n This field is deprecated in favor of *dns_resolution_config*\n which aggregates all of the DNS resolver configuration in a single message."
},
"dns_resolution_config": {
"$ref": "#/definitions/envoy.config.core.v3.DnsResolutionConfig",
"additionalProperties": true,
"description": "DNS resolution configuration which includes the underlying dns resolver addresses and options.\n This may be overridden on a per-cluster basis in cds_config, when\n :ref:`dns_resolution_config <envoy_v3_api_field_config.cluster.v3.Cluster.dns_resolution_config>`\n is specified.\n This field is deprecated in favor of\n :ref:`typed_dns_resolver_config <envoy_v3_api_field_config.bootstrap.v3.Bootstrap.typed_dns_resolver_config>`."
},
"typed_dns_resolver_config": {
"$ref": "#/definitions/envoy.config.core.v3.TypedExtensionConfig",
"additionalProperties": true,
"description": "DNS resolver type configuration extension. This extension can be used to configure c-ares, apple,\n or any other DNS resolver types and the related parameters.\n For example, an object of\n :ref:`CaresDnsResolverConfig <envoy_v3_api_msg_extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig>`\n can be packed into this *typed_dns_resolver_config*. This configuration replaces the\n :ref:`dns_resolution_config <envoy_v3_api_field_config.bootstrap.v3.Bootstrap.dns_resolution_config>`\n configuration.\n During the transition period when both *dns_resolution_config* and *typed_dns_resolver_config* exists,\n when *typed_dns_resolver_config* is in place, Envoy will use it and ignore *dns_resolution_config*.\n When *typed_dns_resolver_config* is missing, the default behavior is in place.\n "
},
"bootstrap_extensions": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.config.core.v3.TypedExtensionConfig"
},
"type": "array",
"description": "Specifies optional bootstrap extensions to be instantiated at startup time.\n Each item contains extension specific configuration.\n "
},
"fatal_actions": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"config": {
"$ref": "#/definitions/envoy.config.core.v3.TypedExtensionConfig",
"additionalProperties": true,
"description": "Extension specific configuration for the action. It's expected to conform\n to the ``Envoy::Server::Configuration::FatalAction`` interface."
}
},
"additionalProperties": false,
"type": "object",
"description": "Fatal actions to run while crashing. Actions can be safe (meaning they are\n async-signal safe) or unsafe. We run all safe actions before we run unsafe actions.\n If using an unsafe action that could get stuck or deadlock, it important to\n have an out of band system to terminate the process.\n\n The interface for the extension is ``Envoy::Server::Configuration::FatalAction``.\n *FatalAction* extensions live in the ``envoy.extensions.fatal_actions`` API\n namespace."
},
"type": "array",
"description": "Specifies optional extensions instantiated at startup time and\n invoked during crash time on the request that caused the crash."
},
"config_sources": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.config.core.v3.ConfigSource"
},
"type": "array",
"description": "Configuration sources that will participate in\n xdstp:// URL authority resolution. The algorithm is as\n follows:\n 1. The authority field is taken from the xdstp:// URL, call\n this *resource_authority*.\n 2. *resource_authority* is compared against the authorities in any peer\n *ConfigSource*. The peer *ConfigSource* is the configuration source\n message which would have been used unconditionally for resolution\n with opaque resource names. If there is a match with an authority, the\n peer *ConfigSource* message is used.\n 3. *resource_authority* is compared sequentially with the authorities in\n each configuration source in *config_sources*. The first *ConfigSource*\n to match wins.\n 4. As a fallback, if no configuration source matches, then\n *default_config_source* is used.\n 5. If *default_config_source* is not specified, resolution fails.\n [#not-implemented-hide:]"
},
"default_config_source": {
"$ref": "#/definitions/envoy.config.core.v3.ConfigSource",
"additionalProperties": true,
"description": "Default configuration source for xdstp:// URLs if all\n other resolution fails.\n [#not-implemented-hide:]"
},
"default_socket_interface": {
"type": "string",
"description": "Optional overriding of default socket interface. The value must be the name of one of the\n socket interface factories initialized through a bootstrap extension"
},
"certificate_provider_instances": {
"additionalProperties": {
"$ref": "#/definitions/envoy.config.core.v3.TypedExtensionConfig",
"additionalProperties": true
},
"type": "object",
"description": "Global map of CertificateProvider instances. These instances are referred to by name in the\n :ref:`CommonTlsContext.CertificateProviderInstance.instance_name\n <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CommonTlsContext.CertificateProviderInstance.instance_name>`\n field.\n [#not-implemented-hide:]"
},
"inline_headers": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"inline_header_name": {
"type": "string",
"description": "The name of the header that is expected to be set as the inline header."
},
"inline_header_type": {
"enum": [
"REQUEST_HEADER",
0,
"REQUEST_TRAILER",
1,
"RESPONSE_HEADER",
2,
"RESPONSE_TRAILER",
3
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "The type of the header that is expected to be set as the inline header."
}
},
"additionalProperties": false,
"type": "object",
"description": "Used to specify the header that needs to be registered as an inline header.\n\n If a request or response contains multiple headers with the same name and the header\n name is registered as an inline header, then the multiple headers will be folded\n into one, and the multiple header values will be concatenated by a suitable delimiter.\n The delimiter is generally a comma.\n\n For example, if 'foo' is registered as an inline header, and the headers contain\n the following two headers:\n\n .. code-block:: text\n\n foo: bar\n foo: eep\n\n Then they will eventually be folded into:\n\n .. code-block:: text\n\n foo: bar, eep\n\n Inline headers provide O(1) search performance, but each inline header imposes\n an additional memory overhead on all instances of the corresponding type of\n HeaderMap or TrailerMap."
},
"type": "array",
"description": "Specifies a set of headers that need to be registered as inline headers. This configuration\n allows users to customize the inline headers on-demand at Envoy startup without modifying\n Envoy's source code.\n\n Note that the 'set-cookie' header cannot be registered as an inline header."
},
"perf_tracing_file_path": {
"type": "string",
"description": "Optional path to a file with performance tracing data created by \"Perfetto\" SDK in binary\n ProtoBuf format. The default value is \"envoy.pftrace\"."
}
},
"additionalProperties": false,
"type": "object",
"description": "\n This proto is supplied via the :option:`-c` CLI flag and acts as the root\n of the Envoy v3 configuration. See the :ref:`v3 configuration overview\n <config_overview_bootstrap>` for more detail.\n\nBootstrap :ref:`configuration overview <config_overview_bootstrap>`.\n ",
"definitions": {
"envoy.config.accesslog.v3.AccessLog": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "The name of the access log extension to instantiate.\n The name must match one of the compiled in loggers.\n See the :ref:`extensions listed in typed_config below <extension_category_envoy.access_loggers>` for the default list of available loggers."
},
"filter": {
"$ref": "#/definitions/envoy.config.accesslog.v3.AccessLogFilter",
"additionalProperties": true,
"description": "Filter which is used to determine if the access log needs to be written."
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. This string must contain at least\n one \"/\" character. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type.",
"format": "binary",
"binaryEncoding": "base64"
}
},
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": false,
"type": "object",
"description": "",
"id": "envoy.config.accesslog.v3.AccessLog"
},
"envoy.config.accesslog.v3.AccessLogFilter": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"status_code_filter": {
"properties": {
"comparison": {
"$ref": "#/definitions/envoy.config.accesslog.v3.ComparisonFilter",
"additionalProperties": true,
"description": "Comparison."
}
},
"additionalProperties": true,
"type": "object",
"description": "Status code filter."
},
"duration_filter": {
"properties": {
"comparison": {
"$ref": "#/definitions/envoy.config.accesslog.v3.ComparisonFilter",
"additionalProperties": true,
"description": "Comparison."
}
},
"additionalProperties": true,
"type": "object",
"description": "Duration filter."
},
"not_health_check_filter": {
"additionalProperties": true,
"type": "object",
"description": "Not health check filter."
},
"traceable_filter": {
"additionalProperties": true,
"type": "object",
"description": "Traceable filter."
},
"runtime_filter": {
"properties": {
"runtime_key": {
"type": "string",
"description": "Runtime key to get an optional overridden numerator for use in the\n *percent_sampled* field. If found in runtime, this value will replace the\n default numerator."
},
"percent_sampled": {
"$ref": "#/definitions/envoy.type.v3.FractionalPercent",
"additionalProperties": true,
"description": "The default sampling percentage. If not specified, defaults to 0% with\n denominator of 100."
},
"use_independent_randomness": {
"type": "boolean",
"description": "By default, sampling pivots on the header\n :ref:`x-request-id<config_http_conn_man_headers_x-request-id>` being\n present. If :ref:`x-request-id<config_http_conn_man_headers_x-request-id>`\n is present, the filter will consistently sample across multiple hosts based\n on the runtime key value and the value extracted from\n :ref:`x-request-id<config_http_conn_man_headers_x-request-id>`. If it is\n missing, or *use_independent_randomness* is set to true, the filter will\n randomly sample based on the runtime key value alone.\n *use_independent_randomness* can be used for logging kill switches within\n complex nested :ref:`AndFilter\n <envoy_v3_api_msg_config.accesslog.v3.AndFilter>` and :ref:`OrFilter\n <envoy_v3_api_msg_config.accesslog.v3.OrFilter>` blocks that are easier to\n reason about from a probability perspective (i.e., setting to true will\n cause the filter to behave like an independent random variable when\n composed within logical operator filters)."
}
},
"additionalProperties": true,
"type": "object",
"description": "Runtime filter."
},
"and_filter": {
"properties": {
"filters": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.config.accesslog.v3.AccessLogFilter"
},
"type": "array"
}
},
"additionalProperties": true,
"type": "object",
"description": "And filter."
},
"or_filter": {
"properties": {
"filters": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.config.accesslog.v3.AccessLogFilter"
},
"type": "array"
}
},
"additionalProperties": true,
"type": "object",
"description": "Or filter."
},
"header_filter": {
"properties": {
"header": {
"properties": {
"name": {
"type": "string",
"description": "Specifies the name of the header in the request."
},
"exact_match": {
"type": "string",
"description": "If specified, header match will be performed based on the value of the header.\n This field is deprecated. Please use :ref:`string_match <envoy_v3_api_field_config.route.v3.HeaderMatcher.string_match>`."
},
"safe_regex_match": {
"$ref": "#/definitions/envoy.type.matcher.v3.RegexMatcher",
"additionalProperties": true,
"description": "If specified, this regex string is a regular expression rule which implies the entire request\n header value must match the regex. The rule will not match if only a subsequence of the\n request header value matches the regex.\n This field is deprecated. Please use :ref:`string_match <envoy_v3_api_field_config.route.v3.HeaderMatcher.string_match>`."
},
"range_match": {
"$ref": "#/definitions/envoy.type.v3.Int64Range",
"additionalProperties": true,
"description": "If specified, header match will be performed based on range.\n The rule will match if the request header value is within this range.\n The entire request header value must represent an integer in base 10 notation: consisting of\n an optional plus or minus sign followed by a sequence of digits. The rule will not match if\n the header value does not represent an integer. Match will fail for empty values, floating\n point numbers or if only a subsequence of the header value is an integer.\n\n Examples:\n\n * For range [-10,0), route will match for header value -1, but not for 0, \"somestring\", 10.9,\n \"-1somestring\""
},
"present_match": {
"type": "boolean",
"description": "If specified as true, header match will be performed based on whether the header is in the\n request. If specified as false, header match will be performed based on whether the header is absent."
},
"prefix_match": {
"type": "string",
"description": "If specified, header match will be performed based on the prefix of the header value.\n Note: empty prefix is not allowed, please use present_match instead.\n This field is deprecated. Please use :ref:`string_match <envoy_v3_api_field_config.route.v3.HeaderMatcher.string_match>`.\n\n Examples:\n\n * The prefix *abcd* matches the value *abcdxyz*, but not for *abcxyz*."
},
"suffix_match": {
"type": "string",
"description": "If specified, header match will be performed based on the suffix of the header value.\n Note: empty suffix is not allowed, please use present_match instead.\n This field is deprecated. Please use :ref:`string_match <envoy_v3_api_field_config.route.v3.HeaderMatcher.string_match>`.\n\n Examples:\n\n * The suffix *abcd* matches the value *xyzabcd*, but not for *xyzbcd*."
},
"contains_match": {
"type": "string",
"description": "If specified, header match will be performed based on whether the header value contains\n the given value or not.\n Note: empty contains match is not allowed, please use present_match instead.\n This field is deprecated. Please use :ref:`string_match <envoy_v3_api_field_config.route.v3.HeaderMatcher.string_match>`.\n\n Examples:\n\n * The value *abcd* matches the value *xyzabcdpqr*, but not for *xyzbcdpqr*."
},
"string_match": {
"$ref": "#/definitions/envoy.type.matcher.v3.StringMatcher",
"additionalProperties": true,
"description": "If specified, header match will be performed based on the string match of the header value."
},
"invert_match": {
"type": "boolean",
"description": "If specified, the match result will be inverted before checking. Defaults to false.\n\n Examples:\n\n * The regex ``\\d{3}`` does not match the value *1234*, so it will match when inverted.\n * The range [-10,0) will match the value -1, so it will not match when inverted."
}
},
"additionalProperties": true,
"type": "object",
"description": "Only requests with a header which matches the specified HeaderMatcher will\n pass the filter check."
}
},
"additionalProperties": true,
"type": "object",
"description": "Header filter."
},
"response_flag_filter": {
"properties": {
"flags": {
"items": {
"type": "string"
},
"type": "array",
"description": "Only responses with any of the flags listed in this field will be\n logged. This field is optional. If it is not specified, then any response\n flag will pass the filter check."
}
},
"additionalProperties": true,
"type": "object",
"description": "Response flag filter."
},
"grpc_status_filter": {
"properties": {
"statuses": {
"items": {
"enum": [
"OK",
0,
"CANCELED",
1,
"UNKNOWN",
2,
"INVALID_ARGUMENT",
3,
"DEADLINE_EXCEEDED",
4,
"NOT_FOUND",
5,
"ALREADY_EXISTS",
6,
"PERMISSION_DENIED",
7,
"RESOURCE_EXHAUSTED",
8,
"FAILED_PRECONDITION",
9,
"ABORTED",
10,
"OUT_OF_RANGE",
11,
"UNIMPLEMENTED",
12,
"INTERNAL",
13,
"UNAVAILABLE",
14,
"DATA_LOSS",
15,
"UNAUTHENTICATED",
16
]
},
"type": "array",
"description": "Logs only responses that have any one of the gRPC statuses in this field."
},
"exclude": {
"type": "boolean",
"description": "If included and set to true, the filter will instead block all responses\n with a gRPC status or inferred gRPC status enumerated in statuses, and\n allow all other responses."
}
},
"additionalProperties": true,
"type": "object",
"description": "gRPC status filter."
},
"extension_filter": {
"properties": {
"name": {
"type": "string",
"description": "The name of the filter implementation to instantiate. The name must\n match a statically registered filter."
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. This string must contain at least\n one \"/\" character. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type.",
"format": "binary",
"binaryEncoding": "base64"
}
},
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": true,
"type": "object",
"description": "Extension filter.\n "
},
"metadata_filter": {
"properties": {
"matcher": {
"properties": {
"filter": {
"type": "string",
"description": "The filter name to retrieve the Struct from the Metadata."
},
"path": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"key": {
"type": "string",
"description": "If specified, use the key to retrieve the value in a Struct."
}
},
"additionalProperties": false,
"type": "object",
"description": "Specifies the segment in a path to retrieve value from Metadata.\n Note: Currently it's not supported to retrieve a value from a list in Metadata. This means that\n if the segment key refers to a list, it has to be the last segment in a path."
},
"type": "array",
"description": "The path to retrieve the Value from the Struct."
},
"value": {
"$ref": "#/definitions/envoy.type.matcher.v3.ValueMatcher",
"additionalProperties": true,
"description": "The MetadataMatcher is matched if the value retrieved by path is matched to this value."
},
"invert": {
"type": "boolean",
"description": "If true, the match result will be inverted."
}
},
"additionalProperties": true,
"type": "object",
"description": "Matcher to check metadata for specified value. For example, to match on the\n access_log_hint metadata, set the filter to \"envoy.common\" and the path to\n \"access_log_hint\", and the value to \"true\"."
},
"match_if_key_not_found": {
"additionalProperties": true,
"type": "boolean",
"description": "Default result if the key does not exist in dynamic metadata: if unset or\n true, then log; if false, then don't log."
}
},
"additionalProperties": true,
"type": "object",
"description": "Metadata Filter"
}
},
"additionalProperties": false,
"type": "object",
"description": "",
"id": "envoy.config.accesslog.v3.AccessLogFilter"
},
"envoy.config.accesslog.v3.ComparisonFilter": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"op": {
"enum": [
"EQ",
0,
"GE",
1,
"LE",
2
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "Comparison operator."
},
"value": {
"properties": {
"default_value": {
"type": "integer",
"description": "Default value if runtime value is not available."
},
"runtime_key": {
"type": "string",
"description": "Runtime key to get value for comparison. This value is used if defined."
}
},
"additionalProperties": true,
"type": "object",
"description": "Value to compare against."
}
},
"additionalProperties": false,
"type": "object",
"description": "Filter on an integer comparison.",
"id": "envoy.config.accesslog.v3.ComparisonFilter"
},
"envoy.config.bootstrap.v3.Watchdog": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"actions": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"config": {
"$ref": "#/definitions/envoy.config.core.v3.TypedExtensionConfig",
"additionalProperties": true,
"description": "Extension specific configuration for the action."
},
"event": {
"enum": [
"UNKNOWN",
0,
"KILL",
1,
"MULTIKILL",
2,
"MEGAMISS",
3,
"MISS",
4
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
]
}
},
"additionalProperties": false,
"type": "object"
},
"type": "array",
"description": "Register actions that will fire on given WatchDog events.\n See *WatchDogAction* for priority of events."
},
"miss_timeout": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The duration after which Envoy counts a nonresponsive thread in the\n *watchdog_miss* statistic. If not specified the default is 200ms."
},
"megamiss_timeout": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The duration after which Envoy counts a nonresponsive thread in the\n *watchdog_mega_miss* statistic. If not specified the default is\n 1000ms."
},
"kill_timeout": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "If a watched thread has been nonresponsive for this duration, assume a\n programming error and kill the entire Envoy process. Set to 0 to disable\n kill behavior. If not specified the default is 0 (disabled)."
},
"max_kill_timeout_jitter": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "Defines the maximum jitter used to adjust the *kill_timeout* if *kill_timeout* is\n enabled. Enabling this feature would help to reduce risk of synchronized\n watchdog kill events across proxies due to external triggers. Set to 0 to\n disable. If not specified the default is 0 (disabled)."
},
"multikill_timeout": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "If max(2, ceil(registered_threads * Fraction(*multikill_threshold*)))\n threads have been nonresponsive for at least this duration kill the entire\n Envoy process. Set to 0 to disable this behavior. If not specified the\n default is 0 (disabled)."
},
"multikill_threshold": {
"$ref": "#/definitions/envoy.type.v3.Percent",
"additionalProperties": true,
"description": "Sets the threshold for *multikill_timeout* in terms of the percentage of\n nonresponsive threads required for the *multikill_timeout*.\n If not specified the default is 0."
}
},
"additionalProperties": false,
"type": "object",
"description": "Envoy process watchdog configuration. When configured, this monitors for\n nonresponsive threads and kills the process after the configured thresholds.\n See the :ref:`watchdog documentation <operations_performance_watchdog>` for more information.\n ",
"id": "envoy.config.bootstrap.v3.Watchdog"
},
"envoy.config.cluster.v3.Cluster.SlowStartConfig": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"slow_start_window": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "Represents the size of slow start window.\n If set, the newly created host remains in slow start mode starting from its creation time\n for the duration of slow start window."
},
"aggression": {
"$ref": "#/definitions/envoy.config.core.v3.RuntimeDouble",
"additionalProperties": true,
"description": "This parameter controls the speed of traffic increase over the slow start window. Defaults to 1.0,\n so that the endpoint would get a linearly increasing amount of traffic.\n When increasing the value for this parameter, the speed of traffic ramp-up increases non-linearly.\n The value of the aggression parameter should be greater than 0.0.\n By tuning the parameter, it is possible to achieve a polynomial or exponential shape of the ramp-up curve.\n\n During the slow start window, the effective weight of an endpoint would be scaled with time factor and aggression:\n `new_weight = weight * time_factor ^ (1 / aggression)`,\n where `time_factor=(time_since_start_seconds / slow_start_time_seconds)`.\n\n As time progresses, more and more traffic would be sent to the endpoint that is in the slow start window.\n Once the host exits slow start, time_factor and aggression no longer affect its weight."
}
},
"additionalProperties": false,
"type": "object",
"description": "Configuration for :ref:`slow start mode <arch_overview_load_balancing_slow_start>`.",
"id": "envoy.config.cluster.v3.Cluster.SlowStartConfig"
},
"envoy.config.core.v3.Address": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"socket_address": {
"$ref": "#/definitions/envoy.config.core.v3.SocketAddress",
"additionalProperties": true
},
"pipe": {
"properties": {
"path": {
"type": "string",
"description": "Unix Domain Socket path. On Linux, paths starting with '@' will use the\n abstract namespace. The starting '@' is replaced by a null byte by Envoy.\n Paths starting with '@' will result in an error in environments other than\n Linux."
},
"mode": {
"type": "integer",
"description": "The mode for the Pipe. Not applicable for abstract sockets."
}
},
"additionalProperties": true,
"type": "object"
},
"envoy_internal_address": {
"properties": {
"server_listener_name": {
"type": "string",
"description": "[#not-implemented-hide:] The :ref:`listener name <envoy_v3_api_field_config.listener.v3.Listener.name>` of the destination internal listener."
}
},
"additionalProperties": true,
"type": "object",
"description": "[#not-implemented-hide:]"
}
},
"additionalProperties": false,
"type": "object",
"description": "Addresses specify either a logical or physical address and port, which are\n used to tell Envoy where to bind/listen, connect to upstream and find\n management servers.",
"id": "envoy.config.core.v3.Address"
},
"envoy.config.core.v3.ApiConfigSource": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"api_type": {
"enum": [
"DEPRECATED_AND_UNAVAILABLE_DO_NOT_USE",
0,
"REST",
1,
"GRPC",
2,
"DELTA_GRPC",
3,
"AGGREGATED_GRPC",
5,
"AGGREGATED_DELTA_GRPC",
6
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "API type (gRPC, REST, delta gRPC)"
},
"transport_api_version": {
"enum": [
"AUTO",
0,
"V2",
1,
"V3",
2
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "API version for xDS transport protocol. This describes the xDS gRPC/REST\n endpoint and version of [Delta]DiscoveryRequest/Response used on the wire."
},
"cluster_names": {
"items": {
"type": "string"
},
"type": "array",
"description": "Cluster names should be used only with REST. If > 1\n cluster is defined, clusters will be cycled through if any kind of failure\n occurs.\n\n .. note::\n\n The cluster with name ``cluster_name`` must be statically defined and its\n type must not be ``EDS``."
},
"grpc_services": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.config.core.v3.GrpcService"
},
"type": "array",
"description": "Multiple gRPC services can be provided for GRPC. If > 1 cluster is defined,\n services will be cycled through if any kind of failure occurs."
},
"refresh_delay": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "For REST APIs, the delay between successive polls."
},
"request_timeout": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "For REST APIs, the request timeout. If not set, a default value of 1s will be used."
},
"rate_limit_settings": {
"properties": {
"max_tokens": {
"additionalProperties": true,
"type": "integer",
"description": "Maximum number of tokens to be used for rate limiting discovery request calls. If not set, a\n default value of 100 will be used."
},
"fill_rate": {
"additionalProperties": true,
"type": "number",
"description": "Rate at which tokens will be filled per second. If not set, a default fill rate of 10 tokens\n per second will be used."
}
},
"additionalProperties": true,
"type": "object",
"description": "For GRPC APIs, the rate limit settings. If present, discovery requests made by Envoy will be\n rate limited."
},
"set_node_on_first_message_only": {
"type": "boolean",
"description": "Skip the node identifier in subsequent discovery requests for streaming gRPC config types."
}
},
"additionalProperties": false,
"type": "object",
"description": "API configuration source. This identifies the API type and cluster that Envoy\n will use to fetch an xDS API.\n ",
"id": "envoy.config.core.v3.ApiConfigSource"
},
"envoy.config.core.v3.BindConfig": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"source_address": {
"$ref": "#/definitions/envoy.config.core.v3.SocketAddress",
"additionalProperties": true,
"description": "The address to bind to when creating a socket."
},
"freebind": {
"additionalProperties": true,
"type": "boolean",
"description": "Whether to set the *IP_FREEBIND* option when creating the socket. When this\n flag is set to true, allows the :ref:`source_address\n <envoy_v3_api_field_config.cluster.v3.UpstreamBindConfig.source_address>` to be an IP address\n that is not configured on the system running Envoy. When this flag is set\n to false, the option *IP_FREEBIND* is disabled on the socket. When this\n flag is not set (default), the socket is not modified, i.e. the option is\n neither enabled nor disabled."
},
"socket_options": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.config.core.v3.SocketOption"
},
"type": "array",
"description": "Additional socket options that may not be present in Envoy source code or\n precompiled binaries."
}
},
"additionalProperties": false,
"type": "object",
"id": "envoy.config.core.v3.BindConfig"
},
"envoy.config.core.v3.BuildVersion": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"version": {
"properties": {
"major_number": {
"type": "integer"
},
"minor_number": {
"type": "integer"
},
"patch": {
"type": "integer"
}
},
"additionalProperties": true,
"type": "object",
"description": "SemVer version of extension."
},
"metadata": {
"properties": {
"fields": {
"additionalProperties": {
"additionalProperties": true,
"type": "object"
},
"type": "object",
"description": "Unordered map of dynamically typed values."
}
},
"additionalProperties": true,
"type": "object",
"description": "Free-form build information.\n Envoy defines several well known keys in the source/common/version/version.h file"
}
},
"additionalProperties": false,
"type": "object",
"description": "BuildVersion combines SemVer version of extension with free-form build information\n (i.e. 'alpha', 'private-build') as a set of strings.",
"id": "envoy.config.core.v3.BuildVersion"
},
"envoy.config.core.v3.CidrRange": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"address_prefix": {
"type": "string",
"description": "IPv4 or IPv6 address, e.g. ``192.0.0.0`` or ``2001:db8::``."
},
"prefix_len": {
"additionalProperties": true,
"type": "integer",
"description": "Length of prefix, e.g. 0, 32. Defaults to 0 when unset."
}
},
"additionalProperties": false,
"type": "object",
"description": "CidrRange specifies an IP Address and a prefix length to construct\n the subnet mask for a `CIDR <https://tools.ietf.org/html/rfc4632>`_ range.",
"id": "envoy.config.core.v3.CidrRange"
},
"envoy.config.core.v3.ConfigSource": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"authorities": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string"
}
},
"additionalProperties": false,
"type": "object",
"description": "xDS authority information."
},
"type": "array",
"description": "Authorities that this config source may be used for. An authority specified in a xdstp:// URL\n is resolved to a *ConfigSource* prior to configuration fetch. This field provides the\n association between authority name and configuration source.\n [#not-implemented-hide:]"
},
"path": {
"type": "string",
"description": "Path on the filesystem to source and watch for configuration updates.\n When sourcing configuration for :ref:`secret <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.Secret>`,\n the certificate and key files are also watched for updates.\n\n .. note::\n\n The path to the source must exist at config load time.\n\n .. note::\n\n Envoy will only watch the file path for *moves.* This is because in general only moves\n are atomic. The same method of swapping files as is demonstrated in the\n :ref:`runtime documentation <config_runtime_symbolic_link_swap>` can be used here also."
},
"api_config_source": {
"$ref": "#/definitions/envoy.config.core.v3.ApiConfigSource",
"additionalProperties": true,
"description": "API configuration source."
},
"ads": {
"additionalProperties": true,
"type": "object",
"description": "When set, ADS will be used to fetch resources. The ADS API configuration\n source in the bootstrap configuration is used."
},
"self": {
"properties": {
"transport_api_version": {
"enum": [
"AUTO",
0,
"V2",
1,
"V3",
2
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "API version for xDS transport protocol. This describes the xDS gRPC/REST\n endpoint and version of [Delta]DiscoveryRequest/Response used on the wire."
}
},
"additionalProperties": true,
"type": "object",
"description": "[#not-implemented-hide:]\n When set, the client will access the resources from the same server it got the\n ConfigSource from, although not necessarily from the same stream. This is similar to the\n :ref:`ads<envoy_v3_api_field.ConfigSource.ads>` field, except that the client may use a\n different stream to the same server. As a result, this field can be used for things\n like LRS that cannot be sent on an ADS stream. It can also be used to link from (e.g.)\n LDS to RDS on the same server without requiring the management server to know its name\n or required credentials.\n [#next-major-version: In xDS v3, consider replacing the ads field with this one, since\n this field can implicitly mean to use the same stream in the case where the ConfigSource\n is provided via ADS and the specified data can also be obtained via ADS.]"
},
"initial_fetch_timeout": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "When this timeout is specified, Envoy will wait no longer than the specified time for first\n config response on this xDS subscription during the :ref:`initialization process\n <arch_overview_initialization>`. After reaching the timeout, Envoy will move to the next\n initialization phase, even if the first config is not delivered yet. The timer is activated\n when the xDS API subscription starts, and is disarmed on first config update or on error. 0\n means no timeout - Envoy will wait indefinitely for the first xDS config (unless another\n timeout applies). The default is 15s."
},
"resource_api_version": {
"enum": [
"AUTO",
0,
"V2",
1,
"V3",
2
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "API version for xDS resources. This implies the type URLs that the client\n will request for resources and the resource type that the client will in\n turn expect to be delivered."
}
},
"additionalProperties": false,
"type": "object",
"description": "Configuration for :ref:`listeners <config_listeners>`, :ref:`clusters\n <config_cluster_manager>`, :ref:`routes\n <envoy_v3_api_msg_config.route.v3.RouteConfiguration>`, :ref:`endpoints\n <arch_overview_service_discovery>` etc. may either be sourced from the\n filesystem or from an xDS API source. Filesystem configs are watched with\n inotify for updates.\n ",
"id": "envoy.config.core.v3.ConfigSource"
},
"envoy.config.core.v3.DataSource": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"filename": {
"type": "string",
"description": "Local filesystem data source."
},
"inline_bytes": {
"type": "string",
"description": "Bytes inlined in the configuration.",
"format": "binary",
"binaryEncoding": "base64"
},
"inline_string": {
"type": "string",
"description": "String inlined in the configuration."
},
"environment_variable": {
"type": "string",
"description": "Environment variable data source."
}
},
"additionalProperties": false,
"type": "object",
"description": "Data source consisting of a file, an inline value, or an environment variable.",
"id": "envoy.config.core.v3.DataSource"
},
"envoy.config.core.v3.DnsResolutionConfig": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"resolvers": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.config.core.v3.Address"
},
"type": "array",
"description": "A list of DNS resolver addresses. If specified, the DNS client library will perform resolution\n via the underlying DNS resolvers. Otherwise, the default system resolvers\n (e.g., /etc/resolv.conf) will be used."
},
"dns_resolver_options": {
"properties": {
"use_tcp_for_dns_lookups": {
"type": "boolean",
"description": "Use TCP for all DNS queries instead of the default protocol UDP."
},
"no_default_search_domain": {
"type": "boolean",
"description": "Do not use the default search domains; only query hostnames as-is or as aliases."
}
},
"additionalProperties": true,
"type": "object",
"description": "Configuration of DNS resolver option flags which control the behavior of the DNS resolver."
}
},
"additionalProperties": false,
"type": "object",
"description": "DNS resolution configuration which includes the underlying DNS resolver addresses and options.",
"id": "envoy.config.core.v3.DnsResolutionConfig"
},
"envoy.config.core.v3.EventServiceConfig": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"grpc_service": {
"$ref": "#/definitions/envoy.config.core.v3.GrpcService",
"additionalProperties": true,
"description": "Specifies the gRPC service that hosts the event reporting service."
}
},
"additionalProperties": false,
"type": "object",
"description": "[#not-implemented-hide:]\n Configuration of the event reporting service endpoint.",
"id": "envoy.config.core.v3.EventServiceConfig"
},
"envoy.config.core.v3.GrpcService": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"envoy_grpc": {
"properties": {
"cluster_name": {
"type": "string",
"description": "The name of the upstream gRPC cluster. SSL credentials will be supplied\n in the :ref:`Cluster <envoy_v3_api_msg_config.cluster.v3.Cluster>` :ref:`transport_socket\n <envoy_v3_api_field_config.cluster.v3.Cluster.transport_socket>`."
},
"authority": {
"type": "string",
"description": "The `:authority` header in the gRPC request. If this field is not set, the authority header value will be `cluster_name`.\n Note that this authority does not override the SNI. The SNI is provided by the transport socket of the cluster."
}
},
"additionalProperties": true,
"type": "object",
"description": "Envoy's in-built gRPC client.\n See the :ref:`gRPC services overview <arch_overview_grpc_services>`\n documentation for discussion on gRPC client selection."
},
"google_grpc": {
"properties": {
"target_uri": {
"type": "string",
"description": "The target URI when using the `Google C++ gRPC client\n <https://github.com/grpc/grpc>`_. SSL credentials will be supplied in\n :ref:`channel_credentials <envoy_v3_api_field_config.core.v3.GrpcService.GoogleGrpc.channel_credentials>`."
},
"channel_credentials": {
"properties": {
"ssl_credentials": {
"properties": {
"root_certs": {
"$ref": "#/definitions/envoy.config.core.v3.DataSource",
"additionalProperties": true,
"description": "PEM encoded server root certificates."
},
"private_key": {
"$ref": "#/definitions/envoy.config.core.v3.DataSource",
"additionalProperties": true,
"description": "PEM encoded client private key."
},
"cert_chain": {
"$ref": "#/definitions/envoy.config.core.v3.DataSource",
"additionalProperties": true,
"description": "PEM encoded client certificate chain."
}
},
"additionalProperties": true,
"type": "object"
},
"google_default": {
"additionalProperties": true,
"type": "object",
"description": "https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61"
},
"local_credentials": {
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": true,
"type": "object"
},
"call_credentials": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"access_token": {
"type": "string",
"description": "Access token credentials.\n https://grpc.io/grpc/cpp/namespacegrpc.html#ad3a80da696ffdaea943f0f858d7a360d."
},
"google_compute_engine": {
"additionalProperties": true,
"type": "object",
"description": "Google Compute Engine credentials.\n https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61"
},
"google_refresh_token": {
"type": "string",
"description": "Google refresh token credentials.\n https://grpc.io/grpc/cpp/namespacegrpc.html#a96901c997b91bc6513b08491e0dca37c."
},
"service_account_jwt_access": {
"properties": {
"json_key": {
"type": "string"
},
"token_lifetime_seconds": {
"type": "string"
}
},
"additionalProperties": true,
"type": "object",
"description": "Service Account JWT Access credentials.\n https://grpc.io/grpc/cpp/namespacegrpc.html#a92a9f959d6102461f66ee973d8e9d3aa."
},
"google_iam": {
"properties": {
"authorization_token": {
"type": "string"
},
"authority_selector": {
"type": "string"
}
},
"additionalProperties": true,
"type": "object",
"description": "Google IAM credentials.\n https://grpc.io/grpc/cpp/namespacegrpc.html#a9fc1fc101b41e680d47028166e76f9d0."
},
"from_plugin": {
"properties": {
"name": {
"type": "string"
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. This string must contain at least\n one \"/\" character. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type.",
"format": "binary",
"binaryEncoding": "base64"
}
},
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": true,
"type": "object",
"description": "Custom authenticator credentials.\n https://grpc.io/grpc/cpp/namespacegrpc.html#a823c6a4b19ffc71fb33e90154ee2ad07.\n https://grpc.io/docs/guides/auth.html#extending-grpc-to-support-other-authentication-mechanisms."
},
"sts_service": {
"properties": {
"token_exchange_service_uri": {
"type": "string",
"description": "URI of the token exchange service that handles token exchange requests.\n [#comment:TODO(asraa): Add URI validation when implemented. Tracked by\n https://github.com/envoyproxy/protoc-gen-validate/issues/303]"
},
"resource": {
"type": "string",
"description": "Location of the target service or resource where the client\n intends to use the requested security token."
},
"audience": {
"type": "string",
"description": "Logical name of the target service where the client intends to\n use the requested security token."
},
"scope": {
"type": "string",
"description": "The desired scope of the requested security token in the\n context of the service or resource where the token will be used."
},
"requested_token_type": {
"type": "string",
"description": "Type of the requested security token."
},
"subject_token_path": {
"type": "string",
"description": "The path of subject token, a security token that represents the\n identity of the party on behalf of whom the request is being made."
},
"subject_token_type": {
"type": "string",
"description": "Type of the subject token."
},
"actor_token_path": {
"type": "string",
"description": "The path of actor token, a security token that represents the identity\n of the acting party. The acting party is authorized to use the\n requested security token and act on behalf of the subject."
},
"actor_token_type": {
"type": "string",
"description": "Type of the actor token."
}
},
"additionalProperties": true,
"type": "object",
"description": "Custom security token service which implements OAuth 2.0 token exchange.\n https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16\n See https://github.com/grpc/grpc/pull/19587."
}
},
"additionalProperties": false,
"type": "object",
"description": ""
},
"type": "array",
"description": "A set of call credentials that can be composed with `channel credentials\n <https://grpc.io/docs/guides/auth.html#credential-types>`_."
},
"stat_prefix": {
"type": "string",
"description": "The human readable prefix to use when emitting statistics for the gRPC\n service.\n\n .. csv-table::\n :header: Name, Type, Description\n :widths: 1, 1, 2\n\n streams_total, Counter, Total number of streams opened\n streams_closed_<gRPC status code>, Counter, Total streams closed with <gRPC status code>"
},
"credentials_factory_name": {
"type": "string",
"description": "The name of the Google gRPC credentials factory to use. This must have been registered with\n Envoy. If this is empty, a default credentials factory will be used that sets up channel\n credentials based on other configuration parameters."
},
"config": {
"properties": {
"fields": {
"additionalProperties": {
"additionalProperties": true,
"type": "object"
},
"type": "object",
"description": "Unordered map of dynamically typed values."
}
},
"additionalProperties": true,
"type": "object",
"description": "Additional configuration for site-specific customizations of the Google\n gRPC library."
},
"per_stream_buffer_limit_bytes": {
"additionalProperties": true,
"type": "integer",
"description": "How many bytes each stream can buffer internally.\n If not set, an implementation-defined default is applied (1MiB)."
},
"channel_args": {
"properties": {
"args": {
"additionalProperties": {
"properties": {
"string_value": {
"type": "string"
},
"int_value": {
"type": "string"
}
},
"additionalProperties": true,
"type": "object"
},
"type": "object",
"description": "See grpc_types.h GRPC_ARG #defines for keys that work here."
}
},
"additionalProperties": true,
"type": "object",
"description": "Custom channel args."
}
},
"additionalProperties": true,
"type": "object",
"description": "`Google C++ gRPC client <https://github.com/grpc/grpc>`_\n See the :ref:`gRPC services overview <arch_overview_grpc_services>`\n documentation for discussion on gRPC client selection."
},
"timeout": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The timeout for the gRPC request. This is the timeout for a specific\n request."
},
"initial_metadata": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.config.core.v3.HeaderValue"
},
"type": "array",
"description": "Additional metadata to include in streams initiated to the GrpcService. This can be used for\n scenarios in which additional ad hoc authorization headers (e.g. ``x-foo-bar: baz-key``) are to\n be injected. For more information, including details on header value syntax, see the\n documentation on :ref:`custom request headers\n <config_http_conn_man_headers_custom_request_headers>`."
}
},
"additionalProperties": false,
"type": "object",
"description": "gRPC service configuration. This is used by :ref:`ApiConfigSource\n <envoy_v3_api_msg_config.core.v3.ApiConfigSource>` and filter configurations.\n ",
"id": "envoy.config.core.v3.GrpcService"
},
"envoy.config.core.v3.HeaderValue": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"key": {
"type": "string",
"description": "Header name."
},
"value": {
"type": "string",
"description": "Header value.\n\n The same :ref:`format specifier <config_access_log_format>` as used for\n :ref:`HTTP access logging <config_access_log>` applies here, however\n unknown header values are replaced with the empty string instead of `-`."
}
},
"additionalProperties": false,
"type": "object",
"description": "Header name/value pair.",
"id": "envoy.config.core.v3.HeaderValue"
},
"envoy.config.core.v3.HealthCheck.Payload": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"text": {
"type": "string",
"description": "Hex encoded payload. E.g., \"000000FF\"."
},
"binary": {
"type": "string",
"description": "[#not-implemented-hide:] Binary payload.",
"format": "binary",
"binaryEncoding": "base64"
}
},
"additionalProperties": false,
"type": "object",
"description": "Describes the encoding of the payload bytes in the payload.",
"id": "envoy.config.core.v3.HealthCheck.Payload"
},
"envoy.config.core.v3.Locality": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"region": {
"type": "string",
"description": "Region this :ref:`zone <envoy_v3_api_field_config.core.v3.Locality.zone>` belongs to."
},
"zone": {
"type": "string",
"description": "Defines the local service zone where Envoy is running. Though optional, it\n should be set if discovery service routing is used and the discovery\n service exposes :ref:`zone data <envoy_v3_api_field_config.endpoint.v3.LocalityLbEndpoints.locality>`,\n either in this message or via :option:`--service-zone`. The meaning of zone\n is context dependent, e.g. `Availability Zone (AZ)\n <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html>`_\n on AWS, `Zone <https://cloud.google.com/compute/docs/regions-zones/>`_ on\n GCP, etc."
},
"sub_zone": {
"type": "string",
"description": "When used for locality of upstream hosts, this field further splits zone\n into smaller chunks of sub-zones so they can be load balanced\n independently."
}
},
"additionalProperties": false,
"type": "object",
"description": "Identifies location of where either Envoy runs or where upstream hosts run.",
"id": "envoy.config.core.v3.Locality"
},
"envoy.config.core.v3.Metadata": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"filter_metadata": {
"additionalProperties": {
"properties": {
"fields": {
"additionalProperties": {
"additionalProperties": true,
"type": "object"
},
"type": "object",
"description": "Unordered map of dynamically typed values."
}
},
"additionalProperties": true,
"type": "object"
},
"type": "object",
"description": "Key is the reverse DNS filter name, e.g. com.acme.widget. The envoy.*\n namespace is reserved for Envoy's built-in filters.\n If both *filter_metadata* and\n :ref:`typed_filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.typed_filter_metadata>`\n fields are present in the metadata with same keys,\n only *typed_filter_metadata* field will be parsed."
},
"typed_filter_metadata": {
"additionalProperties": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. This string must contain at least\n one \"/\" character. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type.",
"format": "binary",
"binaryEncoding": "base64"
}
},
"additionalProperties": true,
"type": "object"
},
"type": "object",
"description": "Key is the reverse DNS filter name, e.g. com.acme.widget. The envoy.*\n namespace is reserved for Envoy's built-in filters.\n The value is encoded as google.protobuf.Any.\n If both :ref:`filter_metadata <envoy_v3_api_field_config.core.v3.Metadata.filter_metadata>`\n and *typed_filter_metadata* fields are present in the metadata with same keys,\n only *typed_filter_metadata* field will be parsed."
}
},
"additionalProperties": false,
"type": "object",
"description": "Metadata provides additional inputs to filters based on matched listeners,\n filter chains, routes and endpoints. It is structured as a map, usually from\n filter name (in reverse DNS format) to metadata specific to the filter. Metadata\n key-values for a filter are merged as connection and request handling occurs,\n with later values for the same key overriding earlier values.\n\n An example use of metadata is providing additional values to\n http_connection_manager in the envoy.http_connection_manager.access_log\n namespace.\n\n Another example use of metadata is per-service config info in cluster metadata, which may get\n consumed by multiple filters.\n\n For load balancing, Metadata provides a means to subset cluster endpoints.\n Endpoints have a Metadata object associated and routes contain a Metadata\n object to match against. There are some well defined metadata used today for\n this purpose:\n\n * ``{\"envoy.lb\": {\"canary\": <bool> }}`` This indicates the canary status of an\n endpoint and is also used during header processing\n (x-envoy-upstream-canary) and for stats purposes.\n ",
"id": "envoy.config.core.v3.Metadata"
},
"envoy.config.core.v3.RuntimeDouble": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"default_value": {
"type": "number",
"description": "Default value if runtime value is not available."
},
"runtime_key": {
"type": "string",
"description": "Runtime key to get value for comparison. This value is used if defined."
}
},
"additionalProperties": false,
"type": "object",
"description": "Runtime derived double with a default when not specified.",
"id": "envoy.config.core.v3.RuntimeDouble"
},
"envoy.config.core.v3.SocketAddress": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"protocol": {
"enum": [
"TCP",
0,
"UDP",
1
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
]
},
"address": {
"type": "string",
"description": "The address for this socket. :ref:`Listeners <config_listeners>` will bind\n to the address. An empty address is not allowed. Specify ``0.0.0.0`` or ``::``\n to bind to any address. [#comment:TODO(zuercher) reinstate when implemented:\n It is possible to distinguish a Listener address via the prefix/suffix matching\n in :ref:`FilterChainMatch <envoy_v3_api_msg_config.listener.v3.FilterChainMatch>`.] When used\n within an upstream :ref:`BindConfig <envoy_v3_api_msg_config.core.v3.BindConfig>`, the address\n controls the source address of outbound connections. For :ref:`clusters\n <envoy_v3_api_msg_config.cluster.v3.Cluster>`, the cluster type determines whether the\n address must be an IP (*STATIC* or *EDS* clusters) or a hostname resolved by DNS\n (*STRICT_DNS* or *LOGICAL_DNS* clusters). Address resolution can be customized\n via :ref:`resolver_name <envoy_v3_api_field_config.core.v3.SocketAddress.resolver_name>`."
},
"port_value": {
"type": "integer"
},
"named_port": {
"type": "string",
"description": "This is only valid if :ref:`resolver_name\n <envoy_v3_api_field_config.core.v3.SocketAddress.resolver_name>` is specified below and the\n named resolver is capable of named port resolution."
},
"resolver_name": {
"type": "string",
"description": "The name of the custom resolver. This must have been registered with Envoy. If\n this is empty, a context dependent default applies. If the address is a concrete\n IP address, no resolution will occur. If address is a hostname this\n should be set for resolution other than DNS. Specifying a custom resolver with\n *STRICT_DNS* or *LOGICAL_DNS* will generate an error at runtime."
},
"ipv4_compat": {
"type": "boolean",
"description": "When binding to an IPv6 address above, this enables `IPv4 compatibility\n <https://tools.ietf.org/html/rfc3493#page-11>`_. Binding to ``::`` will\n allow both IPv4 and IPv6 connections, with peer IPv4 addresses mapped into\n IPv6 space as ``::FFFF:<IPv4-address>``."
}
},
"additionalProperties": false,
"type": "object",
"description": "",
"id": "envoy.config.core.v3.SocketAddress"
},
"envoy.config.core.v3.SocketOption": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"description": {
"type": "string",
"description": "An optional name to give this socket option for debugging, etc.\n Uniqueness is not required and no special meaning is assumed."
},
"level": {
"type": "string",
"description": "Corresponding to the level value passed to setsockopt, such as IPPROTO_TCP"
},
"name": {
"type": "string",
"description": "The numeric name as passed to setsockopt"
},
"int_value": {
"type": "string",
"description": "Because many sockopts take an int value."
},
"buf_value": {
"type": "string",
"description": "Otherwise it's a byte buffer.",
"format": "binary",
"binaryEncoding": "base64"
},
"state": {
"enum": [
"STATE_PREBIND",
0,
"STATE_BOUND",
1,
"STATE_LISTENING",
2
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "The state in which the option will be applied. When used in BindConfig\n STATE_PREBIND is currently the only valid value."
}
},
"additionalProperties": false,
"type": "object",
"description": "Generic socket option message. This would be used to set socket options that\n might not exist in upstream kernels or precompiled Envoy binaries.\n ",
"id": "envoy.config.core.v3.SocketOption"
},
"envoy.config.core.v3.TransportSocket": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "The name of the transport socket to instantiate. The name must match a supported transport\n socket implementation."
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. This string must contain at least\n one \"/\" character. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type.",
"format": "binary",
"binaryEncoding": "base64"
}
},
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": false,
"type": "object",
"description": "Configuration for transport socket in :ref:`listeners <config_listeners>` and\n :ref:`clusters <envoy_v3_api_msg_config.cluster.v3.Cluster>`. If the configuration is\n empty, a default transport socket implementation and configuration will be\n chosen based on the platform and existence of tls_context.",
"id": "envoy.config.core.v3.TransportSocket"
},
"envoy.config.core.v3.TypedExtensionConfig": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "The name of an extension. This is not used to select the extension, instead\n it serves the role of an opaque identifier."
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. This string must contain at least\n one \"/\" character. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type.",
"format": "binary",
"binaryEncoding": "base64"
}
},
"additionalProperties": true,
"type": "object",
"description": "The typed config for the extension. The type URL will be used to identify\n the extension. In the case that the type URL is *xds.type.v3.TypedStruct*\n (or, for historical reasons, *udpa.type.v1.TypedStruct*), the inner type\n URL of *TypedStruct* will be utilized. See the\n :ref:`extension configuration overview\n <config_overview_extension_configuration>` for further details."
}
},
"additionalProperties": false,
"type": "object",
"description": "\n\nMessage type for extension configuration.\n .",
"id": "envoy.config.core.v3.TypedExtensionConfig"
},
"envoy.config.core.v3.WatchedDirectory": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"path": {
"type": "string",
"description": "Directory path to watch."
}
},
"additionalProperties": false,
"type": "object",
"description": "A directory that is watched for changes, e.g. by inotify on Linux. Move/rename\n events inside this directory trigger the watch.",
"id": "envoy.config.core.v3.WatchedDirectory"
},
"envoy.config.endpoint.v3.Endpoint": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"address": {
"$ref": "#/definitions/envoy.config.core.v3.Address",
"additionalProperties": true,
"description": "The upstream host address.\n\n .. attention::\n\n The form of host address depends on the given cluster type. For STATIC or EDS,\n it is expected to be a direct IP address (or something resolvable by the\n specified :ref:`resolver <envoy_v3_api_field_config.core.v3.SocketAddress.resolver_name>`\n in the Address). For LOGICAL or STRICT DNS, it is expected to be hostname,\n and will be resolved via DNS."
},
"health_check_config": {
"properties": {
"port_value": {
"type": "integer",
"description": "Optional alternative health check port value.\n\n By default the health check address port of an upstream host is the same\n as the host's serving address port. This provides an alternative health\n check port. Setting this with a non-zero value allows an upstream host\n to have different health check address port."
},
"hostname": {
"type": "string",
"description": "By default, the host header for L7 health checks is controlled by cluster level configuration\n (see: :ref:`host <envoy_v3_api_field_config.core.v3.HealthCheck.HttpHealthCheck.host>` and\n :ref:`authority <envoy_v3_api_field_config.core.v3.HealthCheck.GrpcHealthCheck.authority>`). Setting this\n to a non-empty value allows overriding the cluster level configuration for a specific\n endpoint."
}
},
"additionalProperties": true,
"type": "object",
"description": "The optional health check configuration is used as configuration for the\n health checker to contact the health checked host.\n\n .. attention::\n\n This takes effect only for upstream clusters with\n :ref:`active health checking <arch_overview_health_checking>` enabled."
},
"hostname": {
"type": "string",
"description": "The hostname associated with this endpoint. This hostname is not used for routing or address\n resolution. If provided, it will be associated with the endpoint, and can be used for features\n that require a hostname, like\n :ref:`auto_host_rewrite <envoy_v3_api_field_config.route.v3.RouteAction.auto_host_rewrite>`."
}
},
"additionalProperties": false,
"type": "object",
"description": "\n\nUpstream host identifier.",
"id": "envoy.config.endpoint.v3.Endpoint"
},
"envoy.config.endpoint.v3.LbEndpoint": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"endpoint": {
"$ref": "#/definitions/envoy.config.endpoint.v3.Endpoint",
"additionalProperties": true
},
"endpoint_name": {
"type": "string",
"description": "[#not-implemented-hide:]"
},
"health_status": {
"enum": [
"UNKNOWN",
0,
"HEALTHY",
1,
"UNHEALTHY",
2,
"DRAINING",
3,
"TIMEOUT",
4,
"DEGRADED",
5
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "Optional health status when known and supplied by EDS server."
},
"metadata": {
"$ref": "#/definitions/envoy.config.core.v3.Metadata",
"additionalProperties": true,
"description": "The endpoint metadata specifies values that may be used by the load\n balancer to select endpoints in a cluster for a given request. The filter\n name should be specified as *envoy.lb*. An example boolean key-value pair\n is *canary*, providing the optional canary status of the upstream host.\n This may be matched against in a route's\n :ref:`RouteAction <envoy_v3_api_msg_config.route.v3.RouteAction>` metadata_match field\n to subset the endpoints considered in cluster load balancing."
},
"load_balancing_weight": {
"additionalProperties": true,
"type": "integer",
"description": "The optional load balancing weight of the upstream host; at least 1.\n Envoy uses the load balancing weight in some of the built in load\n balancers. The load balancing weight for an endpoint is divided by the sum\n of the weights of all endpoints in the endpoint's locality to produce a\n percentage of traffic for the endpoint. This percentage is then further\n weighted by the endpoint's locality's load balancing weight from\n LocalityLbEndpoints. If unspecified, each host is presumed to have equal\n weight in a locality. The sum of the weights of all endpoints in the\n endpoint's locality must not exceed uint32_t maximal value (4294967295)."
}
},
"additionalProperties": false,
"type": "object",
"description": "An Endpoint that Envoy can route traffic to.\n ",
"id": "envoy.config.endpoint.v3.LbEndpoint"
},
"envoy.config.listener.v3.FilterChain": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"filter_chain_match": {
"properties": {
"destination_port": {
"additionalProperties": true,
"type": "integer",
"description": "Optional destination port to consider when use_original_dst is set on the\n listener in determining a filter chain match."
},
"prefix_ranges": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.config.core.v3.CidrRange"
},
"type": "array",
"description": "If non-empty, an IP address and prefix length to match addresses when the\n listener is bound to 0.0.0.0/:: or when use_original_dst is specified."
},
"address_suffix": {
"type": "string",
"description": "If non-empty, an IP address and suffix length to match addresses when the\n listener is bound to 0.0.0.0/:: or when use_original_dst is specified.\n [#not-implemented-hide:]"
},
"suffix_len": {
"additionalProperties": true,
"type": "integer",
"description": "[#not-implemented-hide:]"
},
"direct_source_prefix_ranges": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.config.core.v3.CidrRange"
},
"type": "array",
"description": "The criteria is satisfied if the directly connected source IP address of the downstream\n connection is contained in at least one of the specified subnets. If the parameter is not\n specified or the list is empty, the directly connected source IP address is ignored."
},
"source_type": {
"enum": [
"ANY",
0,
"SAME_IP_OR_LOOPBACK",
1,
"EXTERNAL",
2
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "Specifies the connection source IP match type. Can be any, local or external network."
},
"source_prefix_ranges": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.config.core.v3.CidrRange"
},
"type": "array",
"description": "The criteria is satisfied if the source IP address of the downstream\n connection is contained in at least one of the specified subnets. If the\n parameter is not specified or the list is empty, the source IP address is\n ignored."
},
"source_ports": {
"items": {
"type": "integer"
},
"type": "array",
"description": "The criteria is satisfied if the source port of the downstream connection\n is contained in at least one of the specified ports. If the parameter is\n not specified, the source port is ignored."
},
"server_names": {
"items": {
"type": "string"
},
"type": "array",
"description": "If non-empty, a list of server names (e.g. SNI for TLS protocol) to consider when determining\n a filter chain match. Those values will be compared against the server names of a new\n connection, when detected by one of the listener filters.\n\n The server name will be matched against all wildcard domains, i.e. ``www.example.com``\n will be first matched against ``www.example.com``, then ``*.example.com``, then ``*.com``.\n\n Note that partial wildcards are not supported, and values like ``*w.example.com`` are invalid.\n\n .. attention::\n\n See the :ref:`FAQ entry <faq_how_to_setup_sni>` on how to configure SNI for more\n information."
},
"transport_protocol": {
"type": "string",
"description": "If non-empty, a transport protocol to consider when determining a filter chain match.\n This value will be compared against the transport protocol of a new connection, when\n it's detected by one of the listener filters.\n\n Suggested values include:\n\n * ``raw_buffer`` - default, used when no transport protocol is detected,\n * ``tls`` - set by :ref:`envoy.filters.listener.tls_inspector <config_listener_filters_tls_inspector>`\n when TLS protocol is detected."
},
"application_protocols": {
"items": {
"type": "string"
},
"type": "array",
"description": "If non-empty, a list of application protocols (e.g. ALPN for TLS protocol) to consider when\n determining a filter chain match. Those values will be compared against the application\n protocols of a new connection, when detected by one of the listener filters.\n\n Suggested values include:\n\n * ``http/1.1`` - set by :ref:`envoy.filters.listener.tls_inspector\n <config_listener_filters_tls_inspector>`,\n * ``h2`` - set by :ref:`envoy.filters.listener.tls_inspector <config_listener_filters_tls_inspector>`\n\n .. attention::\n\n Currently, only :ref:`TLS Inspector <config_listener_filters_tls_inspector>` provides\n application protocol detection based on the requested\n `ALPN <https://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation>`_ values.\n\n However, the use of ALPN is pretty much limited to the HTTP/2 traffic on the Internet,\n and matching on values other than ``h2`` is going to lead to a lot of false negatives,\n unless all connecting clients are known to use ALPN."
}
},
"additionalProperties": true,
"type": "object",
"description": "The criteria to use when matching a connection to this filter chain."
},
"filters": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "The name of the filter to instantiate. The name must match a\n :ref:`supported filter <config_network_filters>`."
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. This string must contain at least\n one \"/\" character. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type.",
"format": "binary",
"binaryEncoding": "base64"
}
},
"additionalProperties": true,
"type": "object",
"description": "Filter specific configuration which depends on the filter being\n instantiated. See the supported filters for further documentation.\n "
},
"config_discovery": {
"properties": {
"config_source": {
"$ref": "#/definitions/envoy.config.core.v3.ConfigSource",
"additionalProperties": true
},
"default_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. This string must contain at least\n one \"/\" character. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type.",
"format": "binary",
"binaryEncoding": "base64"
}
},
"additionalProperties": true,
"type": "object",
"description": "Optional default configuration to use as the initial configuration if\n there is a failure to receive the initial extension configuration or if\n `apply_default_config_without_warming` flag is set."
},
"apply_default_config_without_warming": {
"type": "boolean",
"description": "Use the default config as the initial configuration without warming and\n waiting for the first discovery response. Requires the default configuration\n to be supplied."
},
"type_urls": {
"items": {
"type": "string"
},
"type": "array",
"description": "A set of permitted extension type URLs. Extension configuration updates are rejected\n if they do not match any type URL in the set."
}
},
"additionalProperties": true,
"type": "object",
"description": "Configuration source specifier for an extension configuration discovery\n service. In case of a failure and without the default configuration, the\n listener closes the connections.\n [#not-implemented-hide:]"
}
},
"additionalProperties": false,
"type": "object",
"description": "\n Listener :ref:`configuration overview <config_listeners>`\n\n"
},
"type": "array",
"description": "A list of individual network filters that make up the filter chain for\n connections established with the listener. Order matters as the filters are\n processed sequentially as connection events happen. Note: If the filter\n list is empty, the connection will close by default."
},
"use_proxy_proto": {
"additionalProperties": true,
"type": "boolean",
"description": "Whether the listener should expect a PROXY protocol V1 header on new\n connections. If this option is enabled, the listener will assume that the\n remote address of the connection is the one specified in the header. Some\n load balancers including the AWS ELB support this option. If the option is\n absent or set to false, Envoy will use the physical peer address of the\n connection as the remote address.\n\n This field is deprecated. Add a\n :ref:`PROXY protocol listener filter <config_listener_filters_proxy_protocol>`\n explicitly instead."
},
"metadata": {
"$ref": "#/definitions/envoy.config.core.v3.Metadata",
"additionalProperties": true,
"description": "[#not-implemented-hide:] filter chain metadata."
},
"transport_socket": {
"$ref": "#/definitions/envoy.config.core.v3.TransportSocket",
"additionalProperties": true,
"description": "Optional custom transport socket implementation to use for downstream connections.\n To setup TLS, set a transport socket with name `envoy.transport_sockets.tls` and\n :ref:`DownstreamTlsContext <envoy_v3_api_msg_extensions.transport_sockets.tls.v3.DownstreamTlsContext>` in the `typed_config`.\n If no transport socket configuration is specified, new connections\n will be set up with plaintext.\n "
},
"transport_socket_connect_timeout": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "If present and nonzero, the amount of time to allow incoming connections to complete any\n transport socket negotiations. If this expires before the transport reports connection\n establishment, the connection is summarily closed."
},
"name": {
"type": "string",
"description": "[#not-implemented-hide:] The unique name (or empty) by which this filter chain is known. If no\n name is provided, Envoy will allocate an internal UUID for the filter chain. If the filter\n chain is to be dynamically updated or removed via FCDS a unique name must be provided."
},
"on_demand_configuration": {
"properties": {
"rebuild_timeout": {
"properties": {
"seconds": {
"type": "string",
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The timeout to wait for filter chain placeholders to complete rebuilding.\n 1. If this field is set to 0, timeout is disabled.\n 2. If not specified, a default timeout of 15s is used.\n Rebuilding will wait until dependencies are ready, have failed, or this timeout is reached.\n Upon failure or timeout, all connections related to this filter chain will be closed.\n Rebuilding will start again on the next new connection."
}
},
"additionalProperties": true,
"type": "object",
"description": "[#not-implemented-hide:] The configuration to specify whether the filter chain will be built on-demand.\n If this field is not empty, the filter chain will be built on-demand.\n Otherwise, the filter chain will be built normally and block listener warming."
}
},
"additionalProperties": false,
"type": "object",
"description": "A filter chain wraps a set of match criteria, an optional TLS context, a set of filters, and\n various other parameters.\n ",
"id": "envoy.config.listener.v3.FilterChain"
},
"envoy.config.listener.v3.ListenerFilterChainMatchPredicate": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"or_match": {
"$ref": "#/definitions/envoy.config.listener.v3.ListenerFilterChainMatchPredicate.MatchSet",
"additionalProperties": true,
"description": "A set that describes a logical OR. If any member of the set matches, the match configuration\n matches."
},
"and_match": {
"$ref": "#/definitions/envoy.config.listener.v3.ListenerFilterChainMatchPredicate.MatchSet",
"additionalProperties": true,
"description": "A set that describes a logical AND. If all members of the set match, the match configuration\n matches."
},
"not_match": {
"$ref": "#/definitions/envoy.config.listener.v3.ListenerFilterChainMatchPredicate",
"additionalProperties": true,
"description": "A negation match. The match configuration will match if the negated match condition matches."
},
"any_match": {
"type": "boolean",
"description": "The match configuration will always match."
},
"destination_port_range": {
"properties": {
"start": {
"type": "integer",
"description": "start of the range (inclusive)"
},
"end": {
"type": "integer",
"description": "end of the range (exclusive)"
}
},
"additionalProperties": true,
"type": "object",
"description": "Match destination port. Particularly, the match evaluation must use the recovered local port if\n the owning listener filter is after :ref:`an original_dst listener filter <config_listener_filters_original_dst>`."
}
},
"additionalProperties": false,
"type": "object",
"description": "Listener filter chain match configuration. This is a recursive structure which allows complex\n nested match configurations to be built using various logical operators.\n\n Examples:\n\n * Matches if the destination port is 3306.\n\n .. code-block:: yaml\n\n destination_port_range:\n start: 3306\n end: 3307\n\n * Matches if the destination port is 3306 or 15000.\n\n .. code-block:: yaml\n\n or_match:\n rules:\n - destination_port_range:\n start: 3306\n end: 3307\n - destination_port_range:\n start: 15000\n end: 15001\n\n ",
"id": "envoy.config.listener.v3.ListenerFilterChainMatchPredicate"
},
"envoy.config.listener.v3.ListenerFilterChainMatchPredicate.MatchSet": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"rules": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.config.listener.v3.ListenerFilterChainMatchPredicate"
},
"type": "array",
"description": "The list of rules that make up the set."
}
},
"additionalProperties": false,
"type": "object",
"description": "A set of match configurations used for logical operations.",
"id": "envoy.config.listener.v3.ListenerFilterChainMatchPredicate.MatchSet"
},
"envoy.type.matcher.v3.ListStringMatcher": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"patterns": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "#/definitions/envoy.type.matcher.v3.StringMatcher"
},
"type": "array"
}
},
"additionalProperties": false,
"type": "object",
"description": "Specifies a list of ways to match a string.",
"id": "envoy.type.matcher.v3.ListStringMatcher"
},
"envoy.type.matcher.v3.RegexMatcher": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"google_re2": {
"properties": {
"max_program_size": {
"additionalProperties": true,
"type": "integer",
"description": "This field controls the RE2 \"program size\" which is a rough estimate of how complex a\n compiled regex is to evaluate. A regex that has a program size greater than the configured\n value will fail to compile. In this case, the configured max program size can be increased\n or the regex can be simplified. If not specified, the default is 100.\n\n This field is deprecated; regexp validation should be performed on the management server\n instead of being done by each individual client.\n\n .. note::\n\n Although this field is deprecated, the program size will still be checked against the\n global ``re2.max_program_size.error_level`` runtime value."
}
},
"additionalProperties": true,
"type": "object",
"description": "Google's RE2 regex engine."
},
"regex": {
"type": "string",
"description": "The regex match string. The string must be supported by the configured engine."
}
},
"additionalProperties": false,
"type": "object",
"description": "\n\nA regex matcher designed for safety when used with untrusted input.",
"id": "envoy.type.matcher.v3.RegexMatcher"
},
"envoy.type.matcher.v3.StringMatcher": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"exact": {
"type": "string",
"description": "The input string must match exactly the string specified here.\n\n Examples:\n\n * *abc* only matches the value *abc*."
},
"prefix": {
"type": "string",
"description": "The input string must have the prefix specified here.\n Note: empty prefix is not allowed, please use regex instead.\n\n Examples:\n\n * *abc* matches the value *abc.xyz*"
},
"suffix": {
"type": "string",
"description": "The input string must have the suffix specified here.\n Note: empty prefix is not allowed, please use regex instead.\n\n Examples:\n\n * *abc* matches the value *xyz.abc*"
},
"safe_regex": {
"$ref": "#/definitions/envoy.type.matcher.v3.RegexMatcher",
"additionalProperties": true,
"description": "The input string must match the regular expression specified here."
},
"contains": {
"type": "string",
"description": "The input string must have the substring specified here.\n Note: empty contains match is not allowed, please use regex instead.\n\n Examples:\n\n * *abc* matches the value *xyz.abc.def*"
},
"ignore_case": {
"type": "boolean",
"description": "If true, indicates the exact/prefix/suffix/contains matching should be case insensitive. This\n has no effect for the safe_regex match.\n For example, the matcher *data* will match both input string *Data* and *data* if set to true."
}
},
"additionalProperties": false,
"type": "object",
"description": "\n\nSpecifies the way to match a string.\n ",
"id": "envoy.type.matcher.v3.StringMatcher"
},
"envoy.type.matcher.v3.ValueMatcher": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"null_match": {
"additionalProperties": true,
"type": "object",
"description": "If specified, a match occurs if and only if the target value is a NullValue."
},
"double_match": {
"properties": {
"range": {
"properties": {
"start": {
"type": "number",
"description": "start of the range (inclusive)"
},
"end": {
"type": "number",
"description": "end of the range (exclusive)"
}
},
"additionalProperties": true,
"type": "object",
"description": "If specified, the input double value must be in the range specified here.\n Note: The range is using half-open interval semantics [start, end)."
},
"exact": {
"type": "number",
"description": "If specified, the input double value must be equal to the value specified here."
}
},
"additionalProperties": true,
"type": "object",
"description": "If specified, a match occurs if and only if the target value is a double value and is\n matched to this field."
},
"string_match": {
"$ref": "#/definitions/envoy.type.matcher.v3.StringMatcher",
"additionalProperties": true,
"description": "If specified, a match occurs if and only if the target value is a string value and is\n matched to this field."
},
"bool_match": {
"type": "boolean",
"description": "If specified, a match occurs if and only if the target value is a bool value and is equal\n to this field."
},
"present_match": {
"type": "boolean",
"description": "If specified, value match will be performed based on whether the path is referring to a\n valid primitive value in the metadata. If the path is referring to a non-primitive value,\n the result is always not matched."
},
"list_match": {
"properties": {
"one_of": {
"$ref": "#/definitions/envoy.type.matcher.v3.ValueMatcher",
"additionalProperties": true,
"description": "If specified, at least one of the values in the list must match the value specified."
}
},
"additionalProperties": true,
"type": "object",
"description": "If specified, a match occurs if and only if the target value is a list value and\n is matched to this field."
}
},
"additionalProperties": false,
"type": "object",
"description": "\n\nSpecifies the way to match a ProtobufWkt::Value. Primitive values and ListValue are supported.\n StructValue is not supported and is always not matched.\n ",
"id": "envoy.type.matcher.v3.ValueMatcher"
},
"envoy.type.v3.FractionalPercent": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"numerator": {
"type": "integer",
"description": "Specifies the numerator. Defaults to 0."
},
"denominator": {
"enum": [
"HUNDRED",
0,
"TEN_THOUSAND",
1,
"MILLION",
2
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "Specifies the denominator. If the denominator specified is less than the numerator, the final\n fractional percentage is capped at 1 (100%)."
}
},
"additionalProperties": false,
"type": "object",
"description": "A fractional percentage is used in cases in which for performance reasons performing floating\n point to integer conversions during randomness calculations is undesirable. The message includes\n both a numerator and denominator that together determine the final fractional value.\n\n * **Example**: 1/100 = 1%.\n * **Example**: 3/10000 = 0.03%.",
"id": "envoy.type.v3.FractionalPercent"
},
"envoy.type.v3.Int64Range": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"start": {
"type": "string",
"description": "start of the range (inclusive)"
},
"end": {
"type": "string",
"description": "end of the range (exclusive)"
}
},
"additionalProperties": false,
"type": "object",
"description": "\n\nSpecifies the int64 start and end of the range using half-open interval semantics [start,\n end).",
"id": "envoy.type.v3.Int64Range"
},
"envoy.type.v3.Percent": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"value": {
"type": "number"
}
},
"additionalProperties": false,
"type": "object",
"description": "\n\nIdentifies a percentage, in the range [0.0, 100.0].",
"id": "envoy.type.v3.Percent"
}
}
}
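The three definitions that close the schema (`FractionalPercent`, `Int64Range`, `Percent`) can be exercised directly. This added example is not part of the gist; its `errors` and `check` helpers are hypothetical and cover only the draft-04 keywords those definitions use. It shows what the schema catches (misspelled keys, out-of-enum denominators, non-string `Int64Range` bounds) and what it does not: the [0.0, 100.0] range of `Percent` appears only in the description, so it is not enforced.

```python
# Added example, not part of the gist. DEFS copies the three definitions above
# (descriptions dropped); errors()/check() are hypothetical draft-04 subset helpers.
DEFS = {
    "envoy.type.v3.FractionalPercent": {
        "type": "object", "additionalProperties": False,
        "properties": {
            "numerator": {"type": "integer"},
            "denominator": {
                "enum": ["HUNDRED", 0, "TEN_THOUSAND", 1, "MILLION", 2],
                "oneOf": [{"type": "string"}, {"type": "integer"}]}}},
    "envoy.type.v3.Int64Range": {
        "type": "object", "additionalProperties": False,
        "properties": {"start": {"type": "string"}, "end": {"type": "string"}}},
    "envoy.type.v3.Percent": {
        "type": "object", "additionalProperties": False,
        "properties": {"value": {"type": "number"}}},
}
TYPES = {"object": dict, "string": str, "integer": int, "number": (int, float)}

def errors(schema, value, path="$"):
    """Return violation strings; an empty list means the value passes."""
    out = []
    t = schema.get("type")
    # bool is an int subclass in Python but is not a JSON number.
    if t and (not isinstance(value, TYPES[t]) or
              (t in ("integer", "number") and isinstance(value, bool))):
        return [f"{path}: expected {t}"]
    if "enum" in schema and not any(
            value == e and type(value) is type(e) for e in schema["enum"]):
        out.append(f"{path}: not in enum")
    if "oneOf" in schema and sum(
            not errors(s, value, path) for s in schema["oneOf"]) != 1:
        out.append(f"{path}: must match exactly one oneOf branch")
    if isinstance(value, dict):
        props = schema.get("properties", {})
        for key, item in value.items():
            if key in props:
                out += errors(props[key], item, f"{path}.{key}")
            elif schema.get("additionalProperties", True) is False:
                out.append(f"{path}.{key}: unknown property")
    return out

def check(name, value):
    """Validate a constructed config fragment against one named definition."""
    return errors(DEFS[name], value)

if __name__ == "__main__":
    print(check("envoy.type.v3.FractionalPercent", {"numerater": 1}))  # constructed
    print(check("envoy.type.v3.Percent", {"value": 250.0}))  # constructed
```

A clean result from a schema check is therefore a structural guarantee only; value constraints that live in the descriptions still need a separate check.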
mmizutani commented Dec 31, 2021

How to generate a JSON Schema for the Envoy config file

  1. Install development tools needed to build the Envoy project (e.g., bazelisk, ninja, etc.)

  2. Git clone and checkout this PR branch: mmizutani/envoy#1

    $ git clone https://github.com/mmizutani/envoy/pull/1
    $ cd envoy
    $ gh pr checkout 1
    $ mkdir ./schema_build
    $ mkdir ./schema_build_env

    This branch just made a slight modification to the PR "[WIP] tooling: Add jsonschema dump of API (...cont)" by phlax (Pull Request #15100, envoyproxy/envoy).

  3. Run the following script.

    $ BUILD_DIR=./schema_build \
      VENV_DIR=./schema_build_venv \
      VIRTUAL_ENV="" \
      SCHEMA_OUTPUT_DIR=generated/schema \
      GENERATED_RST_DIR=generated/rst ./docs/build-schema.sh
    INFO: Analyzed target //tools/protoschema:protoschema (0 packages loaded, 0 targets configured).
    INFO: Found 1 target...
    Target //tools/protoschema:protoschema up-to-date:
      bazel-bin/tools/protoschema/protoschema
    INFO: Elapsed time: 0.280s, Critical Path: 0.04s
    INFO: 1 process: 1 internal.
    INFO: Build completed successfully, 1 total action
    INFO: Analyzed target //tools/protoschema:protoschema (0 packages loaded, 0 targets configured).
    INFO: Found 1 target...
    Target //tools/protoschema:protoschema up-to-date:
      bazel-bin/tools/protoschema/protoschema
    INFO: Elapsed time: 0.287s, Critical Path: 0.04s
    INFO: 1 process: 1 internal.
    INFO: Build completed successfully, 1 total action
    INFO: Build completed successfully, 1 total action
    IGNORE PROTOS: /private/var/tmp/_bazel_mmizutani/aedbb9f2f72cf0228a1069a91744c709/execroot/envoy/bazel-out/darwin-fastbuild/bin/tools/protoschema/protoschema.runfiles/envoy/external/envoy_api
    IGNORE PROTOS: /private/var/tmp/_bazel_mmizutani/aedbb9f2f72cf0228a1069a91744c709/execroot/envoy/bazel-out/darwin-fastbuild/bin/tools/protoschema/protoschema.runfiles/envoy/external/envoy_api/envoy
    IGNORE PROTOS: /private/var/tmp/_bazel_mmizutani/aedbb9f2f72cf0228a1069a91744c709/execroot/envoy/bazel-out/darwin-fastbuild/bin/tools/protoschema/protoschema.runfiles/envoy/external/envoy_api/envoy/config
    IGNORE PROTOS: /private/var/tmp/_bazel_mmizutani/aedbb9f2f72cf0228a1069a91744c709/execroot/envoy/bazel-out/darwin-fastbuild/bin/tools/protoschema/protoschema.runfiles/envoy/external/envoy_api/envoy/config/metrics
    INFO[0000] Generating JSON-schema for MESSAGE            jsonschema_filename=envoy.config.metrics.v3/StatsSink.jsonschema msg_name=StatsSink proto_filename=stats.proto
    INFO[0000] Generating JSON-schema for MESSAGE            jsonschema_filename=envoy.config.metrics.v3/StatsConfig.jsonschema msg_name=StatsConfig proto_filename=stats.proto
    INFO[0000] Generating JSON-schema for MESSAGE            jsonschema_filename=envoy.config.metrics.v3/StatsMatcher.jsonschema msg_name=StatsMatcher proto_filename=stats.proto
    INFO[0000] Generating JSON-schema for MESSAGE            jsonschema_filename=envoy.config.metrics.v3/TagSpecifier.jsonschema msg_name=TagSpecifier proto_filename=stats.proto
    INFO[0000] Generating JSON-schema for MESSAGE            jsonschema_filename=envoy.config.metrics.v3/HistogramBucketSettings.jsonschema msg_name=HistogramBucketSettings proto_filename=stats.proto
    INFO[0000] Generating JSON-schema for MESSAGE            jsonschema_filename=envoy.config.metrics.v3/StatsdSink.jsonschema msg_name=StatsdSink proto_filename=stats.proto
    INFO[0000] Generating JSON-schema for MESSAGE            jsonschema_filename=envoy.config.metrics.v3/DogStatsdSink.jsonschema msg_name=DogStatsdSink proto_filename=stats.proto
    INFO[0000] Generating JSON-schema for MESSAGE            jsonschema_filename=envoy.config.metrics.v3/HystrixSink.jsonschema msg_name=HystrixSink proto_filename=stats.proto
    INFO[0000] Generating JSON-schema for MESSAGE            jsonschema_filename=envoy.config.metrics.v3/MetricsServiceConfig.jsonschema msg_name=MetricsServiceConfig proto_filename=metrics_service.proto
    ...
    INFO[0000] Generating JSON-schema for MESSAGE            jsonschema_filename=envoy.extensions.filters.http.squash.v3/Squash.jsonschema msg_name=Squash proto_filename=squash.proto
    IGNORE PROTOS: /private/var/tmp/_bazel_mmizutani/aedbb9f2f72cf0228a1069a91744c709/execroot/envoy/bazel-out/darwin-fastbuild/bin/tools/protoschema/protoschema.runfiles/envoy/external/envoy_api/contrib/envoy/extensions/filters/http/sxg
    INFO[0000] Generating JSON-schema for MESSAGE            jsonschema_filename=envoy.extensions.filters.http.sxg.v3alpha/SXG.jsonschema msg_name=SXG proto_filename=sxg.proto
    IGNORE PROTOS: /private/var/tmp/_bazel_mmizutani/aedbb9f2f72cf0228a1069a91744c709/execroot/envoy/bazel-out/darwin-fastbuild/bin/tools/protoschema/protoschema.runfiles/envoy/external/envoy_api/contrib/envoy/extensions/vcl
    INFO[0000] Generating JSON-schema for MESSAGE            jsonschema_filename=envoy.extensions.vcl.v3alpha/VclSocketInterface.jsonschema msg_name=VclSocketInterface proto_filename=vcl_socket_interface.proto
    IGNORE PROTOS: /private/var/tmp/_bazel_mmizutani/aedbb9f2f72cf0228a1069a91744c709/execroot/envoy/bazel-out/darwin-fastbuild/bin/tools/protoschema/protoschema.runfiles/envoy/external/envoy_api/contrib/envoy/extensions/private_key_providers
    IGNORE PROTOS: /private/var/tmp/_bazel_mmizutani/aedbb9f2f72cf0228a1069a91744c709/execroot/envoy/bazel-out/darwin-fastbuild/bin/tools/protoschema/protoschema.runfiles/envoy/external/envoy_api/contrib/envoy/extensions/private_key_providers/cryptomb
    INFO[0000] Generating JSON-schema for MESSAGE            jsonschema_filename=envoy.extensions.private_key_providers.cryptomb.v3alpha/CryptoMbPrivateKeyMethodConfig.jsonschema msg_name=CryptoMbPrivateKeyMethodConfig proto_filename=cryptomb.proto
    

    The generated JSON Schema file is found at ./generated/schema/envoy.schema.json

Things will be easier after this improvement PR is merged.

@hyperstripe50

Issue while following steps 1 and 2 to build schema

@mmizutani Thanks for your work on this PR. I followed your instructions, but the build fails after it seems to generate many, if not all, schemas. The failure occurs when reading the nonexistent file out/envoy.config.bootstrap.v3/Bootstrap.jsonschema. I've trimmed the beginning of the logs to reduce the noise from schema generation.

INFO[0000] Generating JSON-schema for MESSAGE            jsonschema_filename=envoy.extensions.vcl.v3alpha/VclSocketInterface.json msg_name=VclSocketInterface proto_filename=vcl_socket_interface.proto
IGNORE PROTOS: /private/var/tmp/_bazel_jona/9e37bd81067a2f683f4319ba0bd887a5/execroot/envoy/bazel-out/darwin-fastbuild/bin/tools/protoschema/protoschema.runfiles/envoy/external/envoy_api/contrib/envoy/extensions/private_key_providers
IGNORE PROTOS: /private/var/tmp/_bazel_jona/9e37bd81067a2f683f4319ba0bd887a5/execroot/envoy/bazel-out/darwin-fastbuild/bin/tools/protoschema/protoschema.runfiles/envoy/external/envoy_api/contrib/envoy/extensions/private_key_providers/cryptomb
INFO[0000] Generating JSON-schema for MESSAGE            jsonschema_filename=envoy.extensions.private_key_providers.cryptomb.v3alpha/CryptoMbPrivateKeyMethodConfig.json msg_name=CryptoMbPrivateKeyMethodConfig proto_filename=cryptomb.proto
Traceback (most recent call last):
  File "/private/var/tmp/_bazel_jona/9e37bd81067a2f683f4319ba0bd887a5/execroot/envoy/bazel-out/darwin-fastbuild/bin/tools/protoschema/protoschema.runfiles/envoy/tools/protoschema/protoschema.py", line 228, in <module>
    main()
  File "/private/var/tmp/_bazel_jona/9e37bd81067a2f683f4319ba0bd887a5/execroot/envoy/bazel-out/darwin-fastbuild/bin/tools/protoschema/protoschema.runfiles/envoy/tools/protoschema/protoschema.py", line 224, in main
    ProtoSchema().generate()
  File "/private/var/tmp/_bazel_jona/9e37bd81067a2f683f4319ba0bd887a5/execroot/envoy/bazel-out/darwin-fastbuild/bin/tools/protoschema/protoschema.runfiles/envoy/tools/protoschema/protoschema.py", line 218, in generate
    self.mangle_jsonschema()
  File "/private/var/tmp/_bazel_jona/9e37bd81067a2f683f4319ba0bd887a5/execroot/envoy/bazel-out/darwin-fastbuild/bin/tools/protoschema/protoschema.runfiles/envoy/tools/protoschema/protoschema.py", line 204, in mangle_jsonschema
    ProtoSchemaMangler(
  File "/private/var/tmp/_bazel_jona/9e37bd81067a2f683f4319ba0bd887a5/execroot/envoy/bazel-out/darwin-fastbuild/bin/tools/protoschema/protoschema.runfiles/envoy/tools/protoschema/protoschema.py", line 129, in mangle
    self.recurse_keys(self.bootstrap_schema, self.out)
  File "/private/var/tmp/_bazel_jona/9e37bd81067a2f683f4319ba0bd887a5/execroot/envoy/bazel-out/darwin-fastbuild/bin/tools/protoschema/protoschema.runfiles/envoy/tools/protoschema/protoschema.py", line 33, in bootstrap_schema
    return self.parse_schema(
  File "/private/var/tmp/_bazel_jona/9e37bd81067a2f683f4319ba0bd887a5/execroot/envoy/bazel-out/darwin-fastbuild/bin/tools/protoschema/protoschema.runfiles/envoy/tools/protoschema/protoschema.py", line 166, in parse_schema
    with open(target) as f:
FileNotFoundError: [Errno 2] No such file or directory: 'out/envoy.config.bootstrap.v3/Bootstrap.jsonschema'

Steps to Reproduce

  1. Clone the PR

    $ git clone https://github.com/mmizutani/envoy # I think that step 1.1 had a typo so I removed the appended "/pull/1"
    $ cd envoy
    $ gh pr checkout 1
    $ mkdir ./schema_build
    $ mkdir ./schema_build_env

  2. Run the Script

    $ BUILD_DIR=./schema_build \
      VENV_DIR=./schema_build_venv \
      VIRTUAL_ENV="" \
      SCHEMA_OUTPUT_DIR=generated/schema \
      GENERATED_RST_DIR=generated/rst ./docs/build-schema.sh

Do you have any suggestions?
