
@oleksiyp
Created November 6, 2020 08:21
Envoy 1.16.0 schema
{
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"node": {
"properties": {
"id": {
"type": "string",
"description": "An opaque node identifier for the Envoy node. This also provides the local\n service node name. It should be set if any of the following features are\n used: :ref:`statsd \u003carch_overview_statistics\u003e`, :ref:`CDS\n \u003cconfig_cluster_manager_cds\u003e`, and :ref:`HTTP tracing\n \u003carch_overview_tracing\u003e`, either in this message or via\n :option:`--service-node`."
},
"cluster": {
"type": "string",
"description": "Defines the local service cluster name where Envoy is running. Though\n optional, it should be set if any of the following features are used:\n :ref:`statsd \u003carch_overview_statistics\u003e`, :ref:`health check cluster\n verification\n \u003cenvoy_api_field_config.core.v3.HealthCheck.HttpHealthCheck.service_name_matcher\u003e`,\n :ref:`runtime override directory \u003cenvoy_api_msg_config.bootstrap.v3.Runtime\u003e`,\n :ref:`user agent addition\n \u003cenvoy_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.add_user_agent\u003e`,\n :ref:`HTTP global rate limiting \u003cconfig_http_filters_rate_limit\u003e`,\n :ref:`CDS \u003cconfig_cluster_manager_cds\u003e`, and :ref:`HTTP tracing\n \u003carch_overview_tracing\u003e`, either in this message or via\n :option:`--service-cluster`."
},
"metadata": {
"properties": {
"fields": {
"additionalProperties": {
"oneOf": [
{
"type": "null"
},
{
"type": "object"
}
]
},
"type": "object",
"description": "Unordered map of dynamically typed values."
}
},
"additionalProperties": true,
"type": "object",
"description": "Opaque metadata extending the node identifier. Envoy will pass this\n directly to the management server."
},
"locality": {
"$ref": "envoy.config.core.v3.Locality",
"additionalProperties": true,
"type": "object",
"description": "Locality specifying where the Envoy instance is running."
},
"user_agent_name": {
"type": "string",
"description": "Free-form string that identifies the entity requesting config.\n E.g. \"envoy\" or \"grpc\""
},
"user_agent_version": {
"type": "string",
"description": "Free-form string that identifies the version of the entity requesting config.\n E.g. \"1.12.2\" or \"abcd1234\", or \"SpecialEnvoyBuild\""
},
"user_agent_build_version": {
"$ref": "envoy.config.core.v3.BuildVersion",
"additionalProperties": true,
"type": "object",
"description": "Structured version of the entity requesting config."
},
"extensions": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "This is the name of the Envoy filter as specified in the Envoy\n configuration, e.g. envoy.filters.http.router, com.acme.widget."
},
"category": {
"type": "string",
"description": "Category of the extension.\n Extension category names use reverse DNS notation. For instance \"envoy.filters.listener\"\n for Envoy's built-in listener filters or \"com.acme.filters.http\" for HTTP filters from\n acme.com vendor.\n [#comment:TODO(yanavlasov): Link to the doc with existing envoy category names.]"
},
"type_descriptor": {
"type": "string",
"description": "[#not-implemented-hide:] Type descriptor of extension configuration proto.\n [#comment:TODO(yanavlasov): Link to the doc with existing configuration protos.]\n [#comment:TODO(yanavlasov): Add tests when PR #9391 lands.]"
},
"version": {
"$ref": "envoy.config.core.v3.BuildVersion",
"additionalProperties": true,
"type": "object",
"description": "The version is a property of the extension and maintained independently\n of other extensions and the Envoy API.\n This field is not set when extension did not provide version information."
},
"disabled": {
"type": "boolean",
"description": "Indicates that the extension is present but was disabled via dynamic configuration."
}
},
"additionalProperties": true,
"type": "object",
"description": "Version and identification for an Envoy extension.\n [#next-free-field: 6]"
},
"type": "array",
"description": "List of extensions and their versions supported by the node."
},
"client_features": {
"items": {
"type": "string"
},
"type": "array",
"description": "Client feature support list. These are well known features described\n in the Envoy API repository for a given major version of an API. Client features\n use reverse DNS naming scheme, for example `com.acme.feature`.\n See :ref:`the list of features \u003cclient_features\u003e` that xDS client may\n support."
},
"listening_addresses": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "envoy.config.core.v3.Address"
},
"type": "array",
"description": "Known listening ports on the node as a generic hint to the management server\n for filtering :ref:`listeners \u003cconfig_listeners\u003e` to be returned. For example,\n if there is a listener bound to port 80, the list can optionally contain the\n SocketAddress `(0.0.0.0,80)`. The field is optional and just a hint."
}
},
"additionalProperties": true,
"type": "object",
"description": "Node identity to present to the management server and for instance\n identification purposes (e.g. in generated headers)."
},
"node_context_params": {
"items": {
"type": "string"
},
"type": "array",
"description": "A list of :ref:`Node \u003cenvoy_v3_api_msg_config.core.v3.Node\u003e` field names\n that will be included in the context parameters of the effective\n *UdpaResourceLocator* that is sent in a discovery request when resource\n locators are used for LDS/CDS. Any non-string field will have its JSON\n encoding set as the context parameter value, with the exception of\n metadata, which will be flattened (see example below). The supported field\n names are:\n - \"cluster\"\n - \"id\"\n - \"locality.region\"\n - \"locality.sub_zone\"\n - \"locality.zone\"\n - \"metadata\"\n - \"user_agent_build_version.metadata\"\n - \"user_agent_build_version.version\"\n - \"user_agent_name\"\n - \"user_agent_version\"\n\n The node context parameters act as a base layer dictionary for the context\n parameters (i.e. more specific resource specific context parameters will\n override). Field names will be prefixed with “udpa.node.” when included in\n context parameters.\n\n For example, if node_context_params is ``[\"user_agent_name\", \"metadata\"]``,\n the implied context parameters might be::\n\n node.user_agent_name: \"envoy\"\n node.metadata.foo: \"{\\\"bar\\\": \\\"baz\\\"}\"\n node.metadata.some: \"42\"\n node.metadata.thing: \"\\\"thing\\\"\"\n\n [#not-implemented-hide:]"
},
"static_resources": {
"properties": {
"listeners": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "The unique name by which this listener is known. If no name is provided,\n Envoy will allocate an internal UUID for the listener. If the listener is to be dynamically\n updated or removed via :ref:`LDS \u003cconfig_listeners_lds\u003e` a unique name must be provided."
},
"address": {
"$ref": "envoy.config.core.v3.Address",
"additionalProperties": true,
"type": "object",
"description": "The address that the listener should listen on. In general, the address must be unique, though\n that is governed by the bind rules of the OS. E.g., multiple listeners can listen on port 0 on\n Linux as the actual port will be allocated by the OS."
},
"filter_chains": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"filter_chain_match": {
"properties": {
"destination_port": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"prefix_ranges": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "envoy.config.core.v3.CidrRange"
},
"type": "array",
"description": "If non-empty, an IP address and prefix length to match addresses when the\n listener is bound to 0.0.0.0/:: or when use_original_dst is specified."
},
"address_suffix": {
"type": "string",
"description": "If non-empty, an IP address and suffix length to match addresses when the\n listener is bound to 0.0.0.0/:: or when use_original_dst is specified.\n [#not-implemented-hide:]"
},
"suffix_len": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"source_type": {
"enum": [
"ANY",
0,
"SAME_IP_OR_LOOPBACK",
1,
"EXTERNAL",
2
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "Specifies the connection source IP match type. Can be any, local or external network."
},
"source_prefix_ranges": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "envoy.config.core.v3.CidrRange"
},
"type": "array",
"description": "The criteria is satisfied if the source IP address of the downstream\n connection is contained in at least one of the specified subnets. If the\n parameter is not specified or the list is empty, the source IP address is\n ignored."
},
"source_ports": {
"items": {
"type": "integer"
},
"type": "array",
"description": "The criteria is satisfied if the source port of the downstream connection\n is contained in at least one of the specified ports. If the parameter is\n not specified, the source port is ignored."
},
"server_names": {
"items": {
"type": "string"
},
"type": "array",
"description": "If non-empty, a list of server names (e.g. SNI for TLS protocol) to consider when determining\n a filter chain match. Those values will be compared against the server names of a new\n connection, when detected by one of the listener filters.\n\n The server name will be matched against all wildcard domains, i.e. ``www.example.com``\n will be first matched against ``www.example.com``, then ``*.example.com``, then ``*.com``.\n\n Note that partial wildcards are not supported, and values like ``*w.example.com`` are invalid.\n\n .. attention::\n\n See the :ref:`FAQ entry \u003cfaq_how_to_setup_sni\u003e` on how to configure SNI for more\n information."
},
"transport_protocol": {
"type": "string",
"description": "If non-empty, a transport protocol to consider when determining a filter chain match.\n This value will be compared against the transport protocol of a new connection, when\n it's detected by one of the listener filters.\n\n Suggested values include:\n\n * ``raw_buffer`` - default, used when no transport protocol is detected,\n * ``tls`` - set by :ref:`envoy.filters.listener.tls_inspector \u003cconfig_listener_filters_tls_inspector\u003e`\n when TLS protocol is detected."
},
"application_protocols": {
"items": {
"type": "string"
},
"type": "array",
"description": "If non-empty, a list of application protocols (e.g. ALPN for TLS protocol) to consider when\n determining a filter chain match. Those values will be compared against the application\n protocols of a new connection, when detected by one of the listener filters.\n\n Suggested values include:\n\n * ``http/1.1`` - set by :ref:`envoy.filters.listener.tls_inspector\n \u003cconfig_listener_filters_tls_inspector\u003e`,\n * ``h2`` - set by :ref:`envoy.filters.listener.tls_inspector \u003cconfig_listener_filters_tls_inspector\u003e`\n\n .. attention::\n\n Currently, only :ref:`TLS Inspector \u003cconfig_listener_filters_tls_inspector\u003e` provides\n application protocol detection based on the requested\n `ALPN \u003chttps://en.wikipedia.org/wiki/Application-Layer_Protocol_Negotiation\u003e`_ values.\n\n However, the use of ALPN is pretty much limited to the HTTP/2 traffic on the Internet,\n and matching on values other than ``h2`` is going to lead to a lot of false negatives,\n unless all connecting clients are known to use ALPN."
}
},
"additionalProperties": true,
"type": "object",
"description": "The criteria to use when matching a connection to this filter chain."
},
"filters": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "The name of the filter to instantiate. The name must match a\n :ref:`supported filter \u003cconfig_network_filters\u003e`."
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type."
}
},
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": true,
"type": "object",
"description": "[#protodoc-title: Listener components]\n Listener :ref:`configuration overview \u003cconfig_listeners\u003e`"
},
"type": "array",
"description": "A list of individual network filters that make up the filter chain for\n connections established with the listener. Order matters as the filters are\n processed sequentially as connection events happen. Note: If the filter\n list is empty, the connection will close by default."
},
"use_proxy_proto": {
"oneOf": [
{
"type": "null"
},
{
"type": "boolean"
}
]
},
"metadata": {
"$ref": "envoy.config.core.v3.Metadata",
"additionalProperties": true,
"type": "object",
"description": "[#not-implemented-hide:] filter chain metadata."
},
"transport_socket": {
"$ref": "envoy.config.core.v3.TransportSocket",
"additionalProperties": true,
"type": "object",
"description": "Optional custom transport socket implementation to use for downstream connections.\n To setup TLS, set a transport socket with name `tls` and\n :ref:`DownstreamTlsContext \u003cenvoy_api_msg_extensions.transport_sockets.tls.v3.DownstreamTlsContext\u003e` in the `typed_config`.\n If no transport socket configuration is specified, new connections\n will be set up with plaintext."
},
"name": {
"type": "string",
"description": "[#not-implemented-hide:] The unique name (or empty) by which this filter chain is known. If no\n name is provided, Envoy will allocate an internal UUID for the filter chain. If the filter\n chain is to be dynamically updated or removed via FCDS a unique name must be provided."
},
"on_demand_configuration": {
"properties": {
"rebuild_timeout": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The timeout to wait for filter chain placeholders to complete rebuilding.\n 1. If this field is set to 0, timeout is disabled.\n 2. If not specified, a default timeout of 15s is used.\n Rebuilding will wait until dependencies are ready, have failed, or this timeout is reached.\n Upon failure or timeout, all connections related to this filter chain will be closed.\n Rebuilding will start again on the next new connection."
}
},
"additionalProperties": true,
"type": "object",
"description": "[#not-implemented-hide:] The configuration to specify whether the filter chain will be built on-demand.\n If this field is not empty, the filter chain will be built on-demand.\n Otherwise, the filter chain will be built normally and block listener warming."
}
},
"additionalProperties": true,
"type": "object",
"description": "A filter chain wraps a set of match criteria, an optional TLS context, a set of filters, and\n various other parameters.\n [#next-free-field: 9]"
},
"type": "array",
"description": "A list of filter chains to consider for this listener. The\n :ref:`FilterChain \u003cenvoy_api_msg_config.listener.v3.FilterChain\u003e` with the most specific\n :ref:`FilterChainMatch \u003cenvoy_api_msg_config.listener.v3.FilterChainMatch\u003e` criteria is used on a\n connection.\n\n Example using SNI for filter chain selection can be found in the\n :ref:`FAQ entry \u003cfaq_how_to_setup_sni\u003e`."
},
"per_connection_buffer_limit_bytes": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"metadata": {
"$ref": "envoy.config.core.v3.Metadata",
"additionalProperties": true,
"type": "object",
"description": "Listener metadata."
},
"deprecated_v1": {
"properties": {
"bind_to_port": {
"oneOf": [
{
"type": "null"
},
{
"type": "boolean"
}
]
}
},
"additionalProperties": true,
"type": "object",
"description": "[#not-implemented-hide:]"
},
"drain_type": {
"enum": [
"DEFAULT",
0,
"MODIFY_ONLY",
1
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "The type of draining to perform at a listener-wide level."
},
"listener_filters": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "The name of the filter to instantiate. The name must match a\n :ref:`supported filter \u003cconfig_listener_filters\u003e`."
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type."
}
},
"additionalProperties": true,
"type": "object"
},
"filter_disabled": {
"$ref": "envoy.config.listener.v3.ListenerFilterChainMatchPredicate",
"additionalProperties": true,
"type": "object",
"description": "Optional match predicate used to disable the filter. The filter is enabled when this field is empty.\n See :ref:`ListenerFilterChainMatchPredicate \u003cenvoy_api_msg_config.listener.v3.ListenerFilterChainMatchPredicate\u003e`\n for further examples."
}
},
"additionalProperties": true,
"type": "object"
},
"type": "array",
"description": "Listener filters have the opportunity to manipulate and augment the connection metadata that\n is used in connection filter chain matching, for example. These filters are run before any in\n :ref:`filter_chains \u003cenvoy_api_field_config.listener.v3.Listener.filter_chains\u003e`. Order matters as the\n filters are processed sequentially right after a socket has been accepted by the listener, and\n before a connection is created.\n UDP Listener filters can be specified when the protocol in the listener socket address in\n :ref:`protocol \u003cenvoy_api_field_config.core.v3.SocketAddress.protocol\u003e` is :ref:`UDP\n \u003cenvoy_api_enum_value_config.core.v3.SocketAddress.Protocol.UDP\u003e`.\n UDP listeners currently support a single filter."
},
"listener_filters_timeout": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The timeout to wait for all listener filters to complete operation. If the timeout is reached,\n the accepted socket is closed without a connection being created unless\n `continue_on_listener_filters_timeout` is set to true. Specify 0 to disable the\n timeout. If not specified, a default timeout of 15s is used."
},
"continue_on_listener_filters_timeout": {
"type": "boolean",
"description": "Whether a connection should be created when listener filters time out. Default is false.\n\n .. attention::\n\n Some listener filters, such as :ref:`Proxy Protocol filter\n \u003cconfig_listener_filters_proxy_protocol\u003e`, should not be used with this option. It will cause\n unexpected behavior when a connection is created."
},
"transparent": {
"oneOf": [
{
"type": "null"
},
{
"type": "boolean"
}
]
},
"freebind": {
"oneOf": [
{
"type": "null"
},
{
"type": "boolean"
}
]
},
"socket_options": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "envoy.config.core.v3.SocketOption"
},
"type": "array",
"description": "Additional socket options that may not be present in Envoy source code or\n precompiled binaries."
},
"tcp_fast_open_queue_length": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"traffic_direction": {
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "Specifies the intended direction of the traffic relative to the local Envoy."
},
"udp_listener_config": {
"properties": {
"udp_listener_name": {
"type": "string",
"description": "Used to look up UDP listener factory, matches \"raw_udp_listener\" or\n \"quic_listener\" to create a specific udp listener.\n If not specified, treat as \"raw_udp_listener\"."
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type."
}
},
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": true,
"type": "object",
"description": "If the protocol in the listener socket address in :ref:`protocol\n \u003cenvoy_api_field_config.core.v3.SocketAddress.protocol\u003e` is :ref:`UDP\n \u003cenvoy_api_enum_value_config.core.v3.SocketAddress.Protocol.UDP\u003e`, this field specifies the actual udp\n listener to create, i.e. :ref:`udp_listener_name\n \u003cenvoy_api_field_config.listener.v3.UdpListenerConfig.udp_listener_name\u003e` = \"raw_udp_listener\" for\n creating a packet-oriented UDP listener. If not present, treat it as \"raw_udp_listener\"."
},
"api_listener": {
"properties": {
"api_listener": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type."
}
},
"additionalProperties": true,
"type": "object",
"description": "The type in this field determines the type of API listener. At present, the following\n types are supported:\n envoy.config.filter.network.http_connection_manager.v2.HttpConnectionManager (HTTP)\n [#next-major-version: In the v3 API, replace this Any field with a oneof containing the\n specific config message for each type of API listener. We could not do this in v2 because\n it would have caused circular dependencies for go protos: lds.proto depends on this file,\n and http_connection_manager.proto depends on rds.proto, which is in the same directory as\n lds.proto, so lds.proto cannot depend on this file.]"
}
},
"additionalProperties": true,
"type": "object",
"description": "Used to represent an API listener, which is used in non-proxy clients. The type of API\n exposed to the non-proxy application depends on the type of API listener.\n When this field is set, no other field except for :ref:`name\u003cenvoy_api_field_config.listener.v3.Listener.name\u003e`\n should be set.\n\n .. note::\n\n Currently only one ApiListener can be installed; and it can only be done via bootstrap config,\n not LDS.\n\n [#next-major-version: In the v3 API, instead of this messy approach where the socket\n listener fields are directly in the top-level Listener message and the API listener types\n are in the ApiListener message, the socket listener messages should be in their own message,\n and the top-level Listener should essentially be a oneof that selects between the\n socket listener and the various types of API listener. That way, a given Listener message\n can structurally only contain the fields of the relevant type.]"
},
"connection_balance_config": {
"properties": {
"exact_balance": {
"additionalProperties": true,
"type": "object",
"description": "If specified, the listener will use the exact connection balancer."
}
},
"additionalProperties": true,
"type": "object",
"description": "The listener's connection balancer configuration, currently only applicable to TCP listeners.\n If no configuration is specified, Envoy will not attempt to balance active connections between\n worker threads."
},
"reuse_port": {
"type": "boolean",
"description": "When this flag is set to true, listeners set the *SO_REUSEPORT* socket option and\n create one socket for each worker thread. This makes inbound connections\n distribute among worker threads roughly evenly in cases where there are a high number\n of connections. When this flag is set to false, all worker threads share one socket.\n\n Before Linux v4.19-rc1, new TCP connections may be rejected during hot restart\n (see `3rd paragraph in 'soreuseport' commit message\n \u003chttps://github.com/torvalds/linux/commit/c617f398edd4db2b8567a28e89\u003e`_).\n This issue was fixed by `tcp: Avoid TCP syncookie rejected by SO_REUSEPORT socket\n \u003chttps://github.com/torvalds/linux/commit/40a1227ea845a37ab197dd1caffb60b047fa36b1\u003e`_."
},
"access_log": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "The name of the access log implementation to instantiate. The name must\n match a statically registered access log. Current built-in loggers include:\n\n #. \"envoy.access_loggers.file\"\n #. \"envoy.access_loggers.http_grpc\"\n #. \"envoy.access_loggers.tcp_grpc\""
},
"filter": {
"$ref": "envoy.config.accesslog.v3.AccessLogFilter",
"additionalProperties": true,
"type": "object",
"description": "Filter which is used to determine if the access log needs to be written."
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type."
}
},
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": true,
"type": "object",
"description": "[#protodoc-title: Common access log types]"
},
"type": "array",
"description": "Configuration for :ref:`access logs \u003carch_overview_access_logs\u003e`\n emitted by this listener."
},
"udp_writer_config": {
"$ref": "envoy.config.core.v3.TypedExtensionConfig",
"additionalProperties": true,
"type": "object",
"description": "If the protocol in the listener socket address in :ref:`protocol\n \u003cenvoy_api_field_config.core.v3.SocketAddress.protocol\u003e` is :ref:`UDP\n \u003cenvoy_api_enum_value_config.core.v3.SocketAddress.Protocol.UDP\u003e`, this field specifies the actual udp\n writer to create, i.e. :ref:`name \u003cenvoy_api_field_config.core.v3.TypedExtensionConfig.name\u003e`\n = \"udp_default_writer\" for creating a udp writer with writing in passthrough mode,\n = \"udp_gso_batch_writer\" for creating a udp writer with writing in batch mode.\n If not present, treat it as \"udp_default_writer\".\n [#not-implemented-hide:]"
},
"tcp_backlog_size": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
}
},
"additionalProperties": true,
"type": "object",
"description": "[#next-free-field: 25]"
},
"type": "array",
"description": "Static :ref:`Listeners \u003cenvoy_api_msg_config.listener.v3.Listener\u003e`. These listeners are\n available regardless of LDS configuration."
},
"clusters": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"transport_socket_matches": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "The name of the match, used in stats generation."
},
"match": {
"properties": {
"fields": {
"additionalProperties": {
"oneOf": [
{
"type": "null"
},
{
"type": "object"
}
]
},
"type": "object",
"description": "Unordered map of dynamically typed values."
}
},
"additionalProperties": true,
"type": "object",
"description": "Optional endpoint metadata match criteria.\n The connection to the endpoint with metadata matching what is set in this field\n will use the transport socket configuration specified here.\n The endpoint's metadata entry in *envoy.transport_socket_match* is used to match\n against the values specified in this field."
},
"transport_socket": {
"$ref": "envoy.config.core.v3.TransportSocket",
"additionalProperties": true,
"type": "object",
"description": "The configuration of the transport socket."
}
},
"additionalProperties": true,
"type": "object",
"description": "TransportSocketMatch specifies what transport socket config will be used\n when the match conditions are satisfied."
},
"type": "array",
"description": "Configuration to use different transport sockets for different endpoints.\n The entry of *envoy.transport_socket_match* in the\n :ref:`LbEndpoint.Metadata \u003cenvoy_api_field_config.endpoint.v3.LbEndpoint.metadata\u003e`\n is used to match against the transport sockets as they appear in the list. The first\n :ref:`match \u003cenvoy_api_msg_config.cluster.v3.Cluster.TransportSocketMatch\u003e` is used.\n For example, with the following match\n\n .. code-block:: yaml\n\n transport_socket_matches:\n - name: \"enableMTLS\"\n match:\n acceptMTLS: true\n transport_socket:\n name: envoy.transport_sockets.tls\n config: { ... } # tls socket configuration\n - name: \"defaultToPlaintext\"\n match: {}\n transport_socket:\n name: envoy.transport_sockets.raw_buffer\n\n Connections to the endpoints whose metadata value under *envoy.transport_socket_match*\n has the \"acceptMTLS\"/\"true\" key/value pair use the \"enableMTLS\" socket configuration.\n\n If a :ref:`socket match \u003cenvoy_api_msg_config.cluster.v3.Cluster.TransportSocketMatch\u003e` with empty match\n criteria is provided, it always matches any endpoint. For example, the \"defaultToPlaintext\"\n socket match in the case above.\n\n If an endpoint metadata's value under *envoy.transport_socket_match* does not match any\n *TransportSocketMatch*, socket configuration falls back to the *tls_context* or\n *transport_socket* specified in this cluster.\n\n This field allows gradual and flexible transport socket configuration changes.\n\n The metadata of endpoints in EDS can indicate transport socket capabilities. For example,\n an endpoint's metadata can have two key value pairs as \"acceptMTLS\": \"true\",\n \"acceptPlaintext\": \"true\". Other endpoints, accepting only plaintext traffic,\n have \"acceptPlaintext\": \"true\" metadata information.\n\n Then the xDS server can configure the CDS to a client, Envoy A, to send mutual TLS\n traffic for endpoints with \"acceptMTLS\": \"true\", by adding a corresponding\n *TransportSocketMatch* in this field. Other client Envoys receive CDS without\n *transport_socket_match* set, and still send plain text traffic to the same cluster.\n\n This field can be used to specify custom transport socket configurations for health\n checks by adding matching key/value pairs in a health check's\n :ref:`transport socket match criteria \u003cenvoy_api_field_config.core.v3.HealthCheck.transport_socket_match_criteria\u003e` field.\n\n [#comment:TODO(incfly): add a detailed architecture doc on intended usage.]"
},
"name": {
"type": "string",
"description": "Supplies the name of the cluster which must be unique across all clusters.\n The cluster name is used when emitting\n :ref:`statistics \u003cconfig_cluster_manager_cluster_stats\u003e` if :ref:`alt_stat_name\n \u003cenvoy_api_field_config.cluster.v3.Cluster.alt_stat_name\u003e` is not provided.\n Any ``:`` in the cluster name will be converted to ``_`` when emitting statistics."
},
"alt_stat_name": {
"type": "string",
"description": "An optional alternative to the cluster name to be used while emitting stats.\n Any ``:`` in the name will be converted to ``_`` when emitting statistics. This should not be\n confused with :ref:`Router Filter Header\n \u003cconfig_http_filters_router_x-envoy-upstream-alt-stat-name\u003e`."
},
"type": {
"enum": [
"STATIC",
0,
"STRICT_DNS",
1,
"LOGICAL_DNS",
2,
"EDS",
3,
"ORIGINAL_DST",
4
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "The :ref:`service discovery type \u003carch_overview_service_discovery_types\u003e`\n to use for resolving the cluster."
},
"cluster_type": {
"properties": {
"name": {
"type": "string",
"description": "The type of the cluster to instantiate. The name must match a supported cluster type."
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type."
}
},
"additionalProperties": true,
"type": "object",
"description": "Cluster specific configuration which depends on the cluster being instantiated.\n See the supported cluster for further documentation."
}
},
"additionalProperties": true,
"type": "object",
"description": "The custom cluster type."
},
"eds_cluster_config": {
"properties": {
"eds_config": {
"$ref": "envoy.config.core.v3.ConfigSource",
"additionalProperties": true,
"type": "object",
"description": "Configuration for the source of EDS updates for this Cluster."
},
"service_name": {
"type": "string",
"description": "Optional alternative to cluster name to present to EDS. This does not\n have the same restrictions as cluster name, i.e. it may be arbitrary\n length."
},
"eds_resource_locator": {
"$ref": "udpa.core.v1.ResourceLocator",
"additionalProperties": true,
"type": "object",
"description": "Resource locator for EDS. This is mutually exclusive to *service_name*.\n [#not-implemented-hide:]"
}
},
"additionalProperties": true,
"type": "object",
"description": "Configuration to use for EDS updates for the Cluster."
},
"connect_timeout": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The timeout for new network connections to hosts in the cluster."
},
"per_connection_buffer_limit_bytes": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"lb_policy": {
"enum": [
"ROUND_ROBIN",
0,
"LEAST_REQUEST",
1,
"RING_HASH",
2,
"RANDOM",
3,
"MAGLEV",
5,
"CLUSTER_PROVIDED",
6,
"LOAD_BALANCING_POLICY_CONFIG",
7
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "The :ref:`load balancer type \u003carch_overview_load_balancing_types\u003e` to use\n when picking a host in the cluster.\n [#comment:TODO: Remove enum constraint :ref:`LOAD_BALANCING_POLICY_CONFIG\u003cenvoy_api_enum_value_config.cluster.v3.Cluster.LbPolicy.LOAD_BALANCING_POLICY_CONFIG\u003e` when implemented.]"
},
"load_assignment": {
"properties": {
"cluster_name": {
"type": "string",
"description": "Name of the cluster. This will be the :ref:`service_name\n \u003cenvoy_api_field_config.cluster.v3.Cluster.EdsClusterConfig.service_name\u003e` value if specified\n in the cluster :ref:`EdsClusterConfig\n \u003cenvoy_api_msg_config.cluster.v3.Cluster.EdsClusterConfig\u003e`."
},
"endpoints": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"locality": {
"$ref": "envoy.config.core.v3.Locality",
"additionalProperties": true,
"type": "object",
"description": "Identifies location of where the upstream hosts run."
},
"lb_endpoints": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"endpoint": {
"$ref": "envoy.config.endpoint.v3.Endpoint",
"additionalProperties": true,
"type": "object"
},
"endpoint_name": {
"type": "string",
"description": "[#not-implemented-hide:]"
},
"health_status": {
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "Optional health status when known and supplied by EDS server."
},
"metadata": {
"$ref": "envoy.config.core.v3.Metadata",
"additionalProperties": true,
"type": "object",
"description": "The endpoint metadata specifies values that may be used by the load\n balancer to select endpoints in a cluster for a given request. The filter\n name should be specified as *envoy.lb*. An example boolean key-value pair\n is *canary*, providing the optional canary status of the upstream host.\n This may be matched against in a route's\n :ref:`RouteAction \u003cenvoy_api_msg_config.route.v3.RouteAction\u003e` metadata_match field\n to subset the endpoints considered in cluster load balancing."
},
"load_balancing_weight": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
}
},
"additionalProperties": true,
"type": "object",
"description": "An Endpoint that Envoy can route traffic to.\n [#next-free-field: 6]"
},
"type": "array",
"description": "The group of endpoints belonging to the locality specified."
},
"load_balancing_weight": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"priority": {
"type": "integer",
"description": "Optional: the priority for this LocalityLbEndpoints. If unspecified this will\n default to the highest priority (0).\n\n Under usual circumstances, Envoy will only select endpoints for the highest\n priority (0). In the event all endpoints for a particular priority are\n unavailable/unhealthy, Envoy will fail over to selecting endpoints for the\n next highest priority group.\n\n Priorities should range from 0 (highest) to N (lowest) without skipping."
},
"proximity": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
}
},
"additionalProperties": true,
"type": "object",
"description": "A group of endpoints belonging to a Locality.\n One can have multiple LocalityLbEndpoints for a locality, but this is\n generally only done if the different groups need to have different load\n balancing weights or different priorities.\n [#next-free-field: 7]"
},
"type": "array",
"description": "List of endpoints to load balance to."
},
"named_endpoints": {
"additionalProperties": {
"$ref": "envoy.config.endpoint.v3.Endpoint",
"additionalProperties": true,
"type": "object"
},
"type": "object",
"description": "Map of named endpoints that can be referenced in LocalityLbEndpoints.\n [#not-implemented-hide:]"
},
"policy": {
"properties": {
"drop_overloads": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"category": {
"type": "string",
"description": "Identifier for the policy specifying the drop."
},
"drop_percentage": {
"$ref": "envoy.type.v3.FractionalPercent",
"additionalProperties": true,
"type": "object",
"description": "Percentage of traffic that should be dropped for the category."
}
},
"additionalProperties": true,
"type": "object",
"description": "[#not-implemented-hide:]"
},
"type": "array",
"description": "Action to trim the overall incoming traffic to protect the upstream\n hosts. This action allows protection in case the hosts are unable to\n recover from an outage, or unable to autoscale or unable to handle\n incoming traffic volume for any reason.\n\n At the client each category is applied one after the other to generate\n the 'actual' drop percentage on all outgoing traffic. For example:\n\n .. code-block:: json\n\n { \"drop_overloads\": [\n { \"category\": \"throttle\", \"drop_percentage\": 60 },\n { \"category\": \"lb\", \"drop_percentage\": 50 }\n ]}\n\n The actual drop percentages applied to the traffic at the clients will be\n \"throttle\"_drop = 60%\n \"lb\"_drop = 20% // 50% of the remaining 'actual' load, which is 40%.\n actual_outgoing_load = 20% // remaining after applying all categories.\n [#not-implemented-hide:]"
},
"overprovisioning_factor": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"endpoint_stale_after": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The max time until which the endpoints from this assignment can be used.\n If no new assignments are received before this time expires the endpoints\n are considered stale and should be marked unhealthy.\n Defaults to 0 which means endpoints never go stale."
}
},
"additionalProperties": true,
"type": "object",
"description": "Load balancing policy settings."
}
},
"additionalProperties": true,
"type": "object",
"description": "Setting this is required for specifying members of\n :ref:`STATIC\u003cenvoy_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STATIC\u003e`,\n :ref:`STRICT_DNS\u003cenvoy_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS\u003e`\n or :ref:`LOGICAL_DNS\u003cenvoy_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS\u003e` clusters.\n This field supersedes the *hosts* field in the v2 API.\n\n .. attention::\n\n Setting this allows non-EDS cluster types to contain embedded EDS equivalent\n :ref:`endpoint assignments\u003cenvoy_api_msg_config.endpoint.v3.ClusterLoadAssignment\u003e`."
},
"health_checks": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"timeout": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The time to wait for a health check response. If the timeout is reached the\n health check attempt will be considered a failure."
},
"interval": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The interval between health checks."
},
"initial_jitter": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "An optional jitter amount in milliseconds. If specified, Envoy will start health\n checking after a random time in ms between 0 and initial_jitter. This only\n applies to the first health check."
},
"interval_jitter": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "An optional jitter amount in milliseconds. If specified, during every\n interval Envoy will add interval_jitter to the wait time."
},
"interval_jitter_percent": {
"type": "integer",
"description": "An optional jitter amount as a percentage of interval_ms. If specified,\n during every interval Envoy will add interval_ms *\n interval_jitter_percent / 100 to the wait time.\n\n If interval_jitter_ms and interval_jitter_percent are both set, both of\n them will be used to increase the wait time."
},
"unhealthy_threshold": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"healthy_threshold": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"alt_port": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"reuse_connection": {
"oneOf": [
{
"type": "null"
},
{
"type": "boolean"
}
]
},
"http_health_check": {
"properties": {
"host": {
"type": "string",
"description": "The value of the host header in the HTTP health check request. If\n left empty (default value), the name of the cluster this health check is associated\n with will be used. The host header can be customized for a specific endpoint by setting the\n :ref:`hostname \u003cenvoy_api_field_config.endpoint.v3.Endpoint.HealthCheckConfig.hostname\u003e` field."
},
"path": {
"type": "string",
"description": "Specifies the HTTP path that will be requested during health checking. For example\n */healthcheck*."
},
"send": {
"$ref": "envoy.config.core.v3.HealthCheck.Payload",
"additionalProperties": true,
"type": "object",
"description": "[#not-implemented-hide:] HTTP specific payload."
},
"receive": {
"$ref": "envoy.config.core.v3.HealthCheck.Payload",
"additionalProperties": true,
"type": "object",
"description": "[#not-implemented-hide:] HTTP specific response."
},
"request_headers_to_add": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"header": {
"$ref": "envoy.config.core.v3.HeaderValue",
"additionalProperties": true,
"type": "object",
"description": "Header name/value pair that this option applies to."
},
"append": {
"oneOf": [
{
"type": "null"
},
{
"type": "boolean"
}
]
}
},
"additionalProperties": true,
"type": "object",
"description": "Header name/value pair plus option to control append behavior."
},
"type": "array",
"description": "Specifies a list of HTTP headers that should be added to each request that is sent to the\n health checked cluster. For more information, including details on header value syntax, see\n the documentation on :ref:`custom request headers\n \u003cconfig_http_conn_man_headers_custom_request_headers\u003e`."
},
"request_headers_to_remove": {
"items": {
"type": "string"
},
"type": "array",
"description": "Specifies a list of HTTP headers that should be removed from each request that is sent to the\n health checked cluster."
},
"expected_statuses": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "envoy.type.v3.Int64Range"
},
"type": "array",
"description": "Specifies a list of HTTP response statuses considered healthy. If provided, replaces default\n 200-only policy - 200 must be included explicitly as needed. Ranges follow half-open\n semantics of :ref:`Int64Range \u003cenvoy_api_msg_type.v3.Int64Range\u003e`. The start and end of each\n range are required. Only statuses in the range [100, 600) are allowed."
},
"codec_client_type": {
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "Use specified application protocol for health checks."
},
"service_name_matcher": {
"$ref": "envoy.type.matcher.v3.StringMatcher",
"additionalProperties": true,
"type": "object",
"description": "An optional service name parameter which is used to validate the identity of\n the health checked cluster using a :ref:`StringMatcher\n \u003cenvoy_api_msg_type.matcher.v3.StringMatcher\u003e`. See the :ref:`architecture overview\n \u003carch_overview_health_checking_identity\u003e` for more information."
}
},
"additionalProperties": true,
"type": "object",
"description": "HTTP health check."
},
"tcp_health_check": {
"properties": {
"send": {
"$ref": "envoy.config.core.v3.HealthCheck.Payload",
"additionalProperties": true,
"type": "object",
"description": "Empty payloads imply a connect-only health check."
},
"receive": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "envoy.config.core.v3.HealthCheck.Payload"
},
"type": "array",
"description": "When checking the response, “fuzzy” matching is performed such that each\n binary block must be found, and in the order specified, but not\n necessarily contiguous."
}
},
"additionalProperties": true,
"type": "object",
"description": "TCP health check."
},
"grpc_health_check": {
"properties": {
"service_name": {
"type": "string",
"description": "An optional service name parameter which will be sent to gRPC service in\n `grpc.health.v1.HealthCheckRequest\n \u003chttps://github.com/grpc/grpc/blob/master/src/proto/grpc/health/v1/health.proto#L20\u003e`_\n message. See `gRPC health-checking overview\n \u003chttps://github.com/grpc/grpc/blob/master/doc/health-checking.md\u003e`_ for more information."
},
"authority": {
"type": "string",
"description": "The value of the :authority header in the gRPC health check request. If\n left empty (default value), the name of the cluster this health check is associated\n with will be used. The authority header can be customized for a specific endpoint by setting\n the :ref:`hostname \u003cenvoy_api_field_config.endpoint.v3.Endpoint.HealthCheckConfig.hostname\u003e` field."
}
},
"additionalProperties": true,
"type": "object",
"description": "gRPC health check."
},
"custom_health_check": {
"properties": {
"name": {
"type": "string",
"description": "The registered name of the custom health checker."
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type."
}
},
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": true,
"type": "object",
"description": "Custom health check."
},
"no_traffic_interval": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The \"no traffic interval\" is a special health check interval that is used when a cluster has\n never had traffic routed to it. This lower interval allows cluster information to be kept up to\n date, without sending a potentially large amount of active health checking traffic for no\n reason. Once a cluster has been used for traffic routing, Envoy will shift back to using the\n standard health check interval that is defined. Note that this interval takes precedence over\n any other.\n\n The default value for \"no traffic interval\" is 60 seconds."
},
"unhealthy_interval": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The \"unhealthy interval\" is a health check interval that is used for hosts that are marked as\n unhealthy. As soon as the host is marked as healthy, Envoy will shift back to using the\n standard health check interval that is defined.\n\n The default value for \"unhealthy interval\" is the same as \"interval\"."
},
"unhealthy_edge_interval": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The \"unhealthy edge interval\" is a special health check interval that is used for the first\n health check right after a host is marked as unhealthy. For subsequent health checks\n Envoy will shift back to using either \"unhealthy interval\" if present or the standard health\n check interval that is defined.\n\n The default value for \"unhealthy edge interval\" is the same as \"unhealthy interval\"."
},
"healthy_edge_interval": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The \"healthy edge interval\" is a special health check interval that is used for the first\n health check right after a host is marked as healthy. For subsequent health checks\n Envoy will shift back to using the standard health check interval that is defined.\n\n The default value for \"healthy edge interval\" is the same as the default interval."
},
"event_log_path": {
"type": "string",
"description": "Specifies the path to the :ref:`health check event log \u003carch_overview_health_check_logging\u003e`.\n If empty, no event log will be written."
},
"event_service": {
"$ref": "envoy.config.core.v3.EventServiceConfig",
"additionalProperties": true,
"type": "object",
"description": "[#not-implemented-hide:]\n The gRPC service for the health check event service.\n If empty, health check events won't be sent to a remote endpoint."
},
"always_log_health_check_failures": {
"type": "boolean",
"description": "If set to true, health check failure events will always be logged. If set to false, only the\n initial health check failure event will be logged.\n The default value is false."
},
"tls_options": {
"properties": {
"alpn_protocols": {
"items": {
"type": "string"
},
"type": "array",
"description": "Specifies the ALPN protocols for health check connections. This is useful if the\n corresponding upstream is using ALPN-based :ref:`FilterChainMatch\n \u003cenvoy_api_msg_config.listener.v3.FilterChainMatch\u003e` along with different protocols for health checks\n versus data connections. If empty, no ALPN protocols will be set on health check connections."
}
},
"additionalProperties": true,
"type": "object",
"description": "This allows overriding the cluster TLS settings, just for health check connections."
},
"transport_socket_match_criteria": {
"properties": {
"fields": {
"additionalProperties": {
"oneOf": [
{
"type": "null"
},
{
"type": "object"
}
]
},
"type": "object",
"description": "Unordered map of dynamically typed values."
}
},
"additionalProperties": true,
"type": "object",
"description": "Optional key/value pairs that will be used to match a transport socket from those specified in the cluster's\n :ref:`transport socket matches \u003cenvoy_api_field_config.cluster.v3.Cluster.transport_socket_matches\u003e`.\n For example, the following match criteria\n\n .. code-block:: yaml\n\n transport_socket_match_criteria:\n useMTLS: true\n\n Will match the following :ref:`cluster socket match \u003cenvoy_api_msg_config.cluster.v3.Cluster.TransportSocketMatch\u003e`\n\n .. code-block:: yaml\n\n transport_socket_matches:\n - name: \"useMTLS\"\n match:\n useMTLS: true\n transport_socket:\n name: envoy.transport_sockets.tls\n config: { ... } # tls socket configuration\n\n If this field is set, then for health checks it will supersede an entry of *envoy.transport_socket* in the\n :ref:`LbEndpoint.Metadata \u003cenvoy_api_field_config.endpoint.v3.LbEndpoint.metadata\u003e`.\n This allows using different transport socket capabilities for health checking versus proxying to the\n endpoint.\n\n If the key/value pairs specified do not match any\n :ref:`transport socket matches \u003cenvoy_api_field_config.cluster.v3.Cluster.transport_socket_matches\u003e`,\n the cluster's :ref:`transport socket \u003cenvoy_api_field_config.cluster.v3.Cluster.transport_socket\u003e`\n will be used for health check socket configuration."
}
},
"additionalProperties": true,
"type": "object",
"description": "[#next-free-field: 24]"
},
"type": "array",
"description": "Optional :ref:`active health checking \u003carch_overview_health_checking\u003e`\n configuration for the cluster. If no\n configuration is specified no health checking will be done and all cluster\n members will be considered healthy at all times."
},
"max_requests_per_connection": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"circuit_breakers": {
"properties": {
"thresholds": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"priority": {
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "The :ref:`RoutingPriority\u003cenvoy_api_enum_config.core.v3.RoutingPriority\u003e`\n the specified CircuitBreaker settings apply to."
},
"max_connections": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"max_pending_requests": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"max_requests": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"max_retries": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"retry_budget": {
"properties": {
"budget_percent": {
"$ref": "envoy.type.v3.Percent",
"additionalProperties": true,
"type": "object",
"description": "Specifies the limit on concurrent retries as a percentage of the sum of active requests and\n active pending requests. For example, if there are 100 active requests and the\n budget_percent is set to 25, there may be 25 active retries.\n\n This parameter is optional. Defaults to 20%."
},
"min_retry_concurrency": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
}
},
"additionalProperties": true,
"type": "object",
"description": "Specifies a limit on concurrent retries in relation to the number of active requests. This\n parameter is optional.\n\n .. note::\n\n If this field is set, the retry budget will override any configured retry circuit\n breaker."
},
"track_remaining": {
"type": "boolean",
"description": "If track_remaining is true, then stats will be published that expose\n the number of resources remaining until the circuit breakers open. If\n not specified, the default is false.\n\n .. note::\n\n If a retry budget is used in lieu of the max_retries circuit breaker,\n the remaining retry resources will not be tracked."
},
"max_connection_pools": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
}
},
"additionalProperties": true,
"type": "object",
"description": "A Thresholds defines CircuitBreaker settings for a\n :ref:`RoutingPriority\u003cenvoy_api_enum_config.core.v3.RoutingPriority\u003e`.\n [#next-free-field: 9]"
},
"type": "array",
"description": "If multiple :ref:`Thresholds\u003cenvoy_api_msg_config.cluster.v3.CircuitBreakers.Thresholds\u003e`\n are defined with the same :ref:`RoutingPriority\u003cenvoy_api_enum_config.core.v3.RoutingPriority\u003e`,\n the first one in the list is used. If no Thresholds is defined for a given\n :ref:`RoutingPriority\u003cenvoy_api_enum_config.core.v3.RoutingPriority\u003e`, the default values\n are used."
}
},
"additionalProperties": true,
"type": "object",
"description": "Optional :ref:`circuit breaking \u003carch_overview_circuit_break\u003e` for the cluster."
},
"upstream_http_protocol_options": {
"properties": {
"auto_sni": {
"type": "boolean",
"description": "Set transport socket `SNI \u003chttps://en.wikipedia.org/wiki/Server_Name_Indication\u003e`_ for new\n upstream connections based on the downstream HTTP host/authority header, as seen by the\n :ref:`router filter \u003cconfig_http_filters_router\u003e`."
},
"auto_san_validation": {
"type": "boolean",
"description": "Automatically validate the certificate presented by the upstream for new upstream connections based on the\n downstream HTTP host/authority header, as seen by the\n :ref:`router filter \u003cconfig_http_filters_router\u003e`.\n This field is intended to be set together with the `auto_sni` field."
}
},
"additionalProperties": true,
"type": "object",
"description": "HTTP protocol options that are applied only to upstream HTTP connections.\n These options apply to all HTTP versions."
},
"common_http_protocol_options": {
"properties": {
"idle_timeout": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The idle timeout for connections. The idle timeout is defined as the\n period in which there are no active requests. When the\n idle timeout is reached the connection will be closed. If the connection is an HTTP/2\n downstream connection a drain sequence will occur prior to closing the connection, see\n :ref:`drain_timeout\n \u003cenvoy_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.drain_timeout\u003e`.\n Note that request based timeouts mean that HTTP/2 PINGs will not keep the connection alive.\n If not specified, this defaults to 1 hour. To disable idle timeouts explicitly set this to 0.\n\n .. warning::\n Disabling this timeout has a high likelihood of yielding connection leaks due to lost TCP\n FIN packets, etc."
},
"max_connection_duration": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The maximum duration of a connection. The duration is defined as a period since a connection\n was established. If not set, there is no max duration. When max_connection_duration is reached\n the connection will be closed. A drain sequence will occur prior to closing the connection if\n it's applicable. See :ref:`drain_timeout\n \u003cenvoy_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.drain_timeout\u003e`.\n Note: not implemented for upstream connections."
},
"max_headers_count": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"max_stream_duration": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "Total duration to keep alive an HTTP request/response stream. If the time limit is reached the stream will be\n reset independent of any other timeouts. If not specified, this value is not set."
},
"headers_with_underscores_action": {
"enum": [
"ALLOW",
0,
"REJECT_REQUEST",
1,
"DROP_HEADER",
2
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "Action to take when a client request with a header name containing underscore characters is received.\n If this setting is not specified, the value defaults to ALLOW.\n Note: upstream responses are not affected by this setting."
}
},
"additionalProperties": true,
"type": "object",
"description": "Additional options when handling HTTP requests upstream. These options will be applicable to\n both HTTP1 and HTTP2 requests."
},
"http_protocol_options": {
"properties": {
"allow_absolute_url": {
"oneOf": [
{
"type": "null"
},
{
"type": "boolean"
}
]
},
"accept_http_10": {
"type": "boolean",
"description": "Handle incoming HTTP/1.0 and HTTP 0.9 requests.\n This is off by default, and not fully standards compliant. There is support for pre-HTTP/1.1\n style connect logic, dechunking, and handling lack of client host iff\n *default_host_for_http_10* is configured."
},
"default_host_for_http_10": {
"type": "string",
"description": "A default host for HTTP/1.0 requests. This is highly suggested if *accept_http_10* is true as\n Envoy does not otherwise support HTTP/1.0 without a Host header.\n This is a no-op if *accept_http_10* is not true."
},
"header_key_format": {
"properties": {
"proper_case_words": {
"additionalProperties": true,
"type": "object",
"description": "Formats the header by proper casing words: the first character and any character following\n a special character will be capitalized if it's an alpha character. For example,\n \"content-type\" becomes \"Content-Type\", and \"foo$b#$are\" becomes \"Foo$B#$Are\".\n Note that while this results in most headers following conventional casing, certain headers\n are not covered. For example, the \"TE\" header will be formatted as \"Te\"."
}
},
"additionalProperties": true,
"type": "object",
"description": "Describes how the keys for response headers should be formatted. By default, all header keys\n are lower cased."
},
"enable_trailers": {
"type": "boolean",
"description": "Enables trailers for HTTP/1. By default the HTTP/1 codec drops proxied trailers.\n\n .. attention::\n\n Note that this only happens when Envoy is chunk encoding which occurs when:\n - The request is HTTP/1.1.\n - Is neither a HEAD only request nor a HTTP Upgrade.\n - Not a response to a HEAD request.\n - The content length header is not present."
},
"allow_chunked_length": {
"type": "boolean",
"description": "Allows Envoy to process requests/responses with both `Content-Length` and `Transfer-Encoding`\n headers set. By default such messages are rejected, but if this option is enabled, Envoy will\n remove the Content-Length header and process the message.\n See `RFC7230, sec. 3.3.3 \u003chttps://tools.ietf.org/html/rfc7230#section-3.3.3\u003e`_ for details.\n\n .. attention::\n Enabling this option might lead to a request smuggling vulnerability, especially if traffic\n is proxied via multiple layers of proxies."
},
"override_stream_error_on_invalid_http_message": {
"oneOf": [
{
"type": "null"
},
{
"type": "boolean"
}
]
}
},
"additionalProperties": true,
"type": "object",
"description": "Additional options when handling HTTP1 requests."
},
"http2_protocol_options": {
"properties": {
"hpack_table_size": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"max_concurrent_streams": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"initial_stream_window_size": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"initial_connection_window_size": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"allow_connect": {
"type": "boolean",
"description": "Allows proxying Websocket and other upgrades over H2 connect."
},
"allow_metadata": {
"type": "boolean",
"description": "[#not-implemented-hide:] Hiding until envoy has full metadata support.\n Still under implementation. DO NOT USE.\n\n Allows metadata. See [metadata\n docs](https://github.com/envoyproxy/envoy/blob/master/source/docs/h2_metadata.md) for more\n information."
},
"max_outbound_frames": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"max_outbound_control_frames": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"max_consecutive_inbound_frames_with_empty_payload": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"max_inbound_priority_frames_per_stream": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"max_inbound_window_update_frames_per_data_frame_sent": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"stream_error_on_invalid_http_messaging": {
"type": "boolean",
"description": "Allows invalid HTTP messaging and headers. When this option is disabled (default), then\n the whole HTTP/2 connection is terminated upon receiving invalid HEADERS frame. However,\n when this option is enabled, only the offending stream is terminated.\n\n This is overridden by HCM :ref:`stream_error_on_invalid_http_messaging\n \u003cenvoy_v3_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.stream_error_on_invalid_http_message\u003e`\n iff present.\n\n This is deprecated in favor of :ref:`override_stream_error_on_invalid_http_message\n \u003cenvoy_v3_api_field_config.core.v3.Http2ProtocolOptions.override_stream_error_on_invalid_http_message\u003e`\n\n See `RFC7540, sec. 8.1 \u003chttps://tools.ietf.org/html/rfc7540#section-8.1\u003e`_ for details."
},
"override_stream_error_on_invalid_http_message": {
"oneOf": [
{
"type": "null"
},
{
"type": "boolean"
}
]
},
"custom_settings_parameters": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"identifier": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"value": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
}
},
"additionalProperties": true,
"type": "object",
"description": "Defines a parameter to be sent in the SETTINGS frame.\n See `RFC7540, sec. 6.5.1 \u003chttps://tools.ietf.org/html/rfc7540#section-6.5.1\u003e`_ for details."
},
"type": "array",
"description": "[#not-implemented-hide:]\n Specifies SETTINGS frame parameters to be sent to the peer, with two exceptions:\n\n 1. SETTINGS_ENABLE_PUSH (0x2) is not configurable as HTTP/2 server push is not supported by\n Envoy.\n\n 2. SETTINGS_ENABLE_CONNECT_PROTOCOL (0x8) is only configurable through the named field\n 'allow_connect'.\n\n Note that custom parameters specified through this field can not also be set in the\n corresponding named parameters:\n\n .. code-block:: text\n\n ID Field Name\n ----------------\n 0x1 hpack_table_size\n 0x3 max_concurrent_streams\n 0x4 initial_stream_window_size\n\n Collisions will trigger config validation failure on load/update. Likewise, inconsistencies\n between custom parameters with the same identifier will trigger a failure.\n\n See `IANA HTTP/2 Settings\n \u003chttps://www.iana.org/assignments/http2-parameters/http2-parameters.xhtml#settings\u003e`_ for\n standardized identifiers."
},
"connection_keepalive": {
"properties": {
"interval": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "Send HTTP/2 PING frames at this period, in order to test that the connection is still alive."
},
"timeout": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "How long to wait for a response to a keepalive PING. If a response is not received within this\n time period, the connection will be aborted."
},
"interval_jitter": {
"$ref": "envoy.type.v3.Percent",
"additionalProperties": true,
"type": "object",
"description": "A random jitter amount as a percentage of interval that will be added to each interval.\n A value of zero means there will be no jitter.\n The default value is 15%."
}
},
"additionalProperties": true,
"type": "object",
"description": "Send HTTP/2 PING frames to verify that the connection is still healthy. If the remote peer\n does not respond within the configured timeout, the connection will be aborted."
}
},
"additionalProperties": true,
"type": "object",
"description": "Even if default HTTP2 protocol options are desired, this field must be\n set so that Envoy will assume that the upstream supports HTTP/2 when\n making new HTTP connection pool connections. Currently, Envoy only\n supports prior knowledge for upstream connections. Even if TLS is used\n with ALPN, `http2_protocol_options` must be specified. As an aside this allows HTTP/2\n connections to happen over plain text."
},
"typed_extension_protocol_options": {
"additionalProperties": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type."
}
},
"additionalProperties": true,
"type": "object"
},
"type": "object",
"description": "The extension_protocol_options field is used to provide extension-specific protocol options\n for upstream connections. The key should match the extension filter name, such as\n \"envoy.filters.network.thrift_proxy\". See the extension's documentation for details on\n specific options."
},
"dns_refresh_rate": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "If the DNS refresh rate is specified and the cluster type is either\n :ref:`STRICT_DNS\u003cenvoy_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS\u003e`,\n or :ref:`LOGICAL_DNS\u003cenvoy_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS\u003e`,\n this value is used as the cluster’s DNS refresh\n rate. The value configured must be at least 1ms. If this setting is not specified, the\n value defaults to 5000ms. For cluster types other than\n :ref:`STRICT_DNS\u003cenvoy_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS\u003e`\n and :ref:`LOGICAL_DNS\u003cenvoy_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS\u003e`\n this setting is ignored."
},
"dns_failure_refresh_rate": {
"properties": {
"base_interval": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "Specifies the base interval between refreshes. This parameter is required and must be greater\n than zero and less than\n :ref:`max_interval \u003cenvoy_api_field_config.cluster.v3.Cluster.RefreshRate.max_interval\u003e`."
},
"max_interval": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "Specifies the maximum interval between refreshes. This parameter is optional, but must be\n greater than or equal to the\n :ref:`base_interval \u003cenvoy_api_field_config.cluster.v3.Cluster.RefreshRate.base_interval\u003e` if set. The default\n is 10 times the :ref:`base_interval \u003cenvoy_api_field_config.cluster.v3.Cluster.RefreshRate.base_interval\u003e`."
}
},
"additionalProperties": true,
"type": "object",
"description": "If the DNS failure refresh rate is specified and the cluster type is either\n :ref:`STRICT_DNS\u003cenvoy_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS\u003e`,\n or :ref:`LOGICAL_DNS\u003cenvoy_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS\u003e`,\n this is used as the cluster’s DNS refresh rate when requests are failing. If this setting is\n not specified, the failure refresh rate defaults to the DNS refresh rate. For cluster types\n other than :ref:`STRICT_DNS\u003cenvoy_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS\u003e` and\n :ref:`LOGICAL_DNS\u003cenvoy_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS\u003e` this setting is\n ignored."
},
"respect_dns_ttl": {
"type": "boolean",
"description": "Optional configuration for setting cluster's DNS refresh rate. If the value is set to true,\n cluster's DNS refresh rate will be set to resource record's TTL which comes from DNS\n resolution."
},
"dns_lookup_family": {
"enum": [
"AUTO",
0,
"V4_ONLY",
1,
"V6_ONLY",
2
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "The DNS IP address resolution policy. If this setting is not specified, the\n value defaults to\n :ref:`AUTO\u003cenvoy_api_enum_value_config.cluster.v3.Cluster.DnsLookupFamily.AUTO\u003e`."
},
"dns_resolvers": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "envoy.config.core.v3.Address"
},
"type": "array",
"description": "If DNS resolvers are specified and the cluster type is either\n :ref:`STRICT_DNS\u003cenvoy_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS\u003e`,\n or :ref:`LOGICAL_DNS\u003cenvoy_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS\u003e`,\n this value is used to specify the cluster’s dns resolvers.\n If this setting is not specified, the value defaults to the default\n resolver, which uses /etc/resolv.conf for configuration. For cluster types\n other than\n :ref:`STRICT_DNS\u003cenvoy_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS\u003e`\n and :ref:`LOGICAL_DNS\u003cenvoy_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS\u003e`\n this setting is ignored.\n Setting this value causes failure if the\n ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during\n server startup. Apple's API only allows overriding DNS resolvers via system settings."
},
"use_tcp_for_dns_lookups": {
"type": "boolean",
"description": "[#next-major-version: Reconcile DNS options in a single message.]\n Always use TCP queries instead of UDP queries for DNS lookups.\n Setting this value causes failure if the\n ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during\n server startup. Apple's API only uses UDP for DNS resolution."
},
"outlier_detection": {
"properties": {
"consecutive_5xx": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"interval": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The time interval between ejection analysis sweeps. This can result in\n both new ejections as well as hosts being returned to service. Defaults\n to 10000ms or 10s."
},
"base_ejection_time": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The base time that a host is ejected for. The real time is equal to the\n base time multiplied by the number of times the host has been ejected.\n Defaults to 30000ms or 30s."
},
"max_ejection_percent": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"enforcing_consecutive_5xx": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"enforcing_success_rate": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"success_rate_minimum_hosts": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"success_rate_request_volume": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"success_rate_stdev_factor": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"consecutive_gateway_failure": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"enforcing_consecutive_gateway_failure": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"split_external_local_origin_errors": {
"type": "boolean",
"description": "Determines whether to distinguish local origin failures from external errors. If set to true\n the following configuration parameters are taken into account:\n :ref:`consecutive_local_origin_failure\u003cenvoy_api_field_config.cluster.v3.OutlierDetection.consecutive_local_origin_failure\u003e`,\n :ref:`enforcing_consecutive_local_origin_failure\u003cenvoy_api_field_config.cluster.v3.OutlierDetection.enforcing_consecutive_local_origin_failure\u003e`\n and\n :ref:`enforcing_local_origin_success_rate\u003cenvoy_api_field_config.cluster.v3.OutlierDetection.enforcing_local_origin_success_rate\u003e`.\n Defaults to false."
},
"consecutive_local_origin_failure": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"enforcing_consecutive_local_origin_failure": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"enforcing_local_origin_success_rate": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"failure_percentage_threshold": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"enforcing_failure_percentage": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"enforcing_failure_percentage_local_origin": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"failure_percentage_minimum_hosts": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"failure_percentage_request_volume": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
}
},
"additionalProperties": true,
"type": "object",
"description": "If specified, outlier detection will be enabled for this upstream cluster.\n Each of the configuration values can be overridden via\n :ref:`runtime values \u003cconfig_cluster_manager_cluster_runtime_outlier_detection\u003e`."
},
"cleanup_interval": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The interval for removing stale hosts from a cluster of type\n :ref:`ORIGINAL_DST\u003cenvoy_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.ORIGINAL_DST\u003e`.\n Hosts are considered stale if they have not been used\n as upstream destinations during this interval. New hosts are added\n to original destination clusters on demand as new connections are\n redirected to Envoy, causing the number of hosts in the cluster to\n grow over time. Hosts that are not stale (they are actively used as\n destinations) are kept in the cluster, which allows connections to\n them to remain open, saving the latency that would otherwise be spent\n on opening new connections. If this setting is not specified, the\n value defaults to 5000ms. For cluster types other than\n :ref:`ORIGINAL_DST\u003cenvoy_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.ORIGINAL_DST\u003e`\n this setting is ignored."
},
"upstream_bind_config": {
"$ref": "envoy.config.core.v3.BindConfig",
"additionalProperties": true,
"type": "object",
"description": "Optional configuration used to bind newly established upstream connections.\n This overrides any bind_config specified in the bootstrap proto.\n If the address and port are empty, no bind will be performed."
},
"lb_subset_config": {
"properties": {
"fallback_policy": {
"enum": [
"NO_FALLBACK",
0,
"ANY_ENDPOINT",
1,
"DEFAULT_SUBSET",
2
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "The behavior used when no endpoint subset matches the selected route's\n metadata. The value defaults to\n :ref:`NO_FALLBACK\u003cenvoy_api_enum_value_config.cluster.v3.Cluster.LbSubsetConfig.LbSubsetFallbackPolicy.NO_FALLBACK\u003e`."
},
"default_subset": {
"properties": {
"fields": {
"additionalProperties": {
"oneOf": [
{
"type": "null"
},
{
"type": "object"
}
]
},
"type": "object",
"description": "Unordered map of dynamically typed values."
}
},
"additionalProperties": true,
"type": "object",
"description": "Specifies the default subset of endpoints used during fallback if\n fallback_policy is\n :ref:`DEFAULT_SUBSET\u003cenvoy_api_enum_value_config.cluster.v3.Cluster.LbSubsetConfig.LbSubsetFallbackPolicy.DEFAULT_SUBSET\u003e`.\n Each field in default_subset is\n compared to the matching LbEndpoint.Metadata under the *envoy.lb*\n namespace. It is valid for no hosts to match, in which case the behavior\n is the same as a fallback_policy of\n :ref:`NO_FALLBACK\u003cenvoy_api_enum_value_config.cluster.v3.Cluster.LbSubsetConfig.LbSubsetFallbackPolicy.NO_FALLBACK\u003e`."
},
"subset_selectors": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"keys": {
"items": {
"type": "string"
},
"type": "array",
"description": "List of keys to match with the weighted cluster metadata."
},
"single_host_per_subset": {
"type": "boolean",
"description": "Selects a mode of operation in which each subset has only one host. This mode uses the same rules for\n choosing a host, but updating hosts is faster, especially for large numbers of hosts.\n\n If a match is found to a host, that host will be used regardless of priority levels, unless the host is unhealthy.\n\n Currently, this mode is only supported if `subset_selectors` has only one entry, and `keys` contains\n only one entry.\n\n When this mode is enabled, configurations that contain more than one host with the same metadata value for the single key in `keys`\n will use only one of the hosts with the given key; no requests will be routed to the others. The cluster gauge\n :ref:`lb_subsets_single_host_per_subset_duplicate\u003cconfig_cluster_manager_cluster_stats_subset_lb\u003e` indicates how many duplicates are\n present in the current configuration."
},
"fallback_policy": {
"enum": [
"NOT_DEFINED",
0,
"NO_FALLBACK",
1,
"ANY_ENDPOINT",
2,
"DEFAULT_SUBSET",
3,
"KEYS_SUBSET",
4
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "The behavior used when no endpoint subset matches the selected route's\n metadata."
},
"fallback_keys_subset": {
"items": {
"type": "string"
},
"type": "array",
"description": "Subset of\n :ref:`keys\u003cenvoy_api_field_config.cluster.v3.Cluster.LbSubsetConfig.LbSubsetSelector.keys\u003e` used by\n :ref:`KEYS_SUBSET\u003cenvoy_api_enum_value_config.cluster.v3.Cluster.LbSubsetConfig.LbSubsetSelector.LbSubsetSelectorFallbackPolicy.KEYS_SUBSET\u003e`\n fallback policy.\n It has to be a non empty list if KEYS_SUBSET fallback policy is selected.\n For any other fallback policy the parameter is not used and should not be set.\n Only values also present in\n :ref:`keys\u003cenvoy_api_field_config.cluster.v3.Cluster.LbSubsetConfig.LbSubsetSelector.keys\u003e` are allowed, but\n `fallback_keys_subset` cannot be equal to `keys`."
}
},
"additionalProperties": true,
"type": "object",
"description": "Specifications for subsets."
},
"type": "array",
"description": "For each entry, LbEndpoint.Metadata's\n *envoy.lb* namespace is traversed and a subset is created for each unique\n combination of key and value. For example:\n\n .. code-block:: json\n\n { \"subset_selectors\": [\n { \"keys\": [ \"version\" ] },\n { \"keys\": [ \"stage\", \"hardware_type\" ] }\n ]}\n\n A subset is matched when the metadata from the selected route and\n weighted cluster contains the same keys and values as the subset's\n metadata. The same host may appear in multiple subsets."
},
"locality_weight_aware": {
"type": "boolean",
"description": "If true, routing to subsets will take into account the localities and locality weights of the\n endpoints when making the routing decision.\n\n There are some potential pitfalls associated with enabling this feature, as the resulting\n traffic split after applying both a subset match and locality weights might be undesirable.\n\n Consider for example a situation in which you have 50/50 split across two localities X/Y\n which have 100 hosts each without subsetting. If the subset LB results in X having only 1\n host selected but Y having 100, then a lot more load is being dumped on the single host in X\n than originally anticipated in the load balancing assignment delivered via EDS."
},
"scale_locality_weight": {
"type": "boolean",
"description": "When used with locality_weight_aware, scales the weight of each locality by the ratio\n of hosts in the subset vs hosts in the original subset. This aims to even out the load\n going to an individual locality if said locality is disproportionately affected by the\n subset predicate."
},
"panic_mode_any": {
"type": "boolean",
"description": "If true, when a fallback policy is configured and its corresponding subset fails to find\n a host this will cause any host to be selected instead.\n\n This is useful when using the default subset as the fallback policy, given the default\n subset might become empty. With this option enabled, if that happens the LB will attempt\n to select a host from the entire cluster."
},
"list_as_any": {
"type": "boolean",
"description": "If true, metadata specified for a metadata key will be matched against the corresponding\n endpoint metadata if the endpoint metadata matches the value exactly OR it is a list value\n and any of the elements in the list matches the criteria."
}
},
"additionalProperties": true,
"type": "object",
"description": "Configuration for load balancing subsetting."
},
"ring_hash_lb_config": {
"properties": {
"minimum_ring_size": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"hash_function": {
"enum": [
"XX_HASH",
0,
"MURMUR_HASH_2",
1
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "The hash function used to hash hosts onto the ketama ring. The value defaults to\n :ref:`XX_HASH\u003cenvoy_api_enum_value_config.cluster.v3.Cluster.RingHashLbConfig.HashFunction.XX_HASH\u003e`."
},
"maximum_ring_size": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
}
},
"additionalProperties": true,
"type": "object",
"description": "Optional configuration for the Ring Hash load balancing policy."
},
"maglev_lb_config": {
"properties": {
"table_size": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
}
},
"additionalProperties": true,
"type": "object",
"description": "Optional configuration for the Maglev load balancing policy."
},
"original_dst_lb_config": {
"properties": {
"use_http_header": {
"type": "boolean",
"description": "When true, :ref:`x-envoy-original-dst-host\n \u003cconfig_http_conn_man_headers_x-envoy-original-dst-host\u003e` can be used to override destination\n address.\n\n .. attention::\n\n This header isn't sanitized by default, so enabling this feature allows HTTP clients to\n route traffic to arbitrary hosts and/or ports, which may have serious security\n consequences. Enable it only where untrusted clients cannot set this header, for example\n because it is removed or overwritten before requests reach this cluster."
}
},
"additionalProperties": true,
"type": "object",
"description": "Optional configuration for the Original Destination load balancing policy."
},
"least_request_lb_config": {
"properties": {
"choice_count": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"active_request_bias": {
"properties": {
"default_value": {
"type": "number",
"description": "Default value if runtime value is not available."
},
"runtime_key": {
"type": "string",
"description": "Runtime key to get value for comparison. This value is used if defined."
}
},
"additionalProperties": true,
"type": "object",
"description": "The following formula is used to calculate the dynamic weights when hosts have different load\n balancing weights:\n\n `weight = load_balancing_weight / (active_requests + 1)^active_request_bias`\n\n The larger the active request bias is, the more aggressively active requests will lower the\n effective weight when all host weights are not equal.\n\n `active_request_bias` must be greater than or equal to 0.0.\n\n When `active_request_bias == 0.0` the Least Request Load Balancer doesn't consider the number\n of active requests at the time it picks a host and behaves like the Round Robin Load\n Balancer.\n\n When `active_request_bias \u003e 0.0` the Least Request Load Balancer scales the load balancing\n weight by the number of active requests at the time it does a pick.\n\n The value is cached for performance reasons and refreshed whenever one of the Load Balancer's\n host sets changes, e.g., whenever there is a host membership update or a host load balancing\n weight change.\n\n .. note::\n This setting only takes effect if all host weights are not equal."
}
},
"additionalProperties": true,
"type": "object",
"description": "Optional configuration for the LeastRequest load balancing policy."
},
"common_lb_config": {
"properties": {
"healthy_panic_threshold": {
"$ref": "envoy.type.v3.Percent",
"additionalProperties": true,
"type": "object",
"description": "Configures the :ref:`healthy panic threshold \u003carch_overview_load_balancing_panic_threshold\u003e`.\n If not specified, the default is 50%.\n To disable panic mode, set to 0%.\n\n .. note::\n The specified percent will be truncated to the nearest 1%."
},
"zone_aware_lb_config": {
"properties": {
"routing_enabled": {
"$ref": "envoy.type.v3.Percent",
"additionalProperties": true,
"type": "object",
"description": "Configures percentage of requests that will be considered for zone aware routing\n if zone aware routing is configured. If not specified, the default is 100%.\n * :ref:`runtime values \u003cconfig_cluster_manager_cluster_runtime_zone_routing\u003e`.\n * :ref:`Zone aware routing support \u003carch_overview_load_balancing_zone_aware_routing\u003e`."
},
"min_cluster_size": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"fail_traffic_on_panic": {
"type": "boolean",
"description": "If set to true, Envoy will not consider any hosts when the cluster is in :ref:`panic\n mode\u003carch_overview_load_balancing_panic_threshold\u003e`. Instead, the cluster will fail all\n requests as if all hosts are unhealthy. This can help avoid potentially overwhelming a\n failing service."
}
},
"additionalProperties": true,
"type": "object"
},
"locality_weighted_lb_config": {
"additionalProperties": true,
"type": "object"
},
"update_merge_window": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "If set, all health check/weight/metadata updates that happen within this duration will be\n merged and delivered in one shot when the duration expires. The start of the duration is when\n the first update happens. This is useful for big clusters, with potentially noisy deploys\n that might trigger excessive CPU usage due to a constant stream of healthcheck state changes\n or metadata updates. The first set of updates to be seen apply immediately (e.g.: a new\n cluster). Please always keep in mind that the use of sandbox technologies may change this\n behavior.\n\n If this is not set, we default to a merge window of 1000ms. To disable it, set the merge\n window to 0.\n\n Note: merging does not apply to cluster membership changes (e.g.: adds/removes); this is\n because merging those updates isn't currently safe. See\n https://github.com/envoyproxy/envoy/pull/3941."
},
"ignore_new_hosts_until_first_hc": {
"type": "boolean",
"description": "If set to true, Envoy will not consider new hosts when computing load balancing weights until\n they have been health checked for the first time. This will have no effect unless\n active health checking is also configured.\n\n Ignoring a host means that for any load balancing calculations that adjust weights based\n on the ratio of eligible hosts and total hosts (priority spillover, locality weighting and\n panic mode) Envoy will exclude these hosts in the denominator.\n\n For example, with hosts in two priorities P0 and P1, where P0 looks like\n {healthy, unhealthy (new), unhealthy (new)}\n and where P1 looks like\n {healthy, healthy}\n all traffic will still hit P0, as 1 / (3 - 2) = 1.\n\n Enabling this will allow scaling up the number of hosts for a given cluster without entering\n panic mode or triggering priority spillover, assuming the hosts pass the first health check.\n\n If panic mode is triggered, new hosts are still eligible for traffic; they simply do not\n contribute to the calculation when deciding whether panic mode is enabled or not."
},
"close_connections_on_host_set_change": {
"type": "boolean",
"description": "If set to `true`, the cluster manager will drain all existing\n connections to upstream hosts whenever hosts are added or removed from the cluster."
},
"consistent_hashing_lb_config": {
"properties": {
"use_hostname_for_hashing": {
"type": "boolean",
"description": "If set to `true`, the cluster will use hostname instead of the resolved\n address as the key to consistently hash to an upstream host. Only valid for StrictDNS clusters with hostnames which resolve to a single IP address."
},
"hash_balance_factor": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
}
},
"additionalProperties": true,
"type": "object",
"description": "Common Configuration for all consistent hashing load balancers (MaglevLb, RingHashLb, etc.)"
}
},
"additionalProperties": true,
"type": "object",
"description": "Common configuration for all load balancer implementations."
},
"transport_socket": {
"$ref": "envoy.config.core.v3.TransportSocket",
"additionalProperties": true,
"type": "object",
"description": "Optional custom transport socket implementation to use for upstream connections.\n To set up TLS, set a transport socket with name `tls` and\n :ref:`UpstreamTlsContexts \u003cenvoy_api_msg_extensions.transport_sockets.tls.v3.UpstreamTlsContext\u003e` in the `typed_config`.\n If no transport socket configuration is specified, new connections\n will be set up with plaintext (no TLS, so upstream traffic is neither encrypted nor authenticated)."
},
"metadata": {
"$ref": "envoy.config.core.v3.Metadata",
"additionalProperties": true,
"type": "object",
"description": "The Metadata field can be used to provide additional information about the\n cluster. It can be used for stats, logging, and varying filter behavior.\n Fields should use reverse DNS notation to denote which entity within Envoy\n will need the information. For instance, if the metadata is intended for\n the Router filter, the filter name should be specified as *envoy.filters.http.router*."
},
"protocol_selection": {
"enum": [
"USE_CONFIGURED_PROTOCOL",
0,
"USE_DOWNSTREAM_PROTOCOL",
1
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "Determines how Envoy selects the protocol used to speak to upstream hosts."
},
"upstream_connection_options": {
"properties": {
"tcp_keepalive": {
"properties": {
"keepalive_probes": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"keepalive_time": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"keepalive_interval": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
}
},
"additionalProperties": true,
"type": "object",
"description": "If set then set SO_KEEPALIVE on the socket to enable TCP Keepalives."
}
},
"additionalProperties": true,
"type": "object",
"description": "Optional options for upstream connections."
},
"close_connections_on_host_health_failure": {
"type": "boolean",
"description": "If an upstream host becomes unhealthy (as determined by the configured health checks\n or outlier detection), immediately close all connections to the failed host.\n\n .. note::\n\n This is currently only supported for connections created by tcp_proxy.\n\n .. note::\n\n The current implementation of this feature closes all connections immediately when\n the unhealthy status is detected. If there are a large number of connections open\n to an upstream host that becomes unhealthy, Envoy may spend a substantial amount of\n time exclusively closing these connections, and not processing any other traffic."
},
"ignore_health_on_host_removal": {
"type": "boolean",
"description": "If set to true, Envoy will ignore the health value of a host when processing its removal\n from service discovery. This means that if active health checking is used, Envoy will *not*\n wait for the endpoint to go unhealthy before removing it."
},
"filters": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "The name of the filter to instantiate. The name must match a\n :ref:`supported filter \u003cconfig_network_filters\u003e`."
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type."
}
},
"additionalProperties": true,
"type": "object",
"description": "Filter specific configuration which depends on the filter being\n instantiated. See the supported filters for further documentation."
}
},
"additionalProperties": true,
"type": "object",
"description": "[#protodoc-title: Upstream filters]\n Upstream filters apply to the connections to the upstream cluster hosts."
},
"type": "array",
"description": "An (optional) network filter chain, listed in the order the filters should be applied.\n The chain will be applied to all outgoing connections that Envoy makes to the upstream\n servers of this cluster."
},
"load_balancing_policy": {
"properties": {
"policies": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "Required. The name of the LB policy."
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type."
}
},
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": true,
"type": "object"
},
"type": "array",
"description": "Each client will iterate over the list in order and stop at the first policy that it\n supports. This provides a mechanism for starting to use new LB policies that are not yet\n supported by all clients."
}
},
"additionalProperties": true,
"type": "object",
"description": "[#not-implemented-hide:] New mechanism for LB policy configuration. Used only if the\n :ref:`lb_policy\u003cenvoy_api_field_config.cluster.v3.Cluster.lb_policy\u003e` field has the value\n :ref:`LOAD_BALANCING_POLICY_CONFIG\u003cenvoy_api_enum_value_config.cluster.v3.Cluster.LbPolicy.LOAD_BALANCING_POLICY_CONFIG\u003e`."
},
"lrs_server": {
"$ref": "envoy.config.core.v3.ConfigSource",
"additionalProperties": true,
"type": "object",
"description": "[#not-implemented-hide:]\n If present, tells the client where to send load reports via LRS. If not present, the\n client will fall back to a client-side default, which may be either (a) don't send any\n load reports or (b) send load reports for all clusters to a single default server\n (which may be configured in the bootstrap file).\n\n Note that if multiple clusters point to the same LRS server, the client may choose to\n create a separate stream for each cluster or it may choose to coalesce the data for\n multiple clusters onto a single stream. Either way, the client must make sure to send\n the data for any given cluster on no more than one stream.\n\n [#next-major-version: In the v3 API, we should consider restructuring this somehow,\n maybe by allowing LRS to go on the ADS stream, or maybe by moving some of the negotiation\n from the LRS stream here.]"
},
"track_timeout_budgets": {
"type": "boolean",
"description": "If track_timeout_budgets is true, the :ref:`timeout budget histograms\n \u003cconfig_cluster_manager_cluster_stats_timeout_budgets\u003e` will be published for each\n request. These show what percentage of a request's per try and global timeout was used. A value\n of 0 would indicate that none of the timeout was used or that the timeout was infinite. A value\n of 100 would indicate that the request took the entirety of the timeout given to it.\n\n .. attention::\n\n This field has been deprecated in favor of `timeout_budgets`, part of\n :ref:`track_cluster_stats \u003cenvoy_api_field_config.cluster.v3.Cluster.track_cluster_stats\u003e`."
},
"upstream_config": {
"$ref": "envoy.config.core.v3.TypedExtensionConfig",
"additionalProperties": true,
"type": "object",
"description": "Optional customization and configuration of upstream connection pool, and upstream type.\n\n Currently this field only applies for HTTP traffic but is designed for eventual use for custom\n TCP upstreams.\n\n For HTTP traffic, Envoy will generally take downstream HTTP and send it upstream as upstream\n HTTP, using the http connection pool and the codec from `http2_protocol_options`\n\n For routes where CONNECT termination is configured, Envoy will take downstream CONNECT\n requests and forward the CONNECT payload upstream over raw TCP using the tcp connection pool.\n\n The default pool used is the generic connection pool which creates the HTTP upstream for most\n HTTP requests, and the TCP upstream if CONNECT termination is configured.\n\n If users desire custom connection pool or upstream behavior, for example terminating\n CONNECT only if a custom filter indicates it is appropriate, the custom factories\n can be registered and configured here."
},
"track_cluster_stats": {
"properties": {
"timeout_budgets": {
"type": "boolean",
"description": "If timeout_budgets is true, the :ref:`timeout budget histograms\n \u003cconfig_cluster_manager_cluster_stats_timeout_budgets\u003e` will be published for each\n request. These show what percentage of a request's per try and global timeout was used. A value\n of 0 would indicate that none of the timeout was used or that the timeout was infinite. A value\n of 100 would indicate that the request took the entirety of the timeout given to it."
},
"request_response_sizes": {
"type": "boolean",
"description": "If request_response_sizes is true, then the :ref:`histograms\n \u003cconfig_cluster_manager_cluster_stats_request_response_sizes\u003e` tracking header and body sizes\n of requests and responses will be published."
}
},
"additionalProperties": true,
"type": "object",
"description": "Configuration to track optional cluster stats."
},
"prefetch_policy": {
"properties": {
"per_upstream_prefetch_ratio": {
"oneOf": [
{
"type": "null"
},
{
"type": "number"
}
]
},
"predictive_prefetch_ratio": {
"oneOf": [
{
"type": "null"
},
{
"type": "number"
}
]
}
},
"additionalProperties": true,
"type": "object",
"description": "[#not-implemented-hide:]\n Prefetch configuration for this cluster."
},
"connection_pool_per_downstream_connection": {
"type": "boolean",
"description": "If `connection_pool_per_downstream_connection` is true, the cluster will use a separate\n connection pool for every downstream connection."
}
},
"additionalProperties": true,
"type": "object",
"description": "Configuration for a single upstream cluster.\n [#next-free-field: 53]"
},
"type": "array",
"description": "If a network based configuration source is specified for :ref:`cds_config\n \u003cenvoy_api_field_config.bootstrap.v3.Bootstrap.DynamicResources.cds_config\u003e`, it's necessary\n to have some initial cluster definitions available to allow Envoy to know\n how to speak to the management server. These cluster definitions may not\n use :ref:`EDS \u003carch_overview_dynamic_config_eds\u003e` (i.e. they should be static\n IP or DNS-based)."
},
"secrets": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to."
},
"tls_certificate": {
"properties": {
"certificate_chain": {
"$ref": "envoy.config.core.v3.DataSource",
"additionalProperties": true,
"type": "object",
"description": "The TLS certificate chain."
},
"private_key": {
"$ref": "envoy.config.core.v3.DataSource",
"additionalProperties": true,
"type": "object",
"description": "The TLS private key."
},
"private_key_provider": {
"properties": {
"provider_name": {
"type": "string",
"description": "Private key method provider name. The name must match a\n supported private key method provider type."
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type."
}
},
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": true,
"type": "object",
"description": "BoringSSL private key method provider. This is an alternative to :ref:`private_key\n \u003cenvoy_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key\u003e` field. This can't be\n marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key\n \u003cenvoy_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key\u003e` and\n :ref:`private_key_provider\n \u003cenvoy_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key_provider\u003e` fields will result in an\n error."
},
"password": {
"$ref": "envoy.config.core.v3.DataSource",
"additionalProperties": true,
"type": "object",
"description": "The password to decrypt the TLS private key. If this field is not set, it is assumed that the\n TLS private key is not password encrypted."
},
"ocsp_staple": {
"$ref": "envoy.config.core.v3.DataSource",
"additionalProperties": true,
"type": "object",
"description": "The OCSP response to be stapled with this certificate during the handshake.\n The response must be DER-encoded and may only be provided via ``filename`` or\n ``inline_bytes``. The response may pertain to only one certificate."
},
"signed_certificate_timestamp": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "envoy.config.core.v3.DataSource"
},
"type": "array",
"description": "[#not-implemented-hide:]"
}
},
"additionalProperties": true,
"type": "object"
},
"session_ticket_keys": {
"properties": {
"keys": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "envoy.config.core.v3.DataSource"
},
"type": "array",
"description": "Keys for encrypting and decrypting TLS session tickets. The\n first key in the array contains the key to encrypt all new sessions created by this context.\n All keys are candidates for decrypting received tickets. This allows for easy rotation of keys\n by, for example, putting the new key first, and the previous key second.\n\n If :ref:`session_ticket_keys \u003cenvoy_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.session_ticket_keys\u003e`\n is not specified, the TLS library will still support resuming sessions via tickets, but it will\n use an internally-generated and managed key, so sessions cannot be resumed across hot restarts\n or on different hosts.\n\n Each key must contain exactly 80 bytes of cryptographically-secure random data. For\n example, the output of ``openssl rand 80``.\n\n .. attention::\n\n Using this feature has serious security considerations and risks. Improper handling of keys\n may result in loss of secrecy in connections, even if ciphers supporting perfect forward\n secrecy are used. See https://www.imperialviolet.org/2013/06/27/botchingpfs.html for some\n discussion. To minimize the risk, you must:\n\n * Keep the session ticket keys at least as secure as your TLS certificate private keys\n * Rotate session ticket keys at least daily, and preferably hourly\n * Always generate keys using a cryptographically-secure random data source"
}
},
"additionalProperties": true,
"type": "object"
},
"validation_context": {
"properties": {
"trusted_ca": {
"$ref": "envoy.config.core.v3.DataSource",
"additionalProperties": true,
"type": "object",
"description": "TLS certificate data containing certificate authority certificates to use in verifying\n a presented peer certificate (e.g. server certificate for clusters or client certificate\n for listeners). If not specified and a peer certificate is presented it will not be\n verified. By default, a client certificate is optional, unless one of the additional\n options (:ref:`require_client_certificate\n \u003cenvoy_api_field_extensions.transport_sockets.tls.v3.DownstreamTlsContext.require_client_certificate\u003e`,\n :ref:`verify_certificate_spki\n \u003cenvoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki\u003e`,\n :ref:`verify_certificate_hash\n \u003cenvoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash\u003e`, or\n :ref:`match_subject_alt_names\n \u003cenvoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.match_subject_alt_names\u003e`) is also\n specified.\n\n It can optionally contain certificate revocation lists, in which case Envoy will verify\n that the presented peer certificate has not been revoked by one of the included CRLs. Note\n that if a CRL is provided for any certificate authority in a trust chain, a CRL must be\n provided for all certificate authorities in that chain. Failure to do so will result in\n verification failure for both revoked and unrevoked certificates from that chain.\n\n See :ref:`the TLS overview \u003carch_overview_ssl_enabling_verification\u003e` for a list of common\n system CA locations."
},
"verify_certificate_spki": {
"items": {
"type": "string"
},
"type": "array",
"description": "An optional list of base64-encoded SHA-256 hashes. If specified, Envoy will verify that the\n SHA-256 of the DER-encoded Subject Public Key Information (SPKI) of the presented certificate\n matches one of the specified values.\n\n A base64-encoded SHA-256 of the Subject Public Key Information (SPKI) of the certificate\n can be generated with the following command:\n\n .. code-block:: bash\n\n $ openssl x509 -in path/to/client.crt -noout -pubkey\n | openssl pkey -pubin -outform DER\n | openssl dgst -sha256 -binary\n | openssl enc -base64\n NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=\n\n This is the format used in HTTP Public Key Pinning.\n\n When both:\n :ref:`verify_certificate_hash\n \u003cenvoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash\u003e` and\n :ref:`verify_certificate_spki\n \u003cenvoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki\u003e` are specified,\n a hash matching value from either of the lists will result in the certificate being accepted.\n\n .. attention::\n\n This option is preferred over :ref:`verify_certificate_hash\n \u003cenvoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash\u003e`,\n because SPKI is tied to a private key, so it doesn't change when the certificate\n is renewed using the same private key."
},
"verify_certificate_hash": {
"items": {
"type": "string"
},
"type": "array",
"description": "An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that\n the SHA-256 of the DER-encoded presented certificate matches one of the specified values.\n\n A hex-encoded SHA-256 of the certificate can be generated with the following command:\n\n .. code-block:: bash\n\n $ openssl x509 -in path/to/client.crt -outform DER | openssl dgst -sha256 | cut -d\" \" -f2\n df6ff72fe9116521268f6f2dd4966f51df479883fe7037b39f75916ac3049d1a\n\n A long hex-encoded and colon-separated SHA-256 (a.k.a. \"fingerprint\") of the certificate\n can be generated with the following command:\n\n .. code-block:: bash\n\n $ openssl x509 -in path/to/client.crt -noout -fingerprint -sha256 | cut -d\"=\" -f2\n DF:6F:F7:2F:E9:11:65:21:26:8F:6F:2D:D4:96:6F:51:DF:47:98:83:FE:70:37:B3:9F:75:91:6A:C3:04:9D:1A\n\n Both of those formats are acceptable.\n\n When both:\n :ref:`verify_certificate_hash\n \u003cenvoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_hash\u003e` and\n :ref:`verify_certificate_spki\n \u003cenvoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.verify_certificate_spki\u003e` are specified,\n a hash matching value from either of the lists will result in the certificate being accepted."
},
"match_subject_alt_names": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "envoy.type.matcher.v3.StringMatcher"
},
"type": "array",
"description": "An optional list of Subject Alternative name matchers. Envoy will verify that the\n Subject Alternative Name of the presented certificate matches one of the specified matches.\n\n When a certificate has wildcard DNS SAN entries, to match a specific client, it should be\n configured with exact match type in the :ref:`string matcher \u003cenvoy_api_msg_type.matcher.v3.StringMatcher\u003e`.\n For example if the certificate has \"\\*.example.com\" as DNS SAN entry, to allow only \"api.example.com\",\n it should be configured as shown below.\n\n .. code-block:: yaml\n\n match_subject_alt_names:\n exact: \"api.example.com\"\n\n .. attention::\n\n Subject Alternative Names are easily spoofable and verifying only them is insecure,\n therefore this option must be used together with :ref:`trusted_ca\n \u003cenvoy_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca\u003e`."
},
"require_signed_certificate_timestamp": {
"oneOf": [
{
"type": "null"
},
{
"type": "boolean"
}
]
},
"crl": {
"$ref": "envoy.config.core.v3.DataSource",
"additionalProperties": true,
"type": "object",
"description": "An optional `certificate revocation list\n \u003chttps://en.wikipedia.org/wiki/Certificate_revocation_list\u003e`_\n (in PEM format). If specified, Envoy will verify that the presented peer\n certificate has not been revoked by this CRL. If this DataSource contains\n multiple CRLs, all of them will be used. Note that if a CRL is provided\n for any certificate authority in a trust chain, a CRL must be provided\n for all certificate authorities in that chain. Failure to do so will\n result in verification failure for both revoked and unrevoked certificates\n from that chain."
},
"allow_expired_certificate": {
"type": "boolean",
"description": "If set to true, Envoy will not reject expired certificates."
},
"trust_chain_verification": {
"enum": [
"VERIFY_TRUST_CHAIN",
0,
"ACCEPT_UNTRUSTED",
1
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
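"description": "Certificate trust chain verification mode. VERIFY_TRUST_CHAIN (0) performs the default certificate verification; ACCEPT_UNTRUSTED (1) permits connections whose certificate fails verification, so it should not be used where the peer's identity must be enforced."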
}
},
"additionalProperties": true,
"type": "object"
},
"generic_secret": {
"properties": {
"secret": {
"$ref": "envoy.config.core.v3.DataSource",
"additionalProperties": true,
"type": "object",
"description": "Secret of generic type, available to filters."
}
},
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": true,
"type": "object",
"description": "[#next-free-field: 6]"
},
"type": "array",
"description": "These static secrets can be used by :ref:`SdsSecretConfig\n \u003cenvoy_api_msg_extensions.transport_sockets.tls.v3.SdsSecretConfig\u003e`."
}
},
"additionalProperties": true,
"type": "object",
"description": "Statically specified resources."
},
"dynamic_resources": {
"properties": {
"lds_config": {
"$ref": "envoy.config.core.v3.ConfigSource",
"additionalProperties": true,
"type": "object",
"description": "All :ref:`Listeners \u003cenvoy_api_msg_config.listener.v3.Listener\u003e` are provided by a single\n :ref:`LDS \u003carch_overview_dynamic_config_lds\u003e` configuration source."
},
"lds_resources_locator": {
"$ref": "udpa.core.v1.ResourceLocator",
"additionalProperties": true,
"type": "object",
"description": "Resource locator for listener collection.\n [#not-implemented-hide:]"
},
"cds_config": {
"$ref": "envoy.config.core.v3.ConfigSource",
"additionalProperties": true,
"type": "object",
"description": "All post-bootstrap :ref:`Cluster \u003cenvoy_api_msg_config.cluster.v3.Cluster\u003e` definitions are\n provided by a single :ref:`CDS \u003carch_overview_dynamic_config_cds\u003e`\n configuration source."
},
"cds_resources_locator": {
"$ref": "udpa.core.v1.ResourceLocator",
"additionalProperties": true,
"type": "object",
"description": "Resource locator for cluster collection.\n [#not-implemented-hide:]"
},
"ads_config": {
"$ref": "envoy.config.core.v3.ApiConfigSource",
"additionalProperties": true,
"type": "object",
"description": "A single :ref:`ADS \u003cconfig_overview_ads\u003e` source may be optionally\n specified. This must have :ref:`api_type\n \u003cenvoy_api_field_config.core.v3.ApiConfigSource.api_type\u003e` :ref:`GRPC\n \u003cenvoy_api_enum_value_config.core.v3.ApiConfigSource.ApiType.GRPC\u003e`. Only\n :ref:`ConfigSources \u003cenvoy_api_msg_config.core.v3.ConfigSource\u003e` that have\n the :ref:`ads \u003cenvoy_api_field_config.core.v3.ConfigSource.ads\u003e` field set will be\n streamed on the ADS channel."
}
},
"additionalProperties": true,
"type": "object",
"description": "xDS configuration sources."
},
"cluster_manager": {
"properties": {
"local_cluster_name": {
"type": "string",
"description": "Name of the local cluster (i.e., the cluster that owns the Envoy running\n this configuration). In order to enable :ref:`zone aware routing\n \u003carch_overview_load_balancing_zone_aware_routing\u003e` this option must be set.\n If *local_cluster_name* is defined then :ref:`clusters\n \u003cenvoy_api_msg_config.cluster.v3.Cluster\u003e` must be defined in the :ref:`Bootstrap\n static cluster resources\n \u003cenvoy_api_field_config.bootstrap.v3.Bootstrap.StaticResources.clusters\u003e`. This is unrelated to\n the :option:`--service-cluster` option which does not `affect zone aware\n routing \u003chttps://github.com/envoyproxy/envoy/issues/774\u003e`_."
},
"outlier_detection": {
"properties": {
"event_log_path": {
"type": "string",
"description": "Specifies the path to the outlier event log."
},
"event_service": {
"$ref": "envoy.config.core.v3.EventServiceConfig",
"additionalProperties": true,
"type": "object",
"description": "[#not-implemented-hide:]\n The gRPC service for the outlier detection event service.\n If empty, outlier detection events won't be sent to a remote endpoint."
}
},
"additionalProperties": true,
"type": "object",
"description": "Optional global configuration for outlier detection."
},
"upstream_bind_config": {
"$ref": "envoy.config.core.v3.BindConfig",
"additionalProperties": true,
"type": "object",
"description": "Optional configuration used to bind newly established upstream connections.\n This may be overridden on a per-cluster basis by upstream_bind_config in the cds_config."
},
"load_stats_config": {
"$ref": "envoy.config.core.v3.ApiConfigSource",
"additionalProperties": true,
"type": "object",
"description": "A management server endpoint to stream load stats to via\n *StreamLoadStats*. This must have :ref:`api_type\n \u003cenvoy_api_field_config.core.v3.ApiConfigSource.api_type\u003e` :ref:`GRPC\n \u003cenvoy_api_enum_value_config.core.v3.ApiConfigSource.ApiType.GRPC\u003e`."
}
},
"additionalProperties": true,
"type": "object",
"description": "Configuration for the cluster manager which owns all upstream clusters\n within the server."
},
"hds_config": {
"$ref": "envoy.config.core.v3.ApiConfigSource",
"additionalProperties": true,
"type": "object",
"description": "Health discovery service config option.\n (:ref:`core.ApiConfigSource \u003cenvoy_api_msg_config.core.v3.ApiConfigSource\u003e`)"
},
"flags_path": {
"type": "string",
"description": "Optional file system path to search for startup flag files."
},
"stats_sinks": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "The name of the stats sink to instantiate. The name must match a supported\n stats sink. The built-in stats sinks are:\n\n * :ref:`envoy.stat_sinks.statsd \u003cenvoy_api_msg_config.metrics.v3.StatsdSink\u003e`\n * :ref:`envoy.stat_sinks.dog_statsd \u003cenvoy_api_msg_config.metrics.v3.DogStatsdSink\u003e`\n * :ref:`envoy.stat_sinks.metrics_service \u003cenvoy_api_msg_config.metrics.v3.MetricsServiceConfig\u003e`\n * :ref:`envoy.stat_sinks.hystrix \u003cenvoy_api_msg_config.metrics.v3.HystrixSink\u003e`\n\n Sinks optionally support tagged/multiple dimensional metrics."
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type."
}
},
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": true,
"type": "object",
"description": "[#protodoc-title: Stats]\n Statistics :ref:`architecture overview \u003carch_overview_statistics\u003e`.\n\nConfiguration for pluggable stats sinks."
},
"type": "array",
"description": "Optional set of stats sinks."
},
"stats_config": {
"properties": {
"stats_tags": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"tag_name": {
"type": "string",
"description": "Attaches an identifier to the tag values to identify the tag being in the\n sink. Envoy has a set of default names and regexes to extract dynamic\n portions of existing stats, which can be found in :repo:`well_known_names.h\n \u003csource/common/config/well_known_names.h\u003e` in the Envoy repository. If a :ref:`tag_name\n \u003cenvoy_api_field_config.metrics.v3.TagSpecifier.tag_name\u003e` is provided in the config and\n neither :ref:`regex \u003cenvoy_api_field_config.metrics.v3.TagSpecifier.regex\u003e` nor\n :ref:`fixed_value \u003cenvoy_api_field_config.metrics.v3.TagSpecifier.fixed_value\u003e` is specified,\n Envoy will attempt to find that name in its set of defaults and use the accompanying regex.\n\n .. note::\n\n It is invalid to specify the same tag name twice in a config."
},
"regex": {
"type": "string",
"description": "Designates a tag to strip from the tag extracted name and provide as a named\n tag value for all statistics. This will only occur if any part of the name\n matches the regex provided with one or more capture groups.\n\n The first capture group identifies the portion of the name to remove. The\n second capture group (which will normally be nested inside the first) will\n designate the value of the tag for the statistic. If no second capture\n group is provided, the first will also be used to set the value of the tag.\n All other capture groups will be ignored.\n\n Example 1. a stat name ``cluster.foo_cluster.upstream_rq_timeout`` and\n one tag specifier:\n\n .. code-block:: json\n\n {\n \"tag_name\": \"envoy.cluster_name\",\n \"regex\": \"^cluster\\\\.((.+?)\\\\.)\"\n }\n\n Note that the regex will remove ``foo_cluster.`` making the tag extracted\n name ``cluster.upstream_rq_timeout`` and the tag value for\n ``envoy.cluster_name`` will be ``foo_cluster`` (note: there will be no\n ``.`` character because of the second capture group).\n\n Example 2. a stat name\n ``http.connection_manager_1.user_agent.ios.downstream_cx_total`` and two\n tag specifiers:\n\n .. code-block:: json\n\n [\n {\n \"tag_name\": \"envoy.http_user_agent\",\n \"regex\": \"^http(?=\\\\.).*?\\\\.user_agent\\\\.((.+?)\\\\.)\\\\w+?$\"\n },\n {\n \"tag_name\": \"envoy.http_conn_manager_prefix\",\n \"regex\": \"^http\\\\.((.*?)\\\\.)\"\n }\n ]\n\n The two regexes of the specifiers will be processed in the definition order.\n\n The first regex will remove ``ios.``, leaving the tag extracted name\n ``http.connection_manager_1.user_agent.downstream_cx_total``. The tag\n ``envoy.http_user_agent`` will be added with tag value ``ios``.\n\n The second regex will remove ``connection_manager_1.`` from the tag\n extracted name produced by the first regex\n ``http.connection_manager_1.user_agent.downstream_cx_total``, leaving\n ``http.user_agent.downstream_cx_total`` as the tag extracted name. The tag\n ``envoy.http_conn_manager_prefix`` will be added with the tag value\n ``connection_manager_1``."
},
"fixed_value": {
"type": "string",
"description": "Specifies a fixed tag value for the ``tag_name``."
}
},
"additionalProperties": true,
"type": "object",
"description": "Designates a tag name and value pair. The value may be either a fixed value\n or a regex providing the value via capture groups. The specified tag will be\n unconditionally set if a fixed value, otherwise it will only be set if one\n or more capture groups in the regex match."
},
"type": "array",
"description": "Each stat name is iteratively processed through these tag specifiers.\n When a tag is matched, the first capture group is removed from the name so\n later :ref:`TagSpecifiers \u003cenvoy_api_msg_config.metrics.v3.TagSpecifier\u003e` cannot match that\n same portion of the match."
},
"use_all_default_tags": {
"oneOf": [
{
"type": "null"
},
{
"type": "boolean"
}
]
},
"stats_matcher": {
"properties": {
"reject_all": {
"type": "boolean",
"description": "If `reject_all` is true, then all stats are disabled. If `reject_all` is false, then all\n stats are enabled."
},
"exclusion_list": {
"$ref": "envoy.type.matcher.v3.ListStringMatcher",
"additionalProperties": true,
"type": "object",
"description": "Exclusive match. All stats are enabled except for those matching one of the supplied\n StringMatcher protos."
},
"inclusion_list": {
"$ref": "envoy.type.matcher.v3.ListStringMatcher",
"additionalProperties": true,
"type": "object",
"description": "Inclusive match. No stats are enabled except for those matching one of the supplied\n StringMatcher protos."
}
},
"additionalProperties": true,
"type": "object",
"description": "Inclusion/exclusion matcher for stat name creation. If not provided, all stats are instantiated\n as normal. Preventing the instantiation of certain families of stats can improve memory\n performance for Envoys running especially large configs.\n\n .. warning::\n Excluding stats may affect Envoy's behavior in undocumented ways. See\n `issue #8771 \u003chttps://github.com/envoyproxy/envoy/issues/8771\u003e`_ for more information.\n If any unexpected behavior changes are observed, please open a new issue immediately."
},
"histogram_bucket_settings": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"match": {
"$ref": "envoy.type.matcher.v3.StringMatcher",
"additionalProperties": true,
"type": "object",
"description": "The stats that this rule applies to. The match is applied to the original stat name\n before tag-extraction, for example `cluster.exampleclustername.upstream_cx_length_ms`."
},
"buckets": {
"items": {
"type": "number"
},
"type": "array",
"description": "Each value is the upper bound of a bucket. Each bucket must be greater than 0 and unique.\n The order of the buckets does not matter."
}
},
"additionalProperties": true,
"type": "object",
"description": "Specifies a matcher for stats and the buckets that matching stats should use."
},
"type": "array",
"description": "Defines rules for setting the histogram buckets. Rules are evaluated in order, and the first\n match is applied. If no match is found (or if no rules are set), the following default buckets\n are used:\n\n .. code-block:: json\n\n [\n 0.5,\n 1,\n 5,\n 10,\n 25,\n 50,\n 100,\n 250,\n 500,\n 1000,\n 2500,\n 5000,\n 10000,\n 30000,\n 60000,\n 300000,\n 600000,\n 1800000,\n 3600000\n ]"
}
},
"additionalProperties": true,
"type": "object",
"description": "Configuration for internal processing of stats."
},
"stats_flush_interval": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "Optional duration between flushes to configured stats sinks. For\n performance reasons Envoy latches counters and only flushes counters and\n gauges at a periodic interval. If not specified the default is 5000ms (5\n seconds).\n Duration must be at least 1ms and at most 5 min."
},
"watchdog": {
"$ref": "envoy.config.bootstrap.v3.Watchdog",
"additionalProperties": true,
"type": "object",
"description": "Optional watchdog configuration.\n This is for a single watchdog configuration for the entire system.\n Deprecated in favor of *watchdogs* which has finer granularity."
},
"watchdogs": {
"properties": {
"main_thread_watchdog": {
"$ref": "envoy.config.bootstrap.v3.Watchdog",
"additionalProperties": true,
"type": "object",
"description": "Watchdog for the main thread."
},
"worker_watchdog": {
"$ref": "envoy.config.bootstrap.v3.Watchdog",
"additionalProperties": true,
"type": "object",
"description": "Watchdog for the worker threads."
}
},
"additionalProperties": true,
"type": "object",
"description": "Optional watchdogs configuration.\n This is used for specifying different watchdogs for the different subsystems."
},
"tracing": {
"properties": {
"http": {
"properties": {
"name": {
"type": "string",
"description": "The name of the HTTP trace driver to instantiate. The name must match a\n supported HTTP trace driver. Built-in trace drivers:\n\n - *envoy.tracers.lightstep*\n - *envoy.tracers.zipkin*\n - *envoy.tracers.dynamic_ot*\n - *envoy.tracers.datadog*\n - *envoy.tracers.opencensus*\n - *envoy.tracers.xray*"
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type."
}
},
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": true,
"type": "object",
"description": "Provides configuration for the HTTP tracer."
}
},
"additionalProperties": true,
"type": "object",
"description": "Configuration for an external tracing provider.\n\n .. attention::\n This field has been deprecated in favor of :ref:`HttpConnectionManager.Tracing.provider\n \u003cenvoy_api_field_extensions.filters.network.http_connection_manager.v3.HttpConnectionManager.Tracing.provider\u003e`."
},
"layered_runtime": {
"properties": {
"layers": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "Descriptive name for the runtime layer. This is only used for the runtime\n :http:get:`/runtime` output."
},
"static_layer": {
"properties": {
"fields": {
"additionalProperties": {
"oneOf": [
{
"type": "null"
},
{
"type": "object"
}
]
},
"type": "object",
"description": "Unordered map of dynamically typed values."
}
},
"additionalProperties": true,
"type": "object",
"description": ":ref:`Static runtime \u003cconfig_runtime_bootstrap\u003e` layer.\n This follows the :ref:`runtime protobuf JSON representation encoding\n \u003cconfig_runtime_proto_json\u003e`. Unlike static xDS resources, this static\n layer is overridable by later layers in the runtime virtual filesystem."
},
"disk_layer": {
"properties": {
"symlink_root": {
"type": "string",
"description": "The implementation assumes that the file system tree is accessed via a\n symbolic link. An atomic link swap is used when a new tree should be\n switched to. This parameter specifies the path to the symbolic link.\n Envoy will watch the location for changes and reload the file system tree\n when they happen. See documentation on runtime :ref:`atomicity\n \u003cconfig_runtime_atomicity\u003e` for further details on how reloads are\n treated."
},
"subdirectory": {
"type": "string",
"description": "Specifies the subdirectory to load within the root directory. This is\n useful if multiple systems share the same delivery mechanism. Envoy\n configuration elements can be contained in a dedicated subdirectory."
},
"append_service_cluster": {
"type": "boolean",
"description": ":ref:`Append \u003cconfig_runtime_local_disk_service_cluster_subdirs\u003e` the\n service cluster to the path under symlink root."
}
},
"additionalProperties": true,
"type": "object"
},
"admin_layer": {
"additionalProperties": true,
"type": "object"
},
"rtds_layer": {
"properties": {
"name": {
"type": "string",
"description": "Resource to subscribe to at *rtds_config* for the RTDS layer."
},
"rtds_resource_locator": {
"$ref": "udpa.core.v1.ResourceLocator",
"additionalProperties": true,
"type": "object",
"description": "Resource locator for RTDS layer. This is mutually exclusive to *name*.\n [#not-implemented-hide:]"
},
"rtds_config": {
"$ref": "envoy.config.core.v3.ConfigSource",
"additionalProperties": true,
"type": "object",
"description": "RTDS configuration source."
}
},
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": true,
"type": "object",
"description": "[#next-free-field: 6]"
},
"type": "array",
"description": "The :ref:`layers \u003cconfig_runtime_layering\u003e` of the runtime. This is ordered\n such that later layers in the list overlay earlier entries."
}
},
"additionalProperties": true,
"type": "object",
"description": "Configuration for the runtime configuration provider. If not\n specified, a “null” provider will be used which will result in all defaults\n being used."
},
"admin": {
"properties": {
"access_log_path": {
"type": "string",
"description": "The path to write the access log for the administration server. If no\n access log is desired specify ‘/dev/null’. This is only required if\n :ref:`address \u003cenvoy_api_field_config.bootstrap.v3.Admin.address\u003e` is set."
},
"profile_path": {
"type": "string",
"description": "The cpu profiler output path for the administration server. If no profile\n path is specified, the default is ‘/var/log/envoy/envoy.prof’."
},
"address": {
"$ref": "envoy.config.core.v3.Address",
"additionalProperties": true,
"type": "object",
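"description": "The TCP address that the administration server will listen on.\n If not specified, Envoy will not start an administration server.\n The administration interface can perform destructive operations (such as shutting down the server) and may expose private information, so this address should only be reachable from a trusted network."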
},
"socket_options": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "envoy.config.core.v3.SocketOption"
},
"type": "array",
"description": "Additional socket options that may not be present in Envoy source code or\n precompiled binaries."
}
},
"additionalProperties": true,
"type": "object",
"description": "Configuration for the local administration HTTP server."
},
"overload_manager": {
"properties": {
"refresh_interval": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The interval for refreshing resource usage."
},
"resource_monitors": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "The name of the resource monitor to instantiate. Must match a registered\n resource monitor type. The built-in resource monitors are:\n\n * :ref:`envoy.resource_monitors.fixed_heap\n \u003cenvoy_api_msg_config.resource_monitor.fixed_heap.v2alpha.FixedHeapConfig\u003e`\n * :ref:`envoy.resource_monitors.injected_resource\n \u003cenvoy_api_msg_config.resource_monitor.injected_resource.v2alpha.InjectedResourceConfig\u003e`"
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type."
}
},
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": true,
"type": "object",
"description": "[#protodoc-title: Overload Manager]\n\nThe Overload Manager provides an extensible framework to protect Envoy instances\n from overload of various resources (memory, cpu, file descriptors, etc).\n It monitors a configurable set of resources and notifies registered listeners\n when triggers related to those resources fire."
},
"type": "array",
"description": "The set of resources to monitor."
},
"actions": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "The name of the overload action. This is just a well-known string that listeners can\n use for registering callbacks. Custom overload actions should be named using reverse\n DNS to ensure uniqueness."
},
"triggers": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "The name of the resource this is a trigger for."
},
"threshold": {
"properties": {
"value": {
"type": "number",
"description": "If the resource pressure is greater than or equal to this value, the trigger\n will enter saturation."
}
},
"additionalProperties": true,
"type": "object"
},
"scaled": {
"properties": {
"scaling_threshold": {
"type": "number",
"description": "If the resource pressure is greater than this value, the trigger will be in the\n :ref:`scaling \u003carch_overview_overload_manager-triggers-state\u003e` state with value\n `(pressure - scaling_threshold) / (saturation_threshold - scaling_threshold)`."
},
"saturation_threshold": {
"type": "number",
"description": "If the resource pressure is greater than this value, the trigger will enter saturation."
}
},
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": true,
"type": "object"
},
"type": "array",
"description": "A set of triggers for this action. The state of the action is the maximum\n state of all triggers, which can be scaling between 0 and 1 or saturated. Listeners\n are notified when the overload action changes state."
}
},
"additionalProperties": true,
"type": "object"
},
"type": "array",
"description": "The set of overload actions."
}
},
"additionalProperties": true,
"type": "object",
"description": "Optional overload manager configuration."
},
"enable_dispatcher_stats": {
"type": "boolean",
"description": "Enable :ref:`stats for event dispatcher \u003coperations_performance\u003e`, defaults to false.\n Note that this records a value for each iteration of the event loop on every thread. This\n should normally be minimal overhead, but when using\n :ref:`statsd \u003cenvoy_api_msg_config.metrics.v3.StatsdSink\u003e`, it will send each observed value\n over the wire individually because the statsd protocol doesn't have any way to represent a\n histogram summary. Be aware that this can be a very large volume of data."
},
"header_prefix": {
"type": "string",
"description": "Optional string which will be used in lieu of x-envoy in prefixing headers.\n\n For example, if this string is present and set to X-Foo, then x-envoy-retry-on will be\n transformed into x-foo-retry-on etc.\n\n Note this applies to the headers Envoy will generate, the headers Envoy will sanitize, and the\n headers Envoy will trust for core code and core extensions only. Be VERY careful making\n changes to this string, especially in multi-layer Envoy deployments or deployments using\n extensions which are not upstream."
},
"stats_server_version_override": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"use_tcp_for_dns_lookups": {
"type": "boolean",
"description": "Always use TCP queries instead of UDP queries for DNS lookups.\n This may be overridden on a per-cluster basis in cds_config,\n when :ref:`dns_resolvers \u003cenvoy_api_field_config.cluster.v3.Cluster.dns_resolvers\u003e` and\n :ref:`use_tcp_for_dns_lookups \u003cenvoy_api_field_config.cluster.v3.Cluster.use_tcp_for_dns_lookups\u003e` are\n specified.\n Setting this value causes failure if the\n ``envoy.restart_features.use_apple_api_for_dns_lookups`` runtime value is true during\n server startup. Apple's API only uses UDP for DNS resolution."
},
"bootstrap_extensions": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "envoy.config.core.v3.TypedExtensionConfig"
},
"type": "array",
"description": "Specifies optional bootstrap extensions to be instantiated at startup time.\n Each item contains extension specific configuration."
},
"config_sources": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "envoy.config.core.v3.ConfigSource"
},
"type": "array",
"description": "Configuration sources that will participate in\n *udpa.core.v1.ResourceLocator* authority resolution. The algorithm is as\n follows:\n 1. The authority field is taken from the *udpa.core.v1.ResourceLocator*, call\n this *resource_authority*.\n 2. *resource_authority* is compared against the authorities in any peer\n *ConfigSource*. The peer *ConfigSource* is the configuration source\n message which would have been used unconditionally for resolution\n with opaque resource names. If there is a match with an authority, the\n peer *ConfigSource* message is used.\n 3. *resource_authority* is compared sequentially with the authorities in\n each configuration source in *config_sources*. The first *ConfigSource*\n to match wins.\n 4. As a fallback, if no configuration source matches, then\n *default_config_source* is used.\n 5. If *default_config_source* is not specified, resolution fails.\n [#not-implemented-hide:]"
},
"default_config_source": {
"$ref": "envoy.config.core.v3.ConfigSource",
"additionalProperties": true,
"type": "object",
"description": "Default configuration source for *udpa.core.v1.ResourceLocator* if all\n other resolution fails.\n [#not-implemented-hide:]"
},
"default_socket_interface": {
"type": "string",
"description": "Optional overriding of default socket interface. The value must be the name of one of the\n socket interface factories initialized through a bootstrap extension."
},
"certificate_provider_instances": {
"additionalProperties": {
"$ref": "envoy.config.core.v3.TypedExtensionConfig",
"additionalProperties": true,
"type": "object"
},
"type": "object",
"description": "Global map of CertificateProvider instances. These instances are referred to by name in the\n :ref:`CommonTlsContext.CertificateProviderInstance.instance_name\n \u003cenvoy_api_field_extensions.transport_sockets.tls.v3.CommonTlsContext.CertificateProviderInstance.instance_name\u003e`\n field.\n [#not-implemented-hide:]"
}
},
"additionalProperties": true,
"type": "object",
"description": "[#protodoc-title: Bootstrap]\n This proto is supplied via the :option:`-c` CLI flag and acts as the root\n of the Envoy v2 configuration. See the :ref:`v2 configuration overview\n \u003cconfig_overview_bootstrap\u003e` for more detail.\n\nBootstrap :ref:`configuration overview \u003cconfig_overview_bootstrap\u003e`.\n [#next-free-field: 28]",
"definitions": {
"envoy.config.accesslog.v3.AccessLogFilter": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"status_code_filter": {
"properties": {
"comparison": {
"$ref": "envoy.config.accesslog.v3.ComparisonFilter",
"additionalProperties": true,
"type": "object",
"description": "Comparison."
}
},
"additionalProperties": true,
"type": "object",
"description": "Status code filter."
},
"duration_filter": {
"properties": {
"comparison": {
"$ref": "envoy.config.accesslog.v3.ComparisonFilter",
"additionalProperties": true,
"type": "object",
"description": "Comparison."
}
},
"additionalProperties": true,
"type": "object",
"description": "Duration filter."
},
"not_health_check_filter": {
"additionalProperties": true,
"type": "object",
"description": "Not health check filter."
},
"traceable_filter": {
"additionalProperties": true,
"type": "object",
"description": "Traceable filter."
},
"runtime_filter": {
"properties": {
"runtime_key": {
"type": "string",
"description": "Runtime key to get an optional overridden numerator for use in the\n *percent_sampled* field. If found in runtime, this value will replace the\n default numerator."
},
"percent_sampled": {
"$ref": "envoy.type.v3.FractionalPercent",
"additionalProperties": true,
"type": "object",
"description": "The default sampling percentage. If not specified, defaults to 0% with\n denominator of 100."
},
"use_independent_randomness": {
"type": "boolean",
"description": "By default, sampling pivots on the header\n :ref:`x-request-id\u003cconfig_http_conn_man_headers_x-request-id\u003e` being\n present. If :ref:`x-request-id\u003cconfig_http_conn_man_headers_x-request-id\u003e`\n is present, the filter will consistently sample across multiple hosts based\n on the runtime key value and the value extracted from\n :ref:`x-request-id\u003cconfig_http_conn_man_headers_x-request-id\u003e`. If it is\n missing, or *use_independent_randomness* is set to true, the filter will\n randomly sample based on the runtime key value alone.\n *use_independent_randomness* can be used for logging kill switches within\n complex nested :ref:`AndFilter\n \u003cenvoy_api_msg_config.accesslog.v3.AndFilter\u003e` and :ref:`OrFilter\n \u003cenvoy_api_msg_config.accesslog.v3.OrFilter\u003e` blocks that are easier to\n reason about from a probability perspective (i.e., setting to true will\n cause the filter to behave like an independent random variable when\n composed within logical operator filters)."
}
},
"additionalProperties": true,
"type": "object",
"description": "Runtime filter."
},
"and_filter": {
"properties": {
"filters": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "envoy.config.accesslog.v3.AccessLogFilter"
},
"type": "array"
}
},
"additionalProperties": true,
"type": "object",
"description": "And filter."
},
"or_filter": {
"properties": {
"filters": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "envoy.config.accesslog.v3.AccessLogFilter"
},
"type": "array"
}
},
"additionalProperties": true,
"type": "object",
"description": "Or filter."
},
"header_filter": {
"properties": {
"header": {
"properties": {
"name": {
"type": "string",
"description": "Specifies the name of the header in the request."
},
"exact_match": {
"type": "string",
"description": "If specified, header match will be performed based on the value of the header."
},
"safe_regex_match": {
"$ref": "envoy.type.matcher.v3.RegexMatcher",
"additionalProperties": true,
"type": "object",
"description": "If specified, this regex string is a regular expression rule which implies the entire request\n header value must match the regex. The rule will not match if only a subsequence of the\n request header value matches the regex."
},
"range_match": {
"$ref": "envoy.type.v3.Int64Range",
"additionalProperties": true,
"type": "object",
"description": "If specified, header match will be performed based on range.\n The rule will match if the request header value is within this range.\n The entire request header value must represent an integer in base 10 notation: consisting of\n an optional plus or minus sign followed by a sequence of digits. The rule will not match if\n the header value does not represent an integer. Match will fail for empty values, floating\n point numbers or if only a subsequence of the header value is an integer.\n\n Examples:\n\n * For range [-10,0), route will match for header value -1, but not for 0, \"somestring\", 10.9,\n \"-1somestring\""
},
"present_match": {
"type": "boolean",
"description": "If specified, header match will be performed based on whether the header is in the\n request."
},
"prefix_match": {
"type": "string",
"description": "If specified, header match will be performed based on the prefix of the header value.\n Note: empty prefix is not allowed, please use present_match instead.\n\n Examples:\n\n * The prefix *abcd* matches the value *abcdxyz*, but not for *abcxyz*."
},
"suffix_match": {
"type": "string",
"description": "If specified, header match will be performed based on the suffix of the header value.\n Note: empty suffix is not allowed, please use present_match instead.\n\n Examples:\n\n * The suffix *abcd* matches the value *xyzabcd*, but not for *xyzbcd*."
},
"contains_match": {
"type": "string",
"description": "If specified, header match will be performed based on whether the header value contains\n the given value or not.\n Note: empty contains match is not allowed, please use present_match instead.\n\n Examples:\n\n * The value *abcd* matches the value *xyzabcdpqr*, but not for *xyzbcdpqr*."
},
"invert_match": {
"type": "boolean",
"description": "If specified, the match result will be inverted before checking. Defaults to false.\n\n Examples:\n\n * The regex ``\\d{3}`` does not match the value *1234*, so it will match when inverted.\n * The range [-10,0) will match the value -1, so it will not match when inverted."
}
},
"additionalProperties": true,
"type": "object",
"description": "Only requests with a header which matches the specified HeaderMatcher will\n pass the filter check."
}
},
"additionalProperties": true,
"type": "object",
"description": "Header filter."
},
"response_flag_filter": {
"properties": {
"flags": {
"items": {
"type": "string"
},
"type": "array",
"description": "Only responses with any of the flags listed in this field will be\n logged. This field is optional. If it is not specified, then any response\n flag will pass the filter check."
}
},
"additionalProperties": true,
"type": "object",
"description": "Response flag filter."
},
"grpc_status_filter": {
"properties": {
"statuses": {
"items": {
"enum": [
"OK",
0,
"CANCELED",
1,
"UNKNOWN",
2,
"INVALID_ARGUMENT",
3,
"DEADLINE_EXCEEDED",
4,
"NOT_FOUND",
5,
"ALREADY_EXISTS",
6,
"PERMISSION_DENIED",
7,
"RESOURCE_EXHAUSTED",
8,
"FAILED_PRECONDITION",
9,
"ABORTED",
10,
"OUT_OF_RANGE",
11,
"UNIMPLEMENTED",
12,
"INTERNAL",
13,
"UNAVAILABLE",
14,
"DATA_LOSS",
15,
"UNAUTHENTICATED",
16
]
},
"type": "array",
"description": "Logs only responses that have any one of the gRPC statuses in this field."
},
"exclude": {
"type": "boolean",
"description": "If included and set to true, the filter will instead block all responses\n with a gRPC status or inferred gRPC status enumerated in statuses, and\n allow all other responses."
}
},
"additionalProperties": true,
"type": "object",
"description": "gRPC status filter."
},
"extension_filter": {
"properties": {
"name": {
"type": "string",
"description": "The name of the filter implementation to instantiate. The name must\n match a statically registered filter."
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type."
}
},
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": true,
"type": "object",
"description": "Extension filter."
},
"metadata_filter": {
"properties": {
"matcher": {
"properties": {
"filter": {
"type": "string",
"description": "The filter name to retrieve the Struct from the Metadata."
},
"path": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"key": {
"type": "string",
"description": "If specified, use the key to retrieve the value in a Struct."
}
},
"additionalProperties": true,
"type": "object",
"description": "Specifies the segment in a path to retrieve value from Metadata.\n Note: Currently it's not supported to retrieve a value from a list in Metadata. This means that\n if the segment key refers to a list, it has to be the last segment in a path."
},
"type": "array",
"description": "The path to retrieve the Value from the Struct."
},
"value": {
"$ref": "envoy.type.matcher.v3.ValueMatcher",
"additionalProperties": true,
"type": "object",
"description": "The MetadataMatcher is matched if the value retrieved by path is matched to this value."
}
},
"additionalProperties": true,
"type": "object",
"description": "Matcher to check metadata for specified value. For example, to match on the\n access_log_hint metadata, set the filter to \"envoy.common\" and the path to\n \"access_log_hint\", and the value to \"true\"."
},
"match_if_key_not_found": {
"oneOf": [
{
"type": "null"
},
{
"type": "boolean"
}
]
}
},
"additionalProperties": true,
"type": "object",
"description": "Metadata Filter"
}
},
"additionalProperties": true,
"type": "object",
"description": "[#next-free-field: 13]",
"id": "envoy.config.accesslog.v3.AccessLogFilter"
},
"envoy.config.accesslog.v3.ComparisonFilter": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"op": {
"enum": [
"EQ",
0,
"GE",
1,
"LE",
2
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "Comparison operator."
},
"value": {
"properties": {
"default_value": {
"type": "integer",
"description": "Default value if runtime value is not available."
},
"runtime_key": {
"type": "string",
"description": "Runtime key to get value for comparison. This value is used if defined."
}
},
"additionalProperties": true,
"type": "object",
"description": "Value to compare against."
}
},
"additionalProperties": true,
"type": "object",
"description": "Filter on an integer comparison.",
"id": "envoy.config.accesslog.v3.ComparisonFilter"
},
"envoy.config.bootstrap.v3.Watchdog": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"actions": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"config": {
"$ref": "envoy.config.core.v3.TypedExtensionConfig",
"additionalProperties": true,
"type": "object",
"description": "Extension specific configuration for the action."
},
"event": {
"enum": [
"UNKNOWN",
0,
"KILL",
1,
"MULTIKILL",
2,
"MEGAMISS",
3,
"MISS",
4
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
]
}
},
"additionalProperties": true,
"type": "object"
},
"type": "array",
"description": "Register actions that will fire on given WatchDog events.\n See *WatchDogAction* for priority of events."
},
"miss_timeout": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The duration after which Envoy counts a nonresponsive thread in the\n *watchdog_miss* statistic. If not specified the default is 200ms."
},
"megamiss_timeout": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The duration after which Envoy counts a nonresponsive thread in the\n *watchdog_mega_miss* statistic. If not specified the default is\n 1000ms."
},
"kill_timeout": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "If a watched thread has been nonresponsive for this duration, assume a\n programming error and kill the entire Envoy process. Set to 0 to disable\n kill behavior. If not specified the default is 0 (disabled)."
},
"max_kill_timeout_jitter": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "Defines the maximum jitter used to adjust the *kill_timeout* if *kill_timeout* is\n enabled. Enabling this feature would help to reduce risk of synchronized\n watchdog kill events across proxies due to external triggers. Set to 0 to\n disable. If not specified the default is 0 (disabled)."
},
"multikill_timeout": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "If max(2, ceil(registered_threads * Fraction(*multikill_threshold*)))\n threads have been nonresponsive for at least this duration kill the entire\n Envoy process. Set to 0 to disable this behavior. If not specified the\n default is 0 (disabled)."
},
"multikill_threshold": {
"$ref": "envoy.type.v3.Percent",
"additionalProperties": true,
"type": "object",
"description": "Sets the threshold for *multikill_timeout* in terms of the percentage of\n nonresponsive threads required for the *multikill_timeout*.\n If not specified the default is 0."
}
},
"additionalProperties": true,
"type": "object",
"description": "Envoy process watchdog configuration. When configured, this monitors for\n nonresponsive threads and kills the process after the configured thresholds.\n See the :ref:`watchdog documentation \u003coperations_performance_watchdog\u003e` for more information.\n [#next-free-field: 8]",
"id": "envoy.config.bootstrap.v3.Watchdog"
},
"envoy.config.core.v3.Address": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"socket_address": {
"$ref": "envoy.config.core.v3.SocketAddress",
"additionalProperties": true,
"type": "object"
},
"pipe": {
"properties": {
"path": {
"type": "string",
"description": "Unix Domain Socket path. On Linux, paths starting with '@' will use the\n abstract namespace. The starting '@' is replaced by a null byte by Envoy.\n Paths starting with '@' will result in an error in environments other than\n Linux."
},
"mode": {
"type": "integer",
"description": "The mode for the Pipe. Not applicable for abstract sockets."
}
},
"additionalProperties": true,
"type": "object"
},
"envoy_internal_address": {
"properties": {
"server_listener_name": {
"type": "string",
"description": "[#not-implemented-hide:] The :ref:`listener name \u003cenvoy_api_field_config.listener.v3.Listener.name\u003e` of the destination internal listener."
}
},
"additionalProperties": true,
"type": "object",
"description": "[#not-implemented-hide:]"
}
},
"additionalProperties": true,
"type": "object",
"description": "Addresses specify either a logical or physical address and port, which are\n used to tell Envoy where to bind/listen, connect to upstream and find\n management servers.",
"id": "envoy.config.core.v3.Address"
},
"envoy.config.core.v3.ApiConfigSource": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"api_type": {
"enum": [
"DEPRECATED_AND_UNAVAILABLE_DO_NOT_USE",
0,
"REST",
1,
"GRPC",
2,
"DELTA_GRPC",
3,
"AGGREGATED_GRPC",
5,
"AGGREGATED_DELTA_GRPC",
6
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "API type (gRPC, REST, delta gRPC)"
},
"transport_api_version": {
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "API version for xDS transport protocol. This describes the xDS gRPC/REST\n endpoint and version of [Delta]DiscoveryRequest/Response used on the wire."
},
"cluster_names": {
"items": {
"type": "string"
},
"type": "array",
"description": "Cluster names should be used only with REST. If \u003e 1\n cluster is defined, clusters will be cycled through if any kind of failure\n occurs.\n\n .. note::\n\n The cluster with name ``cluster_name`` must be statically defined and its\n type must not be ``EDS``."
},
"grpc_services": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "envoy.config.core.v3.GrpcService"
},
"type": "array",
"description": "Multiple gRPC services be provided for GRPC. If \u003e 1 cluster is defined,\n services will be cycled through if any kind of failure occurs."
},
"refresh_delay": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "For REST APIs, the delay between successive polls."
},
"request_timeout": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "For REST APIs, the request timeout. If not set, a default value of 1s will be used."
},
"rate_limit_settings": {
"properties": {
"max_tokens": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"fill_rate": {
"oneOf": [
{
"type": "null"
},
{
"type": "number"
}
]
}
},
"additionalProperties": true,
"type": "object",
"description": "For GRPC APIs, the rate limit settings. If present, discovery requests made by Envoy will be\n rate limited."
},
"set_node_on_first_message_only": {
"type": "boolean",
"description": "Skip the node identifier in subsequent discovery requests for streaming gRPC config types."
}
},
"additionalProperties": true,
"type": "object",
"description": "API configuration source. This identifies the API type and cluster that Envoy\n will use to fetch an xDS API.\n [#next-free-field: 9]",
"id": "envoy.config.core.v3.ApiConfigSource"
},
"envoy.config.core.v3.BindConfig": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"source_address": {
"$ref": "envoy.config.core.v3.SocketAddress",
"additionalProperties": true,
"type": "object",
"description": "The address to bind to when creating a socket."
},
"freebind": {
"oneOf": [
{
"type": "null"
},
{
"type": "boolean"
}
]
},
"socket_options": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "envoy.config.core.v3.SocketOption"
},
"type": "array",
"description": "Additional socket options that may not be present in Envoy source code or\n precompiled binaries."
}
},
"additionalProperties": true,
"type": "object",
"id": "envoy.config.core.v3.BindConfig"
},
"envoy.config.core.v3.BuildVersion": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"version": {
"properties": {
"major_number": {
"type": "integer"
},
"minor_number": {
"type": "integer"
},
"patch": {
"type": "integer"
}
},
"additionalProperties": true,
"type": "object",
"description": "SemVer version of extension."
},
"metadata": {
"properties": {
"fields": {
"additionalProperties": {
"oneOf": [
{
"type": "null"
},
{
"type": "object"
}
]
},
"type": "object",
"description": "Unordered map of dynamically typed values."
}
},
"additionalProperties": true,
"type": "object",
"description": "Free-form build information.\n Envoy defines several well known keys in the source/common/version/version.h file"
}
},
"additionalProperties": true,
"type": "object",
"description": "BuildVersion combines SemVer version of extension with free-form build information\n (i.e. 'alpha', 'private-build') as a set of strings.",
"id": "envoy.config.core.v3.BuildVersion"
},
"envoy.config.core.v3.CidrRange": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"address_prefix": {
"type": "string",
"description": "IPv4 or IPv6 address, e.g. ``192.0.0.0`` or ``2001:db8::``."
},
"prefix_len": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
}
},
"additionalProperties": true,
"type": "object",
"description": "CidrRange specifies an IP Address and a prefix length to construct\n the subnet mask for a `CIDR \u003chttps://tools.ietf.org/html/rfc4632\u003e`_ range.",
"id": "envoy.config.core.v3.CidrRange"
},
"envoy.config.core.v3.ConfigSource": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"authorities": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string"
}
},
"additionalProperties": true,
"type": "object",
"description": "UDPA authority information."
},
"type": "array",
"description": "Authorities that this config source may be used for. An authority specified\n in a *udpa.core.v1.ResourceLocator* is resolved to a *ConfigSource* prior\n to configuration fetch. This field provides the association between\n authority name and configuration source.\n [#not-implemented-hide:]"
},
"path": {
"type": "string",
"description": "Path on the filesystem to source and watch for configuration updates.\n When sourcing configuration for :ref:`secret \u003cenvoy_api_msg_extensions.transport_sockets.tls.v3.Secret\u003e`,\n the certificate and key files are also watched for updates.\n\n .. note::\n\n The path to the source must exist at config load time.\n\n .. note::\n\n Envoy will only watch the file path for *moves.* This is because in general only moves\n are atomic. The same method of swapping files as is demonstrated in the\n :ref:`runtime documentation \u003cconfig_runtime_symbolic_link_swap\u003e` can be used here also."
},
"api_config_source": {
"$ref": "envoy.config.core.v3.ApiConfigSource",
"additionalProperties": true,
"type": "object",
"description": "API configuration source."
},
"ads": {
"additionalProperties": true,
"type": "object",
"description": "When set, ADS will be used to fetch resources. The ADS API configuration\n source in the bootstrap configuration is used."
},
"self": {
"properties": {
"transport_api_version": {
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "API version for xDS transport protocol. This describes the xDS gRPC/REST\n endpoint and version of [Delta]DiscoveryRequest/Response used on the wire."
}
},
"additionalProperties": true,
"type": "object",
"description": "[#not-implemented-hide:]\n When set, the client will access the resources from the same server it got the\n ConfigSource from, although not necessarily from the same stream. This is similar to the\n :ref:`ads\u003cenvoy_api_field.ConfigSource.ads\u003e` field, except that the client may use a\n different stream to the same server. As a result, this field can be used for things\n like LRS that cannot be sent on an ADS stream. It can also be used to link from (e.g.)\n LDS to RDS on the same server without requiring the management server to know its name\n or required credentials.\n [#next-major-version: In xDS v3, consider replacing the ads field with this one, since\n this field can implicitly mean to use the same stream in the case where the ConfigSource\n is provided via ADS and the specified data can also be obtained via ADS.]"
},
"initial_fetch_timeout": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "When this timeout is specified, Envoy will wait no longer than the specified time for first\n config response on this xDS subscription during the :ref:`initialization process\n \u003carch_overview_initialization\u003e`. After reaching the timeout, Envoy will move to the next\n initialization phase, even if the first config is not delivered yet. The timer is activated\n when the xDS API subscription starts, and is disarmed on first config update or on error. 0\n means no timeout - Envoy will wait indefinitely for the first xDS config (unless another\n timeout applies). The default is 15s."
},
"resource_api_version": {
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "API version for xDS resources. This implies the type URLs that the client\n will request for resources and the resource type that the client will in\n turn expect to be delivered."
}
},
"additionalProperties": true,
"type": "object",
"description": "Configuration for :ref:`listeners \u003cconfig_listeners\u003e`, :ref:`clusters\n \u003cconfig_cluster_manager\u003e`, :ref:`routes\n \u003cenvoy_api_msg_config.route.v3.RouteConfiguration\u003e`, :ref:`endpoints\n \u003carch_overview_service_discovery\u003e` etc. may either be sourced from the\n filesystem or from an xDS API source. Filesystem configs are watched with\n inotify for updates.\n [#next-free-field: 8]",
"id": "envoy.config.core.v3.ConfigSource"
},
"envoy.config.core.v3.DataSource": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"filename": {
"type": "string",
"description": "Local filesystem data source."
},
"inline_bytes": {
"type": "string",
"description": "Bytes inlined in the configuration."
},
"inline_string": {
"type": "string",
"description": "String inlined in the configuration."
}
},
"additionalProperties": true,
"type": "object",
"description": "Data source consisting of either a file or an inline value.",
"id": "envoy.config.core.v3.DataSource"
},
"envoy.config.core.v3.EventServiceConfig": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"grpc_service": {
"$ref": "envoy.config.core.v3.GrpcService",
"additionalProperties": true,
"type": "object",
"description": "Specifies the gRPC service that hosts the event reporting service."
}
},
"additionalProperties": true,
"type": "object",
"description": "[#not-implemented-hide:]\n Configuration of the event reporting service endpoint.",
"id": "envoy.config.core.v3.EventServiceConfig"
},
"envoy.config.core.v3.GrpcService": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"envoy_grpc": {
"properties": {
"cluster_name": {
"type": "string",
"description": "The name of the upstream gRPC cluster. SSL credentials will be supplied\n in the :ref:`Cluster \u003cenvoy_api_msg_config.cluster.v3.Cluster\u003e` :ref:`transport_socket\n \u003cenvoy_api_field_config.cluster.v3.Cluster.transport_socket\u003e`."
},
"authority": {
"type": "string",
"description": "The `:authority` header in the grpc request. If this field is not set, the authority header value will be `cluster_name`.\n Note that this authority does not override the SNI. The SNI is provided by the transport socket of the cluster."
}
},
"additionalProperties": true,
"type": "object",
"description": "Envoy's in-built gRPC client.\n See the :ref:`gRPC services overview \u003carch_overview_grpc_services\u003e`\n documentation for discussion on gRPC client selection."
},
"google_grpc": {
"properties": {
"target_uri": {
"type": "string",
"description": "The target URI when using the `Google C++ gRPC client\n \u003chttps://github.com/grpc/grpc\u003e`_. SSL credentials will be supplied in\n :ref:`channel_credentials \u003cenvoy_api_field_config.core.v3.GrpcService.GoogleGrpc.channel_credentials\u003e`."
},
"channel_credentials": {
"properties": {
"ssl_credentials": {
"properties": {
"root_certs": {
"$ref": "envoy.config.core.v3.DataSource",
"additionalProperties": true,
"type": "object",
"description": "PEM encoded server root certificates."
},
"private_key": {
"$ref": "envoy.config.core.v3.DataSource",
"additionalProperties": true,
"type": "object",
"description": "PEM encoded client private key."
},
"cert_chain": {
"$ref": "envoy.config.core.v3.DataSource",
"additionalProperties": true,
"type": "object",
"description": "PEM encoded client certificate chain."
}
},
"additionalProperties": true,
"type": "object"
},
"google_default": {
"additionalProperties": true,
"type": "object",
"description": "https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61"
},
"local_credentials": {
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": true,
"type": "object"
},
"call_credentials": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"access_token": {
"type": "string",
"description": "Access token credentials.\n https://grpc.io/grpc/cpp/namespacegrpc.html#ad3a80da696ffdaea943f0f858d7a360d."
},
"google_compute_engine": {
"additionalProperties": true,
"type": "object",
"description": "Google Compute Engine credentials.\n https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61"
},
"google_refresh_token": {
"type": "string",
"description": "Google refresh token credentials.\n https://grpc.io/grpc/cpp/namespacegrpc.html#a96901c997b91bc6513b08491e0dca37c."
},
"service_account_jwt_access": {
"properties": {
"json_key": {
"type": "string"
},
"token_lifetime_seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
]
}
},
"additionalProperties": true,
"type": "object",
"description": "Service Account JWT Access credentials.\n https://grpc.io/grpc/cpp/namespacegrpc.html#a92a9f959d6102461f66ee973d8e9d3aa."
},
"google_iam": {
"properties": {
"authorization_token": {
"type": "string"
},
"authority_selector": {
"type": "string"
}
},
"additionalProperties": true,
"type": "object",
"description": "Google IAM credentials.\n https://grpc.io/grpc/cpp/namespacegrpc.html#a9fc1fc101b41e680d47028166e76f9d0."
},
"from_plugin": {
"properties": {
"name": {
"type": "string"
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type."
}
},
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": true,
"type": "object",
"description": "Custom authenticator credentials.\n https://grpc.io/grpc/cpp/namespacegrpc.html#a823c6a4b19ffc71fb33e90154ee2ad07.\n https://grpc.io/docs/guides/auth.html#extending-grpc-to-support-other-authentication-mechanisms."
},
"sts_service": {
"properties": {
"token_exchange_service_uri": {
"type": "string",
"description": "URI of the token exchange service that handles token exchange requests.\n [#comment:TODO(asraa): Add URI validation when implemented. Tracked by\n https://github.com/envoyproxy/protoc-gen-validate/issues/303]"
},
"resource": {
"type": "string",
"description": "Location of the target service or resource where the client\n intends to use the requested security token."
},
"audience": {
"type": "string",
"description": "Logical name of the target service where the client intends to\n use the requested security token."
},
"scope": {
"type": "string",
"description": "The desired scope of the requested security token in the\n context of the service or resource where the token will be used."
},
"requested_token_type": {
"type": "string",
"description": "Type of the requested security token."
},
"subject_token_path": {
"type": "string",
"description": "The path of subject token, a security token that represents the\n identity of the party on behalf of whom the request is being made."
},
"subject_token_type": {
"type": "string",
"description": "Type of the subject token."
},
"actor_token_path": {
"type": "string",
"description": "The path of actor token, a security token that represents the identity\n of the acting party. The acting party is authorized to use the\n requested security token and act on behalf of the subject."
},
"actor_token_type": {
"type": "string",
"description": "Type of the actor token."
}
},
"additionalProperties": true,
"type": "object",
"description": "Custom security token service which implements OAuth 2.0 token exchange.\n https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16\n See https://github.com/grpc/grpc/pull/19587."
}
},
"additionalProperties": true,
"type": "object",
"description": "[#next-free-field: 8]"
},
"type": "array",
"description": "A set of call credentials that can be composed with `channel credentials\n \u003chttps://grpc.io/docs/guides/auth.html#credential-types\u003e`_."
},
"stat_prefix": {
"type": "string",
"description": "The human readable prefix to use when emitting statistics for the gRPC\n service.\n\n .. csv-table::\n :header: Name, Type, Description\n :widths: 1, 1, 2\n\n streams_total, Counter, Total number of streams opened\n streams_closed_\u003cgRPC status code\u003e, Counter, Total streams closed with \u003cgRPC status code\u003e"
},
"credentials_factory_name": {
"type": "string",
"description": "The name of the Google gRPC credentials factory to use. This must have been registered with\n Envoy. If this is empty, a default credentials factory will be used that sets up channel\n credentials based on other configuration parameters."
},
"config": {
"properties": {
"fields": {
"additionalProperties": {
"oneOf": [
{
"type": "null"
},
{
"type": "object"
}
]
},
"type": "object",
"description": "Unordered map of dynamically typed values."
}
},
"additionalProperties": true,
"type": "object",
"description": "Additional configuration for site-specific customizations of the Google\n gRPC library."
},
"per_stream_buffer_limit_bytes": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
},
"channel_args": {
"properties": {
"args": {
"additionalProperties": {
"properties": {
"string_value": {
"type": "string"
},
"int_value": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
]
}
},
"additionalProperties": true,
"type": "object"
},
"type": "object",
"description": "See grpc_types.h GRPC_ARG #defines for keys that work here."
}
},
"additionalProperties": true,
"type": "object",
"description": "Custom channels args."
}
},
"additionalProperties": true,
"type": "object",
"description": "`Google C++ gRPC client \u003chttps://github.com/grpc/grpc\u003e`_\n See the :ref:`gRPC services overview \u003carch_overview_grpc_services\u003e`\n documentation for discussion on gRPC client selection."
},
"timeout": {
"properties": {
"seconds": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Signed seconds of the span of time. Must be from -315,576,000,000\n to +315,576,000,000 inclusive. Note: these bounds are computed from:\n 60 sec/min * 60 min/hr * 24 hr/day * 365.25 days/year * 10000 years"
},
"nanos": {
"type": "integer",
"description": "Signed fractions of a second at nanosecond resolution of the span\n of time. Durations less than one second are represented with a 0\n `seconds` field and a positive or negative `nanos` field. For durations\n of one second or more, a non-zero value for the `nanos` field must be\n of the same sign as the `seconds` field. Must be from -999,999,999\n to +999,999,999 inclusive."
}
},
"additionalProperties": true,
"type": "object",
"description": "The timeout for the gRPC request. This is the timeout for a specific\n request."
},
"initial_metadata": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "envoy.config.core.v3.HeaderValue"
},
"type": "array",
"description": "Additional metadata to include in streams initiated to the GrpcService.\n This can be used for scenarios in which additional ad hoc authorization\n headers (e.g. ``x-foo-bar: baz-key``) are to be injected."
}
},
"additionalProperties": true,
"type": "object",
"description": "[#protodoc-title: gRPC services]\n\ngRPC service configuration. This is used by :ref:`ApiConfigSource\n \u003cenvoy_api_msg_config.core.v3.ApiConfigSource\u003e` and filter configurations.\n [#next-free-field: 6]",
"id": "envoy.config.core.v3.GrpcService"
},
"envoy.config.core.v3.HeaderValue": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"key": {
"type": "string",
"description": "Header name."
},
"value": {
"type": "string",
"description": "Header value.\n\n The same :ref:`format specifier \u003cconfig_access_log_format\u003e` as used for\n :ref:`HTTP access logging \u003cconfig_access_log\u003e` applies here, however\n unknown header values are replaced with the empty string instead of `-`."
}
},
"additionalProperties": true,
"type": "object",
"description": "Header name/value pair.",
"id": "envoy.config.core.v3.HeaderValue"
},
"envoy.config.core.v3.HealthCheck.Payload": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"text": {
"type": "string",
"description": "Hex encoded payload. E.g., \"000000FF\"."
},
"binary": {
"type": "string",
"description": "[#not-implemented-hide:] Binary payload."
}
},
"additionalProperties": true,
"type": "object",
"description": "Describes the encoding of the payload bytes in the payload.",
"id": "envoy.config.core.v3.HealthCheck.Payload"
},
"envoy.config.core.v3.Locality": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"region": {
"type": "string",
"description": "Region this :ref:`zone \u003cenvoy_api_field_config.core.v3.Locality.zone\u003e` belongs to."
},
"zone": {
"type": "string",
"description": "Defines the local service zone where Envoy is running. Though optional, it\n should be set if discovery service routing is used and the discovery\n service exposes :ref:`zone data \u003cenvoy_api_field_config.endpoint.v3.LocalityLbEndpoints.locality\u003e`,\n either in this message or via :option:`--service-zone`. The meaning of zone\n is context dependent, e.g. `Availability Zone (AZ)\n \u003chttps://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html\u003e`_\n on AWS, `Zone \u003chttps://cloud.google.com/compute/docs/regions-zones/\u003e`_ on\n GCP, etc."
},
"sub_zone": {
"type": "string",
"description": "When used for locality of upstream hosts, this field further splits zone\n into smaller chunks of sub-zones so they can be load balanced\n independently."
}
},
"additionalProperties": true,
"type": "object",
"description": "Identifies location of where either Envoy runs or where upstream hosts run.",
"id": "envoy.config.core.v3.Locality"
},
"envoy.config.core.v3.Metadata": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"filter_metadata": {
"additionalProperties": {
"properties": {
"fields": {
"additionalProperties": {
"oneOf": [
{
"type": "null"
},
{
"type": "object"
}
]
},
"type": "object",
"description": "Unordered map of dynamically typed values."
}
},
"additionalProperties": true,
"type": "object"
},
"type": "object",
"description": "Key is the reverse DNS filter name, e.g. com.acme.widget. The envoy.*\n namespace is reserved for Envoy's built-in filters."
}
},
"additionalProperties": true,
"type": "object",
"description": "Metadata provides additional inputs to filters based on matched listeners,\n filter chains, routes and endpoints. It is structured as a map, usually from\n filter name (in reverse DNS format) to metadata specific to the filter. Metadata\n key-values for a filter are merged as connection and request handling occurs,\n with later values for the same key overriding earlier values.\n\n An example use of metadata is providing additional values to\n http_connection_manager in the envoy.http_connection_manager.access_log\n namespace.\n\n Another example use of metadata is to per service config info in cluster metadata, which may get\n consumed by multiple filters.\n\n For load balancing, Metadata provides a means to subset cluster endpoints.\n Endpoints have a Metadata object associated and routes contain a Metadata\n object to match against. There are some well defined metadata used today for\n this purpose:\n\n * ``{\"envoy.lb\": {\"canary\": \u003cbool\u003e }}`` This indicates the canary status of an\n endpoint and is also used during header processing\n (x-envoy-upstream-canary) and for stats purposes.\n [#next-major-version: move to type/metadata/v2]",
"id": "envoy.config.core.v3.Metadata"
},
"envoy.config.core.v3.SocketAddress": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"protocol": {
"enum": [
"TCP",
0,
"UDP",
1
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
]
},
"address": {
"type": "string",
"description": "The address for this socket. :ref:`Listeners \u003cconfig_listeners\u003e` will bind\n to the address. An empty address is not allowed. Specify ``0.0.0.0`` or ``::``\n to bind to any address. [#comment:TODO(zuercher) reinstate when implemented:\n It is possible to distinguish a Listener address via the prefix/suffix matching\n in :ref:`FilterChainMatch \u003cenvoy_api_msg_config.listener.v3.FilterChainMatch\u003e`.] When used\n within an upstream :ref:`BindConfig \u003cenvoy_api_msg_config.core.v3.BindConfig\u003e`, the address\n controls the source address of outbound connections. For :ref:`clusters\n \u003cenvoy_api_msg_config.cluster.v3.Cluster\u003e`, the cluster type determines whether the\n address must be an IP (*STATIC* or *EDS* clusters) or a hostname resolved by DNS\n (*STRICT_DNS* or *LOGICAL_DNS* clusters). Address resolution can be customized\n via :ref:`resolver_name \u003cenvoy_api_field_config.core.v3.SocketAddress.resolver_name\u003e`."
},
"port_value": {
"type": "integer"
},
"named_port": {
"type": "string",
"description": "This is only valid if :ref:`resolver_name\n \u003cenvoy_api_field_config.core.v3.SocketAddress.resolver_name\u003e` is specified below and the\n named resolver is capable of named port resolution."
},
"resolver_name": {
"type": "string",
"description": "The name of the custom resolver. This must have been registered with Envoy. If\n this is empty, a context dependent default applies. If the address is a concrete\n IP address, no resolution will occur. If address is a hostname this\n should be set for resolution other than DNS. Specifying a custom resolver with\n *STRICT_DNS* or *LOGICAL_DNS* will generate an error at runtime."
},
"ipv4_compat": {
"type": "boolean",
"description": "When binding to an IPv6 address above, this enables `IPv4 compatibility\n \u003chttps://tools.ietf.org/html/rfc3493#page-11\u003e`_. Binding to ``::`` will\n allow both IPv4 and IPv6 connections, with peer IPv4 addresses mapped into\n IPv6 space as ``::FFFF:\u003cIPv4-address\u003e``."
}
},
"additionalProperties": true,
"type": "object",
"description": "[#next-free-field: 7]",
"id": "envoy.config.core.v3.SocketAddress"
},
"envoy.config.core.v3.SocketOption": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"description": {
"type": "string",
"description": "An optional name to give this socket option for debugging, etc.\n Uniqueness is not required and no special meaning is assumed."
},
"level": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Corresponding to the level value passed to setsockopt, such as IPPROTO_TCP"
},
"name": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "The numeric name as passed to setsockopt"
},
"int_value": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "Because many sockopts take an int value."
},
"buf_value": {
"type": "string",
"description": "Otherwise it's a byte buffer."
},
"state": {
"enum": [
"STATE_PREBIND",
0,
"STATE_BOUND",
1,
"STATE_LISTENING",
2
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "The state in which the option will be applied. When used in BindConfig\n STATE_PREBIND is currently the only valid value."
}
},
"additionalProperties": true,
"type": "object",
"description": "[#protodoc-title: Socket Option ]\n\nGeneric socket option message. This would be used to set socket options that\n might not exist in upstream kernels or precompiled Envoy binaries.\n [#next-free-field: 7]",
"id": "envoy.config.core.v3.SocketOption"
},
"envoy.config.core.v3.TransportSocket": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "The name of the transport socket to instantiate. The name must match a supported transport\n socket implementation."
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type."
}
},
"additionalProperties": true,
"type": "object"
}
},
"additionalProperties": true,
"type": "object",
"description": "Configuration for transport socket in :ref:`listeners \u003cconfig_listeners\u003e` and\n :ref:`clusters \u003cenvoy_api_msg_config.cluster.v3.Cluster\u003e`. If the configuration is\n empty, a default transport socket implementation and configuration will be\n chosen based on the platform and existence of tls_context.",
"id": "envoy.config.core.v3.TransportSocket"
},
"envoy.config.core.v3.TypedExtensionConfig": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"name": {
"type": "string",
"description": "The name of an extension. This is not used to select the extension, instead\n it serves the role of an opaque identifier."
},
"typed_config": {
"properties": {
"type_url": {
"type": "string",
"description": "A URL/resource name that uniquely identifies the type of the serialized\n protocol buffer message. The last segment of the URL's path must represent\n the fully qualified name of the type (as in\n `path/google.protobuf.Duration`). The name should be in a canonical form\n (e.g., leading \".\" is not accepted).\n\n In practice, teams usually precompile into the binary all types that they\n expect it to use in the context of Any. However, for URLs which use the\n scheme `http`, `https`, or no scheme, one can optionally set up a type\n server that maps type URLs to message definitions as follows:\n\n * If no scheme is provided, `https` is assumed.\n * An HTTP GET on the URL must yield a [google.protobuf.Type][]\n value in binary format, or produce an error.\n * Applications are allowed to cache lookup results based on the\n URL, or have them precompiled into a binary to avoid any\n lookup. Therefore, binary compatibility needs to be preserved\n on changes to types. (Use versioned type names to manage\n breaking changes.)\n\n Note: this functionality is not currently available in the official\n protobuf release, and it is not used for type URLs beginning with\n type.googleapis.com.\n\n Schemes other than `http`, `https` (or the empty scheme) might be\n used with implementation specific semantics."
},
"value": {
"type": "string",
"description": "Must be a valid serialized protocol buffer of the above specified type."
}
},
"additionalProperties": true,
"type": "object",
"description": "The typed config for the extension. The type URL will be used to identify\n the extension. In the case that the type URL is *udpa.type.v1.TypedStruct*,\n the inner type URL of *TypedStruct* will be utilized. See the\n :ref:`extension configuration overview\n \u003cconfig_overview_extension_configuration\u003e` for further details."
}
},
"additionalProperties": true,
"type": "object",
"description": "[#protodoc-title: Extension configuration]\n\nMessage type for extension configuration.\n [#next-major-version: revisit all existing typed_config that doesn't use this wrapper.].",
"id": "envoy.config.core.v3.TypedExtensionConfig"
},
"envoy.config.endpoint.v3.Endpoint": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"address": {
"$ref": "envoy.config.core.v3.Address",
"additionalProperties": true,
"type": "object",
"description": "The upstream host address.\n\n .. attention::\n\n The form of host address depends on the given cluster type. For STATIC or EDS,\n it is expected to be a direct IP address (or something resolvable by the\n specified :ref:`resolver \u003cenvoy_api_field_config.core.v3.SocketAddress.resolver_name\u003e`\n in the Address). For LOGICAL or STRICT DNS, it is expected to be hostname,\n and will be resolved via DNS."
},
"health_check_config": {
"properties": {
"port_value": {
"type": "integer",
"description": "Optional alternative health check port value.\n\n By default the health check address port of an upstream host is the same\n as the host's serving address port. This provides an alternative health\n check port. Setting this with a non-zero value allows an upstream host\n to have different health check address port."
},
"hostname": {
"type": "string",
"description": "By default, the host header for L7 health checks is controlled by cluster level configuration\n (see: :ref:`host \u003cenvoy_api_field_config.core.v3.HealthCheck.HttpHealthCheck.host\u003e` and\n :ref:`authority \u003cenvoy_api_field_config.core.v3.HealthCheck.GrpcHealthCheck.authority\u003e`). Setting this\n to a non-empty value allows overriding the cluster level configuration for a specific\n endpoint."
}
},
"additionalProperties": true,
"type": "object",
"description": "The optional health check configuration is used as configuration for the\n health checker to contact the health checked host.\n\n .. attention::\n\n This takes into effect only for upstream clusters with\n :ref:`active health checking \u003carch_overview_health_checking\u003e` enabled."
},
"hostname": {
"type": "string",
"description": "The hostname associated with this endpoint. This hostname is not used for routing or address\n resolution. If provided, it will be associated with the endpoint, and can be used for features\n that require a hostname, like\n :ref:`auto_host_rewrite \u003cenvoy_api_field_config.route.v3.RouteAction.auto_host_rewrite\u003e`."
}
},
"additionalProperties": true,
"type": "object",
"description": "[#protodoc-title: Endpoints]\n\nUpstream host identifier.",
"id": "envoy.config.endpoint.v3.Endpoint"
},
"envoy.config.listener.v3.ListenerFilterChainMatchPredicate": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"or_match": {
"$ref": "envoy.config.listener.v3.ListenerFilterChainMatchPredicate.MatchSet",
"additionalProperties": true,
"type": "object",
"description": "A set that describes a logical OR. If any member of the set matches, the match configuration\n matches."
},
"and_match": {
"$ref": "envoy.config.listener.v3.ListenerFilterChainMatchPredicate.MatchSet",
"additionalProperties": true,
"type": "object",
"description": "A set that describes a logical AND. If all members of the set match, the match configuration\n matches."
},
"not_match": {
"$ref": "envoy.config.listener.v3.ListenerFilterChainMatchPredicate",
"additionalProperties": true,
"type": "object",
"description": "A negation match. The match configuration will match if the negated match condition matches."
},
"any_match": {
"type": "boolean",
"description": "The match configuration will always match."
},
"destination_port_range": {
"properties": {
"start": {
"type": "integer",
"description": "start of the range (inclusive)"
},
"end": {
"type": "integer",
"description": "end of the range (exclusive)"
}
},
"additionalProperties": true,
"type": "object",
"description": "Match destination port. Particularly, the match evaluation must use the recovered local port if\n the owning listener filter is after :ref:`an original_dst listener filter \u003cconfig_listener_filters_original_dst\u003e`."
}
},
"additionalProperties": true,
"type": "object",
"description": "Listener filter chain match configuration. This is a recursive structure which allows complex\n nested match configurations to be built using various logical operators.\n\n Examples:\n\n * Matches if the destination port is 3306.\n\n .. code-block:: yaml\n\n destination_port_range:\n start: 3306\n end: 3307\n\n * Matches if the destination port is 3306 or 15000.\n\n .. code-block:: yaml\n\n or_match:\n rules:\n - destination_port_range:\n start: 3306\n end: 3306\n - destination_port_range:\n start: 15000\n end: 15001\n\n [#next-free-field: 6]",
"id": "envoy.config.listener.v3.ListenerFilterChainMatchPredicate"
},
"envoy.config.listener.v3.ListenerFilterChainMatchPredicate.MatchSet": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"rules": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "envoy.config.listener.v3.ListenerFilterChainMatchPredicate"
},
"type": "array",
"description": "The list of rules that make up the set."
}
},
"additionalProperties": true,
"type": "object",
"description": "A set of match configurations used for logical operations.",
"id": "envoy.config.listener.v3.ListenerFilterChainMatchPredicate.MatchSet"
},
"envoy.type.matcher.v3.ListStringMatcher": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"patterns": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"$ref": "envoy.type.matcher.v3.StringMatcher"
},
"type": "array"
}
},
"additionalProperties": true,
"type": "object",
"description": "Specifies a list of ways to match a string.",
"id": "envoy.type.matcher.v3.ListStringMatcher"
},
"envoy.type.matcher.v3.RegexMatcher": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"google_re2": {
"properties": {
"max_program_size": {
"oneOf": [
{
"type": "null"
},
{
"type": "integer"
}
]
}
},
"additionalProperties": true,
"type": "object",
"description": "Google's RE2 regex engine."
},
"regex": {
"type": "string",
"description": "The regex match string. The string must be supported by the configured engine."
}
},
"additionalProperties": true,
"type": "object",
"description": "[#protodoc-title: Regex matcher]\n\nA regex matcher designed for safety when used with untrusted input.",
"id": "envoy.type.matcher.v3.RegexMatcher"
},
"envoy.type.matcher.v3.StringMatcher": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"exact": {
"type": "string",
"description": "The input string must match exactly the string specified here.\n\n Examples:\n\n * *abc* only matches the value *abc*."
},
"prefix": {
"type": "string",
"description": "The input string must have the prefix specified here.\n Note: empty prefix is not allowed, please use regex instead.\n\n Examples:\n\n * *abc* matches the value *abc.xyz*"
},
"suffix": {
"type": "string",
"description": "The input string must have the suffix specified here.\n Note: empty prefix is not allowed, please use regex instead.\n\n Examples:\n\n * *abc* matches the value *xyz.abc*"
},
"safe_regex": {
"$ref": "envoy.type.matcher.v3.RegexMatcher",
"additionalProperties": true,
"type": "object",
"description": "The input string must match the regular expression specified here."
},
"contains": {
"type": "string",
"description": "The input string must have the substring specified here.\n Note: empty contains match is not allowed, please use regex instead.\n\n Examples:\n\n * *abc* matches the value *xyz.abc.def*"
},
"ignore_case": {
"type": "boolean",
"description": "If true, indicates the exact/prefix/suffix matching should be case insensitive. This has no\n effect for the safe_regex match.\n For example, the matcher *data* will match both input string *Data* and *data* if set to true."
}
},
"additionalProperties": true,
"type": "object",
"description": "[#protodoc-title: String matcher]\n\nSpecifies the way to match a string.\n [#next-free-field: 8]",
"id": "envoy.type.matcher.v3.StringMatcher"
},
"envoy.type.matcher.v3.ValueMatcher": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"null_match": {
"additionalProperties": true,
"type": "object",
"description": "If specified, a match occurs if and only if the target value is a NullValue."
},
"double_match": {
"properties": {
"range": {
"properties": {
"start": {
"type": "number",
"description": "start of the range (inclusive)"
},
"end": {
"type": "number",
"description": "end of the range (exclusive)"
}
},
"additionalProperties": true,
"type": "object",
"description": "If specified, the input double value must be in the range specified here.\n Note: The range is using half-open interval semantics [start, end)."
},
"exact": {
"type": "number",
"description": "If specified, the input double value must be equal to the value specified here."
}
},
"additionalProperties": true,
"type": "object",
"description": "If specified, a match occurs if and only if the target value is a double value and is\n matched to this field."
},
"string_match": {
"$ref": "envoy.type.matcher.v3.StringMatcher",
"additionalProperties": true,
"type": "object",
"description": "If specified, a match occurs if and only if the target value is a string value and is\n matched to this field."
},
"bool_match": {
"type": "boolean",
"description": "If specified, a match occurs if and only if the target value is a bool value and is equal\n to this field."
},
"present_match": {
"type": "boolean",
"description": "If specified, value match will be performed based on whether the path is referring to a\n valid primitive value in the metadata. If the path is referring to a non-primitive value,\n the result is always not matched."
},
"list_match": {
"properties": {
"one_of": {
"$ref": "envoy.type.matcher.v3.ValueMatcher",
"additionalProperties": true,
"type": "object",
"description": "If specified, at least one of the values in the list must match the value specified."
}
},
"additionalProperties": true,
"type": "object",
"description": "If specified, a match occurs if and only if the target value is a list value and\n is matched to this field."
}
},
"additionalProperties": true,
"type": "object",
"description": "[#protodoc-title: Value matcher]\n\nSpecifies the way to match a ProtobufWkt::Value. Primitive values and ListValue are supported.\n StructValue is not supported and is always not matched.\n [#next-free-field: 7]",
"id": "envoy.type.matcher.v3.ValueMatcher"
},
"envoy.type.v3.FractionalPercent": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"numerator": {
"type": "integer",
"description": "Specifies the numerator. Defaults to 0."
},
"denominator": {
"enum": [
"HUNDRED",
0,
"TEN_THOUSAND",
1,
"MILLION",
2
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "Specifies the denominator. If the denominator specified is less than the numerator, the final\n fractional percentage is capped at 1 (100%)."
}
},
"additionalProperties": true,
"type": "object",
"description": "A fractional percentage is used in cases in which for performance reasons performing floating\n point to integer conversions during randomness calculations is undesirable. The message includes\n both a numerator and denominator that together determine the final fractional value.\n\n * **Example**: 1/100 = 1%.\n * **Example**: 3/10000 = 0.03%.",
"id": "envoy.type.v3.FractionalPercent"
},
"envoy.type.v3.Int64Range": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"start": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "start of the range (inclusive)"
},
"end": {
"oneOf": [
{
"type": "integer"
},
{
"type": "string"
}
],
"description": "end of the range (exclusive)"
}
},
"additionalProperties": true,
"type": "object",
"description": "[#protodoc-title: Range]\n\nSpecifies the int64 start and end of the range using half-open interval semantics [start,\n end).",
"id": "envoy.type.v3.Int64Range"
},
"envoy.type.v3.Percent": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"value": {
"type": "number"
}
},
"additionalProperties": true,
"type": "object",
"description": "[#protodoc-title: Percent]\n\nIdentifies a percentage, in the range [0.0, 100.0].",
"id": "envoy.type.v3.Percent"
},
"udpa.core.v1.ResourceLocator": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"scheme": {
"enum": [
"UDPA",
0,
"HTTP",
1,
"FILE",
2
],
"oneOf": [
{
"type": "string"
},
{
"type": "integer"
}
],
"description": "URI scheme."
},
"id": {
"items": {
"type": "string"
},
"type": "array",
"description": "Opaque identifiers for the resource. These are effectively concatenated\n with ‘/’ to form the non-query param path as resource ID. This may end\n with ‘*’ for glob collection references."
},
"authority": {
"type": "string",
"description": "Logical authority for resource (not necessarily transport network address).\n Authorities are opaque in the UDPA API, data-plane load balancers will map\n them to concrete network transports such as an xDS management server, e.g.\n via envoy.config.core.v3.ConfigSource."
},
"resource_type": {
"type": "string",
"description": "Fully qualified resource type (as in type URL without types.googleapis.com/\n prefix)."
},
"exact_context": {
"properties": {
"params": {
"additionalProperties": {
"type": "string"
},
"type": "object"
}
},
"additionalProperties": true,
"type": "object",
"description": "Additional parameters that can be used to select resource variants.\n Matches must be exact, i.e. all context parameters must match exactly and\n there must be no additional context parameters set on the matched\n resource."
},
"directives": {
"items": {
"$schema": "http://json-schema.org/draft-04/schema#",
"properties": {
"alt": {
"$ref": "udpa.core.v1.ResourceLocator",
"additionalProperties": true,
"type": "object",
"description": "An alternative resource locator for fallback if the resource is\n unavailable. For example, take the resource locator:\n\n udpa://foo/some-type/some-route-table#alt=udpa://bar/some-type/another-route-table\n\n If the data-plane load balancer is unable to reach `foo` to fetch the\n resource, it will fallback to `bar`. Alternative resources do not need\n to have equivalent content, but they should be functional substitutes."
},
"entry": {
"type": "string",
"description": "List collections support inlining of resources via the entry field in\n Resource. These inlined Resource objects may have an optional name\n field specified. When specified, the entry directive allows\n UdpaResourceLocator to directly reference these inlined resources, e.g.\n udpa://.../foo#entry=bar."
}
},
"additionalProperties": true,
"type": "object",
"description": "Directives provide information to data-plane load balancers on how UDPA\n resource names are to be interpreted and potentially further resolved. For\n example, they may provide alternative resource locators for when primary\n resolution fails. Directives are not part of resource names and do not\n appear in a xDS transport discovery request.\n\n When encoding to URIs, directives take the form:\n\n \u003cdirective name\u003e=\u003cstring representation of directive value\u003e\n\n For example, we can have alt=udpa://foo/bar or entry=some%20thing. Each\n directive value type may have its own string encoding, in the case of\n ResourceLocator there is a recursive URI encoding.\n\n Percent encoding applies to the URI encoding of the directive value.\n Multiple directives are comma-separated, so the reserved characters that\n require percent encoding in a directive value are [',', '#', '[', ']',\n '%']. These are the RFC3986 fragment reserved characters with the addition\n of the UDPA scheme specific ','. See\n https://tools.ietf.org/html/rfc3986#page-49 for further details on URI ABNF\n and reserved characters."
},
"type": "array",
"description": "A list of directives that appear in the UDPA resource locator #fragment.\n\n When encoding to URI form, directives are percent encoded with comma\n separation."
}
},
"additionalProperties": true,
"type": "object",
"description": "UDPA resource locators identify a UDPA resource name and instruct the\n data-plane load balancer on how the resource may be located.\n\n Resource locators have a canonical udpa:// URI representation:\n\n udpa://{authority}/{type_url}/{id/*}?{context_params}{#directive,*}\n\n where context_params take the form of URI query parameters.\n\n Resource locators have a similar canonical http:// URI representation:\n\n http://{authority}/{type_url}/{id/*}?{context_params}{#directive,*}\n\n Resource locators also have a simplified file:// URI representation:\n\n file:///{id/*}{#directive,*}",
"id": "udpa.core.v1.ResourceLocator"
}
}
}