xds: update envoy proto version to f709434b37e9ff74666d5b854aa11fb2f1…

…ec37f3 (#6291)

xds/third_party/envoy/NOTICE

@@ -1,4 +1,4 @@
 Envoy
-Copyright 2016-2018 Envoy Project Authors
+Copyright 2016-2019 Envoy Project Authors
 
 Licensed under Apache License 2.0.  See LICENSE for terms.

xds/third_party/envoy/import.sh

@@ -18,7 +18,7 @@
 set -e
 BRANCH=master
 # import VERSION from one of the google internal CLs
-VERSION=6ff0bce8ff417a252cde4d04dfb9cba2bab463d8
+VERSION=f709434b37e9ff74666d5b854aa11fb2f1ec37f3
 GIT_REPO="https://github.com/envoyproxy/envoy.git"
 GIT_BASE_DIR=envoy
 SOURCE_PROTO_BASE_DIR=envoy/api

xds/third_party/envoy/src/main/proto/envoy/api/v2/auth/cert.proto

@@ -5,7 +5,6 @@ package envoy.api.v2.auth;
 option java_outer_classname = "CertProto";
 option java_multiple_files = true;
 option java_package = "io.envoyproxy.envoy.api.v2.auth";
-option go_package = "auth";
 
 import "envoy/api/v2/core/base.proto";
 import "envoy/api/v2/core/config_source.proto";
@@ -15,9 +14,6 @@ import "google/protobuf/struct.proto";
 import "google/protobuf/wrappers.proto";
 
 import "validate/validate.proto";
-import "gogoproto/gogo.proto";
-
-option (gogoproto.equal_all) = true;
 
 // [#protodoc-title: Common TLS configuration]
 
@@ -40,11 +36,11 @@ message TlsParameters {
   }
 
   // Minimum TLS protocol version. By default, it's ``TLSv1_0``.
-  TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum.defined_only = true];
+  TlsProtocol tls_minimum_protocol_version = 1 [(validate.rules).enum = {defined_only: true}];
 
   // Maximum TLS protocol version. By default, it's ``TLSv1_3`` for servers in non-FIPS builds, and
   // ``TLSv1_2`` for clients and for servers using :ref:`BoringSSL FIPS <arch_overview_ssl_fips>`.
-  TlsProtocol tls_maximum_protocol_version = 2 [(validate.rules).enum.defined_only = true];
+  TlsProtocol tls_maximum_protocol_version = 2 [(validate.rules).enum = {defined_only: true}];
 
   // If specified, the TLS listener will only support the specified `cipher list
   // <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_
@@ -110,7 +106,7 @@ message TlsParameters {
 message PrivateKeyProvider {
   // Private key method provider name. The name must match a
   // supported private key method provider type.
-  string provider_name = 1 [(validate.rules).string.min_bytes = 1];
+  string provider_name = 1 [(validate.rules).string = {min_bytes: 1}];
 
   // Private key method provider specific configuration.
   oneof config_type {
@@ -171,7 +167,7 @@ message TlsSessionTicketKeys {
   //   * Keep the session ticket keys at least as secure as your TLS certificate private keys
   //   * Rotate session ticket keys at least daily, and preferably hourly
   //   * Always generate keys using a cryptographically-secure random data source
-  repeated core.DataSource keys = 1 [(validate.rules).repeated .min_items = 1];
+  repeated core.DataSource keys = 1 [(validate.rules).repeated = {min_items: 1}];
 }
 
 message CertificateValidationContext {
@@ -205,9 +201,9 @@ message CertificateValidationContext {
   //
   // .. code-block:: bash
   //
-  //   $ openssl x509 -in path/to/client.crt -noout -pubkey \
-  //     | openssl pkey -pubin -outform DER \
-  //     | openssl dgst -sha256 -binary \
+  //   $ openssl x509 -in path/to/client.crt -noout -pubkey
+  //     | openssl pkey -pubin -outform DER
+  //     | openssl dgst -sha256 -binary
   //     | openssl enc -base64
   //   NvqYIYSbgK2vCJpQhObf77vv+bQWtc5ek5RIOwPiC9A=
   //
@@ -227,7 +223,7 @@ message CertificateValidationContext {
   //   because SPKI is tied to a private key, so it doesn't change when the certificate
   //   is renewed using the same private key.
   repeated string verify_certificate_spki = 3
-      [(validate.rules).repeated .items.string = {min_bytes: 44, max_bytes: 44}];
+      [(validate.rules).repeated = {items {string {min_bytes: 44 max_bytes: 44}}}];
 
   // An optional list of hex-encoded SHA-256 hashes. If specified, Envoy will verify that
   // the SHA-256 of the DER-encoded presented certificate matches one of the specified values.
@@ -256,7 +252,7 @@ message CertificateValidationContext {
   // <envoy_api_field_auth.CertificateValidationContext.verify_certificate_spki>` are specified,
   // a hash matching value from either of the lists will result in the certificate being accepted.
   repeated string verify_certificate_hash = 2
-      [(validate.rules).repeated .items.string = {min_bytes: 64, max_bytes: 95}];
+      [(validate.rules).repeated = {items {string {min_bytes: 64 max_bytes: 95}}}];
 
   // An optional list of Subject Alternative Names. If specified, Envoy will verify that the
   // Subject Alternative Name of the presented certificate matches one of the specified values.
@@ -287,6 +283,18 @@ message CertificateValidationContext {
 
 // TLS context shared by both client and server TLS contexts.
 message CommonTlsContext {
+  message CombinedCertificateValidationContext {
+    // How to validate peer certificates.
+    CertificateValidationContext default_validation_context = 1
+        [(validate.rules).message = {required: true}];
+
+    // Config for fetching validation context via SDS API.
+    SdsSecretConfig validation_context_sds_secret_config = 2
+        [(validate.rules).message = {required: true}];
+  }
+
+  reserved 5;
+
   // TLS protocol versions, cipher suites etc.
   TlsParameters tls_params = 1;
 
@@ -300,17 +308,7 @@ message CommonTlsContext {
 
   // Configs for fetching TLS certificates via SDS API.
   repeated SdsSecretConfig tls_certificate_sds_secret_configs = 6
-      [(validate.rules).repeated .max_items = 1];
-
-  message CombinedCertificateValidationContext {
-    // How to validate peer certificates.
-    CertificateValidationContext default_validation_context = 1
-        [(validate.rules).message.required = true];
-
-    // Config for fetching validation context via SDS API.
-    SdsSecretConfig validation_context_sds_secret_config = 2
-        [(validate.rules).message.required = true];
-  };
+      [(validate.rules).repeated = {max_items: 1}];
 
   oneof validation_context_type {
     // How to validate peer certificates.
@@ -340,16 +338,14 @@ message CommonTlsContext {
   //
   // There is no default for this parameter. If empty, Envoy will not expose ALPN.
   repeated string alpn_protocols = 4;
-
-  reserved 5;
 }
 
 message UpstreamTlsContext {
   // Common TLS context settings.
   CommonTlsContext common_tls_context = 1;
 
   // SNI string to use when creating TLS backend connections.
-  string sni = 2 [(validate.rules).string.max_bytes = 255];
+  string sni = 2 [(validate.rules).string = {max_bytes: 255}];
 
   // If true, server-initiated TLS renegotiation will be allowed.
   //
@@ -386,22 +382,25 @@ message DownstreamTlsContext {
   }
 }
 
-// [#proto-status: experimental]
 message SdsSecretConfig {
   // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
   // When both name and config are specified, then secret can be fetched and/or reloaded via SDS.
-  // When only name is specified, then secret will be loaded from static resources [V2-API-DIFF].
+  // When only name is specified, then secret will be loaded from static
+  // resources.
   string name = 1;
+
   core.ConfigSource sds_config = 2;
 }
 
-// [#proto-status: experimental]
 message Secret {
   // Name (FQDN, UUID, SPKI, SHA256, etc.) by which the secret can be uniquely referred to.
   string name = 1;
+
   oneof type {
     TlsCertificate tls_certificate = 2;
+
     TlsSessionTicketKeys session_ticket_keys = 3;
+
     CertificateValidationContext validation_context = 4;
   }
 }

xds/third_party/envoy/src/main/proto/envoy/api/v2/core/address.proto

@@ -11,9 +11,6 @@ import "envoy/api/v2/core/base.proto";
 import "google/protobuf/wrappers.proto";
 
 import "validate/validate.proto";
-import "gogoproto/gogo.proto";
-
-option (gogoproto.equal_all) = true;
 
 // [#protodoc-title: Network addresses]
 
@@ -22,17 +19,19 @@ message Pipe {
   // abstract namespace. The starting '@' is replaced by a null byte by Envoy.
   // Paths starting with '@' will result in an error in environments other than
   // Linux.
-  string path = 1 [(validate.rules).string.min_bytes = 1];
+  string path = 1 [(validate.rules).string = {min_bytes: 1}];
 }
 
 message SocketAddress {
   enum Protocol {
-    option (gogoproto.goproto_enum_prefix) = false;
     TCP = 0;
+
     // [#not-implemented-hide:]
     UDP = 1;
   }
-  Protocol protocol = 1 [(validate.rules).enum.defined_only = true];
+
+  Protocol protocol = 1 [(validate.rules).enum = {defined_only: true}];
+
   // The address for this socket. :ref:`Listeners <config_listeners>` will bind
   // to the address. An empty address is not allowed. Specify ``0.0.0.0`` or ``::``
   // to bind to any address. [#comment:TODO(zuercher) reinstate when implemented:
@@ -44,15 +43,19 @@ message SocketAddress {
   // address must be an IP (*STATIC* or *EDS* clusters) or a hostname resolved by DNS
   // (*STRICT_DNS* or *LOGICAL_DNS* clusters). Address resolution can be customized
   // via :ref:`resolver_name <envoy_api_field_core.SocketAddress.resolver_name>`.
-  string address = 2 [(validate.rules).string.min_bytes = 1];
+  string address = 2 [(validate.rules).string = {min_bytes: 1}];
+
   oneof port_specifier {
     option (validate.required) = true;
-    uint32 port_value = 3 [(validate.rules).uint32.lte = 65535];
+
+    uint32 port_value = 3 [(validate.rules).uint32 = {lte: 65535}];
+
     // This is only valid if :ref:`resolver_name
     // <envoy_api_field_core.SocketAddress.resolver_name>` is specified below and the
     // named resolver is capable of named port resolution.
     string named_port = 4;
   }
+
   // The name of the custom resolver. This must have been registered with Envoy. If
   // this is empty, a context dependent default applies. If the address is a concrete
   // IP address, no resolution will occur. If address is a hostname this
@@ -72,18 +75,20 @@ message TcpKeepalive {
   // the connection is dead. Default is to use the OS level configuration (unless
   // overridden, Linux defaults to 9.)
   google.protobuf.UInt32Value keepalive_probes = 1;
+
   // The number of seconds a connection needs to be idle before keep-alive probes
   // start being sent. Default is to use the OS level configuration (unless
   // overridden, Linux defaults to 7200s (ie 2 hours.)
   google.protobuf.UInt32Value keepalive_time = 2;
+
   // The number of seconds between keep-alive probes. Default is to use the OS
   // level configuration (unless overridden, Linux defaults to 75s.)
   google.protobuf.UInt32Value keepalive_interval = 3;
 }
 
 message BindConfig {
   // The address to bind to when creating a socket.
-  SocketAddress source_address = 1 [(validate.rules).message.required = true];
+  SocketAddress source_address = 1 [(validate.rules).message = {required: true}];
 
   // Whether to set the *IP_FREEBIND* option when creating the socket. When this
   // flag is set to true, allows the :ref:`source_address
@@ -107,6 +112,7 @@ message Address {
     option (validate.required) = true;
 
     SocketAddress socket_address = 1;
+
     Pipe pipe = 2;
   }
 }
@@ -115,7 +121,8 @@ message Address {
 // the subnet mask for a `CIDR <https://tools.ietf.org/html/rfc4632>`_ range.
 message CidrRange {
   // IPv4 or IPv6 address, e.g. ``192.0.0.0`` or ``2001:db8::``.
-  string address_prefix = 1 [(validate.rules).string.min_bytes = 1];
+  string address_prefix = 1 [(validate.rules).string = {min_bytes: 1}];
+
   // Length of prefix, e.g. 0, 32.
-  google.protobuf.UInt32Value prefix_len = 2 [(validate.rules).uint32.lte = 128];
+  google.protobuf.UInt32Value prefix_len = 2 [(validate.rules).uint32 = {lte: 128}];
 }