
CAS diff command #849

Merged
merged 15 commits into from
Feb 7, 2025

Conversation

unmultimedio (Member) commented Jan 30, 2025

Utility to help diff changes between 2 manifests in CAS directories.
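As an added illustration (not the project's own Go code from this PR), the Python below re-implements the core of such a utility: it parses two manifests in the `shake256:<digest>  <path>` layout, verifies every referenced blob against its digest before trusting anything, and emits a Removed / Added / Changed content report with a unified diff per changed file. The in-memory CAS and the sample `.proto` blobs are constructed for the example.

```python
import difflib
import hashlib

DIGEST_HEX_LEN = 128  # SHAKE256 with a 64-byte output, the digest length used in buf CAS manifests


def shake256_hex(data: bytes) -> str:
    """Digest a blob the way a manifest line references it."""
    return hashlib.shake_256(data).hexdigest(DIGEST_HEX_LEN // 2)


def parse_manifest(text: str) -> dict:
    """Parse 'shake256:<hex>  <path>' lines into {path: hex_digest}.

    Unknown algorithms, malformed digests and duplicate paths are rejected, so a
    manifest cannot silently carry two entries for the same file.
    """
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            digest, path = line.split("  ", 1)  # two spaces separate digest and path
            algo, hex_digest = digest.split(":", 1)
        except ValueError:
            raise ValueError(f"line {lineno}: malformed manifest entry") from None
        if algo != "shake256" or len(hex_digest) != DIGEST_HEX_LEN:
            raise ValueError(f"line {lineno}: unsupported or malformed digest")
        bytes.fromhex(hex_digest)  # raises ValueError on non-hex characters
        if path in entries:
            raise ValueError(f"line {lineno}: duplicate path {path!r}")
        entries[path] = hex_digest
    return entries


def diff_manifests(old: dict, new: dict):
    """Return (removed, added, changed) path lists, each sorted."""
    removed = sorted(p for p in old if p not in new)
    added = sorted(p for p in new if p not in old)
    changed = sorted(p for p in old if p in new and old[p] != new[p])
    return removed, added, changed


def verify_blobs(manifest: dict, cas: dict) -> list:
    """Paths whose blob is missing from the CAS (digest -> bytes) or does not hash to its digest."""
    return sorted(path for path, digest in manifest.items()
                  if digest not in cas or shake256_hex(cas[digest]) != digest)


def render_diff(old: dict, new: dict, cas: dict) -> str:
    """Render a Removed / Added / Changed content report with a unified diff per changed file."""
    removed, added, changed = diff_manifests(old, new)
    out = ["Removed:", ""] + [f"- shake256:{old[p]}  {p}" for p in removed]
    out += ["", "Added:", ""] + [f"+ shake256:{new[p]}  {p}" for p in added]
    out += ["", "Changed content:", ""]
    for p in changed:
        before = cas[old[p]].decode().splitlines()
        after = cas[new[p]].decode().splitlines()
        out += [f"{p}:", ""]
        out += difflib.unified_diff(before, after, fromfile=f"shake256:{old[p]}",
                                    tofile=f"shake256:{new[p]}", lineterm="")
        out.append("")
    return "\n".join(out)


# Constructed sample data, not taken from the page: one file removed, one added, one edited.
OLD_FILES = {
    "envoy/config/trace/v3/opencensus.proto": b'syntax = "proto3";\nmessage OpenCensusConfig {}\n',
    "envoy/admin/v3/server_info.proto": b'syntax = "proto3";\n// [#next-free-field: 41]\nmessage CommandLineOptions {}\n',
}
NEW_FILES = {
    "envoy/admin/v3/server_info.proto": b'syntax = "proto3";\n// [#next-free-field: 42]\nmessage CommandLineOptions {}\n',
    "envoy/type/matcher/v3/address.proto": b'syntax = "proto3";\nmessage AddressMatcher {}\n',
}


def build_cas(*file_sets) -> dict:
    """Content-address every blob, as the cas/ directory does on disk."""
    return {shake256_hex(blob): blob for files in file_sets for blob in files.values()}


def manifest_text(files: dict) -> str:
    """Serialize files to manifest lines in the layout the tool reads."""
    return "".join(f"shake256:{shake256_hex(b)}  {p}\n" for p, b in sorted(files.items()))


SAMPLE_CAS = build_cas(OLD_FILES, NEW_FILES)
OLD_MANIFEST = manifest_text(OLD_FILES)
NEW_MANIFEST = manifest_text(NEW_FILES)


def run_sample() -> str:
    """Verify both manifests against the CAS, then diff them; refuse on any digest mismatch."""
    old, new = parse_manifest(OLD_MANIFEST), parse_manifest(NEW_MANIFEST)
    bad = verify_blobs(old, SAMPLE_CAS) + verify_blobs(new, SAMPLE_CAS)
    if bad:
        raise RuntimeError(f"refusing to diff: blobs failed digest check: {bad}")
    return render_diff(old, new, SAMPLE_CAS)


if __name__ == "__main__":
    print(run_sample())
```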

github-actions bot commented Jan 30, 2025

The latest Buf updates on your PR. Results from workflow Buf CI / buf (pull_request).

Build: ✅ passed | Format: ✅ passed | Lint: ✅ passed | Breaking: ✅ passed | Updated (UTC): Feb 7, 2025, 2:37 PM

unmultimedio (Member, Author) commented Jan 30, 2025

Example, running it for this PR: #832 (comment)

# from the modules dir using synced references
cd ./modules/sync/envoyproxy/envoy
➜  go run ../../../../cmd/diff v1.32.3 v1.33.0 > diff.md

# or from the cas dir using the manifests digests
cd ./modules/sync/envoyproxy/envoy/cas
➜  go run ../../../../cmd/diff a85ebaf16e7fbb65c6c15e0b6f2ca8790e82d27d8952114ebb8c531ca3d8ca48ccef60fc6c13dd6788a3eaa47e03fd1d1aa23e0f7211380db969f1b5b48975cb 0f6f4339ea181ae26dd8156629ac3d40d49740ff4ba2cea29a7c393755902df2a8a5ab4140e97f28c86ca25c08b73d4610bd00d049e6fa2ed176191570b209f1 > diff.md
diff.md

Removed:

- shake256:0ceaf70cf3fe02577abd4afb4da61ad063f036d32f49d4c399d5c41b1add94c29b2ed39081d35bcb69e2d9e165606064cdd4bd48fe10447b5531b2e02179f1b7  envoy/config/trace/v2/opencensus.proto
- shake256:9686c006be651abd4657dc919d2cb50af9924cd7d19d21d4e817abd33db4035ecde0bfcb646dee74746eb22c9dc58e144addb3bdd7ef2d7ee305f1306190cfb2  envoy/config/trace/v3/opencensus.proto
- shake256:d064376af017a1aba89bb087dfd46cb19876e674a6f2fb0ede123262f15456303ea7ba9076710943463e9b21945c5949487f8ec8a77821bebbf40622298c99ae  envoy/service/trace/v2/trace_service.proto
- shake256:62caad4899e648ca1f43060b06e431ccdf0503b357d22be46547bb1483d61b216f5d668072e7ec7c322f279185c411a2485174546eeac731feaedb0ed88093fc  envoy/service/trace/v3/trace_service.proto

Added:

+ shake256:e3fbc3da2acacca933166dc9dabde689f5f20e29f2b7ab43f839c0b29c8bb5bea668ff8536544d06a5a0020b7c537e3789fe9a671b2e217880442891c899d9a3  envoy/extensions/clusters/common/dns/v3/dns.proto
+ shake256:b8474a002d72c2f26c487b3f7ff34c9d28dede1ae5deebca5bca92acdc82e3eb084a31405538e2210f87d882cc4cedc05abe0a337497ff6dc211e65c16dcf02a  envoy/extensions/clusters/dns/v3/dns_cluster.proto
+ shake256:3c8077c937c86ff48ab61d081a0dd12a4f34778e79d77bc2bdeeecafcfc6e4bbd032fc63aecfb89e7a7828872ded2dc4efa515b62995683d4dc6d19c2da07e69  envoy/extensions/common/aws/v3/credential_provider.proto
+ shake256:c6d8f7809023346a853aedc7b74dd1f18dbb8be1dfe43cefecbc74b24ef29ee107f4f115a0481b954e41517f9d5c1d12d1a0eb3563bcdd5202b17d56555d8359  envoy/extensions/dynamic_modules/v3/dynamic_modules.proto
+ shake256:3a1640f66dbc67a20600d062e3b0bdeb164df21765beb797dde519f0fa918cbfdb91a93956172fdd866a964a4cc02b5bbaf899fec9d102e681b241c95fe14c41  envoy/extensions/filters/http/api_key_auth/v3/api_key_auth.proto
+ shake256:f0425c1657f5d21bc766ab56612144f466c193c9557a7ef43170b054b8f5f5f04b14d5fae4ec23a2503b68c22c2d7f30d4ab965aecb8472508901d4f277f717b  envoy/extensions/filters/http/dynamic_modules/v3/dynamic_modules.proto
+ shake256:8695627774888384867f60a36b2bdd64d260d7dbeb4bde5a9fcaf617c436af794050181efee94998f5966bdceeaee8733c6db03b11af64e4487d1a0f4dd1e476  envoy/extensions/filters/http/grpc_json_reverse_transcoder/v3/transcoder.proto
+ shake256:f7680ea8269c00d0a1c18ee2f3af1e75f8dd2c000c5e8b943910b9d94929ab55ee5d987f52e72a9de04314d7b1067f32b720b754a90f86de61696b264851498e  envoy/extensions/quic/connection_debug_visitor/quic_stats/v3/quic_stats.proto
+ shake256:b8aeb0435ab80c4f331ede8ee6367cf5eb25df2219c291e177b1be3dae38269671d7d2c2855e045c88058f0e973fdd447875a154228148abb5f00e94f4c47281  envoy/type/matcher/v3/address.proto

Changed content:

contrib/envoy/extensions/filters/network/kafka_broker/v3/kafka_broker.proto:

--- shake256:e05cc4323c3fe82daed4472a3ee2d0ff67f10903a5619ff9d69774aed3045bb73012ec806dccb348524472e0c5fba0c4ce3184dfa7c068d6d187a0e242d8658a
+++ shake256:e1d0772c1e79f87f10446e70e445510cee7549c348789cbaa4b6e17ab6931aea85a6051f3d3c056472e6900e9b711063a01a70abcced4d271558e455f397df98
@@ -15,7 +15,7 @@
 // [#protodoc-title: Kafka Broker]
 // Kafka Broker :ref:`configuration overview <config_network_filters_kafka_broker>`.
 // [#extension: envoy.filters.network.kafka_broker]
-
+// [#next-free-field: 6]
 message KafkaBroker {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.network.kafka_broker.v2alpha1.KafkaBroker";
@@ -39,6 +39,16 @@
     // Broker address rewrite rules that match by broker ID.
     IdBasedBrokerRewriteSpec id_based_broker_address_rewrite_spec = 3;
   }
+
+  // Optional list of allowed Kafka API keys. Only requests with provided API keys will be
+  // routed, otherwise the connection will be closed. No effect if empty.
+  repeated uint32 api_keys_allowed = 4
+      [(validate.rules).repeated = {items {uint32 {lte: 32767 gte: 0}}}];
+
+  // Optional list of denied Kafka API keys. Requests with API keys matching this list will have
+  // the connection closed. No effect if empty.
+  repeated uint32 api_keys_denied = 5
+      [(validate.rules).repeated = {items {uint32 {lte: 32767 gte: 0}}}];
 }

 // Collection of rules matching by broker ID.
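Review bot: the comments on `api_keys_allowed` and `api_keys_denied` each end with "No effect if empty" but never say what happens when both lists are populated, or when the same API key appears in both; state the precedence explicitly (for example, that a key listed in `api_keys_denied` closes the connection even if it also appears in `api_keys_allowed`) so operators do not have to discover it by testing. Also, `gte: 0` in `[(validate.rules).repeated = {items {uint32 {lte: 32767 gte: 0}}}]` is redundant for an unsigned field and can be dropped.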

envoy/admin/v3/config_dump_shared.proto:

--- shake256:63364d2750270a2d67c3edc2093c6d85382ecc9044f078a47f65dc9d445e234e4bf7c43e94a7198eb015b2f558c13bf5bc407abc51b5332d4742dd2ed63e2ba9
+++ shake256:e5c3e7849f8aab45cf872016d0b6f6288e7d1694fe103e3b0f64e74a7444dec99b7f296e59cbfe28373c351b0404b7c865e1281b175c19434c5b84f3d4225d03
@@ -39,6 +39,14 @@

   // Client received this resource and replied with NACK.
   NACKED = 4;
+
+  // Client received an error from the control plane. The attached config
+  // dump is the most recent accepted one. If no config is accepted yet,
+  // the attached config dump will be empty.
+  RECEIVED_ERROR = 5;
+
+  // Client timed out waiting for the resource from the control plane.
+  TIMEOUT = 6;
 }

 message UpdateFailureState {

envoy/admin/v3/server_info.proto:

--- shake256:b3c58b37de88b21f6256a2f4b4d432338e9fb4e07fe573630e0de638a3b6ff6e1d011574ccfcf53eae93e072dbdb8fbcaebfc4e60434250f6c7288a7da1c9109
+++ shake256:b5082be33b95bbc2c8a1bae0d4ab9585ce842da65878270cf233bf066be2276fd9282b37d7b809cb974812a92cd343d877f95344756ba946b6b05630261df3ce
@@ -59,7 +59,7 @@
   config.core.v3.Node node = 7;
 }

-// [#next-free-field: 41]
+// [#next-free-field: 42]
 message CommandLineOptions {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.admin.v2alpha.CommandLineOptions";
@@ -125,6 +125,9 @@
   // See :option:`--ignore-unknown-dynamic-fields` for details.
   bool ignore_unknown_dynamic_fields = 30;

+  // See :option:`--skip-deprecated-logs` for details.
+  bool skip_deprecated_logs = 41;
+
   // See :option:`--admin-address-path` for details.
   string admin_address_path = 6;

envoy/config/accesslog/v3/accesslog.proto:

--- shake256:2bfccf628b3e9d91fcd337eb4113d8a80b0655e13d187d79226e7362d005c3d142f3a5fe3fcfc602de4df87231ac23480ed6443622a532d168291d286ac43a3d
+++ shake256:c3a06caefa9e50db33112179456b945e2afe0288391af79cfc591a19ddcfc303a5ab49b43da11a334a728c093e15f0d2c733bebfb34308dc41c37d81368c828a
@@ -152,35 +152,38 @@
       "envoy.config.filter.accesslog.v2.TraceableFilter";
 }

-// Filters for random sampling of requests.
+// Filters requests based on runtime-configurable sampling rates.
 message RuntimeFilter {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.accesslog.v2.RuntimeFilter";

-  // Runtime key to get an optional overridden numerator for use in the
-  // ``percent_sampled`` field. If found in runtime, this value will replace the
-  // default numerator.
+  // Specifies a key used to look up a custom sampling rate from the runtime configuration. If a value is found for this
+  // key, it will override the default sampling rate specified in ``percent_sampled``.
   string runtime_key = 1 [(validate.rules).string = {min_len: 1}];

-  // The default sampling percentage. If not specified, defaults to 0% with
-  // denominator of 100.
+  // Defines the default sampling percentage when no runtime override is present. If not specified, the default is
+  // **0%** (with a denominator of 100).
   type.v3.FractionalPercent percent_sampled = 2;

-  // By default, sampling pivots on the header
-  // :ref:`x-request-id<config_http_conn_man_headers_x-request-id>` being
-  // present. If :ref:`x-request-id<config_http_conn_man_headers_x-request-id>`
-  // is present, the filter will consistently sample across multiple hosts based
-  // on the runtime key value and the value extracted from
-  // :ref:`x-request-id<config_http_conn_man_headers_x-request-id>`. If it is
-  // missing, or ``use_independent_randomness`` is set to true, the filter will
-  // randomly sample based on the runtime key value alone.
-  // ``use_independent_randomness`` can be used for logging kill switches within
-  // complex nested :ref:`AndFilter
-  // <envoy_v3_api_msg_config.accesslog.v3.AndFilter>` and :ref:`OrFilter
-  // <envoy_v3_api_msg_config.accesslog.v3.OrFilter>` blocks that are easier to
-  // reason about from a probability perspective (i.e., setting to true will
-  // cause the filter to behave like an independent random variable when
-  // composed within logical operator filters).
+  // Controls how sampling decisions are made.
+  //
+  // - Default behavior (``false``):
+  //
+  //   * Uses the :ref:`x-request-id<config_http_conn_man_headers_x-request-id>` as a consistent sampling pivot.
+  //   * When :ref:`x-request-id<config_http_conn_man_headers_x-request-id>` is present, sampling will be consistent
+  //     across multiple hosts based on both the ``runtime_key`` and
+  //     :ref:`x-request-id<config_http_conn_man_headers_x-request-id>`.
+  //   * Useful for tracking related requests across a distributed system.
+  //
+  // - When set to ``true`` or :ref:`x-request-id<config_http_conn_man_headers_x-request-id>` is missing:
+  //
+  //   * Sampling decisions are made randomly based only on the ``runtime_key``.
+  //   * Useful in complex filter configurations (like nested
+  //     :ref:`AndFilter<envoy_v3_api_msg_config.accesslog.v3.AndFilter>`/
+  //     :ref:`OrFilter<envoy_v3_api_msg_config.accesslog.v3.OrFilter>` blocks) where independent probability
+  //     calculations are desired.
+  //   * Can be used to implement logging kill switches with predictable probability distributions.
+  //
   bool use_independent_randomness = 3;
 }

envoy/config/cluster/redis/redis_cluster.proto:

--- shake256:05fa6bd35c8cffe1eb7f9a67dca55ddd4966f371e9123bf12c2ead8afe6bb4b8d839fe678547d041178ee54ece57d6c0e3ce0e1226b884e31fce002810b69153
+++ shake256:f88d1d71037a70c72f39863a5a9ec8d65ded375d725b7e416d36ec233adcd670e010a8b024c755835c16899a8e4c1d00ee24eacc7bc51c778296d6c5fff1fc8a
@@ -43,14 +43,14 @@
 //       address: foo.bar.com
 //       port_value: 22120
 //     cluster_type:
-//     name: envoy.clusters.redis
-//     typed_config:
-//       "@type": type.googleapis.com/google.protobuf.Struct
-//       value:
-//         cluster_refresh_rate: 30s
-//         cluster_refresh_timeout: 0.5s
-//         redirect_refresh_interval: 10s
-//         redirect_refresh_threshold: 10
+//       name: envoy.clusters.redis
+//       typed_config:
+//         "@type": type.googleapis.com/google.protobuf.Struct
+//         value:
+//           cluster_refresh_rate: 30s
+//           cluster_refresh_timeout: 0.5s
+//           redirect_refresh_interval: 10s
+//           redirect_refresh_threshold: 10
 // [#extension: envoy.clusters.redis]

 // [#next-free-field: 7]

envoy/config/cluster/v3/cluster.proto:

--- shake256:681e621142dc47cd0c2b9bd88a60edb600ffa33b49acfd9bdd1b53f1787b2d24054b9d9da9ac90645b044ac624e5870c0bd35da5f856d32a47dd2bd8167010b7
+++ shake256:ebf748fd4dcfff091c2dd3e683ab0cbfbea458b8fc74989b53812d68e37aa595dbfaa781e456f98ca651ddb53629f52f4908d58a5e4d733b506977b98628c1a7
@@ -953,8 +953,15 @@
   // :ref:`STRICT_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>`
   // and :ref:`LOGICAL_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS>`
   // this setting is ignored.
-  google.protobuf.Duration dns_refresh_rate = 16
-      [(validate.rules).duration = {gt {nanos: 1000000}}];
+  // This field is deprecated in favor of using the :ref:`cluster_type<envoy_v3_api_field_config.cluster.v3.Cluster.cluster_type>`
+  // extension point and configuring it with :ref:`DnsCluster<envoy_v3_api_msg_extensions.clusters.dns.v3.DnsCluster>`.
+  // If :ref:`cluster_type<envoy_v3_api_field_config.cluster.v3.Cluster.cluster_type>` is configured with
+  // :ref:`DnsCluster<envoy_v3_api_msg_extensions.clusters.dns.v3.DnsCluster>`, this field will be ignored.
+  google.protobuf.Duration dns_refresh_rate = 16 [
+    deprecated = true,
+    (validate.rules).duration = {gt {nanos: 1000000}},
+    (envoy.annotations.deprecated_at_minor_version) = "3.0"
+  ];

   // DNS jitter can be optionally specified if the cluster type is either
   // :ref:`STRICT_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>`,
@@ -965,7 +972,15 @@
   // :ref:`STRICT_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>`
   // and :ref:`LOGICAL_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS>`
   // this setting is ignored.
-  google.protobuf.Duration dns_jitter = 58 [(validate.rules).duration = {gte {}}];
+  // This field is deprecated in favor of using the :ref:`cluster_type<envoy_v3_api_field_config.cluster.v3.Cluster.cluster_type>`
+  // extension point and configuring it with :ref:`DnsCluster<envoy_v3_api_msg_extensions.clusters.dns.v3.DnsCluster>`.
+  // If :ref:`cluster_type<envoy_v3_api_field_config.cluster.v3.Cluster.cluster_type>` is configured with
+  // :ref:`DnsCluster<envoy_v3_api_msg_extensions.clusters.dns.v3.DnsCluster>`, this field will be ignored.
+  google.protobuf.Duration dns_jitter = 58 [
+    deprecated = true,
+    (validate.rules).duration = {gte {}},
+    (envoy.annotations.deprecated_at_minor_version) = "3.0"
+  ];

   // If the DNS failure refresh rate is specified and the cluster type is either
   // :ref:`STRICT_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>`,
@@ -975,16 +990,31 @@
   // other than :ref:`STRICT_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.STRICT_DNS>` and
   // :ref:`LOGICAL_DNS<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DiscoveryType.LOGICAL_DNS>` this setting is
   // ignored.
-  RefreshRate dns_failure_refresh_rate = 44;
+  // This field is deprecated in favor of using the :ref:`cluster_type<envoy_v3_api_field_config.cluster.v3.Cluster.cluster_type>`
+  // extension point and configuring it with :ref:`DnsCluster<envoy_v3_api_msg_extensions.clusters.dns.v3.DnsCluster>`.
+  // If :ref:`cluster_type<envoy_v3_api_field_config.cluster.v3.Cluster.cluster_type>` is configured with
+  // :ref:`DnsCluster<envoy_v3_api_msg_extensions.clusters.dns.v3.DnsCluster>`, this field will be ignored.
+  RefreshRate dns_failure_refresh_rate = 44
+      [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];

   // Optional configuration for setting cluster's DNS refresh rate. If the value is set to true,
   // cluster's DNS refresh rate will be set to resource record's TTL which comes from DNS
   // resolution.
-  bool respect_dns_ttl = 39;
+  // This field is deprecated in favor of using the :ref:`cluster_type<envoy_v3_api_field_config.cluster.v3.Cluster.cluster_type>`
+  // extension point and configuring it with :ref:`DnsCluster<envoy_v3_api_msg_extensions.clusters.dns.v3.DnsCluster>`.
+  // If :ref:`cluster_type<envoy_v3_api_field_config.cluster.v3.Cluster.cluster_type>` is configured with
+  // :ref:`DnsCluster<envoy_v3_api_msg_extensions.clusters.dns.v3.DnsCluster>`, this field will be ignored.
+  bool respect_dns_ttl = 39
+      [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];

   // The DNS IP address resolution policy. If this setting is not specified, the
   // value defaults to
   // :ref:`AUTO<envoy_v3_api_enum_value_config.cluster.v3.Cluster.DnsLookupFamily.AUTO>`.
+  // For logical and strict dns cluster, this field is deprecated in favor of using the
+  // :ref:`cluster_type<envoy_v3_api_field_config.cluster.v3.Cluster.cluster_type>`
+  // extension point and configuring it with :ref:`DnsCluster<envoy_v3_api_msg_extensions.clusters.dns.v3.DnsCluster>`.
+  // If :ref:`cluster_type<envoy_v3_api_field_config.cluster.v3.Cluster.cluster_type>` is configured with
+  // :ref:`DnsCluster<envoy_v3_api_msg_extensions.clusters.dns.v3.DnsCluster>`, this field will be ignored.
   DnsLookupFamily dns_lookup_family = 17 [(validate.rules).enum = {defined_only: true}];

   // If DNS resolvers are specified and the cluster type is either
@@ -1024,6 +1054,9 @@
   // During the transition period when both ``dns_resolution_config`` and ``typed_dns_resolver_config`` exists,
   // when ``typed_dns_resolver_config`` is in place, Envoy will use it and ignore ``dns_resolution_config``.
   // When ``typed_dns_resolver_config`` is missing, the default behavior is in place.
+  // Also note that this field is deprecated for logical dns and strict dns clusters and will be ignored when
+  // :ref:`cluster_type<envoy_v3_api_field_config.cluster.v3.Cluster.cluster_type>` is configured with
+  // :ref:`DnsCluster<envoy_v3_api_msg_extensions.clusters.dns.v3.DnsCluster>`.
   // [#extension-category: envoy.network.dns_resolver]
   core.v3.TypedExtensionConfig typed_dns_resolver_config = 55;

envoy/config/core/v3/base.proto:

--- shake256:265c44cf80c744e3ac9f15e362d226a400043f07578324e31faf27c74826d102e0de636b31020a5beb3015fe80fca126049dd0787452241fd1ef0b38be65d19a
+++ shake256:ae28b55a1d43e246e656acdd267aee16e19b6ab15c507b928417b17ce81741a6cbb4cb72da3cfd5980142e16aee8468122e34febd659868cf0e4cd077049470f
@@ -303,12 +303,31 @@
   string runtime_key = 2 [(validate.rules).string = {min_len: 1}];
 }

+// Please use :ref:`KeyValuePair <envoy_api_msg_config.core.v3.KeyValuePair>` instead.
+// [#not-implemented-hide:]
 message KeyValue {
   // The key of the key/value pair.
+  string key = 1 [
+    deprecated = true,
+    (validate.rules).string = {min_len: 1 max_bytes: 16384},
+    (envoy.annotations.deprecated_at_minor_version) = "3.0"
+  ];
+
+  // The value of the key/value pair.
+  //
+  // The ``bytes`` type is used. This means if JSON or YAML is used to to represent the
+  // configuration, the value must be base64 encoded. This is unfriendly for users in most
+  // use scenarios of this message.
+  //
+  bytes value = 2 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
+}
+
+message KeyValuePair {
+  // The key of the key/value pair.
   string key = 1 [(validate.rules).string = {min_len: 1 max_bytes: 16384}];

   // The value of the key/value pair.
-  bytes value = 2;
+  google.protobuf.Value value = 2;
 }

 // Key/value pair plus option to control append behavior. This is used to specify
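Review bot: the cross-reference target in `// Please use :ref:`KeyValuePair <envoy_api_msg_config.core.v3.KeyValuePair>` instead.` uses the `envoy_api_msg_` prefix, while every other reference in this diff uses the `envoy_v3_api_` form (for example `envoy_v3_api_field_config.core.v3.KeyValueAppend.record` further down), so this link is likely not to resolve in the generated docs; change it to `envoy_v3_api_msg_config.core.v3.KeyValuePair`. Minor: "if JSON or YAML is used to to represent" in the `value` comment doubles the word "to".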
@@ -339,9 +358,19 @@
     OVERWRITE_IF_EXISTS = 3;
   }

-  // Key/value pair entry that this option to append or overwrite.
-  KeyValue entry = 1 [(validate.rules).message = {required: true}];
+  // The single key/value pair record to be appended or overridden. This field must be set.
+  KeyValuePair record = 3;

+  // Key/value pair entry that this option to append or overwrite. This field is deprecated
+  // and please use :ref:`record <envoy_v3_api_field_config.core.v3.KeyValueAppend.record>`
+  // as replacement.
+  // [#not-implemented-hide:]
+  KeyValue entry = 1 [
+    deprecated = true,
+    (validate.rules).message = {skip: true},
+    (envoy.annotations.deprecated_at_minor_version) = "3.0"
+  ];
+
   // Describes the action taken to append/overwrite the given value for an existing
   // key or to only add this key if it's absent.
   KeyValueAppendAction action = 2 [(validate.rules).enum = {defined_only: true}];
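Review bot: `KeyValuePair record = 3;` is documented as "This field must be set" but carries no validation rule, while the `(validate.rules).message = {required: true}` that used to enforce presence on `entry` is being replaced by `{skip: true}`, so nothing in the schema now guarantees that either field is populated. If presence is checked in code (because existing configurations may still set the deprecated `entry`), say so in the comment; otherwise add `[(validate.rules).message = {required: true}]` to `record` so the comment and the schema agree.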
@@ -349,10 +378,12 @@

 // Key/value pair to append or remove.
 message KeyValueMutation {
-  // Key/value pair to append or overwrite. Only one of ``append`` or ``remove`` can be set.
+  // Key/value pair to append or overwrite. Only one of ``append`` or ``remove`` can be set or
+  // the configuration will be rejected.
   KeyValueAppend append = 1;

-  // Key to remove. Only one of ``append`` or ``remove`` can be set.
+  // Key to remove. Only one of ``append`` or ``remove`` can be set or the configuration will be
+  // rejected.
   string remove = 2 [(validate.rules).string = {max_bytes: 16384}];
 }

@@ -453,6 +484,7 @@
 message HeaderMap {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.core.HeaderMap";

+  // A list of header names and their values.
   repeated HeaderValue headers = 1;
 }

envoy/config/core/v3/protocol.proto:

--- shake256:f37276604610b21497d901ecf3e432e9be187a43ee96c3c7cbd6e48e75a8d9e0527acfb57189d6ae1c0c82f59727a7b7fc5b89c5ccf3cd15a32632532bc058f1
+++ shake256:795dd3264f9e074b9862a701299bd1a7a02feb95a27bbe36cf2dbb7b868690a14b411b38762ef399487148b25107dddda66115c1ff1faa7691e85d97e79db831
@@ -39,19 +39,16 @@
   //
   // If zero, disable keepalive probing.
   // If absent, use the QUICHE default interval to probe.
-  google.protobuf.Duration max_interval = 1 [(validate.rules).duration = {
-    lte {}
-    gte {seconds: 1}
-  }];
+  google.protobuf.Duration max_interval = 1;

   // The interval to send the first few keep-alive probing packets to prevent connection from hitting the idle timeout. Subsequent probes will be sent, each one with an interval exponentially longer than previous one, till it reaches :ref:`max_interval <envoy_v3_api_field_config.core.v3.QuicKeepAliveSettings.max_interval>`. And the probes afterwards will always use :ref:`max_interval <envoy_v3_api_field_config.core.v3.QuicKeepAliveSettings.max_interval>`.
   //
   // The value should be smaller than :ref:`connection idle_timeout <envoy_v3_api_field_config.listener.v3.QuicProtocolOptions.idle_timeout>` to prevent idle timeout and smaller than max_interval to take effect.
   //
-  // If absent or zero, disable keepalive probing for a server connection. For a client connection, if :ref:`max_interval <envoy_v3_api_field_config.core.v3.QuicKeepAliveSettings.max_interval>`  is also zero, do not keepalive, otherwise use max_interval or QUICHE default to probe all the time.
+  // If absent, disable keepalive probing for a server connection. For a client connection, if :ref:`max_interval <envoy_v3_api_field_config.core.v3.QuicKeepAliveSettings.max_interval>` is zero, do not keepalive, otherwise use max_interval or QUICHE default to probe all the time.
   google.protobuf.Duration initial_interval = 2 [(validate.rules).duration = {
     lte {}
-    gte {seconds: 1}
+    gte {nanos: 1000000}
   }];
 }

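Review bot: removing the whole rule on `max_interval` (`-  google.protobuf.Duration max_interval = 1 [(validate.rules).duration = {` through `-  }];`) drops not only the `gte {seconds: 1}` bound that contradicted "If zero, disable keepalive probing", but also the lower bound that rejected negative durations. Keep `[(validate.rules).duration = {gte {}}]`, the form `dns_jitter` uses elsewhere in this diff, so that zero is accepted while negative values are still rejected at config load rather than at runtime.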
@@ -126,6 +123,9 @@
   // header when :ref:`override_auto_sni_header <envoy_v3_api_field_config.core.v3.UpstreamHttpProtocolOptions.override_auto_sni_header>`
   // is set, as seen by the :ref:`router filter <config_http_filters_router>`.
   // Does nothing if a filter before the http router filter sets the corresponding metadata.
+  //
+  // See :ref:`SNI configuration <start_quick_start_securing_sni_client>` for details on how this
+  // interacts with other validation options.
   bool auto_sni = 1;

   // Automatic validate upstream presented certificate for new upstream connections based on the
@@ -133,6 +133,9 @@
   // is set, as seen by the :ref:`router filter <config_http_filters_router>`.
   // This field is intended to be set with ``auto_sni`` field.
   // Does nothing if a filter before the http router filter sets the corresponding metadata.
+  //
+  // See :ref:`validation configuration <start_quick_start_securing_validation>` for how this interacts with
+  // other validation options.
   bool auto_san_validation = 2;

   // An optional alternative to the host/authority header to be used for setting the SNI value.

envoy/config/filter/network/http_connection_manager/v2/http_connection_manager.proto:

--- shake256:66b8ba0fbab2f35e46c8ac6213fac40b80503263468b147691455591395fc20de61326aef12f8651173f1b0ef3d9bf52427dfa5f27047e018586eaf9c3a826b0
+++ shake256:a7f813dbdfaadb034a6a7332b0255a0e3b22c62a143f04961312762d3abbf1f55bead00e1df978bdd79ea16c8d90d7c6fd485b60367217391e39ec5aab637b2b
@@ -163,14 +163,6 @@

     // Configuration for an external tracing provider.
     // If not specified, no tracing will be performed.
-    //
-    // .. attention::
-    //   Please be aware that *envoy.tracers.opencensus* provider can only be configured once
-    //   in Envoy lifetime.
-    //   Any attempts to reconfigure it or to use different configurations for different HCM filters
-    //   will be rejected.
-    //   Such a constraint is inherent to OpenCensus itself. It cannot be overcome without changes
-    //   on OpenCensus side.
     trace.v2.Tracing.Http provider = 9;
   }

envoy/config/filter/network/kafka_broker/v2alpha1/kafka_broker.proto:

--- shake256:e4b005143cd458e31f5abb596a63a5eda39555938795ef5722fbb432e041c505d6a3d84f587c35a0afe82538fd363b6a1e00ee72204801563cae6e32eb8a018d
+++ shake256:c287f1093bd60b0ed243f40f69dc868a8856f31b36cc3f44790c0ed62e24c23fee9046ff0c55512f5fdbabd3f7fb89ca60d13a90ae0e1595189e5f2ef03febb1
@@ -17,7 +17,7 @@
 // [#protodoc-title: Kafka Broker]
 // Kafka Broker :ref:`configuration overview <config_network_filters_kafka_broker>`.
 // [#extension: envoy.filters.network.kafka_broker]
-
+// [#next-free-field: 6]
 message KafkaBroker {
   // The prefix to use when emitting :ref:`statistics <config_network_filters_kafka_broker_stats>`.
   string stat_prefix = 1 [(validate.rules).string = {min_bytes: 1}];
@@ -38,6 +38,16 @@
     // Broker address rewrite rules that match by broker ID.
     IdBasedBrokerRewriteSpec id_based_broker_address_rewrite_spec = 3;
   }
+
+  // Optional list of allowed Kafka API keys. Only requests with provided API keys will be
+  // routed, otherwise the connection will be closed. No effect if empty.
+  repeated uint32 api_keys_allowed = 4
+      [(validate.rules).repeated = {items {uint32 {lte: 32767 gte: 0}}}];
+
+  // Optional list of denied Kafka API keys. Requests with API keys matching this list will have
+  // the connection closed. No effect if empty.
+  repeated uint32 api_keys_denied = 5
+      [(validate.rules).repeated = {items {uint32 {lte: 32767 gte: 0}}}];
 }

 // Collection of rules matching by broker ID.

envoy/config/grpc_credential/v3/aws_iam.proto:

--- shake256:b84bc539d7d8839e117a944f0726902d59a8c447c9e6ca5044b9d5418f9a67f59e8e90d2f20da5bb591a7766d5b133fa2fb963555ff4f834499f1371dd731907
+++ shake256:62e9cbba4ef90857312393ba23c0c2e68c7ddf909fb944dbb82991c11ea9e2156e58cc0597c12e2057b122c1b5eef2de801256ff1185a6fd4e7b7f9f53ac43cd
@@ -2,6 +2,7 @@

 package envoy.config.grpc_credential.v3;

+import "envoy/annotations/deprecation.proto";
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
@@ -14,6 +15,11 @@

 // [#protodoc-title: Grpc Credentials AWS IAM]
 // Configuration for AWS IAM Grpc Credentials Plugin
+// .. warning::
+//
+//    This extension is deprecated and will be deleted in a future Envoy release, no
+//    later than Envoy 1.35, but possibly sooner.
+//
 // [#extension: envoy.grpc_credentials.aws_iam]

 message AwsIamConfig {
@@ -25,12 +31,16 @@
   // of the Grpc endpoint.
   //
   // Example: appmesh
-  string service_name = 1 [(validate.rules).string = {min_len: 1}];
+  string service_name = 1 [
+    deprecated = true,
+    (validate.rules).string = {min_len: 1},
+    (envoy.annotations.deprecated_at_minor_version) = "3.0"
+  ];

   // The `region <https://docs.aws.amazon.com/general/latest/gr/rande.html>`_ hosting the Grpc
   // endpoint. If unspecified, the extension will use the value in the ``AWS_REGION`` environment
   // variable.
   //
   // Example: us-west-2
-  string region = 2;
+  string region = 2 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];
 }

envoy/config/listener/v3/listener_components.proto:

--- shake256:233e3612535686776464c11f6426358c7c0aa995179cacb92d4d6657cea67583368b06cb31f40714eaa3cf6e77c5c5bbe36e6862a04f85f52da0c3c5c0362f18
+++ shake256:898dcb73232fc67a2cdd1d61309a81f12c1da724cc3e5c9877e2a1c8f8c4b9f6d170383f7dff706ffc19dca6e09c9cd558136dc75a9cf507c7e1d341c497a293
@@ -201,25 +201,10 @@
 message FilterChain {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.listener.FilterChain";

-  // The configuration for on-demand filter chain. If this field is not empty in FilterChain message,
-  // a filter chain will be built on-demand.
-  // On-demand filter chains help speedup the warming up of listeners since the building and initialization of
-  // an on-demand filter chain will be postponed to the arrival of new connection requests that require this filter chain.
-  // Filter chains that are not often used can be set as on-demand.
-  message OnDemandConfiguration {
-    // The timeout to wait for filter chain placeholders to complete rebuilding.
-    // 1. If this field is set to 0, timeout is disabled.
-    // 2. If not specified, a default timeout of 15s is used.
-    // Rebuilding will wait until dependencies are ready, have failed, or this timeout is reached.
-    // Upon failure or timeout, all connections related to this filter chain will be closed.
-    // Rebuilding will start again on the next new connection.
-    google.protobuf.Duration rebuild_timeout = 1;
-  }
+  reserved 2, 8;

-  reserved 2;
+  reserved "tls_context", "on_demand_configuration";

-  reserved "tls_context";
-
   // The criteria to use when matching a connection to this filter chain.
   FilterChainMatch filter_chain_match = 1;

@@ -269,11 +254,6 @@
   // <envoy_v3_api_field_config.listener.v3.Listener.filter_chain_matcher>`
   // requires that filter chains are uniquely named within a listener.
   string name = 7;
-
-  // [#not-implemented-hide:] The configuration to specify whether the filter chain will be built on-demand.
-  // If this field is not empty, the filter chain will be built on-demand.
-  // Otherwise, the filter chain will be built normally and block listener warming.
-  OnDemandConfiguration on_demand_configuration = 8;
 }

 // Listener filter chain match configuration. This is a recursive structure which allows complex

envoy/config/overload/v3/overload.proto:

--- shake256:ebf4af49fc5450c6ace367f6cacd6badbefc4030204f094a8a50807627072be098166fb2c038f4b7f7744e35c17c9265c26fc93e16dd96e02203d710107c3fd8
+++ shake256:b1b80519ed10cd644f155c72798d6d0f8a55d4657fb61d2de8aab8c821865aa7b60be401f52e6b04157c806772428ea368d36791ded9328940fe980b70e42f8f
@@ -103,6 +103,12 @@
     // This affects the value of
     // :ref:`FilterChain.transport_socket_connect_timeout <envoy_v3_api_field_config.listener.v3.FilterChain.transport_socket_connect_timeout>`.
     TRANSPORT_SOCKET_CONNECT = 3;
+
+    // Adjusts the max connection duration timer for downstream HTTP connections.
+    // This affects the value of
+    // :ref:`HttpConnectionManager.common_http_protocol_options.max_connection_duration
+    // <envoy_v3_api_field_config.core.v3.HttpProtocolOptions.max_connection_duration>`.
+    HTTP_DOWNSTREAM_CONNECTION_MAX = 4;
   }

   message ScaleTimer {

envoy/config/rbac/v3/rbac.proto:

--- shake256:532608924c3e452c06b3277a70b72490115bd22f58dfc1eb18a4a947d402db3ca7e4602460693f3351ec1b2cfbe6cfcbdff6aa576b5547f2b2ad0e17e55e59f8
+++ shake256:b1cef5fdc3d1350e3f96bc2cf2d14909e19dc8686fb620a42bec19fab962d6e83a1a532b62d30e8ab5256d6809510a88722c4ee872548eb5d01f0e9bd832e3c5
@@ -28,6 +28,14 @@

 // [#protodoc-title: Role Based Access Control (RBAC)]

+enum MetadataSource {
+  // Query :ref:`dynamic metadata <well_known_dynamic_metadata>`
+  DYNAMIC = 0;
+
+  // Query :ref:`route metadata <envoy_v3_api_field_config.route.v3.Route.metadata>`
+  ROUTE = 1;
+}
+
 // Role Based Access Control (RBAC) provides service-level and method-level access control for a
 // service. Requests are allowed or denied based on the ``action`` and whether a matching policy is
 // found. For instance, if the action is ALLOW and a matching policy is found the request should be
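Review bot: `MetadataSource` is declared at package scope rather than nested in `SourcedMetadata`, so `DYNAMIC` and `ROUTE` become package-level identifiers in `envoy.config.rbac.v3` (protobuf scopes enum values to the scope enclosing the enum, not to the enum itself) and no future enum in this package can reuse those names; nesting the enum inside `SourcedMetadata` would avoid that. Minor style: the two value comments lack a terminating period, unlike the other comments in the file.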
@@ -193,8 +201,29 @@
       [(udpa.annotations.field_migrate).oneof_promotion = "expression_specifier"];
 }

+// SourcedMetadata enables matching against metadata from different sources in the request processing
+// pipeline. It extends the base MetadataMatcher functionality by allowing specification of where the
+// metadata should be sourced from, rather than only matching against dynamic metadata.
+//
+// The matcher can be configured to look up metadata from:
+//
+// * Dynamic metadata: Runtime metadata added by filters during request processing
+// * Route metadata: Static metadata configured on the route entry
+//
+message SourcedMetadata {
+  // Metadata matcher configuration that defines what metadata to match against. This includes the filter name,
+  // metadata key path, and expected value.
+  type.matcher.v3.MetadataMatcher metadata_matcher = 1
+      [(validate.rules).message = {required: true}];
+
+  // Specifies which metadata source should be used for matching. If not set,
+  // defaults to DYNAMIC (dynamic metadata). Set to ROUTE to match against
+  // static metadata configured on the route entry.
+  MetadataSource metadata_source = 2 [(validate.rules).enum = {defined_only: true}];
+}
+
 // Permission defines an action (or actions) that a principal can take.
-// [#next-free-field: 14]
+// [#next-free-field: 15]
 message Permission {
   option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v2.Permission";
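Review bot: the `metadata_source` comment says unset "defaults to DYNAMIC", which follows from `DYNAMIC = 0`, but nothing states how `SourcedMetadata` relates to the `metadata` field it supersedes; a sentence such as "`metadata: X` is equivalent to `sourced_metadata: {metadata_matcher: X, metadata_source: DYNAMIC}`" would give policy authors an exact migration path for access-control rules, where a silently different metadata source changes which requests a rule matches. The bump to `[#next-free-field: 15]` is consistent with `sourced_metadata = 14` added later in this file.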

@@ -237,8 +266,10 @@
     // A port number range that describes a range of destination ports connecting to.
     type.v3.Int32Range destination_port_range = 11;

-    // Metadata that describes additional information about the action.
-    type.matcher.v3.MetadataMatcher metadata = 7;
+    // Metadata that describes additional information about the action. This field is deprecated; please use
+    // :ref:`sourced_metadata<envoy_v3_api_field_config.rbac.v3.Permission.sourced_metadata>` instead.
+    type.matcher.v3.MetadataMatcher metadata = 7
+        [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];

     // Negates matching the provided permission. For instance, if the value of
     // ``not_rule`` would match, this permission would not match. Conversely, if
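Review bot: the deprecation comment points at `sourced_metadata` but does not say that the deprecated field keeps its previous semantics (matching dynamic metadata) until it is removed; for an RBAC permission that is exactly what operators need to know before migrating, so state it here, e.g. "... instead. ``metadata`` continues to match against dynamic metadata." The same applies to the identical deprecation of `Principal.metadata` further down in this file.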
@@ -274,12 +305,16 @@
     // URI template path matching.
     // [#extension-category: envoy.path.match]
     core.v3.TypedExtensionConfig uri_template = 13;
+
+    // Matches against metadata from either dynamic state or route configuration. Preferred over the
+    // ``metadata`` field as it provides more flexibility in metadata source selection.
+    SourcedMetadata sourced_metadata = 14;
   }
 }

 // Principal defines an identity or a group of identities for a downstream
 // subject.
-// [#next-free-field: 13]
+// [#next-free-field: 14]
 message Principal {
   option (udpa.annotations.versioning).previous_message_type = "envoy.config.rbac.v2.Principal";

@@ -356,8 +391,10 @@
     // A URL path on the incoming HTTP request. Only available for HTTP.
     type.matcher.v3.PathMatcher url_path = 9;

-    // Metadata that describes additional information about the principal.
-    type.matcher.v3.MetadataMatcher metadata = 7;
+    // Metadata that describes additional information about the principal. This field is deprecated; please use
+    // :ref:`sourced_metadata<envoy_v3_api_field_config.rbac.v3.Principal.sourced_metadata>` instead.
+    type.matcher.v3.MetadataMatcher metadata = 7
+        [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];

     // Identifies the principal using a filter state object.
     type.matcher.v3.FilterStateMatcher filter_state = 12;
@@ -366,6 +403,10 @@
     // ``not_id`` would match, this principal would not match. Conversely, if the
     // value of ``not_id`` would not match, this principal would match.
     Principal not_id = 8;
+
+    // Matches against metadata from either dynamic state or route configuration. Preferred over the
+    // ``metadata`` field as it provides more flexibility in metadata source selection.
+    SourcedMetadata sourced_metadata = 13;
   }
 }

envoy/config/route/v3/route_components.proto:

--- shake256:ee5a4c6ef87f05135f4518b301ecc3c6354e7f695f5c30b8d086f9a0afdad2e55a0229f6cd2e439c415972ced4c46c7b3460ea9a0b2fd6f1a3cb513a9817391a
+++ shake256:d2a94d5b779e9b75c6304545c0f1b7fbd6880270024fddd44bb7490334749e60d7d97fda0288bd27f0ea52658299d2e503c1ac580f161d867231052bba4d9744
@@ -17,7 +17,6 @@
 import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";

-import "xds/annotations/v3/status.proto";
 import "xds/type/matcher/v3/matcher.proto";

 import "envoy/annotations/deprecation.proto";
@@ -92,13 +91,12 @@
   // The list of routes that will be matched, in order, for incoming requests.
   // The first route that matches will be used.
   // Only one of this and ``matcher`` can be specified.
-  repeated Route routes = 3;
+  repeated Route routes = 3 [(udpa.annotations.field_migrate).oneof_promotion = "route_selection"];

-  // [#next-major-version: This should be included in a oneof with routes wrapped in a message.]
   // The match tree to use when resolving route actions for incoming requests. Only one of this and ``routes``
   // can be specified.
   xds.type.matcher.v3.Matcher matcher = 21
-      [(xds.annotations.v3.field_status).work_in_progress = true];
+      [(udpa.annotations.field_migrate).oneof_promotion = "route_selection"];

   // Specifies the type of TLS enforcement the virtual host expects. If this option is not
   // specified, there is no TLS requirement for the virtual host.
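Review bot: dropping `(xds.annotations.v3.field_status).work_in_progress = true` promotes `matcher` from a work-in-progress field to a supported one, which deserves a release-note entry. The removal of `import "xds/annotations/v3/status.proto";` in the previous hunk is correct only if no other field in this file still uses `field_status`; the visible hunks do not show either way, so a grep before merge is warranted. The `oneof_promotion = "route_selection"` annotation on both `routes` and `matcher` now encodes the mutual exclusivity the comments describe.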
@@ -817,7 +815,10 @@
     // value, the request will be mirrored.
     core.v3.RuntimeFractionalPercent runtime_fraction = 3;

-    // Determines if the trace span should be sampled. Defaults to true.
+    // Specifies whether the trace span for the shadow request should be sampled. If this field is not explicitly set,
+    // the shadow request will inherit the sampling decision of its parent span. This ensures consistency with the trace
+    // sampling policy of the original request and prevents oversampling, especially in scenarios where runtime sampling
+    // is disabled.
     google.protobuf.BoolValue trace_sampled = 4;

     // Disables appending the ``-shadow`` suffix to the shadowed ``Host`` header. Defaults to ``false``.
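Review bot: this is a behavioural change hiding in a comment edit: `trace_sampled` is a `BoolValue`, so "unset" is distinguishable from `false`, and the meaning of unset moves from "sampled = true" to "inherit the parent span's sampling decision". That belongs in the release notes, since operators who relied on shadow-request spans always being sampled will see fewer of them after upgrading.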
@@ -1870,10 +1871,11 @@

 // Global rate limiting :ref:`architecture overview <arch_overview_global_rate_limit>`.
 // Also applies to Local rate limiting :ref:`using descriptors <config_http_filters_local_rate_limit_descriptors>`.
+// [#next-free-field: 7]
 message RateLimit {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.route.RateLimit";

-  // [#next-free-field: 12]
+  // [#next-free-field: 13]
   message Action {
     option (udpa.annotations.versioning).previous_message_type =
         "envoy.api.v2.route.RateLimit.Action";
@@ -1930,12 +1932,51 @@
       // The key to use in the descriptor entry.
       string descriptor_key = 2 [(validate.rules).string = {min_len: 1}];

-      // If set to true, Envoy skips the descriptor while calling rate limiting service
-      // when header is not present in the request. By default it skips calling the
-      // rate limiting service if this header is not present in the request.
+      // Controls the behavior when the specified header is not present in the request.
+      //
+      // If set to ``false`` (default):
+      //
+      // * Envoy does **NOT** call the rate limiting service for this descriptor.
+      // * Useful if the header is optional and you prefer to skip rate limiting when it's absent.
+      //
+      // If set to ``true``:
+      //
+      // * Envoy calls the rate limiting service but omits this descriptor if the header is missing.
+      // * Useful if you want Envoy to enforce rate limiting even when the header is not present.
+      //
       bool skip_if_absent = 3;
     }

+    // The following descriptor entry is appended when a query parameter contains a key that matches the
+    // ``query_parameter_name``:
+    //
+    // .. code-block:: cpp
+    //
+    //   ("<descriptor_key>", "<query_parameter_value_queried_from_query_parameter>")
+    message QueryParameters {
+      // The name of the query parameter to use for rate limiting. Value of this query parameter is used to populate
+      // the value of the descriptor entry for the descriptor_key.
+      string query_parameter_name = 1 [(validate.rules).string = {min_len: 1}];
+
+      // The key to use when creating the rate limit descriptor entry. his descriptor key will be used to identify the
+      // rate limit rule in the rate limiting service.
+      string descriptor_key = 2 [(validate.rules).string = {min_len: 1}];
+
+      // Controls the behavior when the specified query parameter is not present in the request.
+      //
+      // If set to ``false`` (default):
+      //
+      // * Envoy does **NOT** call the rate limiting service for this descriptor.
+      // * Useful if the query parameter is optional and you prefer to skip rate limiting when it's absent.
+      //
+      // If set to ``true``:
+      //
+      // * Envoy calls the rate limiting service but omits this descriptor if the query parameter is missing.
+      // * Useful if you want Envoy to enforce rate limiting even when the query parameter is not present.
+      //
+      bool skip_if_absent = 3;
+    }
+
     // The following descriptor entry is appended to the descriptor and is populated using the
     // trusted address from :ref:`x-forwarded-for <config_http_conn_man_headers_x-forwarded-for>`:
     //
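Review bot: typo in the `QueryParameters.descriptor_key` comment, "his descriptor key will be used" should read "This descriptor key will be used". More substantively, query parameters are entirely client-controlled, so with the default `skip_if_absent = false` a request that simply omits `query_parameter_name` is never sent to the rate limit service for this descriptor; the bullets describe that, but a sentence saying that `skip_if_absent: true` (or a companion descriptor that does not depend on the parameter) is required when the limit must also cover requests lacking the parameter would help operators avoid a fail-open limit.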
@@ -2067,9 +2108,19 @@
       // Source of metadata
       Source source = 4 [(validate.rules).enum = {defined_only: true}];

-      // If set to true, Envoy skips the descriptor while calling rate limiting service
-      // when ``metadata_key`` is empty and ``default_value`` is not set. By default it skips calling the
-      // rate limiting service in that case.
+      // Controls the behavior when the specified ``metadata_key`` is empty and ``default_value`` is not set.
+      //
+      // If set to ``false`` (default):
+      //
+      // * Envoy does **NOT** call the rate limiting service for this descriptor.
+      // * Useful if the metadata is optional and you prefer to skip rate limiting when it's absent.
+      //
+      // If set to ``true``:
+      //
+      // * Envoy calls the rate limiting service but omits this descriptor if the ``metadata_key`` is empty and
+      //   ``default_value`` is missing.
+      // * Useful if you want Envoy to enforce rate limiting even when the metadata is not present.
+      //
       bool skip_if_absent = 5;
     }

@@ -2112,6 +2163,9 @@
       // Rate limit on request headers.
       RequestHeaders request_headers = 3;

+      // Rate limit on query parameters.
+      QueryParameters query_parameters = 12;
+
       // Rate limit on remote address.
       RemoteAddress remote_address = 4;

@@ -2170,6 +2224,33 @@
     }
   }

+  message HitsAddend {
+    // Fixed number of hits to add to the rate limit descriptor.
+    //
+    // One of the ``number`` or ``format`` fields should be set but not both.
+    google.protobuf.UInt64Value number = 1 [(validate.rules).uint64 = {lte: 1000000000}];
+
+    // Substitution format string to extract the number of hits to add to the rate limit descriptor.
+    // The same :ref:`format specifier <config_access_log_format>` as used for
+    // :ref:`HTTP access logging <config_access_log>` applies here.
+    //
+    // .. note::
+    //
+    //   The format string must contains only single valid substitution field. If the format string
+    //   not meets the requirement, the configuration will be rejected.
+    //
+    //   The substitution field should generates a non-negative number or string representation of
+    //   a non-negative number. The value of the non-negative number should be less than or equal
+    //   to 1000000000 like the ``number`` field. If the output of the substitution field not meet
+    //   the requirement, this will be treated as an error and the current descriptor will be ignored.
+    //
+    // For example, the ``%BYTES_RECEIVED%`` format string will be replaced with the number of bytes
+    // received in the request.
+    //
+    // One of the ``number`` or ``format`` fields should be set but not both.
+    string format = 2 [(validate.rules).string = {prefix: "%" suffix: "%" ignore_empty: true}];
+  }
+
   // Refers to the stage set in the filter. The rate limit configuration only
   // applies to filters with the same stage number. The default stage number is
   // 0.
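Review bot: the `.. note::` under `format` has several grammar errors: "must contains only single valid substitution field" should be "must contain only a single valid substitution field", "If the format string not meets" should be "If the format string does not meet", "should generates" should be "should generate", and "not meet the requirement" should be "does not meet the requirement". On the logic: "One of the ``number`` or ``format`` fields should be set but not both" is stated twice but not enforced, since the two fields are not in a `oneof` and `ignore_empty: true` lets an empty `format` pass validation; either put them in a `oneof` or document what happens when both or neither are set. Also worth stating plainly that a substitution value failing the check causes the descriptor to be ignored rather than the request to be rejected, i.e. the limit fails open for that descriptor, which matters because the substituted value may derive from client-supplied data.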
@@ -2177,9 +2258,19 @@
   // .. note::
   //
   //   The filter supports a range of 0 - 10 inclusively for stage numbers.
+  //
+  // .. note::
+  //   This is not supported if the rate limit action is configured in the ``typed_per_filter_config`` like
+  //   :ref:`VirtualHost.typed_per_filter_config<envoy_v3_api_field_config.route.v3.VirtualHost.typed_per_filter_config>` or
+  //   :ref:`Route.typed_per_filter_config<envoy_v3_api_field_config.route.v3.Route.typed_per_filter_config>`, etc.
   google.protobuf.UInt32Value stage = 1 [(validate.rules).uint32 = {lte: 10}];

   // The key to be set in runtime to disable this rate limit configuration.
+  //
+  // .. note::
+  //   This is not supported if the rate limit action is configured in the ``typed_per_filter_config`` like
+  //   :ref:`VirtualHost.typed_per_filter_config<envoy_v3_api_field_config.route.v3.VirtualHost.typed_per_filter_config>` or
+  //   :ref:`Route.typed_per_filter_config<envoy_v3_api_field_config.route.v3.Route.typed_per_filter_config>`, etc.
   string disable_key = 2;

   // A list of actions that are to be applied for this rate limit configuration.
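Review bot: style, the two new `.. note::` blocks put the indented text directly on the line after the directive, whereas the existing notes in this file (the one on `stage` just above and the one in `HitsAddend`) leave a blank `//` line after `.. note::`; add the blank line for consistency with the file's RST convention.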
@@ -2194,7 +2285,38 @@
   // rate limit configuration. If the override value is invalid or cannot be resolved
   // from metadata, no override is provided. See :ref:`rate limit override
   // <config_http_filters_rate_limit_rate_limit_override>` for more information.
+  //
+  // .. note::
+  //   This is not supported if the rate limit action is configured in the ``typed_per_filter_config`` like
+  //   :ref:`VirtualHost.typed_per_filter_config<envoy_v3_api_field_config.route.v3.VirtualHost.typed_per_filter_config>` or
+  //   :ref:`Route.typed_per_filter_config<envoy_v3_api_field_config.route.v3.Route.typed_per_filter_config>`, etc.
   Override limit = 4;
+
+  // An optional hits addend to be appended to the descriptor produced by this rate limit
+  // configuration.
+  //
+  // .. note::
+  //   This is only supported if the rate limit action is configured in the ``typed_per_filter_config`` like
+  //   :ref:`VirtualHost.typed_per_filter_config<envoy_v3_api_field_config.route.v3.VirtualHost.typed_per_filter_config>` or
+  //   :ref:`Route.typed_per_filter_config<envoy_v3_api_field_config.route.v3.Route.typed_per_filter_config>`, etc.
+  HitsAddend hits_addend = 5;
+
+  // If true, the rate limit request will be applied when the stream completes. The default value is false.
+  // This is useful when the rate limit budget needs to reflect the response context that is not available
+  // on the request path.
+  //
+  // For example, let's say the upstream service calculates the usage statistics and returns them in the response body
+  // and we want to utilize these numbers to apply the rate limit action for the subsequent requests.
+  // Combined with another filter that can set the desired addend based on the response (e.g. Lua filter),
+  // this can be used to subtract the usage statistics from the rate limit budget.
+  //
+  // A rate limit applied on the stream completion is "fire-and-forget" by nature, and rate limit is not enforced by this config.
+  // In other words, the current request won't be blocked when this is true, but the budget will be updated for the subsequent
+  // requests based on the action with this field set to true. Users should ensure that the rate limit is enforced by the actions
+  // applied on the request path, i.e. the ones with this field set to false.
+  //
+  // Currently, this is only supported by the HTTP global rate filter.
+  bool apply_on_stream_done = 6;
 }

 // .. attention::
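Review bot: "the HTTP global rate filter" in the last line of the `apply_on_stream_done` comment should be "the HTTP global rate limit filter". The notes also read as contradictory at first sight: `stage`, `disable_key` and `limit` are "not supported" when the action is configured in `typed_per_filter_config`, while `hits_addend` is "only supported" there; one sentence explaining why the per-filter-config path differs would help. The explicit statement that a stream-completion rate limit is fire-and-forget and never blocks the current request is the important property here and is good to have in the doc.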

envoy/config/trace/v2/http_tracer.proto:

--- shake256:e7b69a0717e514f015bc7ed8d4e5895f4cafc2a0f8838fe9a273a6409b5d98c6901d9b81d0499ab71593d33c432aa311147aed2d1e6be173f7beb1783d6bc3e3
+++ shake256:4637407c3a7a724268ec49ee0bee774f940f60c54d7e13838a12ea9c6115fb34ed56fa20c31ab972a2c9d022616784038e940d2f40c43c0fbb3b85bc9f53bf36
@@ -41,7 +41,6 @@
     // - *envoy.tracers.zipkin*
     // - *envoy.tracers.dynamic_ot*
     // - *envoy.tracers.datadog*
-    // - *envoy.tracers.opencensus*
     // - *envoy.tracers.xray*
     string name = 1 [(validate.rules).string = {min_bytes: 1}];

@@ -52,7 +51,6 @@
     // - :ref:`ZipkinConfig <envoy_api_msg_config.trace.v2.ZipkinConfig>`
     // - :ref:`DynamicOtConfig <envoy_api_msg_config.trace.v2.DynamicOtConfig>`
     // - :ref:`DatadogConfig <envoy_api_msg_config.trace.v2.DatadogConfig>`
-    // - :ref:`OpenCensusConfig <envoy_api_msg_config.trace.v2.OpenCensusConfig>`
     // - :ref:`AWS X-Ray <envoy_api_msg_config.trace.v2alpha.XRayConfig>`
     oneof config_type {
       google.protobuf.Struct config = 2 [deprecated = true];

envoy/config/trace/v2/trace.proto:

--- shake256:094cfa68bd3487f0431634837080d454a8b2e98586eda16b8b19680ec14faf95baf4c126b126af66b3f36e2d9febe016a1ad951b637ed6a23d39643fda430b08
+++ shake256:db7a4656ca79bb7a54e54e6c6d0c7fe39871f6333f32084aceb29823252bc2bca6090d1f79bebf9c0d2cc9517cb9bbf730003164fe278bdb8777765738320a14
@@ -6,7 +6,6 @@
 import public "envoy/config/trace/v2/dynamic_ot.proto";
 import public "envoy/config/trace/v2/http_tracer.proto";
 import public "envoy/config/trace/v2/lightstep.proto";
-import public "envoy/config/trace/v2/opencensus.proto";
 import public "envoy/config/trace/v2/service.proto";
 import public "envoy/config/trace/v2/zipkin.proto";
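Review bot: removing `import public "envoy/config/trace/v2/opencensus.proto";` is a breaking change for any consumer that reached `OpenCensusConfig` transitively through `trace.proto`, and the same removal appears in the v3 `trace.proto` below; together with the doc-list removals in `http_tracer.proto` above this is a deliberate retirement of the OpenCensus tracer, so flag it as breaking in the release notes rather than as a doc cleanup.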

envoy/config/trace/v3/trace.proto:

--- shake256:551c5d40b27d1ff5aa20d50b89c5c7dc575461441074cd5f3e792f79c6415ebcafa2a09e63a2de8238083f612cf4baad070436ff03096c38fdca76be67fd5d85
+++ shake256:d0205fe3c89d1f582db76034f79b0ffc035a8bd2c0d6c1b2fa0a080c9836e3fc69ec5c01d2ff82fdb53d52c27ff9e55f424535eb83b118a5bfc4b96654d41f17
@@ -6,7 +6,6 @@
 import public "envoy/config/trace/v3/dynamic_ot.proto";
 import public "envoy/config/trace/v3/http_tracer.proto";
 import public "envoy/config/trace/v3/lightstep.proto";
-import public "envoy/config/trace/v3/opencensus.proto";
 import public "envoy/config/trace/v3/opentelemetry.proto";
 import public "envoy/config/trace/v3/service.proto";
 import public "envoy/config/trace/v3/zipkin.proto";

envoy/extensions/clusters/redis/v3/redis_cluster.proto:

--- shake256:b2825631e1699808e49fa48b5a06681dcbc154c279b4216d25b09b3cc26de12d7ca57e145aca2a0f47f9e12fd2501a71406b76b5785066d9cfa7b3593123bfeb
+++ shake256:5f8a02cf67b5c30f47a9459137ed47a77744906a5bb75baafbce675671109b7038b8464dc2b5e186728bd6360fa0d889df05ff944a21894a27d3cd2d7e38218b
@@ -44,14 +44,14 @@
 //       address: foo.bar.com
 //       port_value: 22120
 //     cluster_type:
-//     name: envoy.clusters.redis
-//     typed_config:
-//       "@type": type.googleapis.com/google.protobuf.Struct
-//       value:
-//         cluster_refresh_rate: 30s
-//         cluster_refresh_timeout: 0.5s
-//         redirect_refresh_interval: 10s
-//         redirect_refresh_threshold: 10
+//       name: envoy.clusters.redis
+//       typed_config:
+//         "@type": type.googleapis.com/google.protobuf.Struct
+//         value:
+//           cluster_refresh_rate: 30s
+//           cluster_refresh_timeout: 0.5s
+//           redirect_refresh_interval: 10s
+//           redirect_refresh_threshold: 10
 // [#extension: envoy.clusters.redis]

 // [#next-free-field: 7]
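Review bot: doc fix, not a behaviour change: in the old example `name`, `typed_config` and the rest were siblings of `cluster_type` rather than its children, so the YAML did not describe a valid cluster configuration; the re-indented version is the shape Envoy actually accepts.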

envoy/extensions/common/ratelimit/v3/ratelimit.proto:

--- shake256:2cac97036daba3cc748209bcfd974fde6952e6358c9fe6bfe44df0bcbc55237025638ad5be0d175675a72be75cd9ae42084bac3d14a72f8e0c8b9f50ddae5cd2
+++ shake256:acf97d4c6b5404951c13b3929354bb0613f3cc5cb4852a71f6d79b0fc37a40cd8e0b756a90fc1bbc2a11fd52b851fbd244dae48296a34873dcaeef73fa9ca421
@@ -5,6 +5,8 @@
 import "envoy/type/v3/ratelimit_unit.proto";
 import "envoy/type/v3/token_bucket.proto";

+import "google/protobuf/wrappers.proto";
+
 import "udpa/annotations/status.proto";
 import "udpa/annotations/versioning.proto";
 import "validate/validate.proto";
@@ -121,8 +123,19 @@

   // Optional rate limit override to supply to the ratelimit service.
   RateLimitOverride limit = 2;
+
+  // Optional hits_addend for the rate limit descriptor. If set the value will override the
+  // request level hits_addend.
+  google.protobuf.UInt64Value hits_addend = 3;
 }

+// Configuration used to enable local rate limiting.
+//
+// .. note::
+//   The ``LocalRateLimitDescriptor`` is used to configure a local rate limit rule with a token
+//   bucket algorithm. The ``RateLimitDescriptor`` is used to represent a list of symbols that
+//   are used to match against the rate limit rule.
+//
 message LocalRateLimitDescriptor {
   // Descriptor entries.
   repeated v3.RateLimitDescriptor.Entry entries = 1 [(validate.rules).repeated = {min_items: 1}];
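Review bot: `hits_addend` here is a bare `google.protobuf.UInt64Value` with no validation rule, whereas the route-level `HitsAddend.number` in `route_components.proto` is bounded with `(validate.rules).uint64 = {lte: 1000000000}`; if this descriptor-level value overrides the request-level one, the same bound should apply (or the difference be documented), otherwise the cap can be bypassed through this field. In the `LocalRateLimitDescriptor` note, "a list of symbols" is unusual wording; "a list of descriptor entries" matches the field below.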

envoy/extensions/filters/http/aws_request_signing/v3/aws_request_signing.proto:

--- shake256:310137d40f40fbc8d2c8464782f4df446daea5653788dd56af1818ac0aa0263cdd5591e312deefed88575646e23bc8cc7739e261d9494a81031b2c333211f505
+++ shake256:16743e9abc094d74cb488491197a0532e12c366aa9ca08f626567d642746c77f51d41fb061812c2e00ece48509131a6d1e0944c3802b62306a320ae73a49a4a0
@@ -2,6 +2,7 @@

 package envoy.extensions.filters.http.aws_request_signing.v3;

+import "envoy/extensions/common/aws/v3/credential_provider.proto";
 import "envoy/type/matcher/v3/string.proto";

 import "google/protobuf/duration.proto";
@@ -21,7 +22,7 @@
 // [#extension: envoy.filters.http.aws_request_signing]

 // Top level configuration for the AWS request signing filter.
-// [#next-free-field: 8]
+// [#next-free-field: 9]
 message AwsRequestSigning {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.aws_request_signing.v2alpha.AwsRequestSigning";
@@ -107,6 +108,10 @@
   // query_string: {}
   //
   QueryString query_string = 7;
+
+  // The credential provider for signing the request. This is optional and if not set,
+  // it will be retrieved from the procedure described in :ref:`config_http_filters_aws_request_signing`.
+  common.aws.v3.AwsCredentialProvider credential_provider = 8;
 }

 message AwsRequestSigningPerRoute {
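Review bot: the `credential_provider` comment should say whether the field can be overridden in `AwsRequestSigningPerRoute` (the message that immediately follows), since whether signing credentials are route-scoped or filter-scoped matters to operators. Also, if the chosen provider type carries static credentials inline, the filter configuration becomes secret-bearing and should be handled as such (delivered over an authenticated xDS channel, kept out of plain-text dumps); a sentence to that effect belongs here.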

envoy/extensions/filters/http/ext_authz/v3/ext_authz.proto:

--- shake256:bcdaba3dabbb7f5beda04e7e21f75c7840996e0b27d5717075293210efacd58a9cdd6abcbaac7fd0e4e1bf35204d13ab7d0b4df3c22c6689b9357892ebae6dcb
+++ shake256:cb69962e85abacb9240973a33cfde3c0751df04be12d99b5c8736416893a6d084fecfe9e9bdc6e6e29831ca852072f21ad08a501d1c105103dec24e7f43a8fad
@@ -53,7 +53,7 @@
   config.core.v3.ApiVersion transport_api_version = 12
       [(validate.rules).enum = {defined_only: true}];

-  //  Changes filter's behaviour on errors:
+  //  Changes filter's behavior on errors:
   //
   //  1. When set to true, the filter will ``accept`` client request even if the communication with
   //  the authorization service has failed, or if the authorization service has returned a HTTP 5xx
@@ -210,12 +210,12 @@
   //
   // .. note::
   //
-  //  1. For requests to an HTTP authorization server: in addition to the the user's supplied matchers, ``Host``, ``Method``, ``Path``,
+  //  1. For requests to an HTTP authorization server: in addition to the user's supplied matchers, ``Host``, ``Method``, ``Path``,
   //     ``Content-Length``, and ``Authorization`` are **additionally included** in the list.
   //
   // .. note::
   //
-  //  2. For requests to an HTTP authorization server: *Content-Length* will be set to 0 and the request to the
+  //  2. For requests to an HTTP authorization server: value of ``Content-Length`` will be set to 0 and the request to the
   //  authorization server will not have a message body. However, the check request can include the buffered
   //  client request body (controlled by :ref:`with_request_body
   //  <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>` setting),
@@ -243,11 +243,11 @@
   google.protobuf.BoolValue charge_cluster_response_stats = 20;

   // Whether to encode the raw headers (i.e. unsanitized values & unconcatenated multi-line headers)
-  // in authentication request. Works with both HTTP and GRPC clients.
+  // in authentication request. Works with both HTTP and gRPC clients.
   //
   // When this is set to true, header values are not sanitized. Headers with the same key will also
   // not be combined into a single, comma-separated header.
-  // Requests to GRPC services will populate the field
+  // Requests to gRPC services will populate the field
   // :ref:`header_map<envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.header_map>`.
   // Requests to HTTP services will be constructed with the unsanitized header values and preserved
   // multi-line headers with the same key.
@@ -255,7 +255,7 @@
   // If this field is set to false, header values will be sanitized, with any non-UTF-8-compliant
   // bytes replaced with '!'. Headers with the same key will have their values concatenated into a
   // single comma-separated header value.
-  // Requests to GRPC services will populate the field
+  // Requests to gRPC services will populate the field
   // :ref:`headers<envoy_v3_api_field_service.auth.v3.AttributeContext.HttpRequest.headers>`.
   // Requests to HTTP services will have their header values sanitized and will not preserve
   // multi-line headers with the same key.
@@ -300,12 +300,15 @@
   // When set to true, the filter will emit per-stream stats for access logging. The filter state
   // key will be the same as the filter name.
   //
-  // If using Envoy GRPC, emits latency, bytes sent / received, upstream info, and upstream cluster
-  // info. If not using Envoy GRPC, emits only latency. Note that stats are ONLY added to filter
+  // If using Envoy gRPC, emits latency, bytes sent / received, upstream info, and upstream cluster
+  // info. If not using Envoy gRPC, emits only latency. Note that stats are ONLY added to filter
   // state if a check request is actually made to an ext_authz service.
   //
   // If this is false the filter will not emit stats, but filter_metadata will still be respected if
   // it has a value.
+  //
+  // Field ``latency_us`` is exposed for CEL and logging when using gRPC or HTTP service.
+  // Fields ``bytesSent`` and ``bytesReceived`` are exposed for CEL and logging only when using gRPC service.
   bool emit_filter_state_stats = 29;
 }
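Review bot: the added doc names `latency_us` in snake_case but `bytesSent` and `bytesReceived` in camelCase; if these are the literal filter-state field names exposed to CEL and access logging, the inconsistency lives in the implementation and deserves a follow-up, and if not, the doc should use the real keys so that CEL expressions written from it actually resolve.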

@@ -396,8 +399,8 @@
   //
   // .. note::
   //
-  //   In addition to the the user's supplied matchers, ``Host``, ``Method``, ``Path``,
-  //   ``Content-Length``, and ``Authorization`` are **automatically included** to the list.
+  //   In addition to the user's supplied matchers, ``Host``, ``Method``, ``Path``,
+  //   ``Content-Length``, and ``Authorization`` are **automatically included** in the list.
   //
   // .. note::
   //
@@ -504,7 +507,7 @@
   // :ref:`with_request_body <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.ExtAuthz.with_request_body>`
   // option for a specific route.
   //
-  // Please note that only only one of *with_request_body* or
+  // Please note that only one of ``with_request_body`` or
   // :ref:`disable_request_body_buffering <envoy_v3_api_field_extensions.filters.http.ext_authz.v3.CheckSettings.disable_request_body_buffering>`
   // may be specified.
   BufferSettings with_request_body = 3;

envoy/extensions/filters/http/ext_proc/v3/ext_proc.proto:

--- shake256:96f79253b5bfde5ef7135f44060f331e7be2a90feee8a6f7c663872797a51922edc264fb78850b2d3a915868fa749c98f8df4d861adca563cb11b42a83855023
+++ shake256:351c700fdc79f734495275aa260893d6c24fb092e46a262587b4bdc2ac6ff3ca72882169529598449f54aff03ceb3915e9ad71e3e6b2d0010e93e3081fa87a0e
@@ -128,7 +128,6 @@
   config.core.v3.GrpcService grpc_service = 1
       [(udpa.annotations.field_migrate).oneof_promotion = "ext_proc_service_type"];

-  // [#not-implemented-hide:]
   // Configuration for the HTTP service that the filter will communicate with.
   // Only one of ``http_service`` or
   // :ref:`grpc_service <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.grpc_service>`.
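Review bot: dropping `[#not-implemented-hide:]` makes `http_service` a documented, supported option; that is a feature-level change and should come with a release-note entry. The now-visible comment "Only one of ``http_service`` or :ref:`grpc_service <...>`." reads as a sentence fragment; complete it, e.g. "... may be set."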

envoy/extensions/filters/http/ext_proc/v3/processing_mode.proto:

--- shake256:3cbdeb484885b41165ff35f6664b9d527ecc358af041691d29ff611dce8e87d6a9a2c408659cf6ba241117e35544dac01e13996cac51f46cc3b215351a4aef68
+++ shake256:8c4419111eb187a571b0ee7b60f1cc436450e5d263ccc007c90e58fdd029c2a5c7db789944e0a9963b1c53d37a311f5ec3e05cf1849f7c794fea38899ea406ea
@@ -36,11 +36,12 @@

   // Control how the request and response bodies are handled
   // When body mutation by external processor is enabled, ext_proc filter will always remove
-  // the content length header in three cases below because content length can not be guaranteed
+  // the content length header in four cases below because content length can not be guaranteed
   // to be set correctly:
   // 1) STREAMED BodySendMode: header processing completes before body mutation comes back.
   // 2) BUFFERED_PARTIAL BodySendMode: body is buffered and could be injected in different phases.
   // 3) BUFFERED BodySendMode + SKIP HeaderSendMode: header processing (e.g., update content-length) is skipped.
+  // 4) FULL_DUPLEX_STREAMED BodySendMode: header processing completes before body mutation comes back.
   //
   // In Envoy's http1 codec implementation, removing content length will enable chunked transfer
   // encoding whenever feasible. The recipient (either client or server) must be able
@@ -68,6 +69,37 @@
     // chunk. If the body exceeds the configured buffer limit, then the body contents
     // up to the buffer limit will be sent.
     BUFFERED_PARTIAL = 3;
+
+    // [#not-implemented-hide:]
+    // Envoy streams the body to the server in pieces as they arrive.
+    //
+    // 1) The server may choose to buffer any number chunks of data before processing them.
+    // After it finishes buffering, the server processes the buffered data. Then it splits the processed
+    // data into any number of chunks, and streams them back to Envoy one by one.
+    // The server may continuously do so until the complete body is processed.
+    // The individual response chunk size is recommended to be no greater than 64K bytes, or
+    // :ref:`max_receive_message_length <envoy_v3_api_field_config.core.v3.GrpcService.EnvoyGrpc.max_receive_message_length>`
+    // if EnvoyGrpc is used.
+    //
+    // 2) The server may also choose to buffer the entire message, including the headers (if header mode is
+    // ``SEND``), the entire body, and the trailers (if present), before sending back any response.
+    // The server response has to maintain the headers-body-trailers ordering.
+    //
+    // 3) Note that the server might also choose not to buffer data. That is, upon receiving a
+    // body request, it could process the data and send back a body response immediately.
+    //
+    // In this body mode:
+    // * The corresponding trailer mode has to be set to ``SEND``.
+    // * Envoy will send body and trailers (if present) to the server as they arrive.
+    //   Sending the trailers (if present) is to inform the server the complete body arrives.
+    //   In case there are no trailers, then Envoy will set
+    //   :ref:`end_of_stream <envoy_v3_api_field_service.ext_proc.v3.HttpBody.end_of_stream>`
+    //   to true as part of the last body chunk request to notify the server that no other data is to be sent.
+    // * The server needs to send
+    //   :ref:`StreamedBodyResponse <envoy_v3_api_msg_service.ext_proc.v3.StreamedBodyResponse>`
+    //   to Envoy in the body response.
+    // * Envoy will stream the body chunks in the responses from the server to the upstream/downstream as they arrive.
+    FULL_DUPLEX_STREAMED = 4;
   }

   // How to handle the request header. Default is "SEND".
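Review bot: the `FULL_DUPLEX_STREAMED = 4` entry states the constraint "The corresponding trailer mode has to be set to ``SEND``" but nothing in the hunk says how a violation is handled; document whether such a configuration is rejected at load time or degraded at runtime, since the enum value is selectable even while `[#not-implemented-hide:]` is set. Two grammar fixes in the same comment: "buffer any number chunks of data" should read "any number of chunks of data", and "to inform the server the complete body arrives" should read "has arrived".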

envoy/extensions/filters/http/header_mutation/v3/header_mutation.proto:

--- shake256:bfb99c27d1f622756132a259699a8819336023ee8c880afc07d145e58c49c71aac38a119ab5e187b86632758420c88f0299edd49bdf306179435f1d11ca19eec
+++ shake256:f1334a390dbbb3b9711cb629b4e99b90ee363a428192cfb2de8206c7cf0d69e852796baa9e3fa00fb9f40e419ee2ca6c6a8815223b9ce27f28c49a72ea39828e
@@ -3,6 +3,7 @@
 package envoy.extensions.filters.http.header_mutation.v3;

 import "envoy/config/common/mutation_rules/v3/mutation_rules.proto";
+import "envoy/config/core/v3/base.proto";

 import "udpa/annotations/status.proto";

@@ -19,6 +20,10 @@
   // The request mutations are applied before the request is forwarded to the upstream cluster.
   repeated config.common.mutation_rules.v3.HeaderMutation request_mutations = 1;

+  // The ``path`` header query parameter mutations are applied after ``request_mutations`` and before the request
+  // is forwarded to the next filter in the filter chain.
+  repeated config.core.v3.KeyValueMutation query_parameter_mutations = 3;
+
   // The response mutations are applied before the response is sent to the downstream client.
   repeated config.common.mutation_rules.v3.HeaderMutation response_mutations = 2;
 }
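Review bot: the comment on `query_parameter_mutations = 3` says the mutations are applied "before the request is forwarded to the next filter in the filter chain", while `request_mutations` two lines above says "before the request is forwarded to the upstream cluster"; use one phrasing, since both run at the same point in this filter, or spell out the intended difference. Field 3 is also declared between fields 1 and 2, which is legal but worth a `[#next-free-field: 4]` marker like the other messages in this diff carry, so the next addition does not reuse a number.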

envoy/extensions/filters/http/ip_tagging/v3/ip_tagging.proto:

--- shake256:7567b762ba006e5b9dad9a101e7f29e425ada45ead3c483d47a772b96b3d3cd0d62c48e9362371c183da8f994010952939edfe6088375d2422010737b7b65ed9
+++ shake256:e21dabe4f701068b930a6c2586ed13869ab20e7756b0ab88bf4730ac17d0eca7b68083f2fb86a8a15acf96150b78411dd840a35bb2865cceeb2c2840913e3f59
@@ -18,6 +18,7 @@
 // IP tagging :ref:`configuration overview <config_http_filters_ip_tagging>`.
 // [#extension: envoy.filters.http.ip_tagging]

+// [#next-free-field: 6]
 message IPTagging {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.http.ip_tagging.v2.IPTagging";
@@ -52,6 +53,38 @@
     repeated config.core.v3.CidrRange ip_list = 2;
   }

+  // Specify to which header the tags will be written.
+  message IpTagHeader {
+    // Describes how to apply the tags to the headers.
+    enum HeaderAction {
+      // (DEFAULT) The header specified in :ref:`ip_tag_header <envoy_v3_api_field_extensions.filters.http.ip_tagging.v3.IPTagging.ip_tag_header>`
+      // will be dropped, before the tags are applied. The incoming header will be "sanitized" regardless of whether the request is internal or external.
+      //
+      // Note that the header will be visible unsanitized to any filters that are invoked before the ip-tag-header filter, unless it has an *x-envoy* prefix.
+      SANITIZE = 0;
+
+      // Tags will be appended to the header specified in
+      // :ref:`ip_tag_header <envoy_v3_api_field_extensions.filters.http.ip_tagging.v3.IPTagging.ip_tag_header>`.
+      //
+      // Please note that this could cause the header to retain values set by the http client regardless of whether the request is internal or external.
+      APPEND_IF_EXISTS_OR_ADD = 1;
+    }
+
+    // Header to use for ip-tagging.
+    //
+    // This header will be sanitized based on the config in
+    // :ref:`action <envoy_v3_api_field_extensions.filters.http.ip_tagging.v3.IPTagging.IpTagHeader.action>`
+    // rather than the defaults for x-envoy prefixed headers.
+    string header = 1
+        [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
+
+    // Control if the :ref:`header <envoy_v3_api_field_extensions.filters.http.ip_tagging.v3.IPTagging.IpTagHeader.header>`
+    // will be sanitized, or be appended to.
+    //
+    // Default: *SANITIZE*.
+    HeaderAction action = 2;
+  }
+
   // The type of request the filter should apply to.
   RequestType request_type = 1 [(validate.rules).enum = {defined_only: true}];
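Review bot: `HeaderAction action = 2;` in the new `IpTagHeader` message has no `[(validate.rules).enum = {defined_only: true}]`, unlike `request_type` in the trailing context of this hunk, so an out-of-range value passes config validation and is left for the filter code to interpret; add the rule if that is not intended. Also, "Default: *SANITIZE*" uses RST emphasis where the rest of the file uses double-backtick literals for values; write ``SANITIZE``.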

@@ -59,4 +92,9 @@
   // Tracked by issue https://github.com/envoyproxy/envoy/issues/2695]
   // The set of IP tags for the filter.
   repeated IPTag ip_tags = 4 [(validate.rules).repeated = {min_items: 1}];
+
+  // Specify to which header the tags will be written.
+  //
+  // If left unspecified, the tags will be appended to the ``x-envoy-ip-tags`` header.
+  IpTagHeader ip_tag_header = 5;
 }
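Review bot: the comment on `ip_tag_header = 5` says that when unspecified the tags "will be appended to the ``x-envoy-ip-tags`` header", but the `IpTagHeader` message defined earlier in this diff defaults `action` to `SANITIZE`, so setting `ip_tag_header` with only `header: x-envoy-ip-tags` changes behaviour from append to drop-then-set. State that explicitly here, since operators will reasonably expect the empty message to be equivalent to the default.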

envoy/extensions/filters/http/oauth2/v3/oauth.proto:

--- shake256:f659f1c5f5c4faa4a6fb78e45a030b747d6e2be21eb6969e54f89a4c0189849e5fe5920ca6695f898b050c7c595dbe3cf31823cb5c70b115d66fe1074ed811e3
+++ shake256:11f45c677f93182f5a7f82fb48ca417bbf204674684d823868a85fc0d1199404604c5b9753b20abed6e87ebe66b6d20a82f9e9deb5f79be528c4c08cb6835674
@@ -148,7 +148,7 @@

   // If set to true, allows automatic access token refresh using the associated refresh token (see
   // `RFC 6749 section 6 <https://datatracker.ietf.org/doc/html/rfc6749#section-6>`_), provided that the OAuth server supports that.
-  // Default value is false.
+  // Default value is true.
   google.protobuf.BoolValue use_refresh_token = 12;

   // The default lifetime in seconds of the access token, if omitted by the authorization server.
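Review bot: flipping the documented default of `use_refresh_token` from false to true is a behaviour change for every existing config that leaves the field unset (the wrapper type `google.protobuf.BoolValue` distinguishes unset from false), and the comment gives no indication of when it changed; add the release in which the default flipped, and confirm the implementation actually treats an unset value as true rather than this being only a documentation correction.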

envoy/extensions/filters/http/ratelimit/v3/rate_limit.proto:

--- shake256:586c03f4458170c4f6124a7ca70c2347f0af3015a4baf611f1efeb5ec9fdc1dfbdffd87e6518c78202e9af9cba8a104c04f4ab095b5fee206ea7017449baa126
+++ shake256:3e1e879b6ddede1c4891287c1d075cc4f34f19e1ea15deee2125a63c00d86985d2857b186c8885dd09b51f0d76d081a5a12b88d096cba8766cb478144a9ba400
@@ -3,10 +3,8 @@
 package envoy.extensions.filters.http.ratelimit.v3;

 import "envoy/config/core/v3/base.proto";
-import "envoy/config/core/v3/extension.proto";
 import "envoy/config/ratelimit/v3/rls.proto";
 import "envoy/config/route/v3/route_components.proto";
-import "envoy/type/metadata/v3/metadata.proto";
 import "envoy/type/v3/http_status.proto";

 import "google/protobuf/duration.proto";
@@ -134,221 +132,6 @@
   // Optional additional prefix to use when emitting statistics. This allows to distinguish
   // emitted statistics between configured ``ratelimit`` filters in an HTTP filter chain.
   string stat_prefix = 13;
-}
-
-// Global rate limiting :ref:`architecture overview <arch_overview_global_rate_limit>`.
-// Also applies to Local rate limiting :ref:`using descriptors <config_http_filters_local_rate_limit_descriptors>`.
-// [#not-implemented-hide:]
-message RateLimitConfig {
-  // [#next-free-field: 10]
-  message Action {
-    // The following descriptor entry is appended to the descriptor:
-    //
-    // .. code-block:: cpp
-    //
-    //   ("source_cluster", "<local service cluster>")
-    //
-    // <local service cluster> is derived from the :option:`--service-cluster` option.
-    message SourceCluster {
-    }
-
-    // The following descriptor entry is appended to the descriptor:
-    //
-    // .. code-block:: cpp
-    //
-    //   ("destination_cluster", "<routed target cluster>")
-    //
-    // Once a request matches against a route table rule, a routed cluster is determined by one of
-    // the following :ref:`route table configuration <envoy_v3_api_msg_config.route.v3.RouteConfiguration>`
-    // settings:
-    //
-    // * :ref:`cluster <envoy_v3_api_field_config.route.v3.RouteAction.cluster>` indicates the upstream cluster
-    //   to route to.
-    // * :ref:`weighted_clusters <envoy_v3_api_field_config.route.v3.RouteAction.weighted_clusters>`
-    //   chooses a cluster randomly from a set of clusters with attributed weight.
-    // * :ref:`cluster_header <envoy_v3_api_field_config.route.v3.RouteAction.cluster_header>` indicates which
-    //   header in the request contains the target cluster.
-    message DestinationCluster {
-    }
-
-    // The following descriptor entry is appended when a header contains a key that matches the
-    // ``header_name``:
-    //
-    // .. code-block:: cpp
-    //
-    //   ("<descriptor_key>", "<header_value_queried_from_header>")
-    message RequestHeaders {
-      // The header name to be queried from the request headers. The header’s
-      // value is used to populate the value of the descriptor entry for the
-      // descriptor_key.
-      string header_name = 1
-          [(validate.rules).string = {min_len: 1 well_known_regex: HTTP_HEADER_NAME strict: false}];
-
-      // The key to use in the descriptor entry.
-      string descriptor_key = 2 [(validate.rules).string = {min_len: 1}];
-
-      // If set to true, Envoy skips the descriptor while calling rate limiting service
-      // when header is not present in the request. By default it skips calling the
-      // rate limiting service if this header is not present in the request.
-      bool skip_if_absent = 3;
-    }
-
-    // The following descriptor entry is appended to the descriptor and is populated using the
-    // trusted address from :ref:`x-forwarded-for <config_http_conn_man_headers_x-forwarded-for>`:
-    //
-    // .. code-block:: cpp
-    //
-    //   ("remote_address", "<trusted address from x-forwarded-for>")
-    message RemoteAddress {
-    }
-
-    // The following descriptor entry is appended to the descriptor:
-    //
-    // .. code-block:: cpp
-    //
-    //   ("generic_key", "<descriptor_value>")
-    message GenericKey {
-      // The value to use in the descriptor entry.
-      string descriptor_value = 1 [(validate.rules).string = {min_len: 1}];
-
-      // An optional key to use in the descriptor entry. If not set it defaults
-      // to 'generic_key' as the descriptor key.
-      string descriptor_key = 2;
-    }
-
-    // The following descriptor entry is appended to the descriptor:
-    //
-    // .. code-block:: cpp
-    //
-    //   ("header_match", "<descriptor_value>")
-    message HeaderValueMatch {
-      // The value to use in the descriptor entry.
-      string descriptor_value = 1 [(validate.rules).string = {min_len: 1}];
-
-      // If set to true, the action will append a descriptor entry when the
-      // request matches the headers. If set to false, the action will append a
-      // descriptor entry when the request does not match the headers. The
-      // default value is true.
-      bool expect_match = 2;
-
-      // Specifies a set of headers that the rate limit action should match
-      // on. The action will check the request’s headers against all the
-      // specified headers in the config. A match will happen if all the
-      // headers in the config are present in the request with the same values
-      // (or based on presence if the value field is not in the config).
-      repeated config.route.v3.HeaderMatcher headers = 3
-          [(validate.rules).repeated = {min_items: 1}];
-    }
-
-    // The following descriptor entry is appended when the metadata contains a key value:
-    //
-    // .. code-block:: cpp
-    //
-    //   ("<descriptor_key>", "<value_queried_from_metadata>")
-    // [#next-free-field: 6]
-    message MetaData {
-      enum Source {
-        // Query :ref:`dynamic metadata <well_known_dynamic_metadata>`
-        DYNAMIC = 0;
-
-        // Query :ref:`route entry metadata <envoy_v3_api_field_config.route.v3.Route.metadata>`
-        ROUTE_ENTRY = 1;
-      }
-
-      // The key to use in the descriptor entry.
-      string descriptor_key = 1 [(validate.rules).string = {min_len: 1}];
-
-      // Metadata struct that defines the key and path to retrieve the string value. A match will
-      // only happen if the value in the metadata is of type string.
-      type.metadata.v3.MetadataKey metadata_key = 2 [(validate.rules).message = {required: true}];
-
-      // An optional value to use if ``metadata_key`` is empty. If not set and
-      // no value is present under the metadata_key then ``skip_if_absent`` is followed to
-      // skip calling the rate limiting service or skip the descriptor.
-      string default_value = 3;
-
-      // Source of metadata
-      Source source = 4 [(validate.rules).enum = {defined_only: true}];
-
-      // If set to true, Envoy skips the descriptor while calling rate limiting service
-      // when ``metadata_key`` is empty and ``default_value`` is not set. By default it skips calling the
-      // rate limiting service in that case.
-      bool skip_if_absent = 5;
-    }
-
-    oneof action_specifier {
-      option (validate.required) = true;
-
-      // Rate limit on source cluster.
-      SourceCluster source_cluster = 1;
-
-      // Rate limit on destination cluster.
-      DestinationCluster destination_cluster = 2;
-
-      // Rate limit on request headers.
-      RequestHeaders request_headers = 3;
-
-      // Rate limit on remote address.
-      RemoteAddress remote_address = 4;
-
-      // Rate limit on a generic key.
-      GenericKey generic_key = 5;
-
-      // Rate limit on the existence of request headers.
-      HeaderValueMatch header_value_match = 6;
-
-      // Rate limit on metadata.
-      MetaData metadata = 8;
-
-      // Rate limit descriptor extension. See the rate limit descriptor extensions documentation.
-      // [#extension-category: envoy.rate_limit_descriptors]
-      config.core.v3.TypedExtensionConfig extension = 9;
-    }
-  }
-
-  message Override {
-    // Fetches the override from the dynamic metadata.
-    message DynamicMetadata {
-      // Metadata struct that defines the key and path to retrieve the struct value.
-      // The value must be a struct containing an integer "requests_per_unit" property
-      // and a "unit" property with a value parseable to :ref:`RateLimitUnit
-      // enum <envoy_v3_api_enum_type.v3.RateLimitUnit>`
-      type.metadata.v3.MetadataKey metadata_key = 1 [(validate.rules).message = {required: true}];
-    }
-
-    oneof override_specifier {
-      option (validate.required) = true;
-
-      // Limit override from dynamic metadata.
-      DynamicMetadata dynamic_metadata = 1;
-    }
-  }
-
-  // Refers to the stage set in the filter. The rate limit configuration only
-  // applies to filters with the same stage number. The default stage number is
-  // 0.
-  //
-  // .. note::
-  //
-  //   The filter supports a range of 0 - 10 inclusively for stage numbers.
-  uint32 stage = 1 [(validate.rules).uint32 = {lte: 10}];
-
-  // The key to be set in runtime to disable this rate limit configuration.
-  string disable_key = 2;
-
-  // A list of actions that are to be applied for this rate limit configuration.
-  // Order matters as the actions are processed sequentially and the descriptor
-  // is composed by appending descriptor entries in that sequence. If an action
-  // cannot append a descriptor entry, no descriptor is generated for the
-  // configuration. See :ref:`composing actions
-  // <config_http_filters_rate_limit_composing_actions>` for additional documentation.
-  repeated Action actions = 3 [(validate.rules).repeated = {min_items: 1}];
-
-  // An optional limit override to be appended to the descriptor produced by this
-  // rate limit configuration. If the override value is invalid or cannot be resolved
-  // from metadata, no override is provided. See :ref:`rate limit override
-  // <config_http_filters_rate_limit_rate_limit_override>` for more information.
-  Override limit = 4;
 }

 message RateLimitPerRoute {
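Review bot: deleting `message RateLimitConfig` together with its nested `Action`, `Override` and `MetaData` types is only safe because the message is marked `[#not-implemented-hide:]` and its sole use, `rate_limits = 3` in `RateLimitPerRoute`, is retyped in the next hunk; please confirm no other proto in the tree imports it, and note that the two imports dropped in the first hunk (`extension.proto`, `metadata.proto`) were used only by these removed types.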
@@ -388,11 +171,24 @@
   // [#not-implemented-hide:]
   OverrideOptions override_option = 2 [(validate.rules).enum = {defined_only: true}];

-  // Rate limit configuration. If not set, uses the
+  // Rate limit configuration that is used to generate a list of descriptor entries based on
+  // the request context. The generated entries will be used to find one or multiple matched rate
+  // limit rule from the ``descriptors``.
+  // If this is set, then
   // :ref:`VirtualHost.rate_limits<envoy_v3_api_field_config.route.v3.VirtualHost.rate_limits>` or
-  // :ref:`RouteAction.rate_limits<envoy_v3_api_field_config.route.v3.RouteAction.rate_limits>` fields instead.
-  // [#not-implemented-hide:]
-  repeated RateLimitConfig rate_limits = 3;
+  // :ref:`RouteAction.rate_limits<envoy_v3_api_field_config.route.v3.RouteAction.rate_limits>` fields
+  // will be ignored.
+  //
+  // .. note::
+  //   Not all configuration fields of
+  //   :ref:`rate limit config <envoy_v3_api_msg_config.route.v3.RateLimit>` is supported at here.
+  //   Following fields are not supported:
+  //
+  //   1. :ref:`rate limit stage <envoy_v3_api_field_config.route.v3.RateLimit.stage>`.
+  //   2. :ref:`dynamic metadata <envoy_v3_api_field_config.route.v3.RateLimit.Action.dynamic_metadata>`.
+  //   3. :ref:`disable_key <envoy_v3_api_field_config.route.v3.RateLimit.disable_key>`.
+  //   4. :ref:`override limit <envoy_v3_api_field_config.route.v3.RateLimit.limit>`.
+  repeated config.route.v3.RateLimit rate_limits = 3;

   // Overrides the domain. If not set, uses the filter-level domain instead.
   string domain = 4;
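Review bot: retyping field 3 from the removed `RateLimitConfig` to `config.route.v3.RateLimit` keeps the same field number, which is acceptable only because the old type was never implemented; that reasoning belongs in the commit message. In the new comment, "one or multiple matched rate limit rule" should be "rules", and the note text "is supported at here. Following fields are not supported:" should read "are supported here. The following fields are not supported:".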

envoy/extensions/filters/http/stateful_session/v3/stateful_session.proto:

--- shake256:532595e7787577d06e8907488109b721bb5d57ca48f577a1d99371957e3b1329c000bacce99d40b7e58c374cef7d514df54792573fdfd4e023619bda5216d249
+++ shake256:c29c6d22b41d00bd1a0c1ef267637fc69e8e43dcbe035dca36946ca152031f28cc5fb3773ece8c10b5051c9bf41f183abe458845d060c5b154c34265cf5368bf
@@ -18,14 +18,16 @@
 // [#extension: envoy.filters.http.stateful_session]

 message StatefulSession {
-  // Specific implementation of session state. This session state will be used to store and
-  // get address of the upstream host to which the session is assigned.
+  // Specifies the implementation of session state. This session state is used to store and retrieve the address of the
+  // upstream host assigned to the session.
   //
   // [#extension-category: envoy.http.stateful_session]
   config.core.v3.TypedExtensionConfig session_state = 1;

-  // If set to True, the HTTP request must be routed to the requested destination.
-  // If the requested destination is not available, Envoy returns 503. Defaults to False.
+  // Determines whether the HTTP request must be strictly routed to the requested destination. When set to ``true``,
+  // if the requested destination is unavailable, Envoy will return a 503 status code. The default value is ``false``,
+  // which allows Envoy to fall back to its load balancing mechanism. In this case, if the requested destination is not
+  // found, the request will be routed according to the load balancing algorithm.
   bool strict = 2;
 }

envoy/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto:

--- shake256:f33453cef40c288bfd69f201bed5eafabf45180518e7c637e2b86a7f6fed812632582561abb80e0ebfaa23e658ff3344508cf7607c0123ab22d49bc34abd39b6
+++ shake256:c8daed978d22da1c6d9cfa605dabc020dece377ceda612fc6b219731e3eab82fea4a6d97ab9c7d875eec2ffeb37a216a2d4a9d1a289bde799d58600fafb88815
@@ -185,14 +185,6 @@

     // Configuration for an external tracing provider.
     // If not specified, no tracing will be performed.
-    //
-    // .. attention::
-    //   Please be aware that ``envoy.tracers.opencensus`` provider can only be configured once
-    //   in Envoy lifetime.
-    //   Any attempts to reconfigure it or to use different configurations for different HCM filters
-    //   will be rejected.
-    //   Such a constraint is inherent to OpenCensus itself. It cannot be overcome without changes
-    //   on OpenCensus side.
     config.trace.v3.Tracing.Http provider = 9;

     // Create separate tracing span for each upstream request if true. And if this flag is set to true,
@@ -691,7 +683,7 @@
   // information about internal/external addresses.
   //
   // .. warning::
-  //     In the next release, no IP addresses will be considered trusted. If you have tooling such as probes
+  //     As of Envoy 1.33.0 no IP addresses will be considered trusted. If you have tooling such as probes
   //     on your private network which need to be treated as trusted (e.g. changing arbitrary x-envoy headers)
   //     you will have to manually include those addresses or CIDR ranges like:
   //
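Review bot: "As of Envoy 1.33.0 no IP addresses will be considered trusted" mixes "as of" with the future tense; it should read "are considered trusted". Since this changes which sources may set x-envoy headers, this warning is where operators decide whether to opt back in, so it should also say plainly that anyone relying on the previous default now has probes and other private-network tooling treated as external until those addresses or CIDR ranges are listed.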

envoy/extensions/filters/network/rbac/v3/rbac.proto:

--- shake256:e09ee9d9fe54eaaaa8466a10f77a83a1b4f9204fd57142fb0185ab71880589d95619efb53e3a73f884d5886cdf99df927e8cb2795f971f4113040075be43b57b
+++ shake256:aa88a5a272e85552ea9c02d9411ff0a545d9c0a4a0345db2c7c9ffa173ccb554d5c904b8fb177c2fd608c47feebe16457071b0eb1bfa401314d07008da49478e
@@ -4,6 +4,8 @@

 import "envoy/config/rbac/v3/rbac.proto";

+import "google/protobuf/duration.proto";
+
 import "xds/annotations/v3/status.proto";
 import "xds/type/matcher/v3/matcher.proto";

@@ -26,7 +28,7 @@
 //
 // Header should not be used in rules/shadow_rules in RBAC network filter as
 // this information is only available in :ref:`RBAC http filter <config_http_filters_rbac>`.
-// [#next-free-field: 8]
+// [#next-free-field: 9]
 message RBAC {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.config.filter.network.rbac.v2.RBAC";
@@ -87,4 +89,10 @@
   // every payload (e.g., Mongo, MySQL, Kafka) set the enforcement type to
   // CONTINUOUS to enforce RBAC policies on every message boundary.
   EnforcementType enforcement_type = 4;
+
+  // Delay the specified duration before closing the connection when the policy evaluation
+  // result is ``DENY``. If this is not present, the connection will be closed immediately.
+  // This is useful to provide a better protection for Envoy against clients that retries
+  // aggressively when the connection is rejected by the RBAC filter.
+  google.protobuf.Duration delay_deny = 8;
 }
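Review bot: `delay_deny` keeps a denied connection open for the configured duration, so each aggressive client now pins a file descriptor and connection state for that long instead of being released immediately; the comment should mention that cost and that the field is meant to be combined with listener connection limits, and a `(validate.rules).duration` upper bound would stop a mistyped value from holding connections for hours. Grammar: "clients that retries aggressively" should be "clients that retry aggressively", and "provide a better protection" should be "provide better protection".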

envoy/extensions/filters/network/sni_dynamic_forward_proxy/v3/sni_dynamic_forward_proxy.proto:

--- shake256:750023e2431f43fc789d68c7c8f7d818e12e8f2f12015898e8ca1f3c0baf3a487e9ff19da63c7581997f27c48bf4783f3698975623b03ead56b61a2c7c5a5433
+++ shake256:e3ea7ba1c2fcc332e031713bde4b92e894ad6d650df9355b1d6cfd29439fe33578be62cba39f88f3c8a8845edeb0fae6a15a7874043b40b4f45e566c639bb19b
@@ -33,4 +33,10 @@
     // The port number to connect to the upstream.
     uint32 port_value = 2 [(validate.rules).uint32 = {lte: 65535 gt: 0}];
   }
+
+  // When this flag is set, the filter will add the resolved upstream address in the filter
+  // state. The state should be saved with key
+  // ``envoy.stream.upstream_address`` (See
+  // :repo:`upstream_address.h<source/common/stream_info/upstream_address.h>`).
+  bool save_upstream_address = 3;
 }
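Review bot: "The state should be saved with key ``envoy.stream.upstream_address``" reads as an instruction to the user rather than a description of what the filter does; rewrite as "The address is stored in the filter state under the key ``envoy.stream.upstream_address``" so it is clear the filter, not the operator, writes it.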

envoy/extensions/filters/network/tcp_proxy/v3/tcp_proxy.proto:

--- shake256:bc71bde4d07136047c1b2d30b4be42aa988af31527c49a1c7c447c9908fa77fa67f086f793d8e76e55b3d8d94d8d4cfeb5edcc78fbda23963a7b1d22722c1586
+++ shake256:13d28573480c0a3b4318af035def7a2044fd80b1e2976cc9d869d3d91e23eba5a81d0f7aaf7392fd2988a302f55e78feeca582d86a5257ee7c36c350f937f4b8
@@ -175,9 +175,9 @@
   // :ref:`TcpProxy.weighted_clusters <envoy_v3_api_field_extensions.filters.network.tcp_proxy.v3.TcpProxy.weighted_clusters>`.
   OnDemand on_demand = 14;

-  // Optional endpoint metadata match criteria. Only endpoints in the upstream
-  // cluster with metadata matching that set in metadata_match will be
-  // considered. The filter name should be specified as ``envoy.lb``.
+  // Optional endpoint metadata match criteria used by the subset load balancer. Only endpoints
+  // in the upstream cluster with metadata matching what is set in this field will be considered
+  // for load balancing. The filter name should be specified as ``envoy.lb``.
   config.core.v3.Metadata metadata_match = 9;

   // The idle timeout for connections managed by the TCP proxy filter. The idle timeout

envoy/extensions/filters/udp/udp_proxy/v3/udp_proxy.proto:

--- shake256:da58c0d63022f4ecc409fe9a308773caa1f04291829ac0906a120f831ec253afe1e323b1eebda423c36f36ade18f538731765942ef57c123d80e11092a8273f5
+++ shake256:90c9a5e1b2bfe3cf7dccc8cb444c46a99c9214ab0a7b0c78c19f9f9cdb9787c35a1a85547849ae858e97f440352069bbabe91c5efeb9d8643c457a64737ac00c
@@ -3,6 +3,7 @@
 package envoy.extensions.filters.udp.udp_proxy.v3;

 import "envoy/config/accesslog/v3/accesslog.proto";
+import "envoy/config/core/v3/backoff.proto";
 import "envoy/config/core/v3/base.proto";
 import "envoy/config/core/v3/config_source.proto";
 import "envoy/config/core/v3/udp_socket_config.proto";
@@ -91,6 +92,9 @@
       // The maximum number of unsuccessful connection attempts that will be made before giving up.
       // If the parameter is not specified, 1 connection attempt will be made.
       google.protobuf.UInt32Value max_connect_attempts = 1;
+
+      // Sets the backoff strategy. If not set, the retries are performed without backoff.
+      config.core.v3.BackoffStrategy backoff_options = 2;
     }

     // The hostname to send in the synthesized CONNECT headers to the upstream proxy.
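Review bot: the comment on `backoff_options` should say how it interacts with `max_connect_attempts` just above it: with the default of a single attempt there is nothing to back off between, so the strategy only takes effect when `max_connect_attempts` is greater than 1. Something like "Applies between consecutive attempts when ``max_connect_attempts`` is greater than 1." would make that explicit.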

envoy/extensions/network/dns_resolver/cares/v3/cares_dns_resolver.proto:

--- shake256:1c6ba65dd95ab332632371fdb86add708728e3f9b9a023ed2e8a3991e8a578d5ed723e4953b8bc146106d48ebfe2dae46743b7a6b53309d53de46eb46659a314
+++ shake256:51c726cd9b4aa56a62db2e6abd3546cc72958033365ca62c6c69b134d91d658ec04b82d64910f062d70c085f07bac3d93ee567493207ac3c736ec52cbcde847b
@@ -20,13 +20,13 @@
 // [#extension: envoy.network.dns_resolver.cares]

 // Configuration for c-ares DNS resolver.
-// [#next-free-field: 6]
+// [#next-free-field: 9]
 message CaresDnsResolverConfig {
   // A list of dns resolver addresses.
   // :ref:`use_resolvers_as_fallback<envoy_v3_api_field_extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig.use_resolvers_as_fallback>`
   // below dictates if the DNS client should override system defaults or only use the provided
   // resolvers if the system defaults are not available, i.e., as a fallback.
-  repeated config.core.v3.Address resolvers = 1 [(validate.rules).repeated = {min_items: 1}];
+  repeated config.core.v3.Address resolvers = 1;

   // If true use the resolvers listed in the
   // :ref:`resolvers<envoy_v3_api_field_extensions.network.dns_resolver.cares.v3.CaresDnsResolverConfig.resolvers>`
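Review bot: dropping `min_items: 1` from `resolvers` makes an empty list valid, but the field comment still assumes at least one address; say what an empty list means (presumably fall back to the system resolvers regardless of `use_resolvers_as_fallback`) so the relaxed validation does not leave the semantics implicit.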
@@ -48,4 +48,24 @@
   // This option allows for number of UDP based DNS queries to be capped. Note, this
   // is only applicable to c-ares DNS resolver currently.
   google.protobuf.UInt32Value udp_max_queries = 5;
+
+  // The number of seconds each name server is given to respond to a query on the first try of any given server.
+  //
+  // Note: While the c-ares library defaults to 2 seconds, Envoy's default (if this field is unset) is 5 seconds.
+  // This adjustment was made to maintain the previous behavior after users reported an increase in DNS resolution times.
+  google.protobuf.UInt64Value query_timeout_seconds = 6 [(validate.rules).uint64 = {gte: 1}];
+
+  // The maximum number of query attempts the resolver will make before giving up.
+  // Each attempt may use a different name server.
+  //
+  // Note: While the c-ares library defaults to 3 attempts, Envoy's default (if this field is unset) is 4 attempts.
+  // This adjustment was made to maintain the previous behavior after users reported an increase in DNS resolution times.
+  google.protobuf.UInt32Value query_tries = 7 [(validate.rules).uint32 = {gte: 1}];
+
+  // Enable round-robin selection of name servers for DNS resolution. When enabled, the resolver will cycle through the
+  // list of name servers for each resolution request. This can help distribute the query load across multiple name
+  // servers. If disabled (default), the resolver will try name servers in the order they are configured.
+  //
+  // Note: This setting overrides any system configuration for name server rotation.
+  bool rotate_nameservers = 8;
 }

envoy/extensions/transport_sockets/proxy_protocol/v3/upstream_proxy_protocol.proto:

--- shake256:df9ebfc34d1b325add35ee4e78ca45e876ad3661ff91038df42d95b4a0a9a6363e371001d251f78fabc0d38c4d20964a023557169e31c5593e41833e6a366394
+++ shake256:432449b6de25f852f1c6d8ebb4df1376dfa0042cfa816a7906cafa4739032b3f66f887a2d85fbc00c2e6fd948515acb3732d7be761bf2e9af2d1739dde866b91
@@ -24,4 +24,13 @@

   // The underlying transport socket being wrapped.
   config.core.v3.TransportSocket transport_socket = 2 [(validate.rules).message = {required: true}];
+
+  // If this is set to true, the null addresses are allowed in the PROXY protocol header.
+  // The proxy protocol header encodes the null addresses to AF_UNSPEC.
+  // [#not-implemented-hide:]
+  bool allow_unspecified_address = 3;
+
+  // If true, all the TLVs are encoded in the connection pool key.
+  // [#not-implemented-hide:]
+  bool tlv_as_pool_key = 4;
 }
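Review bot: `tlv_as_pool_key` says all TLVs become part of the connection pool key, which means every distinct TLV set gets its own upstream pool; if any TLV carries values that vary per downstream connection, pool cardinality grows with client input, so the comment should state the expected bound or warn against forwarding client-controlled TLVs. Both new fields are `[#not-implemented-hide:]`, so this can be settled in the documentation before the implementation lands.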

envoy/extensions/transport_sockets/tls/v3/common.proto:

--- shake256:3b0dd2de3c89a7ab2566ee1320ce04bd89c5d6495034d249441d72743e962f2c0b7ac3befc2347bc1db5598d3f114245530f3fee5a7e4d18dadbe88a239ab4fb
+++ shake256:c532345a4b2414764b040b34e5a2e9d71f496fdd34ca36725f4cae2d461cebe13c64c22c958f310b678440f349f8e34d468241d5f321d5a8b1358f755ab3f749
@@ -232,12 +232,13 @@
   config.core.v3.WatchedDirectory watched_directory = 7;

   // BoringSSL private key method provider. This is an alternative to :ref:`private_key
-  // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` field. This can't be
-  // marked as ``oneof`` due to API compatibility reasons. Setting both :ref:`private_key
-  // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` and
-  // :ref:`private_key_provider
-  // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key_provider>` fields will result in an
-  // error.
+  // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` field.
+  // When both :ref:`private_key <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key>` and
+  // :ref:`private_key_provider <envoy_v3_api_field_extensions.transport_sockets.tls.v3.TlsCertificate.private_key_provider>` fields are set,
+  // ``private_key_provider`` takes precedence.
+  // If ``private_key_provider`` is unavailable and :ref:`fallback
+  // <envoy_v3_api_field_extensions.transport_sockets.tls.v3.PrivateKeyProvider.fallback>`
+  // is enabled, ``private_key`` will be used.
   PrivateKeyProvider private_key_provider = 6;

   // The password to decrypt the TLS private key. If this field is not set, it is assumed that the
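Review bot: the rewritten comment turns a previously rejected configuration (both `private_key` and `private_key_provider` set "will result in an error") into an accepted one where the provider wins; that is a silent semantic change for configs that used to fail at load, so the comment or commit message should say from which release the precedence rule applies, and it should also state what happens when the provider is unavailable and `fallback` is not enabled (handshake failure, or load-time error?).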

envoy/extensions/transport_sockets/tls/v3/tls.proto:

--- shake256:0fe8b5a1642bcf743430dbf235b959e4fa16314f44d365b500f25832e090b9c8360c02fb4036d2ba3fb70655450fce36707974a9c81c5205eb18226893512a7c
+++ shake256:0711d88a9129014e77db8a918e6b1ff5fd7dd6f1e2e19cce9573ea29c253d700594809a424beebdb28ce10898b9c1db5ae88c05ae4b0cd139821dd502e6f68f2
@@ -25,7 +25,7 @@
 // [#extension: envoy.transport_sockets.tls]
 // The TLS contexts below provide the transport socket configuration for upstream/downstream TLS.

-// [#next-free-field: 6]
+// [#next-free-field: 8]
 message UpstreamTlsContext {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.auth.UpstreamTlsContext";
@@ -34,14 +34,32 @@
   //
   // .. attention::
   //
-  //   Server certificate verification is not enabled by default. Configure
-  //   :ref:`trusted_ca<envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>` to enable
-  //   verification.
+  //   Server certificate verification is not enabled by default. To enable verification, configure
+  //   :ref:`trusted_ca<envoy_v3_api_field_extensions.transport_sockets.tls.v3.CertificateValidationContext.trusted_ca>`.
   CommonTlsContext common_tls_context = 1;

   // SNI string to use when creating TLS backend connections.
   string sni = 2 [(validate.rules).string = {max_bytes: 255}];

+  // If true, replaces the SNI for the connection with the hostname of the upstream host, if
+  // the hostname is known due to either a DNS cluster type or the
+  // :ref:`hostname <envoy_v3_api_field_config.endpoint.v3.Endpoint.hostname>` is set on
+  // the host.
+  //
+  // See :ref:`SNI configuration <start_quick_start_securing_sni_client>` for details on how this
+  // interacts with other validation options.
+  bool auto_host_sni = 6;
+
+  // If true, replaces any Subject Alternative Name (SAN) validations with a validation for a DNS SAN matching
+  // the SNI value sent. The validation uses the actual requested SNI, regardless of how the SNI is configured.
+  //
+  // For common cases where an SNI value is present and the server certificate should include a corresponding SAN,
+  // this option ensures the SAN is properly validated.
+  //
+  // See the :ref:`validation configuration <start_quick_start_securing_validation>` for how this interacts with
+  // other validation options.
+  bool auto_sni_san_validation = 7;
+
   // If true, server-initiated TLS renegotiation will be allowed.
   //
   // .. attention::
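Review bot: the new `auto_sni_san_validation` comment says it "replaces any Subject Alternative Name (SAN) validations" with a DNS SAN match against the SNI actually sent, but it does not say what is validated when no SNI is sent at all (empty `sni`, `auto_host_sni` false, or the upstream hostname unknown). Suggest stating whether the configured SAN matchers then apply or the DNS SAN check is simply skipped, because the latter would silently drop hostname verification, which the `.. attention::` block just above already warns is off by default.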
@@ -50,16 +68,19 @@
   bool allow_renegotiation = 3;

   // Maximum number of session keys (Pre-Shared Keys for TLSv1.3+, Session IDs and Session Tickets
-  // for TLSv1.2 and older) to store for the purpose of session resumption.
+  // for TLSv1.2 and older) to be stored for session resumption.
   //
   // Defaults to 1, setting this to 0 disables session resumption.
   google.protobuf.UInt32Value max_session_keys = 4;

-  // This field is used to control the enforcement, whereby the handshake will fail if the keyUsage extension
-  // is present and incompatible with the TLS usage. Currently, the default value is false (i.e., enforcement off)
-  // but it is expected to be changed to true by default in a future release.
-  // ``ssl.was_key_usage_invalid`` in :ref:`listener metrics <config_listener_stats>` will be set for certificate
-  // configurations that would fail if this option were set to true.
+  // Controls enforcement of the ``keyUsage`` extension in peer certificates. If set to ``true``, the handshake will fail if
+  // the ``keyUsage`` is incompatible with TLS usage.
+  //
+  // .. note::
+  //   The default value is ``false`` (i.e., enforcement off). It is expected to change to ``true`` in a future release.
+  //
+  // The ``ssl.was_key_usage_invalid`` in :ref:`listener metrics <config_listener_stats>` metric will be incremented
+  // for configurations that would fail if this option were enabled.
   google.protobuf.BoolValue enforce_rsa_key_usage = 5;
 }
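Review bot: the rewritten `enforce_rsa_key_usage` comment drops the "is present and" condition, so "the handshake will fail if the ``keyUsage`` is incompatible with TLS usage" now reads as if a certificate with no ``keyUsage`` extension could fail; suggest "if the ``keyUsage`` extension is present and incompatible with TLS usage". In the same hunk, "The ``ssl.was_key_usage_invalid`` in :ref:`listener metrics <config_listener_stats>` metric will be incremented" has a stray "in"; "The ``ssl.was_key_usage_invalid`` :ref:`listener metric <config_listener_stats>` will be incremented" reads cleanly.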

@@ -69,24 +90,16 @@
       "envoy.api.v2.auth.DownstreamTlsContext";

   enum OcspStaplePolicy {
-    // OCSP responses are optional. If an OCSP response is absent
-    // or expired, the associated certificate will be used for
-    // connections without an OCSP staple.
+    // OCSP responses are optional. If absent or expired, the certificate is used without stapling.
     LENIENT_STAPLING = 0;

-    // OCSP responses are optional. If an OCSP response is absent,
-    // the associated certificate will be used without an
-    // OCSP staple. If a response is provided but is expired,
-    // the associated certificate will not be used for
-    // subsequent connections. If no suitable certificate is found,
-    // the connection is rejected.
+    // OCSP responses are optional. If absent, the certificate is used without stapling. If present but expired,
+    // the certificate is not used for subsequent connections. Connections are rejected if no suitable certificate
+    // is found.
     STRICT_STAPLING = 1;

-    // OCSP responses are required. Configuration will fail if
-    // a certificate is provided without an OCSP response. If a
-    // response expires, the associated certificate will not be
-    // used connections. If no suitable certificate is found, the
-    // connection is rejected.
+    // OCSP responses are required. Connections fail if a certificate lacks a valid OCSP response. Expired responses
+    // prevent certificate use in new connections, and connections are rejected if no suitable certificate is available.
     MUST_STAPLE = 2;
   }
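Review bot: the `MUST_STAPLE` rewrite changes when the failure happens: the old comment said "Configuration will fail if a certificate is provided without an OCSP response" (rejected at load time), the new one says "Connections fail if a certificate lacks a valid OCSP response" (rejected per handshake). Those are different operational outcomes, so unless the behaviour itself changed upstream the load-time wording should be kept, e.g. "Configuration fails if a certificate is provided without an OCSP response. Expired responses prevent certificate use in new connections, ...".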

@@ -119,46 +132,54 @@
     bool disable_stateless_session_resumption = 7;
   }

-  // If set to true, the TLS server will not maintain a session cache of TLS sessions. (This is
-  // relevant only for TLSv1.2 and earlier.)
+  // If ``true``, the TLS server will not maintain a session cache of TLS sessions.
+  //
+  // .. note::
+  //   This applies only to TLSv1.2 and earlier.
+  //
   bool disable_stateful_session_resumption = 10;

-  // If specified, ``session_timeout`` will change the maximum lifetime (in seconds) of the TLS session.
-  // Currently this value is used as a hint for the `TLS session ticket lifetime (for TLSv1.2) <https://tools.ietf.org/html/rfc5077#section-5.6>`_.
-  // Only seconds can be specified (fractional seconds are ignored).
+  // Maximum lifetime of TLS sessions. If specified, ``session_timeout`` will change the maximum lifetime
+  // of the TLS session.
+  //
+  // This serves as a hint for the `TLS session ticket lifetime (for TLSv1.2) <https://tools.ietf.org/html/rfc5077#section-5.6>`_.
+  // Only whole seconds are considered; fractional seconds are ignored.
   google.protobuf.Duration session_timeout = 6 [(validate.rules).duration = {
     lt {seconds: 4294967296}
     gte {}
   }];

-  // Config for whether to use certificates if they do not have
-  // an accompanying OCSP response or if the response expires at runtime.
-  // Defaults to LENIENT_STAPLING
+  // Configuration for handling certificates without an OCSP response or with expired responses.
+  //
+  // Defaults to ``LENIENT_STAPLING``
   OcspStaplePolicy ocsp_staple_policy = 8 [(validate.rules).enum = {defined_only: true}];

   // Multiple certificates are allowed in Downstream transport socket to serve different SNI.
-  // If the client provides SNI but no such cert matched, it will decide to full scan certificates or not based on this config.
-  // Defaults to false. See more details in :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>`.
+  // This option controls the behavior when no matching certificate is found for the received SNI value,
+  // or no SNI value was sent. If enabled, all certificates will be evaluated for a match for non-SNI criteria
+  // such as key type and OCSP settings. If disabled, the first provided certificate will be used.
+  // Defaults to ``false``. See more details in :ref:`Multiple TLS certificates <arch_overview_ssl_cert_select>`.
   google.protobuf.BoolValue full_scan_certs_on_sni_mismatch = 9;

-  // By default, Envoy as a server uses its preferred cipher during the handshake.
-  // Setting this to true would allow the downstream client's preferred cipher to be used instead.
-  // Has no effect when using TLSv1_3.
+  // If ``true``, the downstream client's preferred cipher is used during the handshake. If ``false``, Envoy
+  // uses its preferred cipher.
+  //
+  // .. note::
+  //   This has no effect when using TLSv1_3.
+  //
   bool prefer_client_ciphers = 11;
 }

 // TLS key log configuration.
 // The key log file format is "format used by NSS for its SSLKEYLOGFILE debugging output" (text taken from openssl man page)
 message TlsKeyLog {
-  // The path to save the TLS key log.
+  // Path to save the TLS key log.
   string path = 1 [(validate.rules).string = {min_len: 1}];

-  // The local IP address that will be used to filter the connection which should save the TLS key log
-  // If it is not set, any local IP address  will be matched.
+  // Local IP address ranges to filter connections for TLS key logging. If not set, matches any local IP address.
   repeated config.core.v3.CidrRange local_address_range = 2;

-  // The remote IP address that will be used to filter the connection which should save the TLS key log
-  // If it is not set, any remote IP address will be matched.
+  // Remote IP address ranges to filter connections for TLS key logging. If not set, matches any remote IP address.
   repeated config.core.v3.CidrRange remote_address_range = 3;
 }
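Review bot: the `TlsKeyLog` rewrite should say outright that with neither `local_address_range` nor `remote_address_range` set, session keys are written for every connection, since anyone holding that file can decrypt captured traffic; "If not set, matches any local IP address" states the matching rule but not its consequence. Smaller points in the same hunk: the `session_timeout` comment now opens with two sentences that say the same thing ("Maximum lifetime of TLS sessions. If specified, ``session_timeout`` will change the maximum lifetime of the TLS session."), one can go; and "Defaults to ``LENIENT_STAPLING``" is missing its full stop.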

@@ -167,8 +188,8 @@
 message CommonTlsContext {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.auth.CommonTlsContext";

-  // Config for Certificate provider to get certificates. This provider should allow certificates to be
-  // fetched/refreshed over the network asynchronously with respect to the TLS handshake.
+  // Config for the Certificate Provider to fetch certificates. Certificates are fetched/refreshed asynchronously over
+  // the network relative to the TLS handshake.
   //
   // DEPRECATED: This message is not currently used, but if we ever do need it, we will want to
   // move it out of CommonTlsContext and into common.proto, similar to the existing
@@ -261,7 +282,7 @@
   // fetched/refreshed over the network asynchronously with respect to the TLS handshake.
   //
   // The same number and types of certificates as :ref:`tls_certificates <envoy_v3_api_field_extensions.transport_sockets.tls.v3.CommonTlsContext.tls_certificates>`
-  // are valid in the the certificates fetched through this setting.
+  // are valid in the certificates fetched through this setting.
   //
   // If ``tls_certificates`` or ``tls_certificate_provider_instance`` are set, this field
   // is ignored.
@@ -299,13 +320,17 @@
     // fetched/refreshed over the network asynchronously with respect to the TLS handshake.
     SdsSecretConfig validation_context_sds_secret_config = 7;

-    // Combined certificate validation context holds a default CertificateValidationContext
-    // and SDS config. When SDS server returns dynamic CertificateValidationContext, both dynamic
-    // and default CertificateValidationContext are merged into a new CertificateValidationContext
-    // for validation. This merge is done by Message::MergeFrom(), so dynamic
-    // CertificateValidationContext overwrites singular fields in default
-    // CertificateValidationContext, and concatenates repeated fields to default
-    // CertificateValidationContext, and logical OR is applied to boolean fields.
+    // Combines the default ``CertificateValidationContext`` with the SDS-provided dynamic context for certificate
+    // validation.
+    //
+    // When the SDS server returns a dynamic ``CertificateValidationContext``, it is merged
+    // with the default context using ``Message::MergeFrom()``. The merging rules are as follows:
+    //
+    // * **Singular Fields:** Dynamic fields override the default singular fields.
+    // * **Repeated Fields:** Dynamic repeated fields are concatenated with the default repeated fields.
+    // * **Boolean Fields:** Boolean fields are combined using a logical OR operation.
+    //
+    // The resulting ``CertificateValidationContext`` is used to perform certificate validation.
     CombinedCertificateValidationContext combined_validation_context = 8;

     // Certificate provider for fetching validation context.
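Review bot: the merge-rule list for `combined_validation_context` overstates the singular-field rule: `Message::MergeFrom()` only overwrites singular fields that are set in the dynamic message, so "* **Singular Fields:** Dynamic fields override the default singular fields." should read "Singular fields set in the dynamic context override the defaults". The boolean rule also deserves a caution: with logical OR, a boolean that is ``true`` in either context is ``true`` in the result, so a permissive flag in the SDS-provided context cannot be tightened by the static default, nor the other way round.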

envoy/extensions/wasm/v3/wasm.proto:

--- shake256:b62b889c4321c94ad2836883c5c8ac569dfb727f6bccaee55deb1c00cc87f1d098998bb5059d66a51726627777620bdb436c083976b13dc662f474ca5d470511
+++ shake256:6f596e69c9a1af917e12680f6e43c941f9e4a254ee86d30da4127b4aa01d9bb1f08d270c0ff8ddb63099c972d37cfac32cbf729633e4454d6a5c2dd28c2c7d81
@@ -2,10 +2,12 @@

 package envoy.extensions.wasm.v3;

+import "envoy/config/core/v3/backoff.proto";
 import "envoy/config/core/v3/base.proto";

 import "google/protobuf/any.proto";

+import "envoy/annotations/deprecation.proto";
 import "udpa/annotations/status.proto";

 option java_package = "io.envoyproxy.envoy.extensions.wasm.v3";
@@ -17,6 +19,33 @@
 // [#protodoc-title: Wasm]
 // [#extension: envoy.bootstrap.wasm]

+// If there is a fatal error on the VM (e.g. exception, abort()), then the policy will be applied.
+enum FailurePolicy {
+  // No policy is specified. The default policy will be used. The default policy is ``FAIL_CLOSED``.
+  UNSPECIFIED = 0;
+
+  // New plugin instance will be created for the new request if the VM is failed. Note this only
+  // be applied to the following failures:
+  //
+  // * ``proxy_wasm::FailState::RuntimeError``
+  //
+  // This will fallback to the ``FAIL_CLOSED`` for all other failures.
+  FAIL_RELOAD = 1;
+
+  // All plugins associated with the VM will return an HTTP 503 error.
+  FAIL_CLOSED = 2;
+
+  // All plugins associated with the VM will be ignored and the filter chain will continue. This
+  // makes sense when the plugin is optional.
+  FAIL_OPEN = 3;
+}
+
+message ReloadConfig {
+  // Backoff strategy for the VM failure reload. If not specified, the default 1s base interval
+  // will be applied.
+  config.core.v3.BackoffStrategy backoff = 1;
+}
+
 // Configuration for restricting Proxy-Wasm capabilities available to modules.
 message CapabilityRestrictionConfig {
   // The Proxy-Wasm capabilities which will be allowed. Capabilities are mapped by
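Review bot: the `FAIL_RELOAD` comment needs a grammar pass: "New plugin instance will be created for the new request if the VM is failed. Note this only be applied to the following failures:" should read "A new plugin instance will be created for the next request if the VM has failed. Note that this only applies to the following failures:", and "This will fallback to the ``FAIL_CLOSED`` for all other failures." should read "This falls back to ``FAIL_CLOSED`` for all other failures.". The `FAIL_OPEN` comment ("the filter chain will continue ... makes sense when the plugin is optional") would also benefit from stating the flip side: a plugin that enforces policy on requests must not use it, since a VM failure then lets traffic through unchecked.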
@@ -114,7 +143,7 @@
 }

 // Base Configuration for Wasm Plugins e.g. filters and services.
-// [#next-free-field: 7]
+// [#next-free-field: 9]
 message PluginConfig {
   // A unique name for a filters/services in a VM for use in identifying the filter/service if
   // multiple filters/services are handled by the same ``vm_id`` and ``root_id`` and for
@@ -144,8 +173,15 @@
   // or fail open (if 'fail_open' is set to true) by bypassing the filter. Note: when on_start or on_configure return false
   // during xDS updates the xDS configuration will be rejected and when on_start or on_configuration return false on initial
   // startup the proxy will not start.
-  bool fail_open = 5;
+  // This field is deprecated in favor of the ``failure_policy`` field.
+  bool fail_open = 5 [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];

+  // The failure policy for the plugin.
+  FailurePolicy failure_policy = 7;
+
+  // Reload configuration. This is only applied when ``failure_policy`` is set to ``FAIL_RELOAD``.
+  ReloadConfig reload_config = 8;
+
   // Configuration for restricting Proxy-Wasm capabilities available to modules.
   CapabilityRestrictionConfig capability_restriction_config = 6;
 }
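Review bot: the hunk deprecates `fail_open` in favour of `failure_policy` but does not say which wins when both are set, e.g. `fail_open = true` together with `failure_policy = FAIL_CLOSED`, or `fail_open = true` with `failure_policy` left at `UNSPECIFIED` (whose own comment says the default is ``FAIL_CLOSED``). A sentence such as "If ``failure_policy`` is set it takes precedence over ``fail_open``", or whatever the upstream implementation actually does, would remove the ambiguity for operators migrating off the deprecated field.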

envoy/service/discovery/v3/discovery.proto:

--- shake256:32e21dec7dc289f56e0708c19d21d2fb0a6709dd1c142031508e2eec817228f1de2d1e66ea627e81bb5b47d236ce8a2a92693c2e796fd9c1bd125fc9cdf386a0
+++ shake256:1dc0ed3175669fbe7e372cb788cf08b7bd223d1c41f84006c55252f24c7d97717692fcd2bba39c6073db9ea03761a7f2926b41cd7b58edfdb6ed1054777c5325
@@ -41,6 +41,17 @@
   DynamicParameterConstraints dynamic_parameter_constraints = 2;
 }

+// [#not-implemented-hide:]
+// An error associated with a specific resource name, returned to the
+// client by the server.
+message ResourceError {
+  // The name of the resource.
+  ResourceName resource_name = 1;
+
+  // The error reported for the resource.
+  google.rpc.Status error_detail = 2;
+}
+
 // A DiscoveryRequest requests a set of versioned resources of the same type for
 // a given Envoy node on some API.
 // [#next-free-field: 8]
@@ -96,7 +107,7 @@
   google.rpc.Status error_detail = 6;
 }

-// [#next-free-field: 7]
+// [#next-free-field: 8]
 message DiscoveryResponse {
   option (udpa.annotations.versioning).previous_message_type = "envoy.api.v2.DiscoveryResponse";

@@ -138,6 +149,13 @@

   // The control plane instance that sent the response.
   config.core.v3.ControlPlane control_plane = 6;
+
+  // [#not-implemented-hide:]
+  // Errors associated with specific resources. Clients are expected to
+  // remember the most recent error for a given resource across responses;
+  // the error condition is not considered to be cleared until a response is
+  // received that contains the resource in the 'resources' field.
+  repeated ResourceError resource_errors = 7;
 }

 // DeltaDiscoveryRequest and DeltaDiscoveryResponse are used in a new gRPC
@@ -247,7 +265,7 @@
   google.rpc.Status error_detail = 7;
 }

-// [#next-free-field: 9]
+// [#next-free-field: 10]
 message DeltaDiscoveryResponse {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.DeltaDiscoveryResponse";
@@ -281,6 +299,13 @@
   // [#not-implemented-hide:]
   // The control plane instance that sent the response.
   config.core.v3.ControlPlane control_plane = 7;
+
+  // [#not-implemented-hide:]
+  // Errors associated with specific resources. Note that a resource in
+  // this field with a status of NOT_FOUND should be treated the same as
+  // a resource listed in the 'removed_resources' or 'removed_resource_names'
+  // fields.
+  repeated ResourceError resource_errors = 9;
 }

 // A set of dynamic parameter constraints associated with a variant of an individual xDS resource.
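Review bot: the delta `resource_errors` comment makes a `NOT_FOUND` error equivalent to a `removed_resources` entry, while the SotW `resource_errors` comment in the earlier hunk only says errors persist until the resource reappears in `resources`. Suggest the SotW comment state whether `NOT_FOUND` implies removal there too, because a client that drops a resource on an error condition and one that keeps the last accepted version behave very differently when the control plane returns a spurious error. Both fields are `[#not-implemented-hide:]`, so this is a documentation point for now.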

envoy/service/ext_proc/v3/external_processor.proto:

--- shake256:3cba5f4d2b8a4c1698bec7edbe2bcf50f8852e27333adc006570a15f38a6c2c88721d688876a268f4ade605c26df98bbba8623deac8b58daa1aae23bbcac371a
+++ shake256:273468a90f7dcbc52642fbfc349d82c95b632f8e2a826803410ab1339941c30db7cbbbeead904fc6023365da6c465951f454b9d5d0efbf4154b454d527d39d20
@@ -45,7 +45,6 @@
 // In other words, the process is a request/response conversation, but
 // using a gRPC stream to make it easier for the server to
 // maintain state.
-
 service ExternalProcessor {
   // This begins the bidirectional stream that Envoy will use to
   // give the server control over what the filter does. The actual
@@ -129,6 +128,7 @@
 // set to false, the server must send back exactly one ProcessingResponse message.
 // [#next-free-field: 11]
 message ProcessingResponse {
+  // The response type that is sent by the server.
   oneof response {
     option (validate.required) = true;

@@ -220,19 +220,25 @@
   map<string, google.protobuf.Struct> attributes = 2
       [deprecated = true, (envoy.annotations.deprecated_at_minor_version) = "3.0"];

-  // If true, then there is no message body associated with this
+  // If ``true``, then there is no message body associated with this
   // request or response.
   bool end_of_stream = 3;
 }

-// This message contains the message body that Envoy sends to the external server.
+// This message is sent to the external server when the HTTP request and
+// response bodies are received.
 message HttpBody {
+  // The contents of the body in the HTTP request/response. Note that in
+  // streaming mode multiple ``HttpBody`` messages may be sent.
   bytes body = 1;

+  // If ``true``, this will be the last ``HttpBody`` message that will be sent and no
+  // trailers will be sent for the current request/response.
   bool end_of_stream = 2;
 }

-// This message contains the trailers.
+// This message is sent to the external server when the HTTP request and
+// response trailers are received.
 message HttpTrailers {
   // The header value is encoded in the
   // :ref:`raw_value <envoy_v3_api_field_config.core.v3.HeaderValue.raw_value>` field.
@@ -241,25 +247,34 @@

 // The following are messages that may be sent back by the server.

-// This message must be sent in response to an HttpHeaders message.
+// This message is sent by the external server to Envoy after ``HttpHeaders`` was
+// sent to it.
 message HeadersResponse {
+  // Details the modifications (if any) to be made by Envoy to the current
+  // request/response.
   CommonResponse response = 1;
 }

-// This message must be sent in response to an HttpTrailers message.
-message TrailersResponse {
-  // Instructions on how to manipulate the trailers
-  HeaderMutation header_mutation = 1;
-}
-
-// This message must be sent in response to an HttpBody message.
+// This message is sent by the external server to Envoy after ``HttpBody`` was
+// sent to it.
 message BodyResponse {
+  // Details the modifications (if any) to be made by Envoy to the current
+  // request/response.
   CommonResponse response = 1;
 }

+// This message is sent by the external server to Envoy after ``HttpTrailers`` was
+// sent to it.
+message TrailersResponse {
+  // Details the modifications (if any) to be made by Envoy to the current
+  // request/response trailers.
+  HeaderMutation header_mutation = 1;
+}
+
 // This message contains common fields between header and body responses.
 // [#next-free-field: 6]
 message CommonResponse {
+  // The status of the response.
   enum ResponseStatus {
     // Apply the mutation instructions in this message to the
     // request or response, and then continue processing the filter
@@ -322,7 +337,7 @@
 // to the downstream codec, or reset the stream.
 // [#next-free-field: 6]
 message ImmediateResponse {
-  // The response code to return
+  // The response code to return.
   type.v3.HttpStatus status = 1 [(validate.rules).message = {required: true}];

   // Apply changes to the default headers, which will include content-type.
@@ -343,7 +358,7 @@

 // This message specifies a gRPC status for an ImmediateResponse message.
 message GrpcStatus {
-  // The actual gRPC status
+  // The actual gRPC status.
   uint32 status = 1;
 }

@@ -362,14 +377,39 @@
   repeated string remove_headers = 2;
 }

-// Replace the entire message body chunk received in the corresponding
-// HttpBody message with this new body, or clear the body.
+// [#not-implemented-hide:]
+// The body response message corresponding to FULL_DUPLEX_STREAMED body mode.
+message StreamedBodyResponse {
+  // The body response chunk that will be passed to the upstream/downstream by Envoy.
+  bytes body = 1;
+
+  // The server sets this flag to true if it has received a body request with
+  // :ref:`end_of_stream <envoy_v3_api_field_service.ext_proc.v3.HttpBody.end_of_stream>` set to true,
+  // and this is the last chunk of body responses.
+  bool end_of_stream = 2;
+}
+
+// This message specifies the body mutation the server sends to Envoy.
 message BodyMutation {
+  // The type of mutation for the body.
   oneof mutation {
-    // The entire body to replace
+    // The entire body to replace.
+    // Should only be used when the corresponding ``BodySendMode`` in the
+    // :ref:`processing_mode <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.processing_mode>`
+    // is not set to ``FULL_DUPLEX_STREAMED``.
     bytes body = 1;

-    // Clear the corresponding body chunk
+    // Clear the corresponding body chunk.
+    // Should only be used when the corresponding ``BodySendMode`` in the
+    // :ref:`processing_mode <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.processing_mode>`
+    // is not set to ``FULL_DUPLEX_STREAMED``.
+    // Clear the corresponding body chunk.
     bool clear_body = 2;
+
+    // [#not-implemented-hide:]
+    // Must be used when the corresponding ``BodySendMode`` in the
+    // :ref:`processing_mode <envoy_v3_api_field_extensions.filters.http.ext_proc.v3.ExternalProcessor.processing_mode>`
+    // is set to ``FULL_DUPLEX_STREAMED``.
+    StreamedBodyResponse streamed_response = 3;
   }
 }
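Review bot: the `clear_body` comment in `BodyMutation` now contains "Clear the corresponding body chunk." twice, once before and once after the ``BodySendMode`` sentences; drop the trailing copy. The `streamed_response` comment says it "Must be used" in ``FULL_DUPLEX_STREAMED`` mode while `body` and `clear_body` "Should only be used" outside it, which leaves unstated what Envoy does if the wrong variant arrives; a clause such as "other mutations are rejected in this mode", if that is the behaviour, would help implementers of the external server.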

envoy/service/ratelimit/v3/rls.proto:

--- shake256:fda3ff07087461760f5e793e23f7ebfd0ca43b5078388538c49a257cbdde9328dd5d154c45c65b5f2ded4be944ff760aafd653f9e5b9df6096cefb4a8a1b8740
+++ shake256:9641a91435e6e6b8c64e8e68adb42c0ce592170cc68972d4724169361766892b4d2a00b16e4dc9a2863d7b4d05ff1ebd27e820622355d2de4f5d09b7d71983ef
@@ -94,6 +94,9 @@
       // The time unit representing a day.
       DAY = 4;

+      // The time unit representing a week.
+      WEEK = 7;
+
       // The time unit representing a month.
       MONTH = 5;

envoy/service/status/v3/csds.proto:

--- shake256:c2c36647c5d9f9089c5759bf890a1b5e200357b4b76abfe69ce6eb30e859540d7521d4cc8d1311f9e250f22011ea4f006e4ec4531b1af5420d2f882814915a41
+++ shake256:ac4a57cb2f25fbfce2a8daef2546317e33d09d8162447b82d56491df84b4847880ea6fa7048a0d82380191fced4f1caa1490773c8584aac1251b274429a8335b
@@ -72,6 +72,11 @@
   // config dump is not the NACKed version, but the most recent accepted one. If
   // no config is accepted yet, the attached config dump will be empty.
   CLIENT_NACKED = 3;
+
+  // Client received an error from the control plane. The attached config
+  // dump is the most recent accepted one. If no config is accepted yet,
+  // the attached config dump will be empty.
+  CLIENT_RECEIVED_ERROR = 4;
 }

 // Request for client status of clients identified by a list of NodeMatchers.

envoy/type/matcher/v3/filter_state.proto:

--- shake256:ed016be6eedd59a70a54ad70a2d39f7aa2be47c8f962744307d7ebcc7415f1ac9d81f98cdcd5540cdb88f5d4941bdb110798e83e0841180f8e40d7b24d065711
+++ shake256:368384c1f18c40e250a3c223bad867c16c2171e4f3e81dc0e64f95ab0ac8ffa138e3615f975ff473c19ac9cc1de304ce6de23935424d7246b15449a70c8a1f55
@@ -2,6 +2,7 @@

 package envoy.type.matcher.v3;

+import "envoy/type/matcher/v3/address.proto";
 import "envoy/type/matcher/v3/string.proto";

 import "udpa/annotations/status.proto";
@@ -25,5 +26,8 @@

     // Matches the filter state object as a string value.
     StringMatcher string_match = 2;
+
+    // Matches the filter state object as a ip Instance.
+    AddressMatcher address_match = 3;
   }
 }
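Review bot: "Matches the filter state object as a ip Instance." should read "Matches the filter state object as an IP address." (article and capitalisation).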

envoy/type/v3/http_status.proto:

--- shake256:cb13202df49b11e6033daaf75d640b73c9c6011020e6c7ad0df519929fb47a4d06ad72a584a79c8d401aa97524d36dfb01552db9347c32d7b6c6505191416796
+++ shake256:d202ec6e99b45a8e9a5671718b070c368e6a5067194ab1c73da32705d28d45802db75994b6e5fb938b9bf4bd2eff59d52dddc8797e085ee99ca6a8d6db475de8
@@ -21,116 +21,172 @@
   // `enum` type.
   Empty = 0;

+  // Continue - ``100`` status code.
   Continue = 100;

+  // OK - ``200`` status code.
   OK = 200;

+  // Created - ``201`` status code.
   Created = 201;

+  // Accepted - ``202`` status code.
   Accepted = 202;

+  // NonAuthoritativeInformation - ``203`` status code.
   NonAuthoritativeInformation = 203;

+  // NoContent - ``204`` status code.
   NoContent = 204;

+  // ResetContent - ``205`` status code.
   ResetContent = 205;

+  // PartialContent - ``206`` status code.
   PartialContent = 206;

+  // MultiStatus - ``207`` status code.
   MultiStatus = 207;

+  // AlreadyReported - ``208`` status code.
   AlreadyReported = 208;

+  // IMUsed - ``226`` status code.
   IMUsed = 226;

+  // MultipleChoices - ``300`` status code.
   MultipleChoices = 300;

+  // MovedPermanently - ``301`` status code.
   MovedPermanently = 301;

+  // Found - ``302`` status code.
   Found = 302;

+  // SeeOther - ``303`` status code.
   SeeOther = 303;

+  // NotModified - ``304`` status code.
   NotModified = 304;

+  // UseProxy - ``305`` status code.
   UseProxy = 305;

+  // TemporaryRedirect - ``307`` status code.
   TemporaryRedirect = 307;

+  // PermanentRedirect - ``308`` status code.
   PermanentRedirect = 308;

+  // BadRequest - ``400`` status code.
   BadRequest = 400;

+  // Unauthorized - ``401`` status code.
   Unauthorized = 401;

+  // PaymentRequired - ``402`` status code.
   PaymentRequired = 402;

+  // Forbidden - ``403`` status code.
   Forbidden = 403;

+  // NotFound - ``404`` status code.
   NotFound = 404;

+  // MethodNotAllowed - ``405`` status code.
   MethodNotAllowed = 405;

+  // NotAcceptable - ``406`` status code.
   NotAcceptable = 406;

+  // ProxyAuthenticationRequired - ``407`` status code.
   ProxyAuthenticationRequired = 407;

+  // RequestTimeout - ``408`` status code.
   RequestTimeout = 408;

+  // Conflict - ``409`` status code.
   Conflict = 409;

+  // Gone - ``410`` status code.
   Gone = 410;

+  // LengthRequired - ``411`` status code.
   LengthRequired = 411;

+  // PreconditionFailed - ``412`` status code.
   PreconditionFailed = 412;

+  // PayloadTooLarge - ``413`` status code.
   PayloadTooLarge = 413;

+  // URITooLong - ``414`` status code.
   URITooLong = 414;

+  // UnsupportedMediaType - ``415`` status code.
   UnsupportedMediaType = 415;

+  // RangeNotSatisfiable - ``416`` status code.
   RangeNotSatisfiable = 416;

+  // ExpectationFailed - ``417`` status code.
   ExpectationFailed = 417;

+  // MisdirectedRequest - ``421`` status code.
   MisdirectedRequest = 421;

+  // UnprocessableEntity - ``422`` status code.
   UnprocessableEntity = 422;

+  // Locked - ``423`` status code.
   Locked = 423;

+  // FailedDependency - ``424`` status code.
   FailedDependency = 424;

+  // UpgradeRequired - ``426`` status code.
   UpgradeRequired = 426;

+  // PreconditionRequired - ``428`` status code.
   PreconditionRequired = 428;

+  // TooManyRequests - ``429`` status code.
   TooManyRequests = 429;

+  // RequestHeaderFieldsTooLarge - ``431`` status code.
   RequestHeaderFieldsTooLarge = 431;

+  // InternalServerError - ``500`` status code.
   InternalServerError = 500;

+  // NotImplemented - ``501`` status code.
   NotImplemented = 501;

+  // BadGateway - ``502`` status code.
   BadGateway = 502;

+  // ServiceUnavailable - ``503`` status code.
   ServiceUnavailable = 503;

+  // GatewayTimeout - ``504`` status code.
   GatewayTimeout = 504;

+  // HTTPVersionNotSupported - ``505`` status code.
   HTTPVersionNotSupported = 505;

+  // VariantAlsoNegotiates - ``506`` status code.
   VariantAlsoNegotiates = 506;

+  // InsufficientStorage - ``507`` status code.
   InsufficientStorage = 507;

+  // LoopDetected - ``508`` status code.
   LoopDetected = 508;

+  // NotExtended - ``510`` status code.
   NotExtended = 510;

+  // NetworkAuthenticationRequired - ``511`` status code.
   NetworkAuthenticationRequired = 511;
 }

Total changes: 58 (4 deletions, 9 additions, 45 changed)

cmd/diff/main.go (outdated)

```go
sb.WriteString("```diff\n")
sortedPaths := slicesext.MapKeysToSortedSlice(d.removedPaths)
for _, path := range sortedPaths {
	sb.WriteString("- " + d.removedPaths[path].String() + "\n")
```

Member:

Do we need to handle any escaping within markdown?

Member Author:

Don't think so, it's just file nodes in this format:

- <digestType>:<digestValue>  <path>
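The `<digestType>:<digestValue>  <path>` node format discussed in the thread above, parsed and diffed in Go as an added example; this is not code from this PR's `cmd/diff`. It goes a little beyond the thread: it validates each line (shake256 only, 64-byte digest as on this page, no absolute or `..` paths, no duplicate paths) before trusting it, then classifies paths into removed, added and changed and produces the same "Total changes" summary line the PR output ends with. The sample manifests are constructed: the paths are taken from this page, the digests are placeholders of the right length, and the path-safety check is an assumption of this example, not a check the diff command is stated to perform.

```go
package main

import (
	"bufio"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Node is one "<digestType>:<digestValue>  <path>" manifest line (two spaces separate digest and path).
type Node struct {
	DigestType, Digest, Path string // Digest is lowercase hex, 128 chars for shake256
}

// unsafePath rejects empty or absolute paths and any ".." segment; this check is an assumption of
// this example, not something the PR's diff command is stated to do.
func unsafePath(path string) bool {
	return path == "" || strings.HasPrefix(path, "/") || strings.Contains("/"+path+"/", "/../")
}

// ParseManifest turns manifest text into a path -> Node map. Malformed lines, non-shake256 or
// wrong-length digests, unsafe and duplicate paths are errors, so a corrupted manifest fails loudly.
func ParseManifest(text string) (map[string]Node, error) {
	nodes := make(map[string]Node)
	sc := bufio.NewScanner(strings.NewReader(text))
	for lineNo := 1; sc.Scan(); lineNo++ {
		line := sc.Text()
		if strings.TrimSpace(line) == "" {
			continue
		}
		digest, path, ok := strings.Cut(line, "  ")
		dtype, dval, found := strings.Cut(digest, ":")
		raw, err := hex.DecodeString(dval)
		if !ok || !found || dtype != "shake256" || err != nil || len(raw) != 64 {
			return nil, fmt.Errorf("line %d: expected \"shake256:<128 hex chars>  <path>\", got %q", lineNo, line)
		}
		if _, dup := nodes[path]; dup || unsafePath(path) {
			return nil, fmt.Errorf("line %d: unsafe or duplicate path %q", lineNo, path)
		}
		nodes[path] = Node{DigestType: dtype, Digest: strings.ToLower(dval), Path: path}
	}
	return nodes, sc.Err()
}

// Diff classifies every path of the two manifests, each list in sorted path order.
type Diff struct {
	Removed, Added []Node    // in old only / in new only
	Changed        [][2]Node // in both with different digests: {old, new}
}

func sortedKeys(m map[string]Node) []string {
	keys := make([]string, 0, len(m))
	for k := range m {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return keys
}

// DiffManifests compares by path first, then by digest for paths present in both.
func DiffManifests(oldNodes, newNodes map[string]Node) Diff {
	var d Diff
	for _, path := range sortedKeys(oldNodes) {
		if n, ok := newNodes[path]; !ok {
			d.Removed = append(d.Removed, oldNodes[path])
		} else if oldNodes[path].Digest != n.Digest {
			d.Changed = append(d.Changed, [2]Node{oldNodes[path], n})
		}
	}
	for _, path := range sortedKeys(newNodes) {
		if _, ok := oldNodes[path]; !ok {
			d.Added = append(d.Added, newNodes[path])
		}
	}
	return d
}

// Summary matches the "Total changes" line that closes the PR's diff output.
func (d Diff) Summary() string {
	return fmt.Sprintf("Total changes: %d (%d deletions, %d additions, %d changed)",
		len(d.Removed)+len(d.Added)+len(d.Changed), len(d.Removed), len(d.Added), len(d.Changed))
}

// Constructed sample manifests: paths come from this PR's output, digests are placeholders of the
// right length, not real shake256 values.
var oldManifest = "shake256:" + strings.Repeat("a", 128) + "  envoy/config/trace/v3/opencensus.proto\n" +
	"shake256:" + strings.Repeat("b", 128) + "  envoy/extensions/transport_sockets/tls/v3/tls.proto\n" +
	"shake256:" + strings.Repeat("c", 128) + "  envoy/type/v3/http_status.proto\n"
var newManifest = "shake256:" + strings.Repeat("d", 128) + "  envoy/extensions/transport_sockets/tls/v3/tls.proto\n" +
	"shake256:" + strings.Repeat("c", 128) + "  envoy/type/v3/http_status.proto\n" +
	"shake256:" + strings.Repeat("e", 128) + "  envoy/extensions/wasm/v3/wasm.proto\n"

func main() {
	oldNodes, err1 := ParseManifest(oldManifest)
	newNodes, err2 := ParseManifest(newManifest)
	if err1 != nil || err2 != nil {
		panic(fmt.Sprint(err1, err2))
	}
	fmt.Println(DiffManifests(oldNodes, newNodes).Summary())
}
```

Rejecting a manifest up front, rather than skipping odd lines, is the point of the validation: a diff that silently ignores a malformed or truncated entry would report "no change" for a file that in fact changed, which is exactly the signal a reviewer of a managed-module update depends on.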
@pkwarren
Member

Just minor comments but this looks super handy - it will make it much easier for reviewers of updates to managed modules if we include this information somewhere.
@unmultimedio unmultimedio requested a review from pkwarren February 7, 2025 14:33
@unmultimedio unmultimedio merged commit 6ec4489 into main Feb 7, 2025
4 checks passed
@unmultimedio unmultimedio deleted the jfigueroa/cas-diff branch February 7, 2025 16:24