mesh/v1alpha1/config.proto

// Copyright 2017 Istio Authors
//
//   Licensed under the Apache License, Version 2.0 (the "License");
//   you may not use this file except in compliance with the License.
//   You may obtain a copy of the License at
//
//       http://www.apache.org/licenses/LICENSE-2.0
//
//   Unless required by applicable law or agreed to in writing, software
//   distributed under the License is distributed on an "AS IS" BASIS,
//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
//   See the License for the specific language governing permissions and
//   limitations under the License.

syntax = "proto3";

import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto";
import "mesh/v1alpha1/proxy.proto";
import "networking/v1alpha3/destination_rule.proto";
import "networking/v1alpha3/virtual_service.proto";

// $title: Global Mesh Options
// $description: Configuration affecting the service mesh as a whole.
// $location: https://istio.io/docs/reference/config/istio.mesh.v1alpha1.html
// $weight: 20
// $mode: package

// Configuration affecting the service mesh as a whole.
package istio.mesh.v1alpha1;

option go_package="istio.io/api/mesh/v1alpha1";

// MeshConfig defines mesh-wide settings for the Istio service mesh.
message MeshConfig {
  // Port on which Envoy should listen for all outbound traffic to other services.
  // Default port is 15001.
  int32 proxy_listen_port = 4;

  // Port on which Envoy should listen for all inbound traffic to the pod/vm will be captured to.
  // Default port is 15006.
  int32 proxy_inbound_listen_port = 65;

  // Port on which Envoy should listen for HTTP PROXY requests if set.
  int32 proxy_http_port = 5;

  // Connection timeout used by Envoy. (MUST be >=1ms)
  // Default timeout is 10s.
  google.protobuf.Duration connect_timeout = 6;

  // $hide_from_docs
  // Automatic protocol detection uses a set of heuristics to
  // determine whether the connection is using TLS or not (on the
  // server side), as well as the application protocol being used
  // (e.g., http vs tcp). These heuristics rely on the client sending
  // the first bits of data. For server first protocols like MySQL,
  // MongoDB, etc. Envoy will timeout on the protocol detection after
  // the specified period, defaulting to non mTLS plain TCP
  // traffic. Set this field to tweak the period that Envoy will wait
  // for the client to send the first bits of data. (MUST be >=1ms or
  // 0s to disable). Default detection timeout is 0s (no timeout).
  //
  // Setting a timeout is not recommended nor safe. Even high timeouts (>5s) will be hit
  // occasionally, and when they occur the result is typically broken traffic that may not
  // recover on its own. Exceptionally high values might solve this, but injecting 60s delays
  // onto new connections is generally not tenable anyways.
  google.protobuf.Duration protocol_detection_timeout = 42;

  // If set then set `SO_KEEPALIVE` on the socket to enable TCP Keepalives.
  istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive tcp_keepalive = 28;

  // Class of ingress resources to be processed by Istio ingress
  // controller. This corresponds to the value of
  // `kubernetes.io/ingress.class` annotation.
  string ingress_class = 7;

  // Name of the Kubernetes service used for the istio ingress controller.
  // If no ingress controller is specified, the default value `istio-ingressgateway` is used.
  string ingress_service = 8;

  enum IngressControllerMode {
    // Unspecified Istio ingress controller.
    UNSPECIFIED = 0;

    // Disables Istio ingress controller.
    OFF = 1;

    // Istio ingress controller will act on ingress resources that do not
    // contain any annotation or whose annotations match the value
    // specified in the ingressClass parameter described earlier. Use this
    // mode if Istio ingress controller will be the default ingress
    // controller for the entire Kubernetes cluster.
    DEFAULT = 2;

    // Istio ingress controller will only act on ingress resources whose
    // annotations match the value specified in the ingressClass parameter
    // described earlier. Use this mode if Istio ingress controller will be
    // a secondary ingress controller (e.g., in addition to a
    // cloud-provided ingress controller).
    STRICT = 3;
  }

  // Defines whether to use Istio ingress controller for annotated or all ingress resources.
  // Default mode is `STRICT`.
  IngressControllerMode ingress_controller_mode = 9;

  // Defines which gateway deployment to use as the Ingress controller. This field corresponds to
  // the Gateway.selector field, and will be set as `istio: INGRESS_SELECTOR`.
  // By default, `ingressgateway` is used, which will select the default IngressGateway as it has the
  // `istio: ingressgateway` labels.
  // It is recommended that this is the same value as ingressService.
  string ingress_selector = 52;

  // $hide_from_docs
  enum AuthPolicy {
    NONE = 0;
    MUTUAL_TLS = 1;
  }

  // Flag to control generation of trace spans and request IDs.
  // Requires a trace span collector defined in the proxy configuration.
  bool enable_tracing = 12;

  // File address for the proxy access log (e.g. /dev/stdout).
  // Empty value disables access logging.
  string access_log_file = 13;

  // Format for the proxy access log
  // Empty value results in proxy's default access log format
  string access_log_format = 24;

  enum AccessLogEncoding {
    // text encoding for the proxy access log
    TEXT = 0;

    // json encoding for the proxy access log
    JSON = 1;
  }

  // Encoding for the proxy access log (`TEXT` or `JSON`).
  // Default value is `TEXT`.
  AccessLogEncoding access_log_encoding = 27;

  // This flag enables Envoy's gRPC Access Log Service.
  // See [Access Log Service](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto)
  // for details about Envoy's gRPC Access Log Service API.
  // Default value is `false`.
  bool enable_envoy_access_log_service = 40;

  // This flag disables Envoy Listener logs.
  // See [Listener Access Log](https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/listener/v3/listener.proto#envoy-v3-api-field-config-listener-v3-listener-access-log)
  // Istio Enables Envoy's listener access logs on "NoRoute" response flag.
  // Default value is `false`.
  bool disable_envoy_listener_log = 56;

  // Default proxy config used by gateway and sidecars.
  // In case of Kubernetes, the proxy config is applied once during the injection process,
  // and remain constant for the duration of the pod. The rest of the mesh config can be changed
  // at runtime and config gets distributed dynamically.
  // On Kubernetes, this can be overridden on individual pods with the `proxy.istio.io/config` annotation.
  ProxyConfig default_config = 14;

  // `OutboundTrafficPolicy` sets the default behavior of the sidecar for
  // handling unknown outbound traffic from the application.
  message OutboundTrafficPolicy {
    enum Mode {
      // In `REGISTRY_ONLY` mode, unknown outbound traffic will be dropped.
      // Traffic destinations must be explicitly declared into the service registry through `ServiceEntry` configurations.
      //
      // Note: Istio [does not offer an outbound traffic security policy](https://istio.io/latest/docs/ops/best-practices/security/#understand-traffic-capture-limitations).
      // This option does not act as one, or as any form of an outbound firewall.
      // Instead, this option exists primarily to offer users a way to detect missing `ServiceEntry` configurations by explicitly failing.
      REGISTRY_ONLY = 0;
      // In `ALLOW_ANY` mode, any traffic to unknown destinations will be allowed.
      // Unknown destination traffic will have limited functionality, however, such as reduced observability.
      // This mode allows users that do not have all possible egress destinations registered through `ServiceEntry` configurations to still connect
      // to arbitrary destinations.
      ALLOW_ANY = 1;

      reserved 2;
      reserved "VIRTUAL_SERVICE_ONLY";
    }
    Mode mode = 1;
  }

  // Set the default behavior of the sidecar for handling outbound
  // traffic from the application.
  //
  // Can be overridden at a Sidecar level by setting the `OutboundTrafficPolicy` in the
  // [Sidecar API](https://istio.io/docs/reference/config/networking/sidecar/#OutboundTrafficPolicy).
  //
  // Default mode is `ALLOW_ANY`, which means outbound traffic to unknown destinations will be allowed.
  OutboundTrafficPolicy outbound_traffic_policy = 17;

  message InboundTrafficPolicy {
    enum Mode {
      // inbound traffic will be passed through to the destination listening
      // on Pod IP. This matches the behavior without Istio enabled at all
      // allowing proxy to be transparent.
      PASSTHROUGH = 0;
      // inbound traffic will be sent to the destinations listening on localhost.
      LOCALHOST = 1;
    }
    Mode mode = 1;
  }

  // Set the default behavior of the sidecar for handling inbound
  // traffic to the application.  If your application listens on
  // localhost, you will need to set this to `LOCALHOST`.
  InboundTrafficPolicy inbound_traffic_policy = 66;

  // ConfigSource describes a source of configuration data for networking
  // rules, and other Istio configuration artifacts. Multiple data sources
  // can be configured for a single control plane.
  repeated ConfigSource config_sources = 22;

  // This flag is used to enable mutual `TLS` automatically for service to service communication
  // within the mesh, default true.
  // If set to true, and a given service does not have a corresponding `DestinationRule` configured,
  // or its `DestinationRule` does not have ClientTLSSettings specified, Istio configures client side
  // TLS configuration appropriately. More specifically,
  // If the upstream authentication policy is in `STRICT` mode, use Istio provisioned certificate
  // for mutual `TLS` to connect to upstream.
  // If upstream service is in plain text mode, use plain text.
  // If the upstream authentication policy is in PERMISSIVE mode, Istio configures clients to use
  // mutual `TLS` when server sides are capable of accepting mutual `TLS` traffic.
  // If service `DestinationRule` exists and has `ClientTLSSettings` specified, that is always used instead.
  google.protobuf.BoolValue enable_auto_mtls = 43;

  // The trust domain corresponds to the trust root of a system.
  // Refer to [SPIFFE-ID](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md#21-trust-domain)
  string trust_domain = 26;

  // The trust domain aliases represent the aliases of `trustDomain`.
  // For example, if we have
  // ```yaml
  // trustDomain: td1
  // trustDomainAliases: ["td2", "td3"]
  // ```
  // Any service with the identity `td1/ns/foo/sa/a-service-account`, `td2/ns/foo/sa/a-service-account`,
  // or `td3/ns/foo/sa/a-service-account` will be treated the same in the Istio mesh.
  repeated string trust_domain_aliases = 46;

  message CertificateData {
    oneof certificate_data {
      // The PEM data of the certificate.
      string pem = 1;
      // The SPIFFE bundle endpoint URL that complies to:
      // https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#the-spiffe-trust-domain-and-bundle
      // The endpoint should support authentication based on Web PKI:
      // https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE_Trust_Domain_and_Bundle.md#521-web-pki
      // The certificate is retrieved from the endpoint.
      string spiffe_bundle_url = 2;
    }
    // Optional. Specify the kubernetes signers (External CA) that use this trustAnchor
    // when Istiod is acting as RA(registration authority)
    // If set, they are used for these signers. Otherwise, this trustAnchor is used for all signers.
    repeated string cert_signers = 3;

    // Optional. Specify the list of trust domains to which this trustAnchor data belongs.
    // If set, they are used for these trust domains. Otherwise, this trustAnchor is used for default trust domain
    // and its aliases.
    // Note that we can have multiple trustAnchor data for a same trustDomain.
    // In that case, trustAnchors with a same trust domain will be merged and used together to verify peer certificates.
    // If neither certSigners nor trustDomains is set, this trustAnchor is used for all trust domains and all signers.
    // If only trustDomains is set, this trustAnchor is used for these trustDomains and all signers.
    // If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains.
    // If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains.
    repeated string trust_domains = 4;
  }

  // The extra root certificates for workload-to-workload communication.
  // The plugin certificates (the 'cacerts' secret) or self-signed certificates (the 'istio-ca-secret' secret)
  // are automatically added by Istiod.
  // The CA certificate that signs the workload certificates is automatically added by Istio Agent.
  repeated CertificateData ca_certificates = 58;

  // The default value for the ServiceEntry.exportTo field and services
  // imported through container registry integrations, e.g. this applies to
  // Kubernetes Service resources. The value is a list of namespace names and
  // reserved namespace aliases. The allowed namespace aliases are:
  // ```
  // * - All Namespaces
  // . - Current Namespace
  // ~ - No Namespace
  // ```
  // If not set the system will use "*" as the default value which implies that
  // services are exported to all namespaces.
  //
  // `All namespaces` is a reasonable default for implementations that don't
  // need to restrict access or visibility of services across namespace
  // boundaries. If that requirement is present it is generally good practice to
  // make the default `Current namespace` so that services are only visible
  // within their own namespaces by default. Operators can then expand the
  // visibility of services to other namespaces as needed. Use of `No Namespace`
  // is expected to be rare but can have utility for deployments where
  // dependency management needs to be precise even within the scope of a single
  // namespace.
  //
  // For further discussion see the reference documentation for `ServiceEntry`,
  // `Sidecar`, and `Gateway`.
  repeated string default_service_export_to = 31;

  // The default value for the VirtualService.exportTo field. Has the same
  // syntax as `defaultServiceExportTo`.
  //
  // If not set the system will use "*" as the default value which implies that
  // virtual services are exported to all namespaces
  repeated string default_virtual_service_export_to = 32;

  // The default value for the `DestinationRule.exportTo` field. Has the same
  // syntax as `defaultServiceExportTo`.
  //
  // If not set the system will use "*" as the default value which implies that
  // destination rules are exported to all namespaces
  repeated string default_destination_rule_export_to = 33;

  // The namespace to treat as the administrative root namespace for
  // Istio configuration. When processing a leaf namespace Istio will search for
  // declarations in that namespace first and if none are found it will
  // search in the root namespace. Any matching declaration found in the root
  // namespace is processed as if it were declared in the leaf namespace.
  //
  // The precise semantics of this processing are documented on each resource
  // type.
  string root_namespace = 34;

  // Locality based load balancing distribution or failover settings.
  // If unspecified, locality based load balancing will be enabled by default.
  // However, this requires outlierDetection to actually take effect for a particular
  // service, see https://istio.io/latest/docs/tasks/traffic-management/locality-load-balancing/failover/
  istio.networking.v1alpha3.LocalityLoadBalancerSetting locality_lb_setting = 35;

  // Configures DNS refresh rate for Envoy clusters of type `STRICT_DNS`
  // Default refresh rate is `60s`.
  google.protobuf.Duration dns_refresh_rate = 36;

  // Default Policy for upgrading http1.1 connections to http2.
  enum H2UpgradePolicy {
    // Do not upgrade connections to http2.
    DO_NOT_UPGRADE = 0;
    // Upgrade the connections to http2.
    UPGRADE = 1;
  }

  // Specify if http1.1 connections should be upgraded to http2 by default.
  // if sidecar is installed on all pods in the mesh, then this should be set to `UPGRADE`.
  // If one or more services or namespaces do not have sidecar(s), then this should be set to `DO_NOT_UPGRADE`.
  // It can be enabled by destination using the `destinationRule.trafficPolicy.connectionPool.http.h2UpgradePolicy` override.
  H2UpgradePolicy h2_upgrade_policy = 41;

  // Name to be used while emitting statistics for inbound clusters. The same pattern is used while computing stat prefix for
  // network filters like TCP and Redis.
  // By default, Istio emits statistics with the pattern `inbound|<port>|<port-name>|<service-FQDN>`.
  // For example `inbound|7443|grpc-reviews|reviews.prod.svc.cluster.local`. This can be used to override that pattern.
  //
  // A Pattern can be composed of various pre-defined variables. The following variables are supported.
  //
  // - `%SERVICE%` - Will be substituted with short hostname of the service.
  // - `%SERVICE_NAME%` - Will be substituted with name of the service.
  // - `%SERVICE_FQDN%` - Will be substituted with FQDN of the service.
  // - `%SERVICE_PORT%` - Will be substituted with port of the service.
  // - `%TARGET_PORT%`  - Will be substituted with the target port of the service.
  // - `%SERVICE_PORT_NAME%` - Will be substituted with port name of the service.
  //
  // Following are some examples of supported patterns for reviews:
  //
  // - `%SERVICE_FQDN%_%SERVICE_PORT%` will use reviews.prod.svc.cluster.local_7443 as the stats name.
  // - `%SERVICE%` will use reviews.prod as the stats name.
  string inbound_cluster_stat_name = 44;

  // Name to be used while emitting statistics for outbound clusters. The same pattern is used while computing stat prefix for
  // network filters like TCP and Redis.
  // By default, Istio emits statistics with the pattern `outbound|<port>|<subsetname>|<service-FQDN>`.
  // For example `outbound|8080|v2|reviews.prod.svc.cluster.local`. This can be used to override that pattern.
  //
  // A Pattern can be composed of various pre-defined variables. The following variables are supported.
  //
  // - `%SERVICE%` - Will be substituted with short hostname of the service.
  // - `%SERVICE_NAME%` - Will be substituted with name of the service.
  // - `%SERVICE_FQDN%` - Will be substituted with FQDN of the service.
  // - `%SERVICE_PORT%` - Will be substituted with port of the service.
  // - `%SERVICE_PORT_NAME%` - Will be substituted with port name of the service.
  // - `%SUBSET_NAME%` - Will be substituted with subset.
  //
  // Following are some examples of supported patterns for reviews:
  //
  // - `%SERVICE_FQDN%_%SERVICE_PORT%` will use `reviews.prod.svc.cluster.local_7443` as the stats name.
  // - `%SERVICE%` will use reviews.prod as the stats name.
  string outbound_cluster_stat_name = 45;

  // $hide_from_docs
  // Configure the provision of certificates.
  //
  // Note: Deprecated, please refer to Cert-Manager or other cert provisioning solutions to sign DNS certificates.
  repeated Certificate certificates = 47 [deprecated=true];

  reserved 49;
  reserved "thrift_config";

  // $hide_from_docs
  // Settings to be applied to select services.
  //
  // For example, the following configures all services in namespace "foo" as well as the
  // "bar" service in namespace "baz" to be considered cluster-local:
  //
  // ```yaml
  // serviceSettings:
  //   - settings:
  //       clusterLocal: true
  //     hosts:
  //       - "*.foo.svc.cluster.local"
  //       - "bar.baz.svc.cluster.local"
  // ```
  message ServiceSettings {
    // Settings for the selected services.
    message Settings {
      // If true, specifies that the client and service endpoints must reside in the same cluster.
      // By default, in multi-cluster deployments, the Istio control plane assumes all service
      // endpoints to be reachable from any client in any of the clusters which are part of the
      // mesh. This configuration option limits the set of service endpoints visible to a client
      // to be cluster scoped.
      //
      // There are some common scenarios when this can be useful:
      //
      //   - A service (or group of services) is inherently local to the cluster and has local storage
      //     for that cluster. For example, the kube-system namespace (e.g. the Kube API Server).
      //   - A mesh administrator wants to slowly migrate services to Istio. They might start by first
      //     having services cluster-local and then slowly transition them to mesh-wide. They could do
      //     this service-by-service (e.g. mysvc.myns.svc.cluster.local) or as a group
      //     (e.g. *.myns.svc.cluster.local).
      //
      // By default Istio will consider kubernetes.default.svc (i.e. the API Server) as well as all
      // services in the kube-system namespace to be cluster-local, unless explicitly overridden here.
      bool cluster_local = 1;
    }

    // The settings to apply to the selected services.
    Settings settings = 1;

    // The services to which the Settings should be applied. Services are selected using the hostname
    // matching rules used by DestinationRule.
    //
    // For example: foo.bar.svc.cluster.local, *.baz.svc.cluster.local
    repeated string hosts = 2;
  }

  // $hide_from_docs
  // Settings to be applied to select services.
  repeated ServiceSettings service_settings = 50;

  // If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy
  // and Istio agent. The sidecar injection will replace `prometheus.io` annotations present on the pod
  // and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics.
  // This relies on the annotations `prometheus.io/scrape`, `prometheus.io/port`, and
  // `prometheus.io/path` annotations.
  // If you are running a separately managed Envoy with an Istio sidecar, this may cause issues, as the metrics will collide.
  // In this case, it is recommended to disable aggregation on that deployment with the
  // `prometheus.istio.io/merge-metrics: "false"` annotation.
  // If not specified, this will be enabled by default.
  google.protobuf.BoolValue enable_prometheus_merge = 51;

  // $hide_from_docs
  // `VerifyCertificateAtClient` sets the mesh global default for peer certificate validation
  // at the client-side proxy when `SIMPLE` TLS or `MUTUAL` TLS (non `ISTIO_MUTUAL`) origination
  // modes are used. This setting can be overridden at the host level via DestinationRule API.
  // By default, `VerifyCertificateAtClient` is `true`.
  //
  // `CaCertificates`: If set, proxy verifies CA signature based on given CaCertificates. If unset,
  // and VerifyCertificateAtClient is true, proxy uses default System CA bundle. If unset and
  // `VerifyCertificateAtClient` is false, proxy will not verify the CA.
  //
  // `SubjectAltNames`: If set, proxy verifies subject alt names are present in the SAN. If unset,
  // and `VerifyCertificateAtClient` is true, proxy uses host in destination rule to verify the SANs.
  // If unset, and `VerifyCertificateAtClient` is false, proxy does not verify SANs.
  //
  // For SAN, client-side proxy will exact match host in `DestinationRule` as well as one level
  // wildcard if the specified host in DestinationRule doesn't contain a wildcard.
  // For example, if the host in `DestinationRule` is `x.y.com`, client-side proxy will
  // match either `x.y.com` or `*.y.com` for the SAN in the presented server certificate.
  // For wildcard host name in DestinationRule, client-side proxy will do a suffix match. For example,
  // if host is `*.x.y.com`, client-side proxy will verify the presented server certificate SAN matches
  // ``.x.y.com` suffix.
  google.protobuf.BoolValue verify_certificate_at_client = 54 [deprecated=true];

  message CA {
    // REQUIRED. Address of the CA server implementing the Istio CA gRPC API.
    // Can be IP address or a fully qualified DNS name with port
    // Eg: custom-ca.default.svc.cluster.local:8932, 192.168.23.2:9000
    string address = 1;
    // Use the tlsSettings to specify the tls mode to use.
    // Regarding tlsSettings:
    // - DISABLE MODE is legitimate for the case Istiod is making the request via an Envoy sidecar.
    // DISABLE MODE can also be used for testing
    // - TLS MUTUAL MODE be on by default. If the CA certificates
    // (cert bundle to verify the CA server's certificate) is omitted, Istiod will
    // use the system root certs to verify the CA server's certificate.
    istio.networking.v1alpha3.ClientTLSSettings tls_settings = 2;
    // timeout for forward CSR requests from Istiod to External CA
    // Default: 10s
    google.protobuf.Duration request_timeout = 3;
    // Use istiodSide to specify CA Server integrate to Istiod side or Agent side
    // Default: true
    bool istiod_side = 4;
  }
  // $hide_from_docs
  // If specified, Istiod will authorize and forward the CSRs from the workloads to the specified external CA
  // using the Istio CA gRPC API.
  CA ca = 55;

  message ExtensionProvider {
    // REQUIRED. A unique name identifying the extension provider.
    string name = 1;

    // REQUIRED. Specifies detailed configuration for the extension provider.
    oneof provider {
      // Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the HTTP API.
      EnvoyExternalAuthorizationHttpProvider envoy_ext_authz_http = 2;
      // Configures an external authorizer that implements the Envoy ext_authz filter authorization check service using the gRPC API.
      EnvoyExternalAuthorizationGrpcProvider envoy_ext_authz_grpc = 3;
      // Configures a tracing provider that uses the Zipkin API.
      ZipkinTracingProvider zipkin = 4;
      // $hide_from_docs
      // Configures a Lightstep tracing provider.
      // Deprecated: For Istio 1.15+, please use an OpenTelemetryTracingProvider instead, more details can be found at https://github.com/istio/istio/issues/40027
      LightstepTracingProvider lightstep = 5 [deprecated=true];
      // Configures a Datadog tracing provider.
      DatadogTracingProvider datadog = 6;
      // $hide_from_docs
      // Configures a Stackdriver provider.
      StackdriverProvider stackdriver = 7;
      // $hide_from_docs
      // Configures an OpenCensusAgent tracing provider.
      // Deprecated: OpenCensus is deprecated, more details can be found at https://opentelemetry.io/blog/2023/sunsetting-opencensus/
      OpenCensusAgentTracingProvider opencensus = 8 [deprecated=true];
      // Configures a Apache SkyWalking provider.
      SkyWalkingTracingProvider skywalking = 9;
      // Configures an OpenTelemetry tracing provider.
      OpenTelemetryTracingProvider opentelemetry = 15;
      // Configures a Prometheus metrics provider.
      PrometheusMetricsProvider prometheus = 10;
      // Configures an Envoy File Access Log provider.
      EnvoyFileAccessLogProvider envoy_file_access_log = 11;
      // Configures an Envoy Access Logging Service provider for HTTP traffic.
      EnvoyHttpGrpcV3LogProvider envoy_http_als = 12;
      // Configures an Envoy Access Logging Service provider for TCP traffic.
      EnvoyTcpGrpcV3LogProvider envoy_tcp_als = 13;
      // Configures an Envoy Open Telemetry Access Logging Service provider.
      EnvoyOpenTelemetryLogProvider envoy_otel_als = 14;

      // $hide_from_docs
      // next id: 16
    }

    message EnvoyExternalAuthorizationRequestBody {
      // Sets the maximum size of a message body that the ext-authz filter will hold in memory.
      // If maxRequestBytes is reached, and allowPartialMessage is false, Envoy will return a 413 (Payload Too Large).
      // Otherwise the request will be sent to the provider with a partial message.
      // Note that this setting will have precedence over the failOpen field, the 413 will be returned even when the
      // failOpen is set to true.
      uint32 max_request_bytes = 1;

      // When this field is true, ext-authz filter will buffer the message until maxRequestBytes is reached.
      // The authorization request will be dispatched and no 413 HTTP error will be returned by the filter.
      // A "x-envoy-auth-partial-body: false|true" metadata header will be added to the authorization request message
      // indicating if the body data is partial.
      bool allow_partial_message = 2;

      // If true, the body sent to the external authorization service in the gRPC authorization request is set with raw bytes
      // in the [raw_body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L153).
      // Otherwise, it will be filled with UTF-8 string in the [body field](https://github.com/envoyproxy/envoy/blame/cffb095d59d7935abda12b9509bcd136808367bb/api/envoy/service/auth/v3/attribute_context.proto#L147).
      // This field only works with the envoyExtAuthzGrpc provider and has no effect for the envoyExtAuthzHttp provider.
      bool pack_as_bytes = 3;
    }

    message EnvoyExternalAuthorizationHttpProvider {
      // REQUIRED. Specifies the service that implements the Envoy ext_authz HTTP authorization service.
      // The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
      // to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
      // service defined by the Kubernetes service or ServiceEntry.
      //
      // Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com".
      string service = 1;

      // REQUIRED. Specifies the port of the service.
      uint32 port = 2;

      // The maximum duration that the proxy will wait for a response from the provider (default timeout: 600s).
      // When this timeout condition is met, the proxy marks the communication to the authorization service as failure.
      // In this situation, the response sent back to the client will depend on the configured `failOpen` field.
      google.protobuf.Duration timeout = 9;

      // Sets a prefix to the value of authorization request header *Path*.
      // For example, setting this to "/check" for an original user request at path "/admin" will cause the
      // authorization check request to be sent to the authorization service at the path "/check/admin" instead of "/admin".
      string path_prefix = 3;

      // If true, the user request will be allowed even if the communication with the authorization service has failed,
      // or if the authorization service has returned a HTTP 5xx error.
      // Default is false and the request will be rejected with "Forbidden" response.
      bool fail_open = 4;

      // If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions.
      // If true, recalculate routes with the new ExtAuthZ added/removed headers.
      // Default is false
      bool clear_route_cache = 14;

      // Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
      // The default status is "403" (HTTP Forbidden).
      string status_on_error = 5;

      // DEPRECATED. Use includeRequestHeadersInCheck instead.
      repeated string include_headers_in_check = 6 [deprecated=true];

      // List of client request headers that should be included in the authorization request sent to the authorization service.
      // Note that in addition to the headers specified here following headers are included by default:
      // 1. *Host*, *Method*, *Path* and *Content-Length* are automatically sent.
      // 2. *Content-Length* will be set to 0 and the request will not have a message body. However, the authorization
      // request can include the buffered client request body (controlled by includeRequestBodyInCheck setting),
      // consequently the value of Content-Length of the authorization request reflects the size of its payload size.
      //
      // Exact, prefix and suffix matches are supported (similar to the
      // [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)
      // except the presence match):
      // - Exact match: "abc" will match on value "abc".
      // - Prefix match: "abc*" will match on value "abc" and "abcd".
      // - Suffix match: "*abc" will match on value "abc" and "xabc".
      repeated string include_request_headers_in_check = 10;

      // Set of additional fixed headers that should be included in the authorization request sent to the authorization service.
      // Key is the header name and value is the header value.
      // Note that client request of the same key or headers specified in includeRequestHeadersInCheck will be overridden.
      map<string, string> include_additional_headers_in_check = 11;

      // If set, the client request body will be included in the authorization request sent to the authorization service.
      EnvoyExternalAuthorizationRequestBody include_request_body_in_check = 12;

      // List of headers from the authorization service that should be added or overridden in the original request and
      // forwarded to the upstream when the authorization check result is allowed (HTTP code 200).
      // If not specified, the original request will not be modified and forwarded to backend as-is.
      // Note, any existing headers will be overridden.
      //
      // Exact, prefix and suffix matches are supported (similar to the
      // [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)
      // except the presence match):
      // - Exact match: "abc" will match on value "abc".
      // - Prefix match: "abc*" will match on value "abc" and "abcd".
      // - Suffix match: "*abc" will match on value "abc" and "xabc".
      repeated string headers_to_upstream_on_allow = 7;

      // List of headers from the authorization service that should be forwarded to downstream when the authorization
      // check result is not allowed (HTTP code other than 200).
      // If not specified, all the authorization response headers, except *Authority (Host)* will be in the response to
      // the downstream.
      // When a header is included in this list, *Path*, *Status*, *Content-Length*, *WWWAuthenticate* and *Location* are
      // automatically added.
      // Note, the body from the authorization service is always included in the response to downstream.
      //
      // Exact, prefix and suffix matches are supported (similar to the
      // [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)
      // except the presence match):
      // - Exact match: "abc" will match on value "abc".
      // - Prefix match: "abc*" will match on value "abc" and "abcd".
      // - Suffix match: "*abc" will match on value "abc" and "xabc".
      repeated string headers_to_downstream_on_deny = 8;

      // List of headers from the authorization service that should be forwarded to downstream when the authorization
      // check result is allowed (HTTP code 200).
      // If not specified, the original response will not be modified and forwarded to downstream as-is.
      // Note, any existing headers will be overridden.
      //
      // Exact, prefix and suffix matches are supported (similar to the
      // [authorization policy rule syntax](https://istio.io/latest/docs/reference/config/security/authorization-policy/#Rule)
      // except the presence match):
      // - Exact match: "abc" will match on value "abc".
      // - Prefix match: "abc*" will match on value "abc" and "abcd".
      // - Suffix match: "*abc" will match on value "abc" and "xabc".
      repeated string headers_to_downstream_on_allow = 13;

      // $hide_from_docs
      // Next available field number: 15
    }

    message EnvoyExternalAuthorizationGrpcProvider {
      // REQUIRED. Specifies the service that implements the Envoy ext_authz gRPC authorization service.
      // The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
      // to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
      // service defined by the Kubernetes service or ServiceEntry.
      //
      // Example: "my-ext-authz.foo.svc.cluster.local" or "bar/my-ext-authz.example.com".
      string service = 1;

      // REQUIRED. Specifies the port of the service.
      uint32 port = 2;

      // The maximum duration that the proxy will wait for a response from the provider, this is the timeout for a specific request (default timeout: 600s).
      // When this timeout condition is met, the proxy marks the communication to the authorization service as failure.
      // In this situation, the response sent back to the client will depend on the configured `failOpen` field.
      google.protobuf.Duration timeout = 5;

      // If true, the HTTP request or TCP connection will be allowed even if the communication with the authorization service has failed,
      // or if the authorization service has returned a HTTP 5xx error.
      // Default is false. For HTTP request, it will be rejected with 403 (HTTP Forbidden). For TCP connection, it will be closed immediately.
      bool fail_open = 3;

      // If true, clears route cache in order to allow the external authorization service to correctly affect routing decisions.
      // If true, recalculate routes with the new ExtAuthZ added/removed headers.
      // Default is false
      bool clear_route_cache = 7;

      // Sets the HTTP status that is returned to the client when there is a network error to the authorization service.
      // The default status is "403" (HTTP Forbidden).
      string status_on_error = 4;

      // If set, the client request body will be included in the authorization request sent to the authorization service.
      EnvoyExternalAuthorizationRequestBody include_request_body_in_check = 6;

      // $hide_from_docs
      // Next available field number: 8
    }

    // Defines configuration for a Zipkin tracer.
    message ZipkinTracingProvider {
      // REQUIRED. Specifies the service that the Zipkin API.
      // The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
      // to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
      // service defined by the Kubernetes service or ServiceEntry.
      //
      // Example: "zipkin.default.svc.cluster.local" or "bar/zipkin.example.com".
      string service = 1;

      // REQUIRED. Specifies the port of the service.
      uint32 port = 2;

      // Optional. Controls the overall path length allowed in a reported span.
      // NOTE: currently only controls max length of the path tag.
      uint32 max_tag_length = 3;

      // Optional. A 128 bit trace id will be used in Istio.
      // If true, will result in a 64 bit trace id being used.
      bool enable_64bit_trace_id = 4;

      // Optional. Specifies the endpoint of Zipkin API.
      // The default value is "/api/v2/spans".
      string path = 5;
    }

    // Defines configuration for a Lightstep tracer.
    // Note: Lightstep has moved to OpenTelemetry-based integrations. Istio 1.15+
    // will generate OpenTelemetry-compatible configuration when using this option.
    message LightstepTracingProvider {
      // REQUIRED. Specifies the service for the Lightstep collector.
      // The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
      // to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
      // service defined by the Kubernetes service or ServiceEntry.
      //
      // Example: "lightstep.default.svc.cluster.local" or "bar/lightstep.example.com".
      string service = 1;

      // REQUIRED. Specifies the port of the service.
      uint32 port = 2;

      // The Lightstep access token.
      string access_token = 3;

      // Optional. Controls the overall path length allowed in a reported span.
      // NOTE: currently only controls max length of the path tag.
      uint32 max_tag_length = 4;
    }

    // Defines configuration for a Datadog tracer.
    message DatadogTracingProvider {
      // REQUIRED. Specifies the service for the Datadog agent.
      // The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
      // to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
      // service defined by the Kubernetes service or ServiceEntry.
      //
      // Example: "datadog.default.svc.cluster.local" or "bar/datadog.example.com".
      string service = 1;

      // REQUIRED. Specifies the port of the service.
      uint32 port = 2;

      // Optional. Controls the overall path length allowed in a reported span.
      // NOTE: currently only controls max length of the path tag.
      uint32 max_tag_length = 3;
    }

    // Defines configuration for a SkyWalking tracer.
    message SkyWalkingTracingProvider {
      // REQUIRED. Specifies the service for the SkyWalking receiver.
      // The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
      // to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
      // service defined by the Kubernetes service or ServiceEntry.
      //
      // Example: "skywalking.default.svc.cluster.local" or "bar/skywalking.example.com".
      string service = 1;

      // REQUIRED. Specifies the port of the service.
      uint32 port = 2;

      // Optional. The SkyWalking OAP access token.
      string access_token = 3;
    }

    // Defines configuration for Stackdriver.
    //
    // WARNING: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used
    // alongside any OpenCensus provider configuration. This is due to a limitation in the implementation of OpenCensus
    // driver in Envoy.
    message StackdriverProvider {
      // debug enables trace output to stdout.
      // $hide_from_docs
      bool debug = 1 [deprecated=true];
      // The global default max number of attributes per span.
      // default is 200.
      // $hide_from_docs
      google.protobuf.Int64Value max_number_of_attributes = 2 [deprecated=true];
      // The global default max number of annotation events per span.
      // default is 200.
      // $hide_from_docs
      google.protobuf.Int64Value max_number_of_annotations = 3 [deprecated=true];
      // The global default max number of message events per span.
      // default is 200.
      // $hide_from_docs
      google.protobuf.Int64Value max_number_of_message_events = 4 [deprecated=true];

      // Optional. Controls the overall path length allowed in a reported span.
      // NOTE: currently only controls max length of the path tag.
      uint32 max_tag_length = 5;

      message Logging {
        // Collection of tag names and tag expressions to include in the log
        // entry. Conflicts are resolved by the tag name by overriding previously
        // supplied values.
        //
        // Example:
        //   labels:
        //     path: request.url_path
        //     foo: request.headers['x-foo']
        map<string, string> labels = 1;
      }

      // Optional. Controls Stackdriver logging behavior.
      Logging logging = 6;
    }

    // Defines configuration for an OpenCensus tracer writing to an OpenCensus backend.
    //
    // WARNING: OpenCensusAgentTracingProviders should be used with extreme care. Configuration of
    // OpenCensus providers CANNOT be changed during the course of proxy's lifetime due to a limitation
    // in the implementation of OpenCensus driver in Envoy. This means only a single provider configuration
    // may be used for OpenCensus at any given time for a proxy or group of proxies AND that any change to the provider
    // configuration MUST be accompanied by a restart of all proxies that will use that configuration.
    //
    // NOTE: Stackdriver tracing uses OpenCensus configuration under the hood and, as a result, cannot be used
    // alongside OpenCensus provider configuration.
    message OpenCensusAgentTracingProvider {
      // REQUIRED. Specifies the service for the OpenCensusAgent.
      // The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
      // to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
      // service defined by the Kubernetes service or ServiceEntry.
      //
      // Example: "ocagent.default.svc.cluster.local" or "bar/ocagent.example.com".
      string service = 1;

      // REQUIRED. Specifies the port of the service.
      uint32 port = 2;

      // TraceContext selects the context propagation headers used for
      // distributed tracing.
      enum TraceContext {
        // $hide_from_docs
        // Unspecified context. Should not be used for now, but added to reserve
        // the 0 enum value if TraceContext is used outside of a repeated field.
        UNSPECIFIED = 0;
        // Use W3C Trace Context propagation using the `traceparent` HTTP header.
        // See the
        // [Trace Context documentation](https://www.w3.org/TR/trace-context/) for details.
        W3C_TRACE_CONTEXT = 1;
        // Use gRPC binary context propagation using the `grpc-trace-bin` http header.
        GRPC_BIN = 2;
        // Use Cloud Trace context propagation using the
        // `X-Cloud-Trace-Context` http header.
        CLOUD_TRACE_CONTEXT = 3;
        // Use multi-header B3 context propagation using the `X-B3-TraceId`,
        // `X-B3-SpanId`, and `X-B3-Sampled` HTTP headers. See
        // [B3 header propagation README](https://github.com/openzipkin/b3-propagation)
        // for details.
        B3 = 4;
      }

      // Specifies the set of context propagation headers used for distributed
      // tracing. Default is `["W3C_TRACE_CONTEXT"]`. If multiple values are specified,
      // the proxy will attempt to read each header for each request and will
      // write all headers.
      repeated TraceContext context = 3;

      // Optional. Controls the overall path length allowed in a reported span.
      // NOTE: currently only controls max length of the path tag.
      uint32 max_tag_length = 4;
    }

    message PrometheusMetricsProvider {}

    // Defines configuration for Envoy-based access logging that writes to
    // local files (and/or standard streams).
    message EnvoyFileAccessLogProvider {
      // Path to a local file to write the access log entries.
      // This may be used to write to streams, via `/dev/stderr` and `/dev/stdout`
      // If unspecified, defaults to `/dev/stdout`.
      string path = 1;

      message LogFormat {
        oneof log_format {
          // Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be
          // used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings)
          // provides more information.
          //
          // NOTE: Istio will insert a newline ('\n') on all formats (if missing).
          //
          // Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"`
          string text = 1;

          // JSON structured format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)
          // can be used as values for fields within the Struct. Values are rendered
          // as strings, numbers, or boolean values, as appropriate
          // (see: [format dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is
          // supported for some command operators (e.g. `FILTER_STATE` or `DYNAMIC_METADATA`).
          // Use `labels: {}` for default envoy JSON log format.
          //
          // Example:
          // ```
          // labels:
          //   status: "%RESPONSE_CODE%"
          //   message: "%LOCAL_REPLY_BODY%"
          // ```
          google.protobuf.Struct labels = 2;
        }
      }

      // Optional. Allows overriding of the default access log format.
      LogFormat log_format = 2;
    }

    // Defines configuration for an Envoy [Access Logging Service](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto#grpc-access-log-service-als)
    // integration for HTTP traffic.
    message EnvoyHttpGrpcV3LogProvider {
      // REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
      // The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
      // to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
      // service defined by the Kubernetes service or ServiceEntry.
      //
      // Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".
      string service = 1;

      // REQUIRED. Specifies the port of the service.
      uint32 port = 2;

      // Optional. The friendly name of the access log.
      // Defaults:
      // -  "http_envoy_accesslog"
      // -  "listener_envoy_accesslog"
      string log_name = 3;

      // Optional. Additional filter state objects to log.
      repeated string filter_state_objects_to_log = 4;

      // Optional. Additional request headers to log.
      repeated string additional_request_headers_to_log = 5;

      // Optional. Additional response headers to log.
      repeated string additional_response_headers_to_log = 6;

      // Optional. Additional response trailers to log.
      repeated string additional_response_trailers_to_log = 7;
    }

    // Defines configuration for an Envoy [Access Logging Service](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/grpc/v3/als.proto#grpc-access-log-service-als)
    // integration for TCP traffic.
    message EnvoyTcpGrpcV3LogProvider {
      // REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
      // The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
      // to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
      // service defined by the Kubernetes service or ServiceEntry.
      //
      // Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".
      string service = 1;

      // REQUIRED. Specifies the port of the service.
      uint32 port = 2;

      // Optional. The friendly name of the access log.
      // Defaults:
      // - "tcp_envoy_accesslog"
      // - "listener_envoy_accesslog"
      string log_name = 3;

      // Optional. Additional filter state objects to log.
      repeated string filter_state_objects_to_log = 4;
    }

    // Defines configuration for an Envoy [OpenTelemetry (gRPC) Access Log](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)
    message EnvoyOpenTelemetryLogProvider {
      // REQUIRED. Specifies the service that implements the Envoy ALS gRPC authorization service.
      // The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
      // to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
      // service defined by the Kubernetes service or ServiceEntry.
      //
      // Example: "envoy-als.foo.svc.cluster.local" or "bar/envoy-als.example.com".
      string service = 1;

      // REQUIRED. Specifies the port of the service.
      uint32 port = 2;

      // Optional. The friendly name of the access log.
      // Defaults:
      // - "otel_envoy_accesslog"
      string log_name = 3;

      // Optional. Format for the proxy access log
      // Empty value results in proxy's default access log format, following Envoy access logging formatting.
      LogFormat log_format = 4;

      message LogFormat {
          // Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be
          // used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings)
          // provides more information.
          // Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)
          // Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"`
          string text = 1;

          // Optional. Additional attributes that describe the specific event occurrence.
          // Structured format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)
          // can be used as values for fields within the Struct. Values are rendered
          // as strings, numbers, or boolean values, as appropriate
          // (see: [format dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is
          // supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).
          // Alias to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)
          //
          // Example:
          // ```
          // labels:
          //   status: "%RESPONSE_CODE%"
          //   message: "%LOCAL_REPLY_BODY%"
          // ```
          google.protobuf.Struct labels = 2;
      }
    }

    // Defines configuration for an OpenTelemetry tracing backend. Istio 1.16.1 or higher is needed.
    message OpenTelemetryTracingProvider {
      // REQUIRED. Specifies the OpenTelemetry endpoint that will receive OTLP traces.
      // The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
      // to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
      // service defined by the Kubernetes service or ServiceEntry.
      //
      // Example: "otlp.default.svc.cluster.local" or "bar/otlp.example.com".
      string service = 1;

      // REQUIRED. Specifies the port of the service.
      uint32 port = 2;

      // Optional. Controls the overall path length allowed in a reported span.
      // NOTE: currently only controls max length of the path tag.
      uint32 max_tag_length = 3;

      // Optional. Specifies the configuration for exporting OTLP traces via HTTP.
      // When empty, traces will be exported via gRPC.
      //
      // The following example shows how to configure the OpenTelemetry ExtensionProvider to export via HTTP:
      //
      // 1. Add/change the OpenTelemetry extension provider in `MeshConfig`
      // ```yaml
      // - name: otel-tracing
      //   opentelemetry:
      //     port: 443
      //     service: my.olly-backend.com
      //     http:
      //       path: "/api/otlp/traces"
      //       timeout: 10s
      //       headers:
      //       - name: "my-custom-header"
      //         value: "some value"
      // ```
      //
      // 2. Deploy a `ServiceEntry` for the observability back-end
      // ```yaml
      // apiVersion: networking.istio.io/v1alpha3
      // kind: ServiceEntry
      // metadata:
      //   name: my-olly-backend
      // spec:
      //   hosts:
      //   - my.olly-backend.com
      //   ports:
      //   - number: 443
      //     name: https-port
      //     protocol: HTTPS
      //   resolution: DNS
      //   location: MESH_EXTERNAL
      // ---
      // apiVersion: networking.istio.io/v1alpha3
      // kind: DestinationRule
      // metadata:
      //   name: my-olly-backend
      // spec:
      //   host: my.olly-backend.com
      //   trafficPolicy:
      //     portLevelSettings:
      //     - port:
      //         number: 443
      //       tls:
      //         mode: SIMPLE
      // ```
      HttpService http = 4;

      // Optional. Specifies the configuration for exporting OTLP traces via GRPC.
      // When empty, traces will check whether HTTP is set.
      // If not, traces will use default GRPC configurations.
      //
      // The following example shows how to configure the OpenTelemetry ExtensionProvider to export via GRPC:
      //
      // 1. Add/change the OpenTelemetry extension provider in `MeshConfig`
      // ```yaml
      // - name: opentelemetry
      //   opentelemetry:
      //     port: 8090
      //     service: tracing.example.com
      //     grpc:
      //       timeout: 10s
      //       initialMetadata:
      //       - name: "Authentication"
      //         value: "token-xxxxx"
      // ```
      //
      // 2. Deploy a `ServiceEntry` for the observability back-end
      // ```yaml
      // apiVersion: networking.istio.io/v1alpha3
      // kind: ServiceEntry
      // metadata:
      //   name: tracing-grpc
      // spec:
      //   hosts:
      //   - tracing.example.com
      //   ports:
      //   - number: 8090
      //     name: grpc-port
      //     protocol: GRPC
      //   resolution: DNS
      //   location: MESH_EXTERNAL
      // ```
      GrpcService grpc = 7;

      // Optional. Specifies [Resource Detectors](https://opentelemetry.io/docs/specs/otel/resource/sdk/)
      // to be used by the OpenTelemetry Tracer. When multiple resources are provided, they are merged
      // according to the OpenTelemetry [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#merge).
      //
      // The following example shows how to configure the Environment Resource Detector, that will
      // read the attributes from the environment variable `OTEL_RESOURCE_ATTRIBUTES`:
      //
      // ```yaml
      // - name: otel-tracing
      //   opentelemetry:
      //     port: 443
      //     service: my.olly-backend.com
      //     resourceDetectors:
      //       environment: {}
      // ```
      ResourceDetectors resource_detectors = 5;

      // Optional. Configure a [Sampler](https://opentelemetry.io/docs/specs/otel/trace/sdk/#sampler)
      // to be used by the OpenTelemetry Tracer.
      oneof sampling {

        // The Dynatrace adaptive traffic management (ATM) sampler.
        //
        // Example configuration:
        //
        // ```yaml
        // - name: otel-tracing
        //   opentelemetry:
        //     port: 443
        //     service: "{your-environment-id}.live.dynatrace.com"
        //     http:
        //       path: "/api/v2/otlp/v1/traces"
        //       timeout: 10s
        //       headers:
        //         - name: "Authorization"
        //           value: "Api-Token dt0c01."
        //     resourceDetectors:
        //       dynatrace: {}
        //     dynatraceSampler:
        //       tenant: "{your-environment-id}"
        //       clusterId: 1234
        DynatraceSampler dynatrace_sampler = 6;
      }

      message DynatraceSampler {
        // REQUIRED. The Dynatrace customer's tenant identifier.
        //
        // The value can be obtained from the Istio deployment page in Dynatrace.
        string tenant = 1;

        // REQUIRED. The identifier of the cluster in the Dynatrace platform.
        // The cluster here is Dynatrace-specific concept and not related to the cluster concept in Istio/Envoy.
        //
        // The value can be obtained from the Istio deployment page in Dynatrace.
        int32 cluster_id = 2;

        // Optional. Number of sampled spans per minute to be used
        // when the adaptive value cannot be obtained from the Dynatrace API.
        //
        // A default value of `1000` is used when:
        //
        // - `rootSpansPerMinute` is unset
        // - `rootSpansPerMinute` is set to 0
        uint32 root_spans_per_minute = 3;

        // Optional. Dynatrace HTTP API to obtain sampling configuration.
        //
        // When not provided, the Dynatrace Sampler will re-use the configuration from the OpenTelemetryTracingProvider HTTP Exporter
        // (`service`, `port` and `http`), including the access token.
        DynatraceApi http_service = 4;

        message DynatraceApi {
          // REQUIRED. Specifies the Dynatrace environment to obtain the sampling configuration.
          // The format is `<Hostname>`, where `<Hostname>` is the fully qualified Dynatrace environment
          // host name defined in the ServiceEntry.
          //
          // Example: "{your-environment-id}.live.dynatrace.com".
          string service = 1;

          // REQUIRED. Specifies the port of the service.
          uint32 port = 2;

          // REQUIRED. Specifies sampling configuration URI.
          HttpService http = 3;
        }
      }
    }

    // Defines configuration for an HTTP service that can be used by an Extension Provider.
    // that does communication via HTTP.
    message HttpService {
      // REQUIRED. Specifies the path on the service.
      string path = 1;

      // Optional. Specifies the timeout for the HTTP request.
      // If not specified, the default is 3s.
      google.protobuf.Duration timeout = 2;

      // Optional. Allows specifying custom HTTP headers that will be added
      // to each HTTP request sent.
      repeated HttpHeader headers = 3;
    }

    message HttpHeader {
      // REQUIRED. The HTTP header name.
      string name = 1;
      // REQUIRED. The HTTP header value.
      string value = 2;
    }

    message ResourceDetectors {
      EnvironmentResourceDetector environment = 1;

      DynatraceResourceDetector dynatrace = 2;

      // OpenTelemetry Environment Resource Detector.
      // The resource detector reads attributes from the environment variable `OTEL_RESOURCE_ATTRIBUTES`
      // and adds them to the OpenTelemetry resource.
      //
      // See: [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#specifying-resource-information-via-an-environment-variable)
      message EnvironmentResourceDetector { }

      // Dynatrace Resource Detector.
      // The resource detector reads from the Dynatrace enrichment files
      // and adds host/process related attributes to the OpenTelemetry resource.
      //
      // See: [Enrich ingested data with Dynatrace-specific dimensions](https://docs.dynatrace.com/docs/shortlink/enrichment-files)
      message DynatraceResourceDetector { }
    }

    // Defines configuration for an GRPC service that can be used by an Extension Provider.
    // that does communication via GRPC.
    message GrpcService {
      // Optional. Specifies the timeout for the GRPC request.
      google.protobuf.Duration timeout = 1;

      // Optional. Additional metadata to include in streams initiated to the GrpcService. This can be used for
      // scenarios in which additional ad hoc authorization headers (e.g. "x-foo-bar: baz-key") are to
      // be injected.
      repeated HttpHeader initial_metadata = 2;
    }
  }

  // Defines a list of extension providers that extend Istio's functionality. For example, the AuthorizationPolicy
  // can be used with an extension provider to delegate the authorization decision to a custom authorization system.
  repeated ExtensionProvider extension_providers = 57;

  // Holds the name references to the providers that will be used by default
  // in other Istio configuration resources if the provider is not specified.
  //
  // These names must match a provider defined in `extensionProviders` that is
  // one of the supported tracing providers.
  message DefaultProviders {
    // Name of the default provider(s) for tracing.
    repeated string tracing = 1;
    // Name of the default provider(s) for metrics.
    repeated string metrics = 2;
    // Name of the default provider(s) for access logging.
    repeated string access_logging = 3;
  }

  // Specifies extension providers to use by default in Istio configuration resources.
  DefaultProviders default_providers = 60;

  // A list of Kubernetes selectors that specify the set of namespaces that Istio considers when
  // computing configuration updates for sidecars. This can be used to reduce Istio's computational load
  // by limiting the number of entities (including services, pods, and endpoints) that are watched and processed.
  // If omitted, Istio will use the default behavior of processing all namespaces in the cluster.
  // Elements in the list are disjunctive (OR semantics), i.e. a namespace will be included if it matches any selector.
  // The following example selects any namespace that matches either below:
  // 1. The namespace has both of these labels: `env: prod` and `region: us-east1`
  // 2. The namespace has label `app` equal to `cassandra` or `spark`.
  // ```yaml
  // discoverySelectors:
  //   - matchLabels:
  //       env: prod
  //       region: us-east1
  //   - matchExpressions:
  //     - key: app
  //       operator: In
  //       values:
  //         - cassandra
  //         - spark
  // ```
  // Refer to the [Kubernetes selector docs](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors)
  // for additional detail on selector semantics.
  repeated LabelSelector discovery_selectors = 59;

  message ProxyPathNormalization {
    enum NormalizationType {
      // Apply default normalizations. Currently, this is BASE.
      DEFAULT = 0;

      // No normalization, paths are used as is.
      NONE = 1;

      // Normalize according to [RFC 3986](https://tools.ietf.org/html/rfc3986).
      // For Envoy proxies, this is the [`normalize_path`](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/network/http_connection_manager/v3/http_connection_manager.proto.html) option.
      // For example, `/a/../b` normalizes to `/b`.
      BASE = 2;

      // In addition to the `BASE` normalization, consecutive slashes are also merged.
      // For example, `/a//b` normalizes to `a/b`.
      MERGE_SLASHES = 3;

      // In addition to normalization in `MERGE_SLASHES`, slash characters are UTF-8 decoded (case insensitive) prior to merging.
      // This means `%2F`, `%2f`, `%5C`, and `%5c` sequences in the request path will be rewritten to `/` or `\`.
      // For example, `/a%2f/b` normalizes to `a/b`.
      DECODE_AND_MERGE_SLASHES = 4;
    }
    NormalizationType normalization = 1;
  }

  // ProxyPathNormalization configures how URL paths in incoming and outgoing HTTP requests are
  // normalized by the sidecars and gateways.
  // The normalized paths will be used in all aspects through the requests' lifetime on the
  // sidecars and gateways, which includes routing decisions in outbound direction (client proxy),
  // authorization policy match and enforcement in inbound direction (server proxy), and the URL
  // path proxied to the upstream service.
  // If not set, the NormalizationType.DEFAULT configuration will be used.
  ProxyPathNormalization path_normalization = 61;

  // Configure the default HTTP retry policy.
  // The default number of retry attempts is set at 2 for these errors:
  //   "connect-failure,refused-stream,unavailable,cancelled,retriable-status-codes".
  // Setting the number of attempts to 0 disables retry policy globally.
  // This setting can be overridden on a per-host basis using the Virtual Service
  // API.
  // All settings in the retry policy except `perTryTimeout` can currently be
  // configured globally via this field.
  istio.networking.v1alpha3.HTTPRetry default_http_retry_policy = 62;

  message TLSConfig {
    // TLS protocol versions.
    enum TLSProtocol {
      // Automatically choose the optimal TLS version.
      TLS_AUTO = 0;

      // TLS version 1.2
      TLSV1_2 = 1;

      // TLS version 1.3
      TLSV1_3 = 2;
    }

    // Optional: the minimum TLS protocol version. The default minimum
    // TLS version will be TLS 1.2. As servers may not be Envoy and be
    // set to TLS 1.2 (e.g., workloads using mTLS without sidecars), the
    // minimum TLS version for clients may also be TLS 1.2.
    // In the current Istio implementation, the maximum TLS protocol version
    // is TLS 1.3.
    TLSProtocol min_protocol_version = 1;
    //
    // Optional: If specified, the TLS connection will only support the specified ECDH curves for the DH key exchange.
    // If not specified, the default curves enforced by Envoy will be used. For details about the default curves, refer to
    // [Ecdh Curves](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/transport_sockets/tls/v3/common.proto).
    repeated string ecdh_curves = 2;
    //
    // Optional: If specified, the TLS connection will only support the specified cipher list when negotiating TLS 1.0-1.2.
    // If not specified, the following cipher suites will be used:
    // ```
    // ECDHE-ECDSA-AES256-GCM-SHA384
    // ECDHE-RSA-AES256-GCM-SHA384
    // ECDHE-ECDSA-AES128-GCM-SHA256
    // ECDHE-RSA-AES128-GCM-SHA256
    // AES256-GCM-SHA384
    // AES128-GCM-SHA256
    // ```
    repeated string cipher_suites = 3;
  }

  // The below configuration parameters can be used to specify TLSConfig for mesh traffic.
  // For example, a user could enable min TLS version for ISTIO_MUTUAL traffic and specify a curve for non ISTIO_MUTUAL traffic like below:
  // ```yaml
  // meshConfig:
  //   meshMTLS:
  //     minProtocolVersion: TLSV1_3
  //   tlsDefaults:
  //     Note: applicable only for non ISTIO_MUTUAL scenarios
  //     ecdhCurves:
  //       - P-256
  //       - P-512
  // ```
  // Configuration of mTLS for traffic between workloads with ISTIO_MUTUAL TLS traffic.
  //
  // Note: Mesh mTLS does not respect ECDH curves.
  TLSConfig mesh_mTLS = 63;
  //
  // Configuration of TLS for all traffic except for ISTIO_MUTUAL mode.
  // Currently, this supports configuration of ecdhCurves and cipherSuites only.
  // For ISTIO_MUTUAL TLS settings, use meshMTLS configuration.
  TLSConfig tls_defaults = 64;

  // $hide_from_docs
  // Next available field number: 67
  reserved 1;
  reserved "mixer_check_server";
  reserved 2;
  reserved "mixer_report_server";
  reserved 3;
  reserved "disable_policy_checks";
  reserved 48;
  reserved "disable_mixer_http_reports";
  reserved 25;
  reserved "policy_check_fail_open";
  reserved 30;
  reserved "sidecar_to_telemetry_session_affinity";
  reserved 10;
  reserved "auth_policy";
  reserved 11;
  reserved "rds_refresh_delay";
  reserved 15;
  reserved 16;
  reserved "mixer_address";
  reserved 18;
  reserved 19;
  reserved "enable_client_side_policy_check";
  reserved 20;
  reserved "sds_uds_path";
  reserved 21;
  reserved "sds_refresh_delay";
  reserved 23;
  reserved "enable_sds_token_mount";
  reserved 29;
  reserved "sds_use_k8s_sa_jwt";
  reserved 53;
  reserved "termination_drain_duration";
  reserved 37;
  reserved "disable_report_batch";
  reserved 38;
  reserved "report_batch_max_entries";
  reserved 39;
  reserved "report_batch_max_time";
}

// Resource describes the source of configuration
 enum Resource {
   // Set to only receive service entries that are generated by the platform.
   // These auto generated service entries are combination of services and endpoints
   // that are generated by a specific platform e.g. k8
   SERVICE_REGISTRY = 0;
 }


// A label selector requirement is a selector that contains values, a key, and an operator that
// relates the key and values.
// Copied from Kubernetes to avoid expensive dependency on Kubernetes libraries.
message LabelSelector {
  // matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
  // map is equivalent to an element of matchExpressions, whose key field is "key", the
  // operator is "In", and the values array contains only "value". The requirements are ANDed.
  // +optional
  map<string, string> matchLabels = 1;

  // matchExpressions is a list of label selector requirements. The requirements are ANDed.
  // +optional
  repeated LabelSelectorRequirement matchExpressions = 2;
}

// A label selector requirement is a selector that contains values, a key, and an operator that
// relates the key and values.
// Copied from Kubernetes to avoid expensive dependency on Kubernetes libraries.
message LabelSelectorRequirement {
  // key is the label key that the selector applies to.
  // +patchMergeKey=key
  // +patchStrategy=merge
  string key = 1;

  // operator represents a key's relationship to a set of values.
  // Valid operators are In, NotIn, Exists and DoesNotExist.
  string operator = 2;

  // values is an array of string values. If the operator is In or NotIn,
  // the values array must be non-empty. If the operator is Exists or DoesNotExist,
  // the values array must be empty. This array is replaced during a strategic
  // merge patch.
  // +optional
  repeated string values = 3;
}

// ConfigSource describes information about a configuration store inside a
// mesh. A single control plane instance can interact with one or more data
// sources.
message ConfigSource {
 // Address of the server implementing the Istio Mesh Configuration
 // protocol (MCP). Can be IP address or a fully qualified DNS name.
 // Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or
 // fs:/// to specify a file-based backend with absolute path to the directory.
 string address = 1;
 // Use the tlsSettings to specify the tls mode to use. If the MCP server
 // uses Istio mutual TLS and shares the root CA with istiod, specify the TLS
 // mode as `ISTIO_MUTUAL`.
 istio.networking.v1alpha3.ClientTLSSettings tls_settings = 2;
 // Describes the source of configuration, if nothing is specified default is MCP
 repeated Resource subscribed_resources = 3;
}


// $hide_from_docs
// Certificate configures the provision of a certificate and its key.
// Example 1: key and cert stored in a secret
// ```
// { secretName: galley-cert
//   secretNamespace: istio-system
//   dnsNames:
//     - galley.istio-system.svc
//     - galley.mydomain.com
// }
// ```
// Example 2: key and cert stored in a directory
// ```
// { dnsNames:
//     - pilot.istio-system
//     - pilot.istio-system.svc
//     - pilot.mydomain.com
// }
// ```
message Certificate {
  // Name of the secret the certificate and its key will be stored into.
  // If it is empty, it will not be stored into a secret.
  // Instead, the certificate and its key will be stored into a hard-coded directory.
  string secret_name = 1;
  // The DNS names for the certificate. A certificate may contain
  // multiple DNS names.
  repeated string dns_names = 2;
}