gRPC services (proto)
config.core.v3.GrpcService
[config.core.v3.GrpcService proto]
gRPC service configuration. This is used by ApiConfigSource and filter configurations.
{
"envoy_grpc": {...},
"google_grpc": {...},
"timeout": {...},
"initial_metadata": [],
"retry_policy": {...}
}
- envoy_grpc
(config.core.v3.GrpcService.EnvoyGrpc) Envoy’s in-built gRPC client. See the gRPC services overview documentation for discussion on gRPC client selection.
Precisely one of envoy_grpc, google_grpc must be set.
- google_grpc
(config.core.v3.GrpcService.GoogleGrpc) Google C++ gRPC client See the gRPC services overview documentation for discussion on gRPC client selection.
Precisely one of envoy_grpc, google_grpc must be set.
- timeout
(Duration) The timeout for the gRPC request. This is the timeout for a specific request.
- initial_metadata
(repeated config.core.v3.HeaderValue) Additional metadata to include in streams initiated to the GrpcService. This can be used for scenarios in which additional ad hoc authorization headers (e.g.
x-foo-bar: baz-key
) are to be injected. For more information, including details on header value syntax, see the documentation on custom request headers.
- retry_policy
(config.core.v3.RetryPolicy) Optional default retry policy for streams toward the service. If an async stream doesn’t have retry policy configured in its stream options, this retry policy is used.
config.core.v3.GrpcService.EnvoyGrpc
[config.core.v3.GrpcService.EnvoyGrpc proto]
{
"cluster_name": ...,
"authority": ...,
"retry_policy": {...},
"max_receive_message_length": {...}
}
- cluster_name
(string, REQUIRED) The name of the upstream gRPC cluster. SSL credentials will be supplied in the Cluster transport_socket.
- authority
(string) The
:authority
header in the grpc request. If this field is not set, the authority header value will becluster_name
. Note that this authority does not override the SNI. The SNI is provided by the transport socket of the cluster.
- retry_policy
(config.core.v3.RetryPolicy) Indicates the retry policy for re-establishing the gRPC stream This field is optional. If max interval is not provided, it will be set to ten times the provided base interval. Currently only supported for xDS gRPC streams. If not set, xDS gRPC streams default base interval:500ms, maximum interval:30s will be applied.
- max_receive_message_length
(UInt32Value) Maximum gRPC message size that is allowed to be received. If a message over this limit is received, the gRPC stream is terminated with the RESOURCE_EXHAUSTED error. This limit is applied to individual messages in the streaming response and not the total size of streaming response. Defaults to 0, which means unlimited.
config.core.v3.GrpcService.GoogleGrpc
[config.core.v3.GrpcService.GoogleGrpc proto]
{
"target_uri": ...,
"channel_credentials": {...},
"call_credentials": [],
"stat_prefix": ...,
"credentials_factory_name": ...,
"config": {...},
"per_stream_buffer_limit_bytes": {...},
"channel_args": {...}
}
- target_uri
(string, REQUIRED) The target URI when using the Google C++ gRPC client. SSL credentials will be supplied in channel_credentials.
- channel_credentials
- call_credentials
(repeated config.core.v3.GrpcService.GoogleGrpc.CallCredentials) A set of call credentials that can be composed with channel credentials.
- stat_prefix
(string, REQUIRED) The human readable prefix to use when emitting statistics for the gRPC service.
Name
Type
Description
streams_total
Counter
Total number of streams opened
streams_closed_<gRPC status code>
Counter
Total streams closed with <gRPC status code>
- credentials_factory_name
(string) The name of the Google gRPC credentials factory to use. This must have been registered with Envoy. If this is empty, a default credentials factory will be used that sets up channel credentials based on other configuration parameters.
- config
(Struct) Additional configuration for site-specific customizations of the Google gRPC library.
- per_stream_buffer_limit_bytes
(UInt32Value) How many bytes each stream can buffer internally. If not set an implementation defined default is applied (1MiB).
- channel_args
(config.core.v3.GrpcService.GoogleGrpc.ChannelArgs) Custom channels args.
config.core.v3.GrpcService.GoogleGrpc.SslCredentials
[config.core.v3.GrpcService.GoogleGrpc.SslCredentials proto]
See https://grpc.io/grpc/cpp/structgrpc_1_1_ssl_credentials_options.html.
{
"root_certs": {...},
"private_key": {...},
"cert_chain": {...}
}
- root_certs
(config.core.v3.DataSource) PEM encoded server root certificates.
- private_key
(config.core.v3.DataSource) PEM encoded client private key.
- cert_chain
(config.core.v3.DataSource) PEM encoded client certificate chain.
config.core.v3.GrpcService.GoogleGrpc.GoogleLocalCredentials
[config.core.v3.GrpcService.GoogleGrpc.GoogleLocalCredentials proto]
Local channel credentials. Only UDS is supported for now. See https://github.com/grpc/grpc/pull/15909.
config.core.v3.GrpcService.GoogleGrpc.ChannelCredentials
[config.core.v3.GrpcService.GoogleGrpc.ChannelCredentials proto]
See https://grpc.io/docs/guides/auth.html#credential-types to understand Channel and Call credential types.
{
"ssl_credentials": {...},
"google_default": {...},
"local_credentials": {...}
}
- ssl_credentials
(config.core.v3.GrpcService.GoogleGrpc.SslCredentials)
Precisely one of ssl_credentials, google_default, local_credentials must be set.
- google_default
(Empty) https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61
Precisely one of ssl_credentials, google_default, local_credentials must be set.
- local_credentials
(config.core.v3.GrpcService.GoogleGrpc.GoogleLocalCredentials)
Precisely one of ssl_credentials, google_default, local_credentials must be set.
config.core.v3.GrpcService.GoogleGrpc.CallCredentials
[config.core.v3.GrpcService.GoogleGrpc.CallCredentials proto]
{
"access_token": ...,
"google_compute_engine": {...},
"google_refresh_token": ...,
"service_account_jwt_access": {...},
"google_iam": {...},
"from_plugin": {...},
"sts_service": {...}
}
- access_token
(string) Access token credentials. https://grpc.io/grpc/cpp/namespacegrpc.html#ad3a80da696ffdaea943f0f858d7a360d.
Precisely one of access_token, google_compute_engine, google_refresh_token, service_account_jwt_access, google_iam, from_plugin, sts_service must be set.
- google_compute_engine
(Empty) Google Compute Engine credentials. https://grpc.io/grpc/cpp/namespacegrpc.html#a6beb3ac70ff94bd2ebbd89b8f21d1f61
Precisely one of access_token, google_compute_engine, google_refresh_token, service_account_jwt_access, google_iam, from_plugin, sts_service must be set.
- google_refresh_token
(string) Google refresh token credentials. https://grpc.io/grpc/cpp/namespacegrpc.html#a96901c997b91bc6513b08491e0dca37c.
Precisely one of access_token, google_compute_engine, google_refresh_token, service_account_jwt_access, google_iam, from_plugin, sts_service must be set.
- service_account_jwt_access
(config.core.v3.GrpcService.GoogleGrpc.CallCredentials.ServiceAccountJWTAccessCredentials) Service Account JWT Access credentials. https://grpc.io/grpc/cpp/namespacegrpc.html#a92a9f959d6102461f66ee973d8e9d3aa.
Precisely one of access_token, google_compute_engine, google_refresh_token, service_account_jwt_access, google_iam, from_plugin, sts_service must be set.
- google_iam
(config.core.v3.GrpcService.GoogleGrpc.CallCredentials.GoogleIAMCredentials) Google IAM credentials. https://grpc.io/grpc/cpp/namespacegrpc.html#a9fc1fc101b41e680d47028166e76f9d0.
Precisely one of access_token, google_compute_engine, google_refresh_token, service_account_jwt_access, google_iam, from_plugin, sts_service must be set.
- from_plugin
(config.core.v3.GrpcService.GoogleGrpc.CallCredentials.MetadataCredentialsFromPlugin) Custom authenticator credentials. https://grpc.io/grpc/cpp/namespacegrpc.html#a823c6a4b19ffc71fb33e90154ee2ad07. https://grpc.io/docs/guides/auth.html#extending-grpc-to-support-other-authentication-mechanisms.
Precisely one of access_token, google_compute_engine, google_refresh_token, service_account_jwt_access, google_iam, from_plugin, sts_service must be set.
- sts_service
(config.core.v3.GrpcService.GoogleGrpc.CallCredentials.StsService) Custom security token service which implements OAuth 2.0 token exchange. https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 See https://github.com/grpc/grpc/pull/19587.
Precisely one of access_token, google_compute_engine, google_refresh_token, service_account_jwt_access, google_iam, from_plugin, sts_service must be set.
config.core.v3.GrpcService.GoogleGrpc.CallCredentials.ServiceAccountJWTAccessCredentials
[config.core.v3.GrpcService.GoogleGrpc.CallCredentials.ServiceAccountJWTAccessCredentials proto]
{
"json_key": ...,
"token_lifetime_seconds": ...
}
- json_key
(string)
- token_lifetime_seconds
(uint64)
config.core.v3.GrpcService.GoogleGrpc.CallCredentials.GoogleIAMCredentials
[config.core.v3.GrpcService.GoogleGrpc.CallCredentials.GoogleIAMCredentials proto]
{
"authorization_token": ...,
"authority_selector": ...
}
- authorization_token
(string)
- authority_selector
(string)
config.core.v3.GrpcService.GoogleGrpc.CallCredentials.MetadataCredentialsFromPlugin
[config.core.v3.GrpcService.GoogleGrpc.CallCredentials.MetadataCredentialsFromPlugin proto]
{
"name": ...,
"typed_config": {...}
}
- name
(string)
- typed_config
(Any)
Tip
This extension category has the following known extensions:
config.core.v3.GrpcService.GoogleGrpc.CallCredentials.StsService
[config.core.v3.GrpcService.GoogleGrpc.CallCredentials.StsService proto]
Security token service configuration that allows Google gRPC to fetch security token from an OAuth 2.0 authorization server. See https://tools.ietf.org/html/draft-ietf-oauth-token-exchange-16 and https://github.com/grpc/grpc/pull/19587.
{
"token_exchange_service_uri": ...,
"resource": ...,
"audience": ...,
"scope": ...,
"requested_token_type": ...,
"subject_token_path": ...,
"subject_token_type": ...,
"actor_token_path": ...,
"actor_token_type": ...
}
- token_exchange_service_uri
(string) URI of the token exchange service that handles token exchange requests.
- resource
(string) Location of the target service or resource where the client intends to use the requested security token.
- audience
(string) Logical name of the target service where the client intends to use the requested security token.
- scope
(string) The desired scope of the requested security token in the context of the service or resource where the token will be used.
- requested_token_type
(string) Type of the requested security token.
- subject_token_path
(string, REQUIRED) The path of subject token, a security token that represents the identity of the party on behalf of whom the request is being made.
- subject_token_type
(string, REQUIRED) Type of the subject token.
- actor_token_path
(string) The path of actor token, a security token that represents the identity of the acting party. The acting party is authorized to use the requested security token and act on behalf of the subject.
- actor_token_type
(string) Type of the actor token.
config.core.v3.GrpcService.GoogleGrpc.ChannelArgs
[config.core.v3.GrpcService.GoogleGrpc.ChannelArgs proto]
Channel arguments.
{
"args": {...}
}
- args
(repeated map<string, config.core.v3.GrpcService.GoogleGrpc.ChannelArgs.Value>) See grpc_types.h GRPC_ARG #defines for keys that work here.
config.core.v3.GrpcService.GoogleGrpc.ChannelArgs.Value
[config.core.v3.GrpcService.GoogleGrpc.ChannelArgs.Value proto]
{
"string_value": ...,
"int_value": ...
}
- string_value
(string) Pointer values are not supported, since they don’t make any sense when delivered via the API.
Precisely one of string_value, int_value must be set.
- int_value
(int64) Pointer values are not supported, since they don’t make any sense when delivered via the API.
Precisely one of string_value, int_value must be set.