Cherry-picked changes for release v0.11.0-rc.2 (#957)

fluxninja · Nov 21, 2022 · 9085743 · 9085743
2 parents 21a748c + b30672b
commit 9085743
Show file tree

Hide file tree

Showing 154 changed files with 6,752 additions and 3,667 deletions.
diff --git a/api/aperture/flowcontrol/check/v1/check.proto b/api/aperture/flowcontrol/check/v1/check.proto
@@ -12,7 +12,7 @@ service FlowControlService {
 
 // CheckRequest contains fields required to perform Check call.
 message CheckRequest {
-  string feature = 1;
+  string control_point = 1;
   map<string, string> labels = 2;
 }
 
@@ -38,7 +38,7 @@ message CheckResponse {
   // services that matched
   repeated string services = 4;
   // control_point of request
-  ControlPointInfo control_point_info = 5;
+  string control_point = 5;
   // flow label keys that were matched for this request.
   repeated string flow_label_keys = 6;
   // telemetry_flow_labels are labels for telemetry purpose. The keys in telemetry_flow_labels is subset of flow_label_keys.
@@ -55,19 +55,6 @@ message CheckResponse {
   repeated LimiterDecision limiter_decisions = 12;
 }
 
-message ControlPointInfo {
-  // Type contains fields that represent type of ControlPointInfo.
-  enum Type {
-    TYPE_UNKNOWN = 0;
-    TYPE_FEATURE = 1;
-    TYPE_INGRESS = 2;
-    TYPE_EGRESS = 3;
-  }
-
-  Type type = 1;
-  string feature = 2;
-}
-
 // ClassifierInfo describes details for each ClassifierInfo.
 message ClassifierInfo {
   // Error information.

diff --git a/api/aperture/policy/language/v1/classifier.proto b/api/aperture/policy/language/v1/classifier.proto
@@ -48,13 +48,12 @@ message Classifier {
 //
 // Flow classification rule extracts a value from request metadata.
 // More specifically, from `input`, which has the same spec as [Envoy's External Authorization Attribute Context][attribute-context].
-// See <https://play.openpolicyagent.org/p/gU7vcLkc70> for an example input.
+// See https://play.openpolicyagent.org/p/gU7vcLkc70 for an example input.
 // There are two ways to define a flow classification rule:
 // * Using a declarative extractor – suitable from simple cases, such as directly reading a value from header or a field from json body.
 // * Rego expression.
 //
 // Performance note: It's recommended to use declarative extractors where possible, as they may be slightly performant than Rego expressions.
-// [attribute-context](https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/attribute_context.proto)
 //
 // Example of Declarative JSON extractor:
 // ```yaml
@@ -64,7 +63,7 @@ message Classifier {
 //     pointer: /user/name
 // ```
 //
-// Example of Rego module which also disables propagation of a label:
+// Example of Rego module which also disables propagation by disabling telemetry:
 // ```yaml
 // rego:
 //   query: data.user_from_cookie.user
@@ -77,8 +76,9 @@ message Classifier {
 //     parts: split(session, '.')
 //     object: json.unmarshal(base64url.decode(parts[0]))
 //     user: object.user
-// propagate: false
+// telemetry: false
 // ```
+// [attribute-context]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/attribute_context.proto
 message Rule {
   // Raw rego rules are compiled 1:1 to rego queries
   //
@@ -109,12 +109,12 @@ message Rule {
     // High-level declarative extractor.
     Extractor extractor = 1;
 
-    // Rego module to extract a value from the rego module.
+    // Rego module to extract a value from.
     Rego rego = 2;
   } // @gotags: validate:"required"
 
   // Decides if the created flow label should be available as an attribute in OLAP telemetry and
-  // propagated in [baggage](/concepts/flow-control/flow-label.md#baggage))
+  // propagated in [baggage](/concepts/flow-control/flow-label.md#baggage)
   //
   // :::note
   // The flow label is always accessible in Aperture Policies regardless of this setting.
@@ -154,7 +154,7 @@ message Extractor {
     // ```yaml
     // from: request.http.headers.user-agent
     // ```
-    // [attribute-context]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/attribute_context.proto"
+    // [attribute-context]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/attribute_context.proto
     string from = 1;
 
     // Deserialize a json, and extract one of the fields.

diff --git a/api/aperture/policy/language/v1/fluxmeter.proto b/api/aperture/policy/language/v1/fluxmeter.proto
@@ -5,7 +5,8 @@ package aperture.policy.language.v1;
 import "aperture/policy/language/v1/selector.proto";
 import "protoc-gen-openapiv2/options/annotations.proto";
 
-// Flux Meter gathers metrics for the traffic that matches its selector
+// Flux Meter gathers metrics for the traffic that matches its selector.
+// The histogram created by Flux Meter measures the workload latency by default.
 //
 // :::info
 // See also [Flux Meter overview](/concepts/flow-control/flux-meter.md).
@@ -18,8 +19,7 @@ import "protoc-gen-openapiv2/options/annotations.proto";
 //   service_selector:
 //     service: myservice.mynamespace.svc.cluster.local
 //   flow_selector:
-//     control_point:
-//       traffic: ingress
+//     control_point: ingress
 // ```
 message FluxMeter {
   // StaticBuckets holds the static value of the buckets where latency histogram will be stored.
@@ -102,14 +102,7 @@ message FluxMeter {
     }]; // @gotags: validate:"gt=0"
   }
 
-  // What latency should we measure in the histogram created by this Flux Meter.
-  //
-  // * For traffic control points, fluxmeter will measure the duration of the
-  //   whole http transaction (including sending request and receiving
-  //   response).
-  // * For feature control points, fluxmeter will measure execution of the span
-  //   associated with particular feature. What contributes to the span's
-  //   duration is entirely up to the user code that uses Aperture SDK.
+  // The selection criteria for the traffic that will be measured.
   Selector selector = 1;
 
   // Latency histogram buckets (in ms) for this Flux Meter.

diff --git a/api/aperture/policy/language/v1/selector.proto b/api/aperture/policy/language/v1/selector.proto
@@ -5,7 +5,7 @@ package aperture.policy.language.v1;
 import "aperture/policy/language/v1/label_matcher.proto";
 import "protoc-gen-openapiv2/options/annotations.proto";
 
-// Describes which flow in which service a [dataplane
+// Describes which flow in which service a [flow control
 // component](/concepts/flow-control/flow-control.md#components) should apply
 // to
 //
@@ -27,7 +27,7 @@ message Selector {
   }]; // @gotags: validate:"required"
 }
 
-// Describes which service a [dataplane
+// Describes which service a [flow control
 // component](/concepts/flow-control/flow-control.md#components) should apply
 // to
 //
@@ -57,7 +57,7 @@ message ServiceSelector {
   string service = 2;
 }
 
-// Describes which flows a [dataplane
+// Describes which flows a [flow control
 // component](/concepts/flow-control/flow-control.md#components) should apply
 // to
 //
@@ -67,8 +67,7 @@ message ServiceSelector {
 //
 // Example:
 // ```yaml
-// control_point:
-//   traffic: ingress # Allowed values are `ingress` and `egress`.
+// control_point: ingress
 // label_matcher:
 //   match_labels:
 //     user_tier: gold
@@ -82,10 +81,11 @@ message ServiceSelector {
 //       regex: ^(?!.*Chrome).*Safari
 // ```
 message FlowSelector {
-  // Describes
-  // [control point](/concepts/flow-control/flow-control.md#control-point)
-  // within the entity where the policy should apply to.
-  ControlPoint control_point = 1 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
+  // [Control Point](/concepts/flow-control/flow-control.md#control-point)
+  // identifies the location of a Flow within a Service. For an SDK based insertion, a Control Point can represent a particular feature or execution
+  // block within a Service. In case of Service Mesh or Middleware insertion, a Control Point can identify ingress vs egress calls or distinct listeners
+  // or filter chains.
+  string control_point = 1 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
     extensions: {
       key: "x-go-validate"
       value: {string_value: "required"}
@@ -112,34 +112,3 @@ message FlowSelector {
   // :::
   LabelMatcher label_matcher = 2;
 }
-
-// Identifies control point within a service that the rule or policy should apply to.
-// Controlpoint is either a library feature name or one of ingress/egress traffic control point.
-message ControlPoint {
-  // @gotags: validate:"required"
-  oneof controlpoint {
-    // Name of Aperture SDK's feature.
-    // Feature corresponds to a block of code that can be "switched off" which usually is a "named opentelemetry's Span".
-    //
-    // Note: Flowcontrol only.
-    string feature = 1 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
-      extensions: {
-        key: "x-go-validate"
-        value: {string_value: "required"}
-      }
-    }]; //@gotags: validate:"required"
-
-    // Type of traffic service, either "ingress" or "egress".
-    // Apply the policy to the whole incoming/outgoing traffic of a service.
-    // Usually powered by integration with a proxy (like envoy) or a web framework.
-    //
-    // * Flowcontrol: Blockable atom here is a single HTTP-transaction.
-    // * Classification: Apply the classification rules to every incoming/outgoing request and attach the resulting flow labels to baggage and telemetry.
-    string traffic = 2 [(grpc.gateway.protoc_gen_openapiv2.options.openapiv2_field) = {
-      extensions: {
-        key: "x-go-validate"
-        value: {string_value: "required,oneof=ingress egress"}
-      }
-    }]; // @gotags: validate:"required,oneof=ingress egress"
-  }
-}
diff --git a/api/buf.lock b/api/buf.lock
@@ -20,7 +20,7 @@ deps:
   - remote: buf.build
     owner: grpc-ecosystem
     repository: grpc-gateway
-    commit: b96615cde70c403f8075c48e56178f88
+    commit: b98ae2f8ce63452e97e6bae65c5add1b
   - remote: buf.build
     owner: opencensus
     repository: opencensus