quiche: make quic proof source and crypto stream pluggable (#16658)

Commit Message: make quic proof source and crypto streams extensions. Add config for default ones. If not specified in config, the default ones will be used.

Risk Level: low
Testing: existing tests passed
Part of #2557
Co-authored-by: Dan Zhang <[email protected]>

CODEOWNERS

@@ -67,7 +67,7 @@ extensions/filters/common/original_src @snowp @klarose
 # postgres_proxy extension
 /*/extensions/filters/network/postgres_proxy @fabriziomello @cpakulski @dio
 # quic extension
-/*/extensions/quic_listeners/ @alyssawilk @danzh2010 @mattklein123 @mpwarres @wu-bin @ggreenway
+/*/extensions/quic/ @alyssawilk @danzh2010 @mattklein123 @mpwarres @wu-bin @ggreenway
 # zookeeper_proxy extension
 /*/extensions/filters/network/zookeeper_proxy @rgs1 @snowp
 # redis cluster extension

api/BUILD

@@ -54,7 +54,6 @@ proto_library(
         "//envoy/config/filter/http/rate_limit/v2:pkg",
         "//envoy/config/filter/http/rbac/v2:pkg",
         "//envoy/config/filter/http/router/v2:pkg",
-        "//envoy/config/filter/http/squash/v2:pkg",
         "//envoy/config/filter/http/tap/v2alpha:pkg",
         "//envoy/config/filter/http/transcoder/v2:pkg",
         "//envoy/config/filter/listener/http_inspector/v2:pkg",
@@ -256,6 +255,8 @@ proto_library(
         "//envoy/extensions/matching/common_inputs/environment_variable/v3:pkg",
         "//envoy/extensions/matching/input_matchers/consistent_hashing/v3:pkg",
         "//envoy/extensions/network/socket_interface/v3:pkg",
+        "//envoy/extensions/quic/crypto_stream/v3:pkg",
+        "//envoy/extensions/quic/proof_source/v3:pkg",
         "//envoy/extensions/rate_limit_descriptors/expr/v3:pkg",
         "//envoy/extensions/request_id/uuid/v3:pkg",
         "//envoy/extensions/resource_monitors/fixed_heap/v3:pkg",

api/envoy/config/listener/v3/quic_config.proto

@@ -3,6 +3,7 @@ syntax = "proto3";
 package envoy.config.listener.v3;
 
 import "envoy/config/core/v3/base.proto";
+import "envoy/config/core/v3/extension.proto";
 import "envoy/config/core/v3/protocol.proto";
 
 import "google/protobuf/duration.proto";
@@ -20,7 +21,7 @@ option (udpa.annotations.file_status).package_version_status = ACTIVE;
 // [#protodoc-title: QUIC listener config]
 
 // Configuration specific to the UDP QUIC listener.
-// [#next-free-field: 6]
+// [#next-free-field: 8]
 message QuicProtocolOptions {
   option (udpa.annotations.versioning).previous_message_type =
       "envoy.api.v2.listener.QuicProtocolOptions";
@@ -48,4 +49,14 @@ message QuicProtocolOptions {
   // bound by 6000, regardless of this field or how many connections there are.
   google.protobuf.UInt32Value packets_to_read_to_connection_count_ratio = 5
       [(validate.rules).uint32 = {gte: 1}];
+
+  // Configure which implementation of `quic::QuicCryptoClientStreamBase` to be used for this listener.
+  // If not specified the :ref:`QUICHE default one configured by <envoy_v3_api_msg_extensions.quic.crypto_stream.v3.CryptoServerStreamConfig>` will be used.
+  // [#extension-category: envoy.quic.server.crypto_stream]
+  core.v3.TypedExtensionConfig crypto_stream_config = 6;
+
+  // Configure which implementation of `quic::ProofSource` to be used for this listener.
+  // If not specified the :ref:`default one configured by <envoy_v3_api_msg_extensions.quic.proof_source.v3.ProofSourceConfig>` will be used.
+  // [#extension-category: envoy.quic.proof_source]
+  core.v3.TypedExtensionConfig proof_source_config = 7;
 }

api/envoy/extensions/quic/crypto_stream/v3/BUILD

@@ -0,0 +1,9 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = ["@com_github_cncf_udpa//udpa/annotations:pkg"],
+)

api/envoy/extensions/quic/crypto_stream/v3/crypto_stream.proto

@@ -0,0 +1,17 @@
+syntax = "proto3";
+
+package envoy.extensions.quic.crypto_stream.v3;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.quic.crypto_stream.v3";
+option java_outer_classname = "CryptoStreamProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: QUIC server crypto stream config]
+// [#extension: envoy.quic.crypto_stream.server.quiche]
+
+// Configuration for the default QUIC server crypto stream provided by QUICHE.
+message CryptoServerStreamConfig {
+}

api/envoy/extensions/quic/proof_source/v3/BUILD

@@ -0,0 +1,9 @@
+# DO NOT EDIT. This file is generated by tools/proto_format/proto_sync.py.
+
+load("@envoy_api//bazel:api_build_system.bzl", "api_proto_package")
+
+licenses(["notice"])  # Apache 2
+
+api_proto_package(
+    deps = ["@com_github_cncf_udpa//udpa/annotations:pkg"],
+)

api/envoy/extensions/quic/proof_source/v3/proof_source.proto

@@ -0,0 +1,17 @@
+syntax = "proto3";
+
+package envoy.extensions.quic.proof_source.v3;
+
+import "udpa/annotations/status.proto";
+
+option java_package = "io.envoyproxy.envoy.extensions.quic.proof_source.v3";
+option java_outer_classname = "ProofSourceProto";
+option java_multiple_files = true;
+option (udpa.annotations.file_status).package_version_status = ACTIVE;
+
+// [#protodoc-title: QUIC proof source config]
+// [#extension: envoy.quic.proof_source.filter_chain]
+
+// Configuration for the default QUIC proof source.
+message ProofSourceConfig {
+}

api/versioning/BUILD

@@ -139,6 +139,8 @@ proto_library(
         "//envoy/extensions/matching/common_inputs/environment_variable/v3:pkg",
         "//envoy/extensions/matching/input_matchers/consistent_hashing/v3:pkg",
         "//envoy/extensions/network/socket_interface/v3:pkg",
+        "//envoy/extensions/quic/crypto_stream/v3:pkg",
+        "//envoy/extensions/quic/proof_source/v3:pkg",
         "//envoy/extensions/rate_limit_descriptors/expr/v3:pkg",
         "//envoy/extensions/request_id/uuid/v3:pkg",
         "//envoy/extensions/resource_monitors/fixed_heap/v3:pkg",

bazel/envoy_library.bzl

@@ -62,6 +62,7 @@ def envoy_cc_extension(
     )
     cc_library(
         name = ext_name,
+        tags = tags,
         deps = select({
             ":is_enabled": [":" + name],
             "//conditions:default": [],

bazel/external/quiche.BUILD

@@ -2031,6 +2031,7 @@ envoy_cc_library(
     external_deps = ["ssl"],
     repository = "@envoy",
     tags = ["nofips"],
+    visibility = ["//visibility:public"],
     deps = [
         ":quic_core_crypto_hkdf_lib",
         ":quic_core_data_lib",

docs/root/api-v3/config/config.rst

@@ -28,3 +28,4 @@ Extensions
   request_id/request_id
   http/header_formatters
   http/original_ip_detection
+  quic/quic_extensions

docs/root/api-v3/config/quic/quic_extensions.rst

@@ -0,0 +1,9 @@
+Quic Extensions
+=================
+
+.. toctree::
+  :glob:
+  :maxdepth: 2
+
+  ../../extensions/quic/crypto_stream/v3/*
+  ../../extensions/quic/proof_source/v3/*

generated_api_shadow/BUILD

@@ -54,7 +54,6 @@ proto_library(
         "//envoy/config/filter/http/rate_limit/v2:pkg",
         "//envoy/config/filter/http/rbac/v2:pkg",
         "//envoy/config/filter/http/router/v2:pkg",
-        "//envoy/config/filter/http/squash/v2:pkg",
         "//envoy/config/filter/http/tap/v2alpha:pkg",
         "//envoy/config/filter/http/transcoder/v2:pkg",
         "//envoy/config/filter/listener/http_inspector/v2:pkg",
@@ -256,6 +255,8 @@ proto_library(
         "//envoy/extensions/matching/common_inputs/environment_variable/v3:pkg",
         "//envoy/extensions/matching/input_matchers/consistent_hashing/v3:pkg",
         "//envoy/extensions/network/socket_interface/v3:pkg",
+        "//envoy/extensions/quic/crypto_stream/v3:pkg",
+        "//envoy/extensions/quic/proof_source/v3:pkg",
         "//envoy/extensions/rate_limit_descriptors/expr/v3:pkg",
         "//envoy/extensions/request_id/uuid/v3:pkg",
         "//envoy/extensions/resource_monitors/fixed_heap/v3:pkg",