extensions: Add extensions metadata.yaml

CONTRIBUTING.md

@@ -259,6 +259,7 @@ API can be found [here](api/STYLE.md#adding-an-extension-configuration-to-the-ap
 Other changes will likely include
 
   * Editing [source/extensions/extensions_build_config.bzl](source/extensions/extensions_build_config.bzl) to include the new extensions
+  * Editing [source/extensions/extensions_metadata.yaml](source/extensions/extensions_metadata.yaml) to include metadata for the new extensions
   * Editing [docs/root/api-v3/config/config.rst](docs/root/api-v3/config/config.rst) to add area/area
   * Adding `docs/root/api-v3/config/area/area.rst` to add a table of contents for the API docs
   * Adding `source/extensions/area/well_known_names.h` for registered plugins

bazel/envoy_library.bzl

@@ -44,76 +44,6 @@ def envoy_basic_cc_library(name, deps = [], external_deps = [], **kargs):
         **kargs
     )
 
-# All Envoy extensions must be tagged with their security hardening stance with
-# respect to downstream and upstream data plane threats. These are verbose
-# labels intended to make clear the trust that operators may place in
-# extensions.
-EXTENSION_SECURITY_POSTURES = [
-    # This extension is hardened against untrusted downstream traffic. It
-    # assumes that the upstream is trusted.
-    "robust_to_untrusted_downstream",
-    # This extension is hardened against both untrusted downstream and upstream
-    # traffic.
-    "robust_to_untrusted_downstream_and_upstream",
-    # This extension is not hardened and should only be used in deployments
-    # where both the downstream and upstream are trusted.
-    "requires_trusted_downstream_and_upstream",
-    # This is functionally equivalent to
-    # requires_trusted_downstream_and_upstream, but acts as a placeholder to
-    # allow us to identify extensions that need classifying.
-    "unknown",
-    # Not relevant to data plane threats, e.g. stats sinks.
-    "data_plane_agnostic",
-]
-
-# Extension categories as defined by factories
-EXTENSION_CATEGORIES = [
-    "envoy.access_loggers",
-    "envoy.bootstrap",
-    "envoy.clusters",
-    "envoy.compression.compressor",
-    "envoy.compression.decompressor",
-    "envoy.filters.http",
-    "envoy.filters.http.cache",
-    "envoy.filters.listener",
-    "envoy.filters.network",
-    "envoy.filters.udp_listener",
-    "envoy.grpc_credentials",
-    "envoy.guarddog_actions",
-    "envoy.health_checkers",
-    "envoy.http.stateful_header_formatters",
-    "envoy.internal_redirect_predicates",
-    "envoy.io_socket",
-    "envoy.http.original_ip_detection",
-    "envoy.matching.common_inputs",
-    "envoy.matching.input_matchers",
-    "envoy.rate_limit_descriptors",
-    "envoy.request_id",
-    "envoy.resource_monitors",
-    "envoy.retry_host_predicates",
-    "envoy.retry_priorities",
-    "envoy.stats_sinks",
-    "envoy.thrift_proxy.filters",
-    "envoy.tracers",
-    "envoy.transport_sockets.downstream",
-    "envoy.transport_sockets.upstream",
-    "envoy.tls.cert_validator",
-    "envoy.upstreams",
-    "envoy.wasm.runtime",
-    "DELIBERATELY_OMITTED",
-]
-
-EXTENSION_STATUS_VALUES = [
-    # This extension is stable and is expected to be production usable.
-    "stable",
-    # This extension is functional but has not had substantial production burn
-    # time, use only with this caveat.
-    "alpha",
-    # This extension is work-in-progress. Functionality is incomplete and it is
-    # not intended for production use.
-    "wip",
-]
-
 def envoy_cc_extension(
         name,
         security_posture,
@@ -125,18 +55,6 @@ def envoy_cc_extension(
         extra_visibility = [],
         visibility = EXTENSION_CONFIG_VISIBILITY,
         **kwargs):
-    if not category:
-        fail("Category not set for %s" % name)
-    if type(category) == "string":
-        category = (category,)
-    for cat in category:
-        if cat not in EXTENSION_CATEGORIES:
-            fail("Unknown extension category for %s: %s" %
-                 (name, cat))
-    if security_posture not in EXTENSION_SECURITY_POSTURES:
-        fail("Unknown extension security posture: " + security_posture)
-    if status not in EXTENSION_STATUS_VALUES:
-        fail("Unknown extension status: " + status)
     if "//visibility:public" not in visibility:
         visibility = visibility + extra_visibility
 

docs/build.sh

@@ -77,6 +77,9 @@ BAZEL_BUILD_OPTIONS+=(
     "--action_env=ENVOY_BLOB_SHA"
     "--action_env=EXTENSION_DB_PATH")
 
+# TODO(phlax): move this to format_pre checks
+bazel run "${BAZEL_BUILD_OPTIONS[@]}" //tools/extensions:validate_extensions
+
 # Generate RST for the lists of trusted/untrusted extensions in
 # intro/arch_overview/security docs.
 bazel run "${BAZEL_BUILD_OPTIONS[@]}" //tools/extensions:generate_extension_rst

docs/requirements.txt

@@ -35,6 +35,7 @@ docutils==0.16 \
     #   -r docs/requirements.txt
     #   sphinx
     #   sphinx-rtd-theme
+    #   sphinx-tabs
 gitdb==4.0.7 \
     --hash=sha256:6c4cc71933456991da20917998acbe6cf4fb41eeaab7d6d67fbc05ecd4c865b0 \
     --hash=sha256:96bf5c08b157a666fec41129e6d327235284cca4c81e92109260f353ba138005
@@ -101,15 +102,16 @@ markupsafe==2.0.1 \
     # via
     #   -r docs/requirements.txt
     #   jinja2
+    #   sphinx
 packaging==20.9 \
     --hash=sha256:5b327ac1320dc863dca72f4514ecc086f31186744b84a230374cc1fd776feae5 \
     --hash=sha256:67714da7f7bc052e064859c05c595155bd1ee9f69f76557e21f051443c20947a
     # via
     #   -r docs/requirements.txt
     #   sphinx
 pygments==2.9.0 \
-    --hash=sha256:d66e804411278594d764fc69ec36ec13d9ae9147193a1740cd34d272ca383b8e \
-    --hash=sha256:a18f47b506a429f6f4b9df81bb02beab9ca21d0a5fee38ed15aef65f0545519f
+    --hash=sha256:a18f47b506a429f6f4b9df81bb02beab9ca21d0a5fee38ed15aef65f0545519f \
+    --hash=sha256:d66e804411278594d764fc69ec36ec13d9ae9147193a1740cd34d272ca383b8e
     # via
     #   -r docs/requirements.txt
     #   sphinx
@@ -126,15 +128,46 @@ pytz==2021.1 \
     # via
     #   -r docs/requirements.txt
     #   babel
+pyyaml==5.4.1 \
+    --hash=sha256:08682f6b72c722394747bddaf0aa62277e02557c0fd1c42cb853016a38f8dedf \
+    --hash=sha256:0f5f5786c0e09baddcd8b4b45f20a7b5d61a7e7e99846e3c799b05c7c53fa696 \
+    --hash=sha256:129def1b7c1bf22faffd67b8f3724645203b79d8f4cc81f674654d9902cb4393 \
+    --hash=sha256:294db365efa064d00b8d1ef65d8ea2c3426ac366c0c4368d930bf1c5fb497f77 \
+    --hash=sha256:3b2b1824fe7112845700f815ff6a489360226a5609b96ec2190a45e62a9fc922 \
+    --hash=sha256:3bd0e463264cf257d1ffd2e40223b197271046d09dadf73a0fe82b9c1fc385a5 \
+    --hash=sha256:4465124ef1b18d9ace298060f4eccc64b0850899ac4ac53294547536533800c8 \
+    --hash=sha256:49d4cdd9065b9b6e206d0595fee27a96b5dd22618e7520c33204a4a3239d5b10 \
+    --hash=sha256:4e0583d24c881e14342eaf4ec5fbc97f934b999a6828693a99157fde912540cc \
+    --hash=sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018 \
+    --hash=sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e \
+    --hash=sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253 \
+    --hash=sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347 \
+    --hash=sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183 \
+    --hash=sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541 \
+    --hash=sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb \
+    --hash=sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185 \
+    --hash=sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc \
+    --hash=sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db \
+    --hash=sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa \
+    --hash=sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46 \
+    --hash=sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122 \
+    --hash=sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b \
+    --hash=sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63 \
+    --hash=sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df \
+    --hash=sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc \
+    --hash=sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247 \
+    --hash=sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6 \
+    --hash=sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0
+    # via -r docs/requirements.txt
 requests==2.25.1 \
     --hash=sha256:27973dd4a904a4f13b263a19c866c13b92a39ed1c964655f025f3f8d3d75b804 \
     --hash=sha256:c210084e36a42ae6b9219e00e48287def368a26d03a048ddad7bfee44f75871e
     # via
     #   -r docs/requirements.txt
     #   sphinx
 six==1.16.0 \
-    --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254 \
-    --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926
+    --hash=sha256:1e61c37477a1626458e36f7b1d82aa5c9b094fa4802892072e49de9c60c4c926 \
+    --hash=sha256:8abb2f1d86890a2dfb989f9a77cfcfd3e47c2a354b01111771326f8aa26e0254
     # via
     #   -r docs/requirements.txt
     #   sphinxcontrib-httpdomain

source/extensions/BUILD

@@ -1 +1,5 @@
 licenses(["notice"])  # Apache 2
+
+exports_files([
+    "extensions_metadata.yaml",
+])