Sync Gloo APIs. Destination Branch: gloo-main

solo-io · Oct 11, 2024 · 515900e · 515900e
1 parent 9ee2b9d
commit 515900e
Show file tree

Hide file tree

Showing 10 changed files with 3,974 additions and 2,390 deletions.
diff --git a/api/gloo/enterprise.gloo/v1/auth_config.proto b/api/gloo/enterprise.gloo/v1/auth_config.proto
@@ -1071,6 +1071,10 @@ message AccessTokenValidation {
  // in the future we may add other types of scope validation (e.g. predicate matching)
  }
 
+ message ScopeList {
+ repeated string scope = 1;
+ }
+
  // Map of metadata key to claim. Ie:
  // dynamic_metadata_from_claims:
  // issuer: iss
@@ -1081,10 +1085,6 @@ message AccessTokenValidation {
  // The metadata will live in a namespace specified by the canonical name of the ext auth filter (in our case `envoy.filters.http.ext_authz`),
  // and the structure of the claim value will be preserved in the metadata struct.
  map<string, string> dynamic_metadata_from_claims = 7;
-
- message ScopeList {
- repeated string scope = 1;
- }
 }
 
 message OauthSecret {
@@ -1260,6 +1260,9 @@ message AerospikeApiKeyStorage {
  map<string, string> label_selector = 17;
 }
 
+// When no storage backend is specified, the default storage backend defined in the extauth server is used.
+message ServerDefaultApiKeyStorage{}
+
 message ApiKey {
  // The string value of the API key.
  string api_key = 2;
@@ -1874,9 +1877,20 @@ message ExtAuthConfig {
  string path=1;
  }
 
- // Configuration for front channel logout. This is used to log out the user from multiple apps/clients associated with one OpenId Provider (OP).
- // The path is registered with the OP and is called for each app/client that the user is logged into when the logout endpoint is called.
+  // Configuration for front channel logout. This is used to log out the user from multiple apps/clients associated with one OpenId Provider (OP).
+  // The path is registered with the OP and is called for each app/client that the user is logged into when the logout endpoint is called.
  FrontChannelLogout front_channel_logout = 28;
+
+
+ // Map of metadata key to claim. Ie:
+ // dynamic_metadata_from_claims:
+ // issuer: iss
+ // email: email
+ // When specified, the matching claims from the ID token will be emitted as dynamic metadata.
+ // Note that metadata keys must be unique, and the claim names must be alphanumeric and use `-` or `_` as separators.
+ // The metadata will live in a namespace specified by the canonical name of the ext auth filter (in our case `envoy.filters.http.ext_authz`),
+ // and the structure of the claim value will be preserved in the metadata struct.
+ map<string, string> dynamic_metadata_from_claims = 29;
  }
 
  message AccessTokenValidationConfig {
@@ -2005,6 +2019,17 @@ message ExtAuthConfig {
  message ScopeList {
  repeated string scope = 1;
  }
+
+ // Map of metadata key to claim. Ie:
+ // dynamic_metadata_from_claims:
+ // issuer: iss
+ // email: email
+ // When specified, the matching claims from the access token will be emitted as dynamic metadata.
+ // Note that metadata keys must be unique, and the claim names must be alphanumeric and use `-` or `_` as separators.
+ // Works when the access token is a JWT or when the access token is opaque, in which case the claims will refer to field in the response from the token introspection endpoint.
+ // The metadata will live in a namespace specified by the canonical name of the ext auth filter (in our case `envoy.filters.http.ext_authz`),
+ // and the structure of the claim value will be preserved in the metadata struct.
+ map<string, string> dynamic_metadata_from_claims = 7;
  }
 
  message PlainOAuth2Config {
@@ -2113,11 +2138,12 @@ message ExtAuthConfig {
  oneof storage_backend {
  K8sSecretApiKeyStorage k8s_secret_apikey_storage = 4;
  AerospikeApiKeyStorage aerospike_apikey_storage = 5;
+ ServerDefaultApiKeyStorage server_default_apikey_storage = 7;
  }
 
- // API key metadata may contain data is is invalid for a header, such as a newline. By default, this data will be validated
- // in the data plane and mitigated in a way that provides a consistent experience for the user and visibility for the operator.
- // This validation comes with a performance cost, and can be disabled by setting this field to `true`.
+  // API key metadata may contain data is is invalid for a header, such as a newline. By default, this data will be validated
+  // in the data plane and mitigated in a way that provides a consistent experience for the user and visibility for the operator.
+  // This validation comes with a performance cost, and can be disabled by setting this field to `true`.
  bool skip_metadata_validation = 6;
  }
 

diff --git a/api/gloo/gloo/v1/enterprise/options/ai/ai.proto b/api/gloo/gloo/v1/enterprise/options/ai/ai.proto
@@ -78,6 +78,7 @@ message SingleAuthToken {
 */
 message UpstreamSpec {
 
+ // Settings to configure a custom host to send the traffic to
  message CustomHost {
  // Custom host to send the traffic to
  string host = 1;
@@ -125,6 +126,25 @@ message UpstreamSpec {
  string api_version = 4;
  }
 
+ // Settings for the Gemini API
+ message Gemini {
+ // Auth Token to use for the Gemini API
+ // This token will be placed into the `key` header
+ oneof auth_token_source {
+ // Auth Token to use for the Gemini API
+ // This token will be placed into the `key` header
+ SingleAuthToken auth_token = 1;
+ // TODO: use oauth
+ }
+
+ // The model name to use
+ // This value can be found https://generativelanguage.googleapis.com/{version}/models/{model}:generateContent?key={api_key}
+ string model = 2;
+ // The version of the API to use
+ // This value can be found https://generativelanguage.googleapis.com/{api_version}/models/{model}:generateContent?key={api_key}
+ string api_version = 3;
+ }
+
  // Settings for the Mistral API
  message Mistral {
  // Auth Token to use for the Mistral API.
@@ -139,6 +159,7 @@ message UpstreamSpec {
  string model = 3;
  }
 
+ // Settings for the Anthropic API
  message Anthropic {
  // Auth Token to use for the Anthropic API.
  // This token will be placed into the `x-api-key` header
@@ -201,10 +222,14 @@ message UpstreamSpec {
  Anthropic anthropic = 3;
  // Azure OpenAI upstream
  AzureOpenAI azure_openai = 4;
+ // Gemini upstream
+ Gemini gemini = 5;
  }
  }
 
+ // Priority represents a single endpoint pool with a given priority
  message Priority {
+ // list of backends representing a single endpoint pool
  repeated Backend pool = 1;
  }
 
@@ -224,6 +249,8 @@ message UpstreamSpec {
  AzureOpenAI azure_openai = 4;
  // multi upstream
  MultiPool multi = 5;
+ // Gemini upstream
+ Gemini gemini = 6;
  }
 }
 
@@ -277,15 +304,17 @@ message RouteSettings {
  promptGuard:
  request:
  customResponseMessage: "Rejected due to inappropriate content"
- matches:
- - "credit card"
+ regex:
+ matches:
+ - "credit card"
  response:
- matches:
- # Mastercard
- - '(?:^|\D)(5[1-5][0-9]{2}(?:\ |\-|)[0-9]{4}(?:\ |\-|)[0-9]{4}(?:\ |\-|)[0-9]{4})(?:\D|$)'
+ regex:
+ matches:
+ # Mastercard
+ - '(?:^|\D)(5[1-5][0-9]{2}(?:\ |\-|)[0-9]{4}(?:\ |\-|)[0-9]{4}(?:\ |\-|)[0-9]{4})(?:\D|$)'
  ````
  */
- AIPromptGaurd prompt_guard = 2;
+ AIPromptGuard prompt_guard = 2;
 
  /*
  Retrieval Augmented Generation. https://research.ibm.com/blog/retrieval-augmented-generation-RAG
@@ -311,6 +340,7 @@ message RouteSettings {
  ```
  */
  RAG rag = 3;
+
  /*
  Semantic caching configuration
  Semantic caching allows you to cache previous model responses in order to provide
@@ -386,6 +416,8 @@ message Postgres {
 
 
 message Embedding {
+
+ // OpenAI embedding
  message OpenAI {
  oneof auth_token_source {
  SingleAuthToken auth_token = 1;
@@ -394,6 +426,7 @@ message Embedding {
  }
  }
 
+ // Azure OpenAI embedding
  message AzureOpenAI {
  oneof auth_token_source {
  // Auth Token to use for the OpenAI API
@@ -424,7 +457,10 @@ message Embedding {
  }
 }
 
+// Settings for the Semantic Caching feature
 message SemanticCache {
+
+ // Settings for the Redis database
  message Redis {
  // Connection string to the Redis database
  string connection_string = 1;
@@ -438,6 +474,7 @@ message SemanticCache {
  float score_threshold = 2;
  }
 
+ // Settings for the Weaviate database
  message Weaviate {
  // Connection string to the Weaviate database, scheme should NOT be included.
  // For example: weaviate.my-ns.svc.cluster.local
@@ -450,6 +487,7 @@ message SemanticCache {
  // Whether or not to use a secure connection, true by default
  bool insecure = 4;
  }
+
  // Data store from which to cache the request/response pairs
  message DataStore {
  oneof datastore {
@@ -473,6 +511,7 @@ message SemanticCache {
  Mode mode = 4;
 }
 
+// Settings for the Retrieval Augmented Generation feature
 message RAG {
  message DataStore {
  oneof datastore {
@@ -487,11 +526,7 @@ message RAG {
  string prompt_template = 3;
 }
 
-message RateLimiting {
- // List of rate_limit configs to apply
- repeated string rate_limit_configs = 1;
-}
-
+// Settings for the Prompt Enrichment feature
 message AIPromptEnrichment {
  message Message {
  // Role of the message.
@@ -508,39 +543,88 @@ message AIPromptEnrichment {
 
 }
 
-message AIPromptGaurd {
- message Request {
- // A list of Regex patterns to match against the prompt.
- // Each one will be checked against the prompt and if any match
- // the request will be rejected.
+// Settings for the Prompt Guard feature
+message AIPromptGuard {
+
+ // Regex settings for prompt guard
+ message Regex {
+ enum BuiltIn {
+ // Default REGEX for Social Security Numbers
+ SSN = 0;
+ // Default REGEX for Credit Card Numbers
+ CREDIT_CARD = 1;
+ }
+ // A list of Regex patterns to match against the response.
+ // All matches will be masked before being sent back to the client.
+ // matches and builtins are additive.
  repeated string matches = 1;
+ // A list of built-in regexes to mask in the response.
+ // matches and builtins are additive.
+ repeated BuiltIn builtins = 2;
+ }
+
+ // Webhook settings for prompt guard
+ message Webhook {
+ // Host to send the traffic to.
+ string host = 1;
+ // Port to send the traffic to
+ uint32 port = 2;
+ message HeaderMatch {
+ enum MatchType {
+ // Exact match
+ EXACT = 0;
+ // Prefix match
+ PREFIX = 1;
+ // Suffix match
+ SUFFIX = 2;
+ // Contains match
+ CONTAINS = 3;
+ // Regex match
+ REGEX = 4;
+ }
+ // Header key to match
+ string key = 1;
+ // Type of match to use
+ MatchType match_type = 2;
+ }
+ // Headers to forward with the request
+ repeated HeaderMatch headers = 3;
+ }
+
+
+ // Request settings for Prompt Guard
+ message Request {
+ message CustomResponse {
+ // Custom response message to send back to the client.
+ // If not specified, the following default message will be used:
+ // "The request was rejected due to inappropriate content"
+ string message = 1;
+
+ // Status code to send back to the client.
+ uint32 status_code = 2;
+ }
  // Custom response message to send back to the client.
  // If not specified, the following default message will be used:
  // "The request was rejected due to inappropriate content"
- string custom_response_message = 2;
+ CustomResponse custom_response = 1;
+
+ // Regex request guard
+ Regex regex = 2;
+
+ // Webhook request guard
+ Webhook webhook = 3;
  }
 
+ // Request settings for Prompt Guard
  message Response {
- enum BuiltIn {
- // Default REGEX for Social Security Numbers
- SSN = 0;
- // Default REGEX for Credit Card Numbers
- CREDIT_CARD = 1;
- // Default REGEX for Email Addresses
- EMAIL = 2;
- // Default REGEX for Phone Numbers
- PHONE_NUMBER = 3;
- }
- // A list of Regex patterns to match against the response.
- // All matches will be masked before being sent back to the client.
- // matches and builtins are additive.
- repeated string matches = 1;
- // A list of built-in regexes to mask in the response.
- // matches and builtins are additive.
- repeated BuiltIn builtins = 2;
+ // Regex response guard
+ Regex regex = 1;
+
+ // Webhook response guard
+ Webhook webhook = 2;
  }
  // Guards for the prompt request
- Request request = 2;
+ Request request = 1;
  // Guards for the LLM response
- Response response = 3;
+ Response response = 2;
 }