Introduce the xds-api module (#6403)

Motivation:

Envoy utilizes pgv to validate the schema of a resource.
ref:
https://www.envoyproxy.io/docs/envoy/latest/configuration/operations/config_validation/config_validation

Given that upstream `libs.controlplane.api` doesn't support this, I
propose that we publish our own jar containing APIs along with
validators.
See jrhee17#43 for a sample run.

Going forward, this can be further developed so that we can add our own
annotations. This may be useful for marking which fields are supported
by Armeria - this can be further exposed to users via metrics/logs (in
case a control plane specifies fields not supported) and in the UI later
on.

Modifications:

- Workflows are added to periodically check if upstream envoy version is
updated
- `xds-apply-updates.yml`: Runs the update script and creates a pull
request
- `xds-compare-versions.yml`: Compares envoy versions with the current
version and determines whether an update is needed
- `xds-sync-apis.yml`: An umbrella task which invokes the above two
workflows periodically
- Scripts are added under `/xds-api/tools`
- `upstream-patch.sh`: Creates two worktrees corresponding to each envoy
version, and computes a patch. The patch is applied to the working
directory.
- `update-sha.sh`: Updates the sha of each version (envoy and
dependencies) and writes `API_SHAS` and `envoy_version` files. This has
been forked from upstream (which is also apache 2.0 licensed)
- `update-api.sh`: Updates the proto directory according to the
`API_SHAS` and `envoy_version` files. This has also been forked.
- Added dependencies to `pgv-java-stub` and `protoc-gen-validate`, each
of which generates validator files and applies validation at runtime.

Result:

- The `xds` module now relies on the `xds-api` module.

<!--
Visit this URL to learn more about how to write a pull request
description:

https://armeria.dev/community/developer-guide#how-to-write-pull-request-description
-->

Author: jrhee17

.github/workflows/xds-apply-updates.yml

@@ -0,0 +1,52 @@
+name: Apply xDS API updates from upstream
+
+permissions:
+  contents: read
+
+on:
+  workflow_call:
+    inputs:
+      target_version:
+        description: 'Envoy version to update to'
+        required: true
+        type: string
+
+jobs:
+  update-protobuf:
+    permissions:
+      contents: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Configure git
+        run: |
+          git config user.email "[email protected]"
+          git config user.name "Meri Kim"
+      - name: Run scripts
+        working-directory: ./xds-api/tools/
+        run: |
+          if ! ./upstream-patch.sh --target ${{ inputs.target_version }}; then
+            echo "❌ Automatic update failed due to conflicts."
+            echo ""
+            echo "To resolve manually:"
+            echo "1. Run locally: ./xds-api/tools/upstream-patch.sh --target ${{ inputs.target_version }}"
+            echo "2. Resolve any conflicts shown in the output"
+            echo "3. Commit and push the changes"
+            exit 1
+          fi
+      - name: Create Pull Request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          branch: update-protobuf-to-${{ inputs.target_version }}
+          base: main
+          author: Meri Kim <[email protected]>
+          committer: Meri Kim <[email protected]>
+          signoff: true
+          delete-branch: true
+          title: '[xds] Update protobuf definitions to ${{ inputs.target_version }}'
+          commit-message: |
+            [xds] Update protobuf definitions to ${{ inputs.target_version }}
+          body: |
+            This is an automatic PR created by github action workflow:
+            - Updated protobuf files

.github/workflows/xds-compare-versions.yml

@@ -0,0 +1,53 @@
+name: Compare upstream envoy versions
+
+permissions:
+  contents: read
+
+on:
+  workflow_call:
+    outputs:
+      target_version:
+        description: "Envoy version we need to update to"
+        value: ${{ jobs.compare-envoy-versions.outputs.target_version }}
+      should_update:
+        description: "Whether the apis should be updated"
+        value: ${{ jobs.compare-envoy-versions.outputs.should_update }}
+
+jobs:
+  compare-envoy-versions:
+    runs-on: ubuntu-latest
+    outputs:
+      target_version: ${{ steps.latest-envoy-version.outputs.version }}
+      should_update: ${{ steps.compare.outputs.should_update }}
+    steps:
+      - uses: actions/checkout@v4
+      - name: Fetch latest Envoy version
+        id: latest-envoy-version
+        run: |
+          version=$(curl -s https://api.github.com/repos/envoyproxy/envoy/releases/latest | jq -r '.tag_name')
+          echo "version=$version" >> $GITHUB_OUTPUT
+      - name: Read current Envoy version
+        id: current-envoy-version
+        run: |
+          version=$(cat ./xds-api/tools/envoy_release)
+          echo "version=$version" >> $GITHUB_OUTPUT
+      - name: Compare latest to current
+        id: compare
+        run: |
+          latest="${{ steps.latest-envoy-version.outputs.version }}"
+          current="${{ steps.current-envoy-version.outputs.version }}"
+
+          # Remove 'v' prefix if present
+          latest_clean=${latest#v}
+          current_clean=${current#v}
+
+          # Function to compare semantic versions
+          version_greater() {
+            printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1 | grep -q "^$2$"
+          }
+
+          if version_greater "$latest_clean" "$current_clean"; then
+            echo "should_update=true" >> $GITHUB_OUTPUT
+          else
+            echo "should_update=false" >> $GITHUB_OUTPUT
+          fi

.github/workflows/xds-sync-apis.yml

@@ -0,0 +1,23 @@
+name: Sync xDS APIs with upstream
+
+permissions:
+  contents: read
+
+on:
+  schedule:
+    # every day at 10
+    - cron:  '0 10 * * *'
+
+jobs:
+  envoy-versions:
+    uses: ./.github/workflows/xds-compare-versions.yml
+
+  call-update-protobuf:
+    permissions:
+      contents: write
+      pull-requests: write
+    needs: envoy-versions
+    if: ${{ needs.envoy-versions.outputs.should_update == 'true' }}
+    uses: ./.github/workflows/xds-apply-updates.yml
+    with:
+      target_version: ${{ needs.envoy-versions.outputs.target_version }}

dependencies.toml

@@ -109,6 +109,7 @@ opensaml = "3.4.6"
 osdetector = "1.7.3"
 # Used for kubernetes-chaos-tests
 picocli = "4.7.7"
+protoc-gen-validate = "1.2.1"
 proguard = "7.5.0"
 prometheus = "1.3.10"
 prometheus-legacy = "0.16.0"
@@ -344,9 +345,6 @@ version.ref = "checkstyle"
 module = "io.micrometer:context-propagation"
 version.ref = "context-propagation"
 
-[libraries.controlplane-api]
-module = "io.envoyproxy.controlplane:api"
-version.ref = "controlplane"
 [libraries.controlplane-cache]
 module = "io.envoyproxy.controlplane:cache"
 version.ref = "controlplane"
@@ -994,6 +992,13 @@ javadocs = "https://prometheus.github.io/client_java/"
 module = "io.prometheus:simpleclient_common"
 version.ref = "prometheus-legacy"
 
+[libraries.protoc-pgv-java-stub]
+module = "build.buf.protoc-gen-validate:pgv-java-stub"
+version.ref = "protoc-gen-validate"
+[libraries.protoc-gen-validate]
+module = "build.buf.protoc-gen-validate:protoc-gen-validate"
+version.ref = "protoc-gen-validate"
+
 [libraries.protobuf-java]
 module = "com.google.protobuf:protobuf-java"
 version.ref = "protobuf"

gradle/scripts/lib/java-rpc-proto.gradle

@@ -88,6 +88,16 @@ configure(projectsWithFlags('java')) {
                         }
                     }
                 }
+
+                def validateVersion = managedVersions['build.buf.protoc-gen-validate:protoc-gen-validate']
+                if (validateVersion != null) {
+                    plugins {
+                        javapgv {
+                            artifact = "build.buf.protoc-gen-validate:protoc-gen-validate:${validateVersion}"
+                        }
+                    }
+                }
+
                 generateProtoTasks {
                     all()*.plugins {
                         if (project.ext.hasFlag('scala-grpc_2.13') && managedVersions.containsKey('com.thesamet.scalapb:scalapb-runtime_2.13')) {
@@ -114,6 +124,11 @@ configure(projectsWithFlags('java')) {
                                 akkaGrpc {}
                             }
                         }
+                        if (project.ext.hasFlag('javapgv')) {
+                            javapgv {
+                                option "lang=java"
+                            }
+                        }
                     }
 
                     all().each { task ->

settings.gradle

@@ -197,6 +197,7 @@ includeWithFlags ':tomcat8',                             'java', 'publish', 'rel
 includeWithFlags ':tomcat9',                             'java', 'publish', 'relocate', 'no_aggregation'
 includeWithFlags ':tomcat10',                            'java11', 'publish', 'relocate'
 includeWithFlags ':xds',                                 'java', 'publish', 'relocate'
+includeWithFlags ':xds-api',                             'java', 'publish', 'relocate', 'javapgv'
 includeWithFlags ':zookeeper3',                          'java', 'publish', 'relocate', 'native'
 includeWithFlags ':saml',                                'java', 'publish', 'relocate', 'native'
 includeWithFlags ':bucket4j',                            'java', 'publish', 'relocate', 'native'

xds-api/build.gradle

@@ -0,0 +1,21 @@
+dependencies {
+    configurations.configureEach {
+        resolutionStrategy {
+            force "com.google.protobuf:protobuf-java:${libs.versions.protobuf.asProvider().get()}"
+        }
+    }
+
+    compileOnly libs.protobuf.java
+    compileOnly libs.protobuf.java.util
+    compileOnly project(":grpc")
+    compileOnly libs.protoc.gen.validate
+    compileOnly libs.protoc.pgv.java.stub
+
+    testImplementation libs.protobuf.java
+    testImplementation libs.protobuf.java.util
+    testImplementation libs.protoc.pgv.java.stub
+}
+
+tasks.withType(JavaCompile).configureEach {
+    options.forkOptions.memoryMaximumSize = '1g'
+}