Envoy Proxy xDS Discovery API

The Envoy xDS (x Discovery Service) REST API provides endpoints for dynamically discovering and configuring Envoy proxy resources including clusters (CDS), listeners (LDS), routes (RDS), endpoints (EDS), secrets (SDS), and runtime configuration (RTDS). The xDS protocol is the foundation of Envoy's dynamic configuration model, enabling control planes to push configuration updates to Envoy instances without requiring restarts.

OpenAPI Specification

envoy-proxy-xds-discovery-api-openapi.yml
openapi: 3.1.0
info:
  title: Envoy Proxy xDS Discovery API
  description: >-
    The Envoy xDS (x Discovery Service) REST API provides a set of endpoints
    for dynamically discovering and configuring Envoy proxy resources. The xDS
    protocol is the foundation of Envoy's dynamic configuration, enabling a
    control plane to push configuration updates for clusters (CDS), listeners
    (LDS), routes (RDS), and endpoints (EDS) to Envoy instances without
    requiring restarts. This OpenAPI specification covers the REST/JSON variant
    of the xDS API, which uses HTTP endpoints for resource discovery via the
    Aggregated Discovery Service (ADS) pattern or individual discovery service
    endpoints.
  version: 3.0.0
  contact:
    name: Envoy Proxy
    url: https://www.envoyproxy.io/
  license:
    name: Apache 2.0
    url: https://www.apache.org/licenses/LICENSE-2.0
servers:
  - url: http://localhost:18000
    description: Default xDS Management Server
paths:
  /v3/discovery:clusters:
    post:
      operationId: discoverClusters
      summary: Envoy Proxy Cluster Discovery Service (CDS)
      description: >-
        Fetches cluster configuration from the management server. The Cluster
        Discovery Service (CDS) returns a set of dynamically discovered upstream
        clusters that Envoy should route traffic to. Each cluster defines how
        Envoy connects to a group of upstream hosts including load balancing
        policy, connection limits, circuit breaking thresholds, and health
        checking configuration.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/DiscoveryRequest'
      responses:
        '200':
          description: Successful cluster discovery response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DiscoveryResponse'
      tags:
        - Cluster Discovery
  /v3/discovery:listeners:
    post:
      operationId: discoverListeners
      summary: Envoy Proxy Listener Discovery Service (LDS)
      description: >-
        Fetches listener configuration from the management server. The Listener
        Discovery Service (LDS) returns a set of listeners that Envoy should
        configure to accept downstream connections. Each listener defines the
        address and port to bind to, filter chains for processing connections,
        and associated TLS context for secure connections.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/DiscoveryRequest'
      responses:
        '200':
          description: Successful listener discovery response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DiscoveryResponse'
      tags:
        - Listener Discovery
  /v3/discovery:routes:
    post:
      operationId: discoverRoutes
      summary: Envoy Proxy Route Discovery Service (RDS)
      description: >-
        Fetches route configuration from the management server. The Route
        Discovery Service (RDS) returns route configuration that maps incoming
        requests to specific upstream clusters based on request attributes such
        as path, headers, and query parameters. Route configurations define
        virtual hosts, route matching rules, and traffic management policies
        including retries, timeouts, and rate limiting.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/DiscoveryRequest'
      responses:
        '200':
          description: Successful route discovery response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DiscoveryResponse'
      tags:
        - Route Discovery
  /v3/discovery:endpoints:
    post:
      operationId: discoverEndpoints
      summary: Envoy Proxy Endpoint Discovery Service (EDS)
      description: >-
        Fetches endpoint configuration from the management server. The Endpoint
        Discovery Service (EDS) returns a set of endpoint assignments for each
        cluster, specifying the network addresses of upstream hosts along with
        load balancing weights, health status, and locality information used for
        zone-aware routing.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/DiscoveryRequest'
      responses:
        '200':
          description: Successful endpoint discovery response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DiscoveryResponse'
      tags:
        - Endpoint Discovery
  /v3/discovery:secrets:
    post:
      operationId: discoverSecrets
      summary: Envoy Proxy Secret Discovery Service (SDS)
      description: >-
        Fetches secret configuration from the management server. The Secret
        Discovery Service (SDS) returns TLS certificates, private keys, and
        trusted CA certificates that Envoy uses for TLS handshakes. SDS enables
        dynamic rotation of certificates without requiring Envoy restarts.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/DiscoveryRequest'
      responses:
        '200':
          description: Successful secret discovery response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DiscoveryResponse'
      tags:
        - Secret Discovery
  /v3/discovery:runtime:
    post:
      operationId: discoverRuntime
      summary: Envoy Proxy Runtime Discovery Service (RTDS)
      description: >-
        Fetches runtime configuration layers from the management server. The
        Runtime Discovery Service (RTDS) allows dynamic updates to runtime
        feature flags and settings without requiring Envoy restarts or
        redeployments.
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/DiscoveryRequest'
      responses:
        '200':
          description: Successful runtime discovery response.
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/DiscoveryResponse'
      tags:
        - Runtime Discovery
components:
  schemas:
    DiscoveryRequest:
      type: object
      description: >-
        A request from an Envoy instance to the management server for xDS
        resources. Contains the node identity, requested resource names, the
        type URL of the resource being requested, and version information for
        ACK/NACK semantics.
      properties:
        version_info:
          type: string
          description: >-
            The version of the resources being requested. On the first request
            this is empty. On subsequent requests it is the version from the
            most recent successfully applied DiscoveryResponse, so a NACK
            repeats the last accepted version.
        node:
          $ref: '#/components/schemas/Node'
        resource_names:
          type: array
          items:
            type: string
          description: >-
            List of resource names to subscribe to. For LDS and CDS, this is
            typically empty to receive all resources. For RDS and EDS, this
            contains the specific route configuration or cluster names.
        type_url:
          type: string
          description: >-
            The type URL of the resource being requested, such as
            type.googleapis.com/envoy.config.cluster.v3.Cluster.
        response_nonce:
          type: string
          description: >-
            The nonce of the DiscoveryResponse that this request ACKs or NACKs.
            Empty on the first request. Used to pair requests with responses.
        error_detail:
          type: object
          description: >-
            Error details when the previous DiscoveryResponse could not be
            applied. Populated when NACKing a configuration update.
          properties:
            code:
              type: integer
              description: gRPC status code.
            message:
              type: string
              description: Error message describing the rejection reason.
    DiscoveryResponse:
      type: object
      description: >-
        A response from the management server containing xDS resources. The
        resources are encoded as protobuf Any messages and identified by their
        type URL.
      properties:
        version_info:
          type: string
          description: >-
            The version of the response data, used for ACK/NACK and
            request-response pairing.
        resources:
          type: array
          items:
            type: object
            properties:
              '@type':
                type: string
                description: The type URL identifying the resource type.
            additionalProperties: true
          description: The xDS resources being returned.
        type_url:
          type: string
          description: The type URL of the resources in this response.
        nonce:
          type: string
          description: >-
            A nonce that must be provided in the next DiscoveryRequest to ACK or
            NACK this response.
        control_plane:
          type: object
          description: The control plane instance that sent the response.
          properties:
            identifier:
              type: string
              description: An opaque identifier for the control plane.
    Node:
      type: object
      description: >-
        Identifies the Envoy instance making a discovery request. Contains
        metadata about the proxy node including its identity, cluster
        membership, locality, and build version.
      properties:
        id:
          type: string
          description: >-
            An opaque node identifier for the Envoy instance. This must be set
            when using any of the xDS APIs.
        cluster:
          type: string
          description: >-
            The cluster that the Envoy instance belongs to. Defines the
            redundancy domain for the proxy.
        metadata:
          type: object
          additionalProperties: true
          description: >-
            Opaque metadata extending the node identifier. Used by the
            management server for filtering and configuration targeting.
        locality:
          type: object
          description: The locality the Envoy instance is running in.
          properties:
            region:
              type: string
              description: Region this proxy belongs to.
            zone:
              type: string
              description: Zone within the region.
            sub_zone:
              type: string
              description: Sub-zone within the zone.
        user_agent_name:
          type: string
          description: >-
            Free-form string that identifies the entity requesting config, e.g.
            envoy or grpc.
        user_agent_version:
          type: string
          description: Free-form string that identifies the version of the requesting entity.
tags:
  - name: Cluster Discovery
    description: >-
      Cluster Discovery Service (CDS) endpoints for dynamically discovering
      upstream clusters.
  - name: Endpoint Discovery
    description: >-
      Endpoint Discovery Service (EDS) endpoints for dynamically discovering
      cluster endpoints.
  - name: Listener Discovery
    description: >-
      Listener Discovery Service (LDS) endpoints for dynamically discovering
      listeners.
  - name: Route Discovery
    description: >-
      Route Discovery Service (RDS) endpoints for dynamically discovering
      route configurations.
  - name: Runtime Discovery
    description: >-
      Runtime Discovery Service (RTDS) endpoints for dynamically discovering
      runtime configuration layers.
  - name: Secret Discovery
    description: >-
      Secret Discovery Service (SDS) endpoints for dynamically discovering
      TLS certificates and keys.
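
Added example (not part of the specification above, and not Envoy's own code): a client-side sketch of the ACK/NACK exchange the DiscoveryRequest and DiscoveryResponse schemas describe, which checks a response before applying it and builds the follow-up request. The node values, the sample responses, and the use of gRPC code 3 (INVALID_ARGUMENT) for rejections are assumptions made for illustration.

```python
import json

CLUSTER_TYPE = "type.googleapis.com/envoy.config.cluster.v3.Cluster"
LISTENER_TYPE = "type.googleapis.com/envoy.config.listener.v3.Listener"
INVALID_ARGUMENT = 3  # gRPC status code this example uses when NACKing


def validate(response, expected_type_url):
    """Return a rejection reason, or None if the response may be applied."""
    if not response.get("nonce"):
        return "response carries no nonce"
    if response.get("type_url") != expected_type_url:
        return f"unexpected type_url {response.get('type_url')!r}"
    for i, res in enumerate(response.get("resources", [])):
        if res.get("@type") != expected_type_url:
            return f"resource {i} has @type {res.get('@type')!r}"
    return None


def next_request(node, accepted_version, response, expected_type_url):
    """Build the DiscoveryRequest that ACKs or NACKs `response`.

    Returns (request, version considered accepted afterwards)."""
    request = {
        "node": node,
        "type_url": expected_type_url,
        "resource_names": [],  # empty: receive all clusters
        "response_nonce": response.get("nonce", ""),
    }
    reason = validate(response, expected_type_url)
    if reason is None:  # ACK: echo the new version
        request["version_info"] = response.get("version_info", "")
        return request, request["version_info"]
    # NACK: keep the last accepted version and say why the update was refused
    request["version_info"] = accepted_version
    request["error_detail"] = {"code": INVALID_ARGUMENT, "message": reason}
    return request, accepted_version


# Constructed sample data, not captured from a real management server.
NODE = {"id": "sidecar-1", "cluster": "demo"}
GOOD = {"version_info": "1", "type_url": CLUSTER_TYPE, "nonce": "a",
        "resources": [{"@type": CLUSTER_TYPE, "name": "backend"}]}
BAD = {"version_info": "2", "type_url": CLUSTER_TYPE, "nonce": "b",
       "resources": [{"@type": LISTENER_TYPE, "name": "smuggled"}]}

if __name__ == "__main__":
    ack, version = next_request(NODE, "", GOOD, CLUSTER_TYPE)
    nack, version = next_request(NODE, version, BAD, CLUSTER_TYPE)
    print(json.dumps(nack, indent=2))
```

A management server that logs incoming `error_detail` fields gets a direct signal that a proxy refused an update, and the repeated `version_info` shows which configuration that proxy is still running.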