diff --git a/envoy/config/filter/http/authn/v2alpha2/config.proto b/envoy/config/filter/http/authn/v2alpha2/config.proto
new file mode 100644
index 00000000000..cf78acdc8eb
--- /dev/null
+++ b/envoy/config/filter/http/authn/v2alpha2/config.proto
@@ -0,0 +1,50 @@
+// Copyright 2020 Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+syntax = "proto3";
+
+import "security/v1beta1/request_authentication.proto";
+import "security/v1beta1/peer_authentication.proto";
+
+// $title: Internal API for authentication implementation on Envoy.
+
+package istio.envoy.config.filter.http.authn.v2alpha2;
+
+
+option go_package = "istio.io/api/envoy/config/filter/http/authn/v2alpha2";
+
+// FilterConfig is the config for Istio-specific filter that is used to enforce
+// authentication policy on Envoy.
+message FilterConfig {
+ // Filter configuration for RequestAuthentication, which supports Jwt authentication.
+ istio.security.v1beta1.RequestAuthentication request_authentication = 1;
+
+ // Filter configuration for PeerAuthentication, which supports
+ // mTLS authentication for sidecar to sidecar workload.
+ istio.security.v1beta1.PeerAuthentication peer_authentication = 2;
+
+ // Map from issuer to location of the payload that is emitted by Jwt filter.
+ // This information is added by pilot when construct and add Jwt and
+ // authN filters.
+ map jwt_output_payload_locations = 3;
+
+ // Skips validating the peer's trust domain.
+ // By default, the istio authn filter will reject the request if the peer and
+ // the local service is not in the same trust domain.
+ // Set this field to true to skip the validation and allows peers from any
+ // trust domains.
+ // Note, the istio authn filter only validates the trust domain when mTLS is
+ // used, In other words, this field has no effect for plaintext traffic.
+ bool skip_validate_trust_domain = 4;
+}
diff --git a/python/istio_api/envoy/config/filter/http/authn/v2alpha2/config_pb2.py b/python/istio_api/envoy/config/filter/http/authn/v2alpha2/config_pb2.py
new file mode 100644
index 00000000000..e924bc112f5
--- /dev/null
+++ b/python/istio_api/envoy/config/filter/http/authn/v2alpha2/config_pb2.py
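Review bot: The comment on `skip_validate_trust_domain` describes the toggle mechanically but not its security consequence, so someone flipping it to fix a cross-trust-domain connectivity failure will not see that it removes an authentication check rather than relaxing a cosmetic one. I would add, directly above `bool skip_validate_trust_domain = 4;`: `// SECURITY: when true, an mTLS peer from ANY trust domain is accepted by this filter; if trust-domain restriction is still required it must be enforced elsewhere (e.g. by authorization policy), because nothing in this filter will do it.` The existing text also needs `allows peers` → `allow peers` and `used, In other words` → `used. In other words`. Separately, the `jwt_output_payload_locations` comment says "location of the payload" without saying what a location is — presumably a header or metadata key the Jwt filter writes the verified payload to — and the comment should name it, since the strings in this map are, as far as I can tell, what the authn filter uses to find that payload.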
@@ -0,0 +1,145 @@ +# -*- coding: utf-8 -*- +# Generated by the protocol buffer compiler. DO NOT EDIT! +# source: envoy/config/filter/http/authn/v2alpha2/config.proto + +import sys +_b=sys.version_info[0]<3 and (lambda x:x) or (lambda x:x.encode('latin1')) +from google.protobuf import descriptor as _descriptor +from google.protobuf import message as _message +from google.protobuf import reflection as _reflection +from google.protobuf import symbol_database as _symbol_database +# @@protoc_insertion_point(imports) + +_sym_db = _symbol_database.Default() + + +from security.v1beta1 import request_authentication_pb2 as security_dot_v1beta1_dot_request__authentication__pb2 +from security.v1beta1 import peer_authentication_pb2 as security_dot_v1beta1_dot_peer__authentication__pb2 + + +DESCRIPTOR = _descriptor.FileDescriptor( + name='envoy/config/filter/http/authn/v2alpha2/config.proto', + package='istio.envoy.config.filter.http.authn.v2alpha2', + syntax='proto3', + serialized_options=_b('Z4istio.io/api/envoy/config/filter/http/authn/v2alpha2'), + serialized_pb=_b('\n4envoy/config/filter/http/authn/v2alpha2/config.proto\x12-istio.envoy.config.filter.http.authn.v2alpha2\x1a-security/v1beta1/request_authentication.proto\x1a*security/v1beta1/peer_authentication.proto\"\x8f\x03\n\x0c\x46ilterConfig\x12M\n\x16request_authentication\x18\x01 \x01(\x0b\x32-.istio.security.v1beta1.RequestAuthentication\x12G\n\x13peer_authentication\x18\x02 \x01(\x0b\x32*.istio.security.v1beta1.PeerAuthentication\x12\x80\x01\n\x1cjwt_output_payload_locations\x18\x03 \x03(\x0b\x32Z.istio.envoy.config.filter.http.authn.v2alpha2.FilterConfig.JwtOutputPayloadLocationsEntry\x12\"\n\x1askip_validate_trust_domain\x18\x04 \x01(\x08\x1a@\n\x1eJwtOutputPayloadLocationsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\x42\x36Z4istio.io/api/envoy/config/filter/http/authn/v2alpha2b\x06proto3') + , + 
dependencies=[security_dot_v1beta1_dot_request__authentication__pb2.DESCRIPTOR,security_dot_v1beta1_dot_peer__authentication__pb2.DESCRIPTOR,]) + + + + +_FILTERCONFIG_JWTOUTPUTPAYLOADLOCATIONSENTRY = _descriptor.Descriptor( + name='JwtOutputPayloadLocationsEntry', + full_name='istio.envoy.config.filter.http.authn.v2alpha2.FilterConfig.JwtOutputPayloadLocationsEntry', + filename=None, + file=DESCRIPTOR, + containing_type=None, + fields=[ + _descriptor.FieldDescriptor( + name='key', full_name='istio.envoy.config.filter.http.authn.v2alpha2.FilterConfig.JwtOutputPayloadLocationsEntry.key', index=0, + number=1, type=9, cpp_type=9, label=1, + has_default_value=False, default_value=_b("").decode('utf-8'), + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + serialized_options=None, file=DESCRIPTOR), + _descriptor.FieldDescriptor( + name='value', full_name='istio.envoy.config.filter.http.authn.v2alpha2.FilterConfig.JwtOutputPayloadLocationsEntry.value', index=1, + number=2, type=9, cpp_type=9, label=1, + has_default_value=False, default_value=_b("").decode('utf-8'), + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + serialized_options=None, file=DESCRIPTOR), + ], + extensions=[ + ], + nested_types=[], + enum_types=[ + ], + serialized_options=_b('8\001'), + is_extendable=False, + syntax='proto3', + extension_ranges=[], + oneofs=[ + ], + serialized_start=530, + serialized_end=594, +) + +_FILTERCONFIG = _descriptor.Descriptor( + name='FilterConfig', + full_name='istio.envoy.config.filter.http.authn.v2alpha2.FilterConfig', + filename=None, + file=DESCRIPTOR, + containing_type=None, + fields=[ + _descriptor.FieldDescriptor( + name='request_authentication', full_name='istio.envoy.config.filter.http.authn.v2alpha2.FilterConfig.request_authentication', index=0, + number=1, type=11, cpp_type=10, label=1, + has_default_value=False, default_value=None, + message_type=None, 
enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + serialized_options=None, file=DESCRIPTOR), + _descriptor.FieldDescriptor( + name='peer_authentication', full_name='istio.envoy.config.filter.http.authn.v2alpha2.FilterConfig.peer_authentication', index=1, + number=2, type=11, cpp_type=10, label=1, + has_default_value=False, default_value=None, + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + serialized_options=None, file=DESCRIPTOR), + _descriptor.FieldDescriptor( + name='jwt_output_payload_locations', full_name='istio.envoy.config.filter.http.authn.v2alpha2.FilterConfig.jwt_output_payload_locations', index=2, + number=3, type=11, cpp_type=10, label=3, + has_default_value=False, default_value=[], + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + serialized_options=None, file=DESCRIPTOR), + _descriptor.FieldDescriptor( + name='skip_validate_trust_domain', full_name='istio.envoy.config.filter.http.authn.v2alpha2.FilterConfig.skip_validate_trust_domain', index=3, + number=4, type=8, cpp_type=7, label=1, + has_default_value=False, default_value=False, + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + serialized_options=None, file=DESCRIPTOR), + ], + extensions=[ + ], + nested_types=[_FILTERCONFIG_JWTOUTPUTPAYLOADLOCATIONSENTRY, ], + enum_types=[ + ], + serialized_options=None, + is_extendable=False, + syntax='proto3', + extension_ranges=[], + oneofs=[ + ], + serialized_start=195, + serialized_end=594, +) + +_FILTERCONFIG_JWTOUTPUTPAYLOADLOCATIONSENTRY.containing_type = _FILTERCONFIG +_FILTERCONFIG.fields_by_name['request_authentication'].message_type = security_dot_v1beta1_dot_request__authentication__pb2._REQUESTAUTHENTICATION +_FILTERCONFIG.fields_by_name['peer_authentication'].message_type = security_dot_v1beta1_dot_peer__authentication__pb2._PEERAUTHENTICATION 
+_FILTERCONFIG.fields_by_name['jwt_output_payload_locations'].message_type = _FILTERCONFIG_JWTOUTPUTPAYLOADLOCATIONSENTRY +DESCRIPTOR.message_types_by_name['FilterConfig'] = _FILTERCONFIG +_sym_db.RegisterFileDescriptor(DESCRIPTOR) + +FilterConfig = _reflection.GeneratedProtocolMessageType('FilterConfig', (_message.Message,), { + + 'JwtOutputPayloadLocationsEntry' : _reflection.GeneratedProtocolMessageType('JwtOutputPayloadLocationsEntry', (_message.Message,), { + 'DESCRIPTOR' : _FILTERCONFIG_JWTOUTPUTPAYLOADLOCATIONSENTRY, + '__module__' : 'envoy.config.filter.http.authn.v2alpha2.config_pb2' + # @@protoc_insertion_point(class_scope:istio.envoy.config.filter.http.authn.v2alpha2.FilterConfig.JwtOutputPayloadLocationsEntry) + }) + , + 'DESCRIPTOR' : _FILTERCONFIG, + '__module__' : 'envoy.config.filter.http.authn.v2alpha2.config_pb2' + # @@protoc_insertion_point(class_scope:istio.envoy.config.filter.http.authn.v2alpha2.FilterConfig) + }) +_sym_db.RegisterMessage(FilterConfig) +_sym_db.RegisterMessage(FilterConfig.JwtOutputPayloadLocationsEntry) + + +DESCRIPTOR._options = None +_FILTERCONFIG_JWTOUTPUTPAYLOADLOCATIONSENTRY._options = None +# @@protoc_insertion_point(module_scope)