Example: https://www.googleapis.com/oauth2/v1/certs
+Example: https://www.googleapis.com/oauth2/v1/certs
Note: Only one of jwks_uri and jwks should be used.
diff --git a/authentication/v1alpha1/policy.pb.go b/authentication/v1alpha1/policy.pb.go index d4f4f1cd8a3..4195a047c70 100644 --- a/authentication/v1alpha1/policy.pb.go +++ b/authentication/v1alpha1/policy.pb.go @@ -430,7 +430,7 @@ type Jwt struct { // the issuer or (b) inferred from the email domain of the issuer (e.g. a // Google service account). // - // Example: https://www.googleapis.com/oauth2/v1/certs + // Example: `https://www.googleapis.com/oauth2/v1/certs` // // Note: Only one of jwks_uri and jwks should be used. JwksUri string `protobuf:"bytes,3,opt,name=jwks_uri,json=jwksUri,proto3" json:"jwks_uri,omitempty"` diff --git a/authentication/v1alpha1/policy.proto b/authentication/v1alpha1/policy.proto index 30fcd32cb24..1eeffb2d671 100644 --- a/authentication/v1alpha1/policy.proto +++ b/authentication/v1alpha1/policy.proto @@ -154,7 +154,7 @@ message Jwt { // the issuer or (b) inferred from the email domain of the issuer (e.g. a // Google service account). // - // Example: https://www.googleapis.com/oauth2/v1/certs + // Example: `https://www.googleapis.com/oauth2/v1/certs` // // Note: Only one of jwks_uri and jwks should be used. string jwks_uri = 3; diff --git a/dictionaries/custom.txt b/dictionaries/custom.txt index 14c8b03d73f..f056b95fd06 100644 --- a/dictionaries/custom.txt +++ b/dictionaries/custom.txt @@ -13,6 +13,7 @@ jitter JSON JWT Kubernetes +LightStep MCP multicluster NACK @@ -27,6 +28,7 @@ scalability SDS SNI SPIFFE +subnet TCP TLS UDP @@ -35,3 +37,5 @@ unmanaged unterminated URI URL +VM +Zipkin diff --git a/envoy/config/filter/http/jwt_auth/v2alpha1/config.pb.go b/envoy/config/filter/http/jwt_auth/v2alpha1/config.pb.go index 87ce22a8f38..d05358fc7ea 100644 --- a/envoy/config/filter/http/jwt_auth/v2alpha1/config.pb.go +++ b/envoy/config/filter/http/jwt_auth/v2alpha1/config.pb.go @@ -348,15 +348,14 @@ func _DataSource_OneofSizer(msg proto.Message) (n int) { return n } -// This message specifies how a JSON Web Token (JWT) can be verified. JWT format is defined -// `heretlsSettingsistio.networking.v1alpha3.TLSSettingsUse the tlssettings to specify the tls mode to use. If the MCP server
+ Use the tls_settings to specify the tls mode to use. If the MCP server
uses Istio mutual TLS and shares the root CA with Pilot, specify the TLS
-mode as ISTIO
ISTIO_MUTUAL.
Optional: only one of distribute or failover can be set. Explicitly specify loadbalancing weight across different zones and geographical locations. -Refer to Locality weighted load balancing +Refer to Locality weighted load balancing If empty, the locality weight is set according to the endpoints number within it.
MeshNetworks(file/config map): networks: -- network1: + network1: - endpoints: - - fromRegistry: registry1 #must match secret name inKubernetes + - fromRegistry: registry1 #must match secret name in Kubernetes - fromCidr: 192.168.100.0/22 #a VM network for example gateways: - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local + port: 15443 + locality: us-east-1a + - address: 192.168.100.1 port: 15443 locality: us-east-1a
@@ -755,13 +758,13 @@Implicitly: If the registry explicitly provides information about the network to which the endpoint belongs to. In some cases, its possible to indicate the network associated with the endpoint by -adding ISTIOMETANETWORK environment variable to the sidecar.
ISTIO_META_NETWORK environment variable to the sidecar.
Explicitly:
a. By matching the registry name with one of the “fromregistries” - in the mesh config. A “fromregistry” can only be assigned to a +
a. By matching the registry name with one of the “fromRegistry” + in the mesh config. A “from_registry” can only be assigned to a single network.
b. By matching the IP against one of the CIDR ranges in a mesh @@ -794,7 +797,7 @@
Add all endpoints from the specified registry into this network. The names of the registries should correspond to the secret name -that was used to configure the registry (kubernetes multicluster) or +that was used to configure the registry (Kubernetes multicluster) or supplied by MCP server.
stringAddress of the Envoy Metrics Service implementation (e.g. metrics-service:15000). -See https://www.envoyproxy.io/docs/envoy/latest/api-v2/config/metrics/v2/metrics_service.proto +See Metric Service for details about Envoy’s Metrics Service API.
Describes the configuration state for the Mixer client library that’s built into Envoy.
+APIKey defines the explicit configuration for generating the @@ -1058,7 +1062,7 @@
The common baseline set of attributes available in most Istio deployments is defined -here.
+here.Attributes are strongly typed. The supported attribute types are defined by ValueType. diff --git a/mixer/v1/config/client/quota.pb.go b/mixer/v1/config/client/quota.pb.go index 02e71e22b1c..39fe9ff3118 100644 --- a/mixer/v1/config/client/quota.pb.go +++ b/mixer/v1/config/client/quota.pb.go @@ -40,16 +40,12 @@ func (m *QuotaSpec) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) } func (m *QuotaSpec) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { - if deterministic { - return xxx_messageInfo_QuotaSpec.Marshal(b, m, deterministic) - } else { - b = b[:cap(b)] - n, err := m.MarshalTo(b) - if err != nil { - return nil, err - } - return b[:n], nil + b = b[:cap(b)] + n, err := m.MarshalTo(b) + if err != nil { + return nil, err } + return b[:n], nil } func (m *QuotaSpec) XXX_Merge(src proto.Message) { xxx_messageInfo_QuotaSpec.Merge(m, src) @@ -82,16 +78,12 @@ func (m *QuotaRule) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) } func (m *QuotaRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { - if deterministic { - return xxx_messageInfo_QuotaRule.Marshal(b, m, deterministic) - } else { - b = b[:cap(b)] - n, err := m.MarshalTo(b) - if err != nil { - return nil, err - } - return b[:n], nil + b = b[:cap(b)] + n, err := m.MarshalTo(b) + if err != nil { + return nil, err } + return b[:n], nil } func (m *QuotaRule) XXX_Merge(src proto.Message) { xxx_messageInfo_QuotaRule.Merge(m, src) @@ -124,16 +116,12 @@ func (m *StringMatch) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) } func (m *StringMatch) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { - if deterministic { - return xxx_messageInfo_StringMatch.Marshal(b, m, deterministic) - } else { - b = b[:cap(b)] - n, err := m.MarshalTo(b) - if err != nil { - return nil, err - } - return b[:n], nil + b = b[:cap(b)] + n, err := m.MarshalTo(b) + if err != nil { + return nil, err } + return b[:n], nil } func (m *StringMatch) XXX_Merge(src proto.Message) { xxx_messageInfo_StringMatch.Merge(m, src) @@ -300,16 +288,12 @@ func (m *AttributeMatch) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) } func (m *AttributeMatch) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { - if deterministic { - return xxx_messageInfo_AttributeMatch.Marshal(b, m, deterministic) - } else { - b = b[:cap(b)] - n, err := m.MarshalTo(b) - if err != nil { - return nil, err - } - return b[:n], nil + b = b[:cap(b)] + n, err := m.MarshalTo(b) + if err != nil { + return nil, err } + return b[:n], nil } func (m *AttributeMatch) XXX_Merge(src proto.Message) { xxx_messageInfo_AttributeMatch.Merge(m, src) @@ -340,16 +324,12 @@ func (m *Quota) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) } func (m *Quota) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { - if deterministic { - return xxx_messageInfo_Quota.Marshal(b, m, deterministic) - } else { - b = b[:cap(b)] - n, err := m.MarshalTo(b) - if err != nil { - return nil, err - } - return b[:n], nil + b = b[:cap(b)] + n, err := m.MarshalTo(b) + if err != nil { + return nil, err } + return b[:n], nil } func (m *Quota) XXX_Merge(src proto.Message) { xxx_messageInfo_Quota.Merge(m, src) @@ -383,16 +363,12 @@ func (m *QuotaSpecBinding) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) } func (m *QuotaSpecBinding) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { - if deterministic { - return xxx_messageInfo_QuotaSpecBinding.Marshal(b, m, deterministic) - } else { - b = b[:cap(b)] - n, err := m.MarshalTo(b) - if err != nil { - return nil, err - } - return b[:n], nil + b = b[:cap(b)] + n, err := m.MarshalTo(b) + if err != nil { + return nil, err } + return b[:n], nil } func (m *QuotaSpecBinding) XXX_Merge(src proto.Message) { xxx_messageInfo_QuotaSpecBinding.Merge(m, src) @@ -426,16 +402,12 @@ func (m *QuotaSpecBinding_QuotaSpecReference) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) } func (m *QuotaSpecBinding_QuotaSpecReference) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { - if deterministic { - return xxx_messageInfo_QuotaSpecBinding_QuotaSpecReference.Marshal(b, m, deterministic) - } else { - b = b[:cap(b)] - n, err := m.MarshalTo(b) - if err != nil { - return nil, err - } - return b[:n], nil + b = b[:cap(b)] + n, err := m.MarshalTo(b) + if err != nil { + return nil, err } + return b[:n], nil } func (m *QuotaSpecBinding_QuotaSpecReference) XXX_Merge(src proto.Message) { xxx_messageInfo_QuotaSpecBinding_QuotaSpecReference.Merge(m, src) @@ -464,40 +436,40 @@ func init() { proto.RegisterFile("mixer/v1/config/client/quota.proto", fileDescr var fileDescriptor_81777b5d047af315 = []byte{ // 540 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x93, 0xcf, 0x6a, 0x13, 0x5f, - 0x14, 0xc7, 0x67, 0x92, 0xdf, 0x84, 0x5f, 0x4e, 0x44, 0xca, 0xa5, 0x94, 0x21, 0x94, 0x4b, 0x99, - 0x0a, 0x56, 0x91, 0x19, 0x5a, 0x11, 0x8a, 0x22, 0xd2, 0x88, 0x45, 0x05, 0x41, 0x6f, 0x76, 0x82, - 0x94, 0xc9, 0xf4, 0x64, 0x7a, 0x31, 0x99, 0x99, 0xde, 0xb9, 0x13, 0x92, 0x9d, 0x2b, 0x57, 0x2e, - 0x7c, 0x0c, 0x1f, 0x25, 0xcb, 0x2c, 0xbb, 0x34, 0x93, 0x8d, 0xcb, 0x3e, 0x82, 0xcc, 0xbd, 0x37, - 0x6d, 0x44, 0x0d, 0x75, 0x35, 0xe7, 0x9c, 0x39, 0x9f, 0xef, 0xf9, 0xc3, 0xb9, 0xe0, 0x0d, 0xf9, - 0x18, 0x45, 0x30, 0xda, 0x0f, 0xa2, 0x34, 0xe9, 0xf3, 0x38, 0x88, 0x06, 0x1c, 0x13, 0x19, 0x9c, - 0x17, 0xa9, 0x0c, 0xfd, 0x4c, 0xa4, 0x32, 0x25, 0xdb, 0x3c, 0x97, 0x3c, 0xf5, 0x55, 0xa6, 0x3f, - 0xda, 0xf7, 0x75, 0xa6, 0xaf, 0x33, 0xdb, 0x9b, 0x71, 0x1a, 0xa7, 0x2a, 0x31, 0xa8, 0x2c, 0xcd, - 0xb4, 0xef, 0xfc, 0x45, 0x37, 0x47, 0x31, 0xe2, 0x11, 0xea, 0x2c, 0xef, 0x35, 0x34, 0xdf, 0x55, - 0x85, 0xba, 0x19, 0x46, 0xe4, 0x29, 0x38, 0xa2, 0x18, 0x60, 0xee, 0xda, 0x3b, 0xf5, 0xbd, 0xd6, - 0xc1, 0x5d, 0x7f, 0x5d, 0x59, 0x5f, 0x71, 0xac, 0x18, 0x20, 0xd3, 0x94, 0xf7, 0xc5, 0x36, 0x62, - 0x55, 0x90, 0x74, 0xc0, 0x19, 0x86, 0x32, 0x3a, 0x33, 0x62, 0x0f, 0xd6, 0x8b, 0x1d, 0x49, 0x29, - 0x78, 0xaf, 0x90, 0xf8, 0xa6, 0x62, 0x98, 0x46, 0xc9, 0x13, 0x68, 0xa8, 0x35, 0xe4, 0x6e, 0x4d, - 0x89, 0xec, 0xde, 0xa4, 0x23, 0x83, 0x78, 0x08, 0xad, 0xae, 0x14, 0x3c, 0x89, 0x95, 0x24, 0xd9, - 0x02, 0x07, 0xc7, 0x61, 0x24, 0x5d, 0x7b, 0xc7, 0xde, 0x6b, 0xbe, 0xb4, 0x98, 0x76, 0x89, 0x0b, - 0x8d, 0x4c, 0x60, 0x9f, 0x8f, 0xdd, 0x9a, 0xf9, 0x61, 0xfc, 0x8a, 0x10, 0x18, 0xe3, 0xd8, 0xad, - 0x2f, 0x09, 0xe5, 0x76, 0x6e, 0x01, 0xa8, 0xf6, 0x4e, 0xe4, 0x24, 0x43, 0x6f, 0x6a, 0xc3, 0xed, - 0x5f, 0xbb, 0x27, 0x6f, 0xa1, 0x11, 0x0d, 0xc2, 0x22, 0x47, 0x33, 0xfb, 0xe1, 0xbf, 0xcc, 0xee, - 0x3f, 0x57, 0xe8, 0x8b, 0x44, 0x8a, 0x09, 0x33, 0x3a, 0xed, 0x53, 0x68, 0xad, 0x84, 0xc9, 0x06, - 0xd4, 0x3f, 0xe2, 0x44, 0x4f, 0xc2, 0x2a, 0x93, 0x3c, 0x03, 0x67, 0x14, 0x0e, 0x0a, 0x54, 0x43, - 0xb4, 0x0e, 0xee, 0xad, 0xaf, 0xb8, 0xb2, 0x17, 0xa6, 0xb9, 0xc7, 0xb5, 0x43, 0xdb, 0x7b, 0x04, - 0x8e, 0x5a, 0x21, 0xd9, 0x04, 0x47, 0x2d, 0xd1, 0x54, 0xd0, 0x0e, 0xd9, 0x82, 0x46, 0x74, 0x16, - 0x8a, 0x58, 0x17, 0xa9, 0x33, 0xe3, 0x79, 0x9f, 0x6b, 0xb0, 0x71, 0x75, 0x44, 0x1d, 0x9e, 0x9c, - 0xf2, 0x24, 0x26, 0xc7, 0xf0, 0xbf, 0xb9, 0xb4, 0xe5, 0x39, 0xdd, 0x5f, 0xdf, 0xd3, 0xab, 0xea, - 0x67, 0x57, 0x23, 0xec, 0x8a, 0x25, 0x3d, 0x68, 0xa9, 0xea, 0x27, 0x79, 0x86, 0xd1, 0xf2, 0x0e, - 0x8e, 0x6e, 0x70, 0x07, 0x2b, 0xcd, 0x5c, 0x07, 0x18, 0xf6, 0x51, 0x60, 0x12, 0x21, 0x83, 0xf3, - 0x65, 0x2c, 0x6f, 0x1f, 0x03, 0xf9, 0x3d, 0x83, 0x10, 0xf8, 0x2f, 0x09, 0x87, 0x68, 0x76, 0xa0, - 0x6c, 0xb2, 0x0d, 0xcd, 0xea, 0x9b, 0x67, 0x61, 0xa4, 0xb7, 0xd0, 0x64, 0xd7, 0x81, 0xce, 0x87, - 0xe9, 0x9c, 0x5a, 0xb3, 0x39, 0xb5, 0x2e, 0xe6, 0xd4, 0xba, 0x9c, 0x53, 0xeb, 0x53, 0x49, 0xed, - 0x6f, 0x25, 0xb5, 0xa6, 0x25, 0xb5, 0x67, 0x25, 0xb5, 0xbf, 0x97, 0xd4, 0xfe, 0x51, 0x52, 0xeb, - 0xb2, 0xa4, 0xf6, 0xd7, 0x05, 0xb5, 0x66, 0x0b, 0x6a, 0x5d, 0x2c, 0xa8, 0xf5, 0x7e, 0x57, 0xcf, - 0xc3, 0xd3, 0x20, 0xcc, 0x78, 0xf0, 0xe7, 0x97, 0xdb, 0x6b, 0xa8, 0x27, 0xfb, 0xf0, 0x67, 0x00, - 0x00, 0x00, 0xff, 0xff, 0x07, 0x28, 0x43, 0xd1, 0x32, 0x04, 0x00, 0x00, + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x93, 0xcf, 0x6b, 0x13, 0x41, + 0x14, 0xc7, 0x77, 0x12, 0x37, 0x98, 0x17, 0x91, 0x32, 0x94, 0xb2, 0x84, 0x32, 0x94, 0xad, 0x60, + 0x15, 0xd9, 0xa5, 0x15, 0xa1, 0x28, 0x22, 0x8d, 0x58, 0x54, 0x10, 0x74, 0x7a, 0xf3, 0x52, 0x36, + 0xdb, 0x97, 0xed, 0x60, 0xb2, 0xbb, 0xdd, 0x9d, 0x0d, 0xc9, 0xcd, 0x93, 0x27, 0x0f, 0xfe, 0x19, + 0xfe, 0x29, 0x39, 0xe6, 0x98, 0xa3, 0xd9, 0x5c, 0x3c, 0xf6, 0x4f, 0x90, 0x9d, 0x99, 0xb4, 0x11, + 0x35, 0xd4, 0xd3, 0xbe, 0xf7, 0xf6, 0x7d, 0xbe, 0xef, 0x07, 0x6f, 0xc0, 0x1d, 0x88, 0x11, 0x66, + 0xfe, 0x70, 0xdf, 0x0f, 0x93, 0xb8, 0x27, 0x22, 0x3f, 0xec, 0x0b, 0x8c, 0xa5, 0x7f, 0x51, 0x24, + 0x32, 0xf0, 0xd2, 0x2c, 0x91, 0x09, 0xdd, 0x16, 0xb9, 0x14, 0x89, 0xa7, 0x32, 0xbd, 0xe1, 0xbe, + 0xa7, 0x33, 0x3d, 0x9d, 0xd9, 0xde, 0x8c, 0x92, 0x28, 0x51, 0x89, 0x7e, 0x65, 0x69, 0xa6, 0x7d, + 0xef, 0x1f, 0xba, 0x39, 0x66, 0x43, 0x11, 0xa2, 0xce, 0x72, 0xdf, 0x42, 0xf3, 0x43, 0x55, 0xe8, + 0x24, 0xc5, 0x90, 0x3e, 0x07, 0x3b, 0x2b, 0xfa, 0x98, 0x3b, 0x64, 0xa7, 0xbe, 0xd7, 0x3a, 0xb8, + 0xef, 0xad, 0x2b, 0xeb, 0x29, 0x8e, 0x17, 0x7d, 0xe4, 0x9a, 0x72, 0xbf, 0x12, 0x23, 0x56, 0x05, + 0x69, 0x07, 0xec, 0x41, 0x20, 0xc3, 0x73, 0x23, 0xf6, 0x68, 0xbd, 0xd8, 0x91, 0x94, 0x99, 0xe8, + 0x16, 0x12, 0xdf, 0x55, 0x0c, 0xd7, 0x28, 0x7d, 0x06, 0x0d, 0xb5, 0x86, 0xdc, 0xa9, 0x29, 0x91, + 0xdd, 0x9b, 0x74, 0x64, 0x10, 0x17, 0xa1, 0x75, 0x22, 0x33, 0x11, 0x47, 0x4a, 0x92, 0x6e, 0x81, + 0x8d, 0xa3, 0x20, 0x94, 0x0e, 0xd9, 0x21, 0x7b, 0xcd, 0xd7, 0x16, 0xd7, 0x2e, 0x75, 0xa0, 0x91, + 0x66, 0xd8, 0x13, 0x23, 0xa7, 0x66, 0x7e, 0x18, 0xbf, 0x22, 0x32, 0x8c, 0x70, 0xe4, 0xd4, 0x97, + 0x84, 0x72, 0x3b, 0x77, 0x00, 0x54, 0x7b, 0xa7, 0x72, 0x9c, 0xa2, 0x3b, 0x21, 0x70, 0xf7, 0xf7, + 0xee, 0xe9, 0x7b, 0x68, 0x84, 0xfd, 0xa0, 0xc8, 0xd1, 0xcc, 0x7e, 0xf8, 0x3f, 0xb3, 0x7b, 0x2f, + 0x15, 0xfa, 0x2a, 0x96, 0xd9, 0x98, 0x1b, 0x9d, 0xf6, 0x19, 0xb4, 0x56, 0xc2, 0x74, 0x03, 0xea, + 0x9f, 0x70, 0xac, 0x27, 0xe1, 0x95, 0x49, 0x5f, 0x80, 0x3d, 0x0c, 0xfa, 0x05, 0xaa, 0x21, 0x5a, + 0x07, 0x0f, 0xd6, 0x57, 0x5c, 0xd9, 0x0b, 0xd7, 0xdc, 0xd3, 0xda, 0x21, 0x71, 0x9f, 0x80, 0xad, + 0x56, 0x48, 0x37, 0xc1, 0x56, 0x4b, 0x34, 0x15, 0xb4, 0x43, 0xb7, 0xa0, 0x11, 0x9e, 0x07, 0x59, + 0xa4, 0x8b, 0xd4, 0xb9, 0xf1, 0xdc, 0x2f, 0x35, 0xd8, 0xb8, 0x3a, 0xa2, 0x8e, 0x88, 0xcf, 0x44, + 0x1c, 0xd1, 0x63, 0xb8, 0x6d, 0x2e, 0x6d, 0x79, 0x4e, 0x0f, 0xd7, 0xf7, 0xf4, 0xa6, 0xfa, 0x79, + 0xa2, 0x11, 0x7e, 0xc5, 0xd2, 0x2e, 0xb4, 0x54, 0xf5, 0xd3, 0x3c, 0xc5, 0x70, 0x79, 0x07, 0x47, + 0x37, 0xb8, 0x83, 0x95, 0x66, 0xae, 0x03, 0x1c, 0x7b, 0x98, 0x61, 0x1c, 0x22, 0x87, 0x8b, 0x65, + 0x2c, 0x6f, 0x1f, 0x03, 0xfd, 0x33, 0x83, 0x52, 0xb8, 0x15, 0x07, 0x03, 0x34, 0x3b, 0x50, 0x36, + 0xdd, 0x86, 0x66, 0xf5, 0xcd, 0xd3, 0x20, 0xd4, 0x5b, 0x68, 0xf2, 0xeb, 0x40, 0x27, 0x98, 0xcc, + 0x99, 0x35, 0x9d, 0x33, 0x6b, 0x36, 0x67, 0xd6, 0xe5, 0x9c, 0x59, 0x9f, 0x4b, 0x46, 0xbe, 0x97, + 0xcc, 0x9a, 0x94, 0x8c, 0x4c, 0x4b, 0x46, 0x66, 0x25, 0x23, 0x3f, 0x4a, 0x46, 0x7e, 0x96, 0xcc, + 0xba, 0x2c, 0x19, 0xf9, 0xb6, 0x60, 0xd6, 0x74, 0xc1, 0xac, 0xd9, 0x82, 0x59, 0x1f, 0x77, 0xf5, + 0x4c, 0x22, 0xf1, 0x83, 0x54, 0xf8, 0x7f, 0x7f, 0xbd, 0xdd, 0x86, 0x7a, 0xb6, 0x8f, 0x7f, 0x05, + 0x00, 0x00, 0xff, 0xff, 0xb5, 0x3a, 0x59, 0xa6, 0x36, 0x04, 0x00, 0x00, } func (m *QuotaSpec) Marshal() (dAtA []byte, err error) { @@ -637,10 +609,15 @@ func (m *AttributeMatch) MarshalTo(dAtA []byte) (int, error) { var l int _ = l if len(m.Clause) > 0 { + keysForClause := make([]string, 0, len(m.Clause)) for k, _ := range m.Clause { + keysForClause = append(keysForClause, string(k)) + } + github_com_gogo_protobuf_sortkeys.Strings(keysForClause) + for _, k := range keysForClause { dAtA[i] = 0xa i++ - v := m.Clause[k] + v := m.Clause[string(k)] msgSize := 0 if v != nil { msgSize = v.Size() diff --git a/mixer/v1/config/client/quota.proto b/mixer/v1/config/client/quota.proto index 3894fcd18dc..5ea594c8384 100644 --- a/mixer/v1/config/client/quota.proto +++ b/mixer/v1/config/client/quota.proto @@ -24,6 +24,7 @@ import "mixer/v1/config/client/service.proto"; option (gogoproto.goproto_getters_all) = false; option (gogoproto.equal_all) = false; option (gogoproto.gostring_all) = false; +option (gogoproto.stable_marshaler_all) = true; // Specifies runtime quota rules. // * Uses Istio attributes to match individual requests diff --git a/mixer/v1/config/client/service.pb.go b/mixer/v1/config/client/service.pb.go index 11e541be687..34e237910f4 100644 --- a/mixer/v1/config/client/service.pb.go +++ b/mixer/v1/config/client/service.pb.go @@ -53,16 +53,12 @@ func (m *IstioService) XXX_Unmarshal(b []byte) error { return m.Unmarshal(b) } func (m *IstioService) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { - if deterministic { - return xxx_messageInfo_IstioService.Marshal(b, m, deterministic) - } else { - b = b[:cap(b)] - n, err := m.MarshalTo(b) - if err != nil { - return nil, err - } - return b[:n], nil + b = b[:cap(b)] + n, err := m.MarshalTo(b) + if err != nil { + return nil, err } + return b[:n], nil } func (m *IstioService) XXX_Merge(src proto.Message) { xxx_messageInfo_IstioService.Merge(m, src) @@ -86,27 +82,27 @@ func init() { } var fileDescriptor_3358a28a51c817d5 = []byte{ - // 315 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x51, 0x3f, 0x4b, 0x03, 0x31, - 0x1c, 0x4d, 0xfa, 0x4f, 0x9a, 0x3a, 0x48, 0x28, 0x12, 0x4a, 0xf9, 0x51, 0xd4, 0xa1, 0x53, 0x42, - 0x15, 0x44, 0x1d, 0x05, 0x07, 0x41, 0x1c, 0xea, 0x26, 0x38, 0xa4, 0x67, 0x2c, 0xc1, 0xeb, 0xa5, - 0xdc, 0x9d, 0x87, 0xdd, 0xfc, 0x08, 0x7e, 0x0c, 0x3f, 0x4a, 0xc7, 0x8e, 0x1d, 0xbd, 0x74, 0x71, - 0xec, 0x17, 0x10, 0xe4, 0x92, 0x2b, 0x76, 0x10, 0xa7, 0xbc, 0xf7, 0x7b, 0xef, 0xfd, 0x78, 0x49, - 0xc8, 0xd1, 0x44, 0xbf, 0xaa, 0x58, 0x64, 0x03, 0x11, 0x98, 0xe8, 0x49, 0x8f, 0x45, 0x10, 0x6a, - 0x15, 0xa5, 0x22, 0x51, 0x71, 0xa6, 0x03, 0xc5, 0xa7, 0xb1, 0x49, 0x0d, 0xed, 0xea, 0x24, 0xd5, - 0x86, 0x3b, 0x2f, 0xcf, 0x06, 0xdc, 0x7b, 0xb9, 0xf7, 0x76, 0xda, 0x63, 0x33, 0x36, 0xce, 0x28, - 0x0a, 0xe4, 0x33, 0x07, 0xdf, 0x98, 0xec, 0x5e, 0x17, 0xb1, 0x3b, 0xbf, 0x8a, 0x52, 0x52, 0x8b, - 0xe4, 0x44, 0x31, 0xdc, 0xc3, 0xfd, 0xe6, 0xd0, 0x61, 0xda, 0x25, 0xcd, 0xe2, 0x4c, 0xa6, 0x32, - 0x50, 0xac, 0xe2, 0x84, 0xdf, 0x01, 0xdd, 0x27, 0x8d, 0x47, 0x33, 0x91, 0x3a, 0x62, 0x55, 0x27, - 0x95, 0x8c, 0x32, 0xb2, 0x53, 0xf6, 0x63, 0x35, 0x27, 0x6c, 0x28, 0xbd, 0x25, 0x8d, 0x50, 0x8e, - 0x54, 0x98, 0xb0, 0x7a, 0xaf, 0xda, 0x6f, 0x1d, 0x9f, 0xf2, 0xff, 0x9a, 0xf3, 0xed, 0x7e, 0xfc, - 0xc6, 0x05, 0xaf, 0xa2, 0x34, 0x9e, 0x0d, 0xcb, 0x2d, 0x9d, 0x73, 0xd2, 0xda, 0x1a, 0xd3, 0x3d, - 0x52, 0x7d, 0x56, 0xb3, 0xf2, 0x06, 0x05, 0xa4, 0x6d, 0x52, 0xcf, 0x64, 0xf8, 0xb2, 0x29, 0xef, - 0xc9, 0x45, 0xe5, 0x0c, 0x5f, 0x3e, 0xcc, 0x73, 0x40, 0x8b, 0x1c, 0xd0, 0x32, 0x07, 0xb4, 0xce, - 0x01, 0xbd, 0x59, 0xc0, 0x1f, 0x16, 0xd0, 0xdc, 0x02, 0x5e, 0x58, 0xc0, 0x9f, 0x16, 0xf0, 0x97, - 0x05, 0xb4, 0xb6, 0x80, 0xdf, 0x57, 0x80, 0x16, 0x2b, 0x40, 0xcb, 0x15, 0xa0, 0xfb, 0x43, 0xdf, - 0x59, 0x1b, 0x21, 0xa7, 0x5a, 0xfc, 0xfd, 0x41, 0xa3, 0x86, 0x7b, 0xe5, 0x93, 0x9f, 0x00, 0x00, - 0x00, 0xff, 0xff, 0xc4, 0x69, 0x6e, 0x30, 0xc1, 0x01, 0x00, 0x00, + // 318 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x51, 0x3f, 0x4b, 0x3b, 0x31, + 0x18, 0x4e, 0xfa, 0xef, 0x47, 0xd3, 0xdf, 0x20, 0xa1, 0x48, 0x28, 0xe5, 0xa5, 0xa8, 0x43, 0xa7, + 0x84, 0x2a, 0x88, 0x3a, 0x0a, 0x0e, 0x82, 0x38, 0xd4, 0xcd, 0x2d, 0x3d, 0x63, 0x09, 0x5e, 0x2f, + 0xe5, 0xee, 0x3c, 0xec, 0xe6, 0x47, 0xf0, 0x63, 0xf8, 0x51, 0x3a, 0x76, 0xec, 0xe8, 0xe5, 0x16, + 0xc7, 0x7e, 0x01, 0x41, 0x2e, 0xb9, 0x62, 0x07, 0x71, 0xca, 0xf3, 0xbc, 0xcf, 0xf3, 0xbc, 0x3c, + 0x49, 0xc8, 0xd1, 0x4c, 0xbf, 0xa8, 0x58, 0x64, 0x23, 0x11, 0x98, 0xe8, 0x51, 0x4f, 0x45, 0x10, + 0x6a, 0x15, 0xa5, 0x22, 0x51, 0x71, 0xa6, 0x03, 0xc5, 0xe7, 0xb1, 0x49, 0x0d, 0xed, 0xeb, 0x24, + 0xd5, 0x86, 0x3b, 0x2f, 0xcf, 0x46, 0xdc, 0x7b, 0xb9, 0xf7, 0xf6, 0xba, 0x53, 0x33, 0x35, 0xce, + 0x28, 0x4a, 0xe4, 0x33, 0x07, 0x5f, 0x98, 0xfc, 0xbf, 0x2e, 0x63, 0x77, 0x7e, 0x15, 0xa5, 0xa4, + 0x11, 0xc9, 0x99, 0x62, 0x78, 0x80, 0x87, 0xed, 0xb1, 0xc3, 0xb4, 0x4f, 0xda, 0xe5, 0x99, 0xcc, + 0x65, 0xa0, 0x58, 0xcd, 0x09, 0x3f, 0x03, 0xba, 0x4f, 0x5a, 0x0f, 0x66, 0x26, 0x75, 0xc4, 0xea, + 0x4e, 0xaa, 0x18, 0x65, 0xe4, 0x5f, 0xd5, 0x8f, 0x35, 0x9c, 0xb0, 0xa5, 0xf4, 0x96, 0xb4, 0x42, + 0x39, 0x51, 0x61, 0xc2, 0x9a, 0x83, 0xfa, 0xb0, 0x73, 0x7c, 0xca, 0xff, 0x6a, 0xce, 0x77, 0xfb, + 0xf1, 0x1b, 0x17, 0xbc, 0x8a, 0xd2, 0x78, 0x31, 0xae, 0xb6, 0xf4, 0xce, 0x49, 0x67, 0x67, 0x4c, + 0xf7, 0x48, 0xfd, 0x49, 0x2d, 0xaa, 0x1b, 0x94, 0x90, 0x76, 0x49, 0x33, 0x93, 0xe1, 0xf3, 0xb6, + 0xbc, 0x27, 0x17, 0xb5, 0x33, 0x7c, 0x29, 0x97, 0x39, 0xa0, 0x55, 0x0e, 0x68, 0x9d, 0x03, 0xda, + 0xe4, 0x80, 0x5e, 0x2d, 0xe0, 0x77, 0x0b, 0x68, 0x69, 0x01, 0xaf, 0x2c, 0xe0, 0xb5, 0x05, 0xfc, + 0x61, 0x01, 0x7f, 0x5a, 0x40, 0x1b, 0x0b, 0xf8, 0xad, 0x00, 0xb4, 0x2a, 0x00, 0xad, 0x0b, 0x40, + 0xf7, 0x87, 0xbe, 0xb7, 0x36, 0x42, 0xce, 0xb5, 0xf8, 0xfd, 0x93, 0x26, 0x2d, 0xf7, 0xd2, 0x27, + 0xdf, 0x01, 0x00, 0x00, 0xff, 0xff, 0xab, 0x14, 0xde, 0x44, 0xc5, 0x01, 0x00, 0x00, } func (m *IstioService) Marshal() (dAtA []byte, err error) { @@ -149,10 +145,15 @@ func (m *IstioService) MarshalTo(dAtA []byte) (int, error) { i += copy(dAtA[i:], m.Service) } if len(m.Labels) > 0 { + keysForLabels := make([]string, 0, len(m.Labels)) for k, _ := range m.Labels { + keysForLabels = append(keysForLabels, string(k)) + } + github_com_gogo_protobuf_sortkeys.Strings(keysForLabels) + for _, k := range keysForLabels { dAtA[i] = 0x2a i++ - v := m.Labels[k] + v := m.Labels[string(k)] mapSize := 1 + len(k) + sovService(uint64(len(k))) + 1 + len(v) + sovService(uint64(len(v))) i = encodeVarintService(dAtA, i, uint64(mapSize)) dAtA[i] = 0xa diff --git a/mixer/v1/config/client/service.proto b/mixer/v1/config/client/service.proto index 958a4cb2c9c..01de2e97376 100644 --- a/mixer/v1/config/client/service.proto +++ b/mixer/v1/config/client/service.proto @@ -23,13 +23,14 @@ import "gogoproto/gogo.proto"; option (gogoproto.goproto_getters_all) = false; option (gogoproto.equal_all) = false; option (gogoproto.gostring_all) = false; +option (gogoproto.stable_marshaler_all) = true; // NOTE: this is a duplicate of proxy.v1.config.IstioService from // proxy/v1alpha1/config/route_rules.proto. // // Mixer protobufs have gogoproto specific options which are not // compatiable with the proxy's vanilla protobufs. Ideally, these -// protobuf options be reconciled so fundamental istio concepts and +// protobuf options be reconciled so fundamental Istio concepts and // types can be shared by components. Until then, make a copy of // IstioService for mixerclient to use. diff --git a/mixer/v1/istio.mixer.v1.pb.html b/mixer/v1/istio.mixer.v1.pb.html index e2d446ab964..1caee7a896a 100644 --- a/mixer/v1/istio.mixer.v1.pb.html +++ b/mixer/v1/istio.mixer.v1.pb.html @@ -66,7 +66,7 @@
The common baseline set of attributes available in most Istio deployments is defined -here.
+here.Attributes are strongly typed. The supported attribute types are defined by ValueType. diff --git a/networking/v1alpha3/envoy_filter.pb.go b/networking/v1alpha3/envoy_filter.pb.go index bbe92a378f3..5f7a23157fe 100644 --- a/networking/v1alpha3/envoy_filter.pb.go +++ b/networking/v1alpha3/envoy_filter.pb.go @@ -16,8 +16,11 @@ // The behavior is undefined if multiple EnvoyFilter configurations conflict // with each other. // +// NOTE 3: For filters of `filterType: HTTP` you must include a `listenerMatch` section +// with a `listenerProtocol: HTTP` or the filter have no effect. +// // The following example for Kubernetes enables Envoy's Lua filter for all -// inbound calls arriving at service port 8080 of the reviews service pod with +// inbound HTTP calls arriving at service port 8080 of the reviews service pod with // labels "app: reviews". // // ```yaml @@ -32,6 +35,7 @@ // - listenerMatch: // portNumber: 8080 // listenerType: SIDECAR_INBOUND # will match with the inbound listener for reviews:8080 +// listenerProtocol: HTTP // filterName: envoy.lua // filterType: HTTP // filterConfig: @@ -194,15 +198,12 @@ func (EnvoyFilter_Filter_FilterType) EnumDescriptor() ([]byte, []int) { } type EnvoyFilter struct { - // One or more labels that indicate a specific set of pods/VMs whose + // Zero or more labels that indicate a specific set of pods/VMs whose // proxies should be configured to use these additional filters. The // scope of label search is platform dependent. On Kubernetes, for // example, the scope includes pods running in all reachable // namespaces. Omitting the selector applies the filter to all proxies in // the mesh. - // NOTE: There can be only one EnvoyFilter bound to a specific workload. - // The behavior is undefined if multiple EnvoyFilter configurations are - // specified for the same workload. WorkloadLabels map[string]string `protobuf:"bytes,1,rep,name=workload_labels,json=workloadLabels,proto3" json:"workload_labels,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` // REQUIRED: Envoy network filters/http filters to be added to matching // listeners. When adding network filters to http connections, care @@ -278,11 +279,11 @@ type EnvoyFilter_ListenerMatch struct { // Inbound vs outbound sidecar listener or gateway listener. If not specified, // matches all listeners. ListenerType EnvoyFilter_ListenerMatch_ListenerType `protobuf:"varint,3,opt,name=listener_type,json=listenerType,proto3,enum=istio.networking.v1alpha3.EnvoyFilter_ListenerMatch_ListenerType" json:"listener_type,omitempty"` - // Selects a class of listeners for the same protocol. If not - // specified, applies to listeners on all protocols. Use the protocol + // Selects a class of listeners for the same protocol. Use the protocol // selection to select all HTTP listeners (includes HTTP2/gRPC/HTTPS // where Envoy terminates TLS) or all TCP listeners (includes HTTPS - // passthrough using SNI). + // passthrough using SNI). When adding a HTTP filter, the listenerProtocol + // should be set to HTTP. ListenerProtocol EnvoyFilter_ListenerMatch_ListenerProtocol `protobuf:"varint,4,opt,name=listener_protocol,json=listenerProtocol,proto3,enum=istio.networking.v1alpha3.EnvoyFilter_ListenerMatch_ListenerProtocol" json:"listener_protocol,omitempty"` // One or more IP addresses to which the listener is bound. If // specified, should match at least one address in the list. @@ -421,8 +422,11 @@ func (m *EnvoyFilter_InsertPosition) GetRelativeTo() string { // Envoy filters to be added to a network or http filter chain. type EnvoyFilter_Filter struct { - // Filter will be added to the listener only if the match conditions are true. - // If not specified, the filters will be applied to all listeners. + // Filter will be added to the listener only if the match + // conditions are true. If not specified, the filters will be + // applied to all listeners where possible, potentially resulting + // in invalid configurations. It is recommended to specify the + // listener match criteria for all filter insertions. ListenerMatch *EnvoyFilter_ListenerMatch `protobuf:"bytes,1,opt,name=listener_match,json=listenerMatch,proto3" json:"listener_match,omitempty"` // Insert position in the filter chain. Defaults to FIRST InsertPosition *EnvoyFilter_InsertPosition `protobuf:"bytes,2,opt,name=insert_position,json=insertPosition,proto3" json:"insert_position,omitempty"` diff --git a/networking/v1alpha3/envoy_filter.pb.html b/networking/v1alpha3/envoy_filter.pb.html index 3144a0d15d2..d2be82dc024 100644 --- a/networking/v1alpha3/envoy_filter.pb.html +++ b/networking/v1alpha3/envoy_filter.pb.html @@ -21,8 +21,11 @@ The behavior is undefined if multiple EnvoyFilter configurations conflict with each other.
+NOTE 3: For filters of filterType: HTTP you must include a listenerMatch section
+with a listenerProtocol: HTTP or the filter have no effect.
The following example for Kubernetes enables Envoy’s Lua filter for all -inbound calls arriving at service port 8080 of the reviews service pod with +inbound HTTP calls arriving at service port 8080 of the reviews service pod with labels “app: reviews”.
apiVersion: networking.istio.io/v1alpha3
@@ -36,6 +39,7 @@
- listenerMatch:
portNumber: 8080
listenerType: SIDECAR_INBOUND # will match with the inbound listener for reviews:8080
+ listenerProtocol: HTTP
filterName: envoy.lua
filterType: HTTP
filterConfig:
@@ -58,15 +62,12 @@ EnvoyFilter
workloadLabelsmap<string, string>
-One or more labels that indicate a specific set of pods/VMs whose
+
Zero or more labels that indicate a specific set of pods/VMs whose
proxies should be configured to use these additional filters. The
scope of label search is platform dependent. On Kubernetes, for
example, the scope includes pods running in all reachable
namespaces. Omitting the selector applies the filter to all proxies in
-the mesh.
-NOTE: There can be only one EnvoyFilter bound to a specific workload.
-The behavior is undefined if multiple EnvoyFilter configurations are
-specified for the same workload.
+the mesh.
@@ -101,8 +102,11 @@ EnvoyFilter.Filter
listenerMatchEnvoyFilter.ListenerMatch
-Filter will be added to the listener only if the match conditions are true.
-If not specified, the filters will be applied to all listeners.
+Filter will be added to the listener only if the match
+conditions are true. If not specified, the filters will be
+applied to all listeners where possible, potentially resulting
+in invalid configurations. It is recommended to specify the
+listener match criteria for all filter insertions.
@@ -303,11 +307,11 @@ EnvoyFilter.ListenerMatch
listenerProtocolEnvoyFilter.ListenerMatch.ListenerProtocol
-Selects a class of listeners for the same protocol. If not
-specified, applies to listeners on all protocols. Use the protocol
+
Selects a class of listeners for the same protocol. Use the protocol
selection to select all HTTP listeners (includes HTTP2/gRPC/HTTPS
where Envoy terminates TLS) or all TCP listeners (includes HTTPS
-passthrough using SNI).
+passthrough using SNI). When adding a HTTP filter, the listenerProtocol
+should be set to HTTP.
diff --git a/networking/v1alpha3/envoy_filter.proto b/networking/v1alpha3/envoy_filter.proto
index 6f271d1f0a9..a0aab1b7273 100644
--- a/networking/v1alpha3/envoy_filter.proto
+++ b/networking/v1alpha3/envoy_filter.proto
@@ -35,8 +35,11 @@ import "google/protobuf/struct.proto";
// The behavior is undefined if multiple EnvoyFilter configurations conflict
// with each other.
//
+// NOTE 3: For filters of `filterType: HTTP` you must include a `listenerMatch` section
+// with a `listenerProtocol: HTTP` or the filter have no effect.
+//
// The following example for Kubernetes enables Envoy's Lua filter for all
-// inbound calls arriving at service port 8080 of the reviews service pod with
+// inbound HTTP calls arriving at service port 8080 of the reviews service pod with
// labels "app: reviews".
//
// ```yaml
@@ -51,6 +54,7 @@ import "google/protobuf/struct.proto";
// - listenerMatch:
// portNumber: 8080
// listenerType: SIDECAR_INBOUND # will match with the inbound listener for reviews:8080
+// listenerProtocol: HTTP
// filterName: envoy.lua
// filterType: HTTP
// filterConfig:
@@ -62,15 +66,12 @@ package istio.networking.v1alpha3;
option go_package = "istio.io/api/networking/v1alpha3";
message EnvoyFilter {
- // One or more labels that indicate a specific set of pods/VMs whose
+ // Zero or more labels that indicate a specific set of pods/VMs whose
// proxies should be configured to use these additional filters. The
// scope of label search is platform dependent. On Kubernetes, for
// example, the scope includes pods running in all reachable
// namespaces. Omitting the selector applies the filter to all proxies in
// the mesh.
- // NOTE: There can be only one EnvoyFilter bound to a specific workload.
- // The behavior is undefined if multiple EnvoyFilter configurations are
- // specified for the same workload.
map workload_labels = 1;
// Select a listener to add the filter to based on the match conditions.
@@ -116,11 +117,11 @@ message EnvoyFilter {
TCP = 2;
};
- // Selects a class of listeners for the same protocol. If not
- // specified, applies to listeners on all protocols. Use the protocol
+ // Selects a class of listeners for the same protocol. Use the protocol
// selection to select all HTTP listeners (includes HTTP2/gRPC/HTTPS
// where Envoy terminates TLS) or all TCP listeners (includes HTTPS
- // passthrough using SNI).
+ // passthrough using SNI). When adding a HTTP filter, the listenerProtocol
+ // should be set to HTTP.
ListenerProtocol listener_protocol = 4;
// One or more IP addresses to which the listener is bound. If
@@ -155,8 +156,11 @@ message EnvoyFilter {
// Envoy filters to be added to a network or http filter chain.
message Filter {
- // Filter will be added to the listener only if the match conditions are true.
- // If not specified, the filters will be applied to all listeners.
+ // Filter will be added to the listener only if the match
+ // conditions are true. If not specified, the filters will be
+ // applied to all listeners where possible, potentially resulting
+ // in invalid configurations. It is recommended to specify the
+ // listener match criteria for all filter insertions.
ListenerMatch listener_match = 1;
// Insert position in the filter chain. Defaults to FIRST
diff --git a/networking/v1alpha3/gateway.pb.go b/networking/v1alpha3/gateway.pb.go
index 09dac14fbd5..16a2c07e4b7 100644
--- a/networking/v1alpha3/gateway.pb.go
+++ b/networking/v1alpha3/gateway.pb.go
@@ -52,7 +52,7 @@
// - "bookinfo-namespace/*.bookinfo.com"
// tls:
// mode: SIMPLE # enables HTTPS on this port
-// credentialName: bookinfo-secret # fetches certs from kubernetes secret
+// credentialName: bookinfo-secret # fetches certs from Kubernetes secret
// - port:
// number: 9080
// name: http-wildcard
@@ -72,15 +72,15 @@
// the forwarding of traffic arriving at a particular host or gateway port.
//
// For example, the following VirtualService splits traffic for
-// "https://uk.bookinfo.com/reviews", "https://eu.bookinfo.com/reviews",
-// "http://uk.bookinfo.com:9080/reviews",
-// "http://eu.bookinfo.com:9080/reviews" into two versions (prod and qa) of
+// `https://uk.bookinfo.com/reviews`, `https://eu.bookinfo.com/reviews`,
+// `http://uk.bookinfo.com:9080/reviews`,
+// `http://eu.bookinfo.com:9080/reviews` into two versions (prod and qa) of
// an internal reviews service on port 9080. In addition, requests
// containing the cookie "user: dev-123" will be sent to special port 7777
// in the qa version. The same rule is also applicable inside the mesh for
// requests to the "reviews.prod.svc.cluster.local" service. This rule is
-// applicable across ports 443, 9080. Note that "http://uk.bookinfo.com"
-// gets redirected to "https://uk.bookinfo.com" (i.e. 80 redirects to 443).
+// applicable across ports 443, 9080. Note that `http://uk.bookinfo.com`
+// gets redirected to `https://uk.bookinfo.com` (i.e. 80 redirects to 443).
//
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
@@ -410,14 +410,14 @@ type Server struct {
// $hide_from_docs
// The ip or the Unix domain socket to which the listener should be bound
// to. Format: `x.x.x.x` or `unix:///path/to/uds` or `unix://@foobar`
- // (Linux abstract namespace). When using unix domain sockets, the port
+ // (Linux abstract namespace). When using Unix domain sockets, the port
// number should be 0.
Bind string `protobuf:"bytes,4,opt,name=bind,proto3" json:"bind,omitempty"`
// REQUIRED. One or more hosts exposed by this gateway.
// While typically applicable to
// HTTP services, it can also be used for TCP services using TLS with SNI.
// A host is specified as a `dnsName` with an optional `namespace/` prefix.
- // The `dnsName` should be specified using FQDN format, opionally including
+ // The `dnsName` should be specified using FQDN format, optionally including
// a wildcard character in the left-most component (e.g., `prod/*.example.com`).
// Set the `dnsName` to `*` to select all `VirtualService` hosts from the
// specified namespace (e.g.,`prod/*`). If no `namespace/` is specified,
@@ -542,7 +542,7 @@ type Server_TLSOptions struct {
// credentialName appended with suffix "-cacert" is used to identify
// the CaCertificates associated with this server. Gateway workloads
// capable of fetching credentials from a remote credential store such
- // as kubernetes secrets, will be configured to retrieve the
+ // as Kubernetes secrets, will be configured to retrieve the
// serverCertificate and the privateKey using credentialName, instead
// of using the file system paths specified above. If using mutual TLS,
// gateway workloads will retrieve the CaCertificates using
diff --git a/networking/v1alpha3/gateway.pb.html b/networking/v1alpha3/gateway.pb.html
index b33c8596418..d47131deaf7 100644
--- a/networking/v1alpha3/gateway.pb.html
+++ b/networking/v1alpha3/gateway.pb.html
@@ -56,7 +56,7 @@
- "bookinfo-namespace/*.bookinfo.com"
tls:
mode: SIMPLE # enables HTTPS on this port
- credentialName: bookinfo-secret # fetches certs from kubernetes secret
+ credentialName: bookinfo-secret # fetches certs from Kubernetes secret
- port:
number: 9080
name: http-wildcard
@@ -76,15 +76,15 @@
the forwarding of traffic arriving at a particular host or gateway port.
For example, the following VirtualService splits traffic for
-“https://uk.bookinfo.com/reviews”, “https://eu.bookinfo.com/reviews”,
-“http://uk.bookinfo.com:9080/reviews”,
-“http://eu.bookinfo.com:9080/reviews” into two versions (prod and qa) of
+https://uk.bookinfo.com/reviews, https://eu.bookinfo.com/reviews,
+http://uk.bookinfo.com:9080/reviews,
+http://eu.bookinfo.com:9080/reviews into two versions (prod and qa) of
an internal reviews service on port 9080. In addition, requests
containing the cookie “user: dev-123” will be sent to special port 7777
in the qa version. The same rule is also applicable inside the mesh for
requests to the “reviews.prod.svc.cluster.local” service. This rule is
-applicable across ports 443, 9080. Note that “http://uk.bookinfo.com”
-gets redirected to “https://uk.bookinfo.com” (i.e. 80 redirects to 443).
+applicable across ports 443, 9080. Note that http://uk.bookinfo.com
+gets redirected to https://uk.bookinfo.com (i.e. 80 redirects to 443).
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
@@ -337,7 +337,7 @@ Server
While typically applicable to
HTTP services, it can also be used for TCP services using TLS with SNI.
A host is specified as a dnsName with an optional namespace/ prefix.
-The dnsName should be specified using FQDN format, opionally including
+The dnsName should be specified using FQDN format, optionally including
a wildcard character in the left-most component (e.g., prod/*.example.com).
Set the dnsName to * to select all VirtualService hosts from the
specified namespace (e.g.,prod/*). If no namespace/ is specified,
@@ -450,7 +450,7 @@ Server.TLSOptions
credentialName appended with suffix “-cacert” is used to identify
the CaCertificates associated with this server. Gateway workloads
capable of fetching credentials from a remote credential store such
-as kubernetes secrets, will be configured to retrieve the
+as Kubernetes secrets, will be configured to retrieve the
serverCertificate and the privateKey using credentialName, instead
of using the file system paths specified above. If using mutual TLS,
gateway workloads will retrieve the CaCertificates using
diff --git a/networking/v1alpha3/gateway.proto b/networking/v1alpha3/gateway.proto
index f2eda7789ff..838863d60db 100644
--- a/networking/v1alpha3/gateway.proto
+++ b/networking/v1alpha3/gateway.proto
@@ -69,7 +69,7 @@ syntax = "proto3";
// - "bookinfo-namespace/*.bookinfo.com"
// tls:
// mode: SIMPLE # enables HTTPS on this port
-// credentialName: bookinfo-secret # fetches certs from kubernetes secret
+// credentialName: bookinfo-secret # fetches certs from Kubernetes secret
// - port:
// number: 9080
// name: http-wildcard
@@ -89,15 +89,15 @@ syntax = "proto3";
// the forwarding of traffic arriving at a particular host or gateway port.
//
// For example, the following VirtualService splits traffic for
-// "https://uk.bookinfo.com/reviews", "https://eu.bookinfo.com/reviews",
-// "http://uk.bookinfo.com:9080/reviews",
-// "http://eu.bookinfo.com:9080/reviews" into two versions (prod and qa) of
+// `https://uk.bookinfo.com/reviews`, `https://eu.bookinfo.com/reviews`,
+// `http://uk.bookinfo.com:9080/reviews`,
+// `http://eu.bookinfo.com:9080/reviews` into two versions (prod and qa) of
// an internal reviews service on port 9080. In addition, requests
// containing the cookie "user: dev-123" will be sent to special port 7777
// in the qa version. The same rule is also applicable inside the mesh for
// requests to the "reviews.prod.svc.cluster.local" service. This rule is
-// applicable across ports 443, 9080. Note that "http://uk.bookinfo.com"
-// gets redirected to "https://uk.bookinfo.com" (i.e. 80 redirects to 443).
+// applicable across ports 443, 9080. Note that `http://uk.bookinfo.com`
+// gets redirected to `https://uk.bookinfo.com` (i.e. 80 redirects to 443).
//
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
@@ -274,7 +274,7 @@ message Server {
// $hide_from_docs
// The ip or the Unix domain socket to which the listener should be bound
// to. Format: `x.x.x.x` or `unix:///path/to/uds` or `unix://@foobar`
- // (Linux abstract namespace). When using unix domain sockets, the port
+ // (Linux abstract namespace). When using Unix domain sockets, the port
// number should be 0.
string bind = 4;
@@ -282,7 +282,7 @@ message Server {
// While typically applicable to
// HTTP services, it can also be used for TCP services using TLS with SNI.
// A host is specified as a `dnsName` with an optional `namespace/` prefix.
- // The `dnsName` should be specified using FQDN format, opionally including
+ // The `dnsName` should be specified using FQDN format, optionally including
// a wildcard character in the left-most component (e.g., `prod/*.example.com`).
// Set the `dnsName` to `*` to select all `VirtualService` hosts from the
// specified namespace (e.g.,`prod/*`). If no `namespace/` is specified,
@@ -359,7 +359,7 @@ message Server {
// credentialName appended with suffix "-cacert" is used to identify
// the CaCertificates associated with this server. Gateway workloads
// capable of fetching credentials from a remote credential store such
- // as kubernetes secrets, will be configured to retrieve the
+ // as Kubernetes secrets, will be configured to retrieve the
// serverCertificate and the privateKey using credentialName, instead
// of using the file system paths specified above. If using mutual TLS,
// gateway workloads will retrieve the CaCertificates using
diff --git a/networking/v1alpha3/service_entry.pb.go b/networking/v1alpha3/service_entry.pb.go
index 89e85e94ca3..f098aec468d 100644
--- a/networking/v1alpha3/service_entry.pb.go
+++ b/networking/v1alpha3/service_entry.pb.go
@@ -167,8 +167,8 @@
// - "*"
// ```
//
-// And the associated VirtualService to route from the sidecar to the
-// gateway service (istio-egressgateway.istio-system.svc.cluster.local), as
+// And the associated `VirtualService` to route from the sidecar to the
+// gateway service (`istio-egressgateway.istio-system.svc.cluster.local`), as
// well as route from the gateway to the external service. Note that the
// virtual service is exported to all namespaces enabling them to route traffic
// through the gateway to the external service. Forcing traffic to go through
@@ -228,7 +228,7 @@
//
// The following example demonstrates a service that is available via a
// Unix Domain Socket on the host of the client. The resolution must be
-// set to STATIC to use unix address endpoints.
+// set to STATIC to use Unix address endpoints.
//
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
@@ -248,10 +248,10 @@
// - address: unix:///var/run/example/socket
// ```
//
-// For HTTP-based services, it is possible to create a VirtualService
+// For HTTP-based services, it is possible to create a `VirtualService`
// backed by multiple DNS addressable endpoints. In such a scenario, the
-// application can use the HTTP_PROXY environment variable to transparently
-// reroute API calls for the VirtualService to a chosen backend. For
+// application can use the `HTTP_PROXY` environment variable to transparently
+// reroute API calls for the `VirtualService` to a chosen backend. For
// example, the following configuration creates a non-existent external
// service called foo.bar.com backed by three domains: us.foo.bar.com:8080,
// uk.foo.bar.com:9080, and in.foo.bar.com:7080
@@ -287,10 +287,9 @@
// specified above. In other words, a call to `http://foo.bar.com/baz` would
// be translated to `http://uk.foo.bar.com/baz`.
//
-// The following example illustrates the usage of a ServiceEntry
+// The following example illustrates the usage of a `ServiceEntry`
// containing a subject alternate name
-// whose format conforms to the SPIFEE standard
-// :
+// whose format conforms to the [SPIFEE standard](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md):
//
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
@@ -399,7 +398,7 @@ const (
// will resolve the DNS address specified in the hosts field, if
// wildcards are not used. If endpoints are specified, the DNS
// addresses specified in the endpoints will be resolved to determine
- // the destination IP address. DNS resolution cannot be used with unix
+ // the destination IP address. DNS resolution cannot be used with Unix
// domain socket endpoints.
ServiceEntry_DNS ServiceEntry_Resolution = 2
)
@@ -426,17 +425,19 @@ func (ServiceEntry_Resolution) EnumDescriptor() ([]byte, []int) {
type ServiceEntry struct {
// REQUIRED. The hosts associated with the ServiceEntry. Could be a DNS
- // name with wildcard prefix (external services only). DNS names in hosts
- // will be ignored if the application accesses the service over non-HTTP
- // protocols such as mongo/opaque TCP/HTTPS. In such scenarios, the
- // IP addresses specified in the Addresses field or the port will be used
- // to uniquely identify the destination.
+ // name with wildcard prefix (external services only). For HTTP traffic
+ // the HTTP Host/Authority header will be matched against the hosts field.
+ // For HTTPs or TLS traffic containing Server Name Indication (SNI), the SNI value
+ // will be matched against the hosts field. For all other protocols
+ // the hosts will be ignored, and the port and addresses fields
+ // will be used if present. Note that when resolution is set to type DNS
+ // and no endpoints are specified, the host field will be used as the DNS name
+ // of the endpoint to route traffic to.
Hosts []string `protobuf:"bytes,1,rep,name=hosts,proto3" json:"hosts,omitempty"`
// The virtual IP addresses associated with the service. Could be CIDR
- // prefix. For HTTP services, the addresses field will be ignored and
+ // prefix. For HTTP traffic the addresses field will be ignored and
// the destination will be identified based on the HTTP Host/Authority
- // header. For non-HTTP protocols such as mongo/opaque TCP/HTTPS,
- // the hosts will be ignored. If one or more IP addresses are specified,
+ // header. If one or more IP addresses are specified,
// the incoming traffic will be identified as belonging to this service
// if the destination IP matches the IP/CIDRs specified in the addresses
// field. If the Addresses field is empty, traffic will be identified
@@ -591,7 +592,7 @@ type ServiceEntry_Endpoint struct {
Address string `protobuf:"bytes,1,opt,name=address,proto3" json:"address,omitempty"`
// Set of ports associated with the endpoint. The ports must be
// associated with a port name that was declared as part of the
- // service. Do not use for unix:// addresses.
+ // service. Do not use for `unix://` addresses.
Ports map[string]uint32 `protobuf:"bytes,2,rep,name=ports,proto3" json:"ports,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"varint,2,opt,name=value,proto3"`
// One or more labels associated with the endpoint.
Labels map[string]string `protobuf:"bytes,3,rep,name=labels,proto3" json:"labels,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"`
diff --git a/networking/v1alpha3/service_entry.pb.html b/networking/v1alpha3/service_entry.pb.html
index f63172e9037..7b657fbfb50 100644
--- a/networking/v1alpha3/service_entry.pb.html
+++ b/networking/v1alpha3/service_entry.pb.html
@@ -165,8 +165,8 @@
- "*"
-And the associated VirtualService to route from the sidecar to the
-gateway service (istio-egressgateway.istio-system.svc.cluster.local), as
+
And the associated VirtualService to route from the sidecar to the
+gateway service (istio-egressgateway.istio-system.svc.cluster.local), as
well as route from the gateway to the external service. Note that the
virtual service is exported to all namespaces enabling them to route traffic
through the gateway to the external service. Forcing traffic to go through
@@ -224,7 +224,7 @@
The following example demonstrates a service that is available via a
Unix Domain Socket on the host of the client. The resolution must be
-set to STATIC to use unix address endpoints.
+set to STATIC to use Unix address endpoints.
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
@@ -243,10 +243,10 @@
- address: unix:///var/run/example/socket
-For HTTP-based services, it is possible to create a VirtualService
+
For HTTP-based services, it is possible to create a VirtualService
backed by multiple DNS addressable endpoints. In such a scenario, the
-application can use the HTTP_PROXY environment variable to transparently
-reroute API calls for the VirtualService to a chosen backend. For
+application can use the HTTP_PROXY environment variable to transparently
+reroute API calls for the VirtualService to a chosen backend. For
example, the following configuration creates a non-existent external
service called foo.bar.com backed by three domains: us.foo.bar.com:8080,
uk.foo.bar.com:9080, and in.foo.bar.com:7080
@@ -281,10 +281,9 @@
specified above. In other words, a call to http://foo.bar.com/baz would
be translated to http://uk.foo.bar.com/baz.
-The following example illustrates the usage of a ServiceEntry
+
The following example illustrates the usage of a ServiceEntry
containing a subject alternate name
-whose format conforms to the SPIFEE standard
-https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md:
+whose format conforms to the SPIFEE standard:
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
@@ -323,11 +322,14 @@ ServiceEntry
string[]
REQUIRED. The hosts associated with the ServiceEntry. Could be a DNS
-name with wildcard prefix (external services only). DNS names in hosts
-will be ignored if the application accesses the service over non-HTTP
-protocols such as mongo/opaque TCP/HTTPS. In such scenarios, the
-IP addresses specified in the Addresses field or the port will be used
-to uniquely identify the destination.
+name with wildcard prefix (external services only). For HTTP traffic
+the HTTP Host/Authority header will be matched against the hosts field.
+For HTTPs or TLS traffic containing Server Name Indication (SNI), the SNI value
+will be matched against the hosts field. For all other protocols
+the hosts will be ignored, and the port and addresses fields
+will be used if present. Note that when resolution is set to type DNS
+and no endpoints are specified, the host field will be used as the DNS name
+of the endpoint to route traffic to.
@@ -336,10 +338,9 @@ ServiceEntry
string[]
The virtual IP addresses associated with the service. Could be CIDR
-prefix. For HTTP services, the addresses field will be ignored and
+prefix. For HTTP traffic the addresses field will be ignored and
the destination will be identified based on the HTTP Host/Authority
-header. For non-HTTP protocols such as mongo/opaque TCP/HTTPS,
-the hosts will be ignored. If one or more IP addresses are specified,
+header. If one or more IP addresses are specified,
the incoming traffic will be identified as belonging to this service
if the destination IP matches the IP/CIDRs specified in the addresses
field. If the Addresses field is empty, traffic will be identified
@@ -462,7 +463,7 @@
ServiceEntry.Endpoint
Set of ports associated with the endpoint. The ports must be
associated with a port name that was declared as part of the
-service. Do not use for unix:// addresses.
+service. Do not use for unix:// addresses.
@@ -611,7 +612,7 @@ ServiceEntry.Resolution
will resolve the DNS address specified in the hosts field, if
wildcards are not used. If endpoints are specified, the DNS
addresses specified in the endpoints will be resolved to determine
-the destination IP address. DNS resolution cannot be used with unix
+the destination IP address. DNS resolution cannot be used with Unix
domain socket endpoints.
diff --git a/networking/v1alpha3/service_entry.proto b/networking/v1alpha3/service_entry.proto
index 3c83b89fcd6..5a301b146af 100644
--- a/networking/v1alpha3/service_entry.proto
+++ b/networking/v1alpha3/service_entry.proto
@@ -186,8 +186,8 @@ import "networking/v1alpha3/gateway.proto";
// - "*"
// ```
//
-// And the associated VirtualService to route from the sidecar to the
-// gateway service (istio-egressgateway.istio-system.svc.cluster.local), as
+// And the associated `VirtualService` to route from the sidecar to the
+// gateway service (`istio-egressgateway.istio-system.svc.cluster.local`), as
// well as route from the gateway to the external service. Note that the
// virtual service is exported to all namespaces enabling them to route traffic
// through the gateway to the external service. Forcing traffic to go through
@@ -247,7 +247,7 @@ import "networking/v1alpha3/gateway.proto";
//
// The following example demonstrates a service that is available via a
// Unix Domain Socket on the host of the client. The resolution must be
-// set to STATIC to use unix address endpoints.
+// set to STATIC to use Unix address endpoints.
//
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
@@ -267,10 +267,10 @@ import "networking/v1alpha3/gateway.proto";
// - address: unix:///var/run/example/socket
// ```
//
-// For HTTP-based services, it is possible to create a VirtualService
+// For HTTP-based services, it is possible to create a `VirtualService`
// backed by multiple DNS addressable endpoints. In such a scenario, the
-// application can use the HTTP_PROXY environment variable to transparently
-// reroute API calls for the VirtualService to a chosen backend. For
+// application can use the `HTTP_PROXY` environment variable to transparently
+// reroute API calls for the `VirtualService` to a chosen backend. For
// example, the following configuration creates a non-existent external
// service called foo.bar.com backed by three domains: us.foo.bar.com:8080,
// uk.foo.bar.com:9080, and in.foo.bar.com:7080
@@ -306,10 +306,9 @@ import "networking/v1alpha3/gateway.proto";
// specified above. In other words, a call to `http://foo.bar.com/baz` would
// be translated to `http://uk.foo.bar.com/baz`.
//
-// The following example illustrates the usage of a ServiceEntry
+// The following example illustrates the usage of a `ServiceEntry`
// containing a subject alternate name
-// whose format conforms to the SPIFEE standard
-// :
+// whose format conforms to the [SPIFEE standard](https://github.com/spiffe/spiffe/blob/master/standards/SPIFFE-ID.md):
//
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
@@ -339,18 +338,20 @@ option go_package = "istio.io/api/networking/v1alpha3";
message ServiceEntry {
// REQUIRED. The hosts associated with the ServiceEntry. Could be a DNS
- // name with wildcard prefix (external services only). DNS names in hosts
- // will be ignored if the application accesses the service over non-HTTP
- // protocols such as mongo/opaque TCP/HTTPS. In such scenarios, the
- // IP addresses specified in the Addresses field or the port will be used
- // to uniquely identify the destination.
+ // name with wildcard prefix (external services only). For HTTP traffic
+ // the HTTP Host/Authority header will be matched against the hosts field.
+ // For HTTPs or TLS traffic containing Server Name Indication (SNI), the SNI value
+ // will be matched against the hosts field. For all other protocols
+ // the hosts will be ignored, and the port and addresses fields
+ // will be used if present. Note that when resolution is set to type DNS
+ // and no endpoints are specified, the host field will be used as the DNS name
+ // of the endpoint to route traffic to.
repeated string hosts = 1;
// The virtual IP addresses associated with the service. Could be CIDR
- // prefix. For HTTP services, the addresses field will be ignored and
+ // prefix. For HTTP traffic the addresses field will be ignored and
// the destination will be identified based on the HTTP Host/Authority
- // header. For non-HTTP protocols such as mongo/opaque TCP/HTTPS,
- // the hosts will be ignored. If one or more IP addresses are specified,
+ // header. If one or more IP addresses are specified,
// the incoming traffic will be identified as belonging to this service
// if the destination IP matches the IP/CIDRs specified in the addresses
// field. If the Addresses field is empty, traffic will be identified
@@ -416,7 +417,7 @@ message ServiceEntry {
// will resolve the DNS address specified in the hosts field, if
// wildcards are not used. If endpoints are specified, the DNS
// addresses specified in the endpoints will be resolved to determine
- // the destination IP address. DNS resolution cannot be used with unix
+ // the destination IP address. DNS resolution cannot be used with Unix
// domain socket endpoints.
DNS = 2;
};
@@ -438,7 +439,7 @@ message ServiceEntry {
// Set of ports associated with the endpoint. The ports must be
// associated with a port name that was declared as part of the
- // service. Do not use for unix:// addresses.
+ // service. Do not use for `unix://` addresses.
map ports = 2;
// One or more labels associated with the endpoint.
diff --git a/networking/v1alpha3/sidecar.pb.go b/networking/v1alpha3/sidecar.pb.go
index fcdcafc8974..e632e477031 100644
--- a/networking/v1alpha3/sidecar.pb.go
+++ b/networking/v1alpha3/sidecar.pb.go
@@ -68,14 +68,14 @@
// name: somename
// defaultEndpoint: unix:///var/run/someuds.sock
// egress:
+// - hosts:
+// - "istio-system/*"
// - port:
// number: 9080
// protocol: HTTP
// name: egresshttp
// hosts:
// - "prod-us1/*"
-// - hosts:
-// - "istio-system/*"
// ```
//
// If the workload is deployed without IP tables based traffic capture, the
@@ -239,8 +239,7 @@ func (CaptureMode) EnumDescriptor() ([]byte, []int) {
type Sidecar struct {
// Criteria used to select the specific set of pods/VMs on which this
// sidecar configuration should be applied. If omitted, the sidecar
- // configuration will be applied to all workloads in the same config
- // namespace.
+ // configuration will be applied to all workloads in the same namespace.
WorkloadSelector *WorkloadSelector `protobuf:"bytes,1,opt,name=workload_selector,json=workloadSelector,proto3" json:"workload_selector,omitempty"`
// Ingress specifies the configuration of the sidecar for processing
// inbound traffic to the attached workload. If omitted, Istio will
@@ -334,7 +333,7 @@ type IstioIngressListener struct {
// traffic should be forwarded to. This configuration can be used to
// redirect traffic arriving at the bind point on the sidecar to a port
// or Unix domain socket where the application workload is listening for
- // connections. Format should be 127.0.0.1:PORT or unix:///path/to/socket
+ // connections. Format should be 127.0.0.1:PORT or `unix:///path/to/socket`
DefaultEndpoint string `protobuf:"bytes,4,opt,name=default_endpoint,json=defaultEndpoint,proto3" json:"default_endpoint,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"`
@@ -435,7 +434,7 @@ type IstioEgressListener struct {
// using a `ServiceEntry` or `VirtualService` configuration. Any
// associated `DestinationRule` in the same namespace will also be used.
//
- // The `dnsName` should be specified using FQDN format, opionally including
+ // The `dnsName` should be specified using FQDN format, optionally including
// a wildcard character in the left-most component (e.g., `prod/*.example.com`).
// Set the `dnsName` to `*` to select all services from the specified namespace
// (e.g.,`prod/*`). The `namespace` can also be set to `*` to select a particular
diff --git a/networking/v1alpha3/sidecar.pb.html b/networking/v1alpha3/sidecar.pb.html
index 950cce06260..240e6e3662c 100644
--- a/networking/v1alpha3/sidecar.pb.html
+++ b/networking/v1alpha3/sidecar.pb.html
@@ -71,14 +71,14 @@
name: somename
defaultEndpoint: unix:///var/run/someuds.sock
egress:
+ - hosts:
+ - "istio-system/*"
- port:
number: 9080
protocol: HTTP
name: egresshttp
hosts:
- "prod-us1/*"
- - hosts:
- - "istio-system/*"
If the workload is deployed without IP tables based traffic capture, the
@@ -285,7 +285,7 @@
IstioEgressListener
using a ServiceEntry or VirtualService configuration. Any
associated DestinationRule in the same namespace will also be used.
-The dnsName should be specified using FQDN format, opionally including
+
The dnsName should be specified using FQDN format, optionally including
a wildcard character in the left-most component (e.g., prod/*.example.com).
Set the dnsName to * to select all services from the specified namespace
(e.g.,prod/*). The namespace can also be set to * to select a particular
@@ -356,7 +356,7 @@
IstioIngressListener
traffic should be forwarded to. This configuration can be used to
redirect traffic arriving at the bind point on the sidecar to a port
or Unix domain socket where the application workload is listening for
-connections. Format should be 127.0.0.1:PORT or unix:///path/to/socket
+connections. Format should be 127.0.0.1:PORT or unix:///path/to/socket
@@ -380,8 +380,7 @@ Sidecar
Criteria used to select the specific set of pods/VMs on which this
sidecar configuration should be applied. If omitted, the sidecar
-configuration will be applied to all workloads in the same config
-namespace.
+configuration will be applied to all workloads in the same namespace.
diff --git a/networking/v1alpha3/sidecar.proto b/networking/v1alpha3/sidecar.proto
index 3b099c0b2fa..06907065435 100644
--- a/networking/v1alpha3/sidecar.proto
+++ b/networking/v1alpha3/sidecar.proto
@@ -87,14 +87,14 @@ import "networking/v1alpha3/gateway.proto";
// name: somename
// defaultEndpoint: unix:///var/run/someuds.sock
// egress:
+// - hosts:
+// - "istio-system/*"
// - port:
// number: 9080
// protocol: HTTP
// name: egresshttp
// hosts:
// - "prod-us1/*"
-// - hosts:
-// - "istio-system/*"
// ```
//
// If the workload is deployed without IP tables based traffic capture, the
@@ -204,8 +204,7 @@ option go_package = "istio.io/api/networking/v1alpha3";
message Sidecar {
// Criteria used to select the specific set of pods/VMs on which this
// sidecar configuration should be applied. If omitted, the sidecar
- // configuration will be applied to all workloads in the same config
- // namespace.
+ // configuration will be applied to all workloads in the same namespace.
WorkloadSelector workload_selector = 1;
// Ingress specifies the configuration of the sidecar for processing
@@ -247,7 +246,7 @@ message IstioIngressListener {
// traffic should be forwarded to. This configuration can be used to
// redirect traffic arriving at the bind point on the sidecar to a port
// or Unix domain socket where the application workload is listening for
- // connections. Format should be 127.0.0.1:PORT or unix:///path/to/socket
+ // connections. Format should be 127.0.0.1:PORT or `unix:///path/to/socket`
string default_endpoint = 4;
}
@@ -287,7 +286,7 @@ message IstioEgressListener {
// using a `ServiceEntry` or `VirtualService` configuration. Any
// associated `DestinationRule` in the same namespace will also be used.
//
- // The `dnsName` should be specified using FQDN format, opionally including
+ // The `dnsName` should be specified using FQDN format, optionally including
// a wildcard character in the left-most component (e.g., `prod/*.example.com`).
// Set the `dnsName` to `*` to select all services from the specified namespace
// (e.g.,`prod/*`). The `namespace` can also be set to `*` to select a particular
diff --git a/networking/v1alpha3/virtual_service.pb.go b/networking/v1alpha3/virtual_service.pb.go
index 70b9761954b..e39c6392512 100644
--- a/networking/v1alpha3/virtual_service.pb.go
+++ b/networking/v1alpha3/virtual_service.pb.go
@@ -1641,9 +1641,9 @@ func (m *TLSMatchAttributes) GetGateways() []string {
// - match:
// - uri:
// exact: /v1/getProductRatings
-// redirect:
-// uri: /v1/bookRatings
-// authority: newratings.default.svc.cluster.local
+// redirect:
+// uri: /v1/bookRatings
+// authority: newratings.default.svc.cluster.local
// ...
// ```
type HTTPRedirect struct {
@@ -1998,9 +1998,8 @@ type HTTPRetry struct {
PerTryTimeout *types.Duration `protobuf:"bytes,2,opt,name=per_try_timeout,json=perTryTimeout,proto3" json:"per_try_timeout,omitempty"`
// Specifies the conditions under which retry takes place.
// One or more policies can be specified using a ‘,’ delimited list.
- // The supported policies can be found in
- //
- // and
+ // See the [supported policies](https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-on)
+ // and [here](https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-grpc-on) for more details.
RetryOn string `protobuf:"bytes,3,opt,name=retry_on,json=retryOn,proto3" json:"retry_on,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"`
@@ -2062,8 +2061,7 @@ func (m *HTTPRetry) GetRetryOn() string {
}
// Describes the Cross-Origin Resource Sharing (CORS) policy, for a given
-// service. Refer to
-//
+// service. Refer to [CORS](https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS)
// for further details about cross origin resource sharing. For example,
// the following rule restricts cross origin requests to those originating
// from example.com domain using HTTP POST/GET, and sets the
diff --git a/networking/v1alpha3/virtual_service.pb.html b/networking/v1alpha3/virtual_service.pb.html
index c11babb33d4..aa61515fe10 100644
--- a/networking/v1alpha3/virtual_service.pb.html
+++ b/networking/v1alpha3/virtual_service.pb.html
@@ -95,8 +95,7 @@
CorsPolicy
Describes the Cross-Origin Resource Sharing (CORS) policy, for a given
-service. Refer to
-https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
+service. Refer to CORS
for further details about cross origin resource sharing. For example,
the following rule restricts cross origin requests to those originating
from example.com domain using HTTP POST/GET, and sets the
@@ -735,9 +734,9 @@
HTTPRedirect
- match:
- uri:
exact: /v1/getProductRatings
- redirect:
- uri: /v1/bookRatings
- authority: newratings.default.svc.cluster.local
+ redirect:
+ uri: /v1/bookRatings
+ authority: newratings.default.svc.cluster.local
...
Specifies the conditions under which retry takes place. One or more policies can be specified using a ‘,’ delimited list. -The supported policies can be found in -https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-on -and https://www.envoyproxy.io/docs/envoy/latest/configuration/http_filters/router_filter#x-envoy-retry-grpc-on
+See the supported policies +and here for more details.stringRequired. Name of the component producing these attributes. This can be
-the proxy (with the canonical name “istio-proxy”) or the name of an
+the proxy (with the canonical name istio-proxy) or the name of an
attributes kind adapter in Mixer.
[\.-].
Attribute names must be unique within a single Istio deployment. The set of canonical -attributes are described at https://istio.io/docs/reference/attribute-vocabulary.html. +attributes are described at here. Attributes not in that list should be named with a component-specific suffix such as -request.count-my.component.
+request.count-my.component.
@@ -1012,8 +1012,9 @@ serverNamestringIndicates the name of adapter backend server which is useful for routing with -proxy-fronted backend.
+Used to configure mixer mutual TLS client to supply server name for SNI. +It is not used to verify the hostname of the peer certificate, since +Istio verifies whitelisted SAN fields in mutual TLS.
A Rule is a selector and a set of intentions to be executed when the
selector is true
The following example instructs Mixer to invoke ‘prometheus-handler’ handler for all services and pass it the +
The following example instructs Mixer to invoke prometheus-handler handler for all services and pass it the
instance constructed using the ‘RequestCountByService’ instance.
- match: match(destination.service.host, "*")
@@ -1328,8 +1329,8 @@ Tls
serverNamestring
-Indicates the name of adapter backend which is useful for routing with
-proxy-fronted backend.
+Used to configure mixer TLS client to verify the hostname on the returned
+certificates. It is also included in the client’s handshake to support SNI.
diff --git a/python/istio_api/mixer/v1/attributes_pb2.py b/python/istio_api/mixer/v1/attributes_pb2.py
index 9d37998e421..5f94c4c8832 100644
--- a/python/istio_api/mixer/v1/attributes_pb2.py
+++ b/python/istio_api/mixer/v1/attributes_pb2.py
@@ -22,7 +22,7 @@
name='mixer/v1/attributes.proto',
package='istio.mixer.v1',
syntax='proto3',
- serialized_pb=_b('\n\x19mixer/v1/attributes.proto\x12\x0eistio.mixer.v1\x1a\x14gogoproto/gogo.proto\x1a\x1egoogle/protobuf/duration.proto\x1a\x1fgoogle/protobuf/timestamp.proto\"\xe9\x04\n\nAttributes\x12>\n\nattributes\x18\x01 \x03(\x0b\x32*.istio.mixer.v1.Attributes.AttributesEntry\x1a\\\n\x0f\x41ttributesEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\x38\n\x05value\x18\x02 \x01(\x0b\x32).istio.mixer.v1.Attributes.AttributeValue:\x02\x38\x01\x1a\xbb\x02\n\x0e\x41ttributeValue\x12\x16\n\x0cstring_value\x18\x02 \x01(\tH\x00\x12\x15\n\x0bint64_value\x18\x03 \x01(\x03H\x00\x12\x16\n\x0c\x64ouble_value\x18\x04 \x01(\x01H\x00\x12\x14\n\nbool_value\x18\x05 \x01(\x08H\x00\x12\x15\n\x0b\x62ytes_value\x18\x06 \x01(\x0cH\x00\x12\x35\n\x0ftimestamp_value\x18\x07 \x01(\x0b\x32\x1a.google.protobuf.TimestampH\x00\x12\x33\n\x0e\x64uration_value\x18\x08 \x01(\x0b\x32\x19.google.protobuf.DurationH\x00\x12@\n\x10string_map_value\x18\t \x01(\x0b\x32$.istio.mixer.v1.Attributes.StringMapH\x00\x42\x07\n\x05value\x1a\x7f\n\tStringMap\x12\x42\n\x07\x65ntries\x18\x01 \x03(\x0b\x32\x31.istio.mixer.v1.Attributes.StringMap.EntriesEntry\x1a.\n\x0c\x45ntriesEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\xbb\x08\n\x14\x43ompressedAttributes\x12\r\n\x05words\x18\x01 \x03(\t\x12\x42\n\x07strings\x18\x02 \x03(\x0b\x32\x31.istio.mixer.v1.CompressedAttributes.StringsEntry\x12@\n\x06int64s\x18\x03 \x03(\x0b\x32\x30.istio.mixer.v1.CompressedAttributes.Int64sEntry\x12\x42\n\x07\x64oubles\x18\x04 \x03(\x0b\x32\x31.istio.mixer.v1.CompressedAttributes.DoublesEntry\x12>\n\x05\x62ools\x18\x05 \x03(\x0b\x32/.istio.mixer.v1.CompressedAttributes.BoolsEntry\x12R\n\ntimestamps\x18\x06 \x03(\x0b\x32\x34.istio.mixer.v1.CompressedAttributes.TimestampsEntryB\x08\xc8\xde\x1f\x00\x90\xdf\x1f\x01\x12P\n\tdurations\x18\x07 \x03(\x0b\x32\x33.istio.mixer.v1.CompressedAttributes.DurationsEntryB\x08\xc8\xde\x1f\x00\x98\xdf\x1f\x01\x12>\n\x05\x62ytes\x18\x08 \x03(\x0b\x32/.istio.mixer.v1.CompressedAttributes.BytesEntry\x12O\n\x0bstring_maps\x18\t \x03(\x0b\x32\x34.istio.mixer.v1.CompressedAttributes.StringMapsEntryB\x04\xc8\xde\x1f\x00\x1a.\n\x0cStringsEntry\x12\x0b\n\x03key\x18\x01 \x01(\x11\x12\r\n\x05value\x18\x02 \x01(\x11:\x02\x38\x01\x1a-\n\x0bInt64sEntry\x12\x0b\n\x03key\x18\x01 \x01(\x11\x12\r\n\x05value\x18\x02 \x01(\x03:\x02\x38\x01\x1a.\n\x0c\x44oublesEntry\x12\x0b\n\x03key\x18\x01 \x01(\x11\x12\r\n\x05value\x18\x02 \x01(\x01:\x02\x38\x01\x1a,\n\nBoolsEntry\x12\x0b\n\x03key\x18\x01 \x01(\x11\x12\r\n\x05value\x18\x02 \x01(\x08:\x02\x38\x01\x1aM\n\x0fTimestampsEntry\x12\x0b\n\x03key\x18\x01 \x01(\x11\x12)\n\x05value\x18\x02 \x01(\x0b\x32\x1a.google.protobuf.Timestamp:\x02\x38\x01\x1aK\n\x0e\x44urationsEntry\x12\x0b\n\x03key\x18\x01 \x01(\x11\x12(\n\x05value\x18\x02 \x01(\x0b\x32\x19.google.protobuf.Duration:\x02\x38\x01\x1a,\n\nBytesEntry\x12\x0b\n\x03key\x18\x01 \x01(\x11\x12\r\n\x05value\x18\x02 \x01(\x0c:\x02\x38\x01\x1aL\n\x0fStringMapsEntry\x12\x0b\n\x03key\x18\x01 \x01(\x11\x12(\n\x05value\x18\x02 \x01(\x0b\x32\x19.istio.mixer.v1.StringMap:\x02\x38\x01\"t\n\tStringMap\x12\x37\n\x07\x65ntries\x18\x01 \x03(\x0b\x32&.istio.mixer.v1.StringMap.EntriesEntry\x1a.\n\x0c\x45ntriesEntry\x12\x0b\n\x03key\x18\x01 \x01(\x11\x12\r\n\x05value\x18\x02 \x01(\x11:\x02\x38\x01\x42&Z\x15istio.io/api/mixer/v1\xf8\x01\x01\xc8\xe1\x1e\x00\xa8\xe2\x1e\x00\xf0\xe1\x1e\x00\x62\x06proto3')
+ serialized_pb=_b('\n\x19mixer/v1/attributes.proto\x12\x0eistio.mixer.v1\x1a\x14gogoproto/gogo.proto\x1a\x1egoogle/protobuf/duration.proto\x1a\x1fgoogle/protobuf/timestamp.proto\"\xe9\x04\n\nAttributes\x12>\n\nattributes\x18\x01 \x03(\x0b\x32*.istio.mixer.v1.Attributes.AttributesEntry\x1a\\\n\x0f\x41ttributesEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\x38\n\x05value\x18\x02 \x01(\x0b\x32).istio.mixer.v1.Attributes.AttributeValue:\x02\x38\x01\x1a\xbb\x02\n\x0e\x41ttributeValue\x12\x16\n\x0cstring_value\x18\x02 \x01(\tH\x00\x12\x15\n\x0bint64_value\x18\x03 \x01(\x03H\x00\x12\x16\n\x0c\x64ouble_value\x18\x04 \x01(\x01H\x00\x12\x14\n\nbool_value\x18\x05 \x01(\x08H\x00\x12\x15\n\x0b\x62ytes_value\x18\x06 \x01(\x0cH\x00\x12\x35\n\x0ftimestamp_value\x18\x07 \x01(\x0b\x32\x1a.google.protobuf.TimestampH\x00\x12\x33\n\x0e\x64uration_value\x18\x08 \x01(\x0b\x32\x19.google.protobuf.DurationH\x00\x12@\n\x10string_map_value\x18\t \x01(\x0b\x32$.istio.mixer.v1.Attributes.StringMapH\x00\x42\x07\n\x05value\x1a\x7f\n\tStringMap\x12\x42\n\x07\x65ntries\x18\x01 \x03(\x0b\x32\x31.istio.mixer.v1.Attributes.StringMap.EntriesEntry\x1a.\n\x0c\x45ntriesEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\xbb\x08\n\x14\x43ompressedAttributes\x12\r\n\x05words\x18\x01 \x03(\t\x12\x42\n\x07strings\x18\x02 \x03(\x0b\x32\x31.istio.mixer.v1.CompressedAttributes.StringsEntry\x12@\n\x06int64s\x18\x03 \x03(\x0b\x32\x30.istio.mixer.v1.CompressedAttributes.Int64sEntry\x12\x42\n\x07\x64oubles\x18\x04 \x03(\x0b\x32\x31.istio.mixer.v1.CompressedAttributes.DoublesEntry\x12>\n\x05\x62ools\x18\x05 \x03(\x0b\x32/.istio.mixer.v1.CompressedAttributes.BoolsEntry\x12R\n\ntimestamps\x18\x06 \x03(\x0b\x32\x34.istio.mixer.v1.CompressedAttributes.TimestampsEntryB\x08\xc8\xde\x1f\x00\x90\xdf\x1f\x01\x12P\n\tdurations\x18\x07 \x03(\x0b\x32\x33.istio.mixer.v1.CompressedAttributes.DurationsEntryB\x08\xc8\xde\x1f\x00\x98\xdf\x1f\x01\x12>\n\x05\x62ytes\x18\x08 \x03(\x0b\x32/.istio.mixer.v1.CompressedAttributes.BytesEntry\x12O\n\x0bstring_maps\x18\t \x03(\x0b\x32\x34.istio.mixer.v1.CompressedAttributes.StringMapsEntryB\x04\xc8\xde\x1f\x00\x1a.\n\x0cStringsEntry\x12\x0b\n\x03key\x18\x01 \x01(\x11\x12\r\n\x05value\x18\x02 \x01(\x11:\x02\x38\x01\x1a-\n\x0bInt64sEntry\x12\x0b\n\x03key\x18\x01 \x01(\x11\x12\r\n\x05value\x18\x02 \x01(\x03:\x02\x38\x01\x1a.\n\x0c\x44oublesEntry\x12\x0b\n\x03key\x18\x01 \x01(\x11\x12\r\n\x05value\x18\x02 \x01(\x01:\x02\x38\x01\x1a,\n\nBoolsEntry\x12\x0b\n\x03key\x18\x01 \x01(\x11\x12\r\n\x05value\x18\x02 \x01(\x08:\x02\x38\x01\x1aM\n\x0fTimestampsEntry\x12\x0b\n\x03key\x18\x01 \x01(\x11\x12)\n\x05value\x18\x02 \x01(\x0b\x32\x1a.google.protobuf.Timestamp:\x02\x38\x01\x1aK\n\x0e\x44urationsEntry\x12\x0b\n\x03key\x18\x01 \x01(\x11\x12(\n\x05value\x18\x02 \x01(\x0b\x32\x19.google.protobuf.Duration:\x02\x38\x01\x1a,\n\nBytesEntry\x12\x0b\n\x03key\x18\x01 \x01(\x11\x12\r\n\x05value\x18\x02 \x01(\x0c:\x02\x38\x01\x1aL\n\x0fStringMapsEntry\x12\x0b\n\x03key\x18\x01 \x01(\x11\x12(\n\x05value\x18\x02 \x01(\x0b\x32\x19.istio.mixer.v1.StringMap:\x02\x38\x01\"t\n\tStringMap\x12\x37\n\x07\x65ntries\x18\x01 \x03(\x0b\x32&.istio.mixer.v1.StringMap.EntriesEntry\x1a.\n\x0c\x45ntriesEntry\x12\x0b\n\x03key\x18\x01 \x01(\x11\x12\r\n\x05value\x18\x02 \x01(\x11:\x02\x38\x01\x42*Z\x15istio.io/api/mixer/v1\xf8\x01\x01\xc8\xe1\x1e\x00\xa8\xe2\x1e\x00\xf0\xe1\x1e\x00\xd8\xe2\x1e\x01\x62\x06proto3')
,
dependencies=[gogoproto_dot_gogo__pb2.DESCRIPTOR,google_dot_protobuf_dot_duration__pb2.DESCRIPTOR,google_dot_protobuf_dot_timestamp__pb2.DESCRIPTOR,])
@@ -883,7 +883,7 @@
DESCRIPTOR.has_options = True
-DESCRIPTOR._options = _descriptor._ParseOptions(descriptor_pb2.FileOptions(), _b('Z\025istio.io/api/mixer/v1\370\001\001\310\341\036\000\250\342\036\000\360\341\036\000'))
+DESCRIPTOR._options = _descriptor._ParseOptions(descriptor_pb2.FileOptions(), _b('Z\025istio.io/api/mixer/v1\370\001\001\310\341\036\000\250\342\036\000\360\341\036\000\330\342\036\001'))
_ATTRIBUTES_ATTRIBUTESENTRY.has_options = True
_ATTRIBUTES_ATTRIBUTESENTRY._options = _descriptor._ParseOptions(descriptor_pb2.MessageOptions(), _b('8\001'))
_ATTRIBUTES_STRINGMAP_ENTRIESENTRY.has_options = True
diff --git a/python/istio_api/mixer/v1/config/client/api_spec_pb2.py b/python/istio_api/mixer/v1/config/client/api_spec_pb2.py
index f71baa78a75..09acbb24046 100644
--- a/python/istio_api/mixer/v1/config/client/api_spec_pb2.py
+++ b/python/istio_api/mixer/v1/config/client/api_spec_pb2.py
@@ -22,7 +22,7 @@
name='mixer/v1/config/client/api_spec.proto',
package='istio.mixer.v1.config.client',
syntax='proto3',
- serialized_pb=_b('\n%mixer/v1/config/client/api_spec.proto\x12\x1cistio.mixer.v1.config.client\x1a\x14gogoproto/gogo.proto\x1a\x19mixer/v1/attributes.proto\x1a$mixer/v1/config/client/service.proto\"\xb9\x01\n\x0bHTTPAPISpec\x12.\n\nattributes\x18\x01 \x01(\x0b\x32\x1a.istio.mixer.v1.Attributes\x12\x42\n\x08patterns\x18\x02 \x03(\x0b\x32\x30.istio.mixer.v1.config.client.HTTPAPISpecPattern\x12\x36\n\x08\x61pi_keys\x18\x03 \x03(\x0b\x32$.istio.mixer.v1.config.client.APIKey\"\x8d\x01\n\x12HTTPAPISpecPattern\x12.\n\nattributes\x18\x01 \x01(\x0b\x32\x1a.istio.mixer.v1.Attributes\x12\x13\n\x0bhttp_method\x18\x02 \x01(\t\x12\x16\n\x0curi_template\x18\x03 \x01(\tH\x00\x12\x0f\n\x05regex\x18\x04 \x01(\tH\x00\x42\t\n\x07pattern\"D\n\x06\x41PIKey\x12\x0f\n\x05query\x18\x01 \x01(\tH\x00\x12\x10\n\x06header\x18\x02 \x01(\tH\x00\x12\x10\n\x06\x63ookie\x18\x03 \x01(\tH\x00\x42\x05\n\x03key\"7\n\x14HTTPAPISpecReference\x12\x0c\n\x04name\x18\x01 \x01(\t\x12\x11\n\tnamespace\x18\x02 \x01(\t\"\x99\x01\n\x12HTTPAPISpecBinding\x12<\n\x08services\x18\x01 \x03(\x0b\x32*.istio.mixer.v1.config.client.IstioService\x12\x45\n\tapi_specs\x18\x02 \x03(\x0b\x32\x32.istio.mixer.v1.config.client.HTTPAPISpecReferenceB1Z#istio.io/api/mixer/v1/config/client\xc8\xe1\x1e\x00\xa8\xe2\x1e\x00\xf0\xe1\x1e\x00\x62\x06proto3')
+ serialized_pb=_b('\n%mixer/v1/config/client/api_spec.proto\x12\x1cistio.mixer.v1.config.client\x1a\x14gogoproto/gogo.proto\x1a\x19mixer/v1/attributes.proto\x1a$mixer/v1/config/client/service.proto\"\xb9\x01\n\x0bHTTPAPISpec\x12.\n\nattributes\x18\x01 \x01(\x0b\x32\x1a.istio.mixer.v1.Attributes\x12\x42\n\x08patterns\x18\x02 \x03(\x0b\x32\x30.istio.mixer.v1.config.client.HTTPAPISpecPattern\x12\x36\n\x08\x61pi_keys\x18\x03 \x03(\x0b\x32$.istio.mixer.v1.config.client.APIKey\"\x8d\x01\n\x12HTTPAPISpecPattern\x12.\n\nattributes\x18\x01 \x01(\x0b\x32\x1a.istio.mixer.v1.Attributes\x12\x13\n\x0bhttp_method\x18\x02 \x01(\t\x12\x16\n\x0curi_template\x18\x03 \x01(\tH\x00\x12\x0f\n\x05regex\x18\x04 \x01(\tH\x00\x42\t\n\x07pattern\"D\n\x06\x41PIKey\x12\x0f\n\x05query\x18\x01 \x01(\tH\x00\x12\x10\n\x06header\x18\x02 \x01(\tH\x00\x12\x10\n\x06\x63ookie\x18\x03 \x01(\tH\x00\x42\x05\n\x03key\"7\n\x14HTTPAPISpecReference\x12\x0c\n\x04name\x18\x01 \x01(\t\x12\x11\n\tnamespace\x18\x02 \x01(\t\"\x99\x01\n\x12HTTPAPISpecBinding\x12<\n\x08services\x18\x01 \x03(\x0b\x32*.istio.mixer.v1.config.client.IstioService\x12\x45\n\tapi_specs\x18\x02 \x03(\x0b\x32\x32.istio.mixer.v1.config.client.HTTPAPISpecReferenceB5Z#istio.io/api/mixer/v1/config/client\xc8\xe1\x1e\x00\xa8\xe2\x1e\x00\xf0\xe1\x1e\x00\xd8\xe2\x1e\x01\x62\x06proto3')
,
dependencies=[gogoproto_dot_gogo__pb2.DESCRIPTOR,mixer_dot_v1_dot_attributes__pb2.DESCRIPTOR,mixer_dot_v1_dot_config_dot_client_dot_service__pb2.DESCRIPTOR,])
@@ -317,5 +317,5 @@
DESCRIPTOR.has_options = True
-DESCRIPTOR._options = _descriptor._ParseOptions(descriptor_pb2.FileOptions(), _b('Z#istio.io/api/mixer/v1/config/client\310\341\036\000\250\342\036\000\360\341\036\000'))
+DESCRIPTOR._options = _descriptor._ParseOptions(descriptor_pb2.FileOptions(), _b('Z#istio.io/api/mixer/v1/config/client\310\341\036\000\250\342\036\000\360\341\036\000\330\342\036\001'))
# @@protoc_insertion_point(module_scope)
diff --git a/python/istio_api/mixer/v1/config/client/client_config_pb2.py b/python/istio_api/mixer/v1/config/client/client_config_pb2.py
index d384b645e1f..f9646b5cb96 100644
--- a/python/istio_api/mixer/v1/config/client/client_config_pb2.py
+++ b/python/istio_api/mixer/v1/config/client/client_config_pb2.py
@@ -24,7 +24,7 @@
name='mixer/v1/config/client/client_config.proto',
package='istio.mixer.v1.config.client',
syntax='proto3',
- serialized_pb=_b('\n*mixer/v1/config/client/client_config.proto\x12\x1cistio.mixer.v1.config.client\x1a\x14gogoproto/gogo.proto\x1a\x1egoogle/protobuf/duration.proto\x1a\x19mixer/v1/attributes.proto\x1a%mixer/v1/config/client/api_spec.proto\x1a\"mixer/v1/config/client/quota.proto\"\x86\x02\n\x11NetworkFailPolicy\x12J\n\x06policy\x18\x01 \x01(\x0e\x32:.istio.mixer.v1.config.client.NetworkFailPolicy.FailPolicy\x12\x11\n\tmax_retry\x18\x02 \x01(\r\x12\x32\n\x0f\x62\x61se_retry_wait\x18\x03 \x01(\x0b\x32\x19.google.protobuf.Duration\x12\x31\n\x0emax_retry_wait\x18\x04 \x01(\x0b\x32\x19.google.protobuf.Duration\"+\n\nFailPolicy\x12\r\n\tFAIL_OPEN\x10\x00\x12\x0e\n\nFAIL_CLOSE\x10\x01\"\x85\x03\n\rServiceConfig\x12\x1b\n\x13\x64isable_check_calls\x18\x01 \x01(\x08\x12\x1c\n\x14\x64isable_report_calls\x18\x02 \x01(\x08\x12\x34\n\x10mixer_attributes\x18\x03 \x01(\x0b\x32\x1a.istio.mixer.v1.Attributes\x12@\n\rhttp_api_spec\x18\x04 \x03(\x0b\x32).istio.mixer.v1.config.client.HTTPAPISpec\x12;\n\nquota_spec\x18\x05 \x03(\x0b\x32\'.istio.mixer.v1.config.client.QuotaSpec\x12L\n\x13network_fail_policy\x18\x07 \x01(\x0b\x32/.istio.mixer.v1.config.client.NetworkFailPolicy\x12\x36\n\x12\x66orward_attributes\x18\x08 \x01(\x0b\x32\x1a.istio.mixer.v1.Attributes\"\xe0\x02\n\x0fTransportConfig\x12\x1b\n\x13\x64isable_check_cache\x18\x01 \x01(\x08\x12\x1b\n\x13\x64isable_quota_cache\x18\x02 \x01(\x08\x12\x1c\n\x14\x64isable_report_batch\x18\x03 \x01(\x08\x12L\n\x13network_fail_policy\x18\x04 \x01(\x0b\x32/.istio.mixer.v1.config.client.NetworkFailPolicy\x12\x38\n\x15stats_update_interval\x18\x05 \x01(\x0b\x32\x19.google.protobuf.Duration\x12\x15\n\rcheck_cluster\x18\x06 \x01(\t\x12\x16\n\x0ereport_cluster\x18\x07 \x01(\t\x12>\n\x1a\x61ttributes_for_mixer_proxy\x18\x08 \x01(\x0b\x32\x1a.istio.mixer.v1.Attributes\"\xa8\x03\n\x10HttpClientConfig\x12@\n\ttransport\x18\x01 \x01(\x0b\x32-.istio.mixer.v1.config.client.TransportConfig\x12[\n\x0fservice_configs\x18\x02 \x03(\x0b\x32\x42.istio.mixer.v1.config.client.HttpClientConfig.ServiceConfigsEntry\x12#\n\x1b\x64\x65\x66\x61ult_destination_service\x18\x03 \x01(\t\x12\x34\n\x10mixer_attributes\x18\x04 \x01(\x0b\x32\x1a.istio.mixer.v1.Attributes\x12\x36\n\x12\x66orward_attributes\x18\x05 \x01(\x0b\x32\x1a.istio.mixer.v1.Attributes\x1a\x62\n\x13ServiceConfigsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12:\n\x05value\x18\x02 \x01(\x0b\x32+.istio.mixer.v1.config.client.ServiceConfig:\x02\x38\x01\"\xc0\x02\n\x0fTcpClientConfig\x12@\n\ttransport\x18\x01 \x01(\x0b\x32-.istio.mixer.v1.config.client.TransportConfig\x12\x34\n\x10mixer_attributes\x18\x02 \x01(\x0b\x32\x1a.istio.mixer.v1.Attributes\x12\x1b\n\x13\x64isable_check_calls\x18\x03 \x01(\x08\x12\x1c\n\x14\x64isable_report_calls\x18\x04 \x01(\x08\x12\x46\n\x15\x63onnection_quota_spec\x18\x05 \x01(\x0b\x32\'.istio.mixer.v1.config.client.QuotaSpec\x12\x32\n\x0freport_interval\x18\x06 \x01(\x0b\x32\x19.google.protobuf.DurationB1Z#istio.io/api/mixer/v1/config/client\xc8\xe1\x1e\x00\xa8\xe2\x1e\x00\xf0\xe1\x1e\x00\x62\x06proto3')
+ serialized_pb=_b('\n*mixer/v1/config/client/client_config.proto\x12\x1cistio.mixer.v1.config.client\x1a\x14gogoproto/gogo.proto\x1a\x1egoogle/protobuf/duration.proto\x1a\x19mixer/v1/attributes.proto\x1a%mixer/v1/config/client/api_spec.proto\x1a\"mixer/v1/config/client/quota.proto\"\x86\x02\n\x11NetworkFailPolicy\x12J\n\x06policy\x18\x01 \x01(\x0e\x32:.istio.mixer.v1.config.client.NetworkFailPolicy.FailPolicy\x12\x11\n\tmax_retry\x18\x02 \x01(\r\x12\x32\n\x0f\x62\x61se_retry_wait\x18\x03 \x01(\x0b\x32\x19.google.protobuf.Duration\x12\x31\n\x0emax_retry_wait\x18\x04 \x01(\x0b\x32\x19.google.protobuf.Duration\"+\n\nFailPolicy\x12\r\n\tFAIL_OPEN\x10\x00\x12\x0e\n\nFAIL_CLOSE\x10\x01\"\x85\x03\n\rServiceConfig\x12\x1b\n\x13\x64isable_check_calls\x18\x01 \x01(\x08\x12\x1c\n\x14\x64isable_report_calls\x18\x02 \x01(\x08\x12\x34\n\x10mixer_attributes\x18\x03 \x01(\x0b\x32\x1a.istio.mixer.v1.Attributes\x12@\n\rhttp_api_spec\x18\x04 \x03(\x0b\x32).istio.mixer.v1.config.client.HTTPAPISpec\x12;\n\nquota_spec\x18\x05 \x03(\x0b\x32\'.istio.mixer.v1.config.client.QuotaSpec\x12L\n\x13network_fail_policy\x18\x07 \x01(\x0b\x32/.istio.mixer.v1.config.client.NetworkFailPolicy\x12\x36\n\x12\x66orward_attributes\x18\x08 \x01(\x0b\x32\x1a.istio.mixer.v1.Attributes\"\xe0\x02\n\x0fTransportConfig\x12\x1b\n\x13\x64isable_check_cache\x18\x01 \x01(\x08\x12\x1b\n\x13\x64isable_quota_cache\x18\x02 \x01(\x08\x12\x1c\n\x14\x64isable_report_batch\x18\x03 \x01(\x08\x12L\n\x13network_fail_policy\x18\x04 \x01(\x0b\x32/.istio.mixer.v1.config.client.NetworkFailPolicy\x12\x38\n\x15stats_update_interval\x18\x05 \x01(\x0b\x32\x19.google.protobuf.Duration\x12\x15\n\rcheck_cluster\x18\x06 \x01(\t\x12\x16\n\x0ereport_cluster\x18\x07 \x01(\t\x12>\n\x1a\x61ttributes_for_mixer_proxy\x18\x08 \x01(\x0b\x32\x1a.istio.mixer.v1.Attributes\"\xa8\x03\n\x10HttpClientConfig\x12@\n\ttransport\x18\x01 \x01(\x0b\x32-.istio.mixer.v1.config.client.TransportConfig\x12[\n\x0fservice_configs\x18\x02 \x03(\x0b\x32\x42.istio.mixer.v1.config.client.HttpClientConfig.ServiceConfigsEntry\x12#\n\x1b\x64\x65\x66\x61ult_destination_service\x18\x03 \x01(\t\x12\x34\n\x10mixer_attributes\x18\x04 \x01(\x0b\x32\x1a.istio.mixer.v1.Attributes\x12\x36\n\x12\x66orward_attributes\x18\x05 \x01(\x0b\x32\x1a.istio.mixer.v1.Attributes\x1a\x62\n\x13ServiceConfigsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12:\n\x05value\x18\x02 \x01(\x0b\x32+.istio.mixer.v1.config.client.ServiceConfig:\x02\x38\x01\"\xc0\x02\n\x0fTcpClientConfig\x12@\n\ttransport\x18\x01 \x01(\x0b\x32-.istio.mixer.v1.config.client.TransportConfig\x12\x34\n\x10mixer_attributes\x18\x02 \x01(\x0b\x32\x1a.istio.mixer.v1.Attributes\x12\x1b\n\x13\x64isable_check_calls\x18\x03 \x01(\x08\x12\x1c\n\x14\x64isable_report_calls\x18\x04 \x01(\x08\x12\x46\n\x15\x63onnection_quota_spec\x18\x05 \x01(\x0b\x32\'.istio.mixer.v1.config.client.QuotaSpec\x12\x32\n\x0freport_interval\x18\x06 \x01(\x0b\x32\x19.google.protobuf.DurationB5Z#istio.io/api/mixer/v1/config/client\xc8\xe1\x1e\x00\xa8\xe2\x1e\x00\xf0\xe1\x1e\x00\xd8\xe2\x1e\x01\x62\x06proto3')
,
dependencies=[gogoproto_dot_gogo__pb2.DESCRIPTOR,google_dot_protobuf_dot_duration__pb2.DESCRIPTOR,mixer_dot_v1_dot_attributes__pb2.DESCRIPTOR,mixer_dot_v1_dot_config_dot_client_dot_api__spec__pb2.DESCRIPTOR,mixer_dot_v1_dot_config_dot_client_dot_quota__pb2.DESCRIPTOR,])
@@ -494,7 +494,7 @@
DESCRIPTOR.has_options = True
-DESCRIPTOR._options = _descriptor._ParseOptions(descriptor_pb2.FileOptions(), _b('Z#istio.io/api/mixer/v1/config/client\310\341\036\000\250\342\036\000\360\341\036\000'))
+DESCRIPTOR._options = _descriptor._ParseOptions(descriptor_pb2.FileOptions(), _b('Z#istio.io/api/mixer/v1/config/client\310\341\036\000\250\342\036\000\360\341\036\000\330\342\036\001'))
_HTTPCLIENTCONFIG_SERVICECONFIGSENTRY.has_options = True
_HTTPCLIENTCONFIG_SERVICECONFIGSENTRY._options = _descriptor._ParseOptions(descriptor_pb2.MessageOptions(), _b('8\001'))
# @@protoc_insertion_point(module_scope)
diff --git a/python/istio_api/mixer/v1/config/client/quota_pb2.py b/python/istio_api/mixer/v1/config/client/quota_pb2.py
index 074868bb1ab..d3e74703c38 100644
--- a/python/istio_api/mixer/v1/config/client/quota_pb2.py
+++ b/python/istio_api/mixer/v1/config/client/quota_pb2.py
@@ -21,7 +21,7 @@
name='mixer/v1/config/client/quota.proto',
package='istio.mixer.v1.config.client',
syntax='proto3',
- serialized_pb=_b('\n\"mixer/v1/config/client/quota.proto\x12\x1cistio.mixer.v1.config.client\x1a\x14gogoproto/gogo.proto\x1a$mixer/v1/config/client/service.proto\"C\n\tQuotaSpec\x12\x36\n\x05rules\x18\x01 \x03(\x0b\x32\'.istio.mixer.v1.config.client.QuotaRule\"}\n\tQuotaRule\x12;\n\x05match\x18\x01 \x03(\x0b\x32,.istio.mixer.v1.config.client.AttributeMatch\x12\x33\n\x06quotas\x18\x02 \x03(\x0b\x32#.istio.mixer.v1.config.client.Quota\"O\n\x0bStringMatch\x12\x0f\n\x05\x65xact\x18\x01 \x01(\tH\x00\x12\x10\n\x06prefix\x18\x02 \x01(\tH\x00\x12\x0f\n\x05regex\x18\x03 \x01(\tH\x00\x42\x0c\n\nmatch_type\"\xb4\x01\n\x0e\x41ttributeMatch\x12H\n\x06\x63lause\x18\x01 \x03(\x0b\x32\x38.istio.mixer.v1.config.client.AttributeMatch.ClauseEntry\x1aX\n\x0b\x43lauseEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\x38\n\x05value\x18\x02 \x01(\x0b\x32).istio.mixer.v1.config.client.StringMatch:\x02\x38\x01\"&\n\x05Quota\x12\r\n\x05quota\x18\x01 \x01(\t\x12\x0e\n\x06\x63harge\x18\x02 \x01(\x03\"\xdf\x01\n\x10QuotaSpecBinding\x12<\n\x08services\x18\x01 \x03(\x0b\x32*.istio.mixer.v1.config.client.IstioService\x12V\n\x0bquota_specs\x18\x02 \x03(\x0b\x32\x41.istio.mixer.v1.config.client.QuotaSpecBinding.QuotaSpecReference\x1a\x35\n\x12QuotaSpecReference\x12\x0c\n\x04name\x18\x01 \x01(\t\x12\x11\n\tnamespace\x18\x02 \x01(\tB1Z#istio.io/api/mixer/v1/config/client\xc8\xe1\x1e\x00\xa8\xe2\x1e\x00\xf0\xe1\x1e\x00\x62\x06proto3')
+ serialized_pb=_b('\n\"mixer/v1/config/client/quota.proto\x12\x1cistio.mixer.v1.config.client\x1a\x14gogoproto/gogo.proto\x1a$mixer/v1/config/client/service.proto\"C\n\tQuotaSpec\x12\x36\n\x05rules\x18\x01 \x03(\x0b\x32\'.istio.mixer.v1.config.client.QuotaRule\"}\n\tQuotaRule\x12;\n\x05match\x18\x01 \x03(\x0b\x32,.istio.mixer.v1.config.client.AttributeMatch\x12\x33\n\x06quotas\x18\x02 \x03(\x0b\x32#.istio.mixer.v1.config.client.Quota\"O\n\x0bStringMatch\x12\x0f\n\x05\x65xact\x18\x01 \x01(\tH\x00\x12\x10\n\x06prefix\x18\x02 \x01(\tH\x00\x12\x0f\n\x05regex\x18\x03 \x01(\tH\x00\x42\x0c\n\nmatch_type\"\xb4\x01\n\x0e\x41ttributeMatch\x12H\n\x06\x63lause\x18\x01 \x03(\x0b\x32\x38.istio.mixer.v1.config.client.AttributeMatch.ClauseEntry\x1aX\n\x0b\x43lauseEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\x38\n\x05value\x18\x02 \x01(\x0b\x32).istio.mixer.v1.config.client.StringMatch:\x02\x38\x01\"&\n\x05Quota\x12\r\n\x05quota\x18\x01 \x01(\t\x12\x0e\n\x06\x63harge\x18\x02 \x01(\x03\"\xdf\x01\n\x10QuotaSpecBinding\x12<\n\x08services\x18\x01 \x03(\x0b\x32*.istio.mixer.v1.config.client.IstioService\x12V\n\x0bquota_specs\x18\x02 \x03(\x0b\x32\x41.istio.mixer.v1.config.client.QuotaSpecBinding.QuotaSpecReference\x1a\x35\n\x12QuotaSpecReference\x12\x0c\n\x04name\x18\x01 \x01(\t\x12\x11\n\tnamespace\x18\x02 \x01(\tB5Z#istio.io/api/mixer/v1/config/client\xc8\xe1\x1e\x00\xa8\xe2\x1e\x00\xf0\xe1\x1e\x00\xd8\xe2\x1e\x01\x62\x06proto3')
,
dependencies=[gogoproto_dot_gogo__pb2.DESCRIPTOR,mixer_dot_v1_dot_config_dot_client_dot_service__pb2.DESCRIPTOR,])
@@ -411,7 +411,7 @@
DESCRIPTOR.has_options = True
-DESCRIPTOR._options = _descriptor._ParseOptions(descriptor_pb2.FileOptions(), _b('Z#istio.io/api/mixer/v1/config/client\310\341\036\000\250\342\036\000\360\341\036\000'))
+DESCRIPTOR._options = _descriptor._ParseOptions(descriptor_pb2.FileOptions(), _b('Z#istio.io/api/mixer/v1/config/client\310\341\036\000\250\342\036\000\360\341\036\000\330\342\036\001'))
_ATTRIBUTEMATCH_CLAUSEENTRY.has_options = True
_ATTRIBUTEMATCH_CLAUSEENTRY._options = _descriptor._ParseOptions(descriptor_pb2.MessageOptions(), _b('8\001'))
# @@protoc_insertion_point(module_scope)
diff --git a/python/istio_api/mixer/v1/config/client/service_pb2.py b/python/istio_api/mixer/v1/config/client/service_pb2.py
index 59fd4f42165..f1e5dfed544 100644
--- a/python/istio_api/mixer/v1/config/client/service_pb2.py
+++ b/python/istio_api/mixer/v1/config/client/service_pb2.py
@@ -20,7 +20,7 @@
name='mixer/v1/config/client/service.proto',
package='istio.mixer.v1.config.client',
syntax='proto3',
- serialized_pb=_b('\n$mixer/v1/config/client/service.proto\x12\x1cistio.mixer.v1.config.client\x1a\x14gogoproto/gogo.proto\"\xc7\x01\n\x0cIstioService\x12\x0c\n\x04name\x18\x01 \x01(\t\x12\x11\n\tnamespace\x18\x02 \x01(\t\x12\x0e\n\x06\x64omain\x18\x03 \x01(\t\x12\x0f\n\x07service\x18\x04 \x01(\t\x12\x46\n\x06labels\x18\x05 \x03(\x0b\x32\x36.istio.mixer.v1.config.client.IstioService.LabelsEntry\x1a-\n\x0bLabelsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\x42\x31Z#istio.io/api/mixer/v1/config/client\xc8\xe1\x1e\x00\xa8\xe2\x1e\x00\xf0\xe1\x1e\x00\x62\x06proto3')
+ serialized_pb=_b('\n$mixer/v1/config/client/service.proto\x12\x1cistio.mixer.v1.config.client\x1a\x14gogoproto/gogo.proto\"\xc7\x01\n\x0cIstioService\x12\x0c\n\x04name\x18\x01 \x01(\t\x12\x11\n\tnamespace\x18\x02 \x01(\t\x12\x0e\n\x06\x64omain\x18\x03 \x01(\t\x12\x0f\n\x07service\x18\x04 \x01(\t\x12\x46\n\x06labels\x18\x05 \x03(\x0b\x32\x36.istio.mixer.v1.config.client.IstioService.LabelsEntry\x1a-\n\x0bLabelsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\x42\x35Z#istio.io/api/mixer/v1/config/client\xc8\xe1\x1e\x00\xa8\xe2\x1e\x00\xf0\xe1\x1e\x00\xd8\xe2\x1e\x01\x62\x06proto3')
,
dependencies=[gogoproto_dot_gogo__pb2.DESCRIPTOR,])
@@ -144,7 +144,7 @@
DESCRIPTOR.has_options = True
-DESCRIPTOR._options = _descriptor._ParseOptions(descriptor_pb2.FileOptions(), _b('Z#istio.io/api/mixer/v1/config/client\310\341\036\000\250\342\036\000\360\341\036\000'))
+DESCRIPTOR._options = _descriptor._ParseOptions(descriptor_pb2.FileOptions(), _b('Z#istio.io/api/mixer/v1/config/client\310\341\036\000\250\342\036\000\360\341\036\000\330\342\036\001'))
_ISTIOSERVICE_LABELSENTRY.has_options = True
_ISTIOSERVICE_LABELSENTRY._options = _descriptor._ParseOptions(descriptor_pb2.MessageOptions(), _b('8\001'))
# @@protoc_insertion_point(module_scope)
diff --git a/rbac/v1alpha1/rbac.pb.go b/rbac/v1alpha1/rbac.pb.go
index 0323505e2b5..3202dc00371 100644
--- a/rbac/v1alpha1/rbac.pb.go
+++ b/rbac/v1alpha1/rbac.pb.go
@@ -871,11 +871,11 @@ func (m *RoleRef) GetName() string {
// $hide_from_docs
// RbacConfig is deprecated. RbacConfig defined the global config to control Istio RBAC behavior.
// This Custom Resource is a singleton where only one Custom Resource should be created globally in
-// the mesh and the namespace should be the same to other Istio components, which usually is istio-system.
-// Note: This is enforced in both istioctl and server side, new Custom Resource will be rejected if found any
+// the mesh and the namespace should be the same to other Istio components, which usually is `istio-system`.
+// Note: This is enforced in both `istioctl` and server side, new Custom Resource will be rejected if found any
// existing one, the user should either delete the existing one or change the existing one directly.
//
-// Below is an example of RbacConfig object "istio-rbac-config" which enables Istio RBAC for all
+// Below is an example of an `RbacConfig` resource called `istio-rbac-config` which enables Istio RBAC for all
// services in the default namespace.
//
// ```yaml
diff --git a/rbac/v1alpha1/rbac.proto b/rbac/v1alpha1/rbac.proto
index 8a973a8691d..d83e52e27dc 100644
--- a/rbac/v1alpha1/rbac.proto
+++ b/rbac/v1alpha1/rbac.proto
@@ -325,11 +325,11 @@ message RoleRef {
// $hide_from_docs
// RbacConfig is deprecated. RbacConfig defined the global config to control Istio RBAC behavior.
// This Custom Resource is a singleton where only one Custom Resource should be created globally in
-// the mesh and the namespace should be the same to other Istio components, which usually is istio-system.
-// Note: This is enforced in both istioctl and server side, new Custom Resource will be rejected if found any
+// the mesh and the namespace should be the same to other Istio components, which usually is `istio-system`.
+// Note: This is enforced in both `istioctl` and server side, new Custom Resource will be rejected if found any
// existing one, the user should either delete the existing one or change the existing one directly.
//
-// Below is an example of RbacConfig object "istio-rbac-config" which enables Istio RBAC for all
+// Below is an example of an `RbacConfig` resource called `istio-rbac-config` which enables Istio RBAC for all
// services in the default namespace.
//
// ```yaml
@@ -384,7 +384,7 @@ message RbacConfig {
// $hide_from_docs
// Indicates enforcement mode of the RbacConfig, in ENFORCED mode by default.
- // It's used to verify new RbacConfig work as expected before rolling to production.
+ // It's used to verify new RbacConfig work as expected before rolling to production.
// When setting as PERMISSIVE, RBAC isn't enforced and has no impact on users.
// RBAC engine run RbacConfig in PERMISSIVE mode and logs stats.
// Invalid to set RbacConfig in PERMISSIVE and ServiceRoleBinding in ENFORCED mode.