diff --git a/go.mod b/go.mod
index 50fd9af0f..57c1bf3d0 100644
--- a/go.mod
+++ b/go.mod
@@ -2,8 +2,6 @@ module knative.dev/operator
 
 go 1.21
 
-toolchain go1.21.4
-
 require (
 	github.com/go-logr/zapr v1.2.2
 	github.com/google/go-cmp v0.6.0
@@ -16,8 +14,8 @@ require (
 	golang.org/x/mod v0.14.0
 	golang.org/x/oauth2 v0.14.0
 	google.golang.org/api v0.151.0
-	istio.io/api v0.0.0-20220420164308-b6a03a9e477e
-	istio.io/client-go v1.13.3
+	istio.io/api v0.0.0-20231206023236-e7cadb36da57
+	istio.io/client-go v1.18.7
 	k8s.io/api v0.27.6
 	k8s.io/apimachinery v0.27.6
 	k8s.io/client-go v0.27.6
diff --git a/go.sum b/go.sum
index f018c637f..30ac9b8cc 100644
--- a/go.sum
+++ b/go.sum
@@ -18,10 +18,6 @@ cloud.google.com/go v0.62.0/go.mod h1:jmCYTdRCQuc1PHIIJ/maLInMho30T/Y0M4hTdTShOY
 cloud.google.com/go v0.65.0/go.mod h1:O5N8zS7uWy9vkA9vayVHs65eM1ubvY4h553ofrNHObY=
 cloud.google.com/go v0.66.0/go.mod h1:dgqGAjKCDxyhGTtC9dAREQGUJpkceNm1yt590Qno0Ko=
 cloud.google.com/go v0.72.0/go.mod h1:M+5Vjvlc2wnp6tjzE102Dw08nGShTscUx2nZMufOKPI=
-cloud.google.com/go v0.74.0/go.mod h1:VV1xSbzvo+9QJOxLDaJfTjx5e+MePCpCWwvftOeQmWk=
-cloud.google.com/go v0.78.0/go.mod h1:QjdrLG0uq+YwhjoVOLsS1t7TW8fs36kLs4XO5R5ECHg=
-cloud.google.com/go v0.79.0/go.mod h1:3bzgcEeQlzbuEAYu4mrWhKqWjmpprinYgKJLgKHnbb8=
-cloud.google.com/go v0.81.0/go.mod h1:mk/AM35KwGk/Nm2YSeZbxXdrNK3KZOYHmLkOqC2V6E0=
 cloud.google.com/go v0.110.8 h1:tyNdfIxjzaWctIiLYOTalaLKZ17SI44SKFW26QbOhME=
 cloud.google.com/go v0.110.8/go.mod h1:Iz8AkXJf1qmxC3Oxoep8R1T36w8B92yU29PcBhHO5fk=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
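Review bot: Dropping `toolchain go1.21.4` in the first go.mod hunk leaves `go 1.21` as the only toolchain constraint, so the minimum go command that will build this module drops from 1.21.4 to 1.21 and the build is no longer pinned to the patch release CI was using. The commit does not say why the pin was removed; if it was an unintended side effect of `go get`/`go mod tidy` while bumping istio, restore it with `toolchain go1.21.4` (or whatever CI pins), and if it was deliberate, a line in the commit message would help the next reader. The istio.io/api bump in the second hunk moves to a pseudo-version rather than a tagged release, which is fine as long as the matching h1 entries in the go.sum hunk are the ones CI resolved rather than hand-edited.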
@@ -187,11 +183,7 @@ github.com/cloudevents/sdk-go/v2 v2.13.0/go.mod h1:xDmKfzNjM8gBvjaF8ijFjM1VYOVUE github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk= -github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI= github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= -github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= github.com/coreos/etcd v3.3.10+incompatible/go.mod h1:uF7uidLiAD3TWHmW31ZFd/JWoc32PjwdhPthX9715RE= 
@@ -240,7 +232,6 @@ github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1m github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5ynNVH9qI8YYLbd1fK2po= github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk= github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ= -github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/evanphx/json-patch v0.0.0-20190203023257-5858425f7550/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= @@ -261,7 +252,6 @@ github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMo github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= -github.com/getkin/kin-openapi v0.76.0/go.mod h1:660oXbgy5JFMKreazJaQTw7o+X00qeSyhcnluiMv+Xg= github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm+fLHvGI= 
@@ -307,7 +297,6 @@ github.com/go-openapi/jsonpointer v0.17.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwds github.com/go-openapi/jsonpointer v0.18.0/go.mod h1:cOnomiV+CVVwFLk0A/MExoFMjwdsUdVpsRhURCKh+3M= github.com/go-openapi/jsonpointer v0.19.2/go.mod h1:3akKfEdA7DF1sugOqz1dVQHBcuDBPKZGEoHC/NkiQRg= github.com/go-openapi/jsonpointer v0.19.3/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= -github.com/go-openapi/jsonpointer v0.19.5/go.mod h1:Pl9vOtqEWErmShwVjC8pYs9cog34VGT37dQOVbmoatg= github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= github.com/go-openapi/jsonreference v0.0.0-20160704190145-13c6e3589ad9/go.mod h1:W3Z9FmVs9qj+KR4zFKmDPGiLdk1D9Rlm7cyMvf57TTg= @@ -385,7 +374,6 @@ github.com/golang/mock v1.4.0/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt github.com/golang/mock v1.4.1/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= github.com/golang/mock v1.4.3/go.mod h1:UOMv5ysSaYNkG+OFQykRIcU/QvvxJf3p21QfJ2Bt3cw= github.com/golang/mock v1.4.4/go.mod h1:l3mdAwkq5BuhzHwde/uurv3sEJeZMXNpwsxVWU71h+4= -github.com/golang/mock v1.5.0/go.mod h1:CWnOUgYIOo4TcNZ0wHX3YZCqsaM1I1Jvs6v3mP3KVu8= github.com/golang/protobuf v0.0.0-20161109072736-4bd1920723d7/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U= 
@@ -402,7 +390,6 @@ github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QD github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI= github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk= -github.com/golang/protobuf v1.5.1/go.mod h1:DopwsBzvsk0Fs44TXzsVbJyPhcCPeIwnvohx4u74HPM= github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= @@ -459,9 +446,6 @@ github.com/google/pprof v0.0.0-20200430221834-fc25d7d30c6d/go.mod h1:ZgVRPoUq/hf github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20200905233945-acf8798be1f7/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM= github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210122040257-d980be63207e/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= -github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= 
@@ -489,7 +473,6 @@ github.com/googleapis/gnostic v0.5.5/go.mod h1:7+EbHbldMins07ALC74bsA81Ovc97Dwqy github.com/gophercloud/gophercloud v0.0.0-20190126172459-c818fa66e4c8/go.mod h1:3WdhXV3rUYy9p6AUW8d94kr+HS62Y4VL9mBnFxsD8q4= github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg= github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= -github.com/gorilla/mux v1.8.0/go.mod h1:DVbg23sWSpFRCP0SfiEN6jmj59UnW/n46BH5rLB71So= github.com/gorilla/websocket v0.0.0-20170926233335-4201258b820c/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/gorilla/websocket v1.4.0/go.mod h1:E7qHFY5m1UJ88s3WnNqhKjPHQ0heANvMoAMk2YaljkQ= github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= @@ -779,7 +762,6 @@ github.com/yuin/goldmark v1.1.25/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.5/go.mod h1:G5EMThwa9y8QZGBClrRx5EY+Yw9kAhnjy3bSjsnlVTQ= 
@@ -839,7 +821,6 @@ golang.org/x/crypto v0.0.0-20200728195943-123391ffb6de/go.mod h1:LzIPMQfyMNhhGPh golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= -golang.org/x/crypto v0.0.0-20210817164053-32db794688a5/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA= @@ -869,7 +850,6 @@ golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHl golang.org/x/lint v0.0.0-20191125180803-fdd1cda4f05f/go.mod h1:5qLYkcX4OjUUV8bRuDixDT3tpyyb+LUpUlRWLxfhWrs= golang.org/x/lint v0.0.0-20200130185559-910be7a94367/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= -golang.org/x/lint v0.0.0-20201208152925-83fdc39ff7b5/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY= golang.org/x/mobile v0.0.0-20190312151609-d3739f865fa6/go.mod h1:z+o9i4GpDbdi3rU15maQ/Ox0txvL9dWGYEHz965HBQE= golang.org/x/mobile v0.0.0-20190719004257-d2bd2a29d028/go.mod h1:E/iHnbuqvinMTCcRqshq8CkpyQDoeVncDDYHnLhea+o= golang.org/x/mod v0.0.0-20190513183733-4bf6d317e70e/go.mod h1:mXi4GBBbnImb6dmsKGUJ2LatrhH/nqhxcFungHvyanc= 
@@ -879,8 +859,6 @@ golang.org/x/mod v0.1.1-0.20191107180719-034126e5016b/go.mod h1:QqPTAvyqsEbceGzB golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= -golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20170114055629-f2499483f923/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -930,14 +908,10 @@ golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwY golang.org/x/net v0.0.0-20201031054903-ff519b6c9102/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= -golang.org/x/net v0.0.0-20201209123823-ac852fbbde11/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210119194325-5f4716e94777/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= -golang.org/x/net v0.0.0-20210316092652-d523dce5a7f4/go.mod h1:RBQZq4jEuRlivfhVLdyRGr576XBO4/greRjx4P4O3yc= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210525063256-abc453219eb5/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20210805182204-aaa1db679c0d/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= -golang.org/x/net v0.0.0-20210825183410-e898025ed96a/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20211209124913-491a49abca63/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= 
@@ -953,12 +927,7 @@ golang.org/x/oauth2 v0.0.0-20200107190931-bf48bf16ab8d/go.mod h1:gOpvHmFTYa4Iltr golang.org/x/oauth2 v0.0.0-20200902213428-5d25da1a8d43/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20201109201403-9fd604954f58/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20201203001011-0b49973bad19/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210220000619-9bb904979d93/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210313182246-cd4f82c27b84/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= -golang.org/x/oauth2 v0.0.0-20210819190943-2bc19b11175f/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A= golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc= golang.org/x/oauth2 v0.14.0 h1:P0Vrf/2538nmC0H+pEQ3MNFRRnVR7RlqyVw+bvm26z0= golang.org/x/oauth2 v0.14.0/go.mod h1:lAtNWgaWfL4cm7j2OV8TxGi9Qb7ECORx8DktCY74OwM= 
@@ -972,7 +941,6 @@ golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220601150217-0de741cfad7f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE= golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= 
@@ -1029,20 +997,13 @@ golang.org/x/sys v0.0.0-20201112073958-5cba982894dd/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201201145000-ef89a241ccb3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201202213521-69691e467435/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210104204734-6f8348627aad/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210220050731-9a76102bfb43/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210305230114-8fe3ee5dd75b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210315160823-c6e025ad8005/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20210320140829-1e4c9ba3b0c4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210603081109-ebe580a85c40/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.0.0-20210831042530-f4d43177bf5e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod 
h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220114195835-da31bd327af9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -1052,7 +1013,6 @@ golang.org/x/sys v0.14.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= -golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.14.0 h1:LGK9IlZ8T9jvdy6cTdfKUCltatMFOehAQo9SRC46UQ8= golang.org/x/term v0.14.0/go.mod h1:TySc+nGkYR6qt8km8wUhuFRTVSMIX3XPR58y2lC8vww= 
@@ -1143,11 +1103,7 @@ golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201202200335-bef1c476418a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20201203202102-a1a1cbeaa516/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= -golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= -golang.org/x/tools v0.1.5/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk= golang.org/x/tools v0.15.0 h1:zdAyfUGbYmuVokhzVmghFl2ZJh5QhcfebBgmVPFYA+8= golang.org/x/tools v0.15.0/go.mod h1:hpksKq4dtpQWS1uQ61JkdqWM3LscIS6Slf+VVkm+wQk= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= 
@@ -1185,9 +1141,6 @@ google.golang.org/api v0.31.0/go.mod h1:CL+9IBCa2WWU6gRuBWaKqGWLFFwbEUXkfeMkHLQW google.golang.org/api v0.32.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= google.golang.org/api v0.35.0/go.mod h1:/XrVsuzM0rZmrsbjJutiuftIzeuTQcEeaYcSk/mQ1dg= google.golang.org/api v0.36.0/go.mod h1:+z5ficQTmoYpPn8LCUNVpK5I7hwkpjbcgqA7I34qYtE= -google.golang.org/api v0.40.0/go.mod h1:fYKFpnQN0DsDSKRVRcQSDQNtqWPfM9i+zNPxepjRCQ8= -google.golang.org/api v0.41.0/go.mod h1:RkxM5lITDfTzmyKFPt+wGrCJbVfniCr2ool8kTBzRTU= -google.golang.org/api v0.43.0/go.mod h1:nQsDGjRXMo4lvh5hP0TKqF244gqhGcr/YSIykhUk/94= google.golang.org/api v0.151.0 h1:FhfXLO/NFdJIzQtCqjpysWwqKk8AzGWBUhMIx67cVDU= google.golang.org/api v0.151.0/go.mod h1:ccy+MJ6nrYFgE3WgRx/AMXOxOmU8Q4hSa+jjibzhxcg= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= 
@@ -1240,13 +1193,6 @@ google.golang.org/genproto v0.0.0-20201019141844-1ed22bb0c154/go.mod h1:FWY/as6D google.golang.org/genproto v0.0.0-20201109203340-2640f1f9cdfb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201201144952-b05cb90ed32e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20201203001206-6486ece9c497/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201210142538-e3217bee35cc/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210222152913-aa3ee6e6a81c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210303154014-9728d6b83eeb/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210310155132-4ce2db91004e/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210319143718-93e7006c17a6/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto v0.0.0-20210402141018-6c239bbf2bb1/go.mod h1:9lPAdzaEmUacj36I+k7YKbEc5CXzPIeORRgDAUOu28A= google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc= google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b h1:+YaDE2r2OG8t/z5qmsh7Y+XXwCbvadxxZ0YY6mTdrVA= google.golang.org/genproto v0.0.0-20231016165738-49dd2c1f3d0b/go.mod h1:CgAqfJo+Xmu0GwA0411Ht3OU3OntXwsGmrmjI8ioGXI= 
@@ -1274,11 +1220,8 @@ google.golang.org/grpc v1.32.0/go.mod h1:N36X2cJ7JwdamYAgDz+s+rVMFjt3numwzf/HckM google.golang.org/grpc v1.33.1/go.mod h1:fr5YgcSWrqhRRxogOsw7RzIpsmvOZ6IcH4kBYTpR3n0= google.golang.org/grpc v1.33.2/go.mod h1:JMHMWHQWaTccqQQlmk3MJZS+GWXOdAesneDmEnv2fbc= google.golang.org/grpc v1.34.0/go.mod h1:WotjhfgOW/POjDeRt8vscBtXq+2VjORFy659qA51WJ8= -google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= -google.golang.org/grpc v1.36.1/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU= google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34= -google.golang.org/grpc v1.42.0/go.mod h1:k+4IHHFw41K8+bbowsex27ge2rCb65oeWqe4jJ590SU= google.golang.org/grpc v1.59.0 h1:Z5Iec2pjwb+LEOqzpB2MR12/eKFhDPhuqW91O+4bwUk= google.golang.org/grpc v1.59.0/go.mod h1:aUPDwccQo6OTjy7Hct4AfBPD1GptF4fyUjIkQ9YtF98= google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8= 
@@ -1340,18 +1283,14 @@ honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWh honnef.co/go/tools v0.0.1-2019.2.3/go.mod h1:a3bituU0lyd329TUQxRnasdCoJDkEUEAqEt0JzvZhAg= honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k= -istio.io/api v0.0.0-20220413180505-1574de06b7bd/go.mod h1:8ZZgyVgYrHhsFQarEgTfPnMGpdgTDZbxSjYhdwTUuAQ= -istio.io/api v0.0.0-20220420164308-b6a03a9e477e h1:PiNQiNIgEpioHeslnETLn8yjVccRrYwg+Z56bVk7psE= -istio.io/api v0.0.0-20220420164308-b6a03a9e477e/go.mod h1:qGm6l1okCpLqVKyXSfYjB+UXXgpE/LCggALuK25cSFY= -istio.io/client-go v1.13.3 h1:xbEgTX4NRlvVRI/JsCmMI0ATvCc9P85HkQ20SphEGZ4= -istio.io/client-go v1.13.3/go.mod h1:DeT/l4yO+bwyv0ZgavSTj7BfkA2cTckHD0jtluwtXhE= -istio.io/gogo-genproto v0.0.0-20211208193508-5ab4acc9eb1e/go.mod h1:vJDAniIqryf/z///fgZqVPKJ7N2lBk7Gg8DCTB7oCfU= +istio.io/api v0.0.0-20231206023236-e7cadb36da57 h1:yINFMnBRewB/CxEwnR8bfsAcdkqgM0OqG1XweO8ctuU= +istio.io/api v0.0.0-20231206023236-e7cadb36da57/go.mod h1:dDMe1TsOtrRoUlBzdxqNolWXpXPQjLfbcXvqPMtQ6eo= +istio.io/client-go v1.18.7 h1:ZFCnnDuEPCz7kYoTfpaF17+KNVMhlsGK/wA11px1zws= +istio.io/client-go v1.18.7/go.mod h1:MeI/KZUVp3jWyoXGSpFkiLYz012qpbQbjnVuYMcM9k4= k8s.io/api v0.15.7/go.mod h1:a/tUxscL+UxvYyA7Tj5DRc8ivYqJIO1Y5KDdlI6wSvo= k8s.io/api v0.19.2/go.mod h1:IQpK0zFQ1xc5iNIQPqzgoOwuFugaYHK4iCknlAQP9nI= k8s.io/api v0.19.7/go.mod h1:KTryDUT3l6Mtv7K2J2486PNL9DBns3wOYTkGR+iz63Y= k8s.io/api v0.22.5/go.mod h1:mEhXyLaSD1qTOf40rRiKXkc+2iCem09rWLlFwhCEiAs= -k8s.io/api v0.23.0/go.mod h1:8wmDdLBHBNxtOIytwLstXt5E9PddnZb0GaMcqsvDBpg= -k8s.io/api v0.23.1/go.mod h1:WfXnOnwSqNtG62Y1CdjoMxh7r7u9QXGCkA1u0na2jgo= k8s.io/api v0.27.6 h1:PBWu/lywJe2qQcshMjubzcBg7+XDZOo7O8JJAWuYtUo= k8s.io/api v0.27.6/go.mod h1:AQYj0UsFCp3qJE7bOVnUuy4orCsXVkvHefnbYQiNWgk= k8s.io/apiextensions-apiserver v0.19.2/go.mod h1:EYNjpqIAvNZe+svXVx9j4uBaVhTB4C94HkY3w058qcg= 
@@ -1361,8 +1300,6 @@ k8s.io/apimachinery v0.15.7/go.mod h1:Xc10RHc1U+F/e9GCloJ8QAeCGevSVP5xhOhqlE+e1k k8s.io/apimachinery v0.19.2/go.mod h1:DnPGDnARWFvYa3pMHgSxtbZb7gpzzAZ1pTfaUNDVlmA= k8s.io/apimachinery v0.19.7/go.mod h1:6sRbGRAVY5DOCuZwB5XkqguBqpqLU6q/kOaOdk29z6Q= k8s.io/apimachinery v0.22.5/go.mod h1:xziclGKwuuJ2RM5/rSFQSYAj0zdbci3DH8kj+WvyN0U= -k8s.io/apimachinery v0.23.0/go.mod h1:fFCTTBKvKcwTPFzjlcxp91uPFZr+JA0FubU4fLzzFYc= -k8s.io/apimachinery v0.23.1/go.mod h1:SADt2Kl8/sttJ62RRsi9MIV4o8f5S3coArm0Iu3fBno= k8s.io/apimachinery v0.27.6 h1:mGU8jmBq5o8mWBov+mLjdTBcU+etTE19waies4AQ6NE= k8s.io/apimachinery v0.27.6/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E= k8s.io/apiserver v0.19.2/go.mod h1:FreAq0bJ2vtZFj9Ago/X0oNGC51GfubKK/ViOKfVAOA= @@ -1372,7 +1309,6 @@ k8s.io/client-go v0.15.7/go.mod h1:QMNB76d3lKPvPQdOOnnxUF693C3hnCzUbC2umg70pWA= k8s.io/client-go v0.19.2/go.mod h1:S5wPhCqyDNAlzM9CnEdgTGV4OqhsW3jGO1UM1epwfJA= k8s.io/client-go v0.19.7/go.mod h1:iytGI7S3kmv6bWnn+bSQUE4VlrEi4YFssvVB7J7Hvqg= k8s.io/client-go v0.22.5/go.mod h1:cs6yf/61q2T1SdQL5Rdcjg9J1ElXSwbjSrW2vFImM4Y= -k8s.io/client-go v0.23.1/go.mod h1:6QSI8fEuqD4zgFK0xbdwfB/PthBsIxCJMa3s17WlcO0= k8s.io/client-go v0.27.6 h1:vzI8804gpUtpMCNaFjIFyJrifH7u//LJCJPy8fQuYQg= k8s.io/client-go v0.27.6/go.mod h1:PMsXcDKiJTW7PHJ64oEsIUJF319wm+EFlCj76oE5QXM= k8s.io/code-generator v0.19.2/go.mod h1:moqLn7w0t9cMs4+5CQyxnfA/HV8MF6aAVENF+WZZhgk= 
@@ -1382,7 +1318,6 @@ k8s.io/component-base v0.19.2/go.mod h1:g5LrsiTiabMLZ40AR6Hl45f088DevyGY+cCE2agE k8s.io/gengo v0.0.0-20190128074634-0689ccc1d7d6/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= k8s.io/gengo v0.0.0-20200428234225-8167cfdcfc14/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0= -k8s.io/gengo v0.0.0-20210813121822-485abfe95c7c/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/gengo v0.0.0-20221011193443-fad74ee6edd9 h1:iu3o/SxaHVI7tKPtkGzD3M9IzrE21j+CUKH98NQJ8Ms= k8s.io/gengo v0.0.0-20221011193443-fad74ee6edd9/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog v0.0.0-20181102134211-b9b56d5dfc92/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= @@ -1391,7 +1326,6 @@ k8s.io/klog v1.0.0/go.mod h1:4Bi6QPql/J/LkTDqv7R/cd3hPo4k2DG6Ptcz060Ez5I= k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= k8s.io/klog/v2 v2.9.0/go.mod h1:hy9LJ/NvuK+iVyP4Ehqva4HxZG/oXyIS3n3Jmire4Ec= -k8s.io/klog/v2 v2.30.0/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/klog/v2 v2.40.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= k8s.io/klog/v2 v2.90.1 h1:m4bYOKall2MmOiRaR1J+We67Do7vm9KiQVlT96lnHUw= k8s.io/klog/v2 v2.90.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= 
@@ -1399,15 +1333,12 @@ k8s.io/kube-openapi v0.0.0-20190228160746-b3a7cee44a30/go.mod h1:BXM9ceUBTj2QnfH k8s.io/kube-openapi v0.0.0-20200204173128-addea2498afe/go.mod h1:GRQhZsXIAJ1xR0C9bd8UpWHZ5plfAS9fzPjJuQ6JL3E= k8s.io/kube-openapi v0.0.0-20200805222855-6aeccd4b50c6/go.mod h1:UuqjUnNftUyPE5H64/qeyjQoUZhGpeFDVdxjTeEVN2o= k8s.io/kube-openapi v0.0.0-20211109043538-20434351676c/go.mod h1:vHXdDvt9+2spS2Rx9ql3I8tycm3H9FDfdUoIuKCefvw= -k8s.io/kube-openapi v0.0.0-20211115234752-e816edb12b65/go.mod h1:sX9MT8g7NVZM5lVL/j8QyCCJe8YSMW30QvGZWaCIDIk= k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg= k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f/go.mod h1:byini6yhqGC14c3ebc/QwanvYwhuMWF6yz2F8uwW8eg= k8s.io/utils v0.0.0-20190221042446-c2654d5206da/go.mod h1:8k8uAuAQ0rXslZKaEWd0c3oVhZz7sSzSiPnVZayjIX0= k8s.io/utils v0.0.0-20200729134348-d5654de09c73/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20200912215256-4140de9c8800/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20210802155522-efc7438f0176/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= -k8s.io/utils v0.0.0-20210930125809-cb0fa318a74b/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20230209194617-a36077c30491 h1:r0BAOLElQnnFhE/ApUsg3iHdVYYPBjNSSOMowRZxxsY= k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= knative.dev/caching v0.0.0-20231129014048-3fefe85d37a2 h1:M9KP+LdwJHo00R9rM4vzXpXoTm7rKqKitDFqLjAnYUY= 
@@ -1431,7 +1362,6 @@ rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
 sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.9/go.mod h1:dzAXnQbTRyDlZPJX2SUPEqvnB+j7AJjtlox7PEwigU0=
 sigs.k8s.io/controller-runtime v0.7.2 h1:gD2JZp0bBLLuvSRYVNvox+bRCz1UUUxKDjPUCb56Ukk=
 sigs.k8s.io/controller-runtime v0.7.2/go.mod h1:pJ3YBrJiAqMAZKi6UVGuE98ZrroV1p+pIhoHsMm9wdU=
-sigs.k8s.io/json v0.0.0-20211020170558-c049b76a60c6/go.mod h1:p4QtZmO4uMYipTQNzagwnNoseA6OxSUutVw05NhYDRs=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v3 v3.0.0-20200116222232-67a7b8c61874/go.mod h1:PlARxl6Hbt/+BC80dRLi1qAmnMqwqDg62YvvVkZjemw=
diff --git a/third_party/VENDOR-LICENSE/istio.io/api/LICENSE b/third_party/VENDOR-LICENSE/istio.io/api/LICENSE
index 56e48aa37..bb7b19dec 100644
--- a/third_party/VENDOR-LICENSE/istio.io/api/LICENSE
+++ b/third_party/VENDOR-LICENSE/istio.io/api/LICENSE
@@ -187,7 +187,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright 2016-2020 Istio Authors
+   Copyright 2016-2022 Istio Authors
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.
diff --git a/third_party/VENDOR-LICENSE/istio.io/client-go/pkg/LICENSE b/third_party/VENDOR-LICENSE/istio.io/client-go/pkg/LICENSE
index 56e48aa37..bb7b19dec 100644
--- a/third_party/VENDOR-LICENSE/istio.io/client-go/pkg/LICENSE
+++ b/third_party/VENDOR-LICENSE/istio.io/client-go/pkg/LICENSE
@@ -187,7 +187,7 @@ same "printed page" as the copyright notice for easier identification within third-party archives. - Copyright 2016-2020 Istio Authors + Copyright 2016-2022 Istio Authors Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/vendor/istio.io/api/LICENSE b/vendor/istio.io/api/LICENSE index 56e48aa37..bb7b19dec 100644 --- a/vendor/istio.io/api/LICENSE +++ b/vendor/istio.io/api/LICENSE @@ -187,7 +187,7 @@ same "printed page" as the copyright notice for easier identification within third-party archives. - Copyright 2016-2020 Istio Authors + Copyright 2016-2022 Istio Authors Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/vendor/istio.io/api/analysis/v1alpha1/message.pb.go b/vendor/istio.io/api/analysis/v1alpha1/message.pb.go index 411f14cc5..9d3b1aa7b 100644 --- a/vendor/istio.io/api/analysis/v1alpha1/message.pb.go +++ b/vendor/istio.io/api/analysis/v1alpha1/message.pb.go @@ -14,7 +14,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.27.1 +// protoc-gen-go v1.30.0 // protoc (unknown) // source: analysis/v1alpha1/message.proto diff --git a/vendor/istio.io/api/analysis/v1alpha1/message.pb.html b/vendor/istio.io/api/analysis/v1alpha1/message.pb.html index 5d9640a7a..bd53f75ea 100644 --- a/vendor/istio.io/api/analysis/v1alpha1/message.pb.html +++ b/vendor/istio.io/api/analysis/v1alpha1/message.pb.html @@ -104,7 +104,7 @@

AnalysisMessageWeakSchema

template string -

A go-style template string (https://golang.org/pkg/fmt/#hdr-Printing) +

A go-style template string (https://golang.org/pkg/fmt/#hdr-Printing) defining how to combine the args for a particular message into a log line. Required.

@@ -173,10 +173,10 @@

GenericAnalysisMessage

string[]

A list of strings specifying the resource identifiers that were the cause -of message generation. A “path” here is a (NAMESPACE\/)?RESOURCETYPE/NAME +of message generation. A “path” here is a (NAMESPACE/)?RESOURCETYPE/NAME tuple that uniquely identifies a particular resource. There doesn’t seem to be a single concept for this, but this is intuitively taken from -https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology +https://kubernetes.io/docs/reference/using-api/api-concepts/#standard-api-terminology At least one is required.

diff --git a/vendor/istio.io/api/analysis/v1alpha1/message_deepcopy.gen.go b/vendor/istio.io/api/analysis/v1alpha1/message_deepcopy.gen.go index 3d0a97919..5419f20bb 100644 --- a/vendor/istio.io/api/analysis/v1alpha1/message_deepcopy.gen.go +++ b/vendor/istio.io/api/analysis/v1alpha1/message_deepcopy.gen.go @@ -2,7 +2,7 @@ package v1alpha1 import ( - proto "github.com/golang/protobuf/proto" + proto "google.golang.org/protobuf/proto" ) // DeepCopyInto supports using AnalysisMessageBase within kubernetes types, where deepcopy-gen is used. diff --git a/vendor/istio.io/api/extensions/v1alpha1/wasm.gen.json b/vendor/istio.io/api/extensions/v1alpha1/wasm.gen.json index 6df220625..80e9e0c29 100644 --- a/vendor/istio.io/api/extensions/v1alpha1/wasm.gen.json +++ b/vendor/istio.io/api/extensions/v1alpha1/wasm.gen.json @@ -40,7 +40,7 @@ ] }, "istio.extensions.v1alpha1.PullPolicy": { - "description": "The pull behaviour to be applied when fetching an OCI image, mirroring K8s behaviour.", + "description": "The pull behaviour to be applied when fetching a Wam module, mirroring K8s behaviour.", "type": "string", "enum": [ "UNSPECIFIED_POLICY", @@ -84,7 +84,7 @@ "type": "string" }, "verificationKey": { - "description": "Public key that will be used to verify signatures of signed OCI images or Wasm modules. Must be supplied in PEM format.", + "description": "Public key that will be used to verify signatures of signed OCI images or Wasm modules.", "type": "string" }, "pluginConfig": { 
@@ -105,9 +105,52 @@ }, "vmConfig": { "$ref": "#/components/schemas/istio.extensions.v1alpha1.VmConfig" + }, + "match": { + "description": "Specifies the criteria to determine which traffic is passed to WasmPlugin. If a traffic satisfies any of TrafficSelectors, the traffic passes the WasmPlugin.", + "type": "array", + "items": { + "$ref": "#/components/schemas/istio.extensions.v1alpha1.WasmPlugin.TrafficSelector" + } + } + } + }, + "istio.extensions.v1alpha1.WasmPlugin.TrafficSelector": { + "description": "TrafficSelector provides a mechanism to select a specific traffic flow for which this Wasm Plugin will be enabled. When all the sub conditions in the TrafficSelector are satisfied, the traffic will be selected.", + "type": "object", + "properties": { + "mode": { + "$ref": "#/components/schemas/istio.type.v1beta1.WorkloadMode" + }, + "ports": { + "description": "Criteria for selecting traffic by their destination port. More specifically, for the outbound traffic, the destination port would be the port of the target service. On the other hand, for the inbound traffic, the destiation port is the port bound by the server process in the same Pod.", + "type": "array", + "items": { + "$ref": "#/components/schemas/istio.type.v1beta1.PortSelector" + } } } }, + "istio.type.v1beta1.PortSelector": { + "description": "PortSelector is the criteria for specifying if a policy can be applied to a listener having a specific port.", + "type": "object", + "properties": { + "number": { + "description": "Port number", + "type": "integer" + } + } + }, + "istio.type.v1beta1.WorkloadMode": { + "description": "WorkloadMode allows selection of the role of the underlying workload in network traffic. A workload is considered as acting as a SERVER if it is the destination of the traffic (that is, traffic direction, from the perspective of the workload is *inbound*). 
If the workload is the source of the network traffic, it is considered to be in CLIENT mode (traffic is *outbound* from the workload).", + "type": "string", + "enum": [ + "UNDEFINED", + "CLIENT", + "SERVER", + "CLIENT_AND_SERVER" + ] + }, "istio.type.v1beta1.WorkloadSelector": { "description": "WorkloadSelector specifies the criteria used to determine if a policy can be applied to a proxy. The matching criteria includes the metadata associated with a proxy, workload instance info such as labels attached to the pod/VM, or any other info that the proxy provides to Istio during the initial handshake. If multiple conditions are specified, all conditions need to match in order for the workload instance to be selected. Currently, only label based selection mechanism is supported.", "type": "object", diff --git a/vendor/istio.io/api/extensions/v1alpha1/wasm.pb.go b/vendor/istio.io/api/extensions/v1alpha1/wasm.pb.go index 196293eed..f83dc3d71 100644 --- a/vendor/istio.io/api/extensions/v1alpha1/wasm.pb.go +++ b/vendor/istio.io/api/extensions/v1alpha1/wasm.pb.go @@ -14,7 +14,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.27.1 +// protoc-gen-go v1.30.0 // protoc (unknown) // source: extensions/v1alpha1/wasm.proto @@ -66,7 +66,7 @@ // namespace: istio-ingress // spec: // selector: -// labels: +// matchLabels: // istio: ingressgateway // url: oci://private-registry:5000/openid-connect/openid:latest // imagePullPolicy: IfNotPresent @@ -87,7 +87,7 @@ // namespace: istio-ingress // spec: // selector: -// labels: +// matchLabels: // istio: ingressgateway // url: oci://private-registry:5000/openid-connect/openid:latest // imagePullPolicy: IfNotPresent 
@@ -104,6 +104,31 @@ // value: "cluster.local" // ``` // +// This is also the same as the last example, but the Wasm module is pulled via https and updated for each time when this plugin resource is changed. +// ```yaml +// apiVersion: extensions.istio.io/v1alpha1 +// kind: WasmPlugin +// metadata: +// name: openid-connect +// namespace: istio-ingress +// spec: +// selector: +// matchLabels: +// istio: ingressgateway +// url: https://private-bucket/filters/openid.wasm +// imagePullPolicy: Always +// phase: AUTHN +// pluginConfig: +// openid_server: authn +// openid_realm: ingress +// vmConfig: +// env: +// - name: POD_NAME +// valueFrom: HOST +// - name: TRUST_DOMAIN +// value: "cluster.local" +// ``` +// // And a more complex example that deploys three WasmPlugins and orders them // using `phase` and `priority`. The (hypothetical) setup is that the // `openid-connect` filter performs an OpenID Connect flow to authenticate the 
@@ -258,7 +283,7 @@ func (PluginPhase) EnumDescriptor() ([]byte, []int) { return file_extensions_v1alpha1_wasm_proto_rawDescGZIP(), []int{0} } -// The pull behaviour to be applied when fetching an OCI image, +// The pull behaviour to be applied when fetching a Wam module, // mirroring K8s behaviour. // // +// +// +// +type AuthorizationPolicy struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Optional. The selector decides where to apply the authorization policy. The selector will match with workloads + // in the same namespace as the authorization policy. If the authorization policy is in the root namespace, the selector + // will additionally match with workloads in all namespaces. + // + // If not set, the selector will match all workloads. + Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"` + // Optional. A list of rules to match the request. A match occurs when at least one rule matches the request. + // + // If not set, the match will never occur. This is equivalent to setting a default of deny for the target workloads if + // the action is ALLOW. + Rules []*Rule `protobuf:"bytes,2,rep,name=rules,proto3" json:"rules,omitempty"` + // Optional. The action to take if the request is matched with the rules. Default is ALLOW if not specified. 
+ Action AuthorizationPolicy_Action `protobuf:"varint,3,opt,name=action,proto3,enum=istio.security.v1.AuthorizationPolicy_Action" json:"action,omitempty"` + // Types that are assignable to ActionDetail: + // + // *AuthorizationPolicy_Provider + ActionDetail isAuthorizationPolicy_ActionDetail `protobuf_oneof:"action_detail"` +} + +func (x *AuthorizationPolicy) Reset() { + *x = AuthorizationPolicy{} + if protoimpl.UnsafeEnabled { + mi := &file_security_v1_authorization_policy_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *AuthorizationPolicy) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*AuthorizationPolicy) ProtoMessage() {} + +func (x *AuthorizationPolicy) ProtoReflect() protoreflect.Message { + mi := &file_security_v1_authorization_policy_proto_msgTypes[0] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use AuthorizationPolicy.ProtoReflect.Descriptor instead. 
+func (*AuthorizationPolicy) Descriptor() ([]byte, []int) { + return file_security_v1_authorization_policy_proto_rawDescGZIP(), []int{0} +} + +func (x *AuthorizationPolicy) GetSelector() *v1beta1.WorkloadSelector { + if x != nil { + return x.Selector + } + return nil +} + +func (x *AuthorizationPolicy) GetRules() []*Rule { + if x != nil { + return x.Rules + } + return nil +} + +func (x *AuthorizationPolicy) GetAction() AuthorizationPolicy_Action { + if x != nil { + return x.Action + } + return AuthorizationPolicy_ALLOW +} + +func (m *AuthorizationPolicy) GetActionDetail() isAuthorizationPolicy_ActionDetail { + if m != nil { + return m.ActionDetail + } + return nil +} + +func (x *AuthorizationPolicy) GetProvider() *AuthorizationPolicy_ExtensionProvider { + if x, ok := x.GetActionDetail().(*AuthorizationPolicy_Provider); ok { + return x.Provider + } + return nil +} + +type isAuthorizationPolicy_ActionDetail interface { + isAuthorizationPolicy_ActionDetail() +} + +type AuthorizationPolicy_Provider struct { + // Specifies detailed configuration of the CUSTOM action. Must be used only with CUSTOM action. + Provider *AuthorizationPolicy_ExtensionProvider `protobuf:"bytes,4,opt,name=provider,proto3,oneof"` +} + +func (*AuthorizationPolicy_Provider) isAuthorizationPolicy_ActionDetail() {} + +// Rule matches requests from a list of sources that perform a list of operations subject to a +// list of conditions. A match occurs when at least one source, one operation and all conditions +// matches the request. An empty rule is always matched. +// +// Any string field in the rule supports Exact, Prefix, Suffix and Presence match: +// +// - Exact match: "abc" will match on value "abc". +// - Prefix match: "abc*" will match on value "abc" and "abcd". +// - Suffix match: "*abc" will match on value "abc" and "xabc". +// - Presence match: "*" will match when value is not empty. 
+type Rule struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Optional. from specifies the source of a request. + // + // If not set, any source is allowed. + From []*Rule_From `protobuf:"bytes,1,rep,name=from,proto3" json:"from,omitempty"` + // Optional. to specifies the operation of a request. + // + // If not set, any operation is allowed. + To []*Rule_To `protobuf:"bytes,2,rep,name=to,proto3" json:"to,omitempty"` + // Optional. when specifies a list of additional conditions of a request. + // + // If not set, any condition is allowed. + When []*Condition `protobuf:"bytes,3,rep,name=when,proto3" json:"when,omitempty"` +} + +func (x *Rule) Reset() { + *x = Rule{} + if protoimpl.UnsafeEnabled { + mi := &file_security_v1_authorization_policy_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *Rule) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*Rule) ProtoMessage() {} + +func (x *Rule) ProtoReflect() protoreflect.Message { + mi := &file_security_v1_authorization_policy_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use Rule.ProtoReflect.Descriptor instead. +func (*Rule) Descriptor() ([]byte, []int) { + return file_security_v1_authorization_policy_proto_rawDescGZIP(), []int{1} +} + +func (x *Rule) GetFrom() []*Rule_From { + if x != nil { + return x.From + } + return nil +} + +func (x *Rule) GetTo() []*Rule_To { + if x != nil { + return x.To + } + return nil +} + +func (x *Rule) GetWhen() []*Condition { + if x != nil { + return x.When + } + return nil +} + +// Source specifies the source identities of a request. Fields in the source are +// ANDed together. 
+// +// For example, the following source matches if the principal is "admin" or "dev" +// and the namespace is "prod" or "test" and the ip is not "203.0.113.4". +// +// ```yaml +// principals: ["admin", "dev"] +// namespaces: ["prod", "test"] +// notIpBlocks: ["203.0.113.4"] +// ``` +type Source struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Optional. A list of peer identities derived from the peer certificate. The peer identity is in the format of + // `"/ns//sa/"`, for example, `"cluster.local/ns/default/sa/productpage"`. + // This field requires mTLS enabled and is the same as the `source.principal` attribute. + // + // If not set, any principal is allowed. + Principals []string `protobuf:"bytes,1,rep,name=principals,proto3" json:"principals,omitempty"` + // Optional. A list of negative match of peer identities. + NotPrincipals []string `protobuf:"bytes,5,rep,name=not_principals,json=notPrincipals,proto3" json:"not_principals,omitempty"` + // Optional. A list of request identities derived from the JWT. The request identity is in the format of + // `"/"`, for example, `"example.com/sub-1"`. This field requires request authentication enabled and is the + // same as the `request.auth.principal` attribute. + // + // If not set, any request principal is allowed. + RequestPrincipals []string `protobuf:"bytes,2,rep,name=request_principals,json=requestPrincipals,proto3" json:"request_principals,omitempty"` + // Optional. A list of negative match of request identities. + NotRequestPrincipals []string `protobuf:"bytes,6,rep,name=not_request_principals,json=notRequestPrincipals,proto3" json:"not_request_principals,omitempty"` + // Optional. A list of namespaces derived from the peer certificate. + // This field requires mTLS enabled and is the same as the `source.namespace` attribute. + // + // If not set, any namespace is allowed. 
+ Namespaces []string `protobuf:"bytes,3,rep,name=namespaces,proto3" json:"namespaces,omitempty"` + // Optional. A list of negative match of namespaces. + NotNamespaces []string `protobuf:"bytes,7,rep,name=not_namespaces,json=notNamespaces,proto3" json:"not_namespaces,omitempty"` + // Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. "203.0.113.4") and + // CIDR (e.g. "203.0.113.0/24") are supported. This is the same as the `source.ip` attribute. + // + // If not set, any IP is allowed. + IpBlocks []string `protobuf:"bytes,4,rep,name=ip_blocks,json=ipBlocks,proto3" json:"ip_blocks,omitempty"` + // Optional. A list of negative match of IP blocks. + NotIpBlocks []string `protobuf:"bytes,8,rep,name=not_ip_blocks,json=notIpBlocks,proto3" json:"not_ip_blocks,omitempty"` + // Optional. A list of IP blocks, populated from X-Forwarded-For header or proxy protocol. + // To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig + // when you install Istio or using an annotation on the ingress gateway. See the documentation here: + // [Configuring Gateway Network Topology](https://istio.io/latest/docs/ops/configuration/traffic-management/network-topologies/). + // Single IP (e.g. "203.0.113.4") and CIDR (e.g. "203.0.113.0/24") are supported. + // This is the same as the `remote.ip` attribute. + // + // If not set, any IP is allowed. + RemoteIpBlocks []string `protobuf:"bytes,9,rep,name=remote_ip_blocks,json=remoteIpBlocks,proto3" json:"remote_ip_blocks,omitempty"` + // Optional. A list of negative match of remote IP blocks. 
+ NotRemoteIpBlocks []string `protobuf:"bytes,10,rep,name=not_remote_ip_blocks,json=notRemoteIpBlocks,proto3" json:"not_remote_ip_blocks,omitempty"` +} + +func (x *Source) Reset() { + *x = Source{} + if protoimpl.UnsafeEnabled { + mi := &file_security_v1_authorization_policy_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *Source) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*Source) ProtoMessage() {} + +func (x *Source) ProtoReflect() protoreflect.Message { + mi := &file_security_v1_authorization_policy_proto_msgTypes[2] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use Source.ProtoReflect.Descriptor instead. +func (*Source) Descriptor() ([]byte, []int) { + return file_security_v1_authorization_policy_proto_rawDescGZIP(), []int{2} +} + +func (x *Source) GetPrincipals() []string { + if x != nil { + return x.Principals + } + return nil +} + +func (x *Source) GetNotPrincipals() []string { + if x != nil { + return x.NotPrincipals + } + return nil +} + +func (x *Source) GetRequestPrincipals() []string { + if x != nil { + return x.RequestPrincipals + } + return nil +} + +func (x *Source) GetNotRequestPrincipals() []string { + if x != nil { + return x.NotRequestPrincipals + } + return nil +} + +func (x *Source) GetNamespaces() []string { + if x != nil { + return x.Namespaces + } + return nil +} + +func (x *Source) GetNotNamespaces() []string { + if x != nil { + return x.NotNamespaces + } + return nil +} + +func (x *Source) GetIpBlocks() []string { + if x != nil { + return x.IpBlocks + } + return nil +} + +func (x *Source) GetNotIpBlocks() []string { + if x != nil { + return x.NotIpBlocks + } + return nil +} + +func (x *Source) GetRemoteIpBlocks() []string { + if x != nil { + return x.RemoteIpBlocks 
+ } + return nil +} + +func (x *Source) GetNotRemoteIpBlocks() []string { + if x != nil { + return x.NotRemoteIpBlocks + } + return nil +} + +// Operation specifies the operations of a request. Fields in the operation are +// ANDed together. +// +// For example, the following operation matches if the host has suffix ".example.com" +// and the method is "GET" or "HEAD" and the path doesn't have prefix "/admin". +// +// ```yaml +// hosts: ["*.example.com"] +// methods: ["GET", "HEAD"] +// notPaths: ["/admin*"] +// ``` +type Operation struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Optional. A list of hosts as specified in the HTTP request. The match is case-insensitive. + // See the [security best practices](https://istio.io/latest/docs/ops/best-practices/security/#writing-host-match-policies) for + // recommended usage of this field. + // + // If not set, any host is allowed. Must be used only with HTTP. + Hosts []string `protobuf:"bytes,1,rep,name=hosts,proto3" json:"hosts,omitempty"` + // Optional. A list of negative match of hosts as specified in the HTTP request. The match is case-insensitive. + NotHosts []string `protobuf:"bytes,5,rep,name=not_hosts,json=notHosts,proto3" json:"not_hosts,omitempty"` + // Optional. A list of ports as specified in the connection. + // + // If not set, any port is allowed. + Ports []string `protobuf:"bytes,2,rep,name=ports,proto3" json:"ports,omitempty"` + // Optional. A list of negative match of ports as specified in the connection. + NotPorts []string `protobuf:"bytes,6,rep,name=not_ports,json=notPorts,proto3" json:"not_ports,omitempty"` + // Optional. A list of methods as specified in the HTTP request. + // For gRPC service, this will always be "POST". + // + // If not set, any method is allowed. Must be used only with HTTP. + Methods []string `protobuf:"bytes,3,rep,name=methods,proto3" json:"methods,omitempty"` + // Optional. 
A list of negative match of methods as specified in the HTTP request. + NotMethods []string `protobuf:"bytes,7,rep,name=not_methods,json=notMethods,proto3" json:"not_methods,omitempty"` + // Optional. A list of paths as specified in the HTTP request. See the [Authorization Policy Normalization](https://istio.io/latest/docs/reference/config/security/normalization/) + // for details of the path normalization. + // For gRPC service, this will be the fully-qualified name in the form of "/package.service/method". + // + // If not set, any path is allowed. Must be used only with HTTP. + Paths []string `protobuf:"bytes,4,rep,name=paths,proto3" json:"paths,omitempty"` + // Optional. A list of negative match of paths. + NotPaths []string `protobuf:"bytes,8,rep,name=not_paths,json=notPaths,proto3" json:"not_paths,omitempty"` +} + +func (x *Operation) Reset() { + *x = Operation{} + if protoimpl.UnsafeEnabled { + mi := &file_security_v1_authorization_policy_proto_msgTypes[3] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *Operation) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*Operation) ProtoMessage() {} + +func (x *Operation) ProtoReflect() protoreflect.Message { + mi := &file_security_v1_authorization_policy_proto_msgTypes[3] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use Operation.ProtoReflect.Descriptor instead. 
+func (*Operation) Descriptor() ([]byte, []int) { + return file_security_v1_authorization_policy_proto_rawDescGZIP(), []int{3} +} + +func (x *Operation) GetHosts() []string { + if x != nil { + return x.Hosts + } + return nil +} + +func (x *Operation) GetNotHosts() []string { + if x != nil { + return x.NotHosts + } + return nil +} + +func (x *Operation) GetPorts() []string { + if x != nil { + return x.Ports + } + return nil +} + +func (x *Operation) GetNotPorts() []string { + if x != nil { + return x.NotPorts + } + return nil +} + +func (x *Operation) GetMethods() []string { + if x != nil { + return x.Methods + } + return nil +} + +func (x *Operation) GetNotMethods() []string { + if x != nil { + return x.NotMethods + } + return nil +} + +func (x *Operation) GetPaths() []string { + if x != nil { + return x.Paths + } + return nil +} + +func (x *Operation) GetNotPaths() []string { + if x != nil { + return x.NotPaths + } + return nil +} + +// Condition specifies additional required attributes. +type Condition struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The name of an Istio attribute. + // See the [full list of supported attributes](https://istio.io/docs/reference/config/security/conditions/). + Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"` + // Optional. A list of allowed values for the attribute. + // Note: at least one of values or not_values must be set. + Values []string `protobuf:"bytes,2,rep,name=values,proto3" json:"values,omitempty"` + // Optional. A list of negative match of values for the attribute. + // Note: at least one of values or not_values must be set. 
+ NotValues []string `protobuf:"bytes,3,rep,name=not_values,json=notValues,proto3" json:"not_values,omitempty"` +} + +func (x *Condition) Reset() { + *x = Condition{} + if protoimpl.UnsafeEnabled { + mi := &file_security_v1_authorization_policy_proto_msgTypes[4] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *Condition) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*Condition) ProtoMessage() {} + +func (x *Condition) ProtoReflect() protoreflect.Message { + mi := &file_security_v1_authorization_policy_proto_msgTypes[4] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use Condition.ProtoReflect.Descriptor instead. +func (*Condition) Descriptor() ([]byte, []int) { + return file_security_v1_authorization_policy_proto_rawDescGZIP(), []int{4} +} + +func (x *Condition) GetKey() string { + if x != nil { + return x.Key + } + return "" +} + +func (x *Condition) GetValues() []string { + if x != nil { + return x.Values + } + return nil +} + +func (x *Condition) GetNotValues() []string { + if x != nil { + return x.NotValues + } + return nil +} + +type AuthorizationPolicy_ExtensionProvider struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Specifies the name of the extension provider. The list of available providers is defined in the MeshConfig. + // Note, currently at most 1 extension provider is allowed per workload. Different workloads can use different extension provider. 
+ Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` +} + +func (x *AuthorizationPolicy_ExtensionProvider) Reset() { + *x = AuthorizationPolicy_ExtensionProvider{} + if protoimpl.UnsafeEnabled { + mi := &file_security_v1_authorization_policy_proto_msgTypes[5] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *AuthorizationPolicy_ExtensionProvider) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*AuthorizationPolicy_ExtensionProvider) ProtoMessage() {} + +func (x *AuthorizationPolicy_ExtensionProvider) ProtoReflect() protoreflect.Message { + mi := &file_security_v1_authorization_policy_proto_msgTypes[5] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use AuthorizationPolicy_ExtensionProvider.ProtoReflect.Descriptor instead. +func (*AuthorizationPolicy_ExtensionProvider) Descriptor() ([]byte, []int) { + return file_security_v1_authorization_policy_proto_rawDescGZIP(), []int{0, 0} +} + +func (x *AuthorizationPolicy_ExtensionProvider) GetName() string { + if x != nil { + return x.Name + } + return "" +} + +// From includes a list of sources. +type Rule_From struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Source specifies the source of a request. 
+ Source *Source `protobuf:"bytes,1,opt,name=source,proto3" json:"source,omitempty"` +} + +func (x *Rule_From) Reset() { + *x = Rule_From{} + if protoimpl.UnsafeEnabled { + mi := &file_security_v1_authorization_policy_proto_msgTypes[6] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *Rule_From) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*Rule_From) ProtoMessage() {} + +func (x *Rule_From) ProtoReflect() protoreflect.Message { + mi := &file_security_v1_authorization_policy_proto_msgTypes[6] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use Rule_From.ProtoReflect.Descriptor instead. +func (*Rule_From) Descriptor() ([]byte, []int) { + return file_security_v1_authorization_policy_proto_rawDescGZIP(), []int{1, 0} +} + +func (x *Rule_From) GetSource() *Source { + if x != nil { + return x.Source + } + return nil +} + +// To includes a list of operations. +type Rule_To struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Operation specifies the operation of a request. 
+ Operation *Operation `protobuf:"bytes,1,opt,name=operation,proto3" json:"operation,omitempty"` +} + +func (x *Rule_To) Reset() { + *x = Rule_To{} + if protoimpl.UnsafeEnabled { + mi := &file_security_v1_authorization_policy_proto_msgTypes[7] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *Rule_To) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*Rule_To) ProtoMessage() {} + +func (x *Rule_To) ProtoReflect() protoreflect.Message { + mi := &file_security_v1_authorization_policy_proto_msgTypes[7] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use Rule_To.ProtoReflect.Descriptor instead. +func (*Rule_To) Descriptor() ([]byte, []int) { + return file_security_v1_authorization_policy_proto_rawDescGZIP(), []int{1, 1} +} + +func (x *Rule_To) GetOperation() *Operation { + if x != nil { + return x.Operation + } + return nil +} + +var File_security_v1_authorization_policy_proto protoreflect.FileDescriptor + +var file_security_v1_authorization_policy_proto_rawDesc = []byte{ + 0x0a, 0x26, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x2f, 0x61, 0x75, + 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x70, 0x6f, 0x6c, 0x69, + 0x63, 0x79, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x11, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, + 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, + 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, + 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1b, 0x74, 0x79, + 0x70, 0x65, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x73, 0x65, 0x6c, 0x65, 0x63, + 0x74, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x95, 0x03, 0x0a, 
0x13, 0x41, 0x75, + 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x12, 0x40, 0x0a, 0x08, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x79, 0x70, 0x65, + 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, + 0x64, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x52, 0x08, 0x73, 0x65, 0x6c, 0x65, 0x63, + 0x74, 0x6f, 0x72, 0x12, 0x2d, 0x0a, 0x05, 0x72, 0x75, 0x6c, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, + 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, + 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x75, 0x6c, 0x65, 0x52, 0x05, 0x72, 0x75, 0x6c, + 0x65, 0x73, 0x12, 0x45, 0x0a, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x03, 0x20, 0x01, + 0x28, 0x0e, 0x32, 0x2d, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, + 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x41, 0x63, 0x74, 0x69, 0x6f, + 0x6e, 0x52, 0x06, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x56, 0x0a, 0x08, 0x70, 0x72, 0x6f, + 0x76, 0x69, 0x64, 0x65, 0x72, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x38, 0x2e, 0x69, 0x73, + 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, + 0x41, 0x75, 0x74, 0x68, 0x6f, 0x72, 0x69, 0x7a, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x50, 0x6f, 0x6c, + 0x69, 0x63, 0x79, 0x2e, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x72, 0x6f, + 0x76, 0x69, 0x64, 0x65, 0x72, 0x48, 0x00, 0x52, 0x08, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, + 0x72, 0x1a, 0x27, 0x0a, 0x11, 0x45, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x50, 0x72, + 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, + 0x20, 0x01, 0x28, 
0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x22, 0x34, 0x0a, 0x06, 0x41, 0x63, + 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x4c, 0x4c, 0x4f, 0x57, 0x10, 0x00, 0x12, + 0x08, 0x0a, 0x04, 0x44, 0x45, 0x4e, 0x59, 0x10, 0x01, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x55, 0x44, + 0x49, 0x54, 0x10, 0x02, 0x12, 0x0a, 0x0a, 0x06, 0x43, 0x55, 0x53, 0x54, 0x4f, 0x4d, 0x10, 0x03, + 0x42, 0x0f, 0x0a, 0x0d, 0x61, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x5f, 0x64, 0x65, 0x74, 0x61, 0x69, + 0x6c, 0x22, 0x93, 0x02, 0x0a, 0x04, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x30, 0x0a, 0x04, 0x66, 0x72, + 0x6f, 0x6d, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, + 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x75, 0x6c, + 0x65, 0x2e, 0x46, 0x72, 0x6f, 0x6d, 0x52, 0x04, 0x66, 0x72, 0x6f, 0x6d, 0x12, 0x2a, 0x0a, 0x02, + 0x74, 0x6f, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, + 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x52, 0x75, 0x6c, + 0x65, 0x2e, 0x54, 0x6f, 0x52, 0x02, 0x74, 0x6f, 0x12, 0x30, 0x0a, 0x04, 0x77, 0x68, 0x65, 0x6e, + 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, + 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x6f, 0x6e, 0x64, 0x69, + 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x04, 0x77, 0x68, 0x65, 0x6e, 0x1a, 0x39, 0x0a, 0x04, 0x46, 0x72, + 0x6f, 0x6d, 0x12, 0x31, 0x0a, 0x06, 0x73, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x18, 0x01, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, + 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x06, 0x73, + 0x6f, 0x75, 0x72, 0x63, 0x65, 0x1a, 0x40, 0x0a, 0x02, 0x54, 0x6f, 0x12, 0x3a, 0x0a, 0x09, 0x6f, + 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, + 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 
0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, + 0x76, 0x31, 0x2e, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x09, 0x6f, 0x70, + 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x22, 0x97, 0x03, 0x0a, 0x06, 0x53, 0x6f, 0x75, 0x72, + 0x63, 0x65, 0x12, 0x1e, 0x0a, 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x73, + 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, + 0x6c, 0x73, 0x12, 0x25, 0x0a, 0x0e, 0x6e, 0x6f, 0x74, 0x5f, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, + 0x70, 0x61, 0x6c, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0d, 0x6e, 0x6f, 0x74, 0x50, + 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x73, 0x12, 0x2d, 0x0a, 0x12, 0x72, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x5f, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x73, 0x18, + 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x11, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x50, 0x72, + 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x73, 0x12, 0x34, 0x0a, 0x16, 0x6e, 0x6f, 0x74, 0x5f, + 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x70, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, + 0x6c, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x09, 0x52, 0x14, 0x6e, 0x6f, 0x74, 0x52, 0x65, 0x71, + 0x75, 0x65, 0x73, 0x74, 0x50, 0x72, 0x69, 0x6e, 0x63, 0x69, 0x70, 0x61, 0x6c, 0x73, 0x12, 0x1e, + 0x0a, 0x0a, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x73, 0x18, 0x03, 0x20, 0x03, + 0x28, 0x09, 0x52, 0x0a, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x73, 0x12, 0x25, + 0x0a, 0x0e, 0x6e, 0x6f, 0x74, 0x5f, 0x6e, 0x61, 0x6d, 0x65, 0x73, 0x70, 0x61, 0x63, 0x65, 0x73, + 0x18, 0x07, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0d, 0x6e, 0x6f, 0x74, 0x4e, 0x61, 0x6d, 0x65, 0x73, + 0x70, 0x61, 0x63, 0x65, 0x73, 0x12, 0x1b, 0x0a, 0x09, 0x69, 0x70, 0x5f, 0x62, 0x6c, 0x6f, 0x63, + 0x6b, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x69, 0x70, 0x42, 0x6c, 0x6f, 0x63, + 0x6b, 0x73, 0x12, 0x22, 0x0a, 0x0d, 0x6e, 0x6f, 0x74, 0x5f, 0x69, 0x70, 0x5f, 0x62, 0x6c, 
0x6f, + 0x63, 0x6b, 0x73, 0x18, 0x08, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0b, 0x6e, 0x6f, 0x74, 0x49, 0x70, + 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x73, 0x12, 0x28, 0x0a, 0x10, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, + 0x5f, 0x69, 0x70, 0x5f, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x73, 0x18, 0x09, 0x20, 0x03, 0x28, 0x09, + 0x52, 0x0e, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x49, 0x70, 0x42, 0x6c, 0x6f, 0x63, 0x6b, 0x73, + 0x12, 0x2f, 0x0a, 0x14, 0x6e, 0x6f, 0x74, 0x5f, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x5f, 0x69, + 0x70, 0x5f, 0x62, 0x6c, 0x6f, 0x63, 0x6b, 0x73, 0x18, 0x0a, 0x20, 0x03, 0x28, 0x09, 0x52, 0x11, + 0x6e, 0x6f, 0x74, 0x52, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x49, 0x70, 0x42, 0x6c, 0x6f, 0x63, 0x6b, + 0x73, 0x22, 0xdf, 0x01, 0x0a, 0x09, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, + 0x14, 0x0a, 0x05, 0x68, 0x6f, 0x73, 0x74, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, + 0x68, 0x6f, 0x73, 0x74, 0x73, 0x12, 0x1b, 0x0a, 0x09, 0x6e, 0x6f, 0x74, 0x5f, 0x68, 0x6f, 0x73, + 0x74, 0x73, 0x18, 0x05, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x6e, 0x6f, 0x74, 0x48, 0x6f, 0x73, + 0x74, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x70, 0x6f, 0x72, 0x74, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, + 0x09, 0x52, 0x05, 0x70, 0x6f, 0x72, 0x74, 0x73, 0x12, 0x1b, 0x0a, 0x09, 0x6e, 0x6f, 0x74, 0x5f, + 0x70, 0x6f, 0x72, 0x74, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x6e, 0x6f, 0x74, + 0x50, 0x6f, 0x72, 0x74, 0x73, 0x12, 0x18, 0x0a, 0x07, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x73, + 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x73, 0x12, + 0x1f, 0x0a, 0x0b, 0x6e, 0x6f, 0x74, 0x5f, 0x6d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x73, 0x18, 0x07, + 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a, 0x6e, 0x6f, 0x74, 0x4d, 0x65, 0x74, 0x68, 0x6f, 0x64, 0x73, + 0x12, 0x14, 0x0a, 0x05, 0x70, 0x61, 0x74, 0x68, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, + 0x05, 0x70, 0x61, 0x74, 0x68, 0x73, 0x12, 0x1b, 0x0a, 0x09, 0x6e, 0x6f, 0x74, 0x5f, 0x70, 0x61, + 0x74, 0x68, 0x73, 0x18, 0x08, 
0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x6e, 0x6f, 0x74, 0x50, 0x61, + 0x74, 0x68, 0x73, 0x22, 0x59, 0x0a, 0x09, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, + 0x12, 0x15, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, + 0x41, 0x02, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x16, 0x0a, 0x06, 0x76, 0x61, 0x6c, 0x75, 0x65, + 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x12, + 0x1d, 0x0a, 0x0a, 0x6e, 0x6f, 0x74, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x18, 0x03, 0x20, + 0x03, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x6f, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x42, 0x1a, + 0x5a, 0x18, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x73, + 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x33, +} + +var ( + file_security_v1_authorization_policy_proto_rawDescOnce sync.Once + file_security_v1_authorization_policy_proto_rawDescData = file_security_v1_authorization_policy_proto_rawDesc +) + +func file_security_v1_authorization_policy_proto_rawDescGZIP() []byte { + file_security_v1_authorization_policy_proto_rawDescOnce.Do(func() { + file_security_v1_authorization_policy_proto_rawDescData = protoimpl.X.CompressGZIP(file_security_v1_authorization_policy_proto_rawDescData) + }) + return file_security_v1_authorization_policy_proto_rawDescData +} + +var file_security_v1_authorization_policy_proto_enumTypes = make([]protoimpl.EnumInfo, 1) +var file_security_v1_authorization_policy_proto_msgTypes = make([]protoimpl.MessageInfo, 8) +var file_security_v1_authorization_policy_proto_goTypes = []interface{}{ + (AuthorizationPolicy_Action)(0), // 0: istio.security.v1.AuthorizationPolicy.Action + (*AuthorizationPolicy)(nil), // 1: istio.security.v1.AuthorizationPolicy + (*Rule)(nil), // 2: istio.security.v1.Rule + (*Source)(nil), // 3: istio.security.v1.Source + (*Operation)(nil), // 4: istio.security.v1.Operation + 
(*Condition)(nil), // 5: istio.security.v1.Condition + (*AuthorizationPolicy_ExtensionProvider)(nil), // 6: istio.security.v1.AuthorizationPolicy.ExtensionProvider + (*Rule_From)(nil), // 7: istio.security.v1.Rule.From + (*Rule_To)(nil), // 8: istio.security.v1.Rule.To + (*v1beta1.WorkloadSelector)(nil), // 9: istio.type.v1beta1.WorkloadSelector +} +var file_security_v1_authorization_policy_proto_depIdxs = []int32{ + 9, // 0: istio.security.v1.AuthorizationPolicy.selector:type_name -> istio.type.v1beta1.WorkloadSelector + 2, // 1: istio.security.v1.AuthorizationPolicy.rules:type_name -> istio.security.v1.Rule + 0, // 2: istio.security.v1.AuthorizationPolicy.action:type_name -> istio.security.v1.AuthorizationPolicy.Action + 6, // 3: istio.security.v1.AuthorizationPolicy.provider:type_name -> istio.security.v1.AuthorizationPolicy.ExtensionProvider + 7, // 4: istio.security.v1.Rule.from:type_name -> istio.security.v1.Rule.From + 8, // 5: istio.security.v1.Rule.to:type_name -> istio.security.v1.Rule.To + 5, // 6: istio.security.v1.Rule.when:type_name -> istio.security.v1.Condition + 3, // 7: istio.security.v1.Rule.From.source:type_name -> istio.security.v1.Source + 4, // 8: istio.security.v1.Rule.To.operation:type_name -> istio.security.v1.Operation + 9, // [9:9] is the sub-list for method output_type + 9, // [9:9] is the sub-list for method input_type + 9, // [9:9] is the sub-list for extension type_name + 9, // [9:9] is the sub-list for extension extendee + 0, // [0:9] is the sub-list for field type_name +} + +func init() { file_security_v1_authorization_policy_proto_init() } +func file_security_v1_authorization_policy_proto_init() { + if File_security_v1_authorization_policy_proto != nil { + return + } + if !protoimpl.UnsafeEnabled { + file_security_v1_authorization_policy_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*AuthorizationPolicy); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return 
&v.unknownFields + default: + return nil + } + } + file_security_v1_authorization_policy_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*Rule); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_security_v1_authorization_policy_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*Source); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_security_v1_authorization_policy_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*Operation); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_security_v1_authorization_policy_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*Condition); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_security_v1_authorization_policy_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*AuthorizationPolicy_ExtensionProvider); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_security_v1_authorization_policy_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*Rule_From); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_security_v1_authorization_policy_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*Rule_To); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + } + 
file_security_v1_authorization_policy_proto_msgTypes[0].OneofWrappers = []interface{}{ + (*AuthorizationPolicy_Provider)(nil), + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_security_v1_authorization_policy_proto_rawDesc, + NumEnums: 1, + NumMessages: 8, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_security_v1_authorization_policy_proto_goTypes, + DependencyIndexes: file_security_v1_authorization_policy_proto_depIdxs, + EnumInfos: file_security_v1_authorization_policy_proto_enumTypes, + MessageInfos: file_security_v1_authorization_policy_proto_msgTypes, + }.Build() + File_security_v1_authorization_policy_proto = out.File + file_security_v1_authorization_policy_proto_rawDesc = nil + file_security_v1_authorization_policy_proto_goTypes = nil + file_security_v1_authorization_policy_proto_depIdxs = nil +} diff --git a/vendor/istio.io/api/security/v1/authorization_policy.pb.html b/vendor/istio.io/api/security/v1/authorization_policy.pb.html new file mode 100644 index 000000000..f3e6ef3c4 --- /dev/null +++ b/vendor/istio.io/api/security/v1/authorization_policy.pb.html @@ -0,0 +1,802 @@ +--- +title: Authorization Policy +description: Configuration for access control on workloads. +location: https://istio.io/docs/reference/config/security/authorization-policy.html +layout: protoc-gen-docs +generator: protoc-gen-docs +schema: istio.security.v1.AuthorizationPolicy +weight: 20 +aliases: [/docs/reference/config/authorization/authorization-policy] +number_of_entries: 9 +--- +

Istio Authorization Policy enables access control on workloads in the mesh.

+

Authorization policy supports CUSTOM, DENY and ALLOW actions for access control. When CUSTOM, DENY and ALLOW actions +are used for a workload at the same time, the CUSTOM action is evaluated first, then the DENY action, and finally the ALLOW action. +The evaluation is determined by the following rules:

+
    +
  1. If there are any CUSTOM policies that match the request, evaluate and deny the request if the evaluation result is deny.
  2. +
  3. If there are any DENY policies that match the request, deny the request.
  4. +
  5. If there are no ALLOW policies for the workload, allow the request.
  6. +
  7. If any of the ALLOW policies match the request, allow the request.
  8. +
  9. Deny the request.
  10. +
+

Istio Authorization Policy also supports the AUDIT action to decide whether to log requests. +AUDIT policies do not affect whether requests are allowed or denied to the workload. +Requests will be allowed or denied based solely on CUSTOM, DENY and ALLOW actions.

+

A request will be internally marked that it should be audited if there is an AUDIT policy on the workload that matches the request. +A separate plugin must be configured and enabled to actually fulfill the audit decision and complete the audit behavior. +The request will not be audited if there are no such supporting plugins enabled. +Currently, the only supported plugin is the Stackdriver plugin.

+

Here is an example of Istio Authorization Policy:

+

It sets the action to ALLOW to create an allow policy. The default action is ALLOW +but it is useful to be explicit in the policy.

+

It allows requests from:

+
    +
  • service account cluster.local/ns/default/sa/sleep or
  • +
  • namespace test
  • +
+

to access the workload with:

+
    +
  • GET method at paths of prefix /info or,
  • +
  • POST method at path /data.
  • +
+

when the request has a valid JWT token issued by https://accounts.google.com.

+

Any other requests will be denied.

+
apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: httpbin
+  namespace: foo
+spec:
+  action: ALLOW
+  rules:
+  - from:
+    - source:
+        principals: ["cluster.local/ns/default/sa/sleep"]
+    - source:
+        namespaces: ["test"]
+    to:
+    - operation:
+        methods: ["GET"]
+        paths: ["/info*"]
+    - operation:
+        methods: ["POST"]
+        paths: ["/data"]
+    when:
+    - key: request.auth.claims[iss]
+      values: ["https://accounts.google.com"]
+
+

The following is another example that sets action to DENY to create a deny policy. +It denies requests from the dev namespace to the POST method on all workloads +in the foo namespace.

+
apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: httpbin
+  namespace: foo
+spec:
+  action: DENY
+  rules:
+  - from:
+    - source:
+        namespaces: ["dev"]
+    to:
+    - operation:
+        methods: ["POST"]
+
+

The following is another example that sets action to DENY to create a deny policy. +It denies all the requests with POST method on port 8080 on all workloads +in the foo namespace.

+
apiVersion: security.istio.io/v1
+kind: AuthorizaionPolicy
+metadata:
+  name: httpbin
+  namespace: foo
+spec:
+  action: DENY
+  rules:
+  - to:
+    - operation:
+        methods: ["POST"]
+        ports: ["8080"]
+
+

When this rule is applied to TCP traffic, the method field (as will all HTTP based attributes) cannot be processed. +For a DENY rule, missing attributes are treated as matches. This means all TCP traffic on port 8080 would be denied in the example above. +If we were to remove the ports match, all TCP traffic would be denied. As a result, it is recommended to always scope DENY policies to a specific port, +especially when using HTTP attributes Authorization Policy for TCP Ports.

+

The following authorization policy sets the action to AUDIT. It will audit any GET requests to the path with the +prefix /user/profile.

+
apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  namespace: ns1
+  name: anyname
+spec:
+  selector:
+    matchLabels:
+      app: myapi
+  action: AUDIT
+  rules:
+  - to:
+    - operation:
+        methods: ["GET"]
+        paths: ["/user/profile/*"]
+
+

Authorization Policy scope (target) is determined by “metadata/namespace” and +an optional selector.

+
    +
  • “metadata/namespace” tells which namespace the policy applies. If set to root +namespace, the policy applies to all namespaces in a mesh.
  • +
  • workload selector can be used to further restrict where a policy applies.
  • +
+

For example, the following authorization policy applies to all workloads in namespace foo. It allows nothing and effectively denies +all requests to workloads in namespace foo.

+
apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+ name: allow-nothing
+ namespace: foo
+spec:
+  {}
+
+

The following authorization policy allows all requests to workloads in namespace foo.

+
apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+ name: allow-all
+ namespace: foo
+spec:
+ rules:
+ - {}
+
+

The following authorization policy applies to workloads containing label app: httpbin in namespace bar. It allows +nothing and effectively denies all requests to the selected workloads.

+
apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: allow-nothing
+  namespace: bar
+spec:
+  selector:
+    matchLabels:
+      app: httpbin
+
+

The following authorization policy applies to workloads containing label version: v1 in all namespaces in the mesh. +(Assuming the root namespace is configured to istio-system).

+
apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+ name: allow-nothing
+ namespace: istio-system
+spec:
+ selector:
+   matchLabels:
+     version: v1
+
+

The following example shows you how to set up an authorization policy using an experimental annotation +istio.io/dry-run to dry-run the policy without actually enforcing it.

+

The dry-run annotation allows you to better understand the effect of an authorization policy before applying it to the production traffic. +This helps to reduce the risk of breaking the production traffic caused by an incorrect authorization policy. +For more information, see dry-run tasks.

+
apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: dry-run-example
+  annotations:
+    "istio.io/dry-run": "true"
+spec:
+  selector:
+    matchLabels:
+      app: httpbin
+  action: DENY
+  rules:
+  - to:
+    - operation:
+        paths: ["/headers"]
+
+ +

AuthorizationPolicy

+
+

AuthorizationPolicy enables access control on workloads.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
selectorWorkloadSelector +

Optional. The selector decides where to apply the authorization policy. The selector will match with workloads +in the same namespace as the authorization policy. If the authorization policy is in the root namespace, the selector +will additionally match with workloads in all namespaces.

+

If not set, the selector will match all workloads.

+ +
+No +
rulesRule[] +

Optional. A list of rules to match the request. A match occurs when at least one rule matches the request.

+

If not set, the match will never occur. This is equivalent to setting a default of deny for the target workloads if +the action is ALLOW.

+ +
+No +
actionAction +

Optional. The action to take if the request is matched with the rules. Default is ALLOW if not specified.

+ +
+No +
providerExtensionProvider (oneof) +

Specifies detailed configuration of the CUSTOM action. Must be used only with CUSTOM action.

+ +
+No +
+
+

Rule

+
+

Rule matches requests from a list of sources that perform a list of operations subject to a +list of conditions. A match occurs when at least one source, one operation and all conditions +matches the request. An empty rule is always matched.

+

Any string field in the rule supports Exact, Prefix, Suffix and Presence match:

+
    +
  • Exact match: “abc” will match on value “abc”.
  • +
  • Prefix match: “abc*” will match on value “abc” and “abcd”.
  • +
  • Suffix match: “*abc” will match on value “abc” and “xabc”.
  • +
  • Presence match: “*” will match when value is not empty.
  • +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
fromFrom[] +

Optional. from specifies the source of a request.

+

If not set, any source is allowed.

+ +
+No +
toTo[] +

Optional. to specifies the operation of a request.

+

If not set, any operation is allowed.

+ +
+No +
whenCondition[] +

Optional. when specifies a list of additional conditions of a request.

+

If not set, any condition is allowed.

+ +
+No +
+
+

Source

+
+

Source specifies the source identities of a request. Fields in the source are +ANDed together.

+

For example, the following source matches if the principal is “admin” or “dev” +and the namespace is “prod” or “test” and the ip is not “203.0.113.4”.

+
principals: ["admin", "dev"]
+namespaces: ["prod", "test"]
+notIpBlocks: ["203.0.113.4"]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
principalsstring[] +

Optional. A list of peer identities derived from the peer certificate. The peer identity is in the format of +"<TRUST_DOMAIN>/ns/<NAMESPACE>/sa/<SERVICE_ACCOUNT>", for example, "cluster.local/ns/default/sa/productpage". +This field requires mTLS enabled and is the same as the source.principal attribute.

+

If not set, any principal is allowed.

+ +
+No +
notPrincipalsstring[] +

Optional. A list of negative match of peer identities.

+ +
+No +
requestPrincipalsstring[] +

Optional. A list of request identities derived from the JWT. The request identity is in the format of +"<ISS>/<SUB>", for example, "example.com/sub-1". This field requires request authentication enabled and is the +same as the request.auth.principal attribute.

+

If not set, any request principal is allowed.

+ +
+No +
notRequestPrincipalsstring[] +

Optional. A list of negative match of request identities.

+ +
+No +
namespacesstring[] +

Optional. A list of namespaces derived from the peer certificate. +This field requires mTLS enabled and is the same as the source.namespace attribute.

+

If not set, any namespace is allowed.

+ +
+No +
notNamespacesstring[] +

Optional. A list of negative match of namespaces.

+ +
+No +
ipBlocksstring[] +

Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. “203.0.113.4”) and +CIDR (e.g. “203.0.113.0/24”) are supported. This is the same as the source.ip attribute.

+

If not set, any IP is allowed.

+ +
+No +
notIpBlocksstring[] +

Optional. A list of negative match of IP blocks.

+ +
+No +
remoteIpBlocksstring[] +

Optional. A list of IP blocks, populated from X-Forwarded-For header or proxy protocol. +To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig +when you install Istio or using an annotation on the ingress gateway. See the documentation here: +Configuring Gateway Network Topology. +Single IP (e.g. “203.0.113.4”) and CIDR (e.g. “203.0.113.0/24”) are supported. +This is the same as the remote.ip attribute.

+

If not set, any IP is allowed.

+ +
+No +
notRemoteIpBlocksstring[] +

Optional. A list of negative match of remote IP blocks.

+ +
+No +
+
+

Operation

+
+

Operation specifies the operations of a request. Fields in the operation are +ANDed together.

+

For example, the following operation matches if the host has suffix “.example.com” +and the method is “GET” or “HEAD” and the path doesn’t have prefix “/admin”.

+
hosts: ["*.example.com"]
+methods: ["GET", "HEAD"]
+notPaths: ["/admin*"]
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
hostsstring[] +

Optional. A list of hosts as specified in the HTTP request. The match is case-insensitive. +See the security best practices for +recommended usage of this field.

+

If not set, any host is allowed. Must be used only with HTTP.

+ +
+No +
notHostsstring[] +

Optional. A list of negative match of hosts as specified in the HTTP request. The match is case-insensitive.

+ +
+No +
portsstring[] +

Optional. A list of ports as specified in the connection.

+

If not set, any port is allowed.

+ +
+No +
notPortsstring[] +

Optional. A list of negative match of ports as specified in the connection.

+ +
+No +
methodsstring[] +

Optional. A list of methods as specified in the HTTP request. +For gRPC service, this will always be “POST”.

+

If not set, any method is allowed. Must be used only with HTTP.

+ +
+No +
notMethodsstring[] +

Optional. A list of negative match of methods as specified in the HTTP request.

+ +
+No +
pathsstring[] +

Optional. A list of paths as specified in the HTTP request. See the Authorization Policy Normalization +for details of the path normalization. +For gRPC service, this will be the fully-qualified name in the form of “/package.service/method”.

+

If not set, any path is allowed. Must be used only with HTTP.

+ +
+No +
notPathsstring[] +

Optional. A list of negative match of paths.

+ +
+No +
+
+

Condition

+
+

Condition specifies additional required attributes.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
keystring +

The name of an Istio attribute. +See the full list of supported attributes.

+ +
+Yes +
valuesstring[] +

Optional. A list of allowed values for the attribute. +Note: at least one of values or not_values must be set.

+ +
+No +
notValuesstring[] +

Optional. A list of negative match of values for the attribute. +Note: at least one of values or not_values must be set.

+ +
+No +
+
+

AuthorizationPolicy.ExtensionProvider

+
+ + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
namestring +

Specifies the name of the extension provider. The list of available providers is defined in the MeshConfig. +Note, currently at most 1 extension provider is allowed per workload. Different workloads can use different extension provider.

+ +
+No +
+
+

Rule.From

+
+

From includes a list of sources.

+ + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
sourceSource +

Source specifies the source of a request.

+ +
+No +
+
+

Rule.To

+
+

To includes a list of operations.

+ + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
operationOperation +

Operation specifies the operation of a request.

+ +
+No +
+
+

AuthorizationPolicy.Action

+
+

Action specifies the operation to take.

+ + + + + + + + + + + + + + + + + + + + + + + + + + +
NameDescription
ALLOW +

Allow a request only if it matches the rules. This is the default type.

+ +
DENY +

Deny a request if it matches any of the rules.

+ +
AUDIT +

Audit a request if it matches any of the rules.

+ +
CUSTOM +

The CUSTOM action allows an extension to handle the user request if the matching rules evaluate to true. +The extension is evaluated independently and before the native ALLOW and DENY actions. When used together, A request +is allowed if and only if all the actions return allow, in other words, the extension cannot bypass the +authorization decision made by ALLOW and DENY action. +Extension behavior is defined by the named providers declared in MeshConfig. The authorization policy refers to +the extension by specifying the name of the provider. +One example use case of the extension is to integrate with a custom external authorization system to delegate +the authorization decision to it.

+

Note: The CUSTOM action is currently an alpha feature and is subject to breaking changes in later versions.

+

The following authorization policy applies to an ingress gateway and delegates the authorization check to a named extension +“my-custom-authz” if the request path has prefix “/admin/”.

+
apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: ext-authz
+  namespace: istio-system
+spec:
+  selector:
+    matchLabels:
+      app: istio-ingressgateway
+  action: CUSTOM
+  provider:
+    name: "my-custom-authz"
+  rules:
+  - to:
+    - operation:
+        paths: ["/admin/*"]
+
+ +
+
diff --git a/vendor/istio.io/api/security/v1/authorization_policy.proto b/vendor/istio.io/api/security/v1/authorization_policy.proto
new file mode 100644
index 000000000..1e432e45a
--- /dev/null
+++ b/vendor/istio.io/api/security/v1/authorization_policy.proto
@@ -0,0 +1,516 @@ +// Copyright 2019 Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +syntax = "proto3"; + +import "google/api/field_behavior.proto"; +import "type/v1beta1/selector.proto"; + +// $schema: istio.security.v1.AuthorizationPolicy +// $title: Authorization Policy +// $description: Configuration for access control on workloads. +// $location: https://istio.io/docs/reference/config/security/authorization-policy.html +// $weight: 20 +// $aliases: [/docs/reference/config/authorization/authorization-policy] + +// Istio Authorization Policy enables access control on workloads in the mesh. +// +// Authorization policy supports CUSTOM, DENY and ALLOW actions for access control. When CUSTOM, DENY and ALLOW actions +// are used for a workload at the same time, the CUSTOM action is evaluated first, then the DENY action, and finally the ALLOW action. +// The evaluation is determined by the following rules: +// +// 1. If there are any CUSTOM policies that match the request, evaluate and deny the request if the evaluation result is deny. +// 2. If there are any DENY policies that match the request, deny the request. +// 3. If there are no ALLOW policies for the workload, allow the request. +// 4. If any of the ALLOW policies match the request, allow the request. +// 5. Deny the request. +// +// Istio Authorization Policy also supports the AUDIT action to decide whether to log requests. 
+// AUDIT policies do not affect whether requests are allowed or denied to the workload. +// Requests will be allowed or denied based solely on CUSTOM, DENY and ALLOW actions. +// +// A request will be internally marked that it should be audited if there is an AUDIT policy on the workload that matches the request. +// A separate plugin must be configured and enabled to actually fulfill the audit decision and complete the audit behavior. +// The request will not be audited if there are no such supporting plugins enabled. +// Currently, the only supported plugin is the [Stackdriver](https://istio.io/latest/docs/reference/config/proxy_extensions/stackdriver/) plugin. +// +// Here is an example of Istio Authorization Policy: +// +// It sets the `action` to `ALLOW` to create an allow policy. The default action is `ALLOW` +// but it is useful to be explicit in the policy. +// +// It allows requests from: +// +// - service account `cluster.local/ns/default/sa/sleep` or +// - namespace `test` +// +// to access the workload with: +// +// - `GET` method at paths of prefix `/info` or, +// - `POST` method at path `/data`. +// +// when the request has a valid JWT token issued by `https://accounts.google.com`. +// +// Any other requests will be denied. +// +// ```yaml +// apiVersion: security.istio.io/v1 +// kind: AuthorizationPolicy +// metadata: +// name: httpbin +// namespace: foo +// spec: +// action: ALLOW +// rules: +// - from: +// - source: +// principals: ["cluster.local/ns/default/sa/sleep"] +// - source: +// namespaces: ["test"] +// to: +// - operation: +// methods: ["GET"] +// paths: ["/info*"] +// - operation: +// methods: ["POST"] +// paths: ["/data"] +// when: +// - key: request.auth.claims[iss] +// values: ["https://accounts.google.com"] +// ``` +// +// The following is another example that sets `action` to `DENY` to create a deny policy. +// It denies requests from the `dev` namespace to the `POST` method on all workloads +// in the `foo` namespace. 
+// +// ```yaml +// apiVersion: security.istio.io/v1 +// kind: AuthorizationPolicy +// metadata: +// name: httpbin +// namespace: foo +// spec: +// action: DENY +// rules: +// - from: +// - source: +// namespaces: ["dev"] +// to: +// - operation: +// methods: ["POST"] +// ``` +// +// The following is another example that sets `action` to `DENY` to create a deny policy. +// It denies all the requests with `POST` method on port `8080` on all workloads +// in the `foo` namespace. +// +// ```yaml +// apiVersion: security.istio.io/v1 +// kind: AuthorizaionPolicy +// metadata: +// name: httpbin +// namespace: foo +// spec: +// action: DENY +// rules: +// - to: +// - operation: +// methods: ["POST"] +// ports: ["8080"] +// ``` +// +// When this rule is applied to TCP traffic, the `method` field (as will all HTTP based attributes) cannot be processed. +// For a `DENY` rule, missing attributes are treated as matches. This means all TCP traffic on port `8080` would be denied in the example above. +// If we were to remove the `ports` match, all TCP traffic would be denied. As a result, it is recommended to always scope `DENY` policies to a specific port, +// especially when using HTTP attributes [Authorization Policy for TCP Ports](https://istio.io/latest/docs/tasks/security/authorization/authz-tcp/). +// +// The following authorization policy sets the `action` to `AUDIT`. It will audit any GET requests to the path with the +// prefix `/user/profile`. +// +// ```yaml +// apiVersion: security.istio.io/v1 +// kind: AuthorizationPolicy +// metadata: +// namespace: ns1 +// name: anyname +// spec: +// selector: +// matchLabels: +// app: myapi +// action: AUDIT +// rules: +// - to: +// - operation: +// methods: ["GET"] +// paths: ["/user/profile/*"] +// ``` +// +// Authorization Policy scope (target) is determined by "metadata/namespace" and +// an optional `selector`. +// +// - "metadata/namespace" tells which namespace the policy applies. 
If set to root +// namespace, the policy applies to all namespaces in a mesh. +// - workload `selector` can be used to further restrict where a policy applies. +// +// For example, the following authorization policy applies to all workloads in namespace `foo`. It allows nothing and effectively denies +// all requests to workloads in namespace `foo`. +// +// ```yaml +// apiVersion: security.istio.io/v1 +// kind: AuthorizationPolicy +// metadata: +// name: allow-nothing +// namespace: foo +// spec: +// {} +// ``` +// +// The following authorization policy allows all requests to workloads in namespace `foo`. +// +// ```yaml +// apiVersion: security.istio.io/v1 +// kind: AuthorizationPolicy +// metadata: +// name: allow-all +// namespace: foo +// spec: +// rules: +// - {} +// ``` +// +// The following authorization policy applies to workloads containing label `app: httpbin` in namespace `bar`. It allows +// nothing and effectively denies all requests to the selected workloads. +// +// ```yaml +// apiVersion: security.istio.io/v1 +// kind: AuthorizationPolicy +// metadata: +// name: allow-nothing +// namespace: bar +// spec: +// selector: +// matchLabels: +// app: httpbin +// ``` +// +// The following authorization policy applies to workloads containing label `version: v1` in all namespaces in the mesh. +// (Assuming the root namespace is configured to `istio-system`). +// +// ```yaml +// apiVersion: security.istio.io/v1 +// kind: AuthorizationPolicy +// metadata: +// name: allow-nothing +// namespace: istio-system +// spec: +// selector: +// matchLabels: +// version: v1 +// ``` +// +// The following example shows you how to set up an authorization policy using an [experimental annotation](https://istio.io/latest/docs/reference/config/annotations/) +// `istio.io/dry-run` to dry-run the policy without actually enforcing it. +// +// The dry-run annotation allows you to better understand the effect of an authorization policy before applying it to the production traffic. 
+// This helps to reduce the risk of breaking the production traffic caused by an incorrect authorization policy. +// For more information, see [dry-run tasks](https://istio.io/latest/docs/tasks/security/authorization/authz-dry-run/). +// +// ```yaml +// apiVersion: security.istio.io/v1 +// kind: AuthorizationPolicy +// metadata: +// name: dry-run-example +// annotations: +// "istio.io/dry-run": "true" +// spec: +// selector: +// matchLabels: +// app: httpbin +// action: DENY +// rules: +// - to: +// - operation: +// paths: ["/headers"] +// ``` +package istio.security.v1; + +option go_package="istio.io/api/security/v1"; + +// AuthorizationPolicy enables access control on workloads. +// +// +// +// +// +message AuthorizationPolicy { + // Optional. The selector decides where to apply the authorization policy. The selector will match with workloads + // in the same namespace as the authorization policy. If the authorization policy is in the root namespace, the selector + // will additionally match with workloads in all namespaces. + // + // If not set, the selector will match all workloads. + istio.type.v1beta1.WorkloadSelector selector = 1; + + // Optional. A list of rules to match the request. A match occurs when at least one rule matches the request. + // + // If not set, the match will never occur. This is equivalent to setting a default of deny for the target workloads if + // the action is ALLOW. + repeated Rule rules = 2; + + // Action specifies the operation to take. + enum Action { + // Allow a request only if it matches the rules. This is the default type. + ALLOW = 0; + + // Deny a request if it matches any of the rules. + DENY = 1; + + // Audit a request if it matches any of the rules. + AUDIT = 2; + + // $hide_from_docs + // Audit policy decisions can be read by telemetry plugins using the function getAuditPolicy + // defined [here](https://github.com/istio/proxy/blob/master/extensions/common/context.h). 
+ + // The CUSTOM action allows an extension to handle the user request if the matching rules evaluate to true. + // The extension is evaluated independently and before the native ALLOW and DENY actions. When used together, A request + // is allowed if and only if all the actions return allow, in other words, the extension cannot bypass the + // authorization decision made by ALLOW and DENY action. + // Extension behavior is defined by the named providers declared in MeshConfig. The authorization policy refers to + // the extension by specifying the name of the provider. + // One example use case of the extension is to integrate with a custom external authorization system to delegate + // the authorization decision to it. + // + // Note: The CUSTOM action is currently an **alpha feature** and is subject to breaking changes in later versions. + // + // The following authorization policy applies to an ingress gateway and delegates the authorization check to a named extension + // "my-custom-authz" if the request path has prefix "/admin/". + // + // ```yaml + // apiVersion: security.istio.io/v1beta1 + // kind: AuthorizationPolicy + // metadata: + // name: ext-authz + // namespace: istio-system + // spec: + // selector: + // matchLabels: + // app: istio-ingressgateway + // action: CUSTOM + // provider: + // name: "my-custom-authz" + // rules: + // - to: + // - operation: + // paths: ["/admin/*"] + // ``` + CUSTOM = 3; + } + + // Optional. The action to take if the request is matched with the rules. Default is ALLOW if not specified. + Action action = 3; + + message ExtensionProvider { + // Specifies the name of the extension provider. The list of available providers is defined in the MeshConfig. + // Note, currently at most 1 extension provider is allowed per workload. Different workloads can use different extension provider. + string name = 1; + } + + oneof action_detail { + // Specifies detailed configuration of the CUSTOM action. 
Must be used only with CUSTOM action. + ExtensionProvider provider = 4; + } +} + +// Rule matches requests from a list of sources that perform a list of operations subject to a +// list of conditions. A match occurs when at least one source, one operation and all conditions +// matches the request. An empty rule is always matched. +// +// Any string field in the rule supports Exact, Prefix, Suffix and Presence match: +// +// - Exact match: "abc" will match on value "abc". +// - Prefix match: "abc*" will match on value "abc" and "abcd". +// - Suffix match: "*abc" will match on value "abc" and "xabc". +// - Presence match: "*" will match when value is not empty. +message Rule { + // From includes a list of sources. + message From { + // Source specifies the source of a request. + Source source = 1; + } + + // Optional. from specifies the source of a request. + // + // If not set, any source is allowed. + repeated From from = 1; + + // To includes a list of operations. + message To { + // Operation specifies the operation of a request. + Operation operation = 1; + } + + // Optional. to specifies the operation of a request. + // + // If not set, any operation is allowed. + repeated To to = 2; + + // Optional. when specifies a list of additional conditions of a request. + // + // If not set, any condition is allowed. + repeated Condition when = 3; +} + +// Source specifies the source identities of a request. Fields in the source are +// ANDed together. +// +// For example, the following source matches if the principal is "admin" or "dev" +// and the namespace is "prod" or "test" and the ip is not "203.0.113.4". +// +// ```yaml +// principals: ["admin", "dev"] +// namespaces: ["prod", "test"] +// notIpBlocks: ["203.0.113.4"] +// ``` +message Source { + // Optional. A list of peer identities derived from the peer certificate. The peer identity is in the format of + // `"/ns//sa/"`, for example, `"cluster.local/ns/default/sa/productpage"`. 
+ // This field requires mTLS enabled and is the same as the `source.principal` attribute. + // + // If not set, any principal is allowed. + repeated string principals = 1; + + // Optional. A list of negative match of peer identities. + repeated string not_principals = 5; + + // Optional. A list of request identities derived from the JWT. The request identity is in the format of + // `"/"`, for example, `"example.com/sub-1"`. This field requires request authentication enabled and is the + // same as the `request.auth.principal` attribute. + // + // If not set, any request principal is allowed. + repeated string request_principals = 2; + + // Optional. A list of negative match of request identities. + repeated string not_request_principals = 6; + + // Optional. A list of namespaces derived from the peer certificate. + // This field requires mTLS enabled and is the same as the `source.namespace` attribute. + // + // If not set, any namespace is allowed. + repeated string namespaces = 3; + + // Optional. A list of negative match of namespaces. + repeated string not_namespaces = 7; + + // Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. "203.0.113.4") and + // CIDR (e.g. "203.0.113.0/24") are supported. This is the same as the `source.ip` attribute. + // + // If not set, any IP is allowed. + repeated string ip_blocks = 4; + + // Optional. A list of negative match of IP blocks. + repeated string not_ip_blocks = 8; + + // Optional. A list of IP blocks, populated from X-Forwarded-For header or proxy protocol. + // To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig + // when you install Istio or using an annotation on the ingress gateway. See the documentation here: + // [Configuring Gateway Network Topology](https://istio.io/latest/docs/ops/configuration/traffic-management/network-topologies/). + // Single IP (e.g. "203.0.113.4") and CIDR (e.g. 
"203.0.113.0/24") are supported. + // This is the same as the `remote.ip` attribute. + // + // If not set, any IP is allowed. + repeated string remote_ip_blocks = 9; + + // Optional. A list of negative match of remote IP blocks. + repeated string not_remote_ip_blocks = 10; +} + +// Operation specifies the operations of a request. Fields in the operation are +// ANDed together. +// +// For example, the following operation matches if the host has suffix ".example.com" +// and the method is "GET" or "HEAD" and the path doesn't have prefix "/admin". +// +// ```yaml +// hosts: ["*.example.com"] +// methods: ["GET", "HEAD"] +// notPaths: ["/admin*"] +// ``` +message Operation { + // Optional. A list of hosts as specified in the HTTP request. The match is case-insensitive. + // See the [security best practices](https://istio.io/latest/docs/ops/best-practices/security/#writing-host-match-policies) for + // recommended usage of this field. + // + // If not set, any host is allowed. Must be used only with HTTP. + repeated string hosts = 1; + + // Optional. A list of negative match of hosts as specified in the HTTP request. The match is case-insensitive. + repeated string not_hosts = 5; + + // Optional. A list of ports as specified in the connection. + // + // If not set, any port is allowed. + repeated string ports = 2; + + // Optional. A list of negative match of ports as specified in the connection. + repeated string not_ports = 6; + + // Optional. A list of methods as specified in the HTTP request. + // For gRPC service, this will always be "POST". + // + // If not set, any method is allowed. Must be used only with HTTP. + repeated string methods = 3; + + // Optional. A list of negative match of methods as specified in the HTTP request. + repeated string not_methods = 7; + + // Optional. A list of paths as specified in the HTTP request. 
See the [Authorization Policy Normalization](https://istio.io/latest/docs/reference/config/security/normalization/) + // for details of the path normalization. + // For gRPC service, this will be the fully-qualified name in the form of "/package.service/method". + // + // If not set, any path is allowed. Must be used only with HTTP. + repeated string paths = 4; + + // Optional. A list of negative match of paths. + repeated string not_paths = 8; +} + +// Condition specifies additional required attributes. +message Condition { + // The name of an Istio attribute. + // See the [full list of supported attributes](https://istio.io/docs/reference/config/security/conditions/). + string key = 1 [(google.api.field_behavior) = REQUIRED]; + + // Optional. A list of allowed values for the attribute. + // Note: at least one of values or not_values must be set. + repeated string values = 2; + + // Optional. A list of negative match of values for the attribute. + // Note: at least one of values or not_values must be set. + repeated string not_values = 3; +}
diff --git a/vendor/istio.io/api/security/v1/authorization_policy_deepcopy.gen.go b/vendor/istio.io/api/security/v1/authorization_policy_deepcopy.gen.go
new file mode 100644
index 000000000..f5f79746e
--- /dev/null
+++ b/vendor/istio.io/api/security/v1/authorization_policy_deepcopy.gen.go
@@ -0,0 +1,174 @@ +// Code generated by protoc-gen-deepcopy. DO NOT EDIT. +package v1 + +import ( + proto "google.golang.org/protobuf/proto" +) + +// DeepCopyInto supports using AuthorizationPolicy within kubernetes types, where deepcopy-gen is used. +func (in *AuthorizationPolicy) DeepCopyInto(out *AuthorizationPolicy) { + p := proto.Clone(in).(*AuthorizationPolicy) + *out = *p +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthorizationPolicy. Required by controller-gen. +func (in *AuthorizationPolicy) DeepCopy() *AuthorizationPolicy { + if in == nil { + return nil + } + out := new(AuthorizationPolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new AuthorizationPolicy. Required by controller-gen. +func (in *AuthorizationPolicy) DeepCopyInterface() interface{} { + return in.DeepCopy() +} + +// DeepCopyInto supports using AuthorizationPolicy_ExtensionProvider within kubernetes types, where deepcopy-gen is used. +func (in *AuthorizationPolicy_ExtensionProvider) DeepCopyInto(out *AuthorizationPolicy_ExtensionProvider) { + p := proto.Clone(in).(*AuthorizationPolicy_ExtensionProvider) + *out = *p +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthorizationPolicy_ExtensionProvider. Required by controller-gen. +func (in *AuthorizationPolicy_ExtensionProvider) DeepCopy() *AuthorizationPolicy_ExtensionProvider { + if in == nil { + return nil + } + out := new(AuthorizationPolicy_ExtensionProvider) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new AuthorizationPolicy_ExtensionProvider. Required by controller-gen. 
+func (in *AuthorizationPolicy_ExtensionProvider) DeepCopyInterface() interface{} { + return in.DeepCopy() +} + +// DeepCopyInto supports using Rule within kubernetes types, where deepcopy-gen is used. +func (in *Rule) DeepCopyInto(out *Rule) { + p := proto.Clone(in).(*Rule) + *out = *p +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule. Required by controller-gen. +func (in *Rule) DeepCopy() *Rule { + if in == nil { + return nil + } + out := new(Rule) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Rule. Required by controller-gen. +func (in *Rule) DeepCopyInterface() interface{} { + return in.DeepCopy() +} + +// DeepCopyInto supports using Rule_From within kubernetes types, where deepcopy-gen is used. +func (in *Rule_From) DeepCopyInto(out *Rule_From) { + p := proto.Clone(in).(*Rule_From) + *out = *p +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule_From. Required by controller-gen. +func (in *Rule_From) DeepCopy() *Rule_From { + if in == nil { + return nil + } + out := new(Rule_From) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Rule_From. Required by controller-gen. +func (in *Rule_From) DeepCopyInterface() interface{} { + return in.DeepCopy() +} + +// DeepCopyInto supports using Rule_To within kubernetes types, where deepcopy-gen is used. +func (in *Rule_To) DeepCopyInto(out *Rule_To) { + p := proto.Clone(in).(*Rule_To) + *out = *p +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule_To. Required by controller-gen. 
+func (in *Rule_To) DeepCopy() *Rule_To { + if in == nil { + return nil + } + out := new(Rule_To) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Rule_To. Required by controller-gen. +func (in *Rule_To) DeepCopyInterface() interface{} { + return in.DeepCopy() +} + +// DeepCopyInto supports using Source within kubernetes types, where deepcopy-gen is used. +func (in *Source) DeepCopyInto(out *Source) { + p := proto.Clone(in).(*Source) + *out = *p +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Source. Required by controller-gen. +func (in *Source) DeepCopy() *Source { + if in == nil { + return nil + } + out := new(Source) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Source. Required by controller-gen. +func (in *Source) DeepCopyInterface() interface{} { + return in.DeepCopy() +} + +// DeepCopyInto supports using Operation within kubernetes types, where deepcopy-gen is used. +func (in *Operation) DeepCopyInto(out *Operation) { + p := proto.Clone(in).(*Operation) + *out = *p +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Operation. Required by controller-gen. +func (in *Operation) DeepCopy() *Operation { + if in == nil { + return nil + } + out := new(Operation) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Operation. Required by controller-gen. +func (in *Operation) DeepCopyInterface() interface{} { + return in.DeepCopy() +} + +// DeepCopyInto supports using Condition within kubernetes types, where deepcopy-gen is used. 
+func (in *Condition) DeepCopyInto(out *Condition) { + p := proto.Clone(in).(*Condition) + *out = *p +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition. Required by controller-gen. +func (in *Condition) DeepCopy() *Condition { + if in == nil { + return nil + } + out := new(Condition) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Condition. Required by controller-gen. +func (in *Condition) DeepCopyInterface() interface{} { + return in.DeepCopy() +}
diff --git a/vendor/istio.io/api/security/v1/authorization_policy_json.gen.go b/vendor/istio.io/api/security/v1/authorization_policy_json.gen.go
new file mode 100644
index 000000000..168c233fd
--- /dev/null
+++ b/vendor/istio.io/api/security/v1/authorization_policy_json.gen.go
@@ -0,0 +1,100 @@ +// Code generated by protoc-gen-jsonshim. DO NOT EDIT. +package v1 + +import ( + bytes "bytes" + jsonpb "github.com/golang/protobuf/jsonpb" +) + +// MarshalJSON is a custom marshaler for AuthorizationPolicy +func (this *AuthorizationPolicy) MarshalJSON() ([]byte, error) { + str, err := AuthorizationPolicyMarshaler.MarshalToString(this) + return []byte(str), err +} + +// UnmarshalJSON is a custom unmarshaler for AuthorizationPolicy +func (this *AuthorizationPolicy) UnmarshalJSON(b []byte) error { + return AuthorizationPolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this) +} + +// MarshalJSON is a custom marshaler for AuthorizationPolicy_ExtensionProvider +func (this *AuthorizationPolicy_ExtensionProvider) MarshalJSON() ([]byte, error) { + str, err := AuthorizationPolicyMarshaler.MarshalToString(this) + return []byte(str), err +} + +// UnmarshalJSON is a custom unmarshaler for AuthorizationPolicy_ExtensionProvider +func (this *AuthorizationPolicy_ExtensionProvider) UnmarshalJSON(b []byte) error { + return AuthorizationPolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this) +} + +// MarshalJSON is a custom marshaler for Rule +func (this *Rule) MarshalJSON() ([]byte, error) { + str, err := AuthorizationPolicyMarshaler.MarshalToString(this) + return []byte(str), err +} + +// UnmarshalJSON is a custom unmarshaler for Rule +func (this *Rule) UnmarshalJSON(b []byte) error { + return AuthorizationPolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this) +} + +// MarshalJSON is a custom marshaler for Rule_From +func (this *Rule_From) MarshalJSON() ([]byte, error) { + str, err := AuthorizationPolicyMarshaler.MarshalToString(this) + return []byte(str), err +} + +// UnmarshalJSON is a custom unmarshaler for Rule_From +func (this *Rule_From) UnmarshalJSON(b []byte) error { + return AuthorizationPolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this) +} + +// MarshalJSON is a custom marshaler for Rule_To +func (this *Rule_To) MarshalJSON() ([]byte, error) { + str, err 
:= AuthorizationPolicyMarshaler.MarshalToString(this) + return []byte(str), err +} + +// UnmarshalJSON is a custom unmarshaler for Rule_To +func (this *Rule_To) UnmarshalJSON(b []byte) error { + return AuthorizationPolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this) +} + +// MarshalJSON is a custom marshaler for Source +func (this *Source) MarshalJSON() ([]byte, error) { + str, err := AuthorizationPolicyMarshaler.MarshalToString(this) + return []byte(str), err +} + +// UnmarshalJSON is a custom unmarshaler for Source +func (this *Source) UnmarshalJSON(b []byte) error { + return AuthorizationPolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this) +} + +// MarshalJSON is a custom marshaler for Operation +func (this *Operation) MarshalJSON() ([]byte, error) { + str, err := AuthorizationPolicyMarshaler.MarshalToString(this) + return []byte(str), err +} + +// UnmarshalJSON is a custom unmarshaler for Operation +func (this *Operation) UnmarshalJSON(b []byte) error { + return AuthorizationPolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this) +} + +// MarshalJSON is a custom marshaler for Condition +func (this *Condition) MarshalJSON() ([]byte, error) { + str, err := AuthorizationPolicyMarshaler.MarshalToString(this) + return []byte(str), err +} + +// UnmarshalJSON is a custom unmarshaler for Condition +func (this *Condition) UnmarshalJSON(b []byte) error { + return AuthorizationPolicyUnmarshaler.Unmarshal(bytes.NewReader(b), this) +} + +var ( + AuthorizationPolicyMarshaler = &jsonpb.Marshaler{} + AuthorizationPolicyUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true} +)
diff --git a/vendor/istio.io/api/security/v1/jwt.pb.go b/vendor/istio.io/api/security/v1/jwt.pb.go
new file mode 100644
index 000000000..a31f63d54
--- /dev/null
+++ b/vendor/istio.io/api/security/v1/jwt.pb.go
@@ -0,0 +1,522 @@ +// Copyright 2022 Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.30.0 +// protoc (unknown) +// source: security/v1/jwt.proto + +// $schema: istio.security.v1.JWTRule +// $title: JWTRule +// $description: Configuration to validate JWT. +// $location: https://istio.io/docs/reference/config/security/jwt.html +// $aliases: [/docs/reference/config/security/v1/jwt] + +package v1 + +import ( + _ "google.golang.org/genproto/googleapis/api/annotations" + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// +// JSON Web Token (JWT) token format for authentication as defined by +// [RFC 7519](https://tools.ietf.org/html/rfc7519). See [OAuth 2.0](https://tools.ietf.org/html/rfc6749) and +// [OIDC 1.0](http://openid.net/connect) for how this is used in the whole +// authentication flow. +// +// Examples: +// +// Spec for a JWT that is issued by `https://example.com`, with the audience claims must be either +// `bookstore_android.apps.example.com` or `bookstore_web.apps.example.com`. 
+// The token should be presented at the `Authorization` header (default). The JSON Web Key Set (JWKS) +// will be discovered following OpenID Connect protocol. +// +// ```yaml +// issuer: https://example.com +// audiences: +// - bookstore_android.apps.example.com +// bookstore_web.apps.example.com +// +// ``` +// +// This example specifies a token in a non-default location (`x-goog-iap-jwt-assertion` header). It also +// defines the URI to fetch JWKS explicitly. +// +// ```yaml +// issuer: https://example.com +// jwksUri: https://example.com/.secret/jwks.json +// fromHeaders: +// - "x-goog-iap-jwt-assertion" +// ``` +type JWTRule struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Identifies the issuer that issued the JWT. See + // [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1) + // A JWT with different `iss` claim will be rejected. + // + // Example: `https://foobar.auth0.com` + // Example: `1234567-compute@developer.gserviceaccount.com` + Issuer string `protobuf:"bytes,1,opt,name=issuer,proto3" json:"issuer,omitempty"` + // The list of JWT + // [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) + // that are allowed to access. A JWT containing any of these + // audiences will be accepted. + // + // The service name will be accepted if audiences is empty. + // + // Example: + // + // ```yaml + // audiences: + // - bookstore_android.apps.example.com + // bookstore_web.apps.example.com + // + // ``` + Audiences []string `protobuf:"bytes,2,rep,name=audiences,proto3" json:"audiences,omitempty"` + // URL of the provider's public key set to validate signature of the + // JWT. See [OpenID Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata). 
+ // + // Optional if the key set document can either (a) be retrieved from + // [OpenID + // Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) of + // the issuer or (b) inferred from the email domain of the issuer (e.g. a + // Google service account). + // + // Example: `https://www.googleapis.com/oauth2/v1/certs` + // + // Note: Only one of `jwksUri` and `jwks` should be used. + JwksUri string `protobuf:"bytes,3,opt,name=jwks_uri,json=jwksUri,proto3" json:"jwks_uri,omitempty"` + // JSON Web Key Set of public keys to validate signature of the JWT. + // See https://auth0.com/docs/jwks. + // + // Note: Only one of `jwksUri` and `jwks` should be used. + Jwks string `protobuf:"bytes,10,opt,name=jwks,proto3" json:"jwks,omitempty"` + // List of header locations from which JWT is expected. For example, below is the location spec + // if JWT is expected to be found in `x-jwt-assertion` header, and have `Bearer` prefix: + // + // ```yaml + // + // fromHeaders: + // - name: x-jwt-assertion + // prefix: "Bearer " + // + // ``` + // + // Note: Requests with multiple tokens (at different locations) are not supported, the output principal of + // such requests is undefined. + FromHeaders []*JWTHeader `protobuf:"bytes,6,rep,name=from_headers,json=fromHeaders,proto3" json:"from_headers,omitempty"` + // List of query parameters from which JWT is expected. For example, if JWT is provided via query + // parameter `my_token` (e.g `/path?my_token=`), the config is: + // + // ```yaml + // + // fromParams: + // - "my_token" + // + // ``` + // + // Note: Requests with multiple tokens (at different locations) are not supported, the output principal of + // such requests is undefined. + FromParams []string `protobuf:"bytes,7,rep,name=from_params,json=fromParams,proto3" json:"from_params,omitempty"` + // This field specifies the header name to output a successfully verified JWT payload to the + // backend. The forwarded data is `base64_encoded(jwt_payload_in_JSON)`. 
If it is not specified, + // the payload will not be emitted. + OutputPayloadToHeader string `protobuf:"bytes,8,opt,name=output_payload_to_header,json=outputPayloadToHeader,proto3" json:"output_payload_to_header,omitempty"` + // If set to true, the original token will be kept for the upstream request. Default is false. + ForwardOriginalToken bool `protobuf:"varint,9,opt,name=forward_original_token,json=forwardOriginalToken,proto3" json:"forward_original_token,omitempty"` + // This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. + // This differs from the `output_payload_to_header` by allowing outputting individual claims instead of the whole payload. + // The header specified in each operation in the list must be unique. Nested claims of type string/int/bool is supported as well. + // ``` + // + // outputClaimToHeaders: + // - header: x-my-company-jwt-group + // claim: my-group + // - header: x-test-environment-flag + // claim: test-flag + // - header: x-jwt-claim-group + // claim: nested.key.group + // + // ``` + // [Experimental] This feature is a experimental feature. + OutputClaimToHeaders []*ClaimToHeader `protobuf:"bytes,11,rep,name=output_claim_to_headers,json=outputClaimToHeaders,proto3" json:"output_claim_to_headers,omitempty"` // [TODO:Update the status whenever this feature is promoted.] 
+} + +func (x *JWTRule) Reset() { + *x = JWTRule{} + if protoimpl.UnsafeEnabled { + mi := &file_security_v1_jwt_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *JWTRule) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*JWTRule) ProtoMessage() {} + +func (x *JWTRule) ProtoReflect() protoreflect.Message { + mi := &file_security_v1_jwt_proto_msgTypes[0] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use JWTRule.ProtoReflect.Descriptor instead. +func (*JWTRule) Descriptor() ([]byte, []int) { + return file_security_v1_jwt_proto_rawDescGZIP(), []int{0} +} + +func (x *JWTRule) GetIssuer() string { + if x != nil { + return x.Issuer + } + return "" +} + +func (x *JWTRule) GetAudiences() []string { + if x != nil { + return x.Audiences + } + return nil +} + +func (x *JWTRule) GetJwksUri() string { + if x != nil { + return x.JwksUri + } + return "" +} + +func (x *JWTRule) GetJwks() string { + if x != nil { + return x.Jwks + } + return "" +} + +func (x *JWTRule) GetFromHeaders() []*JWTHeader { + if x != nil { + return x.FromHeaders + } + return nil +} + +func (x *JWTRule) GetFromParams() []string { + if x != nil { + return x.FromParams + } + return nil +} + +func (x *JWTRule) GetOutputPayloadToHeader() string { + if x != nil { + return x.OutputPayloadToHeader + } + return "" +} + +func (x *JWTRule) GetForwardOriginalToken() bool { + if x != nil { + return x.ForwardOriginalToken + } + return false +} + +func (x *JWTRule) GetOutputClaimToHeaders() []*ClaimToHeader { + if x != nil { + return x.OutputClaimToHeaders + } + return nil +} + +// This message specifies a header location to extract JWT token. 
+type JWTHeader struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The HTTP header name. + Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` + // The prefix that should be stripped before decoding the token. + // For example, for `Authorization: Bearer `, prefix=`Bearer` with a space at the end. + // If the header doesn't have this exact prefix, it is considered invalid. + Prefix string `protobuf:"bytes,2,opt,name=prefix,proto3" json:"prefix,omitempty"` +} + +func (x *JWTHeader) Reset() { + *x = JWTHeader{} + if protoimpl.UnsafeEnabled { + mi := &file_security_v1_jwt_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *JWTHeader) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*JWTHeader) ProtoMessage() {} + +func (x *JWTHeader) ProtoReflect() protoreflect.Message { + mi := &file_security_v1_jwt_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use JWTHeader.ProtoReflect.Descriptor instead. +func (*JWTHeader) Descriptor() ([]byte, []int) { + return file_security_v1_jwt_proto_rawDescGZIP(), []int{1} +} + +func (x *JWTHeader) GetName() string { + if x != nil { + return x.Name + } + return "" +} + +func (x *JWTHeader) GetPrefix() string { + if x != nil { + return x.Prefix + } + return "" +} + +// This message specifies the detail for copying claim to header. +type ClaimToHeader struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The name of the header to be created. The header will be overridden if it already exists in the request. 
+ Header string `protobuf:"bytes,1,opt,name=header,proto3" json:"header,omitempty"` + // The name of the claim to be copied from. Only claim of type string/int/bool is supported. + // The header will not be there if the claim does not exist or the type of the claim is not supported. + Claim string `protobuf:"bytes,2,opt,name=claim,proto3" json:"claim,omitempty"` +} + +func (x *ClaimToHeader) Reset() { + *x = ClaimToHeader{} + if protoimpl.UnsafeEnabled { + mi := &file_security_v1_jwt_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ClaimToHeader) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ClaimToHeader) ProtoMessage() {} + +func (x *ClaimToHeader) ProtoReflect() protoreflect.Message { + mi := &file_security_v1_jwt_proto_msgTypes[2] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ClaimToHeader.ProtoReflect.Descriptor instead. 
+func (*ClaimToHeader) Descriptor() ([]byte, []int) { + return file_security_v1_jwt_proto_rawDescGZIP(), []int{2} +} + +func (x *ClaimToHeader) GetHeader() string { + if x != nil { + return x.Header + } + return "" +} + +func (x *ClaimToHeader) GetClaim() string { + if x != nil { + return x.Claim + } + return "" +} + +var File_security_v1_jwt_proto protoreflect.FileDescriptor + +var file_security_v1_jwt_proto_rawDesc = []byte{ + 0x0a, 0x15, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x2f, 0x6a, 0x77, + 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x11, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, + 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, + 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, + 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x9d, 0x03, 0x0a, 0x07, + 0x4a, 0x57, 0x54, 0x52, 0x75, 0x6c, 0x65, 0x12, 0x1b, 0x0a, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, + 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x06, 0x69, 0x73, + 0x73, 0x75, 0x65, 0x72, 0x12, 0x1c, 0x0a, 0x09, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, + 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x09, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, + 0x65, 0x73, 0x12, 0x19, 0x0a, 0x08, 0x6a, 0x77, 0x6b, 0x73, 0x5f, 0x75, 0x72, 0x69, 0x18, 0x03, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, 0x6a, 0x77, 0x6b, 0x73, 0x55, 0x72, 0x69, 0x12, 0x12, 0x0a, + 0x04, 0x6a, 0x77, 0x6b, 0x73, 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6a, 0x77, 0x6b, + 0x73, 0x12, 0x3f, 0x0a, 0x0c, 0x66, 0x72, 0x6f, 0x6d, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, + 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, + 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x4a, 0x57, 0x54, 0x48, + 0x65, 0x61, 0x64, 0x65, 0x72, 0x52, 0x0b, 0x66, 0x72, 0x6f, 0x6d, 0x48, 0x65, 0x61, 0x64, 0x65, 
+ 0x72, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x66, 0x72, 0x6f, 0x6d, 0x5f, 0x70, 0x61, 0x72, 0x61, 0x6d, + 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a, 0x66, 0x72, 0x6f, 0x6d, 0x50, 0x61, 0x72, + 0x61, 0x6d, 0x73, 0x12, 0x37, 0x0a, 0x18, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x5f, 0x70, 0x61, + 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x74, 0x6f, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, + 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x15, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x50, 0x61, 0x79, + 0x6c, 0x6f, 0x61, 0x64, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x34, 0x0a, 0x16, + 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x5f, 0x6f, 0x72, 0x69, 0x67, 0x69, 0x6e, 0x61, 0x6c, + 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x09, 0x20, 0x01, 0x28, 0x08, 0x52, 0x14, 0x66, 0x6f, + 0x72, 0x77, 0x61, 0x72, 0x64, 0x4f, 0x72, 0x69, 0x67, 0x69, 0x6e, 0x61, 0x6c, 0x54, 0x6f, 0x6b, + 0x65, 0x6e, 0x12, 0x57, 0x0a, 0x17, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x5f, 0x63, 0x6c, 0x61, + 0x69, 0x6d, 0x5f, 0x74, 0x6f, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x18, 0x0b, 0x20, + 0x03, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, + 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, + 0x65, 0x61, 0x64, 0x65, 0x72, 0x52, 0x14, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x43, 0x6c, 0x61, + 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x22, 0x3c, 0x0a, 0x09, 0x4a, + 0x57, 0x54, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x17, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d, + 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x22, 0x3d, 0x0a, 0x0d, 0x43, 0x6c, 0x61, + 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x68, 0x65, + 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 
0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, + 0x65, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x18, 0x02, 0x20, 0x01, 0x28, + 0x09, 0x52, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x42, 0x1a, 0x5a, 0x18, 0x69, 0x73, 0x74, 0x69, + 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, + 0x79, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_security_v1_jwt_proto_rawDescOnce sync.Once + file_security_v1_jwt_proto_rawDescData = file_security_v1_jwt_proto_rawDesc +) + +func file_security_v1_jwt_proto_rawDescGZIP() []byte { + file_security_v1_jwt_proto_rawDescOnce.Do(func() { + file_security_v1_jwt_proto_rawDescData = protoimpl.X.CompressGZIP(file_security_v1_jwt_proto_rawDescData) + }) + return file_security_v1_jwt_proto_rawDescData +} + +var file_security_v1_jwt_proto_msgTypes = make([]protoimpl.MessageInfo, 3) +var file_security_v1_jwt_proto_goTypes = []interface{}{ + (*JWTRule)(nil), // 0: istio.security.v1.JWTRule + (*JWTHeader)(nil), // 1: istio.security.v1.JWTHeader + (*ClaimToHeader)(nil), // 2: istio.security.v1.ClaimToHeader +} +var file_security_v1_jwt_proto_depIdxs = []int32{ + 1, // 0: istio.security.v1.JWTRule.from_headers:type_name -> istio.security.v1.JWTHeader + 2, // 1: istio.security.v1.JWTRule.output_claim_to_headers:type_name -> istio.security.v1.ClaimToHeader + 2, // [2:2] is the sub-list for method output_type + 2, // [2:2] is the sub-list for method input_type + 2, // [2:2] is the sub-list for extension type_name + 2, // [2:2] is the sub-list for extension extendee + 0, // [0:2] is the sub-list for field type_name +} + +func init() { file_security_v1_jwt_proto_init() } +func file_security_v1_jwt_proto_init() { + if File_security_v1_jwt_proto != nil { + return + } + if !protoimpl.UnsafeEnabled { + file_security_v1_jwt_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*JWTRule); i { + case 0: + return 
&v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_security_v1_jwt_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*JWTHeader); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_security_v1_jwt_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ClaimToHeader); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_security_v1_jwt_proto_rawDesc, + NumEnums: 0, + NumMessages: 3, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_security_v1_jwt_proto_goTypes, + DependencyIndexes: file_security_v1_jwt_proto_depIdxs, + MessageInfos: file_security_v1_jwt_proto_msgTypes, + }.Build() + File_security_v1_jwt_proto = out.File + file_security_v1_jwt_proto_rawDesc = nil + file_security_v1_jwt_proto_goTypes = nil + file_security_v1_jwt_proto_depIdxs = nil +} diff --git a/vendor/istio.io/api/security/v1/jwt.pb.html b/vendor/istio.io/api/security/v1/jwt.pb.html new file mode 100644 index 000000000..16d4eb44b --- /dev/null +++ b/vendor/istio.io/api/security/v1/jwt.pb.html @@ -0,0 +1,276 @@ +--- +title: JWTRule +description: Configuration to validate JWT. +location: https://istio.io/docs/reference/config/security/jwt.html +layout: protoc-gen-docs +generator: protoc-gen-docs +schema: istio.security.v1.JWTRule +aliases: [/docs/reference/config/security/v1/jwt] +number_of_entries: 3 +--- +

JWTRule

+
+

JSON Web Token (JWT) token format for authentication as defined by +RFC 7519. See OAuth 2.0 and +OIDC 1.0 for how this is used in the whole +authentication flow.

+

Examples:

+

Spec for a JWT that is issued by https://example.com, with the audience claims must be either +bookstore_android.apps.example.com or bookstore_web.apps.example.com. +The token should be presented at the Authorization header (default). The JSON Web Key Set (JWKS) +will be discovered following OpenID Connect protocol.

+
issuer: https://example.com
+audiences:
+- bookstore_android.apps.example.com
+  bookstore_web.apps.example.com
+
+

This example specifies a token in a non-default location (x-goog-iap-jwt-assertion header). It also +defines the URI to fetch JWKS explicitly.

+
issuer: https://example.com
+jwksUri: https://example.com/.secret/jwks.json
+fromHeaders:
+- "x-goog-iap-jwt-assertion"
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
issuerstring +

Identifies the issuer that issued the JWT. See +issuer +A JWT with different iss claim will be rejected.

+

Example: https://foobar.auth0.com +Example: 1234567-compute@developer.gserviceaccount.com

+ +
+Yes +
audiencesstring[] +

The list of JWT +audiences +that are allowed to access. A JWT containing any of these +audiences will be accepted.

+

The service name will be accepted if audiences is empty.

+

Example:

+
audiences:
+- bookstore_android.apps.example.com
+  bookstore_web.apps.example.com
+
+ +
+No +
jwksUristring +

URL of the provider’s public key set to validate signature of the +JWT. See OpenID Discovery.

+

Optional if the key set document can either (a) be retrieved from +OpenID +Discovery of +the issuer or (b) inferred from the email domain of the issuer (e.g. a +Google service account).

+

Example: https://www.googleapis.com/oauth2/v1/certs

+

Note: Only one of jwksUri and jwks should be used.

+ +
+No +
jwksstring +

JSON Web Key Set of public keys to validate signature of the JWT. +See https://auth0.com/docs/jwks.

+

Note: Only one of jwksUri and jwks should be used.

+ +
+No +
fromHeadersJWTHeader[] +

List of header locations from which JWT is expected. For example, below is the location spec +if JWT is expected to be found in x-jwt-assertion header, and have Bearer prefix:

+
  fromHeaders:
+  - name: x-jwt-assertion
+    prefix: "Bearer "
+
+

Note: Requests with multiple tokens (at different locations) are not supported, the output principal of +such requests is undefined.

+ +
+No +
fromParamsstring[] +

List of query parameters from which JWT is expected. For example, if JWT is provided via query +parameter my_token (e.g /path?my_token=<JWT>), the config is:

+
  fromParams:
+  - "my_token"
+
+

Note: Requests with multiple tokens (at different locations) are not supported, the output principal of +such requests is undefined.

+ +
+No +
outputPayloadToHeaderstring +

This field specifies the header name to output a successfully verified JWT payload to the +backend. The forwarded data is base64_encoded(jwt_payload_in_JSON). If it is not specified, +the payload will not be emitted.

+ +
+No +
forwardOriginalTokenbool +

If set to true, the original token will be kept for the upstream request. Default is false.

+ +
+No +
outputClaimToHeadersClaimToHeader[] +

This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. +This differs from the output_payload_to_header by allowing outputting individual claims instead of the whole payload. +The header specified in each operation in the list must be unique. Nested claims of type string/int/bool is supported as well.

+
  outputClaimToHeaders:
+  - header: x-my-company-jwt-group
+    claim: my-group
+  - header: x-test-environment-flag
+    claim: test-flag
+  - header: x-jwt-claim-group
+    claim: nested.key.group
+
+

[Experimental] This feature is a experimental feature.

+ +
+No +
+
+

JWTHeader

+
+

This message specifies a header location to extract JWT token.

+ + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
namestring +

The HTTP header name.

+ +
+Yes +
prefixstring +

The prefix that should be stripped before decoding the token. +For example, for Authorization: Bearer <token>, prefix=Bearer with a space at the end. +If the header doesn’t have this exact prefix, it is considered invalid.

+ +
+No +
+
+

ClaimToHeader

+
+

This message specifies the detail for copying claim to header.

+ + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
headerstring +

The name of the header to be created. The header will be overridden if it already exists in the request.

+ +
+No +
claimstring +

The name of the claim to be copied from. Only claim of type string/int/bool is supported. +The header will not be there if the claim does not exist or the type of the claim is not supported.

+ +
+No +
+
diff --git a/vendor/istio.io/api/security/v1/jwt.proto b/vendor/istio.io/api/security/v1/jwt.proto new file mode 100644 index 000000000..c75648620 --- /dev/null +++ b/vendor/istio.io/api/security/v1/jwt.proto 
@@ -0,0 +1,186 @@
+// Copyright 2022 Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+syntax = "proto3";
+
+import "google/api/field_behavior.proto";
+
+// $schema: istio.security.v1.JWTRule
+// $title: JWTRule
+// $description: Configuration to validate JWT.
+// $location: https://istio.io/docs/reference/config/security/jwt.html
+// $aliases: [/docs/reference/config/security/v1/jwt]
+
+package istio.security.v1;
+
+option go_package="istio.io/api/security/v1";
+
+//
+// JSON Web Token (JWT) token format for authentication as defined by
+// [RFC 7519](https://tools.ietf.org/html/rfc7519). See [OAuth 2.0](https://tools.ietf.org/html/rfc6749) and
+// [OIDC 1.0](http://openid.net/connect) for how this is used in the whole
+// authentication flow.
+//
+// Examples:
+//
+// Spec for a JWT that is issued by `https://example.com`, with the audience claims must be either
+// `bookstore_android.apps.example.com` or `bookstore_web.apps.example.com`.
+// The token should be presented at the `Authorization` header (default). The JSON Web Key Set (JWKS)
+// will be discovered following OpenID Connect protocol.
+//
+// ```yaml
+// issuer: https://example.com
+// audiences:
+// - bookstore_android.apps.example.com
+// bookstore_web.apps.example.com
+// ```
+//
+// This example specifies a token in a non-default location (`x-goog-iap-jwt-assertion` header). It also
+// defines the URI to fetch JWKS explicitly.
+//
+// ```yaml
+// issuer: https://example.com
+// jwksUri: https://example.com/.secret/jwks.json
+// fromHeaders:
+// - "x-goog-iap-jwt-assertion"
+// ```
+message JWTRule {
+ // Identifies the issuer that issued the JWT. See
+ // [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1)
+ // A JWT with different `iss` claim will be rejected.
+ //
+ // Example: `https://foobar.auth0.com`
+ // Example: `1234567-compute@developer.gserviceaccount.com`
+ string issuer = 1 [(google.api.field_behavior) = REQUIRED];
+
+ // The list of JWT
+ // [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
+ // that are allowed to access. A JWT containing any of these
+ // audiences will be accepted.
+ //
+ // The service name will be accepted if audiences is empty.
+ //
+ // Example:
+ //
+ // ```yaml
+ // audiences:
+ // - bookstore_android.apps.example.com
+ // bookstore_web.apps.example.com
+ // ```
+ repeated string audiences = 2;
+
+ // URL of the provider's public key set to validate signature of the
+ // JWT. See [OpenID Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
+ //
+ // Optional if the key set document can either (a) be retrieved from
+ // [OpenID
+ // Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) of
+ // the issuer or (b) inferred from the email domain of the issuer (e.g. a
+ // Google service account).
+ //
+ // Example: `https://www.googleapis.com/oauth2/v1/certs`
+ //
+ // Note: Only one of `jwksUri` and `jwks` should be used.
+ string jwks_uri = 3;
+
+ // JSON Web Key Set of public keys to validate signature of the JWT.
+ // See https://auth0.com/docs/jwks.
+ //
+ // Note: Only one of `jwksUri` and `jwks` should be used.
+ string jwks = 10;
+
+ // The next two fields define how to extract the JWT from an HTTP request.
+ //
+ // If no explicit location is specified the following default
+ // locations are tried in order:
+ //
+ // 1) The Authorization header using the Bearer schema,
+ // e.g. Authorization: Bearer . (see
+ // [Authorization Request Header
+ // Field](https://tools.ietf.org/html/rfc6750#section-2.1))
+ //
+ // 2) The `access_token` query parameter (see
+ // [URI Query Parameter](https://tools.ietf.org/html/rfc6750#section-2.3))
+
+ // List of header locations from which JWT is expected. For example, below is the location spec
+ // if JWT is expected to be found in `x-jwt-assertion` header, and have `Bearer` prefix:
+ //
+ // ```yaml
+ // fromHeaders:
+ // - name: x-jwt-assertion
+ // prefix: "Bearer "
+ // ```
+ //
+ // Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
+ // such requests is undefined.
+ repeated JWTHeader from_headers = 6;
+
+ // List of query parameters from which JWT is expected. For example, if JWT is provided via query
+ // parameter `my_token` (e.g `/path?my_token=`), the config is:
+ //
+ // ```yaml
+ // fromParams:
+ // - "my_token"
+ // ```
+ //
+ // Note: Requests with multiple tokens (at different locations) are not supported, the output principal of
+ // such requests is undefined.
+ repeated string from_params = 7;
+
+ // This field specifies the header name to output a successfully verified JWT payload to the
+ // backend. The forwarded data is `base64_encoded(jwt_payload_in_JSON)`. If it is not specified,
+ // the payload will not be emitted.
+ string output_payload_to_header = 8;
+
+ // If set to true, the original token will be kept for the upstream request. Default is false.
+ bool forward_original_token = 9;
+
+
+ // This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.
+ // This differs from the `output_payload_to_header` by allowing outputting individual claims instead of the whole payload.
+ // The header specified in each operation in the list must be unique. Nested claims of type string/int/bool is supported as well.
+ // ```
+ // outputClaimToHeaders:
+ // - header: x-my-company-jwt-group
+ // claim: my-group
+ // - header: x-test-environment-flag
+ // claim: test-flag
+ // - header: x-jwt-claim-group
+ // claim: nested.key.group
+ // ```
+ // [Experimental] This feature is a experimental feature.
+ repeated ClaimToHeader output_claim_to_headers = 11; // [TODO:Update the status whenever this feature is promoted.]
+}
+
+// This message specifies a header location to extract JWT token.
+message JWTHeader {
+ // The HTTP header name.
+ string name = 1 [(google.api.field_behavior) = REQUIRED];
+
+ // The prefix that should be stripped before decoding the token.
+ // For example, for `Authorization: Bearer `, prefix=`Bearer` with a space at the end.
+ // If the header doesn't have this exact prefix, it is considered invalid.
+ string prefix = 2;
+}
+
+// This message specifies the detail for copying claim to header.
+message ClaimToHeader {
+ // The name of the header to be created. The header will be overridden if it already exists in the request.
+ string header = 1;
+
+ // The name of the claim to be copied from. Only claim of type string/int/bool is supported.
+ // The header will not be there if the claim does not exist or the type of the claim is not supported.
+ string claim = 2;
+}
diff --git a/vendor/istio.io/api/security/v1/jwt_deepcopy.gen.go b/vendor/istio.io/api/security/v1/jwt_deepcopy.gen.go
new file mode 100644
index 000000000..8f44c7b55
--- /dev/null
+++ b/vendor/istio.io/api/security/v1/jwt_deepcopy.gen.go
@@ -0,0 +1,69 @@ +// Code generated by protoc-gen-deepcopy. DO NOT EDIT. +package v1 + +import ( + proto "google.golang.org/protobuf/proto" +) + +// DeepCopyInto supports using JWTRule within kubernetes types, where deepcopy-gen is used. +func (in *JWTRule) DeepCopyInto(out *JWTRule) { + p := proto.Clone(in).(*JWTRule) + *out = *p +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTRule. Required by controller-gen. +func (in *JWTRule) DeepCopy() *JWTRule { + if in == nil { + return nil + } + out := new(JWTRule) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new JWTRule. Required by controller-gen. +func (in *JWTRule) DeepCopyInterface() interface{} { + return in.DeepCopy() +} + +// DeepCopyInto supports using JWTHeader within kubernetes types, where deepcopy-gen is used. +func (in *JWTHeader) DeepCopyInto(out *JWTHeader) { + p := proto.Clone(in).(*JWTHeader) + *out = *p +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JWTHeader. Required by controller-gen. +func (in *JWTHeader) DeepCopy() *JWTHeader { + if in == nil { + return nil + } + out := new(JWTHeader) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new JWTHeader. Required by controller-gen. +func (in *JWTHeader) DeepCopyInterface() interface{} { + return in.DeepCopy() +} + +// DeepCopyInto supports using ClaimToHeader within kubernetes types, where deepcopy-gen is used. +func (in *ClaimToHeader) DeepCopyInto(out *ClaimToHeader) { + p := proto.Clone(in).(*ClaimToHeader) + *out = *p +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClaimToHeader. Required by controller-gen. 
+func (in *ClaimToHeader) DeepCopy() *ClaimToHeader { + if in == nil { + return nil + } + out := new(ClaimToHeader) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new ClaimToHeader. Required by controller-gen. +func (in *ClaimToHeader) DeepCopyInterface() interface{} { + return in.DeepCopy() +} diff --git a/vendor/istio.io/api/security/v1/jwt_json.gen.go b/vendor/istio.io/api/security/v1/jwt_json.gen.go new file mode 100644 index 000000000..b330a86ba --- /dev/null +++ b/vendor/istio.io/api/security/v1/jwt_json.gen.go @@ -0,0 +1,45 @@ +// Code generated by protoc-gen-jsonshim. DO NOT EDIT. +package v1 + +import ( + bytes "bytes" + jsonpb "github.com/golang/protobuf/jsonpb" +) + +// MarshalJSON is a custom marshaler for JWTRule +func (this *JWTRule) MarshalJSON() ([]byte, error) { + str, err := JwtMarshaler.MarshalToString(this) + return []byte(str), err +} + +// UnmarshalJSON is a custom unmarshaler for JWTRule +func (this *JWTRule) UnmarshalJSON(b []byte) error { + return JwtUnmarshaler.Unmarshal(bytes.NewReader(b), this) +} + +// MarshalJSON is a custom marshaler for JWTHeader +func (this *JWTHeader) MarshalJSON() ([]byte, error) { + str, err := JwtMarshaler.MarshalToString(this) + return []byte(str), err +} + +// UnmarshalJSON is a custom unmarshaler for JWTHeader +func (this *JWTHeader) UnmarshalJSON(b []byte) error { + return JwtUnmarshaler.Unmarshal(bytes.NewReader(b), this) +} + +// MarshalJSON is a custom marshaler for ClaimToHeader +func (this *ClaimToHeader) MarshalJSON() ([]byte, error) { + str, err := JwtMarshaler.MarshalToString(this) + return []byte(str), err +} + +// UnmarshalJSON is a custom unmarshaler for ClaimToHeader +func (this *ClaimToHeader) UnmarshalJSON(b []byte) error { + return JwtUnmarshaler.Unmarshal(bytes.NewReader(b), this) +} + +var ( + JwtMarshaler = &jsonpb.Marshaler{} + JwtUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true} +) 
diff --git a/vendor/istio.io/api/security/v1/request_authentication.pb.go b/vendor/istio.io/api/security/v1/request_authentication.pb.go new file mode 100644 index 000000000..5110b10b0 --- /dev/null +++ b/vendor/istio.io/api/security/v1/request_authentication.pb.go 
@@ -0,0 +1,458 @@ +// Copyright 2019 Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.30.0 +// protoc (unknown) +// source: security/v1/request_authentication.proto + +// $schema: istio.security.v1.RequestAuthentication +// $title: RequestAuthentication +// $description: Request authentication configuration for workloads. +// $location: https://istio.io/docs/reference/config/security/request_authentication.html +// $aliases: [/docs/reference/config/security/v1/request_authentication] + +package v1 + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + v1beta1 "istio.io/api/type/v1beta1" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +// RequestAuthentication defines what request authentication methods are supported by a workload. +// It will reject a request if the request contains invalid authentication information, based on the +// configured authentication rules. A request that does not contain any authentication credentials +// will be accepted but will not have any authenticated identity. 
To restrict access to authenticated +// requests only, this should be accompanied by an authorization rule. +// Examples: +// +// - Require JWT for all request for workloads that have label `app:httpbin` +// +// ```yaml +// apiVersion: security.istio.io/v1 +// kind: RequestAuthentication +// metadata: +// +// name: httpbin +// namespace: foo +// +// spec: +// +// selector: +// matchLabels: +// app: httpbin +// jwtRules: +// - issuer: "issuer-foo" +// jwksUri: https://example.com/.well-known/jwks.json +// +// --- +// apiVersion: security.istio.io/v1 +// kind: AuthorizationPolicy +// metadata: +// +// name: httpbin +// namespace: foo +// +// spec: +// +// selector: +// matchLabels: +// app: httpbin +// rules: +// - from: +// - source: +// requestPrincipals: ["*"] +// +// ``` +// +// - A policy in the root namespace ("istio-system" by default) applies to workloads in all namespaces +// in a mesh. The following policy makes all workloads only accept requests that contain a +// valid JWT token. +// +// ```yaml +// apiVersion: security.istio.io/v1 +// kind: RequestAuthentication +// metadata: +// +// name: req-authn-for-all +// namespace: istio-system +// +// spec: +// +// jwtRules: +// - issuer: "issuer-foo" +// jwksUri: https://example.com/.well-known/jwks.json +// +// --- +// apiVersion: security.istio.io/v1 +// kind: AuthorizationPolicy +// metadata: +// +// name: require-jwt-for-all +// namespace: istio-system +// +// spec: +// +// rules: +// - from: +// - source: +// requestPrincipals: ["*"] +// +// ``` +// +// - The next example shows how to set a different JWT requirement for a different `host`. The `RequestAuthentication` +// declares it can accept JWTs issued by either `issuer-foo` or `issuer-bar` (the public key set is implicitly +// set from the OpenID Connect spec). 
+// +// ```yaml +// apiVersion: security.istio.io/v1 +// kind: RequestAuthentication +// metadata: +// +// name: httpbin +// namespace: foo +// +// spec: +// +// selector: +// matchLabels: +// app: httpbin +// jwtRules: +// - issuer: "issuer-foo" +// - issuer: "issuer-bar" +// +// --- +// apiVersion: security.istio.io/v1 +// kind: AuthorizationPolicy +// metadata: +// +// name: httpbin +// namespace: foo +// +// spec: +// +// selector: +// matchLabels: +// app: httpbin +// rules: +// - from: +// - source: +// requestPrincipals: ["issuer-foo/*"] +// to: +// - operation: +// hosts: ["example.com"] +// - from: +// - source: +// requestPrincipals: ["issuer-bar/*"] +// to: +// - operation: +// hosts: ["another-host.com"] +// +// ``` +// +// - You can fine tune the authorization policy to set different requirement per path. For example, +// to require JWT on all paths, except /healthz, the same `RequestAuthentication` can be used, but the +// authorization policy could be: +// +// ```yaml +// apiVersion: security.istio.io/v1 +// kind: AuthorizationPolicy +// metadata: +// +// name: httpbin +// namespace: foo +// +// spec: +// +// selector: +// matchLabels: +// app: httpbin +// rules: +// - from: +// - source: +// requestPrincipals: ["*"] +// - to: +// - operation: +// paths: ["/healthz"] +// +// ``` +// +// [Experimental] Routing based on derived [metadata](https://istio.io/latest/docs/reference/config/security/conditions/) +// is now supported. A prefix '@' is used to denote a match against internal metadata instead of the headers in the request. +// Currently this feature is only supported for the following metadata: +// +// - `request.auth.claims.{claim-name}[.{sub-claim}]*` which are extracted from validated JWT tokens. The claim name +// currently does not support the `.` character. Examples: `request.auth.claims.sub` and `request.auth.claims.name.givenName`. +// +// The use of matches against JWT claim metadata is only supported in Gateways. 
The following example shows: +// +// - RequestAuthentication to decode and validate a JWT. This also makes the `@request.auth.claims` available for use in the VirtualService. +// - AuthorizationPolicy to check for valid principals in the request. This makes the JWT required for the request. +// - VirtualService to route the request based on the "sub" claim. +// +// ```yaml +// apiVersion: security.istio.io/v1 +// kind: RequestAuthentication +// metadata: +// +// name: jwt-on-ingress +// namespace: istio-system +// +// spec: +// +// selector: +// matchLabels: +// app: istio-ingressgateway +// jwtRules: +// - issuer: "example.com" +// jwksUri: https://example.com/.well-known/jwks.json +// +// --- +// apiVersion: security.istio.io/v1 +// kind: AuthorizationPolicy +// metadata: +// +// name: require-jwt +// namespace: istio-system +// +// spec: +// +// selector: +// matchLabels: +// app: istio-ingressgateway +// rules: +// - from: +// - source: +// requestPrincipals: ["*"] +// +// --- +// apiVersion: networking.istio.io/v1alpha3 +// kind: VirtualService +// metadata: +// +// name: route-jwt +// +// spec: +// +// hosts: +// - foo.prod.svc.cluster.local +// gateways: +// - istio-ingressgateway +// http: +// - name: "v2" +// match: +// - headers: +// "@request.auth.claims.sub": +// exact: "dev" +// route: +// - destination: +// host: foo.prod.svc.cluster.local +// subset: v2 +// - name: "default" +// route: +// - destination: +// host: foo.prod.svc.cluster.local +// subset: v1 +// +// ``` +// +// +// +// +// +type RequestAuthentication struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Optional. The selector decides where to apply the request authentication policy. The selector will match with workloads + // in the same namespace as the request authentication policy. If the request authentication policy is in the root namespace, + // the selector will additionally match with workloads in all namespaces. 
+ // + // If not set, the selector will match all workloads. + Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"` + // Define the list of JWTs that can be validated at the selected workloads' proxy. A valid token + // will be used to extract the authenticated identity. + // Each rule will be activated only when a token is presented at the location recognized by the + // rule. The token will be validated based on the JWT rule config. If validation fails, the request will + // be rejected. + // Note: Requests with multiple tokens (at different locations) are not supported, the output principal of + // such requests is undefined. + JwtRules []*JWTRule `protobuf:"bytes,2,rep,name=jwt_rules,json=jwtRules,proto3" json:"jwt_rules,omitempty"` +} + +func (x *RequestAuthentication) Reset() { + *x = RequestAuthentication{} + if protoimpl.UnsafeEnabled { + mi := &file_security_v1_request_authentication_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *RequestAuthentication) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*RequestAuthentication) ProtoMessage() {} + +func (x *RequestAuthentication) ProtoReflect() protoreflect.Message { + mi := &file_security_v1_request_authentication_proto_msgTypes[0] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use RequestAuthentication.ProtoReflect.Descriptor instead. 
+func (*RequestAuthentication) Descriptor() ([]byte, []int) { + return file_security_v1_request_authentication_proto_rawDescGZIP(), []int{0} +} + +func (x *RequestAuthentication) GetSelector() *v1beta1.WorkloadSelector { + if x != nil { + return x.Selector + } + return nil +} + +func (x *RequestAuthentication) GetJwtRules() []*JWTRule { + if x != nil { + return x.JwtRules + } + return nil +} + +var File_security_v1_request_authentication_proto protoreflect.FileDescriptor + +var file_security_v1_request_authentication_proto_rawDesc = []byte{ + 0x0a, 0x28, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x2f, 0x72, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, + 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x11, 0x69, 0x73, 0x74, 0x69, + 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x1a, 0x15, 0x73, + 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x2f, 0x6a, 0x77, 0x74, 0x2e, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1b, 0x74, 0x79, 0x70, 0x65, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, + 0x61, 0x31, 0x2f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x22, 0x92, 0x01, 0x0a, 0x15, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x41, 0x75, 0x74, + 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x40, 0x0a, 0x08, 0x73, + 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x24, 0x2e, + 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, + 0x61, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x65, 0x6c, 0x65, 0x63, + 0x74, 0x6f, 0x72, 0x52, 0x08, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x37, 0x0a, + 0x09, 0x6a, 0x77, 0x74, 0x5f, 0x72, 0x75, 0x6c, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, + 0x32, 0x1a, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 
0x72, 0x69, 0x74, + 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x4a, 0x57, 0x54, 0x52, 0x75, 0x6c, 0x65, 0x52, 0x08, 0x6a, 0x77, + 0x74, 0x52, 0x75, 0x6c, 0x65, 0x73, 0x42, 0x1a, 0x5a, 0x18, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, + 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, + 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, +} + +var ( + file_security_v1_request_authentication_proto_rawDescOnce sync.Once + file_security_v1_request_authentication_proto_rawDescData = file_security_v1_request_authentication_proto_rawDesc +) + +func file_security_v1_request_authentication_proto_rawDescGZIP() []byte { + file_security_v1_request_authentication_proto_rawDescOnce.Do(func() { + file_security_v1_request_authentication_proto_rawDescData = protoimpl.X.CompressGZIP(file_security_v1_request_authentication_proto_rawDescData) + }) + return file_security_v1_request_authentication_proto_rawDescData +} + +var file_security_v1_request_authentication_proto_msgTypes = make([]protoimpl.MessageInfo, 1) +var file_security_v1_request_authentication_proto_goTypes = []interface{}{ + (*RequestAuthentication)(nil), // 0: istio.security.v1.RequestAuthentication + (*v1beta1.WorkloadSelector)(nil), // 1: istio.type.v1beta1.WorkloadSelector + (*JWTRule)(nil), // 2: istio.security.v1.JWTRule +} +var file_security_v1_request_authentication_proto_depIdxs = []int32{ + 1, // 0: istio.security.v1.RequestAuthentication.selector:type_name -> istio.type.v1beta1.WorkloadSelector + 2, // 1: istio.security.v1.RequestAuthentication.jwt_rules:type_name -> istio.security.v1.JWTRule + 2, // [2:2] is the sub-list for method output_type + 2, // [2:2] is the sub-list for method input_type + 2, // [2:2] is the sub-list for extension type_name + 2, // [2:2] is the sub-list for extension extendee + 0, // [0:2] is the sub-list for field type_name +} + +func init() { file_security_v1_request_authentication_proto_init() } +func 
file_security_v1_request_authentication_proto_init() { + if File_security_v1_request_authentication_proto != nil { + return + } + file_security_v1_jwt_proto_init() + if !protoimpl.UnsafeEnabled { + file_security_v1_request_authentication_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*RequestAuthentication); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_security_v1_request_authentication_proto_rawDesc, + NumEnums: 0, + NumMessages: 1, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_security_v1_request_authentication_proto_goTypes, + DependencyIndexes: file_security_v1_request_authentication_proto_depIdxs, + MessageInfos: file_security_v1_request_authentication_proto_msgTypes, + }.Build() + File_security_v1_request_authentication_proto = out.File + file_security_v1_request_authentication_proto_rawDesc = nil + file_security_v1_request_authentication_proto_goTypes = nil + file_security_v1_request_authentication_proto_depIdxs = nil +} diff --git a/vendor/istio.io/api/security/v1/request_authentication.pb.html b/vendor/istio.io/api/security/v1/request_authentication.pb.html new file mode 100644 index 000000000..1041f528e --- /dev/null +++ b/vendor/istio.io/api/security/v1/request_authentication.pb.html @@ -0,0 +1,247 @@ +--- +title: RequestAuthentication +description: Request authentication configuration for workloads. +location: https://istio.io/docs/reference/config/security/request_authentication.html +layout: protoc-gen-docs +generator: protoc-gen-docs +schema: istio.security.v1.RequestAuthentication +aliases: [/docs/reference/config/security/v1/request_authentication] +number_of_entries: 1 +--- +

RequestAuthentication

+
+

RequestAuthentication defines what request authentication methods are supported by a workload. +It will reject a request if the request contains invalid authentication information, based on the +configured authentication rules. A request that does not contain any authentication credentials +will be accepted but will not have any authenticated identity. To restrict access to authenticated +requests only, this should be accompanied by an authorization rule. +Examples:

+
    +
  • Require JWT for all request for workloads that have label app:httpbin
  • +
+
apiVersion: security.istio.io/v1
+kind: RequestAuthentication
+metadata:
+  name: httpbin
+  namespace: foo
+spec:
+  selector:
+    matchLabels:
+      app: httpbin
+  jwtRules:
+  - issuer: "issuer-foo"
+    jwksUri: https://example.com/.well-known/jwks.json
+---
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: httpbin
+  namespace: foo
+spec:
+  selector:
+    matchLabels:
+      app: httpbin
+  rules:
+  - from:
+    - source:
+        requestPrincipals: ["*"]
+
+
    +
  • A policy in the root namespace (“istio-system” by default) applies to workloads in all namespaces +in a mesh. The following policy makes all workloads only accept requests that contain a +valid JWT token.
  • +
+
apiVersion: security.istio.io/v1
+kind: RequestAuthentication
+metadata:
+  name: req-authn-for-all
+  namespace: istio-system
+spec:
+  jwtRules:
+  - issuer: "issuer-foo"
+    jwksUri: https://example.com/.well-known/jwks.json
+---
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: require-jwt-for-all
+  namespace: istio-system
+spec:
+  rules:
+  - from:
+    - source:
+        requestPrincipals: ["*"]
+
+
    +
  • The next example shows how to set a different JWT requirement for a different host. The RequestAuthentication +declares it can accept JWTs issued by either issuer-foo or issuer-bar (the public key set is implicitly +set from the OpenID Connect spec).
  • +
+
apiVersion: security.istio.io/v1
+kind: RequestAuthentication
+metadata:
+  name: httpbin
+  namespace: foo
+spec:
+  selector:
+    matchLabels:
+      app: httpbin
+  jwtRules:
+  - issuer: "issuer-foo"
+  - issuer: "issuer-bar"
+---
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: httpbin
+  namespace: foo
+spec:
+  selector:
+    matchLabels:
+      app: httpbin
+  rules:
+  - from:
+    - source:
+        requestPrincipals: ["issuer-foo/*"]
+    to:
+    - operation:
+        hosts: ["example.com"]
+  - from:
+    - source:
+        requestPrincipals: ["issuer-bar/*"]
+    to:
+    - operation:
+        hosts: ["another-host.com"]
+
+
    +
  • You can fine tune the authorization policy to set different requirement per path. For example, +to require JWT on all paths, except /healthz, the same RequestAuthentication can be used, but the +authorization policy could be:
  • +
+
apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: httpbin
+  namespace: foo
+spec:
+  selector:
+    matchLabels:
+      app: httpbin
+  rules:
+  - from:
+    - source:
+        requestPrincipals: ["*"]
+  - to:
+    - operation:
+        paths: ["/healthz"]
+
+

[Experimental] Routing based on derived metadata +is now supported. A prefix ‘@’ is used to denote a match against internal metadata instead of the headers in the request. +Currently this feature is only supported for the following metadata:

+
    +
  • request.auth.claims.{claim-name}[.{sub-claim}]* which are extracted from validated JWT tokens. The claim name +currently does not support the . character. Examples: request.auth.claims.sub and request.auth.claims.name.givenName.
  • +
+

The use of matches against JWT claim metadata is only supported in Gateways. The following example shows:

+
    +
  • RequestAuthentication to decode and validate a JWT. This also makes the @request.auth.claims available for use in the VirtualService.
  • +
  • AuthorizationPolicy to check for valid principals in the request. This makes the JWT required for the request.
  • +
  • VirtualService to route the request based on the “sub” claim.
  • +
+
apiVersion: security.istio.io/v1
+kind: RequestAuthentication
+metadata:
+  name: jwt-on-ingress
+  namespace: istio-system
+spec:
+  selector:
+    matchLabels:
+      app: istio-ingressgateway
+  jwtRules:
+  - issuer: "example.com"
+    jwksUri: https://example.com/.well-known/jwks.json
+---
+apiVersion: security.istio.io/v1
+kind: AuthorizationPolicy
+metadata:
+  name: require-jwt
+  namespace: istio-system
+spec:
+  selector:
+    matchLabels:
+      app: istio-ingressgateway
+  rules:
+  - from:
+    - source:
+        requestPrincipals: ["*"]
+---
+apiVersion: networking.istio.io/v1alpha3
+kind: VirtualService
+metadata:
+  name: route-jwt
+spec:
+  hosts:
+  - foo.prod.svc.cluster.local
+  gateways:
+  - istio-ingressgateway
+  http:
+  - name: "v2"
+    match:
+    - headers:
+        "@request.auth.claims.sub":
+          exact: "dev"
+    route:
+    - destination:
+        host: foo.prod.svc.cluster.local
+        subset: v2
+  - name: "default"
+    route:
+    - destination:
+        host: foo.prod.svc.cluster.local
+        subset: v1
+
+ + + + + + + + + + + + + + + + + + + + + + + + +
FieldTypeDescriptionRequired
selectorWorkloadSelector +

Optional. The selector decides where to apply the request authentication policy. The selector will match with workloads +in the same namespace as the request authentication policy. If the request authentication policy is in the root namespace, +the selector will additionally match with workloads in all namespaces.

+

If not set, the selector will match all workloads.

+ +
+No +
jwtRulesJWTRule[] +

Define the list of JWTs that can be validated at the selected workloads’ proxy. A valid token +will be used to extract the authenticated identity. +Each rule will be activated only when a token is presented at the location recognized by the +rule. The token will be validated based on the JWT rule config. If validation fails, the request will +be rejected. +Note: Requests with multiple tokens (at different locations) are not supported, the output principal of +such requests is undefined.

+ +
+No +
+
diff --git a/vendor/istio.io/api/security/v1/request_authentication.proto b/vendor/istio.io/api/security/v1/request_authentication.proto
new file mode 100644
index 000000000..cf34e9365
--- /dev/null
+++ b/vendor/istio.io/api/security/v1/request_authentication.proto
@@ -0,0 +1,262 @@
+// Copyright 2019 Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+syntax = "proto3";
+
+import "security/v1/jwt.proto";
+import "type/v1beta1/selector.proto";
+
+// $schema: istio.security.v1.RequestAuthentication
+// $title: RequestAuthentication
+// $description: Request authentication configuration for workloads.
+// $location: https://istio.io/docs/reference/config/security/request_authentication.html
+// $aliases: [/docs/reference/config/security/v1/request_authentication]
+
+package istio.security.v1;
+
+option go_package="istio.io/api/security/v1";
+
+// RequestAuthentication defines what request authentication methods are supported by a workload.
+// It will reject a request if the request contains invalid authentication information, based on the
+// configured authentication rules. A request that does not contain any authentication credentials
+// will be accepted but will not have any authenticated identity. To restrict access to authenticated
+// requests only, this should be accompanied by an authorization rule.
+// Examples:
+//
+// - Require JWT for all request for workloads that have label `app:httpbin`
+//
+// ```yaml
+// apiVersion: security.istio.io/v1
+// kind: RequestAuthentication
+// metadata:
+// name: httpbin
+// namespace: foo
+// spec:
+// selector:
+// matchLabels:
+// app: httpbin
+// jwtRules:
+// - issuer: "issuer-foo"
+// jwksUri: https://example.com/.well-known/jwks.json
+// ---
+// apiVersion: security.istio.io/v1
+// kind: AuthorizationPolicy
+// metadata:
+// name: httpbin
+// namespace: foo
+// spec:
+// selector:
+// matchLabels:
+// app: httpbin
+// rules:
+// - from:
+// - source:
+// requestPrincipals: ["*"]
+// ```
+//
+// - A policy in the root namespace ("istio-system" by default) applies to workloads in all namespaces
+// in a mesh. The following policy makes all workloads only accept requests that contain a
+// valid JWT token.
+//
+// ```yaml
+// apiVersion: security.istio.io/v1
+// kind: RequestAuthentication
+// metadata:
+// name: req-authn-for-all
+// namespace: istio-system
+// spec:
+// jwtRules:
+// - issuer: "issuer-foo"
+// jwksUri: https://example.com/.well-known/jwks.json
+// ---
+// apiVersion: security.istio.io/v1
+// kind: AuthorizationPolicy
+// metadata:
+// name: require-jwt-for-all
+// namespace: istio-system
+// spec:
+// rules:
+// - from:
+// - source:
+// requestPrincipals: ["*"]
+// ```
+//
+// - The next example shows how to set a different JWT requirement for a different `host`. The `RequestAuthentication`
+// declares it can accept JWTs issued by either `issuer-foo` or `issuer-bar` (the public key set is implicitly
+// set from the OpenID Connect spec).
+//
+// ```yaml
+// apiVersion: security.istio.io/v1
+// kind: RequestAuthentication
+// metadata:
+// name: httpbin
+// namespace: foo
+// spec:
+// selector:
+// matchLabels:
+// app: httpbin
+// jwtRules:
+// - issuer: "issuer-foo"
+// - issuer: "issuer-bar"
+// ---
+// apiVersion: security.istio.io/v1
+// kind: AuthorizationPolicy
+// metadata:
+// name: httpbin
+// namespace: foo
+// spec:
+// selector:
+// matchLabels:
+// app: httpbin
+// rules:
+// - from:
+// - source:
+// requestPrincipals: ["issuer-foo/*"]
+// to:
+// - operation:
+// hosts: ["example.com"]
+// - from:
+// - source:
+// requestPrincipals: ["issuer-bar/*"]
+// to:
+// - operation:
+// hosts: ["another-host.com"]
+// ```
+//
+// - You can fine tune the authorization policy to set different requirement per path. For example,
+// to require JWT on all paths, except /healthz, the same `RequestAuthentication` can be used, but the
+// authorization policy could be:
+//
+// ```yaml
+// apiVersion: security.istio.io/v1
+// kind: AuthorizationPolicy
+// metadata:
+// name: httpbin
+// namespace: foo
+// spec:
+// selector:
+// matchLabels:
+// app: httpbin
+// rules:
+// - from:
+// - source:
+// requestPrincipals: ["*"]
+// - to:
+// - operation:
+// paths: ["/healthz"]
+// ```
+//
+// [Experimental] Routing based on derived [metadata](https://istio.io/latest/docs/reference/config/security/conditions/)
+// is now supported. A prefix '@' is used to denote a match against internal metadata instead of the headers in the request.
+// Currently this feature is only supported for the following metadata:
+//
+// - `request.auth.claims.{claim-name}[.{sub-claim}]*` which are extracted from validated JWT tokens. The claim name
+// currently does not support the `.` character. Examples: `request.auth.claims.sub` and `request.auth.claims.name.givenName`.
+//
+// The use of matches against JWT claim metadata is only supported in Gateways. The following example shows:
+//
+// - RequestAuthentication to decode and validate a JWT. This also makes the `@request.auth.claims` available for use in the VirtualService.
+// - AuthorizationPolicy to check for valid principals in the request. This makes the JWT required for the request.
+// - VirtualService to route the request based on the "sub" claim.
+//
+// ```yaml
+// apiVersion: security.istio.io/v1
+// kind: RequestAuthentication
+// metadata:
+// name: jwt-on-ingress
+// namespace: istio-system
+// spec:
+// selector:
+// matchLabels:
+// app: istio-ingressgateway
+// jwtRules:
+// - issuer: "example.com"
+// jwksUri: https://example.com/.well-known/jwks.json
+// ---
+// apiVersion: security.istio.io/v1
+// kind: AuthorizationPolicy
+// metadata:
+// name: require-jwt
+// namespace: istio-system
+// spec:
+// selector:
+// matchLabels:
+// app: istio-ingressgateway
+// rules:
+// - from:
+// - source:
+// requestPrincipals: ["*"]
+// ---
+// apiVersion: networking.istio.io/v1alpha3
+// kind: VirtualService
+// metadata:
+// name: route-jwt
+// spec:
+// hosts:
+// - foo.prod.svc.cluster.local
+// gateways:
+// - istio-ingressgateway
+// http:
+// - name: "v2"
+// match:
+// - headers:
+// "@request.auth.claims.sub":
+// exact: "dev"
+// route:
+// - destination:
+// host: foo.prod.svc.cluster.local
+// subset: v2
+// - name: "default"
+// route:
+// - destination:
+// host: foo.prod.svc.cluster.local
+// subset: v1
+// ```
+//
+//
+//
+//
+//
+message RequestAuthentication {
+ // Optional. The selector decides where to apply the request authentication policy. The selector will match with workloads
+ // in the same namespace as the request authentication policy. If the request authentication policy is in the root namespace,
+ // the selector will additionally match with workloads in all namespaces.
+ //
+ // If not set, the selector will match all workloads.
+ istio.type.v1beta1.WorkloadSelector selector = 1; + + // Define the list of JWTs that can be validated at the selected workloads' proxy. A valid token + // will be used to extract the authenticated identity. + // Each rule will be activated only when a token is presented at the location recognized by the + // rule. The token will be validated based on the JWT rule config. If validation fails, the request will + // be rejected. + // Note: Requests with multiple tokens (at different locations) are not supported, the output principal of + // such requests is undefined. + repeated JWTRule jwt_rules = 2; +} diff --git a/vendor/istio.io/api/security/v1/request_authentication_deepcopy.gen.go b/vendor/istio.io/api/security/v1/request_authentication_deepcopy.gen.go new file mode 100644 index 000000000..591aa76fb --- /dev/null +++ b/vendor/istio.io/api/security/v1/request_authentication_deepcopy.gen.go @@ -0,0 +1,27 @@ +// Code generated by protoc-gen-deepcopy. DO NOT EDIT. +package v1 + +import ( + proto "google.golang.org/protobuf/proto" +) + +// DeepCopyInto supports using RequestAuthentication within kubernetes types, where deepcopy-gen is used. +func (in *RequestAuthentication) DeepCopyInto(out *RequestAuthentication) { + p := proto.Clone(in).(*RequestAuthentication) + *out = *p +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestAuthentication. Required by controller-gen. +func (in *RequestAuthentication) DeepCopy() *RequestAuthentication { + if in == nil { + return nil + } + out := new(RequestAuthentication) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new RequestAuthentication. Required by controller-gen. +func (in *RequestAuthentication) DeepCopyInterface() interface{} { + return in.DeepCopy() +} 
diff --git a/vendor/istio.io/api/security/v1/request_authentication_json.gen.go b/vendor/istio.io/api/security/v1/request_authentication_json.gen.go new file mode 100644 index 000000000..c1db4c0a7 --- /dev/null +++ b/vendor/istio.io/api/security/v1/request_authentication_json.gen.go @@ -0,0 +1,23 @@ +// Code generated by protoc-gen-jsonshim. DO NOT EDIT. +package v1 + +import ( + bytes "bytes" + jsonpb "github.com/golang/protobuf/jsonpb" +) + +// MarshalJSON is a custom marshaler for RequestAuthentication +func (this *RequestAuthentication) MarshalJSON() ([]byte, error) { + str, err := RequestAuthenticationMarshaler.MarshalToString(this) + return []byte(str), err +} + +// UnmarshalJSON is a custom unmarshaler for RequestAuthentication +func (this *RequestAuthentication) UnmarshalJSON(b []byte) error { + return RequestAuthenticationUnmarshaler.Unmarshal(bytes.NewReader(b), this) +} + +var ( + RequestAuthenticationMarshaler = &jsonpb.Marshaler{} + RequestAuthenticationUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true} +) diff --git a/vendor/istio.io/api/security/v1beta1/authorization_policy.gen.json b/vendor/istio.io/api/security/v1beta1/authorization_policy.gen.json index 266d808b9..3932c6586 100644 --- a/vendor/istio.io/api/security/v1beta1/authorization_policy.gen.json +++ b/vendor/istio.io/api/security/v1beta1/authorization_policy.gen.json @@ -186,7 +186,7 @@ } }, "istio.security.v1beta1.Rule.From": { - "description": "From includes a list or sources.", + "description": "From includes a list of sources.", "type": "object", "properties": { "source": { @@ -195,7 +195,7 @@ } }, "istio.security.v1beta1.Rule.To": { - "description": "To includes a list or operations.", + "description": "To includes a list of operations.", "type": "object", "properties": { "operation": { 
@@ -250,7 +250,7 @@ } }, "ipBlocks": { - "description": "Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. \"1.2.3.4\") and CIDR (e.g. \"1.2.3.0/24\") are supported. This is the same as the `source.ip` attribute.", + "description": "Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. \"203.0.113.4\") and CIDR (e.g. \"203.0.113.0/24\") are supported. This is the same as the `source.ip` attribute.", "type": "array", "items": { "type": "string" @@ -264,7 +264,7 @@ } }, "remoteIpBlocks": { - "description": "Optional. A list of IP blocks, populated from X-Forwarded-For header or proxy protocol. To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig when you install Istio or using an annotation on the ingress gateway. See the documentation here: [Configuring Gateway Network Topology](https://istio.io/latest/docs/ops/configuration/traffic-management/network-topologies/). Single IP (e.g. \"1.2.3.4\") and CIDR (e.g. \"1.2.3.0/24\") are supported. This is the same as the `remote.ip` attribute.", + "description": "Optional. A list of IP blocks, populated from X-Forwarded-For header or proxy protocol. To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig when you install Istio or using an annotation on the ingress gateway. See the documentation here: [Configuring Gateway Network Topology](https://istio.io/latest/docs/ops/configuration/traffic-management/network-topologies/). Single IP (e.g. \"203.0.113.4\") and CIDR (e.g. \"203.0.113.0/24\") are supported. This is the same as the `remote.ip` attribute.", "type": "array", "items": { "type": "string" diff --git a/vendor/istio.io/api/security/v1beta1/authorization_policy.pb.go b/vendor/istio.io/api/security/v1beta1/authorization_policy.pb.go index df33c2cb2..7babd1a16 100644 
--- a/vendor/istio.io/api/security/v1beta1/authorization_policy.pb.go +++ b/vendor/istio.io/api/security/v1beta1/authorization_policy.pb.go @@ -14,7 +14,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.27.1 +// protoc-gen-go v1.30.0 // protoc (unknown) // source: security/v1beta1/authorization_policy.proto @@ -48,20 +48,20 @@ // // Here is an example of Istio Authorization Policy: // -// It sets the `action` to "ALLOW" to create an allow policy. The default action is "ALLOW" +// It sets the `action` to `ALLOW` to create an allow policy. The default action is `ALLOW` // but it is useful to be explicit in the policy. // // It allows requests from: // -// - service account "cluster.local/ns/default/sa/sleep" or -// - namespace "test" +// - service account `cluster.local/ns/default/sa/sleep` or +// - namespace `test` // // to access the workload with: // -// - "GET" method at paths of prefix "/info" or, -// - "POST" method at path "/data". +// - `GET` method at paths of prefix `/info` or, +// - `POST` method at path `/data`. // -// when the request has a valid JWT token issued by "https://accounts.google.com". +// when the request has a valid JWT token issued by `https://accounts.google.com`. // // Any other requests will be denied. // @@ -91,9 +91,9 @@ // values: ["https://accounts.google.com"] // ``` // -// The following is another example that sets `action` to "DENY" to create a deny policy. -// It denies requests from the "dev" namespace to the "POST" method on all workloads -// in the "foo" namespace. +// The following is another example that sets `action` to `DENY` to create a deny policy. +// It denies requests from the `dev` namespace to the `POST` method on all workloads +// in the `foo` namespace. // // ```yaml // apiVersion: security.istio.io/v1beta1 
@@ -112,8 +112,32 @@ // methods: ["POST"] // ``` // -// The following authorization policy sets the `action` to "AUDIT". It will audit any GET requests to the path with the -// prefix "/user/profile". +// The following is another example that sets `action` to `DENY` to create a deny policy. +// It denies all the requests with `POST` method on port `8080` on all workloads +// in the `foo` namespace. +// +// ```yaml +// apiVersion: security.istio.io/v1beta1 +// kind: AuthorizaionPolicy +// metadata: +// name: httpbin +// namespace: foo +// spec: +// action: DENY +// rules: +// - to: +// - operation: +// methods: ["POST"] +// ports: ["8080"] +// ``` +// +// When this rule is applied to TCP traffic, the `method` field (as will all HTTP based attributes) cannot be processed. +// For a `DENY` rule, missing attributes are treated as matches. This means all TCP traffic on port `8080` would be denied in the example above. +// If we were to remove the `ports` match, all TCP traffic would be denied. As a result, it is recommended to always scope `DENY` policies to a specific port, +// especially when using HTTP attributes [Authorization Policy for TCP Ports](https://istio.io/latest/docs/tasks/security/authorization/authz-tcp/). +// +// The following authorization policy sets the `action` to `AUDIT`. It will audit any `GET` requests to the path with the +// prefix `/user/profile`. // // ```yaml // apiVersion: security.istio.io/v1beta1 
@@ -134,16 +158,14 @@ // ``` // // Authorization Policy scope (target) is determined by "metadata/namespace" and -// an optional "selector". +// an optional `selector`. // // - "metadata/namespace" tells which namespace the policy applies. If set to root // namespace, the policy applies to all namespaces in a mesh. -// - workload "selector" can be used to further restrict where a policy applies. +// - workload `selector` can be used to further restrict where a policy applies. // -// For example, -// -// The following authorization policy applies to all workloads in namespace foo. It allows nothing and effectively denies -// all requests to workloads in namespace foo. +// For example, the following authorization policy applies to all workloads in namespace `foo`. It allows nothing and effectively denies +// all requests to workloads in namespace `foo`. // // ```yaml // apiVersion: security.istio.io/v1beta1 @@ -155,7 +177,7 @@ // {} // ``` // -// The following authorization policy allows all requests to workloads in namespace foo. +// The following authorization policy allows all requests to workloads in namespace `foo`. // // ```yaml // apiVersion: security.istio.io/v1beta1 @@ -168,7 +190,7 @@ // - {} // ``` // -// The following authorization policy applies to workloads containing label "app: httpbin" in namespace bar. It allows +// The following authorization policy applies to workloads containing label `app: httpbin` in namespace `bar`. It allows // nothing and effectively denies all requests to the selected workloads. // // ```yaml 
@@ -183,8 +205,8 @@ // app: httpbin // ``` // -// The following authorization policy applies to workloads containing label "version: v1" in all namespaces in the mesh. -// (Assuming the root namespace is configured to "istio-system"). +// The following authorization policy applies to workloads containing label `version: v1` in all namespaces in the mesh. +// (Assuming the root namespace is configured to `istio-system`). // // ```yaml // apiVersion: security.istio.io/v1beta1 @@ -197,6 +219,31 @@ // matchLabels: // version: v1 // ``` +// +// The following example shows you how to set up an authorization policy using an [experimental annotation](https://istio.io/latest/docs/reference/config/annotations/) +// `istio.io/dry-run` to dry-run the policy without actually enforcing it. +// +// The dry-run annotation allows you to better understand the effect of an authorization policy before applying it to the production traffic. +// This helps to reduce the risk of breaking the production traffic caused by an incorrect authorization policy. +// For more information, see [dry-run tasks](https://istio.io/latest/docs/tasks/security/authorization/authz-dry-run/). +// +// ```yaml +// apiVersion: security.istio.io/v1beta1 +// kind: AuthorizationPolicy +// metadata: +// name: dry-run-example +// annotations: +// "istio.io/dry-run": "true" +// spec: +// selector: +// matchLabels: +// app: httpbin +// action: DENY +// rules: +// - to: +// - operation: +// paths: ["/headers"] +// ``` package v1beta1 
@@ -244,19 +291,23 @@ const ( // apiVersion: security.istio.io/v1beta1 // kind: AuthorizationPolicy // metadata: - // name: ext-authz - // namespace: istio-system + // + // name: ext-authz + // namespace: istio-system + // // spec: - // selector: - // matchLabels: - // app: istio-ingressgateway - // action: CUSTOM - // provider: - // name: "my-custom-authz" - // rules: - // - to: - // - operation: - // paths: ["/admin/*"] + // + // selector: + // matchLabels: + // app: istio-ingressgateway + // action: CUSTOM + // provider: + // name: "my-custom-authz" + // rules: + // - to: + // - operation: + // paths: ["/admin/*"] + // // ``` AuthorizationPolicy_CUSTOM AuthorizationPolicy_Action = 3 ) @@ -324,6 +375,9 @@ func (AuthorizationPolicy_Action) EnumDescriptor() ([]byte, []int) { // +genclient // +k8s:deepcopy-gen=true // --> +// type AuthorizationPolicy struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache @@ -343,6 +397,7 @@ type AuthorizationPolicy struct { // Optional. The action to take if the request is matched with the rules. Default is ALLOW if not specified. Action AuthorizationPolicy_Action `protobuf:"varint,3,opt,name=action,proto3,enum=istio.security.v1beta1.AuthorizationPolicy_Action" json:"action,omitempty"` // Types that are assignable to ActionDetail: + // // *AuthorizationPolicy_Provider ActionDetail isAuthorizationPolicy_ActionDetail `protobuf_oneof:"action_detail"` } @@ -511,12 +566,12 @@ func (x *Rule) GetWhen() []*Condition { // ANDed together. // // For example, the following source matches if the principal is "admin" or "dev" -// and the namespace is "prod" or "test" and the ip is not "1.2.3.4". +// and the namespace is "prod" or "test" and the ip is not "203.0.113.4". // // ```yaml // principals: ["admin", "dev"] // namespaces: ["prod", "test"] -// notIpBlocks: ["1.2.3.4"] +// notIpBlocks: ["203.0.113.4"] // ``` type Source struct { state protoimpl.MessageState 
@@ -546,8 +601,8 @@ type Source struct { Namespaces []string `protobuf:"bytes,3,rep,name=namespaces,proto3" json:"namespaces,omitempty"` // Optional. A list of negative match of namespaces. NotNamespaces []string `protobuf:"bytes,7,rep,name=not_namespaces,json=notNamespaces,proto3" json:"not_namespaces,omitempty"` - // Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. "1.2.3.4") and - // CIDR (e.g. "1.2.3.0/24") are supported. This is the same as the `source.ip` attribute. + // Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. "203.0.113.4") and + // CIDR (e.g. "203.0.113.0/24") are supported. This is the same as the `source.ip` attribute. // // If not set, any IP is allowed. IpBlocks []string `protobuf:"bytes,4,rep,name=ip_blocks,json=ipBlocks,proto3" json:"ip_blocks,omitempty"` @@ -557,7 +612,7 @@ type Source struct { // To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig // when you install Istio or using an annotation on the ingress gateway. See the documentation here: // [Configuring Gateway Network Topology](https://istio.io/latest/docs/ops/configuration/traffic-management/network-topologies/). - // Single IP (e.g. "1.2.3.4") and CIDR (e.g. "1.2.3.0/24") are supported. + // Single IP (e.g. "203.0.113.4") and CIDR (e.g. "203.0.113.0/24") are supported. // This is the same as the `remote.ip` attribute. // // If not set, any IP is allowed. @@ -922,7 +977,7 @@ func (x *AuthorizationPolicy_ExtensionProvider) GetName() string { return "" } -// From includes a list or sources. +// From includes a list of sources. type Rule_From struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache 
@@ -971,7 +1026,7 @@ func (x *Rule_From) GetSource() *Source { return nil } -// To includes a list or operations. +// To includes a list of operations. type Rule_To struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache 
@@ -1116,15 +1171,15 @@ var file_security_v1beta1_authorization_policy_proto_rawDesc = []byte{ 0x64, 0x73, 0x12, 0x14, 0x0a, 0x05, 0x70, 0x61, 0x74, 0x68, 0x73, 0x18, 0x04, 0x20, 0x03, 0x28, 0x09, 0x52, 0x05, 0x70, 0x61, 0x74, 0x68, 0x73, 0x12, 0x1b, 0x0a, 0x09, 0x6e, 0x6f, 0x74, 0x5f, 0x70, 0x61, 0x74, 0x68, 0x73, 0x18, 0x08, 0x20, 0x03, 0x28, 0x09, 0x52, 0x08, 0x6e, 0x6f, 0x74, - 0x50, 0x61, 0x74, 0x68, 0x73, 0x22, 0x5a, 0x0a, 0x09, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, - 0x6f, 0x6e, 0x12, 0x16, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, - 0x04, 0xe2, 0x41, 0x01, 0x02, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x16, 0x0a, 0x06, 0x76, 0x61, - 0x6c, 0x75, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x76, 0x61, 0x6c, 0x75, - 0x65, 0x73, 0x12, 0x1d, 0x0a, 0x0a, 0x6e, 0x6f, 0x74, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, - 0x18, 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x6f, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, - 0x73, 0x42, 0x1f, 0x5a, 0x1d, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, - 0x69, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, - 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x50, 0x61, 0x74, 0x68, 0x73, 0x22, 0x59, 0x0a, 0x09, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, + 0x6f, 0x6e, 0x12, 0x15, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, + 0x03, 0xe0, 0x41, 0x02, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x16, 0x0a, 0x06, 0x76, 0x61, 0x6c, + 0x75, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x76, 0x61, 0x6c, 0x75, 0x65, + 0x73, 0x12, 0x1d, 0x0a, 0x0a, 0x6e, 0x6f, 0x74, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x73, 0x18, + 0x03, 0x20, 0x03, 0x28, 0x09, 0x52, 0x09, 0x6e, 0x6f, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x73, + 0x42, 0x1f, 0x5a, 0x1d, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, + 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x62, 
0x65, 0x74, 0x61, + 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/vendor/istio.io/api/security/v1beta1/authorization_policy.pb.html b/vendor/istio.io/api/security/v1beta1/authorization_policy.pb.html index e7e76b421..9595fe409 100644 --- a/vendor/istio.io/api/security/v1beta1/authorization_policy.pb.html +++ b/vendor/istio.io/api/security/v1beta1/authorization_policy.pb.html @@ -10,11 +10,9 @@ number_of_entries: 9 ---

Istio Authorization Policy enables access control on workloads in the mesh.

-

Authorization policy supports CUSTOM, DENY and ALLOW actions for access control. When CUSTOM, DENY and ALLOW actions are used for a workload at the same time, the CUSTOM action is evaluated first, then the DENY action, and finally the ALLOW action. The evaluation is determined by the following rules:

-
  1. If there are any CUSTOM policies that match the request, evaluate and deny the request if the evaluation result is deny.
  2. If there are any DENY policies that match the request, deny the request.
  3. @@ -22,39 +20,28 @@
  4. If any of the ALLOW policies match the request, allow the request.
  5. Deny the request.
-

Istio Authorization Policy also supports the AUDIT action to decide whether to log requests. AUDIT policies do not affect whether requests are allowed or denied to the workload. Requests will be allowed or denied based solely on CUSTOM, DENY and ALLOW actions.

-

A request will be internally marked that it should be audited if there is an AUDIT policy on the workload that matches the request. A separate plugin must be configured and enabled to actually fulfill the audit decision and complete the audit behavior. The request will not be audited if there are no such supporting plugins enabled. Currently, the only supported plugin is the Stackdriver plugin.

-

Here is an example of Istio Authorization Policy:

- -

It sets the action to “ALLOW” to create an allow policy. The default action is “ALLOW” +

It sets the action to ALLOW to create an allow policy. The default action is ALLOW but it is useful to be explicit in the policy.

-

It allows requests from:

-
    -
  • service account “cluster.local/ns/default/sa/sleep” or
  • -
  • namespace “test”
  • +
  • service account cluster.local/ns/default/sa/sleep or
  • +
  • namespace test
-

to access the workload with:

-
    -
  • “GET” method at paths of prefix “/info” or,
  • -
  • “POST” method at path “/data”.
  • +
  • GET method at paths of prefix /info or,
  • +
  • POST method at path /data.
- -

when the request has a valid JWT token issued by “https://accounts.google.com”.

- +

when the request has a valid JWT token issued by https://accounts.google.com.

Any other requests will be denied.

-
apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
@@ -79,11 +66,9 @@
     - key: request.auth.claims[iss]
       values: ["https://accounts.google.com"]
 
- -

The following is another example that sets action to “DENY” to create a deny policy. -It denies requests from the “dev” namespace to the “POST” method on all workloads -in the “foo” namespace.

- +

The following is another example that sets action to DENY to create a deny policy. +It denies requests from the dev namespace to the POST method on all workloads +in the foo namespace.

apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
@@ -99,10 +84,28 @@
     - operation:
         methods: ["POST"]
 
- -

The following authorization policy sets the action to “AUDIT”. It will audit any GET requests to the path with the -prefix “/user/profile”.

- +

The following is another example that sets action to DENY to create a deny policy. +It denies all the requests with POST method on port 8080 on all workloads +in the foo namespace.

+
apiVersion: security.istio.io/v1beta1
+kind: AuthorizaionPolicy
+metadata:
+  name: httpbin
+  namespace: foo
+spec:
+  action: DENY
+  rules:
+  - to:
+    - operation:
+        methods: ["POST"]
+        ports: ["8080"]
+
+

When this rule is applied to TCP traffic, the method field (as will all HTTP based attributes) cannot be processed. +For a DENY rule, missing attributes are treated as matches. This means all TCP traffic on port 8080 would be denied in the example above. +If we were to remove the ports match, all TCP traffic would be denied. As a result, it is recommended to always scope DENY policies to a specific port, +especially when using HTTP attributes Authorization Policy for TCP Ports.

+

The following authorization policy sets the action to AUDIT. It will audit any GET requests to the path with the +prefix /user/profile.

apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
@@ -119,21 +122,15 @@
         methods: ["GET"]
         paths: ["/user/profile/*"]
 
-

Authorization Policy scope (target) is determined by “metadata/namespace” and -an optional “selector”.

- +an optional selector.

  • “metadata/namespace” tells which namespace the policy applies. If set to root namespace, the policy applies to all namespaces in a mesh.
  • -
  • workload “selector” can be used to further restrict where a policy applies.
  • +
  • workload selector can be used to further restrict where a policy applies.
- -

For example,

- -

The following authorization policy applies to all workloads in namespace foo. It allows nothing and effectively denies -all requests to workloads in namespace foo.

- +

For example, the following authorization policy applies to all workloads in namespace foo. It allows nothing and effectively denies +all requests to workloads in namespace foo.

apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
@@ -142,9 +139,7 @@
 spec:
   {}
 
- -

The following authorization policy allows all requests to workloads in namespace foo.

- +

The following authorization policy allows all requests to workloads in namespace foo.

apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
@@ -154,10 +149,8 @@
  rules:
  - {}
 
- -

The following authorization policy applies to workloads containing label “app: httpbin” in namespace bar. It allows +

The following authorization policy applies to workloads containing label app: httpbin in namespace bar. It allows nothing and effectively denies all requests to the selected workloads.

-
apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
@@ -168,10 +161,8 @@
     matchLabels:
       app: httpbin
 
- -

The following authorization policy applies to workloads containing label “version: v1” in all namespaces in the mesh. -(Assuming the root namespace is configured to “istio-system”).

- +

The following authorization policy applies to workloads containing label version: v1 in all namespaces in the mesh. +(Assuming the root namespace is configured to istio-system).

apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
@@ -182,6 +173,27 @@
    matchLabels:
      version: v1
 
+

The following example shows you how to set up an authorization policy using an experimental annotation +istio.io/dry-run to dry-run the policy without actually enforcing it.

+

The dry-run annotation allows you to better understand the effect of an authorization policy before applying it to the production traffic. +This helps to reduce the risk of breaking the production traffic caused by an incorrect authorization policy. +For more information, see dry-run tasks.

+
apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
+metadata:
+  name: dry-run-example
+  annotations:
+    "istio.io/dry-run": "true"
+spec:
+  selector:
+    matchLabels:
+      app: httpbin
+  action: DENY
+  rules:
+  - to:
+    - operation:
+        paths: ["/headers"]
+

AuthorizationPolicy

@@ -204,7 +216,6 @@

AuthorizationPolicy

Optional. The selector decides where to apply the authorization policy. The selector will match with workloads in the same namespace as the authorization policy. If the authorization policy is in the root namespace, the selector will additionally match with workloads in all namespaces.

-

If not set, the selector will match all workloads.

@@ -217,7 +228,6 @@

AuthorizationPolicy

Rule[]

Optional. A list of rules to match the request. A match occurs when at least one rule matches the request.

-

If not set, the match will never occur. This is equivalent to setting a default of deny for the target workloads if the action is ALLOW.

@@ -256,9 +266,7 @@

Rule

Rule matches requests from a list of sources that perform a list of operations subject to a list of conditions. A match occurs when at least one source, one operation and all conditions matches the request. An empty rule is always matched.

-

Any string field in the rule supports Exact, Prefix, Suffix and Presence match:

-
  • Exact match: “abc” will match on value “abc”.
  • Prefix match: “abc*” will match on value “abc” and “abcd”.
  • @@ -281,7 +289,6 @@

    Rule

    From[]

    Optional. from specifies the source of a request.

    -

    If not set, any source is allowed.

    @@ -294,7 +301,6 @@

    Rule

    To[]

    Optional. to specifies the operation of a request.

    -

    If not set, any operation is allowed.

    @@ -307,7 +313,6 @@

    Rule

    Condition[]

    Optional. when specifies a list of additional conditions of a request.

    -

    If not set, any condition is allowed.

    @@ -322,13 +327,11 @@

    Source

    Source specifies the source identities of a request. Fields in the source are ANDed together.

    -

    For example, the following source matches if the principal is “admin” or “dev” -and the namespace is “prod” or “test” and the ip is not “1.2.3.4”.

    - +and the namespace is “prod” or “test” and the ip is not “203.0.113.4”.

    principals: ["admin", "dev"]
     namespaces: ["prod", "test"]
    -notIpBlocks: ["1.2.3.4"]
    +notIpBlocks: ["203.0.113.4"]
     
    @@ -348,7 +351,6 @@

    Source

    Optional. A list of peer identities derived from the peer certificate. The peer identity is in the format of "<TRUST_DOMAIN>/ns/<NAMESPACE>/sa/<SERVICE_ACCOUNT>", for example, "cluster.local/ns/default/sa/productpage". This field requires mTLS enabled and is the same as the source.principal attribute.

    -

    If not set, any principal is allowed.

    @@ -374,7 +376,6 @@

    Source

    Optional. A list of request identities derived from the JWT. The request identity is in the format of "<ISS>/<SUB>", for example, "example.com/sub-1". This field requires request authentication enabled and is the same as the request.auth.principal attribute.

    -

    If not set, any request principal is allowed.

    @@ -399,7 +400,6 @@

    Source

    @@ -422,9 +422,8 @@

    Source

    @@ -451,9 +450,8 @@

    Source

    To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig when you install Istio or using an annotation on the ingress gateway. See the documentation here: Configuring Gateway Network Topology. -Single IP (e.g. “1.2.3.4”) and CIDR (e.g. “1.2.3.0/24”) are supported. +Single IP (e.g. “203.0.113.4”) and CIDR (e.g. “203.0.113.0/24”) are supported. This is the same as the remote.ip attribute.

    -

    If not set, any IP is allowed.

    @@ -479,10 +477,8 @@

    Operation

    Operation specifies the operations of a request. Fields in the operation are ANDed together.

    -

    For example, the following operation matches if the host has suffix “.example.com” and the method is “GET” or “HEAD” and the path doesn’t have prefix “/admin”.

    -
    hosts: ["*.example.com"]
     methods: ["GET", "HEAD"]
     notPaths: ["/admin*"]
    @@ -505,7 +501,6 @@ 

    Operation

    Optional. A list of hosts as specified in the HTTP request. The match is case-insensitive. See the security best practices for recommended usage of this field.

    -

    If not set, any host is allowed. Must be used only with HTTP.

    @@ -529,7 +524,6 @@

    Operation

    @@ -554,7 +548,6 @@

    Operation

    @@ -580,7 +573,6 @@

    Operation

    Optional. A list of paths as specified in the HTTP request. See the Authorization Policy Normalization for details of the path normalization. For gRPC service, this will be the fully-qualified name in the form of “/package.service/method”.

    -

    If not set, any path is allowed. Must be used only with HTTP.

    @@ -684,7 +676,7 @@

    AuthorizationPolicy.ExtensionProv

    Rule.From

    -

    From includes a list or sources.

    +

    From includes a list of sources.

    Optional. A list of namespaces derived from the peer certificate. This field requires mTLS enabled and is the same as the source.namespace attribute.

    -

    If not set, any namespace is allowed.

    ipBlocks string[] -

    Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. “1.2.3.4”) and -CIDR (e.g. “1.2.3.0/24”) are supported. This is the same as the source.ip attribute.

    - +

    Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. “203.0.113.4”) and +CIDR (e.g. “203.0.113.0/24”) are supported. This is the same as the source.ip attribute.

    If not set, any IP is allowed.

    string[]

    Optional. A list of ports as specified in the connection.

    -

    If not set, any port is allowed.

    Optional. A list of methods as specified in the HTTP request. For gRPC service, this will always be “POST”.

    -

    If not set, any method is allowed. Must be used only with HTTP.

    @@ -712,7 +704,7 @@

    Rule.From

    Rule.To

    -

    To includes a list or operations.

    +

    To includes a list of operations.

    @@ -782,28 +774,25 @@

    AuthorizationPolicy.Action

    the extension by specifying the name of the provider. One example use case of the extension is to integrate with a custom external authorization system to delegate the authorization decision to it.

    -

    Note: The CUSTOM action is currently an alpha feature and is subject to breaking changes in later versions.

    -

    The following authorization policy applies to an ingress gateway and delegates the authorization check to a named extension “my-custom-authz” if the request path has prefix “/admin/”.

    -
    apiVersion: security.istio.io/v1beta1
     kind: AuthorizationPolicy
     metadata:
    - name: ext-authz
    - namespace: istio-system
    +  name: ext-authz
    +  namespace: istio-system
     spec:
    - selector:
    -   matchLabels:
    -     app: istio-ingressgateway
    - action: CUSTOM
    - provider:
    -   name: "my-custom-authz"
    - rules:
    - - to:
    -   - operation:
    -       paths: ["/admin/*"]
    +  selector:
    +    matchLabels:
    +      app: istio-ingressgateway
    +  action: CUSTOM
    +  provider:
    +    name: "my-custom-authz"
    +  rules:
    +  - to:
    +    - operation:
    +        paths: ["/admin/*"]
     
    diff --git a/vendor/istio.io/api/security/v1beta1/authorization_policy.proto b/vendor/istio.io/api/security/v1beta1/authorization_policy.proto index a90d715c7..993eae8c2 100644 --- a/vendor/istio.io/api/security/v1beta1/authorization_policy.proto +++ b/vendor/istio.io/api/security/v1beta1/authorization_policy.proto @@ -46,20 +46,20 @@ import "type/v1beta1/selector.proto"; // // Here is an example of Istio Authorization Policy: // -// It sets the `action` to "ALLOW" to create an allow policy. The default action is "ALLOW" +// It sets the `action` to `ALLOW` to create an allow policy. The default action is `ALLOW` // but it is useful to be explicit in the policy. // // It allows requests from: // -// - service account "cluster.local/ns/default/sa/sleep" or -// - namespace "test" +// - service account `cluster.local/ns/default/sa/sleep` or +// - namespace `test` // // to access the workload with: // -// - "GET" method at paths of prefix "/info" or, -// - "POST" method at path "/data". +// - `GET` method at paths of prefix `/info` or, +// - `POST` method at path `/data`. // -// when the request has a valid JWT token issued by "https://accounts.google.com". +// when the request has a valid JWT token issued by `https://accounts.google.com`. // // Any other requests will be denied. // @@ -89,9 +89,9 @@ import "type/v1beta1/selector.proto"; // values: ["https://accounts.google.com"] // ``` // -// The following is another example that sets `action` to "DENY" to create a deny policy. -// It denies requests from the "dev" namespace to the "POST" method on all workloads -// in the "foo" namespace. +// The following is another example that sets `action` to `DENY` to create a deny policy. +// It denies requests from the `dev` namespace to the `POST` method on all workloads +// in the `foo` namespace. // // ```yaml // apiVersion: security.istio.io/v1beta1 
@@ -110,8 +110,32 @@ import "type/v1beta1/selector.proto";
 // methods: ["POST"]
 // ```
 //
-// The following authorization policy sets the `action` to "AUDIT". It will audit any GET requests to the path with the
-// prefix "/user/profile".
+// The following is another example that sets `action` to `DENY` to create a deny policy.
+// It denies all the requests with `POST` method on port `8080` on all workloads
+// in the `foo` namespace.
+//
+// ```yaml
+// apiVersion: security.istio.io/v1beta1
+// kind: AuthorizaionPolicy
+// metadata:
+// name: httpbin
+// namespace: foo
+// spec:
+// action: DENY
+// rules:
+// - to:
+// - operation:
+// methods: ["POST"]
+// ports: ["8080"]
+// ```
+//
+// When this rule is applied to TCP traffic, the `method` field (as will all HTTP based attributes) cannot be processed.
+// For a `DENY` rule, missing attributes are treated as matches. This means all TCP traffic on port `8080` would be denied in the example above.
+// If we were to remove the `ports` match, all TCP traffic would be denied. As a result, it is recommended to always scope `DENY` policies to a specific port,
+// especially when using HTTP attributes [Authorization Policy for TCP Ports](https://istio.io/latest/docs/tasks/security/authorization/authz-tcp/).
+//
+// The following authorization policy sets the `action` to `AUDIT`. It will audit any `GET` requests to the path with the
+// prefix `/user/profile`.
 //
 // ```yaml
 // apiVersion: security.istio.io/v1beta1
@@ -132,16 +156,14 @@ import "type/v1beta1/selector.proto";
 // ```
 //
 // Authorization Policy scope (target) is determined by "metadata/namespace" and
-// an optional "selector".
+// an optional `selector`.
 //
 // - "metadata/namespace" tells which namespace the policy applies. If set to root
 // namespace, the policy applies to all namespaces in a mesh.
-// - workload "selector" can be used to further restrict where a policy applies.
+// - workload `selector` can be used to further restrict where a policy applies.
 //
-// For example,
-//
-// The following authorization policy applies to all workloads in namespace foo. It allows nothing and effectively denies
-// all requests to workloads in namespace foo.
+// For example, the following authorization policy applies to all workloads in namespace `foo`. It allows nothing and effectively denies
+// all requests to workloads in namespace `foo`.
 //
 // ```yaml
 // apiVersion: security.istio.io/v1beta1
@@ -153,7 +175,7 @@ import "type/v1beta1/selector.proto";
 // {}
 // ```
 //
-// The following authorization policy allows all requests to workloads in namespace foo.
+// The following authorization policy allows all requests to workloads in namespace `foo`.
 //
 // ```yaml
 // apiVersion: security.istio.io/v1beta1
@@ -166,7 +188,7 @@ import "type/v1beta1/selector.proto";
 // - {}
 // ```
 //
-// The following authorization policy applies to workloads containing label "app: httpbin" in namespace bar. It allows
+// The following authorization policy applies to workloads containing label `app: httpbin` in namespace `bar`. It allows
 // nothing and effectively denies all requests to the selected workloads.
 //
 // ```yaml
@@ -181,8 +203,8 @@ import "type/v1beta1/selector.proto";
 // app: httpbin
 // ```
 //
-// The following authorization policy applies to workloads containing label "version: v1" in all namespaces in the mesh.
-// (Assuming the root namespace is configured to "istio-system").
+// The following authorization policy applies to workloads containing label `version: v1` in all namespaces in the mesh.
+// (Assuming the root namespace is configured to `istio-system`).
 //
 // ```yaml
 // apiVersion: security.istio.io/v1beta1
@@ -195,6 +217,31 @@ import "type/v1beta1/selector.proto";
 // matchLabels:
 // version: v1
 // ```
+//
+// The following example shows you how to set up an authorization policy using an [experimental annotation](https://istio.io/latest/docs/reference/config/annotations/)
+// `istio.io/dry-run` to dry-run the policy without actually enforcing it.
+//
+// The dry-run annotation allows you to better understand the effect of an authorization policy before applying it to the production traffic.
+// This helps to reduce the risk of breaking the production traffic caused by an incorrect authorization policy.
+// For more information, see [dry-run tasks](https://istio.io/latest/docs/tasks/security/authorization/authz-dry-run/).
+//
+// ```yaml
+// apiVersion: security.istio.io/v1beta1
+// kind: AuthorizationPolicy
+// metadata:
+// name: dry-run-example
+// annotations:
+// "istio.io/dry-run": "true"
+// spec:
+// selector:
+// matchLabels:
+// app: httpbin
+// action: DENY
+// rules:
+// - to:
+// - operation:
+// paths: ["/headers"]
+// ```
 
 package istio.security.v1beta1;
 option go_package="istio.io/api/security/v1beta1";
@@ -219,6 +266,9 @@ option go_package="istio.io/api/security/v1beta1";
 // +genclient
 // +k8s:deepcopy-gen=true
 // -->
+//
 message AuthorizationPolicy {
 // Optional. The selector decides where to apply the authorization policy. The selector will match with workloads
 // in the same namespace as the authorization policy. If the authorization policy is in the root namespace, the selector
@@ -266,19 +316,19 @@ message AuthorizationPolicy {
 // apiVersion: security.istio.io/v1beta1
 // kind: AuthorizationPolicy
 // metadata:
- // name: ext-authz
- // namespace: istio-system
+ // name: ext-authz
+ // namespace: istio-system
 // spec:
- // selector:
- // matchLabels:
- // app: istio-ingressgateway
- // action: CUSTOM
- // provider:
- // name: "my-custom-authz"
- // rules:
- // - to:
- // - operation:
- // paths: ["/admin/*"]
+ // selector:
+ // matchLabels:
+ // app: istio-ingressgateway
+ // action: CUSTOM
+ // provider:
+ // name: "my-custom-authz"
+ // rules:
+ // - to:
+ // - operation:
+ // paths: ["/admin/*"]
 // ```
 CUSTOM = 3;
 }
@@ -309,7 +359,7 @@ message AuthorizationPolicy {
 // - Suffix match: "*abc" will match on value "abc" and "xabc".
 // - Presence match: "*" will match when value is not empty.
 message Rule {
- // From includes a list or sources.
+ // From includes a list of sources.
 message From {
 // Source specifies the source of a request.
 Source source = 1;
@@ -320,7 +370,7 @@ message Rule {
 // If not set, any source is allowed.
 repeated From from = 1;
 
- // To includes a list or operations.
+ // To includes a list of operations.
 message To {
 // Operation specifies the operation of a request.
 Operation operation = 1;
@@ -341,12 +391,12 @@ message Rule {
 // ANDed together.
 //
 // For example, the following source matches if the principal is "admin" or "dev"
-// and the namespace is "prod" or "test" and the ip is not "1.2.3.4".
+// and the namespace is "prod" or "test" and the ip is not "203.0.113.4".
 //
 // ```yaml
 // principals: ["admin", "dev"]
 // namespaces: ["prod", "test"]
-// notIpBlocks: ["1.2.3.4"]
+// notIpBlocks: ["203.0.113.4"]
 // ```
 message Source {
 // Optional. A list of peer identities derived from the peer certificate. The peer identity is in the format of
@@ -378,8 +428,8 @@ message Source {
 // Optional. A list of negative match of namespaces.
 repeated string not_namespaces = 7;
 
- // Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. "1.2.3.4") and
- // CIDR (e.g. "1.2.3.0/24") are supported. This is the same as the `source.ip` attribute.
+ // Optional. A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. "203.0.113.4") and
+ // CIDR (e.g. "203.0.113.0/24") are supported. This is the same as the `source.ip` attribute.
 //
 // If not set, any IP is allowed.
 repeated string ip_blocks = 4;
@@ -388,10 +438,10 @@ message Source {
 repeated string not_ip_blocks = 8;
 
 // Optional. A list of IP blocks, populated from X-Forwarded-For header or proxy protocol.
- // To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig
+ // To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig
 // when you install Istio or using an annotation on the ingress gateway. See the documentation here:
 // [Configuring Gateway Network Topology](https://istio.io/latest/docs/ops/configuration/traffic-management/network-topologies/).
- // Single IP (e.g. "1.2.3.4") and CIDR (e.g. "1.2.3.0/24") are supported.
+ // Single IP (e.g. "203.0.113.4") and CIDR (e.g. "203.0.113.0/24") are supported.
 // This is the same as the `remote.ip` attribute.
 //
 // If not set, any IP is allowed.
diff --git a/vendor/istio.io/api/security/v1beta1/authorization_policy_deepcopy.gen.go b/vendor/istio.io/api/security/v1beta1/authorization_policy_deepcopy.gen.go
index 4df03f74a..7be28bc1f 100644
--- a/vendor/istio.io/api/security/v1beta1/authorization_policy_deepcopy.gen.go
+++ b/vendor/istio.io/api/security/v1beta1/authorization_policy_deepcopy.gen.go
@@ -2,7 +2,7 @@ package v1beta1 import ( - proto "github.com/golang/protobuf/proto" + proto "google.golang.org/protobuf/proto" ) // DeepCopyInto supports using AuthorizationPolicy within kubernetes types, where deepcopy-gen is used.
diff --git a/vendor/istio.io/api/security/v1beta1/jwt.gen.json b/vendor/istio.io/api/security/v1beta1/jwt.gen.json
index a7fbbc746..92cf1f8ba 100644
--- a/vendor/istio.io/api/security/v1beta1/jwt.gen.json
+++ b/vendor/istio.io/api/security/v1beta1/jwt.gen.json
@@ -6,6 +6,20 @@ }, "components": { "schemas": { + "istio.security.v1beta1.ClaimToHeader": { + "description": "This message specifies the detail for copying claim to header.", + "type": "object", + "properties": { + "header": { + "description": "The name of the header to be created. The header will be overridden if it already exists in the request.", + "type": "string" + }, + "claim": { + "description": "The name of the claim to be copied from. Only claim of type string/int/bool is supported. The header will not be there if the claim does not exist or the type of the claim is not supported.", + "type": "string" + } + } + }, "istio.security.v1beta1.JWTHeader": { "description": "This message specifies a header location to extract JWT token.", "type": "object", 
@@ -15,13 +29,13 @@ "type": "string" }, "prefix": { - "description": "The prefix that should be stripped before decoding the token. For example, for \"Authorization: Bearer \u003ctoken\u003e\", prefix=\"Bearer \" with a space at the end. If the header doesn't have this exact prefix, it is considered invalid.", + "description": "The prefix that should be stripped before decoding the token. For example, for `Authorization: Bearer \u003ctoken\u003e`, prefix=`Bearer` with a space at the end. If the header doesn't have this exact prefix, it is considered invalid.", "type": "string" } } }, "istio.security.v1beta1.JWTRule": { - "description": "JSON Web Token (JWT) token format for authentication as defined by [RFC 7519](https://tools.ietf.org/html/rfc7519). See [OAuth 2.0](https://tools.ietf.org/html/rfc6749) and [OIDC 1.0](http://openid.net/connect) for how this is used in the whole authentication flow.", + "description": "\u003c!-- istio code generation tags +istio.io/sync-start --\u003e JSON Web Token (JWT) token format for authentication as defined by [RFC 7519](https://tools.ietf.org/html/rfc7519). See [OAuth 2.0](https://tools.ietf.org/html/rfc6749) and [OIDC 1.0](http://openid.net/connect) for how this is used in the whole authentication flow.", "type": "object", "properties": { "issuer": { @@ -29,7 +43,7 @@ "type": "string" }, "audiences": { - "description": "The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3). that are allowed to access. A JWT containing any of these audiences will be accepted.", + "description": "The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are allowed to access. A JWT containing any of these audiences will be accepted.", "type": "array", "items": { "type": "string" 
@@ -44,14 +58,14 @@ "type": "string" }, "fromHeaders": { - "description": "List of header locations from which JWT is expected. For example, below is the location spec if JWT is expected to be found in `x-jwt-assertion` header, and have \"Bearer \" prefix: ```yaml fromHeaders: - name: x-jwt-assertion prefix: \"Bearer \" ```", + "description": "List of header locations from which JWT is expected. For example, below is the location spec if JWT is expected to be found in `x-jwt-assertion` header, and have `Bearer` prefix: ```yaml fromHeaders: - name: x-jwt-assertion prefix: \"Bearer \" ```", "type": "array", "items": { "$ref": "#/components/schemas/istio.security.v1beta1.JWTHeader" } }, "fromParams": { - "description": "List of query parameters from which JWT is expected. For example, if JWT is provided via query parameter `my_token` (e.g /path?my_token=\u003cJWT\u003e), the config is: ```yaml fromParams: - \"my_token\" ```", + "description": "List of query parameters from which JWT is expected. For example, if JWT is provided via query parameter `my_token` (e.g `/path?my_token=\u003cJWT\u003e`), the config is: ```yaml fromParams: - \"my_token\" ```", "type": "array", "items": { "type": "string" 
@@ -64,6 +78,13 @@ "forwardOriginalToken": { "description": "If set to true, the original token will be kept for the upstream request. Default is false.", "type": "boolean" + }, + "outputClaimToHeaders": { + "description": "This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. This differs from the `output_payload_to_header` by allowing outputting individual claims instead of the whole payload. The header specified in each operation in the list must be unique. Nested claims of type string/int/bool is supported as well. ``` outputClaimToHeaders: - header: x-my-company-jwt-group claim: my-group - header: x-test-environment-flag claim: test-flag - header: x-jwt-claim-group claim: nested.key.group ``` [Experimental] This feature is a experimental feature.", + "type": "array", + "items": { + "$ref": "#/components/schemas/istio.security.v1beta1.ClaimToHeader" + } } } } diff --git a/vendor/istio.io/api/security/v1beta1/jwt.pb.go b/vendor/istio.io/api/security/v1beta1/jwt.pb.go index 3d83414c2..5c23ac4c2 100644 --- a/vendor/istio.io/api/security/v1beta1/jwt.pb.go +++ b/vendor/istio.io/api/security/v1beta1/jwt.pb.go @@ -14,7 +14,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.27.1 +// protoc-gen-go v1.30.0 // protoc (unknown) // source: security/v1beta1/jwt.proto @@ -41,6 +41,9 @@ const ( _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) ) +// // JSON Web Token (JWT) token format for authentication as defined by // [RFC 7519](https://tools.ietf.org/html/rfc7519). See [OAuth 2.0](https://tools.ietf.org/html/rfc6749) and // [OIDC 1.0](http://openid.net/connect) for how this is used in the whole 
@@ -56,8 +59,9 @@ const ( // ```yaml // issuer: https://example.com // audiences: -// - bookstore_android.apps.example.com -// bookstore_web.apps.example.com +// - bookstore_android.apps.example.com +// bookstore_web.apps.example.com +// // ``` // // This example specifies a token in a non-default location (`x-goog-iap-jwt-assertion` header). It also @@ -78,11 +82,11 @@ type JWTRule struct { // [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1) // A JWT with different `iss` claim will be rejected. // - // Example: https://foobar.auth0.com - // Example: 1234567-compute@developer.gserviceaccount.com + // Example: `https://foobar.auth0.com` + // Example: `1234567-compute@developer.gserviceaccount.com` Issuer string `protobuf:"bytes,1,opt,name=issuer,proto3" json:"issuer,omitempty"` // The list of JWT - // [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3). + // [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) // that are allowed to access. A JWT containing any of these // audiences will be accepted. // @@ -92,8 +96,9 @@ type JWTRule struct { // // ```yaml // audiences: - // - bookstore_android.apps.example.com - // bookstore_web.apps.example.com + // - bookstore_android.apps.example.com + // bookstore_web.apps.example.com + // // ``` Audiences []string `protobuf:"bytes,2,rep,name=audiences,proto3" json:"audiences,omitempty"` // URL of the provider's public key set to validate signature of the 
@@ -115,23 +120,27 @@ type JWTRule struct { // Note: Only one of `jwksUri` and `jwks` should be used. Jwks string `protobuf:"bytes,10,opt,name=jwks,proto3" json:"jwks,omitempty"` // List of header locations from which JWT is expected. For example, below is the location spec - // if JWT is expected to be found in `x-jwt-assertion` header, and have "Bearer " prefix: + // if JWT is expected to be found in `x-jwt-assertion` header, and have `Bearer` prefix: // // ```yaml - // fromHeaders: - // - name: x-jwt-assertion - // prefix: "Bearer " + // + // fromHeaders: + // - name: x-jwt-assertion + // prefix: "Bearer " + // // ``` // // Note: Requests with multiple tokens (at different locations) are not supported, the output principal of // such requests is undefined. FromHeaders []*JWTHeader `protobuf:"bytes,6,rep,name=from_headers,json=fromHeaders,proto3" json:"from_headers,omitempty"` // List of query parameters from which JWT is expected. For example, if JWT is provided via query - // parameter `my_token` (e.g /path?my_token=), the config is: + // parameter `my_token` (e.g `/path?my_token=`), the config is: // // ```yaml - // fromParams: - // - "my_token" + // + // fromParams: + // - "my_token" + // // ``` // // Note: Requests with multiple tokens (at different locations) are not supported, the output principal of 
@@ -143,6 +152,22 @@ type JWTRule struct { OutputPayloadToHeader string `protobuf:"bytes,8,opt,name=output_payload_to_header,json=outputPayloadToHeader,proto3" json:"output_payload_to_header,omitempty"` // If set to true, the original token will be kept for the upstream request. Default is false. ForwardOriginalToken bool `protobuf:"varint,9,opt,name=forward_original_token,json=forwardOriginalToken,proto3" json:"forward_original_token,omitempty"` + // This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. + // This differs from the `output_payload_to_header` by allowing outputting individual claims instead of the whole payload. + // The header specified in each operation in the list must be unique. Nested claims of type string/int/bool is supported as well. + // ``` + // + // outputClaimToHeaders: + // - header: x-my-company-jwt-group + // claim: my-group + // - header: x-test-environment-flag + // claim: test-flag + // - header: x-jwt-claim-group + // claim: nested.key.group + // + // ``` + // [Experimental] This feature is a experimental feature. + OutputClaimToHeaders []*ClaimToHeader `protobuf:"bytes,11,rep,name=output_claim_to_headers,json=outputClaimToHeaders,proto3" json:"output_claim_to_headers,omitempty"` // [TODO:Update the status whenever this feature is promoted.] } func (x *JWTRule) Reset() { @@ -233,6 +258,13 @@ func (x *JWTRule) GetForwardOriginalToken() bool { return false } +func (x *JWTRule) GetOutputClaimToHeaders() []*ClaimToHeader { + if x != nil { + return x.OutputClaimToHeaders + } + return nil +} + // This message specifies a header location to extract JWT token. type JWTHeader struct { state protoimpl.MessageState 
@@ -242,7 +274,7 @@ type JWTHeader struct { // The HTTP header name. Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` // The prefix that should be stripped before decoding the token. - // For example, for "Authorization: Bearer ", prefix="Bearer " with a space at the end. + // For example, for `Authorization: Bearer `, prefix=`Bearer` with a space at the end. // If the header doesn't have this exact prefix, it is considered invalid. Prefix string `protobuf:"bytes,2,opt,name=prefix,proto3" json:"prefix,omitempty"` } 
@@ -293,6 +325,65 @@ func (x *JWTHeader) GetPrefix() string { return "" } +// This message specifies the detail for copying claim to header. +type ClaimToHeader struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The name of the header to be created. The header will be overridden if it already exists in the request. + Header string `protobuf:"bytes,1,opt,name=header,proto3" json:"header,omitempty"` + // The name of the claim to be copied from. Only claim of type string/int/bool is supported. + // The header will not be there if the claim does not exist or the type of the claim is not supported. + Claim string `protobuf:"bytes,2,opt,name=claim,proto3" json:"claim,omitempty"` +} + +func (x *ClaimToHeader) Reset() { + *x = ClaimToHeader{} + if protoimpl.UnsafeEnabled { + mi := &file_security_v1beta1_jwt_proto_msgTypes[2] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *ClaimToHeader) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*ClaimToHeader) ProtoMessage() {} + +func (x *ClaimToHeader) ProtoReflect() protoreflect.Message { + mi := &file_security_v1beta1_jwt_proto_msgTypes[2] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use ClaimToHeader.ProtoReflect.Descriptor instead. +func (*ClaimToHeader) Descriptor() ([]byte, []int) { + return file_security_v1beta1_jwt_proto_rawDescGZIP(), []int{2} +} + +func (x *ClaimToHeader) GetHeader() string { + if x != nil { + return x.Header + } + return "" +} + +func (x *ClaimToHeader) GetClaim() string { + if x != nil { + return x.Claim + } + return "" +} + var File_security_v1beta1_jwt_proto protoreflect.FileDescriptor var file_security_v1beta1_jwt_proto_rawDesc = []byte{ 
@@ -301,34 +392,44 @@ var file_security_v1beta1_jwt_proto_rawDesc = []byte{ 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, - 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xca, 0x02, 0x0a, 0x07, 0x4a, 0x57, 0x54, 0x52, 0x75, 0x6c, - 0x65, 0x12, 0x1c, 0x0a, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, - 0x09, 0x42, 0x04, 0xe2, 0x41, 0x01, 0x02, 0x52, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x12, - 0x1c, 0x0a, 0x09, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, - 0x28, 0x09, 0x52, 0x09, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x12, 0x19, 0x0a, - 0x08, 0x6a, 0x77, 0x6b, 0x73, 0x5f, 0x75, 0x72, 0x69, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, - 0x07, 0x6a, 0x77, 0x6b, 0x73, 0x55, 0x72, 0x69, 0x12, 0x12, 0x0a, 0x04, 0x6a, 0x77, 0x6b, 0x73, - 0x18, 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6a, 0x77, 0x6b, 0x73, 0x12, 0x44, 0x0a, 0x0c, - 0x66, 0x72, 0x6f, 0x6d, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x18, 0x06, 0x20, 0x03, - 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, - 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x4a, 0x57, 0x54, 0x48, - 0x65, 0x61, 0x64, 0x65, 0x72, 0x52, 0x0b, 0x66, 0x72, 0x6f, 0x6d, 0x48, 0x65, 0x61, 0x64, 0x65, - 0x72, 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x66, 0x72, 0x6f, 0x6d, 0x5f, 0x70, 0x61, 0x72, 0x61, 0x6d, - 0x73, 0x18, 0x07, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a, 0x66, 0x72, 0x6f, 0x6d, 0x50, 0x61, 0x72, - 0x61, 0x6d, 0x73, 0x12, 0x37, 0x0a, 0x18, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x5f, 0x70, 0x61, - 0x79, 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x74, 0x6f, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, - 0x08, 0x20, 0x01, 0x28, 0x09, 0x52, 0x15, 0x6f, 0x75, 0x74, 0x70, 
0x75, 0x74, 0x50, 0x61, 0x79, - 0x6c, 0x6f, 0x61, 0x64, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x34, 0x0a, 0x16, - 0x66, 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x5f, 0x6f, 0x72, 0x69, 0x67, 0x69, 0x6e, 0x61, 0x6c, - 0x5f, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x09, 0x20, 0x01, 0x28, 0x08, 0x52, 0x14, 0x66, 0x6f, - 0x72, 0x77, 0x61, 0x72, 0x64, 0x4f, 0x72, 0x69, 0x67, 0x69, 0x6e, 0x61, 0x6c, 0x54, 0x6f, 0x6b, - 0x65, 0x6e, 0x22, 0x3d, 0x0a, 0x09, 0x4a, 0x57, 0x54, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, - 0x18, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x04, 0xe2, - 0x41, 0x01, 0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x72, 0x65, - 0x66, 0x69, 0x78, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, - 0x78, 0x42, 0x1f, 0x5a, 0x1d, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, - 0x69, 0x2f, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, - 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xa7, 0x03, 0x0a, 0x07, 0x4a, 0x57, 0x54, 0x52, 0x75, 0x6c, + 0x65, 0x12, 0x1b, 0x0a, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, + 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x06, 0x69, 0x73, 0x73, 0x75, 0x65, 0x72, 0x12, 0x1c, + 0x0a, 0x09, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, + 0x09, 0x52, 0x09, 0x61, 0x75, 0x64, 0x69, 0x65, 0x6e, 0x63, 0x65, 0x73, 0x12, 0x19, 0x0a, 0x08, + 0x6a, 0x77, 0x6b, 0x73, 0x5f, 0x75, 0x72, 0x69, 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x07, + 0x6a, 0x77, 0x6b, 0x73, 0x55, 0x72, 0x69, 0x12, 0x12, 0x0a, 0x04, 0x6a, 0x77, 0x6b, 0x73, 0x18, + 0x0a, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6a, 0x77, 0x6b, 0x73, 0x12, 0x44, 0x0a, 0x0c, 0x66, + 0x72, 0x6f, 0x6d, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x18, 0x06, 0x20, 0x03, 0x28, + 0x0b, 0x32, 0x21, 0x2e, 0x69, 0x73, 0x74, 
0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, + 0x74, 0x79, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x4a, 0x57, 0x54, 0x48, 0x65, + 0x61, 0x64, 0x65, 0x72, 0x52, 0x0b, 0x66, 0x72, 0x6f, 0x6d, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, + 0x73, 0x12, 0x1f, 0x0a, 0x0b, 0x66, 0x72, 0x6f, 0x6d, 0x5f, 0x70, 0x61, 0x72, 0x61, 0x6d, 0x73, + 0x18, 0x07, 0x20, 0x03, 0x28, 0x09, 0x52, 0x0a, 0x66, 0x72, 0x6f, 0x6d, 0x50, 0x61, 0x72, 0x61, + 0x6d, 0x73, 0x12, 0x37, 0x0a, 0x18, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x5f, 0x70, 0x61, 0x79, + 0x6c, 0x6f, 0x61, 0x64, 0x5f, 0x74, 0x6f, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x08, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x15, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x50, 0x61, 0x79, 0x6c, + 0x6f, 0x61, 0x64, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x34, 0x0a, 0x16, 0x66, + 0x6f, 0x72, 0x77, 0x61, 0x72, 0x64, 0x5f, 0x6f, 0x72, 0x69, 0x67, 0x69, 0x6e, 0x61, 0x6c, 0x5f, + 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x09, 0x20, 0x01, 0x28, 0x08, 0x52, 0x14, 0x66, 0x6f, 0x72, + 0x77, 0x61, 0x72, 0x64, 0x4f, 0x72, 0x69, 0x67, 0x69, 0x6e, 0x61, 0x6c, 0x54, 0x6f, 0x6b, 0x65, + 0x6e, 0x12, 0x5c, 0x0a, 0x17, 0x6f, 0x75, 0x74, 0x70, 0x75, 0x74, 0x5f, 0x63, 0x6c, 0x61, 0x69, + 0x6d, 0x5f, 0x74, 0x6f, 0x5f, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x18, 0x0b, 0x20, 0x03, + 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, + 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x43, 0x6c, 0x61, 0x69, + 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x52, 0x14, 0x6f, 0x75, 0x74, 0x70, 0x75, + 0x74, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x22, + 0x3c, 0x0a, 0x09, 0x4a, 0x57, 0x54, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x17, 0x0a, 0x04, + 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, + 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x16, 0x0a, 0x06, 0x70, 0x72, 0x65, 0x66, 
0x69, 0x78, 0x18, + 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, 0x70, 0x72, 0x65, 0x66, 0x69, 0x78, 0x22, 0x3d, 0x0a, + 0x0d, 0x43, 0x6c, 0x61, 0x69, 0x6d, 0x54, 0x6f, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x16, + 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x06, + 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x14, 0x0a, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x18, + 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x63, 0x6c, 0x61, 0x69, 0x6d, 0x42, 0x1f, 0x5a, 0x1d, + 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x73, 0x65, 0x63, + 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x62, 0x06, 0x70, + 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( 
@@ -343,18 +444,20 @@ func file_security_v1beta1_jwt_proto_rawDescGZIP() []byte { return file_security_v1beta1_jwt_proto_rawDescData } -var file_security_v1beta1_jwt_proto_msgTypes = make([]protoimpl.MessageInfo, 2) +var file_security_v1beta1_jwt_proto_msgTypes = make([]protoimpl.MessageInfo, 3) var file_security_v1beta1_jwt_proto_goTypes = []interface{}{ - (*JWTRule)(nil), // 0: istio.security.v1beta1.JWTRule - (*JWTHeader)(nil), // 1: istio.security.v1beta1.JWTHeader + (*JWTRule)(nil), // 0: istio.security.v1beta1.JWTRule + (*JWTHeader)(nil), // 1: istio.security.v1beta1.JWTHeader + (*ClaimToHeader)(nil), // 2: istio.security.v1beta1.ClaimToHeader } var file_security_v1beta1_jwt_proto_depIdxs = []int32{ 1, // 0: istio.security.v1beta1.JWTRule.from_headers:type_name -> istio.security.v1beta1.JWTHeader - 1, // [1:1] is the sub-list for method output_type - 1, // [1:1] is the sub-list for method input_type - 1, // [1:1] is the sub-list for extension type_name - 1, // [1:1] is the sub-list for extension extendee - 0, // [0:1] is the sub-list for field type_name + 2, // 1: istio.security.v1beta1.JWTRule.output_claim_to_headers:type_name -> istio.security.v1beta1.ClaimToHeader + 2, // [2:2] is the sub-list for method output_type + 2, // [2:2] is the sub-list for method input_type + 2, // [2:2] is the sub-list for extension type_name + 2, // [2:2] is the sub-list for extension extendee + 0, // [0:2] is the sub-list for field type_name } func init() { file_security_v1beta1_jwt_proto_init() } @@ -387,6 +490,18 @@ func file_security_v1beta1_jwt_proto_init() { return nil } } + file_security_v1beta1_jwt_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*ClaimToHeader); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } } type x struct{} out := protoimpl.TypeBuilder{ 
@@ -394,7 +509,7 @@ func file_security_v1beta1_jwt_proto_init() { GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_security_v1beta1_jwt_proto_rawDesc, NumEnums: 0, - NumMessages: 2, + NumMessages: 3, NumExtensions: 0, NumServices: 0, }, diff --git a/vendor/istio.io/api/security/v1beta1/jwt.pb.html b/vendor/istio.io/api/security/v1beta1/jwt.pb.html index efb5da0eb..2e9b6c8d2 100644 --- a/vendor/istio.io/api/security/v1beta1/jwt.pb.html +++ b/vendor/istio.io/api/security/v1beta1/jwt.pb.html @@ -6,7 +6,7 @@ generator: protoc-gen-docs schema: istio.security.v1beta1.JWTRule aliases: [/docs/reference/config/security/v1beta1/jwt] -number_of_entries: 2 +number_of_entries: 3 ---

    JWTRule

    @@ -14,23 +14,18 @@

    JWTRule

    RFC 7519. See OAuth 2.0 and OIDC 1.0 for how this is used in the whole authentication flow.

    -

    Examples:

    -

    Spec for a JWT that is issued by https://example.com, with the audience claims must be either bookstore_android.apps.example.com or bookstore_web.apps.example.com. The token should be presented at the Authorization header (default). The JSON Web Key Set (JWKS) will be discovered following OpenID Connect protocol.

    -
    issuer: https://example.com
     audiences:
     - bookstore_android.apps.example.com
       bookstore_web.apps.example.com
     
    -

    This example specifies a token in a non-default location (x-goog-iap-jwt-assertion header). It also defines the URI to fetch JWKS explicitly.

    -
    issuer: https://example.com
     jwksUri: https://example.com/.secret/jwks.json
     fromHeaders:
    @@ -54,9 +49,8 @@ 

    JWTRule

    Identifies the issuer that issued the JWT. See issuer A JWT with different iss claim will be rejected.

    - -

    Example: https://foobar.auth0.com -Example: 1234567-compute@developer.gserviceaccount.com

    +

    Example: https://foobar.auth0.com +Example: 1234567-compute@developer.gserviceaccount.com

    @@ -113,8 +101,7 @@

    JWTRule

    @@ -127,13 +114,11 @@

    JWTRule

    + + + + + + @@ -229,3 +234,43 @@

    JWTHeader

    @@ -68,14 +62,11 @@

    JWTRule

    string[]

    The list of JWT -audiences. +audiences that are allowed to access. A JWT containing any of these audiences will be accepted.

    -

    The service name will be accepted if audiences is empty.

    -

    Example:

    -
    audiences:
     - bookstore_android.apps.example.com
       bookstore_web.apps.example.com
    @@ -92,15 +83,12 @@ 

    JWTRule

    URL of the provider’s public key set to validate signature of the JWT. See OpenID Discovery.

    -

    Optional if the key set document can either (a) be retrieved from OpenID Discovery of the issuer or (b) inferred from the email domain of the issuer (e.g. a Google service account).

    -

    Example: https://www.googleapis.com/oauth2/v1/certs

    -

    Note: Only one of jwksUri and jwks should be used.

    string

    JSON Web Key Set of public keys to validate signature of the JWT. -See https://auth0.com/docs/jwks.

    - +See https://auth0.com/docs/jwks.

    Note: Only one of jwksUri and jwks should be used.

    JWTHeader[]

    List of header locations from which JWT is expected. For example, below is the location spec -if JWT is expected to be found in x-jwt-assertion header, and have “Bearer ” prefix:

    - +if JWT is expected to be found in x-jwt-assertion header, and have Bearer prefix:

      fromHeaders:
       - name: x-jwt-assertion
         prefix: "Bearer "
     
    -

    Note: Requests with multiple tokens (at different locations) are not supported, the output principal of such requests is undefined.

    @@ -147,12 +132,10 @@

    JWTRule

    string[]

    List of query parameters from which JWT is expected. For example, if JWT is provided via query -parameter my_token (e.g /path?my_token=), the config is:

    - +parameter my_token (e.g /path?my_token=<JWT>), the config is:

      fromParams:
       - "my_token"
     
    -

    Note: Requests with multiple tokens (at different locations) are not supported, the output principal of such requests is undefined.

    @@ -180,6 +163,28 @@

    JWTRule

    If set to true, the original token will be kept for the upstream request. Default is false.

    +
    +No +
    outputClaimToHeadersClaimToHeader[] +

    This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. +This differs from the output_payload_to_header by allowing outputting individual claims instead of the whole payload. +The header specified in each operation in the list must be unique. Nested claims of type string/int/bool is supported as well.

    +
      outputClaimToHeaders:
    +  - header: x-my-company-jwt-group
    +    claim: my-group
    +  - header: x-test-environment-flag
    +    claim: test-flag
    +  - header: x-jwt-claim-group
    +    claim: nested.key.group
    +
    +

    [Experimental] This feature is a experimental feature.

    +
    No @@ -218,7 +223,7 @@

    JWTHeader

    string

    The prefix that should be stripped before decoding the token. -For example, for “Authorization: Bearer ”, prefix=“Bearer ” with a space at the end. +For example, for Authorization: Bearer <token>, prefix=Bearer with a space at the end. If the header doesn’t have this exact prefix, it is considered invalid.

    +

    ClaimToHeader

    +
    +

    This message specifies the detail for copying claim to header.

    + + + + + + + + + + + + + + + + + + + + + + + + +
    FieldTypeDescriptionRequired
    headerstring +

    The name of the header to be created. The header will be overridden if it already exists in the request.

    + +
    +No +
    claimstring +

    The name of the claim to be copied from. Only claim of type string/int/bool is supported. +The header will not be there if the claim does not exist or the type of the claim is not supported.

    + +
    +No +
    +
    diff --git a/vendor/istio.io/api/security/v1beta1/jwt.proto b/vendor/istio.io/api/security/v1beta1/jwt.proto index 858b7f283..fbd8d5a79 100644 --- a/vendor/istio.io/api/security/v1beta1/jwt.proto +++ b/vendor/istio.io/api/security/v1beta1/jwt.proto @@ -25,6 +25,9 @@ package istio.security.v1beta1; option go_package="istio.io/api/security/v1beta1"; +// // JSON Web Token (JWT) token format for authentication as defined by // [RFC 7519](https://tools.ietf.org/html/rfc7519). See [OAuth 2.0](https://tools.ietf.org/html/rfc6749) and // [OIDC 1.0](http://openid.net/connect) for how this is used in the whole @@ -58,12 +61,12 @@ message JWTRule { // [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1) // A JWT with different `iss` claim will be rejected. // - // Example: https://foobar.auth0.com - // Example: 1234567-compute@developer.gserviceaccount.com + // Example: `https://foobar.auth0.com` + // Example: `1234567-compute@developer.gserviceaccount.com` string issuer = 1 [(google.api.field_behavior) = REQUIRED]; // The list of JWT - // [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3). + // [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) // that are allowed to access. A JWT containing any of these // audiences will be accepted. // @@ -112,7 +115,7 @@ message JWTRule { // [URI Query Parameter](https://tools.ietf.org/html/rfc6750#section-2.3)) // List of header locations from which JWT is expected. For example, below is the location spec - // if JWT is expected to be found in `x-jwt-assertion` header, and have "Bearer " prefix: + // if JWT is expected to be found in `x-jwt-assertion` header, and have `Bearer` prefix: // // ```yaml // fromHeaders: 
@@ -125,7 +128,7 @@ message JWTRule { repeated JWTHeader from_headers = 6; // List of query parameters from which JWT is expected. For example, if JWT is provided via query - // parameter `my_token` (e.g /path?my_token=), the config is: + // parameter `my_token` (e.g `/path?my_token=`), the config is: // // ```yaml // fromParams: @@ -143,6 +146,22 @@ message JWTRule { // If set to true, the original token will be kept for the upstream request. Default is false. bool forward_original_token = 9; + + + // This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token. + // This differs from the `output_payload_to_header` by allowing outputting individual claims instead of the whole payload. + // The header specified in each operation in the list must be unique. Nested claims of type string/int/bool is supported as well. + // ``` + // outputClaimToHeaders: + // - header: x-my-company-jwt-group + // claim: my-group + // - header: x-test-environment-flag + // claim: test-flag + // - header: x-jwt-claim-group + // claim: nested.key.group + // ``` + // [Experimental] This feature is a experimental feature. + repeated ClaimToHeader output_claim_to_headers = 11; // [TODO:Update the status whenever this feature is promoted.] } // This message specifies a header location to extract JWT token. 
@@ -151,7 +170,17 @@ message JWTHeader { string name = 1 [(google.api.field_behavior) = REQUIRED]; // The prefix that should be stripped before decoding the token. - // For example, for "Authorization: Bearer ", prefix="Bearer " with a space at the end. + // For example, for `Authorization: Bearer `, prefix=`Bearer` with a space at the end. // If the header doesn't have this exact prefix, it is considered invalid. string prefix = 2; } + +// This message specifies the detail for copying claim to header. +message ClaimToHeader { + // The name of the header to be created. The header will be overridden if it already exists in the request. + string header = 1; + + // The name of the claim to be copied from. Only claim of type string/int/bool is supported. + // The header will not be there if the claim does not exist or the type of the claim is not supported. + string claim = 2; +} diff --git a/vendor/istio.io/api/security/v1beta1/jwt_deepcopy.gen.go b/vendor/istio.io/api/security/v1beta1/jwt_deepcopy.gen.go index af5a302bf..54f52f017 100644 --- a/vendor/istio.io/api/security/v1beta1/jwt_deepcopy.gen.go +++ b/vendor/istio.io/api/security/v1beta1/jwt_deepcopy.gen.go @@ -2,7 +2,7 @@ package v1beta1 import ( - proto "github.com/golang/protobuf/proto" + proto "google.golang.org/protobuf/proto" ) // DeepCopyInto supports using JWTRule within kubernetes types, where deepcopy-gen is used. 
@@ -46,3 +46,24 @@ func (in *JWTHeader) DeepCopy() *JWTHeader { func (in *JWTHeader) DeepCopyInterface() interface{} { return in.DeepCopy() } + +// DeepCopyInto supports using ClaimToHeader within kubernetes types, where deepcopy-gen is used. +func (in *ClaimToHeader) DeepCopyInto(out *ClaimToHeader) { + p := proto.Clone(in).(*ClaimToHeader) + *out = *p +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClaimToHeader. Required by controller-gen. +func (in *ClaimToHeader) DeepCopy() *ClaimToHeader { + if in == nil { + return nil + } + out := new(ClaimToHeader) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new ClaimToHeader. Required by controller-gen. +func (in *ClaimToHeader) DeepCopyInterface() interface{} { + return in.DeepCopy() +} diff --git a/vendor/istio.io/api/security/v1beta1/jwt_json.gen.go b/vendor/istio.io/api/security/v1beta1/jwt_json.gen.go index 0f688cb2d..2612d3a32 100644 --- a/vendor/istio.io/api/security/v1beta1/jwt_json.gen.go +++ b/vendor/istio.io/api/security/v1beta1/jwt_json.gen.go @@ -28,6 +28,17 @@ func (this *JWTHeader) UnmarshalJSON(b []byte) error { return JwtUnmarshaler.Unmarshal(bytes.NewReader(b), this) } +// MarshalJSON is a custom marshaler for ClaimToHeader +func (this *ClaimToHeader) MarshalJSON() ([]byte, error) { + str, err := JwtMarshaler.MarshalToString(this) + return []byte(str), err +} + +// UnmarshalJSON is a custom unmarshaler for ClaimToHeader +func (this *ClaimToHeader) UnmarshalJSON(b []byte) error { + return JwtUnmarshaler.Unmarshal(bytes.NewReader(b), this) +} + var ( JwtMarshaler = &jsonpb.Marshaler{} JwtUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true} diff --git a/vendor/istio.io/api/security/v1beta1/peer_authentication.pb.go b/vendor/istio.io/api/security/v1beta1/peer_authentication.pb.go index 79c812669..f31944c78 100644 
--- a/vendor/istio.io/api/security/v1beta1/peer_authentication.pb.go +++ b/vendor/istio.io/api/security/v1beta1/peer_authentication.pb.go @@ -14,7 +14,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.27.1 +// protoc-gen-go v1.30.0 // protoc (unknown) // source: security/v1beta1/peer_authentication.proto @@ -106,11 +106,15 @@ func (PeerAuthentication_MutualTLS_Mode) EnumDescriptor() ([]byte, []int) { // apiVersion: security.istio.io/v1beta1 // kind: PeerAuthentication // metadata: -// name: default -// namespace: foo +// +// name: default +// namespace: foo +// // spec: -// mtls: -// mode: STRICT +// +// mtls: +// mode: STRICT +// // ``` // For mesh level, put the policy in root-namespace according to your Istio installation. // @@ -120,23 +124,31 @@ func (PeerAuthentication_MutualTLS_Mode) EnumDescriptor() ([]byte, []int) { // apiVersion: security.istio.io/v1beta1 // kind: PeerAuthentication // metadata: -// name: default -// namespace: foo +// +// name: default +// namespace: foo +// // spec: -// mtls: -// mode: PERMISSIVE +// +// mtls: +// mode: PERMISSIVE +// // --- // apiVersion: security.istio.io/v1beta1 // kind: PeerAuthentication // metadata: -// name: default -// namespace: foo +// +// name: finance +// namespace: foo +// // spec: -// selector: -// matchLabels: -// app: finance -// mtls: -// mode: STRICT +// +// selector: +// matchLabels: +// app: finance +// mtls: +// mode: STRICT +// // ``` // Policy to allow mTLS strict for all workloads, but leave port 8080 to // plaintext: 
@@ -144,17 +156,21 @@ func (PeerAuthentication_MutualTLS_Mode) EnumDescriptor() ([]byte, []int) { // apiVersion: security.istio.io/v1beta1 // kind: PeerAuthentication // metadata: -// name: default -// namespace: foo +// +// name: default +// namespace: foo +// // spec: -// selector: -// matchLabels: -// app: finance -// mtls: -// mode: STRICT -// portLevelMtls: -// 8080: -// mode: DISABLE +// +// selector: +// matchLabels: +// app: finance +// mtls: +// mode: STRICT +// portLevelMtls: +// 8080: +// mode: DISABLE +// // ``` // Policy to inherit mTLS mode from namespace (or mesh) settings, and overwrite // settings for port 8080 @@ -162,17 +178,21 @@ func (PeerAuthentication_MutualTLS_Mode) EnumDescriptor() ([]byte, []int) { // apiVersion: security.istio.io/v1beta1 // kind: PeerAuthentication // metadata: -// name: default -// namespace: foo +// +// name: default +// namespace: foo +// // spec: -// selector: -// matchLabels: -// app: finance -// mtls: -// mode: UNSET -// portLevelMtls: -// 8080: -// mode: DISABLE +// +// selector: +// matchLabels: +// app: finance +// mtls: +// mode: UNSET +// portLevelMtls: +// 8080: +// mode: DISABLE +// // ``` // // +// type RequestAuthentication struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache diff --git a/vendor/istio.io/api/security/v1beta1/request_authentication.pb.html b/vendor/istio.io/api/security/v1beta1/request_authentication.pb.html index 8e9adf780..dad687324 100644 --- a/vendor/istio.io/api/security/v1beta1/request_authentication.pb.html +++ b/vendor/istio.io/api/security/v1beta1/request_authentication.pb.html @@ -16,11 +16,9 @@

    RequestAuthentication

    will be accepted but will not have any authenticated identity. To restrict access to authenticated requests only, this should be accompanied by an authorization rule. Examples:

    -
    • Require JWT for all request for workloads that have label app:httpbin
    -
    apiVersion: security.istio.io/v1beta1
     kind: RequestAuthentication
     metadata:
    @@ -48,13 +46,11 @@ 

    RequestAuthentication

    - source: requestPrincipals: ["*"]
    -
    • A policy in the root namespace (“istio-system” by default) applies to workloads in all namespaces in a mesh. The following policy makes all workloads only accept requests that contain a valid JWT token.
    -
    apiVersion: security.istio.io/v1beta1
     kind: RequestAuthentication
     metadata:
    @@ -76,13 +72,11 @@ 

    RequestAuthentication

    - source: requestPrincipals: ["*"]
    -
    • The next example shows how to set a different JWT requirement for a different host. The RequestAuthentication declares it can accept JWTs issued by either issuer-foo or issuer-bar (the public key set is implicitly set from the OpenID Connect spec).
    -
    apiVersion: security.istio.io/v1beta1
     kind: RequestAuthentication
     metadata:
    @@ -119,13 +113,11 @@ 

    RequestAuthentication

    - operation: hosts: ["another-host.com"]
    -
    • You can fine tune the authorization policy to set different requirement per path. For example, to require JWT on all paths, except /healthz, the same RequestAuthentication can be used, but the authorization policy could be:
    -
    apiVersion: security.istio.io/v1beta1
     kind: AuthorizationPolicy
     metadata:
    @@ -143,33 +135,28 @@ 

    RequestAuthentication

    - operation: paths: ["/healthz"]
    -

    [Experimental] Routing based on derived metadata is now supported. A prefix ‘@’ is used to denote a match against internal metadata instead of the headers in the request. Currently this feature is only supported for the following metadata:

    -
    • request.auth.claims.{claim-name}[.{sub-claim}]* which are extracted from validated JWT tokens. The claim name currently does not support the . character. Examples: request.auth.claims.sub and request.auth.claims.name.givenName.
    -

    The use of matches against JWT claim metadata is only supported in Gateways. The following example shows:

    -
    • RequestAuthentication to decode and validate a JWT. This also makes the @request.auth.claims available for use in the VirtualService.
    • AuthorizationPolicy to check for valid principals in the request. This makes the JWT required for the request.
    • VirtualService to route the request based on the “sub” claim.
    -
    apiVersion: security.istio.io/v1beta1
     kind: RequestAuthentication
     metadata:
       name: jwt-on-ingress
       namespace: istio-system
     spec:
    - selector:
    -   matchLabels:
    -     app: istio-ingressgateway
    +  selector:
    +    matchLabels:
    +      app: istio-ingressgateway
       jwtRules:
       - issuer: "example.com"
         jwksUri: https://example.com/.well-known/jwks.json
    @@ -180,9 +167,9 @@ 

    RequestAuthentication

    name: require-jwt namespace: istio-system spec: - selector: - matchLabels: - app: istio-ingressgateway + selector: + matchLabels: + app: istio-ingressgateway rules: - from: - source: @@ -231,7 +218,6 @@

    RequestAuthentication

    Optional. The selector decides where to apply the request authentication policy. The selector will match with workloads in the same namespace as the request authentication policy. If the request authentication policy is in the root namespace, the selector will additionally match with workloads in all namespaces.

    -

    If not set, the selector will match all workloads.

    diff --git a/vendor/istio.io/api/security/v1beta1/request_authentication.proto b/vendor/istio.io/api/security/v1beta1/request_authentication.proto index 0bfb0bc40..f8cdd5f1a 100644 --- a/vendor/istio.io/api/security/v1beta1/request_authentication.proto +++ b/vendor/istio.io/api/security/v1beta1/request_authentication.proto @@ -176,9 +176,9 @@ option go_package="istio.io/api/security/v1beta1"; // name: jwt-on-ingress // namespace: istio-system // spec: -// selector: -// matchLabels: -// app: istio-ingressgateway +// selector: +// matchLabels: +// app: istio-ingressgateway // jwtRules: // - issuer: "example.com" // jwksUri: https://example.com/.well-known/jwks.json @@ -189,9 +189,9 @@ option go_package="istio.io/api/security/v1beta1"; // name: require-jwt // namespace: istio-system // spec: -// selector: -// matchLabels: -// app: istio-ingressgateway +// selector: +// matchLabels: +// app: istio-ingressgateway // rules: // - from: // - source: @@ -241,6 +241,9 @@ option go_package="istio.io/api/security/v1beta1"; // +genclient // +k8s:deepcopy-gen=true // --> +// message RequestAuthentication { // Optional. The selector decides where to apply the request authentication policy. The selector will match with workloads // in the same namespace as the request authentication policy. If the request authentication policy is in the root namespace, diff --git a/vendor/istio.io/api/security/v1beta1/request_authentication_deepcopy.gen.go b/vendor/istio.io/api/security/v1beta1/request_authentication_deepcopy.gen.go index 9b63f44dc..a6c645b84 100644 --- a/vendor/istio.io/api/security/v1beta1/request_authentication_deepcopy.gen.go +++ b/vendor/istio.io/api/security/v1beta1/request_authentication_deepcopy.gen.go @@ -2,7 +2,7 @@ package v1beta1 import ( - proto "github.com/golang/protobuf/proto" + proto "google.golang.org/protobuf/proto" ) // DeepCopyInto supports using RequestAuthentication within kubernetes types, where deepcopy-gen is used. 
diff --git a/vendor/istio.io/api/telemetry/v1alpha1/telemetry.pb.go b/vendor/istio.io/api/telemetry/v1alpha1/telemetry.pb.go index 6f074230e..a785194ac 100644 --- a/vendor/istio.io/api/telemetry/v1alpha1/telemetry.pb.go +++ b/vendor/istio.io/api/telemetry/v1alpha1/telemetry.pb.go @@ -14,7 +14,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.27.1 +// protoc-gen-go v1.30.0 // protoc (unknown) // source: telemetry/v1alpha1/telemetry.proto @@ -173,12 +173,12 @@ // response_code: // operation: REMOVE // - match: -// metric: REQUEST_BYTES +// metric: REQUEST_SIZE // tagOverrides: // response_code: // operation: REMOVE // - match: -// metric: RESPONSE_BYTES +// metric: RESPONSE_SIZE // tagOverrides: // response_code: // operation: REMOVE @@ -196,11 +196,10 @@ // accessLogging: // - providers: // - name: envoy -// # By default, this turns on access logging (no need to set `disabled: -// false`). # Unspecified `disabled` will be treated as `disabled: false`, -// except in # cases where a parent configuration has marked as `disabled: -// true`. In # those cases, `disabled: false` must be set explicitly to -// override. +// # By default, this turns on access logging (no need to set `disabled: false`). +// # Unspecified `disabled` will be treated as `disabled: false`, except in +// # cases where a parent configuration has marked as `disabled: true`. In +// # those cases, `disabled: false` must be set explicitly to override. // ``` // // Policy to disable access logging for the `foo` namespace: @@ -220,7 +219,9 @@ package v1alpha1 import ( + duration "github.com/golang/protobuf/ptypes/duration" wrappers "github.com/golang/protobuf/ptypes/wrappers" + _ "google.golang.org/genproto/googleapis/api/annotations" protoreflect "google.golang.org/protobuf/reflect/protoreflect" protoimpl "google.golang.org/protobuf/runtime/protoimpl" v1beta1 "istio.io/api/type/v1beta1" 
@@ -627,7 +628,7 @@ type Tracing struct { Match *Tracing_TracingSelector `protobuf:"bytes,7,opt,name=match,proto3" json:"match,omitempty"` // Optional. Name of provider(s) to use for span reporting. If a provider is // not specified, the [default tracing - // provider][istio.mesh.v1alpha1.MeshConfig.default_providers.tracing] will be + // provider](https://istio.io/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-DefaultProviders) will be // used. NOTE: At the moment, only a single provider can be specified in a // given Tracing rule. Providers []*ProviderRef `protobuf:"bytes,2,rep,name=providers,proto3" json:"providers,omitempty"` @@ -795,7 +796,7 @@ type Metrics struct { // Optional. Name of providers to which this configuration should apply. // If a provider is not specified, the [default metrics - // provider][istio.mesh.v1alpha1.MeshConfig.default_providers.metrics] will be + // provider](https://istio.io/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-DefaultProviders) will be // used. Providers []*ProviderRef `protobuf:"bytes,1,rep,name=providers,proto3" json:"providers,omitempty"` // Optional. Ordered list of overrides to metrics generation behavior. @@ -812,6 +813,10 @@ type Metrics struct { // a best practice to list any universal overrides first, with tailored // overrides following them. Overrides []*MetricsOverrides `protobuf:"bytes,2,rep,name=overrides,proto3" json:"overrides,omitempty"` + // Optional. Reporting interval allows configuration of the time between calls out to for metrics reporting. + // This currently only supports TCP metrics but we may use this for long duration HTTP streams in the future. + // The default duration is `5s`. + ReportingInterval *duration.Duration `protobuf:"bytes,3,opt,name=reporting_interval,json=reportingInterval,proto3" json:"reporting_interval,omitempty"` } func (x *Metrics) Reset() { 
@@ -860,6 +865,13 @@ func (x *Metrics) GetOverrides() []*MetricsOverrides { return nil } +func (x *Metrics) GetReportingInterval() *duration.Duration { + if x != nil { + return x.ReportingInterval + } + return nil +} + // Provides a mechanism for matching metrics for the application of override // behaviors. type MetricSelector struct { @@ -870,6 +882,7 @@ type MetricSelector struct { // Controls which metric(s) are selected by the selector. // // Types that are assignable to MetricMatch: + // // *MetricSelector_Metric // *MetricSelector_CustomMetric MetricMatch isMetricSelector_MetricMatch `protobuf_oneof:"metric_match"` @@ -1050,7 +1063,7 @@ type AccessLogging struct { Match *AccessLogging_LogSelector `protobuf:"bytes,4,opt,name=match,proto3" json:"match,omitempty"` // Optional. Name of providers to which this configuration should apply. // If a provider is not specified, the [default logging - // provider][istio.mesh.v1alpha1.MeshConfig.default_providers.] will be used. + // provider](https://istio.io/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-DefaultProviders) will be used. Providers []*ProviderRef `protobuf:"bytes,1,rep,name=providers,proto3" json:"providers,omitempty"` // Controls logging. If set to true, no access logs will be generated for // impacted workloads (for the specified providers). @@ -1187,6 +1200,7 @@ type Tracing_CustomTag struct { unknownFields protoimpl.UnknownFields // Types that are assignable to Type: + // // *Tracing_CustomTag_Literal // *Tracing_CustomTag_Environment // *Tracing_CustomTag_Header 
@@ -1627,109 +1641,118 @@ var file_telemetry_v1alpha1_telemetry_proto_rawDesc = []byte{ 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x18, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x1a, 0x1b, 0x74, 0x79, 0x70, 0x65, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x73, 0x65, 0x6c, - 0x65, 0x63, 0x74, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1e, 0x67, 0x6f, 0x6f, - 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x77, 0x72, 0x61, - 0x70, 0x70, 0x65, 0x72, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x97, 0x02, 0x0a, 0x09, - 0x54, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x12, 0x40, 0x0a, 0x08, 0x73, 0x65, 0x6c, - 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x69, 0x73, - 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, - 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, - 0x72, 0x52, 0x08, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x3b, 0x0a, 0x07, 0x74, - 0x72, 0x61, 0x63, 0x69, 0x6e, 0x67, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x69, - 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x2e, 0x76, - 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x54, 0x72, 0x61, 0x63, 0x69, 0x6e, 0x67, 0x52, - 0x07, 0x74, 0x72, 0x61, 0x63, 0x69, 0x6e, 0x67, 0x12, 0x3b, 0x0a, 0x07, 0x6d, 0x65, 0x74, 0x72, - 0x69, 0x63, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x69, 0x73, 0x74, 0x69, - 0x6f, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x2e, 0x76, 0x31, 0x61, 0x6c, - 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x52, 0x07, 0x6d, 0x65, - 0x74, 0x72, 0x69, 0x63, 0x73, 0x12, 0x4e, 0x0a, 0x0e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x5f, - 0x6c, 0x6f, 0x67, 0x67, 0x69, 0x6e, 0x67, 0x18, 0x04, 
0x20, 0x03, 0x28, 0x0b, 0x32, 0x27, 0x2e, - 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x2e, - 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, - 0x6f, 0x67, 0x67, 0x69, 0x6e, 0x67, 0x52, 0x0d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, 0x6f, - 0x67, 0x67, 0x69, 0x6e, 0x67, 0x22, 0xe7, 0x08, 0x0a, 0x07, 0x54, 0x72, 0x61, 0x63, 0x69, 0x6e, - 0x67, 0x12, 0x47, 0x0a, 0x05, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x18, 0x07, 0x20, 0x01, 0x28, 0x0b, - 0x32, 0x31, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, - 0x72, 0x79, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x54, 0x72, 0x61, 0x63, - 0x69, 0x6e, 0x67, 0x2e, 0x54, 0x72, 0x61, 0x63, 0x69, 0x6e, 0x67, 0x53, 0x65, 0x6c, 0x65, 0x63, - 0x74, 0x6f, 0x72, 0x52, 0x05, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x12, 0x43, 0x0a, 0x09, 0x70, 0x72, - 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x25, 0x2e, - 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x2e, - 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, - 0x72, 0x52, 0x65, 0x66, 0x52, 0x09, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x73, 0x12, - 0x5a, 0x0a, 0x1a, 0x72, 0x61, 0x6e, 0x64, 0x6f, 0x6d, 0x5f, 0x73, 0x61, 0x6d, 0x70, 0x6c, 0x69, - 0x6e, 0x67, 0x5f, 0x70, 0x65, 0x72, 0x63, 0x65, 0x6e, 0x74, 0x61, 0x67, 0x65, 0x18, 0x03, 0x20, - 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x6f, 0x75, 0x62, 0x6c, 0x65, 0x56, 0x61, 0x6c, 0x75, - 0x65, 0x52, 0x18, 0x72, 0x61, 0x6e, 0x64, 0x6f, 0x6d, 0x53, 0x61, 0x6d, 0x70, 0x6c, 0x69, 0x6e, - 0x67, 0x50, 0x65, 0x72, 0x63, 0x65, 0x6e, 0x74, 0x61, 0x67, 0x65, 0x12, 0x50, 0x0a, 0x16, 0x64, - 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x73, 0x70, 0x61, 0x6e, 0x5f, 0x72, 0x65, 0x70, 
0x6f, - 0x72, 0x74, 0x69, 0x6e, 0x67, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, 0x6f, - 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, 0x6f, - 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x14, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, - 0x53, 0x70, 0x61, 0x6e, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x69, 0x6e, 0x67, 0x12, 0x52, 0x0a, - 0x0b, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5f, 0x74, 0x61, 0x67, 0x73, 0x18, 0x05, 0x20, 0x03, - 0x28, 0x0b, 0x32, 0x31, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x6d, - 0x65, 0x74, 0x72, 0x79, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x54, 0x72, - 0x61, 0x63, 0x69, 0x6e, 0x67, 0x2e, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x54, 0x61, 0x67, 0x73, - 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0a, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x54, 0x61, 0x67, - 0x73, 0x12, 0x63, 0x0a, 0x21, 0x75, 0x73, 0x65, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, - 0x5f, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x5f, 0x74, 0x72, 0x61, 0x63, 0x65, 0x5f, 0x73, 0x61, - 0x6d, 0x70, 0x6c, 0x69, 0x6e, 0x67, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, - 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, - 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x1c, 0x75, 0x73, 0x65, 0x52, 0x65, 0x71, - 0x75, 0x65, 0x73, 0x74, 0x49, 0x64, 0x46, 0x6f, 0x72, 0x54, 0x72, 0x61, 0x63, 0x65, 0x53, 0x61, - 0x6d, 0x70, 0x6c, 0x69, 0x6e, 0x67, 0x1a, 0x4d, 0x0a, 0x0f, 0x54, 0x72, 0x61, 0x63, 0x69, 0x6e, - 0x67, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x3a, 0x0a, 0x04, 0x6d, 0x6f, 0x64, - 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x26, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, - 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, - 0x61, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x4d, 0x6f, 0x64, 0x65, 0x52, - 0x04, 0x6d, 0x6f, 0x64, 0x65, 
0x1a, 0xf8, 0x01, 0x0a, 0x09, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, - 0x54, 0x61, 0x67, 0x12, 0x45, 0x0a, 0x07, 0x6c, 0x69, 0x74, 0x65, 0x72, 0x61, 0x6c, 0x18, 0x01, - 0x20, 0x01, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x65, 0x6c, - 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, - 0x54, 0x72, 0x61, 0x63, 0x69, 0x6e, 0x67, 0x2e, 0x4c, 0x69, 0x74, 0x65, 0x72, 0x61, 0x6c, 0x48, - 0x00, 0x52, 0x07, 0x6c, 0x69, 0x74, 0x65, 0x72, 0x61, 0x6c, 0x12, 0x51, 0x0a, 0x0b, 0x65, 0x6e, - 0x76, 0x69, 0x72, 0x6f, 0x6e, 0x6d, 0x65, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, - 0x2d, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, - 0x79, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x54, 0x72, 0x61, 0x63, 0x69, - 0x6e, 0x67, 0x2e, 0x45, 0x6e, 0x76, 0x69, 0x72, 0x6f, 0x6e, 0x6d, 0x65, 0x6e, 0x74, 0x48, 0x00, - 0x52, 0x0b, 0x65, 0x6e, 0x76, 0x69, 0x72, 0x6f, 0x6e, 0x6d, 0x65, 0x6e, 0x74, 0x12, 0x49, 0x0a, - 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2f, 0x2e, + 0x65, 0x63, 0x74, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, + 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, + 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1e, 0x67, 0x6f, + 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x64, 0x75, + 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1e, 0x67, 0x6f, + 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x77, 0x72, + 0x61, 0x70, 0x70, 0x65, 0x72, 0x73, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x97, 0x02, 0x0a, + 0x09, 0x54, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x12, 0x40, 0x0a, 0x08, 0x73, 0x65, + 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 
0x0b, 0x32, 0x24, 0x2e, 0x69, + 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, + 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, + 0x6f, 0x72, 0x52, 0x08, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x3b, 0x0a, 0x07, + 0x74, 0x72, 0x61, 0x63, 0x69, 0x6e, 0x67, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x54, 0x72, 0x61, 0x63, 0x69, 0x6e, 0x67, - 0x2e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x48, 0x00, - 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x42, 0x06, 0x0a, 0x04, 0x74, 0x79, 0x70, 0x65, - 0x1a, 0x1f, 0x0a, 0x07, 0x4c, 0x69, 0x74, 0x65, 0x72, 0x61, 0x6c, 0x12, 0x14, 0x0a, 0x05, 0x76, - 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, - 0x65, 0x1a, 0x46, 0x0a, 0x0b, 0x45, 0x6e, 0x76, 0x69, 0x72, 0x6f, 0x6e, 0x6d, 0x65, 0x6e, 0x74, - 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, - 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x23, 0x0a, 0x0d, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x5f, - 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x64, 0x65, 0x66, - 0x61, 0x75, 0x6c, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x1a, 0x48, 0x0a, 0x0d, 0x52, 0x65, 0x71, - 0x75, 0x65, 0x73, 0x74, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, - 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x23, - 0x0a, 0x0d, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, - 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x56, 0x61, - 0x6c, 0x75, 0x65, 0x1a, 0x6a, 0x0a, 0x0f, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x54, 0x61, 0x67, - 0x73, 0x45, 
0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, - 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x41, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, - 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, + 0x52, 0x07, 0x74, 0x72, 0x61, 0x63, 0x69, 0x6e, 0x67, 0x12, 0x3b, 0x0a, 0x07, 0x6d, 0x65, 0x74, + 0x72, 0x69, 0x63, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x69, 0x73, 0x74, + 0x69, 0x6f, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x2e, 0x76, 0x31, 0x61, + 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x52, 0x07, 0x6d, + 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x12, 0x4e, 0x0a, 0x0e, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, + 0x5f, 0x6c, 0x6f, 0x67, 0x67, 0x69, 0x6e, 0x67, 0x18, 0x04, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x27, + 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, + 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x41, 0x63, 0x63, 0x65, 0x73, 0x73, + 0x4c, 0x6f, 0x67, 0x67, 0x69, 0x6e, 0x67, 0x52, 0x0d, 0x61, 0x63, 0x63, 0x65, 0x73, 0x73, 0x4c, + 0x6f, 0x67, 0x67, 0x69, 0x6e, 0x67, 0x22, 0xe7, 0x08, 0x0a, 0x07, 0x54, 0x72, 0x61, 0x63, 0x69, + 0x6e, 0x67, 0x12, 0x47, 0x0a, 0x05, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x18, 0x07, 0x20, 0x01, 0x28, + 0x0b, 0x32, 0x31, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, + 0x74, 0x72, 0x79, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x54, 0x72, 0x61, + 0x63, 0x69, 0x6e, 0x67, 0x2e, 0x54, 0x72, 0x61, 0x63, 0x69, 0x6e, 0x67, 0x53, 0x65, 0x6c, 0x65, + 0x63, 0x74, 0x6f, 0x72, 0x52, 0x05, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x12, 0x43, 0x0a, 0x09, 0x70, + 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x25, + 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, + 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 
0x31, 0x2e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, + 0x65, 0x72, 0x52, 0x65, 0x66, 0x52, 0x09, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x73, + 0x12, 0x5a, 0x0a, 0x1a, 0x72, 0x61, 0x6e, 0x64, 0x6f, 0x6d, 0x5f, 0x73, 0x61, 0x6d, 0x70, 0x6c, + 0x69, 0x6e, 0x67, 0x5f, 0x70, 0x65, 0x72, 0x63, 0x65, 0x6e, 0x74, 0x61, 0x67, 0x65, 0x18, 0x03, + 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x6f, 0x75, 0x62, 0x6c, 0x65, 0x56, 0x61, 0x6c, + 0x75, 0x65, 0x52, 0x18, 0x72, 0x61, 0x6e, 0x64, 0x6f, 0x6d, 0x53, 0x61, 0x6d, 0x70, 0x6c, 0x69, + 0x6e, 0x67, 0x50, 0x65, 0x72, 0x63, 0x65, 0x6e, 0x74, 0x61, 0x67, 0x65, 0x12, 0x50, 0x0a, 0x16, + 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x5f, 0x73, 0x70, 0x61, 0x6e, 0x5f, 0x72, 0x65, 0x70, + 0x6f, 0x72, 0x74, 0x69, 0x6e, 0x67, 0x18, 0x04, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1a, 0x2e, 0x67, + 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x42, + 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x14, 0x64, 0x69, 0x73, 0x61, 0x62, 0x6c, + 0x65, 0x53, 0x70, 0x61, 0x6e, 0x52, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x69, 0x6e, 0x67, 0x12, 0x52, + 0x0a, 0x0b, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x5f, 0x74, 0x61, 0x67, 0x73, 0x18, 0x05, 0x20, + 0x03, 0x28, 0x0b, 0x32, 0x31, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x65, 0x6c, 0x65, + 0x6d, 0x65, 0x74, 0x72, 0x79, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x54, + 0x72, 0x61, 0x63, 0x69, 0x6e, 0x67, 0x2e, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x54, 0x61, 0x67, + 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0a, 0x63, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x54, 0x61, + 0x67, 0x73, 0x12, 0x63, 0x0a, 0x21, 0x75, 0x73, 0x65, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, + 0x74, 0x5f, 0x69, 0x64, 0x5f, 0x66, 0x6f, 0x72, 0x5f, 0x74, 0x72, 0x61, 0x63, 0x65, 0x5f, 0x73, + 0x61, 0x6d, 0x70, 0x6c, 0x69, 0x6e, 0x67, 0x18, 0x06, 0x20, 0x01, 0x28, 0x0b, 0x32, 
0x1a, 0x2e, + 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, + 0x42, 0x6f, 0x6f, 0x6c, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x52, 0x1c, 0x75, 0x73, 0x65, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x49, 0x64, 0x46, 0x6f, 0x72, 0x54, 0x72, 0x61, 0x63, 0x65, 0x53, + 0x61, 0x6d, 0x70, 0x6c, 0x69, 0x6e, 0x67, 0x1a, 0x4d, 0x0a, 0x0f, 0x54, 0x72, 0x61, 0x63, 0x69, + 0x6e, 0x67, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x3a, 0x0a, 0x04, 0x6d, 0x6f, + 0x64, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x26, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, + 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, + 0x68, 0x61, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x4d, 0x6f, 0x64, 0x65, + 0x52, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x1a, 0xf8, 0x01, 0x0a, 0x09, 0x43, 0x75, 0x73, 0x74, 0x6f, + 0x6d, 0x54, 0x61, 0x67, 0x12, 0x45, 0x0a, 0x07, 0x6c, 0x69, 0x74, 0x65, 0x72, 0x61, 0x6c, 0x18, + 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x29, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x65, + 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, + 0x2e, 0x54, 0x72, 0x61, 0x63, 0x69, 0x6e, 0x67, 0x2e, 0x4c, 0x69, 0x74, 0x65, 0x72, 0x61, 0x6c, + 0x48, 0x00, 0x52, 0x07, 0x6c, 0x69, 0x74, 0x65, 0x72, 0x61, 0x6c, 0x12, 0x51, 0x0a, 0x0b, 0x65, + 0x6e, 0x76, 0x69, 0x72, 0x6f, 0x6e, 0x6d, 0x65, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x2d, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, + 0x72, 0x79, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x54, 0x72, 0x61, 0x63, + 0x69, 0x6e, 0x67, 0x2e, 0x45, 0x6e, 0x76, 0x69, 0x72, 0x6f, 0x6e, 0x6d, 0x65, 0x6e, 0x74, 0x48, + 0x00, 0x52, 0x0b, 0x65, 0x6e, 0x76, 0x69, 0x72, 0x6f, 0x6e, 0x6d, 0x65, 0x6e, 0x74, 0x12, 0x49, + 0x0a, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2f, + 0x2e, 0x69, 0x73, 0x74, 
0x69, 0x6f, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, + 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x54, 0x72, 0x61, 0x63, 0x69, 0x6e, + 0x67, 0x2e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x48, + 0x00, 0x52, 0x06, 0x68, 0x65, 0x61, 0x64, 0x65, 0x72, 0x42, 0x06, 0x0a, 0x04, 0x74, 0x79, 0x70, + 0x65, 0x1a, 0x1f, 0x0a, 0x07, 0x4c, 0x69, 0x74, 0x65, 0x72, 0x61, 0x6c, 0x12, 0x14, 0x0a, 0x05, + 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, + 0x75, 0x65, 0x1a, 0x46, 0x0a, 0x0b, 0x45, 0x6e, 0x76, 0x69, 0x72, 0x6f, 0x6e, 0x6d, 0x65, 0x6e, + 0x74, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, + 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x23, 0x0a, 0x0d, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, + 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x64, 0x65, + 0x66, 0x61, 0x75, 0x6c, 0x74, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x1a, 0x48, 0x0a, 0x0d, 0x52, 0x65, + 0x71, 0x75, 0x65, 0x73, 0x74, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x12, 0x12, 0x0a, 0x04, 0x6e, + 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, + 0x23, 0x0a, 0x0d, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x5f, 0x76, 0x61, 0x6c, 0x75, 0x65, + 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x0c, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x56, + 0x61, 0x6c, 0x75, 0x65, 0x1a, 0x6a, 0x0a, 0x0f, 0x43, 0x75, 0x73, 0x74, 0x6f, 0x6d, 0x54, 0x61, + 0x67, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, + 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x41, 0x0a, 0x05, 0x76, 0x61, 0x6c, + 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, + 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, + 0x68, 0x61, 0x31, 0x2e, 0x54, 0x72, 0x61, 0x63, 0x69, 0x6e, 
0x67, 0x2e, 0x43, 0x75, 0x73, 0x74, + 0x6f, 0x6d, 0x54, 0x61, 0x67, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, + 0x22, 0x26, 0x0a, 0x0b, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x52, 0x65, 0x66, 0x12, + 0x17, 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0x03, 0xe0, + 0x41, 0x02, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x22, 0xe2, 0x01, 0x0a, 0x07, 0x4d, 0x65, 0x74, + 0x72, 0x69, 0x63, 0x73, 0x12, 0x43, 0x0a, 0x09, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, + 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, - 0x61, 0x31, 0x2e, 0x54, 0x72, 0x61, 0x63, 0x69, 0x6e, 0x67, 0x2e, 0x43, 0x75, 0x73, 0x74, 0x6f, - 0x6d, 0x54, 0x61, 0x67, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, - 0x21, 0x0a, 0x0b, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x52, 0x65, 0x66, 0x12, 0x12, - 0x0a, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, - 0x6d, 0x65, 0x22, 0x98, 0x01, 0x0a, 0x07, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x12, 0x43, - 0x0a, 0x09, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, - 0x0b, 0x32, 0x25, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, - 0x74, 0x72, 0x79, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x50, 0x72, 0x6f, - 0x76, 0x69, 0x64, 0x65, 0x72, 0x52, 0x65, 0x66, 0x52, 0x09, 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, - 0x65, 0x72, 0x73, 0x12, 0x48, 0x0a, 0x09, 0x6f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x73, - 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, - 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, - 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x4f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, - 
0x65, 0x73, 0x52, 0x09, 0x6f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x73, 0x22, 0xdd, 0x03, + 0x61, 0x31, 0x2e, 0x50, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x52, 0x65, 0x66, 0x52, 0x09, + 0x70, 0x72, 0x6f, 0x76, 0x69, 0x64, 0x65, 0x72, 0x73, 0x12, 0x48, 0x0a, 0x09, 0x6f, 0x76, 0x65, + 0x72, 0x72, 0x69, 0x64, 0x65, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x2a, 0x2e, 0x69, + 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x2e, 0x76, + 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x4f, + 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x73, 0x52, 0x09, 0x6f, 0x76, 0x65, 0x72, 0x72, 0x69, + 0x64, 0x65, 0x73, 0x12, 0x48, 0x0a, 0x12, 0x72, 0x65, 0x70, 0x6f, 0x72, 0x74, 0x69, 0x6e, 0x67, + 0x5f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x76, 0x61, 0x6c, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, + 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, + 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x11, 0x72, 0x65, 0x70, 0x6f, + 0x72, 0x74, 0x69, 0x6e, 0x67, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x76, 0x61, 0x6c, 0x22, 0xdd, 0x03, 0x0a, 0x0e, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x4e, 0x0a, 0x06, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x34, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, @@ -1866,6 +1889,7 @@ var file_telemetry_v1alpha1_telemetry_proto_goTypes = []interface{}{ (*v1beta1.WorkloadSelector)(nil), // 20: istio.type.v1beta1.WorkloadSelector (*wrappers.DoubleValue)(nil), // 21: google.protobuf.DoubleValue (*wrappers.BoolValue)(nil), // 22: google.protobuf.BoolValue + (*duration.Duration)(nil), // 23: google.protobuf.Duration } var file_telemetry_v1alpha1_telemetry_proto_depIdxs = []int32{ 20, // 0: istio.telemetry.v1alpha1.Telemetry.selector:type_name -> istio.type.v1beta1.WorkloadSelector 
@@ -1880,28 +1904,29 @@ var file_telemetry_v1alpha1_telemetry_proto_depIdxs = []int32{ 22, // 9: istio.telemetry.v1alpha1.Tracing.use_request_id_for_trace_sampling:type_name -> google.protobuf.BoolValue 5, // 10: istio.telemetry.v1alpha1.Metrics.providers:type_name -> istio.telemetry.v1alpha1.ProviderRef 8, // 11: istio.telemetry.v1alpha1.Metrics.overrides:type_name -> istio.telemetry.v1alpha1.MetricsOverrides - 1, // 12: istio.telemetry.v1alpha1.MetricSelector.metric:type_name -> istio.telemetry.v1alpha1.MetricSelector.IstioMetric - 0, // 13: istio.telemetry.v1alpha1.MetricSelector.mode:type_name -> istio.telemetry.v1alpha1.WorkloadMode - 7, // 14: istio.telemetry.v1alpha1.MetricsOverrides.match:type_name -> istio.telemetry.v1alpha1.MetricSelector - 22, // 15: istio.telemetry.v1alpha1.MetricsOverrides.disabled:type_name -> google.protobuf.BoolValue - 17, // 16: istio.telemetry.v1alpha1.MetricsOverrides.tag_overrides:type_name -> istio.telemetry.v1alpha1.MetricsOverrides.TagOverridesEntry - 18, // 17: istio.telemetry.v1alpha1.AccessLogging.match:type_name -> istio.telemetry.v1alpha1.AccessLogging.LogSelector - 5, // 18: istio.telemetry.v1alpha1.AccessLogging.providers:type_name -> istio.telemetry.v1alpha1.ProviderRef - 22, // 19: istio.telemetry.v1alpha1.AccessLogging.disabled:type_name -> google.protobuf.BoolValue - 19, // 20: istio.telemetry.v1alpha1.AccessLogging.filter:type_name -> istio.telemetry.v1alpha1.AccessLogging.Filter - 0, // 21: istio.telemetry.v1alpha1.Tracing.TracingSelector.mode:type_name -> istio.telemetry.v1alpha1.WorkloadMode - 12, // 22: istio.telemetry.v1alpha1.Tracing.CustomTag.literal:type_name -> istio.telemetry.v1alpha1.Tracing.Literal - 13, // 23: istio.telemetry.v1alpha1.Tracing.CustomTag.environment:type_name -> istio.telemetry.v1alpha1.Tracing.Environment - 14, // 24: istio.telemetry.v1alpha1.Tracing.CustomTag.header:type_name -> istio.telemetry.v1alpha1.Tracing.RequestHeader - 11, // 25: 
istio.telemetry.v1alpha1.Tracing.CustomTagsEntry.value:type_name -> istio.telemetry.v1alpha1.Tracing.CustomTag - 2, // 26: istio.telemetry.v1alpha1.MetricsOverrides.TagOverride.operation:type_name -> istio.telemetry.v1alpha1.MetricsOverrides.TagOverride.Operation - 16, // 27: istio.telemetry.v1alpha1.MetricsOverrides.TagOverridesEntry.value:type_name -> istio.telemetry.v1alpha1.MetricsOverrides.TagOverride - 0, // 28: istio.telemetry.v1alpha1.AccessLogging.LogSelector.mode:type_name -> istio.telemetry.v1alpha1.WorkloadMode - 29, // [29:29] is the sub-list for method output_type - 29, // [29:29] is the sub-list for method input_type - 29, // [29:29] is the sub-list for extension type_name - 29, // [29:29] is the sub-list for extension extendee - 0, // [0:29] is the sub-list for field type_name + 23, // 12: istio.telemetry.v1alpha1.Metrics.reporting_interval:type_name -> google.protobuf.Duration + 1, // 13: istio.telemetry.v1alpha1.MetricSelector.metric:type_name -> istio.telemetry.v1alpha1.MetricSelector.IstioMetric + 0, // 14: istio.telemetry.v1alpha1.MetricSelector.mode:type_name -> istio.telemetry.v1alpha1.WorkloadMode + 7, // 15: istio.telemetry.v1alpha1.MetricsOverrides.match:type_name -> istio.telemetry.v1alpha1.MetricSelector + 22, // 16: istio.telemetry.v1alpha1.MetricsOverrides.disabled:type_name -> google.protobuf.BoolValue + 17, // 17: istio.telemetry.v1alpha1.MetricsOverrides.tag_overrides:type_name -> istio.telemetry.v1alpha1.MetricsOverrides.TagOverridesEntry + 18, // 18: istio.telemetry.v1alpha1.AccessLogging.match:type_name -> istio.telemetry.v1alpha1.AccessLogging.LogSelector + 5, // 19: istio.telemetry.v1alpha1.AccessLogging.providers:type_name -> istio.telemetry.v1alpha1.ProviderRef + 22, // 20: istio.telemetry.v1alpha1.AccessLogging.disabled:type_name -> google.protobuf.BoolValue + 19, // 21: istio.telemetry.v1alpha1.AccessLogging.filter:type_name -> istio.telemetry.v1alpha1.AccessLogging.Filter + 0, // 22: 
istio.telemetry.v1alpha1.Tracing.TracingSelector.mode:type_name -> istio.telemetry.v1alpha1.WorkloadMode + 12, // 23: istio.telemetry.v1alpha1.Tracing.CustomTag.literal:type_name -> istio.telemetry.v1alpha1.Tracing.Literal + 13, // 24: istio.telemetry.v1alpha1.Tracing.CustomTag.environment:type_name -> istio.telemetry.v1alpha1.Tracing.Environment + 14, // 25: istio.telemetry.v1alpha1.Tracing.CustomTag.header:type_name -> istio.telemetry.v1alpha1.Tracing.RequestHeader + 11, // 26: istio.telemetry.v1alpha1.Tracing.CustomTagsEntry.value:type_name -> istio.telemetry.v1alpha1.Tracing.CustomTag + 2, // 27: istio.telemetry.v1alpha1.MetricsOverrides.TagOverride.operation:type_name -> istio.telemetry.v1alpha1.MetricsOverrides.TagOverride.Operation + 16, // 28: istio.telemetry.v1alpha1.MetricsOverrides.TagOverridesEntry.value:type_name -> istio.telemetry.v1alpha1.MetricsOverrides.TagOverride + 0, // 29: istio.telemetry.v1alpha1.AccessLogging.LogSelector.mode:type_name -> istio.telemetry.v1alpha1.WorkloadMode + 30, // [30:30] is the sub-list for method output_type + 30, // [30:30] is the sub-list for method input_type + 30, // [30:30] is the sub-list for extension type_name + 30, // [30:30] is the sub-list for extension extendee + 0, // [0:30] is the sub-list for field type_name } func init() { file_telemetry_v1alpha1_telemetry_proto_init() } diff --git a/vendor/istio.io/api/telemetry/v1alpha1/telemetry.pb.html b/vendor/istio.io/api/telemetry/v1alpha1/telemetry.pb.html index 4ae877f81..2eb17822c 100644 --- a/vendor/istio.io/api/telemetry/v1alpha1/telemetry.pb.html +++ b/vendor/istio.io/api/telemetry/v1alpha1/telemetry.pb.html @@ -9,28 +9,20 @@ number_of_entries: 18 ---

    Telemetry defines how the telemetry is generated for workloads within a mesh.

    -

    For mesh level configuration, put the resource in root configuration namespace for your Istio installation without a workload selector.

    -

    For any namespace, including the root configuration namespace, it is only valid to have a single workload selector-less Telemetry resource.

    -

    For resources with a workload selector, it is only valid to have one resource selecting any given workload.

    -

    The hierarchy of Telemetry configuration is as follows:

    -
    1. Workload-specific configuration
    2. Namespace-specific configuration
    3. Root namespace configuration
    -

    Examples:

    -

    Policy to enable random sampling for 10% of traffic:

    -
    apiVersion: telemetry.istio.io/v1alpha1
     kind: Telemetry
     metadata:
    @@ -41,10 +33,8 @@
       tracing:
       - randomSamplingPercentage: 10.00
     
    -

    Policy to disable trace reporting for the “foo” workload (note: tracing context will still be propagated):

    -
    apiVersion: telemetry.istio.io/v1alpha1
     kind: Telemetry
     metadata:
    @@ -57,9 +47,7 @@
       tracing:
       - disableSpanReporting: true
     
    -

    Policy to select the alternate zipkin provider for trace reporting:

    -
    apiVersion: telemetry.istio.io/v1alpha1
     kind: Telemetry
     metadata:
    @@ -74,9 +62,7 @@
         - name: "zipkin-alternate"
         randomSamplingPercentage: 10.00
     
    -

    Policy to add a custom tag from a literal value:

    -
    apiVersion: telemetry.istio.io/v1alpha1
     kind: Telemetry
     metadata:
    @@ -91,9 +77,7 @@
             literal:
               value: "foo"
     
    -

    Policy to disable server-side metrics for Stackdriver for an entire mesh:

    -
    apiVersion: telemetry.istio.io/v1alpha1
     kind: Telemetry
     metadata:
    @@ -110,9 +94,7 @@
             mode: SERVER
           disabled: true
     
    -

    Policy to add dimensions to all Prometheus metrics for the foo namespace:

    -
    apiVersion: telemetry.istio.io/v1alpha1
     kind: Telemetry
     metadata:
    @@ -131,10 +113,8 @@
             request_host:
               value: "request.host"
     
    -

    Policy to remove the response_code dimension on some Prometheus metrics for the bar.foo workload:

    -
    apiVersion: telemetry.istio.io/v1alpha1
     kind: Telemetry
     metadata:
    @@ -159,19 +139,17 @@
             response_code:
               operation: REMOVE
         - match:
    -        metric: REQUEST_BYTES
    +        metric: REQUEST_SIZE
           tagOverrides:
             response_code:
               operation: REMOVE
         - match:
    -        metric: RESPONSE_BYTES
    +        metric: RESPONSE_SIZE
           tagOverrides:
             response_code:
               operation: REMOVE
     
    -

    Policy to enable access logging for the entire mesh:

    -
    apiVersion: telemetry.istio.io/v1alpha1
     kind: Telemetry
     metadata:
    @@ -182,15 +160,12 @@
       accessLogging:
       - providers:
         - name: envoy
    -    # By default, this turns on access logging (no need to set `disabled:
    -    false`). # Unspecified `disabled` will be treated as `disabled: false`,
    -    except in # cases where a parent configuration has marked as `disabled:
    -    true`. In # those cases, `disabled: false` must be set explicitly to
    -    override.
    +    # By default, this turns on access logging (no need to set `disabled: false`).
    +    # Unspecified `disabled` will be treated as `disabled: false`, except in
    +    # cases where a parent configuration has marked as `disabled: true`. In
    +    # those cases, `disabled: false` must be set explicitly to override.
     
    -

    Policy to disable access logging for the foo namespace:

    -
    apiVersion: telemetry.istio.io/v1alpha1
     kind: Telemetry
     metadata:
    @@ -272,7 +247,6 @@ 

    Tracing

    Tracing configures tracing behavior for workloads within a mesh. It can be used to enable/disable tracing, as well as to set sampling rates and custom tag extraction.

    -

    Tracing configuration support overrides of the fields providers, random_sampling_percentage, disable_span_reporting, and custom_tags at each level in the configuration hierarchy, with missing values filled in
    @@ -305,8 +279,8 @@

    Tracing

    ProviderRef[]

    Optional. Name of provider(s) to use for span reporting. If a provider is -not specified, the [default tracing -provider][istio.mesh.v1alpha1.MeshConfig.default_providers.tracing] will be +not specified, the default tracing +provider will be used. NOTE: At the moment, only a single provider can be specified in a given Tracing rule.

    @@ -325,7 +299,6 @@

    Tracing

    decision has been made (example: no x-b3-sampled tracing header was present in the requests), the traffic will be selected for telemetry generation at the percentage specified.

    -

    Defaults to 0%. Valid values [0.00-100.00]. Can be specified in 0.01% increments.

    @@ -384,7 +357,7 @@

    ProviderRef

    -No +Yes @@ -411,8 +384,8 @@

    Metrics

    ProviderRef[]

    Optional. Name of providers to which this configuration should apply. -If a provider is not specified, the [default metrics -provider][istio.mesh.v1alpha1.MeshConfig.default_providers.metrics] will be +If a provider is not specified, the default metrics +provider will be used.

    @@ -425,19 +398,32 @@

    Metrics

    MetricsOverrides[]

    Optional. Ordered list of overrides to metrics generation behavior.

    -

    Specified overrides will be applied in order. They will be applied on top of inherited overrides from other resources in the hierarchy in the -following order: -1. Mesh-scoped overrides -2. Namespace-scoped overrides -3. Workload-scoped overrides

    - +following order:

    +
      +
    1. Mesh-scoped overrides
    2. +
    3. Namespace-scoped overrides
    4. +
    5. Workload-scoped overrides
    6. +

    Because overrides are applied in order, users are advised to order their overrides from least specific to most specific matches. That is, it is a best practice to list any universal overrides first, with tailored overrides following them.

    + + +No + + + +reportingInterval +Duration + +

    Optional. Reporting interval allows configuration of the time between calls out to for metrics reporting. +This currently only supports TCP metrics but we may use this for long duration HTTP streams in the future. +The default duration is 5s.

    + No @@ -521,7 +507,6 @@

    MetricsOverrides

    Match allows provides the scope of the override. It can be used to select individual metrics, as well as the workload modes (server and/or client) in which the metrics will be generated.

    -

    If match is not specified, the overrides will apply to all metrics for both modes of operation (client and server).

    @@ -553,7 +538,7 @@

    MetricsOverrides

    The key in the map is the name of the tag. The value in the map is the operation to perform on the the tag. WARNING: some providers may not support adding/removing tags. -See also: https://istio.io/latest/docs/reference/config/metrics/#labels

    +See also: https://istio.io/latest/docs/reference/config/metrics/#labels

    @@ -595,8 +580,8 @@

    AccessLogging

    ProviderRef[]

    Optional. Name of providers to which this configuration should apply. -If a provider is not specified, the [default logging -provider][istio.mesh.v1alpha1.MeshConfig.default_providers.] will be used.

    +If a provider is not specified, the default logging +provider will be used.

    @@ -669,7 +654,6 @@

    Tracing.CustomTag

    an operator-supplied value. This value can either be a hard-coded value, a value taken from an environment variable known to the sidecar proxy, or from a request header.

    -

    NOTE: when specified, custom_tags will fully replace any values provided by parent configuration.

    @@ -923,9 +907,7 @@

    AccessLogging.Filter

    string

    CEL expression for selecting when requests/connections should be logged.

    -

    Examples:

    -
    • response.code >= 400
    • connection.mtls && request.url_path.contains('v1beta3')
    • @@ -943,7 +925,7 @@

      MetricSelector.IstioMetric

      Curated list of known metric types that is supported by Istio metric providers. See also: -https://istio.io/latest/docs/reference/config/metrics/#metrics

      +https://istio.io/latest/docs/reference/config/metrics/#metrics

      @@ -966,11 +948,8 @@

      MetricSelector.IstioMetric

      Counter of requests to/from an application, generated for HTTP, HTTP/2, and GRPC traffic.

      -

      The Prometheus provider exports this metric as: istio_requests_total.

      -

      The Stackdriver provider exports this metric as:

      -
      • istio.io/service/server/request_count (SERVER mode)
      • istio.io/service/client/request_count (CLIENT mode)
      • @@ -983,12 +962,9 @@

        MetricSelector.IstioMetric

      Histogram of request durations, generated for HTTP, HTTP/2, and GRPC traffic.

      -

      The Prometheus provider exports this metric as: istio_request_duration_milliseconds.

      -

      The Stackdriver provider exports this metric as:

      -
      • istio.io/service/server/response_latencies (SERVER mode)
      • istio.io/service/client/roundtrip_latencies (CLIENT mode)
      • @@ -1001,11 +977,8 @@

        MetricSelector.IstioMetric

      Histogram of request body sizes, generated for HTTP, HTTP/2, and GRPC traffic.

      -

      The Prometheus provider exports this metric as: istio_request_bytes.

      -

      The Stackdriver provider exports this metric as:

      -
      • istio.io/service/server/request_bytes (SERVER mode)
      • istio.io/service/client/request_bytes (CLIENT mode)
      • @@ -1018,11 +991,8 @@

        MetricSelector.IstioMetric

      Histogram of response body sizes, generated for HTTP, HTTP/2, and GRPC traffic.

      -

      The Prometheus provider exports this metric as: istio_response_bytes.

      -

      The Stackdriver provider exports this metric as:

      -
      • istio.io/service/server/response_bytes (SERVER mode)
      • istio.io/service/client/response_bytes (CLIENT mode)
      • @@ -1034,12 +1004,9 @@

        MetricSelector.IstioMetric

      TCP_OPENED_CONNECTIONS

      Counter of TCP connections opened over lifetime of workload.

      -

      The Prometheus provider exports this metric as: istio_tcp_connections_opened_total.

      -

      The Stackdriver provider exports this metric as:

      -
      • istio.io/service/server/connection_open_count (SERVER mode)
      • istio.io/service/client/connection_open_count (CLIENT mode)
      • @@ -1051,12 +1018,9 @@

        MetricSelector.IstioMetric

      TCP_CLOSED_CONNECTIONS

      Counter of TCP connections closed over lifetime of workload.

      -

      The Prometheus provider exports this metric as: istio_tcp_connections_closed_total.

      -

      The Stackdriver provider exports this metric as:

      -
      • istio.io/service/server/connection_close_count (SERVER mode)
      • istio.io/service/client/connection_close_count (CLIENT mode)
      • @@ -1068,12 +1032,9 @@

        MetricSelector.IstioMetric

      TCP_SENT_BYTES

      Counter of bytes sent during a response over a TCP connection.

      -

      The Prometheus provider exports this metric as: istio_tcp_sent_bytes_total.

      -

      The Stackdriver provider exports this metric as:

      -
      • istio.io/service/server/sent_bytes_count (SERVER mode)
      • istio.io/service/client/sent_bytes_count (CLIENT mode)
      • @@ -1085,12 +1046,9 @@

        MetricSelector.IstioMetric

      TCP_RECEIVED_BYTES

      Counter of bytes received during a request over a TCP connection.

      -

      The Prometheus provider exports this metric as: istio_tcp_received_bytes_total.

      -

      The Stackdriver provider exports this metric as:

      -
      • istio.io/service/server/received_bytes_count (SERVER mode)
      • istio.io/service/client/received_bytes_count (CLIENT mode)
      • @@ -1102,7 +1060,6 @@

        MetricSelector.IstioMetric

      GRPC_REQUEST_MESSAGES

      Counter incremented for every gRPC messages sent from a client.

      -

      The Prometheus provider exports this metric as: istio_request_messages_total

      @@ -1112,7 +1069,6 @@

      MetricSelector.IstioMetric

      GRPC_RESPONSE_MESSAGES

      Counter incremented for every gRPC messages sent from a server.

      -

      The Prometheus provider exports this metric as: istio_response_messages_total

diff --git a/vendor/istio.io/api/telemetry/v1alpha1/telemetry.proto b/vendor/istio.io/api/telemetry/v1alpha1/telemetry.proto
index 06554e6d0..e34803c31 100644
--- a/vendor/istio.io/api/telemetry/v1alpha1/telemetry.proto
+++ b/vendor/istio.io/api/telemetry/v1alpha1/telemetry.proto
@@ -15,6 +15,8 @@ syntax = "proto3";
 import "type/v1beta1/selector.proto";
+import "google/api/field_behavior.proto";
+import "google/protobuf/duration.proto";
 import "google/protobuf/wrappers.proto";
 // $schema: istio.telemetry.v1alpha1.Telemetry
@@ -172,12 +174,12 @@ import "google/protobuf/wrappers.proto";
 // response_code:
 // operation: REMOVE
 // - match:
-// metric: REQUEST_BYTES
+// metric: REQUEST_SIZE
 // tagOverrides:
 // response_code:
 // operation: REMOVE
 // - match:
-// metric: RESPONSE_BYTES
+// metric: RESPONSE_SIZE
 // tagOverrides:
 // response_code:
 // operation: REMOVE
@@ -195,11 +197,10 @@ import "google/protobuf/wrappers.proto";
 // accessLogging:
 // - providers:
 // - name: envoy
-// # By default, this turns on access logging (no need to set `disabled:
-// false`). # Unspecified `disabled` will be treated as `disabled: false`,
-// except in # cases where a parent configuration has marked as `disabled:
-// true`. In # those cases, `disabled: false` must be set explicitly to
-// override.
+// # By default, this turns on access logging (no need to set `disabled: false`).
+// # Unspecified `disabled` will be treated as `disabled: false`, except in
+// # cases where a parent configuration has marked as `disabled: true`. In
+// # those cases, `disabled: false` must be set explicitly to override.
 // ```
 //
 // Policy to disable access logging for the `foo` namespace:
@@ -286,7 +287,7 @@ message Tracing {
 // Optional. Name of provider(s) to use for span reporting. If a provider is
 // not specified, the [default tracing
- // provider][istio.mesh.v1alpha1.MeshConfig.default_providers.tracing] will be
+ // provider](https://istio.io/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-DefaultProviders) will be
 // used. NOTE: At the moment, only a single provider can be specified in a
 // given Tracing rule.
 repeated ProviderRef providers = 2;
@@ -369,7 +370,7 @@ message Tracing {
 // targeted customization.
 message ProviderRef {
 // Required. Name of Telemetry provider in MeshConfig.
- string name = 1;
+ string name = 1 [(google.api.field_behavior) = REQUIRED];
 }
 // Metrics defines the workload-level overrides for metrics generation behavior
@@ -378,7 +379,7 @@ message ProviderRef {
 message Metrics {
 // Optional. Name of providers to which this configuration should apply.
 // If a provider is not specified, the [default metrics
- // provider][istio.mesh.v1alpha1.MeshConfig.default_providers.metrics] will be
+ // provider](https://istio.io/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-DefaultProviders) will be
 // used.
 repeated ProviderRef providers = 1;
@@ -396,6 +397,11 @@ message Metrics {
 // a best practice to list any universal overrides first, with tailored
 // overrides following them.
 repeated MetricsOverrides overrides = 2;
+
+ // Optional. Reporting interval allows configuration of the time between calls out to for metrics reporting.
+ // This currently only supports TCP metrics but we may use this for long duration HTTP streams in the future.
+ // The default duration is `5s`.
+ google.protobuf.Duration reporting_interval = 3;
 }
 // WorkloadMode allows selection of the role of the underlying workload in
@@ -623,7 +629,7 @@ message AccessLogging {
 // Optional. Name of providers to which this configuration should apply.
 // If a provider is not specified, the [default logging
- // provider][istio.mesh.v1alpha1.MeshConfig.default_providers.] will be used.
+ // provider](https://istio.io/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig-DefaultProviders) will be used.
 repeated ProviderRef providers = 1;
 // Controls logging. If set to true, no access logs will be generated for
diff --git a/vendor/istio.io/api/telemetry/v1alpha1/telemetry_deepcopy.gen.go b/vendor/istio.io/api/telemetry/v1alpha1/telemetry_deepcopy.gen.go
index 3db925aa6..b961bdfd2 100644
--- a/vendor/istio.io/api/telemetry/v1alpha1/telemetry_deepcopy.gen.go
+++ b/vendor/istio.io/api/telemetry/v1alpha1/telemetry_deepcopy.gen.go
@@ -2,7 +2,7 @@ package v1alpha1
 import (
- proto "github.com/golang/protobuf/proto"
+ proto "google.golang.org/protobuf/proto"
 )
 // DeepCopyInto supports using Telemetry within kubernetes types, where deepcopy-gen is used.
diff --git a/vendor/istio.io/api/type/v1beta1/selector.gen.json b/vendor/istio.io/api/type/v1beta1/selector.gen.json
index 31b767210..28a4c060a 100644
--- a/vendor/istio.io/api/type/v1beta1/selector.gen.json
+++ b/vendor/istio.io/api/type/v1beta1/selector.gen.json
@@ -6,6 +6,26 @@ }, "components": { "schemas": { + "istio.type.v1beta1.PortSelector": { + "description": "PortSelector is the criteria for specifying if a policy can be applied to a listener having a specific port.", + "type": "object", + "properties": { + "number": { + "description": "Port number", + "type": "integer" + } + } + }, + "istio.type.v1beta1.WorkloadMode": { + "description": "WorkloadMode allows selection of the role of the underlying workload in network traffic. A workload is considered as acting as a SERVER if it is the destination of the traffic (that is, traffic direction, from the perspective of the workload is *inbound*). If the workload is the source of the network traffic, it is considered to be in CLIENT mode (traffic is *outbound* from the workload).", + "type": "string", + "enum": [ + "UNDEFINED", + "CLIENT", + "SERVER", + "CLIENT_AND_SERVER" + ] + }, "istio.type.v1beta1.WorkloadSelector": { "description": "WorkloadSelector specifies the criteria used to determine if a policy can be applied to a proxy. The matching criteria includes the metadata associated with a proxy, workload instance info such as labels attached to the pod/VM, or any other info that the proxy provides to Istio during the initial handshake. If multiple conditions are specified, all conditions need to match in order for the workload instance to be selected. Currently, only label based selection mechanism is supported.", "type": "object", diff --git a/vendor/istio.io/api/type/v1beta1/selector.pb.go b/vendor/istio.io/api/type/v1beta1/selector.pb.go index a719ff714..57f7779fe 100644 --- a/vendor/istio.io/api/type/v1beta1/selector.pb.go +++ b/vendor/istio.io/api/type/v1beta1/selector.pb.go @@ -14,7 +14,7 @@ // Code generated by protoc-gen-go. DO NOT EDIT. // versions: -// protoc-gen-go v1.27.1 +// protoc-gen-go v1.30.0 // protoc (unknown) // source: type/v1beta1/selector.proto 
@@ -39,6 +39,72 @@ const ( _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) ) +// WorkloadMode allows selection of the role of the underlying workload in +// network traffic. A workload is considered as acting as a SERVER if it is +// the destination of the traffic (that is, traffic direction, from the +// perspective of the workload is *inbound*). If the workload is the source of +// the network traffic, it is considered to be in CLIENT mode (traffic is +// *outbound* from the workload). +type WorkloadMode int32 + +const ( + // Default value, which will be interpreted by its own usage. + WorkloadMode_UNDEFINED WorkloadMode = 0 + // Selects for scenarios when the workload is the + // source of the network traffic. In addition, + // if the workload is a gateway, selects this. + WorkloadMode_CLIENT WorkloadMode = 1 + // Selects for scenarios when the workload is the + // destination of the network traffic. + WorkloadMode_SERVER WorkloadMode = 2 + // Selects for scenarios when the workload is either the + // source or destination of the network traffic. + WorkloadMode_CLIENT_AND_SERVER WorkloadMode = 3 +) + +// Enum value maps for WorkloadMode. 
+var ( + WorkloadMode_name = map[int32]string{ + 0: "UNDEFINED", + 1: "CLIENT", + 2: "SERVER", + 3: "CLIENT_AND_SERVER", + } + WorkloadMode_value = map[string]int32{ + "UNDEFINED": 0, + "CLIENT": 1, + "SERVER": 2, + "CLIENT_AND_SERVER": 3, + } +) + +func (x WorkloadMode) Enum() *WorkloadMode { + p := new(WorkloadMode) + *p = x + return p +} + +func (x WorkloadMode) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (WorkloadMode) Descriptor() protoreflect.EnumDescriptor { + return file_type_v1beta1_selector_proto_enumTypes[0].Descriptor() +} + +func (WorkloadMode) Type() protoreflect.EnumType { + return &file_type_v1beta1_selector_proto_enumTypes[0] +} + +func (x WorkloadMode) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use WorkloadMode.Descriptor instead. +func (WorkloadMode) EnumDescriptor() ([]byte, []int) { + return file_type_v1beta1_selector_proto_rawDescGZIP(), []int{0} +} + // WorkloadSelector specifies the criteria used to determine if a policy can be applied // to a proxy. The matching criteria includes the metadata associated with a proxy, // workload instance info such as labels attached to the pod/VM, or any other info 
@@ -95,6 +161,56 @@ func (x *WorkloadSelector) GetMatchLabels() map[string]string { return nil } +// PortSelector is the criteria for specifying if a policy can be applied to +// a listener having a specific port. +type PortSelector struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Port number + Number uint32 `protobuf:"varint,1,opt,name=number,proto3" json:"number,omitempty"` +} + +func (x *PortSelector) Reset() { + *x = PortSelector{} + if protoimpl.UnsafeEnabled { + mi := &file_type_v1beta1_selector_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *PortSelector) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*PortSelector) ProtoMessage() {} + +func (x *PortSelector) ProtoReflect() protoreflect.Message { + mi := &file_type_v1beta1_selector_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use PortSelector.ProtoReflect.Descriptor instead. +func (*PortSelector) Descriptor() ([]byte, []int) { + return file_type_v1beta1_selector_proto_rawDescGZIP(), []int{1} +} + +func (x *PortSelector) GetNumber() uint32 { + if x != nil { + return x.Number + } + return 0 +} + var File_type_v1beta1_selector_proto protoreflect.FileDescriptor var file_type_v1beta1_selector_proto_rawDesc = []byte{ 
@@ -103,20 +219,28 @@ var file_type_v1beta1_selector_proto_rawDesc = []byte{ 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x1a, 0x1f, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x66, 0x69, 0x65, 0x6c, 0x64, 0x5f, 0x62, 0x65, 0x68, 0x61, 0x76, 0x69, 0x6f, 0x72, 0x2e, 0x70, 0x72, 0x6f, - 0x74, 0x6f, 0x22, 0xb2, 0x01, 0x0a, 0x10, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x53, - 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x5e, 0x0a, 0x0c, 0x6d, 0x61, 0x74, 0x63, 0x68, + 0x74, 0x6f, 0x22, 0xb1, 0x01, 0x0a, 0x10, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x53, + 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x5d, 0x0a, 0x0c, 0x6d, 0x61, 0x74, 0x63, 0x68, 0x5f, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x35, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x2e, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x45, - 0x6e, 0x74, 0x72, 0x79, 0x42, 0x04, 0xe2, 0x41, 0x01, 0x02, 0x52, 0x0b, 0x6d, 0x61, 0x74, 0x63, - 0x68, 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x1a, 0x3e, 0x0a, 0x10, 0x4d, 0x61, 0x74, 0x63, 0x68, - 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, - 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, - 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, - 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x1b, 0x5a, 0x19, 0x69, 0x73, 0x74, 0x69, 0x6f, - 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x74, 0x79, 0x70, 0x65, 0x2f, 0x76, 0x31, 0x62, - 0x65, 0x74, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x6e, 0x74, 0x72, 0x79, 0x42, 0x03, 0xe0, 0x41, 0x02, 0x52, 0x0b, 0x6d, 0x61, 0x74, 0x63, 0x68, 
+ 0x4c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x1a, 0x3e, 0x0a, 0x10, 0x4d, 0x61, 0x74, 0x63, 0x68, 0x4c, + 0x61, 0x62, 0x65, 0x6c, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, + 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x03, 0x6b, 0x65, 0x79, 0x12, 0x14, 0x0a, 0x05, + 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, + 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x22, 0x26, 0x0a, 0x0c, 0x50, 0x6f, 0x72, 0x74, 0x53, 0x65, + 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x16, 0x0a, 0x06, 0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72, + 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x06, 0x6e, 0x75, 0x6d, 0x62, 0x65, 0x72, 0x2a, 0x4c, + 0x0a, 0x0c, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x0d, + 0x0a, 0x09, 0x55, 0x4e, 0x44, 0x45, 0x46, 0x49, 0x4e, 0x45, 0x44, 0x10, 0x00, 0x12, 0x0a, 0x0a, + 0x06, 0x43, 0x4c, 0x49, 0x45, 0x4e, 0x54, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x53, 0x45, 0x52, + 0x56, 0x45, 0x52, 0x10, 0x02, 0x12, 0x15, 0x0a, 0x11, 0x43, 0x4c, 0x49, 0x45, 0x4e, 0x54, 0x5f, + 0x41, 0x4e, 0x44, 0x5f, 0x53, 0x45, 0x52, 0x56, 0x45, 0x52, 0x10, 0x03, 0x42, 0x1b, 0x5a, 0x19, + 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x74, 0x79, 0x70, + 0x65, 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, + 0x33, } var ( 
@@ -131,13 +255,16 @@ func file_type_v1beta1_selector_proto_rawDescGZIP() []byte { return file_type_v1beta1_selector_proto_rawDescData } -var file_type_v1beta1_selector_proto_msgTypes = make([]protoimpl.MessageInfo, 2) +var file_type_v1beta1_selector_proto_enumTypes = make([]protoimpl.EnumInfo, 1) +var file_type_v1beta1_selector_proto_msgTypes = make([]protoimpl.MessageInfo, 3) var file_type_v1beta1_selector_proto_goTypes = []interface{}{ - (*WorkloadSelector)(nil), // 0: istio.type.v1beta1.WorkloadSelector - nil, // 1: istio.type.v1beta1.WorkloadSelector.MatchLabelsEntry + (WorkloadMode)(0), // 0: istio.type.v1beta1.WorkloadMode + (*WorkloadSelector)(nil), // 1: istio.type.v1beta1.WorkloadSelector + (*PortSelector)(nil), // 2: istio.type.v1beta1.PortSelector + nil, // 3: istio.type.v1beta1.WorkloadSelector.MatchLabelsEntry } var file_type_v1beta1_selector_proto_depIdxs = []int32{ - 1, // 0: istio.type.v1beta1.WorkloadSelector.match_labels:type_name -> istio.type.v1beta1.WorkloadSelector.MatchLabelsEntry + 3, // 0: istio.type.v1beta1.WorkloadSelector.match_labels:type_name -> istio.type.v1beta1.WorkloadSelector.MatchLabelsEntry 1, // [1:1] is the sub-list for method output_type 1, // [1:1] is the sub-list for method input_type 1, // [1:1] is the sub-list for extension type_name 
@@ -163,19 +290,32 @@ func file_type_v1beta1_selector_proto_init() { return nil } } + file_type_v1beta1_selector_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*PortSelector); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } } type x struct{} out := protoimpl.TypeBuilder{ File: protoimpl.DescBuilder{ GoPackagePath: reflect.TypeOf(x{}).PkgPath(), RawDescriptor: file_type_v1beta1_selector_proto_rawDesc, - NumEnums: 0, - NumMessages: 2, + NumEnums: 1, + NumMessages: 3, NumExtensions: 0, NumServices: 0, }, GoTypes: file_type_v1beta1_selector_proto_goTypes, DependencyIndexes: file_type_v1beta1_selector_proto_depIdxs, + EnumInfos: file_type_v1beta1_selector_proto_enumTypes, MessageInfos: file_type_v1beta1_selector_proto_msgTypes, }.Build() File_type_v1beta1_selector_proto = out.File diff --git a/vendor/istio.io/api/type/v1beta1/selector.pb.html b/vendor/istio.io/api/type/v1beta1/selector.pb.html index a960cb242..0fccbb7fd 100644 --- a/vendor/istio.io/api/type/v1beta1/selector.pb.html +++ b/vendor/istio.io/api/type/v1beta1/selector.pb.html @@ -4,7 +4,7 @@ location: https://istio.io/docs/reference/config/type/workload-selector.html layout: protoc-gen-docs generator: protoc-gen-docs -number_of_entries: 1 +number_of_entries: 3 ---

      WorkloadSelector

      @@ -41,3 +41,84 @@

      WorkloadSelector

      +

      PortSelector

      +
      +

      PortSelector is the criteria for specifying if a policy can be applied to +a listener having a specific port.

      + + + + + + + + + + + + + + + + + + +
      FieldTypeDescriptionRequired
      numberuint32 +

      Port number

      + +
      +No +
      +
      +

      WorkloadMode

      +
      +

      WorkloadMode allows selection of the role of the underlying workload in +network traffic. A workload is considered as acting as a SERVER if it is +the destination of the traffic (that is, traffic direction, from the +perspective of the workload is inbound). If the workload is the source of +the network traffic, it is considered to be in CLIENT mode (traffic is +outbound from the workload).

      + + + + + + + + + + + + + + + + + + + + + + + + + + +
      NameDescription
      UNDEFINED +

      Default value, which will be interpreted by its own usage.

      + +
      CLIENT +

      Selects for scenarios when the workload is the +source of the network traffic. In addition, +if the workload is a gateway, selects this.

      + +
      SERVER +

      Selects for scenarios when the workload is the +destination of the network traffic.

      + +
      CLIENT_AND_SERVER +

      Selects for scenarios when the workload is either the +source or destination of the network traffic.

      + +
      +
diff --git a/vendor/istio.io/api/type/v1beta1/selector.proto b/vendor/istio.io/api/type/v1beta1/selector.proto
index ec1889972..30cbd6275 100644
--- a/vendor/istio.io/api/type/v1beta1/selector.proto
+++ b/vendor/istio.io/api/type/v1beta1/selector.proto
@@ -35,3 +35,34 @@ message WorkloadSelector {
 // the configuration namespace in which the resource is present.
 map match_labels = 1 [(google.api.field_behavior) = REQUIRED];
 }
+
+// PortSelector is the criteria for specifying if a policy can be applied to
+// a listener having a specific port.
+message PortSelector {
+ // Port number
+ uint32 number = 1;
+}
+
+// WorkloadMode allows selection of the role of the underlying workload in
+// network traffic. A workload is considered as acting as a SERVER if it is
+// the destination of the traffic (that is, traffic direction, from the
+// perspective of the workload is *inbound*). If the workload is the source of
+// the network traffic, it is considered to be in CLIENT mode (traffic is
+// *outbound* from the workload).
+enum WorkloadMode {
+ // Default value, which will be interpreted by its own usage.
+ UNDEFINED = 0;
+
+ // Selects for scenarios when the workload is the
+ // source of the network traffic. In addition,
+ // if the workload is a gateway, selects this.
+ CLIENT = 1;
+
+ // Selects for scenarios when the workload is the
+ // destination of the network traffic.
+ SERVER = 2;
+
+ // Selects for scenarios when the workload is either the
+ // source or destination of the network traffic.
+ CLIENT_AND_SERVER = 3;
+}
diff --git a/vendor/istio.io/api/type/v1beta1/selector_deepcopy.gen.go b/vendor/istio.io/api/type/v1beta1/selector_deepcopy.gen.go
index eb11c7cd3..1d34b0b81 100644
--- a/vendor/istio.io/api/type/v1beta1/selector_deepcopy.gen.go
+++ b/vendor/istio.io/api/type/v1beta1/selector_deepcopy.gen.go
@@ -2,7 +2,7 @@ package v1beta1 import ( - proto "github.com/golang/protobuf/proto" + proto "google.golang.org/protobuf/proto" ) // DeepCopyInto supports using WorkloadSelector within kubernetes types, where deepcopy-gen is used. @@ -25,3 +25,24 @@ func (in *WorkloadSelector) DeepCopy() *WorkloadSelector { func (in *WorkloadSelector) DeepCopyInterface() interface{} { return in.DeepCopy() } + +// DeepCopyInto supports using PortSelector within kubernetes types, where deepcopy-gen is used. +func (in *PortSelector) DeepCopyInto(out *PortSelector) { + p := proto.Clone(in).(*PortSelector) + *out = *p +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortSelector. Required by controller-gen. +func (in *PortSelector) DeepCopy() *PortSelector { + if in == nil { + return nil + } + out := new(PortSelector) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new PortSelector. Required by controller-gen. +func (in *PortSelector) DeepCopyInterface() interface{} { + return in.DeepCopy() +} diff --git a/vendor/istio.io/api/type/v1beta1/selector_json.gen.go b/vendor/istio.io/api/type/v1beta1/selector_json.gen.go index c9d08dd7c..a42c97751 100644 --- a/vendor/istio.io/api/type/v1beta1/selector_json.gen.go +++ b/vendor/istio.io/api/type/v1beta1/selector_json.gen.go 
@@ -17,6 +17,17 @@ func (this *WorkloadSelector) UnmarshalJSON(b []byte) error { return SelectorUnmarshaler.Unmarshal(bytes.NewReader(b), this) } +// MarshalJSON is a custom marshaler for PortSelector +func (this *PortSelector) MarshalJSON() ([]byte, error) { + str, err := SelectorMarshaler.MarshalToString(this) + return []byte(str), err +} + +// UnmarshalJSON is a custom unmarshaler for PortSelector +func (this *PortSelector) UnmarshalJSON(b []byte) error { + return SelectorUnmarshaler.Unmarshal(bytes.NewReader(b), this) +} + var ( SelectorMarshaler = &jsonpb.Marshaler{} SelectorUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true} diff --git a/vendor/istio.io/client-go/LICENSE b/vendor/istio.io/client-go/LICENSE index 56e48aa37..bb7b19dec 100644 --- a/vendor/istio.io/client-go/LICENSE +++ b/vendor/istio.io/client-go/LICENSE @@ -187,7 +187,7 @@ same "printed page" as the copyright notice for easier identification within third-party archives. - Copyright 2016-2020 Istio Authors + Copyright 2016-2022 Istio Authors Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/vendor/istio.io/client-go/pkg/apis/extensions/v1alpha1/types.gen.go b/vendor/istio.io/client-go/pkg/apis/extensions/v1alpha1/types.gen.go index e6a2e5f2d..61ffb2598 100644 --- a/vendor/istio.io/client-go/pkg/apis/extensions/v1alpha1/types.gen.go +++ b/vendor/istio.io/client-go/pkg/apis/extensions/v1alpha1/types.gen.go @@ -69,5 +69,5 @@ type WasmPluginList struct { v1.TypeMeta `json:",inline"` // +optional v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` - Items []WasmPlugin `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []*WasmPlugin `json:"items" protobuf:"bytes,2,rep,name=items"` } 
diff --git a/vendor/istio.io/client-go/pkg/apis/extensions/v1alpha1/zz_generated.deepcopy.gen.go b/vendor/istio.io/client-go/pkg/apis/extensions/v1alpha1/zz_generated.deepcopy.gen.go index aa6be4c64..e67d0ec60 100644 --- a/vendor/istio.io/client-go/pkg/apis/extensions/v1alpha1/zz_generated.deepcopy.gen.go +++ b/vendor/istio.io/client-go/pkg/apis/extensions/v1alpha1/zz_generated.deepcopy.gen.go @@ -58,9 +58,13 @@ func (in *WasmPluginList) DeepCopyInto(out *WasmPluginList) { in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items - *out = make([]WasmPlugin, len(*in)) + *out = make([]*WasmPlugin, len(*in)) for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(WasmPlugin) + (*in).DeepCopyInto(*out) + } } } return diff --git a/vendor/istio.io/client-go/pkg/apis/networking/v1alpha3/types.gen.go b/vendor/istio.io/client-go/pkg/apis/networking/v1alpha3/types.gen.go index 210b625c3..05ce790dd 100644 --- a/vendor/istio.io/client-go/pkg/apis/networking/v1alpha3/types.gen.go +++ b/vendor/istio.io/client-go/pkg/apis/networking/v1alpha3/types.gen.go @@ -73,7 +73,7 @@ type DestinationRuleList struct { v1.TypeMeta `json:",inline"` // +optional v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` - Items []DestinationRule `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []*DestinationRule `json:"items" protobuf:"bytes,2,rep,name=items"` } // @@ -119,7 +119,7 @@ type EnvoyFilterList struct { v1.TypeMeta `json:",inline"` // +optional v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` - Items []EnvoyFilter `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []*EnvoyFilter `json:"items" protobuf:"bytes,2,rep,name=items"` } // 
@@ -168,7 +168,7 @@ type GatewayList struct { v1.TypeMeta `json:",inline"` // +optional v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` - Items []Gateway `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []*Gateway `json:"items" protobuf:"bytes,2,rep,name=items"` } // @@ -189,7 +189,7 @@ type GatewayList struct { // +cue-gen:ServiceEntry:printerColumn:name=Hosts,type=string,JSONPath=.spec.hosts,description="The hosts associated with the ServiceEntry" // +cue-gen:ServiceEntry:printerColumn:name=Location,type=string,JSONPath=.spec.location,description="Whether the service is external to the // mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL)" -// +cue-gen:ServiceEntry:printerColumn:name=Resolution,type=string,JSONPath=.spec.resolution,description="Service discovery mode for the hosts +// +cue-gen:ServiceEntry:printerColumn:name=Resolution,type=string,JSONPath=.spec.resolution,description="Service resolution mode for the hosts // (NONE, STATIC, or DNS)" // +cue-gen:ServiceEntry:printerColumn:name=Age,type=date,JSONPath=.metadata.creationTimestamp,description="CreationTimestamp is a timestamp // representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. @@ -226,7 +226,7 @@ type ServiceEntryList struct { v1.TypeMeta `json:",inline"` // +optional v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` - Items []ServiceEntry `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []*ServiceEntry `json:"items" protobuf:"bytes,2,rep,name=items"` } // @@ -276,7 +276,7 @@ type SidecarList struct { v1.TypeMeta `json:",inline"` // +optional v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` - Items []Sidecar `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []*Sidecar `json:"items" protobuf:"bytes,2,rep,name=items"` } // 
@@ -331,10 +331,10 @@ type VirtualServiceList struct { v1.TypeMeta `json:",inline"` // +optional v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` - Items []VirtualService `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []*VirtualService `json:"items" protobuf:"bytes,2,rep,name=items"` } -// please upgrade the proto package +// // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // WorkloadEntry enables specifying the properties of a single non-Kubernetes workload such a VM or a bare metal services that can be referred to by service entries. @@ -384,10 +384,10 @@ type WorkloadEntryList struct { v1.TypeMeta `json:",inline"` // +optional v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` - Items []WorkloadEntry `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []*WorkloadEntry `json:"items" protobuf:"bytes,2,rep,name=items"` } -// please upgrade the proto package +// // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // `WorkloadGroup` enables specifying the properties of a single workload for bootstrap and @@ -439,5 +439,5 @@ type WorkloadGroupList struct { v1.TypeMeta `json:",inline"` // +optional v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` - Items []WorkloadGroup `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []*WorkloadGroup `json:"items" protobuf:"bytes,2,rep,name=items"` } diff --git a/vendor/istio.io/client-go/pkg/apis/networking/v1alpha3/zz_generated.deepcopy.gen.go b/vendor/istio.io/client-go/pkg/apis/networking/v1alpha3/zz_generated.deepcopy.gen.go index b95f8fc59..e0de4e28c 100644 --- a/vendor/istio.io/client-go/pkg/apis/networking/v1alpha3/zz_generated.deepcopy.gen.go +++ b/vendor/istio.io/client-go/pkg/apis/networking/v1alpha3/zz_generated.deepcopy.gen.go 
@@ -58,9 +58,13 @@ func (in *DestinationRuleList) DeepCopyInto(out *DestinationRuleList) { in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items - *out = make([]DestinationRule, len(*in)) + *out = make([]*DestinationRule, len(*in)) for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(DestinationRule) + (*in).DeepCopyInto(*out) + } } } return @@ -119,9 +123,13 @@ func (in *EnvoyFilterList) DeepCopyInto(out *EnvoyFilterList) { in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items - *out = make([]EnvoyFilter, len(*in)) + *out = make([]*EnvoyFilter, len(*in)) for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(EnvoyFilter) + (*in).DeepCopyInto(*out) + } } } return @@ -180,9 +188,13 @@ func (in *GatewayList) DeepCopyInto(out *GatewayList) { in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items - *out = make([]Gateway, len(*in)) + *out = make([]*Gateway, len(*in)) for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(Gateway) + (*in).DeepCopyInto(*out) + } } } return @@ -241,9 +253,13 @@ func (in *ServiceEntryList) DeepCopyInto(out *ServiceEntryList) { in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items - *out = make([]ServiceEntry, len(*in)) + *out = make([]*ServiceEntry, len(*in)) for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(ServiceEntry) + (*in).DeepCopyInto(*out) + } } } return 
@@ -302,9 +318,13 @@ func (in *SidecarList) DeepCopyInto(out *SidecarList) { in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items - *out = make([]Sidecar, len(*in)) + *out = make([]*Sidecar, len(*in)) for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(Sidecar) + (*in).DeepCopyInto(*out) + } } } return @@ -363,9 +383,13 @@ func (in *VirtualServiceList) DeepCopyInto(out *VirtualServiceList) { in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items - *out = make([]VirtualService, len(*in)) + *out = make([]*VirtualService, len(*in)) for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(VirtualService) + (*in).DeepCopyInto(*out) + } } } return @@ -424,9 +448,13 @@ func (in *WorkloadEntryList) DeepCopyInto(out *WorkloadEntryList) { in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items - *out = make([]WorkloadEntry, len(*in)) + *out = make([]*WorkloadEntry, len(*in)) for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(WorkloadEntry) + (*in).DeepCopyInto(*out) + } } } return @@ -485,9 +513,13 @@ func (in *WorkloadGroupList) DeepCopyInto(out *WorkloadGroupList) { in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items - *out = make([]WorkloadGroup, len(*in)) + *out = make([]*WorkloadGroup, len(*in)) for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(WorkloadGroup) + (*in).DeepCopyInto(*out) + } } } return diff --git a/vendor/istio.io/client-go/pkg/apis/networking/v1beta1/types.gen.go b/vendor/istio.io/client-go/pkg/apis/networking/v1beta1/types.gen.go index 677aad410..cc678b53c 100644 
--- a/vendor/istio.io/client-go/pkg/apis/networking/v1beta1/types.gen.go +++ b/vendor/istio.io/client-go/pkg/apis/networking/v1beta1/types.gen.go @@ -72,7 +72,7 @@ type DestinationRuleList struct { v1.TypeMeta `json:",inline"` // +optional v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` - Items []DestinationRule `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []*DestinationRule `json:"items" protobuf:"bytes,2,rep,name=items"` } // @@ -120,10 +120,10 @@ type GatewayList struct { v1.TypeMeta `json:",inline"` // +optional v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` - Items []Gateway `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []*Gateway `json:"items" protobuf:"bytes,2,rep,name=items"` } -// please upgrade the proto package +// // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // `ProxyConfig` exposes proxy level configuration options. @@ -165,7 +165,7 @@ type ProxyConfigList struct { v1.TypeMeta `json:",inline"` // +optional v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` - Items []ProxyConfig `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []*ProxyConfig `json:"items" protobuf:"bytes,2,rep,name=items"` } // 
@@ -185,7 +185,7 @@ type ProxyConfigList struct { // +cue-gen:ServiceEntry:printerColumn:name=Hosts,type=string,JSONPath=.spec.hosts,description="The hosts associated with the ServiceEntry" // +cue-gen:ServiceEntry:printerColumn:name=Location,type=string,JSONPath=.spec.location,description="Whether the service is external to the // mesh or part of the mesh (MESH_EXTERNAL or MESH_INTERNAL)" -// +cue-gen:ServiceEntry:printerColumn:name=Resolution,type=string,JSONPath=.spec.resolution,description="Service discovery mode for the hosts +// +cue-gen:ServiceEntry:printerColumn:name=Resolution,type=string,JSONPath=.spec.resolution,description="Service resolution mode for the hosts // (NONE, STATIC, or DNS)" // +cue-gen:ServiceEntry:printerColumn:name=Age,type=date,JSONPath=.metadata.creationTimestamp,description="CreationTimestamp is a timestamp // representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. @@ -222,7 +222,7 @@ type ServiceEntryList struct { v1.TypeMeta `json:",inline"` // +optional v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` - Items []ServiceEntry `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []*ServiceEntry `json:"items" protobuf:"bytes,2,rep,name=items"` } // @@ -271,7 +271,7 @@ type SidecarList struct { v1.TypeMeta `json:",inline"` // +optional v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` - Items []Sidecar `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []*Sidecar `json:"items" protobuf:"bytes,2,rep,name=items"` } // 
@@ -325,10 +325,10 @@ type VirtualServiceList struct { v1.TypeMeta `json:",inline"` // +optional v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` - Items []VirtualService `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []*VirtualService `json:"items" protobuf:"bytes,2,rep,name=items"` } -// please upgrade the proto package +// // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // WorkloadEntry enables specifying the properties of a single non-Kubernetes workload such a VM or a bare metal services that can be referred to by service entries. @@ -377,10 +377,10 @@ type WorkloadEntryList struct { v1.TypeMeta `json:",inline"` // +optional v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` - Items []WorkloadEntry `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []*WorkloadEntry `json:"items" protobuf:"bytes,2,rep,name=items"` } -// please upgrade the proto package +// // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object // `WorkloadGroup` enables specifying the properties of a single workload for bootstrap and @@ -431,5 +431,5 @@ type WorkloadGroupList struct { v1.TypeMeta `json:",inline"` // +optional v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` - Items []WorkloadGroup `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []*WorkloadGroup `json:"items" protobuf:"bytes,2,rep,name=items"` } diff --git a/vendor/istio.io/client-go/pkg/apis/networking/v1beta1/zz_generated.deepcopy.gen.go b/vendor/istio.io/client-go/pkg/apis/networking/v1beta1/zz_generated.deepcopy.gen.go index 54fb39f60..e3a645732 100644 --- a/vendor/istio.io/client-go/pkg/apis/networking/v1beta1/zz_generated.deepcopy.gen.go +++ b/vendor/istio.io/client-go/pkg/apis/networking/v1beta1/zz_generated.deepcopy.gen.go 
@@ -58,9 +58,13 @@ func (in *DestinationRuleList) DeepCopyInto(out *DestinationRuleList) { in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items - *out = make([]DestinationRule, len(*in)) + *out = make([]*DestinationRule, len(*in)) for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(DestinationRule) + (*in).DeepCopyInto(*out) + } } } return @@ -119,9 +123,13 @@ func (in *GatewayList) DeepCopyInto(out *GatewayList) { in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items - *out = make([]Gateway, len(*in)) + *out = make([]*Gateway, len(*in)) for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(Gateway) + (*in).DeepCopyInto(*out) + } } } return @@ -180,9 +188,13 @@ func (in *ProxyConfigList) DeepCopyInto(out *ProxyConfigList) { in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items - *out = make([]ProxyConfig, len(*in)) + *out = make([]*ProxyConfig, len(*in)) for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(ProxyConfig) + (*in).DeepCopyInto(*out) + } } } return @@ -241,9 +253,13 @@ func (in *ServiceEntryList) DeepCopyInto(out *ServiceEntryList) { in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items - *out = make([]ServiceEntry, len(*in)) + *out = make([]*ServiceEntry, len(*in)) for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(ServiceEntry) + (*in).DeepCopyInto(*out) + } } } return 
@@ -302,9 +318,13 @@ func (in *SidecarList) DeepCopyInto(out *SidecarList) { in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items - *out = make([]Sidecar, len(*in)) + *out = make([]*Sidecar, len(*in)) for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(Sidecar) + (*in).DeepCopyInto(*out) + } } } return @@ -363,9 +383,13 @@ func (in *VirtualServiceList) DeepCopyInto(out *VirtualServiceList) { in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items - *out = make([]VirtualService, len(*in)) + *out = make([]*VirtualService, len(*in)) for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(VirtualService) + (*in).DeepCopyInto(*out) + } } } return @@ -424,9 +448,13 @@ func (in *WorkloadEntryList) DeepCopyInto(out *WorkloadEntryList) { in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items - *out = make([]WorkloadEntry, len(*in)) + *out = make([]*WorkloadEntry, len(*in)) for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(WorkloadEntry) + (*in).DeepCopyInto(*out) + } } } return @@ -485,9 +513,13 @@ func (in *WorkloadGroupList) DeepCopyInto(out *WorkloadGroupList) { in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items - *out = make([]WorkloadGroup, len(*in)) + *out = make([]*WorkloadGroup, len(*in)) for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(WorkloadGroup) + (*in).DeepCopyInto(*out) + } } } return diff --git a/vendor/istio.io/client-go/pkg/apis/security/v1/doc.go b/vendor/istio.io/client-go/pkg/apis/security/v1/doc.go new file mode 100644 index 000000000..c0a8cd9ba --- /dev/null 
+++ b/vendor/istio.io/client-go/pkg/apis/security/v1/doc.go @@ -0,0 +1,21 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by kubetype-gen. DO NOT EDIT. + +// Package has auto-generated kube type wrappers for raw types. +// +k8s:openapi-gen=true +// +k8s:deepcopy-gen=package +// +groupName=security.istio.io +package v1 diff --git a/vendor/istio.io/client-go/pkg/apis/security/v1/register.gen.go b/vendor/istio.io/client-go/pkg/apis/security/v1/register.gen.go new file mode 100644 index 000000000..d179b988c --- /dev/null +++ b/vendor/istio.io/client-go/pkg/apis/security/v1/register.gen.go 
@@ -0,0 +1,51 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by kubetype-gen. DO NOT EDIT. + +package v1 + +import ( + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + runtime "k8s.io/apimachinery/pkg/runtime" + schema "k8s.io/apimachinery/pkg/runtime/schema" +) + +var ( + // Package-wide variables from generator "register". + SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1"} + SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes) + localSchemeBuilder = &SchemeBuilder + AddToScheme = localSchemeBuilder.AddToScheme +) + +const ( + // Package-wide consts from generator "register". + GroupName = "security.istio.io" +) + +func Resource(resource string) schema.GroupResource { + return SchemeGroupVersion.WithResource(resource).GroupResource() +} + +func addKnownTypes(scheme *runtime.Scheme) error { + scheme.AddKnownTypes(SchemeGroupVersion, + &AuthorizationPolicy{}, + &AuthorizationPolicyList{}, + &RequestAuthentication{}, + &RequestAuthenticationList{}, + ) + metav1.AddToGroupVersion(scheme, SchemeGroupVersion) + return nil +} diff --git a/vendor/istio.io/client-go/pkg/apis/security/v1/types.gen.go b/vendor/istio.io/client-go/pkg/apis/security/v1/types.gen.go new file mode 100644 index 000000000..da1bdd160 --- /dev/null +++ b/vendor/istio.io/client-go/pkg/apis/security/v1/types.gen.go 
@@ -0,0 +1,352 @@ +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by kubetype-gen. DO NOT EDIT. + +package v1 + +import ( + v1alpha1 "istio.io/api/meta/v1alpha1" + securityv1 "istio.io/api/security/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +// +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// AuthorizationPolicy enables access control on workloads. +// +// +// +// +// +type AuthorizationPolicy struct { + metav1.TypeMeta `json:",inline"` + // +optional + metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + + // Spec defines the implementation of this definition. + // +optional + Spec securityv1.AuthorizationPolicy `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` + + Status v1alpha1.IstioStatus `json:"status"` +} + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// AuthorizationPolicyList is a collection of AuthorizationPolicies. +type AuthorizationPolicyList struct { + metav1.TypeMeta `json:",inline"` + // +optional + metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + Items []*AuthorizationPolicy `json:"items" protobuf:"bytes,2,rep,name=items"` +} + +// +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// RequestAuthentication defines what request authentication methods are supported by a workload. 
+// It will reject a request if the request contains invalid authentication information, based on the +// configured authentication rules. A request that does not contain any authentication credentials +// will be accepted but will not have any authenticated identity. To restrict access to authenticated +// requests only, this should be accompanied by an authorization rule. +// Examples: +// +// - Require JWT for all request for workloads that have label `app:httpbin` +// +// ```yaml +// apiVersion: security.istio.io/v1 +// kind: RequestAuthentication +// metadata: +// +// name: httpbin +// namespace: foo +// +// spec: +// +// selector: +// matchLabels: +// app: httpbin +// jwtRules: +// - issuer: "issuer-foo" +// jwksUri: https://example.com/.well-known/jwks.json +// +// --- +// apiVersion: security.istio.io/v1 +// kind: AuthorizationPolicy +// metadata: +// +// name: httpbin +// namespace: foo +// +// spec: +// +// selector: +// matchLabels: +// app: httpbin +// rules: +// - from: +// - source: +// requestPrincipals: ["*"] +// +// ``` +// +// - A policy in the root namespace ("istio-system" by default) applies to workloads in all namespaces +// in a mesh. The following policy makes all workloads only accept requests that contain a +// valid JWT token. +// +// ```yaml +// apiVersion: security.istio.io/v1 +// kind: RequestAuthentication +// metadata: +// +// name: req-authn-for-all +// namespace: istio-system +// +// spec: +// +// jwtRules: +// - issuer: "issuer-foo" +// jwksUri: https://example.com/.well-known/jwks.json +// +// --- +// apiVersion: security.istio.io/v1 +// kind: AuthorizationPolicy +// metadata: +// +// name: require-jwt-for-all +// namespace: istio-system +// +// spec: +// +// rules: +// - from: +// - source: +// requestPrincipals: ["*"] +// +// ``` +// +// - The next example shows how to set a different JWT requirement for a different `host`. 
The `RequestAuthentication` +// declares it can accept JWTs issued by either `issuer-foo` or `issuer-bar` (the public key set is implicitly +// set from the OpenID Connect spec). +// +// ```yaml +// apiVersion: security.istio.io/v1 +// kind: RequestAuthentication +// metadata: +// +// name: httpbin +// namespace: foo +// +// spec: +// +// selector: +// matchLabels: +// app: httpbin +// jwtRules: +// - issuer: "issuer-foo" +// - issuer: "issuer-bar" +// +// --- +// apiVersion: security.istio.io/v1 +// kind: AuthorizationPolicy +// metadata: +// +// name: httpbin +// namespace: foo +// +// spec: +// +// selector: +// matchLabels: +// app: httpbin +// rules: +// - from: +// - source: +// requestPrincipals: ["issuer-foo/*"] +// to: +// - operation: +// hosts: ["example.com"] +// - from: +// - source: +// requestPrincipals: ["issuer-bar/*"] +// to: +// - operation: +// hosts: ["another-host.com"] +// +// ``` +// +// - You can fine tune the authorization policy to set different requirement per path. For example, +// to require JWT on all paths, except /healthz, the same `RequestAuthentication` can be used, but the +// authorization policy could be: +// +// ```yaml +// apiVersion: security.istio.io/v1 +// kind: AuthorizationPolicy +// metadata: +// +// name: httpbin +// namespace: foo +// +// spec: +// +// selector: +// matchLabels: +// app: httpbin +// rules: +// - from: +// - source: +// requestPrincipals: ["*"] +// - to: +// - operation: +// paths: ["/healthz"] +// +// ``` +// +// [Experimental] Routing based on derived [metadata](https://istio.io/latest/docs/reference/config/security/conditions/) +// is now supported. A prefix '@' is used to denote a match against internal metadata instead of the headers in the request. +// Currently this feature is only supported for the following metadata: +// +// - `request.auth.claims.{claim-name}[.{sub-claim}]*` which are extracted from validated JWT tokens. The claim name +// currently does not support the `.` character. 
Examples: `request.auth.claims.sub` and `request.auth.claims.name.givenName`. +// +// The use of matches against JWT claim metadata is only supported in Gateways. The following example shows: +// +// - RequestAuthentication to decode and validate a JWT. This also makes the `@request.auth.claims` available for use in the VirtualService. +// - AuthorizationPolicy to check for valid principals in the request. This makes the JWT required for the request. +// - VirtualService to route the request based on the "sub" claim. +// +// ```yaml +// apiVersion: security.istio.io/v1 +// kind: RequestAuthentication +// metadata: +// +// name: jwt-on-ingress +// namespace: istio-system +// +// spec: +// +// selector: +// matchLabels: +// app: istio-ingressgateway +// jwtRules: +// - issuer: "example.com" +// jwksUri: https://example.com/.well-known/jwks.json +// +// --- +// apiVersion: security.istio.io/v1 +// kind: AuthorizationPolicy +// metadata: +// +// name: require-jwt +// namespace: istio-system +// +// spec: +// +// selector: +// matchLabels: +// app: istio-ingressgateway +// rules: +// - from: +// - source: +// requestPrincipals: ["*"] +// +// --- +// apiVersion: networking.istio.io/v1alpha3 +// kind: VirtualService +// metadata: +// +// name: route-jwt +// +// spec: +// +// hosts: +// - foo.prod.svc.cluster.local +// gateways: +// - istio-ingressgateway +// http: +// - name: "v2" +// match: +// - headers: +// "@request.auth.claims.sub": +// exact: "dev" +// route: +// - destination: +// host: foo.prod.svc.cluster.local +// subset: v2 +// - name: "default" +// route: +// - destination: +// host: foo.prod.svc.cluster.local +// subset: v1 +// +// ``` +// +// +// +// +// +type RequestAuthentication struct { + metav1.TypeMeta `json:",inline"` + // +optional + metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + + // Spec defines the implementation of this definition. 
+ // +optional + Spec securityv1.RequestAuthentication `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` + + Status v1alpha1.IstioStatus `json:"status"` +} + +// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object + +// RequestAuthenticationList is a collection of RequestAuthentications. +type RequestAuthenticationList struct { + metav1.TypeMeta `json:",inline"` + // +optional + metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` + Items []*RequestAuthentication `json:"items" protobuf:"bytes,2,rep,name=items"` +} diff --git a/vendor/istio.io/client-go/pkg/apis/security/v1/zz_generated.deepcopy.gen.go b/vendor/istio.io/client-go/pkg/apis/security/v1/zz_generated.deepcopy.gen.go new file mode 100644 index 000000000..e914bf57c --- /dev/null +++ b/vendor/istio.io/client-go/pkg/apis/security/v1/zz_generated.deepcopy.gen.go 
@@ -0,0 +1,154 @@ +//go:build !ignore_autogenerated +// +build !ignore_autogenerated + +// Copyright Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by deepcopy-gen. DO NOT EDIT. + +package v1 + +import ( + runtime "k8s.io/apimachinery/pkg/runtime" +) + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *AuthorizationPolicy) DeepCopyInto(out *AuthorizationPolicy) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthorizationPolicy. +func (in *AuthorizationPolicy) DeepCopy() *AuthorizationPolicy { + if in == nil { + return nil + } + out := new(AuthorizationPolicy) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *AuthorizationPolicy) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
+func (in *AuthorizationPolicyList) DeepCopyInto(out *AuthorizationPolicyList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]*AuthorizationPolicy, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(AuthorizationPolicy) + (*in).DeepCopyInto(*out) + } + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthorizationPolicyList. +func (in *AuthorizationPolicyList) DeepCopy() *AuthorizationPolicyList { + if in == nil { + return nil + } + out := new(AuthorizationPolicyList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *AuthorizationPolicyList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *RequestAuthentication) DeepCopyInto(out *RequestAuthentication) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) + in.Spec.DeepCopyInto(&out.Spec) + in.Status.DeepCopyInto(&out.Status) + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestAuthentication. +func (in *RequestAuthentication) DeepCopy() *RequestAuthentication { + if in == nil { + return nil + } + out := new(RequestAuthentication) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *RequestAuthentication) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} + +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. 
in must be non-nil. +func (in *RequestAuthenticationList) DeepCopyInto(out *RequestAuthenticationList) { + *out = *in + out.TypeMeta = in.TypeMeta + in.ListMeta.DeepCopyInto(&out.ListMeta) + if in.Items != nil { + in, out := &in.Items, &out.Items + *out = make([]*RequestAuthentication, len(*in)) + for i := range *in { + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(RequestAuthentication) + (*in).DeepCopyInto(*out) + } + } + } + return +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestAuthenticationList. +func (in *RequestAuthenticationList) DeepCopy() *RequestAuthenticationList { + if in == nil { + return nil + } + out := new(RequestAuthenticationList) + in.DeepCopyInto(out) + return out +} + +// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. +func (in *RequestAuthenticationList) DeepCopyObject() runtime.Object { + if c := in.DeepCopy(); c != nil { + return c + } + return nil +} diff --git a/vendor/istio.io/client-go/pkg/apis/security/v1beta1/types.gen.go b/vendor/istio.io/client-go/pkg/apis/security/v1beta1/types.gen.go index 8a10df61a..1f5093645 100644 --- a/vendor/istio.io/client-go/pkg/apis/security/v1beta1/types.gen.go +++ b/vendor/istio.io/client-go/pkg/apis/security/v1beta1/types.gen.go @@ -45,6 +45,9 @@ import ( // +genclient // +k8s:deepcopy-gen=true // --> +// type AuthorizationPolicy struct { v1.TypeMeta `json:",inline"` // +optional @@ -64,7 +67,7 @@ type AuthorizationPolicyList struct { v1.TypeMeta `json:",inline"` // +optional v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` - Items []AuthorizationPolicy `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []*AuthorizationPolicy `json:"items" protobuf:"bytes,2,rep,name=items"` } // 
@@ -79,11 +82,15 @@ type AuthorizationPolicyList struct { // apiVersion: security.istio.io/v1beta1 // kind: PeerAuthentication // metadata: -// name: default -// namespace: foo +// +// name: default +// namespace: foo +// // spec: -// mtls: -// mode: STRICT +// +// mtls: +// mode: STRICT +// // ``` // For mesh level, put the policy in root-namespace according to your Istio installation. // @@ -93,23 +100,31 @@ type AuthorizationPolicyList struct { // apiVersion: security.istio.io/v1beta1 // kind: PeerAuthentication // metadata: -// name: default -// namespace: foo +// +// name: default +// namespace: foo +// // spec: -// mtls: -// mode: PERMISSIVE +// +// mtls: +// mode: PERMISSIVE +// // --- // apiVersion: security.istio.io/v1beta1 // kind: PeerAuthentication // metadata: -// name: default -// namespace: foo +// +// name: finance +// namespace: foo +// // spec: -// selector: -// matchLabels: -// app: finance -// mtls: -// mode: STRICT +// +// selector: +// matchLabels: +// app: finance +// mtls: +// mode: STRICT +// // ``` // Policy to allow mTLS strict for all workloads, but leave port 8080 to // plaintext: @@ -117,17 +132,21 @@ type AuthorizationPolicyList struct { // apiVersion: security.istio.io/v1beta1 // kind: PeerAuthentication // metadata: -// name: default -// namespace: foo +// +// name: default +// namespace: foo +// // spec: -// selector: -// matchLabels: -// app: finance -// mtls: -// mode: STRICT -// portLevelMtls: -// 8080: -// mode: DISABLE +// +// selector: +// matchLabels: +// app: finance +// mtls: +// mode: STRICT +// portLevelMtls: +// 8080: +// mode: DISABLE +// // ``` // Policy to inherit mTLS mode from namespace (or mesh) settings, and overwrite // settings for port 8080 
@@ -135,17 +154,21 @@ type AuthorizationPolicyList struct { // apiVersion: security.istio.io/v1beta1 // kind: PeerAuthentication // metadata: -// name: default -// namespace: foo +// +// name: default +// namespace: foo +// // spec: -// selector: -// matchLabels: -// app: finance -// mtls: -// mode: UNSET -// portLevelMtls: -// 8080: -// mode: DISABLE +// +// selector: +// matchLabels: +// app: finance +// mtls: +// mode: UNSET +// portLevelMtls: +// 8080: +// mode: DISABLE +// // ``` // // +// type RequestAuthentication struct { v1.TypeMeta `json:",inline"` // +optional @@ -430,5 +496,5 @@ type RequestAuthenticationList struct { v1.TypeMeta `json:",inline"` // +optional v1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` - Items []RequestAuthentication `json:"items" protobuf:"bytes,2,rep,name=items"` + Items []*RequestAuthentication `json:"items" protobuf:"bytes,2,rep,name=items"` } diff --git a/vendor/istio.io/client-go/pkg/apis/security/v1beta1/zz_generated.deepcopy.gen.go b/vendor/istio.io/client-go/pkg/apis/security/v1beta1/zz_generated.deepcopy.gen.go index f5b073bf1..d1b699b48 100644 --- a/vendor/istio.io/client-go/pkg/apis/security/v1beta1/zz_generated.deepcopy.gen.go +++ b/vendor/istio.io/client-go/pkg/apis/security/v1beta1/zz_generated.deepcopy.gen.go @@ -58,9 +58,13 @@ func (in *AuthorizationPolicyList) DeepCopyInto(out *AuthorizationPolicyList) { in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items - *out = make([]AuthorizationPolicy, len(*in)) + *out = make([]*AuthorizationPolicy, len(*in)) for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(AuthorizationPolicy) + (*in).DeepCopyInto(*out) + } } } return 
@@ -119,9 +123,13 @@ func (in *PeerAuthenticationList) DeepCopyInto(out *PeerAuthenticationList) { in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items - *out = make([]PeerAuthentication, len(*in)) + *out = make([]*PeerAuthentication, len(*in)) for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(PeerAuthentication) + (*in).DeepCopyInto(*out) + } } } return @@ -180,9 +188,13 @@ func (in *RequestAuthenticationList) DeepCopyInto(out *RequestAuthenticationList in.ListMeta.DeepCopyInto(&out.ListMeta) if in.Items != nil { in, out := &in.Items, &out.Items - *out = make([]RequestAuthentication, len(*in)) + *out = make([]*RequestAuthentication, len(*in)) for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) + if (*in)[i] != nil { + in, out := &(*in)[i], &(*out)[i] + *out = new(RequestAuthentication) + (*in).DeepCopyInto(*out) + } } } return diff --git a/vendor/istio.io/client-go/pkg/apis/telemetry/v1alpha1/types.gen.go b/vendor/istio.io/client-go/pkg/apis/telemetry/v1alpha1/types.gen.go index 0c00c080b..621b23d6d 100644 --- a/vendor/istio.io/client-go/pkg/apis/telemetry/v1alpha1/types.gen.go +++ b/vendor/istio.io/client-go/pkg/apis/telemetry/v1alpha1/types.gen.go 
@@ -35,10 +35,12 @@ import ( // +cue-gen:Telemetry:scope:Namespaced // +cue-gen:Telemetry:resource:categories=istio-io,telemetry-istio-io,shortNames=telemetry,plural=telemetries // +cue-gen:Telemetry:preserveUnknownFields:false -// +cue-gen:Telemetry:printerColumn:name=Age,type=date,JSONPath=.metadata.creationTimestamp,description="CreationTimestamp is a timestamp -// representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. -// Clients may not set this value. It is represented in RFC3339 form and is in UTC. -// Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" +// +cue-gen:Telemetry:printerColumn:name=Age,type=date,JSONPath=.metadata.creationTimestamp,description="CreationTimestamp +// is a timestamp representing the server time when this object was created. It +// is not guaranteed to be set in happens-before order across separate +// operations. Clients may not set this value. It is represented in RFC3339 form +// and is in UTC. Populated by the system. Read-only. Null for lists. More info: +// https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata" // --> // //