From d341fc8fb63127bcdb407db6e6a5d0b6d24cb859 Mon Sep 17 00:00:00 2001 From: Shriram Rajagopalan Date: Mon, 14 Jan 2019 20:29:43 -0500 Subject: [PATCH 1/3] assorted doc updates (#757) Signed-off-by: Shriram Rajagopalan --- .../istio.networking.v1alpha3.pb.html | 207 +++++++++++++++++- networking/v1alpha3/sidecar.pb.go | 77 +++++-- networking/v1alpha3/sidecar.proto | 110 +++++----- 3 files changed, 303 insertions(+), 91 deletions(-) diff --git a/networking/v1alpha3/istio.networking.v1alpha3.pb.html b/networking/v1alpha3/istio.networking.v1alpha3.pb.html index 1face7462e..18540c5d6d 100644 --- a/networking/v1alpha3/istio.networking.v1alpha3.pb.html +++ b/networking/v1alpha3/istio.networking.v1alpha3.pb.html @@ -6,7 +6,7 @@ generator: protoc-gen-docs aliases: - /docs/reference/config/istio.routing.v1alpha1/ -number_of_entries: 60 +number_of_entries: 62 ---

Configuration affecting traffic routing. Here are a few terms useful to define in the context of traffic routing.

@@ -37,6 +37,47 @@ application code to decouple itself from the evolution of dependent services.

+

CaptureMode

+
+

CaptureMode describes how traffic to a listener is expected to be +captured. Applicable only when the listener is bound to an IP.

+ + + + + + + + + + + + + + + + + + + + + + +
NameDescription
DEFAULT +

The default capture mode defined by the environment

+ +
IPTABLES +

Capture traffic using IPtables redirection

+ +
NONE +

No traffic capture. When used in egress listener, the application is +expected to explicitly communicate with the listener port/unix +domain socket. When used in ingress listener, care needs to be taken +to ensure that the listener port is not in use by other processes on +the host.

+ +
+

ConfigScope

ConfigScope defines the visibility of an Istio configuration artifact in @@ -2151,12 +2192,43 @@

IstioEgressListener

+ +port +Port + +

The port associated with the listener. If using unix domain socket, +use 0 as the port number, with a valid protocol. The port if +specified, will be used as the default destination port associated +with the imported hosts. If the port is omitted, Istio will infer the +listener ports based on the imported hosts. Note that when multiple +egress listeners are specified, where one or more listeners have +specific ports while others have no port, the hosts exposed on a +listener port will be based on the listener with the most specific +port.

+ + + + +bind +string + +

The ip or the unix domain socket to which the listener should be bound +to. Port MUST be specified if bind is not empty. Format: x.x.x.x or +unix:///path/to/uds or unix://@foobar (Linux abstract namespace). If +omitted, Istio will autoconfigure the defaults based on imported +services, the workload to which this configuration is applied to and +the captureMode. If captureMode is NONE, bind will default to +127.0.0.1.

+ + + captureMode CaptureMode

When the bind address is an IP, the captureMode option dictates -how traffic to the listener is expected to be captured (or not).

+how traffic to the listener is expected to be captured (or not). +captureMode must be DEFAULT or NONE for unix domain socket binds.

@@ -2164,8 +2236,8 @@

IstioEgressListener

hosts string[] -

One or more services/virtualServices exposed by the listener in -namespace/dnsName format. Publicly scoped services and +

REQUIRED: One or more services/virtualServices exposed by the listener +in namespace/dnsName format. Publicly scoped services and VirtualServices from remote namespaces corresponding to the specified hosts will be imported. The service in a namespace can be a service in the service registry (e.g., a kubernetes or cloud foundry service) or @@ -2183,6 +2255,67 @@

IstioEgressListener

imported. Refer to the scope setting associated with VirtualService, DestinationRule, ServiceEntry, etc. for details.

+ + + + +
+

IstioIngressListener

+
+

IstioIngressListener specifies the properties of an inbound +traffic listener on the sidecar proxy attached to a workload.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -3652,8 +3785,9 @@

Sidecar

with a workload selector select the same workload.

The example below delcares a Sidecar resource in the prod-us1 namespace -that configures the sidecar to allow egress traffic to public services -in the prod-us1, prod-apis, and the istio-system namespaces.

+that configures the sidecars in the namespace to allow egress traffic to +public services in the prod-us1, prod-apis, and the istio-system +namespaces.

apiVersion: networking.istio.io/v1alpha3
 kind: Sidecar
@@ -3668,6 +3802,36 @@ 
Sidecar

     - "istio-system/*"
+

The example below delcares a Sidecar resource in the prod-us1 namespace +that accepts inbound HTTP traffic on port 9080 and forwards +it to the attached workload listening on a unix domain socket. In the +egress direction, in addition to the istio-system namespace, the sidecar +proxies only HTTP traffic bound for port 9080 for services in the +prod-us1 namespace.

+ +
apiVersion: networking.istio.io/v1alpha3
+kind: Sidecar
+metadata:
+  name: default
+  namespace: prod-us1
+spec:
+  ingress:
+  - port:
+      number: 9080
+      protocol: HTTP
+      name: somename
+    defaultEndpoint: unix:///var/run/someuds.sock
+  egress:
+  - hosts:
+    - "istio-system/*"
+  - port:
+      number: 9080
+      protocol: HTTP
+      name: egresshttp
+    hosts:
+    - "prod-us1/*"
+
+
FieldTypeDescription
portPort +

REQUIRED. The port associated with the listener. If using +unix domain socket, use 0 as the port number, with a valid +protocol.

+ +
bindstring +

The ip or the unix domain socket to which the listener should be bound +to. Format: x.x.x.x or unix:///path/to/uds or unix://@foobar (Linux +abstract namespace). If omitted, Istio will autoconfigure the defaults +based on imported services and the workload to which this +configuration is applied to.

+ +
captureModeCaptureMode +

When the bind address is an IP, the captureMode option dictates +how traffic to the listener is expected to be captured (or not). +captureMode must be DEFAULT or NONE for unix domain socket binds.

+ +
defaultEndpointstring +

REQUIRED: The loopback IP endpoint or unix domain socket to which +traffic should be forwarded to. This configuration can be used to +redirect traffic arriving at the bind point on the sidecar to a port +or unix domain socket where the application workload is listening for +connections. Format should be 127.0.0.1:PORT or unix:///path/to/socket

+
@@ -3677,6 +3841,29 @@

Sidecar

+ + + + + + + + + + @@ -4479,10 +4666,10 @@

WorkloadSelector

diff --git a/networking/v1alpha3/sidecar.pb.go b/networking/v1alpha3/sidecar.pb.go index 6c4e074c0f..0c2afe181a 100644 --- a/networking/v1alpha3/sidecar.pb.go +++ b/networking/v1alpha3/sidecar.pb.go @@ -43,7 +43,6 @@ func (x ConfigScope) String() string { } func (ConfigScope) EnumDescriptor() ([]byte, []int) { return fileDescriptorSidecar, []int{0} } -// $hide_from_docs // CaptureMode describes how traffic to a listener is expected to be // captured. Applicable only when the listener is bound to an IP. type CaptureMode int32 @@ -105,8 +104,9 @@ func (CaptureMode) EnumDescriptor() ([]byte, []int) { return fileDescriptorSidec // with a workload selector select the same workload. // // The example below delcares a Sidecar resource in the prod-us1 namespace -// that configures the sidecar to allow egress traffic to public services -// in the prod-us1, prod-apis, and the istio-system namespaces. +// that configures the sidecars in the namespace to allow egress traffic to +// public services in the prod-us1, prod-apis, and the istio-system +// namespaces. // // ```yaml // apiVersion: networking.istio.io/v1alpha3 @@ -122,14 +122,43 @@ func (CaptureMode) EnumDescriptor() ([]byte, []int) { return fileDescriptorSidec // - "istio-system/*" // ``` // +// The example below delcares a Sidecar resource in the prod-us1 namespace +// that accepts inbound HTTP traffic on port 9080 and forwards +// it to the attached workload listening on a unix domain socket. In the +// egress direction, in addition to the istio-system namespace, the sidecar +// proxies only HTTP traffic bound for port 9080 for services in the +// prod-us1 namespace. +// +// ```yaml +// apiVersion: networking.istio.io/v1alpha3 +// kind: Sidecar +// metadata: +// name: default +// namespace: prod-us1 +// spec: +// ingress: +// - port: +// number: 9080 +// protocol: HTTP +// name: somename +// defaultEndpoint: unix:///var/run/someuds.sock +// egress: +// - hosts: +// - "istio-system/*" +// - port: +// number: 9080 +// protocol: HTTP +// name: egresshttp +// hosts: +// - "prod-us1/*" +// ``` +// type Sidecar struct { - // $hide_from_docs // Criteria used to select the specific set of pods/VMs on which this // sidecar configuration should be applied. If omitted, the sidecar - // configuration will be applied to all workloads in the current config + // configuration will be applied to all workloads in the same config // namespace. WorkloadSelector *WorkloadSelector `protobuf:"bytes,1,opt,name=workload_selector,json=workloadSelector" json:"workload_selector,omitempty"` - // $hide_from_docs // Ingress specifies the configuration of the sidecar for processing // inbound traffic to the attached workload. If omitted, Istio will // autoconfigure the sidecar based on the information about the workload @@ -169,7 +198,6 @@ func (m *Sidecar) GetEgress() []*IstioEgressListener { return nil } -// $hide_from_docs // IstioIngressListener specifies the properties of an inbound // traffic listener on the sidecar proxy attached to a workload. type IstioIngressListener struct { @@ -185,11 +213,12 @@ type IstioIngressListener struct { Bind string `protobuf:"bytes,2,opt,name=bind,proto3" json:"bind,omitempty"` // When the bind address is an IP, the captureMode option dictates // how traffic to the listener is expected to be captured (or not). + // captureMode must be DEFAULT or NONE for unix domain socket binds. CaptureMode CaptureMode `protobuf:"varint,3,opt,name=capture_mode,json=captureMode,proto3,enum=istio.networking.v1alpha3.CaptureMode" json:"capture_mode,omitempty"` - // The loopback IP endpoint or unix domain socket to which traffic should - // be forwarded to by default. This configuration can be used to redirect - // traffic arriving at the bind point on the sidecar to a port or unix - // domain socket where the application workload is listening for + // REQUIRED: The loopback IP endpoint or unix domain socket to which + // traffic should be forwarded to. This configuration can be used to + // redirect traffic arriving at the bind point on the sidecar to a port + // or unix domain socket where the application workload is listening for // connections. Format should be 127.0.0.1:PORT or unix:///path/to/socket DefaultEndpoint string `protobuf:"bytes,4,opt,name=default_endpoint,json=defaultEndpoint,proto3" json:"default_endpoint,omitempty"` } @@ -230,7 +259,6 @@ func (m *IstioIngressListener) GetDefaultEndpoint() string { // IstioEgressListener specifies the properties of an outbound traffic // listener on the sidecar proxy attached to a workload. type IstioEgressListener struct { - // $hide_from_docs // The port associated with the listener. If using unix domain socket, // use 0 as the port number, with a valid protocol. The port if // specified, will be used as the default destination port associated @@ -241,19 +269,20 @@ type IstioEgressListener struct { // listener port will be based on the listener with the most specific // port. Port *Port `protobuf:"bytes,1,opt,name=port" json:"port,omitempty"` - // $hide_from_docs // The ip or the unix domain socket to which the listener should be bound - // to. Port MUST be specified if bind is not empty. Format: - // x.x.x.x or unix:///path/to/uds or unix://@foobar (Linux abstract - // namespace). If omitted, Istio will autoconfigure the defaults based on - // imported services and the workload to which this configuration is - // applied to. + // to. Port MUST be specified if bind is not empty. Format: x.x.x.x or + // unix:///path/to/uds or unix://@foobar (Linux abstract namespace). If + // omitted, Istio will autoconfigure the defaults based on imported + // services, the workload to which this configuration is applied to and + // the captureMode. If captureMode is NONE, bind will default to + // 127.0.0.1. Bind string `protobuf:"bytes,2,opt,name=bind,proto3" json:"bind,omitempty"` // When the bind address is an IP, the captureMode option dictates // how traffic to the listener is expected to be captured (or not). + // captureMode must be DEFAULT or NONE for unix domain socket binds. CaptureMode CaptureMode `protobuf:"varint,3,opt,name=capture_mode,json=captureMode,proto3,enum=istio.networking.v1alpha3.CaptureMode" json:"capture_mode,omitempty"` - // One or more services/virtualServices exposed by the listener in - // namespace/dnsName format. Publicly scoped services and + // REQUIRED: One or more services/virtualServices exposed by the listener + // in namespace/dnsName format. Publicly scoped services and // VirtualServices from remote namespaces corresponding to the specified // hosts will be imported. The service in a namespace can be a service in // the service registry (e.g., a kubernetes or cloud foundry service) or @@ -314,10 +343,10 @@ func (m *IstioEgressListener) GetHosts() []string { // specified, all conditions need to match in order for the workload to be // selected. Currently, only label based selection mechanism is supported. type WorkloadSelector struct { - // One or more labels that indicate a specific set of pods/VMs on which - // this sidecar configuration should be applied. The scope of label - // search is restricted to the configuration namespace in which the the - // resource is present. + // REQUIRED: One or more labels that indicate a specific set of pods/VMs + // on which this sidecar configuration should be applied. The scope of + // label search is restricted to the configuration namespace in which the + // the resource is present. Labels map[string]string `protobuf:"bytes,1,rep,name=labels" json:"labels,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` } diff --git a/networking/v1alpha3/sidecar.proto b/networking/v1alpha3/sidecar.proto index 369b6be38c..f927fe919c 100644 --- a/networking/v1alpha3/sidecar.proto +++ b/networking/v1alpha3/sidecar.proto @@ -48,8 +48,9 @@ option go_package = "istio.io/api/networking/v1alpha3"; // with a workload selector select the same workload. // // The example below delcares a Sidecar resource in the prod-us1 namespace -// that configures the sidecar to allow egress traffic to public services -// in the prod-us1, prod-apis, and the istio-system namespaces. +// that configures the sidecars in the namespace to allow egress traffic to +// public services in the prod-us1, prod-apis, and the istio-system +// namespaces. // // ```yaml // apiVersion: networking.istio.io/v1alpha3 @@ -65,15 +66,44 @@ option go_package = "istio.io/api/networking/v1alpha3"; // - "istio-system/*" // ``` // +// The example below delcares a Sidecar resource in the prod-us1 namespace +// that accepts inbound HTTP traffic on port 9080 and forwards +// it to the attached workload listening on a unix domain socket. In the +// egress direction, in addition to the istio-system namespace, the sidecar +// proxies only HTTP traffic bound for port 9080 for services in the +// prod-us1 namespace. +// +// ```yaml +// apiVersion: networking.istio.io/v1alpha3 +// kind: Sidecar +// metadata: +// name: default +// namespace: prod-us1 +// spec: +// ingress: +// - port: +// number: 9080 +// protocol: HTTP +// name: somename +// defaultEndpoint: unix:///var/run/someuds.sock +// egress: +// - hosts: +// - "istio-system/*" +// - port: +// number: 9080 +// protocol: HTTP +// name: egresshttp +// hosts: +// - "prod-us1/*" +// ``` +// message Sidecar { - // $hide_from_docs // Criteria used to select the specific set of pods/VMs on which this // sidecar configuration should be applied. If omitted, the sidecar - // configuration will be applied to all workloads in the current config + // configuration will be applied to all workloads in the same config // namespace. WorkloadSelector workload_selector = 1; - // $hide_from_docs // Ingress specifies the configuration of the sidecar for processing // inbound traffic to the attached workload. If omitted, Istio will // autoconfigure the sidecar based on the information about the workload @@ -88,7 +118,6 @@ message Sidecar { repeated IstioEgressListener egress = 3; } -// $hide_from_docs // IstioIngressListener specifies the properties of an inbound // traffic listener on the sidecar proxy attached to a workload. message IstioIngressListener { @@ -106,12 +135,13 @@ message IstioIngressListener { // When the bind address is an IP, the captureMode option dictates // how traffic to the listener is expected to be captured (or not). + // captureMode must be DEFAULT or NONE for unix domain socket binds. CaptureMode capture_mode = 3; - // The loopback IP endpoint or unix domain socket to which traffic should - // be forwarded to by default. This configuration can be used to redirect - // traffic arriving at the bind point on the sidecar to a port or unix - // domain socket where the application workload is listening for + // REQUIRED: The loopback IP endpoint or unix domain socket to which + // traffic should be forwarded to. This configuration can be used to + // redirect traffic arriving at the bind point on the sidecar to a port + // or unix domain socket where the application workload is listening for // connections. Format should be 127.0.0.1:PORT or unix:///path/to/socket string default_endpoint = 4; } @@ -119,7 +149,6 @@ message IstioIngressListener { // IstioEgressListener specifies the properties of an outbound traffic // listener on the sidecar proxy attached to a workload. message IstioEgressListener { - // $hide_from_docs // The port associated with the listener. If using unix domain socket, // use 0 as the port number, with a valid protocol. The port if // specified, will be used as the default destination port associated @@ -131,21 +160,22 @@ message IstioEgressListener { // port. Port port = 1; - // $hide_from_docs // The ip or the unix domain socket to which the listener should be bound - // to. Port MUST be specified if bind is not empty. Format: - // x.x.x.x or unix:///path/to/uds or unix://@foobar (Linux abstract - // namespace). If omitted, Istio will autoconfigure the defaults based on - // imported services and the workload to which this configuration is - // applied to. + // to. Port MUST be specified if bind is not empty. Format: x.x.x.x or + // unix:///path/to/uds or unix://@foobar (Linux abstract namespace). If + // omitted, Istio will autoconfigure the defaults based on imported + // services, the workload to which this configuration is applied to and + // the captureMode. If captureMode is NONE, bind will default to + // 127.0.0.1. string bind = 2; // When the bind address is an IP, the captureMode option dictates // how traffic to the listener is expected to be captured (or not). + // captureMode must be DEFAULT or NONE for unix domain socket binds. CaptureMode capture_mode = 3; - // One or more services/virtualServices exposed by the listener in - // namespace/dnsName format. Publicly scoped services and + // REQUIRED: One or more services/virtualServices exposed by the listener + // in namespace/dnsName format. Publicly scoped services and // VirtualServices from remote namespaces corresponding to the specified // hosts will be imported. The service in a namespace can be a service in // the service registry (e.g., a kubernetes or cloud foundry service) or @@ -187,10 +217,10 @@ enum ConfigScope { // specified, all conditions need to match in order for the workload to be // selected. Currently, only label based selection mechanism is supported. message WorkloadSelector { - // One or more labels that indicate a specific set of pods/VMs on which - // this sidecar configuration should be applied. The scope of label - // search is restricted to the configuration namespace in which the the - // resource is present. + // REQUIRED: One or more labels that indicate a specific set of pods/VMs + // on which this sidecar configuration should be applied. The scope of + // label search is restricted to the configuration namespace in which the + // the resource is present. map labels = 1; // $hide_from_docs @@ -199,7 +229,6 @@ message WorkloadSelector { // etc. This has nothing to do with the request level authN etc. } -// $hide_from_docs // CaptureMode describes how traffic to a listener is expected to be // captured. Applicable only when the listener is bound to an IP. enum CaptureMode { @@ -216,36 +245,3 @@ enum CaptureMode { // the host. NONE = 2; } - -// $hide_from_docs -// The example below delcares a Sidecar resource in the prod-us1 namespace -// that accepts inbound HTTP traffic on port 9080 and forwards -// it to the attached workload listening on a unix domain socket. In the -// egress direction, in addition to the istio-system namespace, the sidecar -// proxies only HTTP traffic bound for port 9080 for services in the -// prod-us1 namespace. -// -// ```yaml -// apiVersion: networking.istio.io/v1alpha3 -// kind: Sidecar -// metadata: -// name: default -// namespace: prod-us1 -// spec: -// ingress: -// - port: -// number: 9080 -// protocol: HTTP -// name: somename -// defaultEndpoint: unix:///var/run/someuds.sock -// egress: -// - hosts: -// - "istio-system/*" -// - port: -// number: 9080 -// protocol: HTTP -// name: egresshttp -// hosts: -// - "prod-us1/*" -// ``` -// From 2dadb9eaaff49821043c04347828a2c83aaef3c9 Mon Sep 17 00:00:00 2001 From: Jason Young Date: Wed, 16 Jan 2019 09:24:49 -0800 Subject: [PATCH 2/3] add optional incremental flag to ResponseSink and ResourceSource services (#762) --- mcp/v1alpha1/istio.mcp.v1alpha1.pb.html | 31 ++++ mcp/v1alpha1/mcp.pb.go | 204 +++++++++++++++++------ mcp/v1alpha1/mcp.proto | 21 +++ proto.lock | 10 ++ python/istio_api/mcp/v1alpha1/mcp_pb2.py | 34 ++-- 5 files changed, 241 insertions(+), 59 deletions(-) diff --git a/mcp/v1alpha1/istio.mcp.v1alpha1.pb.html b/mcp/v1alpha1/istio.mcp.v1alpha1.pb.html index bcee77a76a..cfc253afdf 100644 --- a/mcp/v1alpha1/istio.mcp.v1alpha1.pb.html +++ b/mcp/v1alpha1/istio.mcp.v1alpha1.pb.html @@ -486,6 +486,16 @@

RequestResources

The message field in error_details provides the source internal error related to the failure.

+ + + + + + @@ -573,6 +583,12 @@

Resources

These are typed resources that match the type url in the RequestResources message.

+

When incremental is true, this contains an array of resources to add/update +for the specified collection. This modifies the existing collection at the sink

+ +

When incremental is false, this contains the full set of resources for the +specified collection. This replaces any previously delivered resources.

+ @@ -583,6 +599,12 @@

Resources

removed from the MCP sink node. Removed resources for missing resources can be ignored.

+

When incremental is true, this contains an array of resource names to remove +for the specified collection. This modifies the existing resource collection at +the sink.

+ +

When incremental is false, this field should be ignored.

+ @@ -592,6 +614,15 @@

Resources

Required. The nonce provides a way for RequestChange to uniquely reference a RequestResources.

+ + + + + + diff --git a/mcp/v1alpha1/mcp.pb.go b/mcp/v1alpha1/mcp.pb.go index 764783c4da..c38f7e36a0 100644 --- a/mcp/v1alpha1/mcp.pb.go +++ b/mcp/v1alpha1/mcp.pb.go @@ -367,6 +367,10 @@ type RequestResources struct { // The *message* field in *error_details* provides the source internal error // related to the failure. ErrorDetail *google_rpc.Status `protobuf:"bytes,5,opt,name=error_detail,json=errorDetail" json:"error_detail,omitempty"` + // Request an incremental update for the specified collection. The source may choose to + // honor this request or ignore and and provide a full-state update in the corresponding + // `Resource` response. + Incremental bool `protobuf:"varint,6,opt,name=incremental,proto3" json:"incremental,omitempty"` } func (m *RequestResources) Reset() { *m = RequestResources{} } @@ -409,6 +413,13 @@ func (m *RequestResources) GetErrorDetail() *google_rpc.Status { return nil } +func (m *RequestResources) GetIncremental() bool { + if m != nil { + return m.Incremental + } + return false +} + // Resources do not need to include a full snapshot of the tracked // resources. Instead they are a diff to the state of a MCP client. // Per resource versions allow sources and sinks to track state at @@ -430,14 +441,29 @@ type Resources struct { // The response resources wrapped in the common MCP *Resource* message. // These are typed resources that match the type url in the // RequestResources message. + // + // When `incremental` is true, this contains an array of resources to add/update + // for the specified collection. This modifies the existing collection at the sink + // + // When `incremental` is false, this contains the full set of resources for the + // specified collection. This replaces any previously delivered resources. Resources []Resource `protobuf:"bytes,3,rep,name=resources" json:"resources"` // Names of resources that have been deleted and to be // removed from the MCP sink node. Removed resources for missing // resources can be ignored. + // + // When `incremental` is true, this contains an array of resource names to remove + // for the specified collection. This modifies the existing resource collection at + // the sink. + // + // When `incremental` is false, this field should be ignored. RemovedResources []string `protobuf:"bytes,4,rep,name=removed_resources,json=removedResources" json:"removed_resources,omitempty"` // Required. The nonce provides a way for RequestChange to uniquely // reference a RequestResources. Nonce string `protobuf:"bytes,5,opt,name=nonce,proto3" json:"nonce,omitempty"` + // This resource response is an incremental update. The source should only send + // incremental updates if the sink requested them. + Incremental bool `protobuf:"varint,6,opt,name=incremental,proto3" json:"incremental,omitempty"` } func (m *Resources) Reset() { *m = Resources{} } @@ -480,6 +506,13 @@ func (m *Resources) GetNonce() string { return "" } +func (m *Resources) GetIncremental() bool { + if m != nil { + return m.Incremental + } + return false +} + func init() { proto.RegisterType((*SinkNode)(nil), "istio.mcp.v1alpha1.SinkNode") proto.RegisterType((*MeshConfigRequest)(nil), "istio.mcp.v1alpha1.MeshConfigRequest") @@ -718,6 +751,9 @@ func (this *RequestResources) Equal(that interface{}) bool { if !this.ErrorDetail.Equal(that1.ErrorDetail) { return false } + if this.Incremental != that1.Incremental { + return false + } return true } func (this *Resources) Equal(that interface{}) bool { @@ -764,6 +800,9 @@ func (this *Resources) Equal(that interface{}) bool { if this.Nonce != that1.Nonce { return false } + if this.Incremental != that1.Incremental { + return false + } return true } @@ -1487,6 +1526,16 @@ func (m *RequestResources) MarshalTo(dAtA []byte) (int, error) { } i += n6 } + if m.Incremental { + dAtA[i] = 0x30 + i++ + if m.Incremental { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i++ + } return i, nil } @@ -1550,6 +1599,16 @@ func (m *Resources) MarshalTo(dAtA []byte) (int, error) { i = encodeVarintMcp(dAtA, i, uint64(len(m.Nonce))) i += copy(dAtA[i:], m.Nonce) } + if m.Incremental { + dAtA[i] = 0x30 + i++ + if m.Incremental { + dAtA[i] = 1 + } else { + dAtA[i] = 0 + } + i++ + } return i, nil } @@ -1713,6 +1772,9 @@ func (m *RequestResources) Size() (n int) { l = m.ErrorDetail.Size() n += 1 + l + sovMcp(uint64(l)) } + if m.Incremental { + n += 2 + } return n } @@ -1743,6 +1805,9 @@ func (m *Resources) Size() (n int) { if l > 0 { n += 1 + l + sovMcp(uint64(l)) } + if m.Incremental { + n += 2 + } return n } @@ -3058,6 +3123,26 @@ func (m *RequestResources) Unmarshal(dAtA []byte) error { return err } iNdEx = postIndex + case 6: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field Incremental", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowMcp + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + m.Incremental = bool(v != 0) default: iNdEx = preIndex skippy, err := skipMcp(dAtA[iNdEx:]) @@ -3255,6 +3340,26 @@ func (m *Resources) Unmarshal(dAtA []byte) error { } m.Nonce = string(dAtA[iNdEx:postIndex]) iNdEx = postIndex + case 6: + if wireType != 0 { + return fmt.Errorf("proto: wrong wireType = %d for field Incremental", wireType) + } + var v int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowMcp + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + v |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + m.Incremental = bool(v != 0) default: iNdEx = preIndex skippy, err := skipMcp(dAtA[iNdEx:]) @@ -3384,53 +3489,54 @@ var ( func init() { proto.RegisterFile("mcp/v1alpha1/mcp.proto", fileDescriptorMcp) } var fileDescriptorMcp = []byte{ - // 755 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x56, 0x4f, 0x4f, 0x1b, 0x47, - 0x14, 0x67, 0x6c, 0xdc, 0xe2, 0x67, 0x8a, 0xcc, 0x14, 0x15, 0x7b, 0x01, 0x97, 0x5a, 0xa5, 0x42, - 0x42, 0x5d, 0x83, 0xab, 0x4a, 0x6d, 0x0f, 0x55, 0xa1, 0xe5, 0x40, 0x25, 0xa8, 0xb4, 0x56, 0x39, - 0xe4, 0xb2, 0x5a, 0x76, 0x87, 0x65, 0xe4, 0xf5, 0xcc, 0x66, 0x66, 0x6c, 0xc9, 0x87, 0x7c, 0x80, - 0x28, 0xf7, 0xdc, 0x72, 0x8f, 0xc8, 0x17, 0xe1, 0x98, 0x43, 0xce, 0x11, 0xf2, 0x31, 0x9f, 0x22, - 0xda, 0x7f, 0xec, 0x3a, 0x2c, 0x36, 0x4e, 0xc8, 0x25, 0x97, 0xd5, 0xcc, 0x7b, 0x6f, 0x7e, 0xef, - 0xcf, 0xef, 0x37, 0xa3, 0x85, 0xef, 0x7a, 0xb6, 0xdf, 0x1a, 0xec, 0x59, 0x9e, 0x7f, 0x61, 0xed, - 0xb5, 0x7a, 0xb6, 0xaf, 0xfb, 0x82, 0x2b, 0x8e, 0x31, 0x95, 0x8a, 0x72, 0x3d, 0x30, 0x24, 0x5e, - 0x6d, 0xd5, 0xe5, 0xdc, 0xf5, 0x48, 0x4b, 0xf8, 0x76, 0x4b, 0x2a, 0x4b, 0xf5, 0x65, 0x14, 0xac, - 0xad, 0xb8, 0xdc, 0xe5, 0xe1, 0xb2, 0x15, 0xac, 0x62, 0xeb, 0xda, 0x18, 0xb4, 0x20, 0x92, 0xf7, - 0x85, 0x4d, 0x22, 0x67, 0xf3, 0x15, 0x82, 0x85, 0x0e, 0x65, 0xdd, 0x13, 0xee, 0x10, 0xbc, 0x04, - 0x05, 0xea, 0xd4, 0xd0, 0x26, 0xda, 0x2e, 0x1b, 0x05, 0xea, 0xe0, 0xff, 0xa0, 0x62, 0x31, 0xc6, - 0x95, 0xa5, 0x28, 0x67, 0xb2, 0x56, 0xd8, 0x2c, 0x6e, 0x57, 0xda, 0x3f, 0xeb, 0xb7, 0x4b, 0xd2, - 0x13, 0x08, 0x7d, 0x3f, 0x8d, 0x3f, 0x64, 0x4a, 0x0c, 0x8d, 0x2c, 0x82, 0xf6, 0x27, 0x54, 0x3f, - 0x0c, 0xc0, 0x55, 0x28, 0x76, 0xc9, 0x30, 0xce, 0x1a, 0x2c, 0xf1, 0x0a, 0x94, 0x06, 0x96, 0xd7, - 0x27, 0xb5, 0x42, 0x68, 0x8b, 0x36, 0x7f, 0x14, 0x7e, 0x43, 0xcd, 0x77, 0x08, 0x96, 0x8f, 0x89, - 0xbc, 0xf8, 0x9b, 0xb3, 0x73, 0xea, 0x1a, 0xe4, 0x71, 0x9f, 0x48, 0x85, 0x7f, 0x80, 0xc5, 0x01, - 0x11, 0x92, 0x72, 0x66, 0x52, 0x76, 0xce, 0x63, 0xa8, 0x4a, 0x6c, 0x3b, 0x62, 0xe7, 0x1c, 0xff, - 0x0e, 0x65, 0x49, 0x59, 0xd7, 0x64, 0xdc, 0x89, 0x60, 0x2b, 0xed, 0xf5, 0x49, 0x7d, 0x18, 0x0b, - 0x32, 0x19, 0x4a, 0x1d, 0x16, 0xd4, 0xd0, 0x27, 0x66, 0x5f, 0x78, 0xb5, 0x62, 0x88, 0xfc, 0x75, - 0xb0, 0xff, 0x5f, 0x78, 0x78, 0x0b, 0x96, 0x04, 0x91, 0x3e, 0x67, 0x92, 0x98, 0x8c, 0x33, 0x9b, - 0xd4, 0xe6, 0xc3, 0x80, 0x6f, 0x12, 0xeb, 0x49, 0x60, 0xc4, 0xbf, 0xc2, 0x22, 0x11, 0x82, 0x0b, - 0xd3, 0x21, 0xca, 0xa2, 0x5e, 0xad, 0x14, 0xe6, 0xc7, 0x7a, 0x44, 0xa3, 0x2e, 0x7c, 0x5b, 0xef, - 0x84, 0x34, 0x1a, 0x95, 0x30, 0xee, 0x9f, 0x30, 0xac, 0x79, 0x89, 0x00, 0x67, 0x9b, 0x8d, 0x20, - 0xef, 0xd3, 0xed, 0x5f, 0x50, 0x4e, 0x68, 0x4e, 0x58, 0xcb, 0xed, 0xd6, 0x88, 0x83, 0x0e, 0xe6, - 0xaf, 0xde, 0x7e, 0x3f, 0x67, 0xa4, 0x87, 0x26, 0x35, 0xbd, 0x02, 0xa5, 0x6c, 0xaf, 0xd1, 0xa6, - 0x79, 0x59, 0x84, 0xf5, 0x23, 0x66, 0x0b, 0xd2, 0x23, 0x4c, 0x59, 0xde, 0x6d, 0x92, 0xc6, 0x18, - 0x40, 0x1f, 0xcd, 0x40, 0x61, 0xbc, 0x98, 0xa7, 0x08, 0xea, 0x94, 0x51, 0x45, 0x2d, 0xcf, 0x4c, - 0xaa, 0x37, 0xe3, 0x51, 0xc8, 0x5a, 0x31, 0x6c, 0xfd, 0x38, 0x2f, 0xcd, 0xa4, 0x5a, 0xf5, 0xa3, - 0x08, 0x31, 0x19, 0xcf, 0x69, 0x8c, 0x17, 0x09, 0x7a, 0x95, 0xe6, 0x7b, 0x3f, 0xaf, 0x1a, 0xb4, - 0x7f, 0x83, 0xf9, 0xde, 0x5d, 0xd6, 0x4c, 0xd7, 0xe8, 0x0d, 0x82, 0x8d, 0x3b, 0x06, 0x10, 0x8b, - 0x4c, 0x87, 0x6f, 0xe5, 0x50, 0x2a, 0xd2, 0x33, 0x73, 0xb4, 0xb6, 0x1c, 0xb9, 0x4e, 0x1f, 0x54, - 0x71, 0x3b, 0xb0, 0x2c, 0x48, 0x8f, 0x0f, 0x88, 0x63, 0xa6, 0x48, 0x01, 0x81, 0x65, 0xa3, 0x1a, - 0x3b, 0x8c, 0x9b, 0xe0, 0x7c, 0x0d, 0x3e, 0x2f, 0x42, 0x35, 0xa6, 0x30, 0x0d, 0xfd, 0x04, 0xdd, - 0x35, 0x00, 0x6c, 0xee, 0x79, 0xc4, 0x0e, 0x5e, 0xab, 0x78, 0x8a, 0x19, 0x0b, 0x7e, 0x32, 0x5d, - 0x7b, 0xfb, 0xf9, 0x43, 0x18, 0xaf, 0xf1, 0x8b, 0xd7, 0xdb, 0x35, 0x82, 0x72, 0xca, 0xc8, 0xac, - 0xda, 0x9a, 0x46, 0xc3, 0x98, 0xf6, 0x8a, 0x0f, 0xa6, 0xbd, 0xf9, 0x69, 0xda, 0x2b, 0x65, 0xb4, - 0xd7, 0x7e, 0x51, 0x80, 0xb5, 0x7d, 0xd7, 0x15, 0xc4, 0xb5, 0x14, 0x71, 0xd2, 0x1b, 0xd5, 0x21, - 0x62, 0x40, 0x6d, 0x82, 0x7d, 0xa8, 0x77, 0x94, 0x20, 0x56, 0x2f, 0x0d, 0x4a, 0x21, 0xb7, 0xf2, - 0xca, 0xbd, 0xf5, 0x2c, 0x69, 0x3f, 0x4d, 0x0b, 0x8b, 0x68, 0x6f, 0xce, 0x6d, 0xa3, 0x5d, 0x84, - 0x9f, 0x21, 0x68, 0x64, 0x2e, 0x79, 0x5e, 0xde, 0xdd, 0x59, 0x5f, 0x46, 0x6d, 0x6f, 0x86, 0x13, - 0xd9, 0x6a, 0xda, 0x03, 0x58, 0x4a, 0xf2, 0x76, 0xc2, 0x2f, 0x76, 0x60, 0xf5, 0x50, 0x2a, 0xeb, - 0xcc, 0xa3, 0xf2, 0xe2, 0xc6, 0x15, 0x8e, 0x08, 0xff, 0x78, 0x9f, 0x5b, 0xa3, 0x6d, 0x4c, 0x22, - 0x59, 0xc6, 0x79, 0x15, 0x2c, 0xde, 0x80, 0x53, 0xd6, 0x9d, 0x94, 0x75, 0x32, 0x9e, 0x76, 0xaf, - 0xa2, 0xa2, 0xac, 0x07, 0x3b, 0x2f, 0x47, 0x0d, 0x74, 0x35, 0x6a, 0xa0, 0xd7, 0xa3, 0x06, 0xba, - 0x1e, 0x35, 0xd0, 0xa3, 0x7a, 0x74, 0x98, 0xf2, 0x96, 0xe5, 0xd3, 0x56, 0xf6, 0x8f, 0xec, 0xec, - 0xab, 0xf0, 0x4f, 0xec, 0x97, 0xf7, 0x01, 0x00, 0x00, 0xff, 0xff, 0xa7, 0xf2, 0x04, 0xf7, 0x03, - 0x0a, 0x00, 0x00, + // 774 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xcc, 0x56, 0xcd, 0x6e, 0xeb, 0x44, + 0x14, 0xbe, 0xe3, 0x34, 0x97, 0xe4, 0xa4, 0x54, 0xe9, 0x50, 0x51, 0xc7, 0xf7, 0xde, 0x10, 0x22, + 0x8a, 0x22, 0x55, 0x38, 0x6d, 0x10, 0x12, 0xb0, 0x40, 0xb4, 0xd0, 0x45, 0x91, 0x5a, 0x24, 0x47, + 0x74, 0xc1, 0xc6, 0x72, 0xed, 0xa9, 0x3b, 0x8a, 0x33, 0x63, 0x66, 0x26, 0x91, 0xb2, 0x60, 0xc3, + 0x0e, 0xf1, 0x0c, 0xec, 0x51, 0x79, 0x01, 0x1e, 0xa1, 0x4b, 0x16, 0xac, 0x11, 0xca, 0x92, 0xa7, + 0x40, 0xfe, 0xab, 0x1d, 0xea, 0x26, 0x0d, 0x14, 0x89, 0x8d, 0x35, 0x73, 0xce, 0x99, 0xef, 0xfc, + 0x7c, 0xdf, 0x8c, 0x0c, 0x6f, 0x8e, 0xdd, 0xb0, 0x3f, 0x3d, 0x74, 0x82, 0xf0, 0xda, 0x39, 0xec, + 0x8f, 0xdd, 0xd0, 0x0c, 0x05, 0x57, 0x1c, 0x63, 0x2a, 0x15, 0xe5, 0x66, 0x64, 0xc8, 0xbc, 0xc6, + 0xae, 0xcf, 0xb9, 0x1f, 0x90, 0xbe, 0x08, 0xdd, 0xbe, 0x54, 0x8e, 0x9a, 0xc8, 0x24, 0xd8, 0xd8, + 0xf1, 0xb9, 0xcf, 0xe3, 0x65, 0x3f, 0x5a, 0xa5, 0xd6, 0x17, 0x0b, 0xd0, 0x82, 0x48, 0x3e, 0x11, + 0x2e, 0x49, 0x9c, 0xdd, 0x9f, 0x11, 0xd4, 0x86, 0x94, 0x8d, 0xce, 0xb9, 0x47, 0xf0, 0x16, 0x68, + 0xd4, 0xd3, 0x51, 0x07, 0xf5, 0xea, 0x96, 0x46, 0x3d, 0xfc, 0x25, 0x34, 0x1c, 0xc6, 0xb8, 0x72, + 0x14, 0xe5, 0x4c, 0xea, 0x5a, 0xa7, 0xd2, 0x6b, 0x0c, 0xde, 0x33, 0xef, 0x97, 0x64, 0x66, 0x10, + 0xe6, 0x51, 0x1e, 0x7f, 0xc2, 0x94, 0x98, 0x59, 0x45, 0x04, 0xe3, 0x13, 0x68, 0xfe, 0x3d, 0x00, + 0x37, 0xa1, 0x32, 0x22, 0xb3, 0x34, 0x6b, 0xb4, 0xc4, 0x3b, 0x50, 0x9d, 0x3a, 0xc1, 0x84, 0xe8, + 0x5a, 0x6c, 0x4b, 0x36, 0x1f, 0x6b, 0x1f, 0xa2, 0xee, 0x9f, 0x08, 0xb6, 0xcf, 0x88, 0xbc, 0xfe, + 0x8c, 0xb3, 0x2b, 0xea, 0x5b, 0xe4, 0x9b, 0x09, 0x91, 0x0a, 0xbf, 0x0d, 0x9b, 0x53, 0x22, 0x24, + 0xe5, 0xcc, 0xa6, 0xec, 0x8a, 0xa7, 0x50, 0x8d, 0xd4, 0x76, 0xca, 0xae, 0x38, 0xfe, 0x08, 0xea, + 0x92, 0xb2, 0x91, 0xcd, 0xb8, 0x97, 0xc0, 0x36, 0x06, 0x2f, 0x97, 0xf5, 0x61, 0xd5, 0x64, 0x36, + 0x94, 0x16, 0xd4, 0xd4, 0x2c, 0x24, 0xf6, 0x44, 0x04, 0x7a, 0x25, 0x46, 0x7e, 0x2d, 0xda, 0x7f, + 0x25, 0x02, 0xbc, 0x07, 0x5b, 0x82, 0xc8, 0x90, 0x33, 0x49, 0x6c, 0xc6, 0x99, 0x4b, 0xf4, 0x8d, + 0x38, 0xe0, 0xf5, 0xcc, 0x7a, 0x1e, 0x19, 0xf1, 0x07, 0xb0, 0x49, 0x84, 0xe0, 0xc2, 0xf6, 0x88, + 0x72, 0x68, 0xa0, 0x57, 0xe3, 0xfc, 0xd8, 0x4c, 0x68, 0x34, 0x45, 0xe8, 0x9a, 0xc3, 0x98, 0x46, + 0xab, 0x11, 0xc7, 0x7d, 0x1e, 0x87, 0x75, 0x6f, 0x10, 0xe0, 0x62, 0xb3, 0x09, 0xe4, 0x63, 0xba, + 0xfd, 0x14, 0xea, 0x19, 0xcd, 0x19, 0x6b, 0xa5, 0xdd, 0x5a, 0x69, 0xd0, 0xf1, 0xc6, 0xed, 0xef, + 0x6f, 0x3d, 0xb3, 0xf2, 0x43, 0xcb, 0x9a, 0xde, 0x81, 0x6a, 0xb1, 0xd7, 0x64, 0xd3, 0xbd, 0xa9, + 0xc0, 0xcb, 0x53, 0xe6, 0x0a, 0x32, 0x26, 0x4c, 0x39, 0xc1, 0x7d, 0x92, 0x16, 0x18, 0x40, 0xff, + 0x98, 0x01, 0x6d, 0xb1, 0x98, 0xef, 0x11, 0xb4, 0x28, 0xa3, 0x8a, 0x3a, 0x81, 0x9d, 0x55, 0x6f, + 0xa7, 0xa3, 0x90, 0x7a, 0x25, 0x6e, 0xfd, 0xac, 0x2c, 0xcd, 0xb2, 0x5a, 0xcd, 0xd3, 0x04, 0x31, + 0x1b, 0xcf, 0x45, 0x8a, 0x97, 0x08, 0x7a, 0x97, 0x96, 0x7b, 0xff, 0x5b, 0x35, 0x18, 0x5f, 0x44, + 0xf3, 0x7d, 0xb8, 0xac, 0xb5, 0xae, 0xd1, 0x6f, 0x08, 0x5e, 0x3d, 0x30, 0x80, 0x54, 0x64, 0x26, + 0xbc, 0x21, 0x67, 0x52, 0x91, 0xb1, 0x5d, 0xa2, 0xb5, 0xed, 0xc4, 0x75, 0xf1, 0xa4, 0x8a, 0xdb, + 0x87, 0x6d, 0x41, 0xc6, 0x7c, 0x4a, 0x3c, 0x3b, 0x47, 0x8a, 0x08, 0xac, 0x5b, 0xcd, 0xd4, 0x61, + 0xdd, 0x05, 0x97, 0x6b, 0xf0, 0x97, 0x0a, 0x34, 0x53, 0x0a, 0xf3, 0xd0, 0x7f, 0xa1, 0xbb, 0x36, + 0x80, 0xcb, 0x83, 0x80, 0xb8, 0xd1, 0x6b, 0x95, 0x4e, 0xb1, 0x60, 0xc1, 0xdf, 0xae, 0xd6, 0xde, + 0x51, 0xf9, 0x10, 0x16, 0x6b, 0xfc, 0x3f, 0xea, 0x0d, 0x77, 0xa0, 0x41, 0x73, 0x89, 0xe8, 0xcf, + 0x3b, 0xa8, 0x57, 0xb3, 0x8a, 0xa6, 0x27, 0x55, 0xe4, 0x77, 0x1a, 0xd4, 0x73, 0xce, 0xd6, 0x55, + 0xdf, 0x2a, 0xa2, 0x16, 0xd4, 0x59, 0x79, 0x32, 0x75, 0x6e, 0xac, 0x52, 0x67, 0xb5, 0xa0, 0xce, + 0xd5, 0x03, 0x1d, 0xfc, 0xa8, 0xc1, 0x8b, 0x23, 0xdf, 0x17, 0xc4, 0x77, 0x14, 0xf1, 0xf2, 0x5b, + 0x39, 0x24, 0x62, 0x4a, 0x5d, 0x82, 0x43, 0x68, 0x0d, 0x95, 0x20, 0xce, 0x38, 0x0f, 0xca, 0x93, + 0xee, 0x95, 0x35, 0x74, 0xef, 0x69, 0x33, 0xde, 0x5d, 0x15, 0x96, 0x48, 0xa7, 0xfb, 0xac, 0x87, + 0x0e, 0x10, 0xfe, 0x01, 0x41, 0xbb, 0xf0, 0x50, 0x94, 0xe5, 0x3d, 0x58, 0xf7, 0x75, 0x35, 0x0e, + 0xd7, 0x38, 0x51, 0xac, 0x66, 0x30, 0x85, 0xad, 0x2c, 0xef, 0x30, 0xfe, 0x62, 0x0f, 0x76, 0x4f, + 0xa4, 0x72, 0x2e, 0x03, 0x2a, 0xaf, 0xef, 0x5c, 0xf1, 0x88, 0xf0, 0x3b, 0x8f, 0xb9, 0x79, 0xc6, + 0xab, 0x65, 0x32, 0x90, 0x69, 0x5e, 0x05, 0x9b, 0x77, 0xe0, 0x94, 0x8d, 0x96, 0x65, 0x5d, 0x8e, + 0x67, 0x3c, 0xaa, 0xa8, 0x24, 0xeb, 0xf1, 0xfe, 0x4f, 0xf3, 0x36, 0xba, 0x9d, 0xb7, 0xd1, 0xaf, + 0xf3, 0x36, 0xfa, 0x63, 0xde, 0x46, 0x5f, 0xb7, 0x92, 0xc3, 0x94, 0xf7, 0x9d, 0x90, 0xf6, 0x8b, + 0x7f, 0x75, 0x97, 0xcf, 0xe3, 0xbf, 0xb9, 0xf7, 0xff, 0x0a, 0x00, 0x00, 0xff, 0xff, 0x4e, 0x31, + 0xdd, 0xdb, 0x47, 0x0a, 0x00, 0x00, } diff --git a/mcp/v1alpha1/mcp.proto b/mcp/v1alpha1/mcp.proto index 777f6ae0c6..3071452694 100644 --- a/mcp/v1alpha1/mcp.proto +++ b/mcp/v1alpha1/mcp.proto @@ -221,6 +221,11 @@ message RequestResources { // The *message* field in *error_details* provides the source internal error // related to the failure. google.rpc.Status error_detail = 5; + + // Request an incremental update for the specified collection. The source may choose to + // honor this request or ignore and and provide a full-state update in the corresponding + // `Resource` response. + bool incremental = 6; } // Resources do not need to include a full snapshot of the tracked @@ -246,16 +251,32 @@ message Resources { // The response resources wrapped in the common MCP *Resource* message. // These are typed resources that match the type url in the // RequestResources message. + // + // When `incremental` is true, this contains an array of resources to add/update + // for the specified collection. This modifies the existing collection at the sink + // + // When `incremental` is false, this contains the full set of resources for the + // specified collection. This replaces any previously delivered resources. repeated Resource resources = 3 [(gogoproto.nullable) = false]; // Names of resources that have been deleted and to be // removed from the MCP sink node. Removed resources for missing // resources can be ignored. + // + // When `incremental` is true, this contains an array of resource names to remove + // for the specified collection. This modifies the existing resource collection at + // the sink. + // + // When `incremental` is false, this field should be ignored. repeated string removed_resources = 4; // Required. The nonce provides a way for RequestChange to uniquely // reference a RequestResources. string nonce = 5; + + // This resource response is an incremental update. The source should only send + // incremental updates if the sink requested them. + bool incremental = 6; } // ResourceSource and ResourceSink services are semantically diff --git a/proto.lock b/proto.lock index 36b370e7cd..79d740c36d 100644 --- a/proto.lock +++ b/proto.lock @@ -581,6 +581,11 @@ "id": 5, "name": "error_detail", "type": "google.rpc.Status" + }, + { + "id": 6, + "name": "incremental", + "type": "bool" } ], "maps": [ @@ -623,6 +628,11 @@ "id": 5, "name": "nonce", "type": "string" + }, + { + "id": 6, + "name": "incremental", + "type": "bool" } ] } diff --git a/python/istio_api/mcp/v1alpha1/mcp_pb2.py b/python/istio_api/mcp/v1alpha1/mcp_pb2.py index c380d4d828..5607d90f33 100644 --- a/python/istio_api/mcp/v1alpha1/mcp_pb2.py +++ b/python/istio_api/mcp/v1alpha1/mcp_pb2.py @@ -22,7 +22,7 @@ name='mcp/v1alpha1/mcp.proto', package='istio.mcp.v1alpha1', syntax='proto3', - serialized_pb=_b('\n\x16mcp/v1alpha1/mcp.proto\x12\x12istio.mcp.v1alpha1\x1a\x17google/rpc/status.proto\x1a\x14gogoproto/gogo.proto\x1a\x1bmcp/v1alpha1/resource.proto\"\x8e\x01\n\x08SinkNode\x12\n\n\x02id\x18\x01 \x01(\t\x12\x42\n\x0b\x61nnotations\x18\x02 \x03(\x0b\x32-.istio.mcp.v1alpha1.SinkNode.AnnotationsEntry\x1a\x32\n\x10\x41nnotationsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\xae\x01\n\x11MeshConfigRequest\x12\x14\n\x0cversion_info\x18\x01 \x01(\t\x12/\n\tsink_node\x18\x02 \x01(\x0b\x32\x1c.istio.mcp.v1alpha1.SinkNode\x12\x10\n\x08type_url\x18\x03 \x01(\t\x12\x16\n\x0eresponse_nonce\x18\x04 \x01(\t\x12(\n\x0c\x65rror_detail\x18\x05 \x01(\x0b\x32\x12.google.rpc.Status\"\x82\x01\n\x12MeshConfigResponse\x12\x14\n\x0cversion_info\x18\x01 \x01(\t\x12\x35\n\tresources\x18\x02 \x03(\x0b\x32\x1c.istio.mcp.v1alpha1.ResourceB\x04\xc8\xde\x1f\x00\x12\x10\n\x08type_url\x18\x03 \x01(\t\x12\r\n\x05nonce\x18\x04 \x01(\t\"\xd5\x02\n\x1cIncrementalMeshConfigRequest\x12/\n\tsink_node\x18\x01 \x01(\x0b\x32\x1c.istio.mcp.v1alpha1.SinkNode\x12\x10\n\x08type_url\x18\x02 \x01(\t\x12p\n\x19initial_resource_versions\x18\x03 \x03(\x0b\x32M.istio.mcp.v1alpha1.IncrementalMeshConfigRequest.InitialResourceVersionsEntry\x12\x16\n\x0eresponse_nonce\x18\x04 \x01(\t\x12(\n\x0c\x65rror_detail\x18\x05 \x01(\x0b\x32\x12.google.rpc.Status\x1a>\n\x1cInitialResourceVersionsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\x9d\x01\n\x1dIncrementalMeshConfigResponse\x12\x1b\n\x13system_version_info\x18\x01 \x01(\t\x12\x35\n\tresources\x18\x02 \x03(\x0b\x32\x1c.istio.mcp.v1alpha1.ResourceB\x04\xc8\xde\x1f\x00\x12\x19\n\x11removed_resources\x18\x03 \x03(\t\x12\r\n\x05nonce\x18\x04 \x01(\t\"\xbf\x02\n\x10RequestResources\x12/\n\tsink_node\x18\x01 \x01(\x0b\x32\x1c.istio.mcp.v1alpha1.SinkNode\x12\x12\n\ncollection\x18\x02 \x01(\t\x12\x64\n\x19initial_resource_versions\x18\x03 \x03(\x0b\x32\x41.istio.mcp.v1alpha1.RequestResources.InitialResourceVersionsEntry\x12\x16\n\x0eresponse_nonce\x18\x04 \x01(\t\x12(\n\x0c\x65rror_detail\x18\x05 \x01(\x0b\x32\x12.google.rpc.Status\x1a>\n\x1cInitialResourceVersionsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\x9d\x01\n\tResources\x12\x1b\n\x13system_version_info\x18\x01 \x01(\t\x12\x12\n\ncollection\x18\x02 \x01(\t\x12\x35\n\tresources\x18\x03 \x03(\x0b\x32\x1c.istio.mcp.v1alpha1.ResourceB\x04\xc8\xde\x1f\x00\x12\x19\n\x11removed_resources\x18\x04 \x03(\t\x12\r\n\x05nonce\x18\x05 \x01(\t2\x9d\x02\n\x1b\x41ggregatedMeshConfigService\x12p\n\x19StreamAggregatedResources\x12%.istio.mcp.v1alpha1.MeshConfigRequest\x1a&.istio.mcp.v1alpha1.MeshConfigResponse\"\x00(\x01\x30\x01\x12\x8b\x01\n\x1eIncrementalAggregatedResources\x12\x30.istio.mcp.v1alpha1.IncrementalMeshConfigRequest\x1a\x31.istio.mcp.v1alpha1.IncrementalMeshConfigResponse\"\x00(\x01\x30\x01\x32v\n\x0eResourceSource\x12\x64\n\x17\x45stablishResourceStream\x12$.istio.mcp.v1alpha1.RequestResources\x1a\x1d.istio.mcp.v1alpha1.Resources\"\x00(\x01\x30\x01\x32t\n\x0cResourceSink\x12\x64\n\x17\x45stablishResourceStream\x12\x1d.istio.mcp.v1alpha1.Resources\x1a$.istio.mcp.v1alpha1.RequestResources\"\x00(\x01\x30\x01\x42\x1fZ\x19istio.io/api/mcp/v1alpha1\xa8\xe2\x1e\x01\x62\x06proto3') + serialized_pb=_b('\n\x16mcp/v1alpha1/mcp.proto\x12\x12istio.mcp.v1alpha1\x1a\x17google/rpc/status.proto\x1a\x14gogoproto/gogo.proto\x1a\x1bmcp/v1alpha1/resource.proto\"\x8e\x01\n\x08SinkNode\x12\n\n\x02id\x18\x01 \x01(\t\x12\x42\n\x0b\x61nnotations\x18\x02 \x03(\x0b\x32-.istio.mcp.v1alpha1.SinkNode.AnnotationsEntry\x1a\x32\n\x10\x41nnotationsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\xae\x01\n\x11MeshConfigRequest\x12\x14\n\x0cversion_info\x18\x01 \x01(\t\x12/\n\tsink_node\x18\x02 \x01(\x0b\x32\x1c.istio.mcp.v1alpha1.SinkNode\x12\x10\n\x08type_url\x18\x03 \x01(\t\x12\x16\n\x0eresponse_nonce\x18\x04 \x01(\t\x12(\n\x0c\x65rror_detail\x18\x05 \x01(\x0b\x32\x12.google.rpc.Status\"\x82\x01\n\x12MeshConfigResponse\x12\x14\n\x0cversion_info\x18\x01 \x01(\t\x12\x35\n\tresources\x18\x02 \x03(\x0b\x32\x1c.istio.mcp.v1alpha1.ResourceB\x04\xc8\xde\x1f\x00\x12\x10\n\x08type_url\x18\x03 \x01(\t\x12\r\n\x05nonce\x18\x04 \x01(\t\"\xd5\x02\n\x1cIncrementalMeshConfigRequest\x12/\n\tsink_node\x18\x01 \x01(\x0b\x32\x1c.istio.mcp.v1alpha1.SinkNode\x12\x10\n\x08type_url\x18\x02 \x01(\t\x12p\n\x19initial_resource_versions\x18\x03 \x03(\x0b\x32M.istio.mcp.v1alpha1.IncrementalMeshConfigRequest.InitialResourceVersionsEntry\x12\x16\n\x0eresponse_nonce\x18\x04 \x01(\t\x12(\n\x0c\x65rror_detail\x18\x05 \x01(\x0b\x32\x12.google.rpc.Status\x1a>\n\x1cInitialResourceVersionsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\x9d\x01\n\x1dIncrementalMeshConfigResponse\x12\x1b\n\x13system_version_info\x18\x01 \x01(\t\x12\x35\n\tresources\x18\x02 \x03(\x0b\x32\x1c.istio.mcp.v1alpha1.ResourceB\x04\xc8\xde\x1f\x00\x12\x19\n\x11removed_resources\x18\x03 \x03(\t\x12\r\n\x05nonce\x18\x04 \x01(\t\"\xd4\x02\n\x10RequestResources\x12/\n\tsink_node\x18\x01 \x01(\x0b\x32\x1c.istio.mcp.v1alpha1.SinkNode\x12\x12\n\ncollection\x18\x02 \x01(\t\x12\x64\n\x19initial_resource_versions\x18\x03 \x03(\x0b\x32\x41.istio.mcp.v1alpha1.RequestResources.InitialResourceVersionsEntry\x12\x16\n\x0eresponse_nonce\x18\x04 \x01(\t\x12(\n\x0c\x65rror_detail\x18\x05 \x01(\x0b\x32\x12.google.rpc.Status\x12\x13\n\x0bincremental\x18\x06 \x01(\x08\x1a>\n\x1cInitialResourceVersionsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\xb2\x01\n\tResources\x12\x1b\n\x13system_version_info\x18\x01 \x01(\t\x12\x12\n\ncollection\x18\x02 \x01(\t\x12\x35\n\tresources\x18\x03 \x03(\x0b\x32\x1c.istio.mcp.v1alpha1.ResourceB\x04\xc8\xde\x1f\x00\x12\x19\n\x11removed_resources\x18\x04 \x03(\t\x12\r\n\x05nonce\x18\x05 \x01(\t\x12\x13\n\x0bincremental\x18\x06 \x01(\x08\x32\x9d\x02\n\x1b\x41ggregatedMeshConfigService\x12p\n\x19StreamAggregatedResources\x12%.istio.mcp.v1alpha1.MeshConfigRequest\x1a&.istio.mcp.v1alpha1.MeshConfigResponse\"\x00(\x01\x30\x01\x12\x8b\x01\n\x1eIncrementalAggregatedResources\x12\x30.istio.mcp.v1alpha1.IncrementalMeshConfigRequest\x1a\x31.istio.mcp.v1alpha1.IncrementalMeshConfigResponse\"\x00(\x01\x30\x01\x32v\n\x0eResourceSource\x12\x64\n\x17\x45stablishResourceStream\x12$.istio.mcp.v1alpha1.RequestResources\x1a\x1d.istio.mcp.v1alpha1.Resources\"\x00(\x01\x30\x01\x32t\n\x0cResourceSink\x12\x64\n\x17\x45stablishResourceStream\x12\x1d.istio.mcp.v1alpha1.Resources\x1a$.istio.mcp.v1alpha1.RequestResources\"\x00(\x01\x30\x01\x42\x1fZ\x19istio.io/api/mcp/v1alpha1\xa8\xe2\x1e\x01\x62\x06proto3') , dependencies=[google_dot_rpc_dot_status__pb2.DESCRIPTOR,gogoproto_dot_gogo__pb2.DESCRIPTOR,mcp_dot_v1alpha1_dot_resource__pb2.DESCRIPTOR,]) @@ -442,6 +442,13 @@ message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, options=None, file=DESCRIPTOR), + _descriptor.FieldDescriptor( + name='incremental', full_name='istio.mcp.v1alpha1.RequestResources.incremental', index=5, + number=6, type=8, cpp_type=7, label=1, + has_default_value=False, default_value=False, + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + options=None, file=DESCRIPTOR), ], extensions=[ ], @@ -455,7 +462,7 @@ oneofs=[ ], serialized_start=1082, - serialized_end=1401, + serialized_end=1422, ) @@ -501,6 +508,13 @@ message_type=None, enum_type=None, containing_type=None, is_extension=False, extension_scope=None, options=None, file=DESCRIPTOR), + _descriptor.FieldDescriptor( + name='incremental', full_name='istio.mcp.v1alpha1.Resources.incremental', index=5, + number=6, type=8, cpp_type=7, label=1, + has_default_value=False, default_value=False, + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + options=None, file=DESCRIPTOR), ], extensions=[ ], @@ -513,8 +527,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=1404, - serialized_end=1561, + serialized_start=1425, + serialized_end=1603, ) _SINKNODE_ANNOTATIONSENTRY.containing_type = _SINKNODE @@ -636,8 +650,8 @@ file=DESCRIPTOR, index=0, options=None, - serialized_start=1564, - serialized_end=1849, + serialized_start=1606, + serialized_end=1891, methods=[ _descriptor.MethodDescriptor( name='StreamAggregatedResources', @@ -669,8 +683,8 @@ file=DESCRIPTOR, index=1, options=None, - serialized_start=1851, - serialized_end=1969, + serialized_start=1893, + serialized_end=2011, methods=[ _descriptor.MethodDescriptor( name='EstablishResourceStream', @@ -693,8 +707,8 @@ file=DESCRIPTOR, index=2, options=None, - serialized_start=1971, - serialized_end=2087, + serialized_start=2013, + serialized_end=2129, methods=[ _descriptor.MethodDescriptor( name='EstablishResourceStream', From aec9db9d9a57faf688b4d5606fddede85d4d3855 Mon Sep 17 00:00:00 2001 From: Diem Vu <25132401+diemtvu@users.noreply.github.com> Date: Wed, 16 Jan 2019 12:55:48 -0800 Subject: [PATCH 3/3] Add option to select worload using lables for authn policy. (#755) * Add option to select workload using labels for authn policy * Make proto-commit --- authentication/v1alpha1/policy.pb.go | 259 ++++++++++++++---- authentication/v1alpha1/policy.proto | 6 + proto.lock | 10 + .../authentication/v1alpha1/policy_pb2.py | 74 ++++- 4 files changed, 290 insertions(+), 59 deletions(-) diff --git a/authentication/v1alpha1/policy.pb.go b/authentication/v1alpha1/policy.pb.go index c5a8a66419..dd8e1fa157 100644 --- a/authentication/v1alpha1/policy.pb.go +++ b/authentication/v1alpha1/policy.pb.go @@ -786,6 +786,11 @@ type TargetSelector struct { // REQUIRED. The name must be a short name from the service registry. The // fully qualified domain name will be resolved in a platform specific manner. Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` + // $hide_from_docs + // $not-implemented-hide + // Select workload by labels. + // Once implemented, this is a prefer way over using service name. + Labels map[string]string `protobuf:"bytes,3,rep,name=labels" json:"labels,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` // Specifies the ports. Note that this is the port(s) exposed by the service, not workload ports. // For example, if a service is defined as below, then `8000` should be used, not `9000`. // ``` @@ -816,6 +821,13 @@ func (m *TargetSelector) GetName() string { return "" } +func (m *TargetSelector) GetLabels() map[string]string { + if m != nil { + return m.Labels + } + return nil +} + func (m *TargetSelector) GetPorts() []*PortSelector { if m != nil { return m.Ports @@ -1365,6 +1377,23 @@ func (m *TargetSelector) MarshalTo(dAtA []byte) (int, error) { i += n } } + if len(m.Labels) > 0 { + for k, _ := range m.Labels { + dAtA[i] = 0x1a + i++ + v := m.Labels[k] + mapSize := 1 + len(k) + sovPolicy(uint64(len(k))) + 1 + len(v) + sovPolicy(uint64(len(v))) + i = encodeVarintPolicy(dAtA, i, uint64(mapSize)) + dAtA[i] = 0xa + i++ + i = encodeVarintPolicy(dAtA, i, uint64(len(k))) + i += copy(dAtA[i:], k) + dAtA[i] = 0x12 + i++ + i = encodeVarintPolicy(dAtA, i, uint64(len(v))) + i += copy(dAtA[i:], v) + } + } return i, nil } @@ -1605,6 +1634,14 @@ func (m *TargetSelector) Size() (n int) { n += 1 + l + sovPolicy(uint64(l)) } } + if len(m.Labels) > 0 { + for k, v := range m.Labels { + _ = k + _ = v + mapEntrySize := 1 + len(k) + sovPolicy(uint64(len(k))) + 1 + len(v) + sovPolicy(uint64(len(v))) + n += mapEntrySize + 1 + sovPolicy(uint64(mapEntrySize)) + } + } return n } @@ -2725,6 +2762,124 @@ func (m *TargetSelector) Unmarshal(dAtA []byte) error { return err } iNdEx = postIndex + case 3: + if wireType != 2 { + return fmt.Errorf("proto: wrong wireType = %d for field Labels", wireType) + } + var msglen int + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowPolicy + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + msglen |= (int(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + if msglen < 0 { + return ErrInvalidLengthPolicy + } + postIndex := iNdEx + msglen + if postIndex > l { + return io.ErrUnexpectedEOF + } + if m.Labels == nil { + m.Labels = make(map[string]string) + } + var mapkey string + var mapvalue string + for iNdEx < postIndex { + entryPreIndex := iNdEx + var wire uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowPolicy + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + wire |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + fieldNum := int32(wire >> 3) + if fieldNum == 1 { + var stringLenmapkey uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowPolicy + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLenmapkey |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLenmapkey := int(stringLenmapkey) + if intStringLenmapkey < 0 { + return ErrInvalidLengthPolicy + } + postStringIndexmapkey := iNdEx + intStringLenmapkey + if postStringIndexmapkey > l { + return io.ErrUnexpectedEOF + } + mapkey = string(dAtA[iNdEx:postStringIndexmapkey]) + iNdEx = postStringIndexmapkey + } else if fieldNum == 2 { + var stringLenmapvalue uint64 + for shift := uint(0); ; shift += 7 { + if shift >= 64 { + return ErrIntOverflowPolicy + } + if iNdEx >= l { + return io.ErrUnexpectedEOF + } + b := dAtA[iNdEx] + iNdEx++ + stringLenmapvalue |= (uint64(b) & 0x7F) << shift + if b < 0x80 { + break + } + } + intStringLenmapvalue := int(stringLenmapvalue) + if intStringLenmapvalue < 0 { + return ErrInvalidLengthPolicy + } + postStringIndexmapvalue := iNdEx + intStringLenmapvalue + if postStringIndexmapvalue > l { + return io.ErrUnexpectedEOF + } + mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue]) + iNdEx = postStringIndexmapvalue + } else { + iNdEx = entryPreIndex + skippy, err := skipPolicy(dAtA[iNdEx:]) + if err != nil { + return err + } + if skippy < 0 { + return ErrInvalidLengthPolicy + } + if (iNdEx + skippy) > postIndex { + return io.ErrUnexpectedEOF + } + iNdEx += skippy + } + } + m.Labels[mapkey] = mapvalue + iNdEx = postIndex default: iNdEx = preIndex skippy, err := skipPolicy(dAtA[iNdEx:]) @@ -2953,54 +3108,58 @@ var ( func init() { proto.RegisterFile("authentication/v1alpha1/policy.proto", fileDescriptorPolicy) } var fileDescriptorPolicy = []byte{ - // 779 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x55, 0x41, 0x8f, 0xe3, 0x34, - 0x14, 0x6e, 0xa6, 0x6d, 0xda, 0xbe, 0x76, 0xaa, 0x62, 0xa1, 0x55, 0x58, 0xd8, 0x61, 0x14, 0xed, - 0xa1, 0x5a, 0x20, 0x65, 0x0b, 0x02, 0x71, 0x41, 0x9a, 0xa2, 0xb2, 0xed, 0x4a, 0x65, 0x8a, 0xd3, - 0xe5, 0x80, 0x90, 0x22, 0x4f, 0xe2, 0x4d, 0x5d, 0xd2, 0x24, 0x72, 0x1c, 0xd2, 0x39, 0xf1, 0x13, - 0xf8, 0x03, 0x5c, 0x38, 0x73, 0xe4, 0x4f, 0x70, 0xe4, 0x27, 0xa0, 0xf9, 0x25, 0xc8, 0x76, 0xc3, - 0xb4, 0x23, 0x86, 0xcc, 0xde, 0xfc, 0xbd, 0xe7, 0xef, 0x7b, 0x2f, 0x9f, 0xed, 0x17, 0x78, 0x4a, - 0x72, 0xb1, 0xa6, 0xb1, 0x60, 0x3e, 0x11, 0x2c, 0x89, 0x47, 0x3f, 0x3d, 0x27, 0x51, 0xba, 0x26, - 0xcf, 0x47, 0x69, 0x12, 0x31, 0xff, 0xda, 0x49, 0x79, 0x22, 0x12, 0xf4, 0x84, 0x65, 0x82, 0x25, - 0xce, 0xf1, 0x5e, 0xa7, 0xdc, 0x6b, 0xff, 0x0c, 0x5d, 0x57, 0x70, 0x16, 0x87, 0x0b, 0x22, 0xfc, - 0x35, 0x7a, 0x04, 0x4d, 0xba, 0x23, 0xbe, 0xb0, 0x8c, 0x73, 0x63, 0xd8, 0x99, 0xd5, 0xb0, 0x86, - 0xc8, 0x02, 0x33, 0xe5, 0xf4, 0x35, 0xdb, 0x59, 0x27, 0xfb, 0xc4, 0x1e, 0xcb, 0x4c, 0x96, 0xbf, - 0x96, 0x99, 0x7a, 0x99, 0xd1, 0x58, 0x6a, 0x71, 0x1a, 0xd2, 0x9d, 0xd5, 0x28, 0xb5, 0x14, 0x9c, - 0xf4, 0x00, 0xb6, 0xb2, 0x98, 0x27, 0xae, 0x53, 0x6a, 0xff, 0x62, 0x40, 0x67, 0x91, 0x8b, 0x9c, - 0x44, 0xab, 0x28, 0x43, 0xef, 0x42, 0x87, 0x44, 0x51, 0x52, 0x78, 0x22, 0xca, 0x54, 0x0f, 0x6d, - 0xdc, 0x56, 0x01, 0x99, 0xbc, 0x80, 0xc6, 0x36, 0x09, 0xa8, 0x6a, 0xa1, 0x3f, 0xfe, 0xc8, 0xf9, - 0xdf, 0x2f, 0x73, 0xfe, 0x15, 0x75, 0x16, 0x49, 0x40, 0xb1, 0xa2, 0xda, 0x36, 0x34, 0x24, 0x42, - 0x00, 0xa6, 0xbb, 0xc2, 0xf3, 0xaf, 0x56, 0x83, 0x1a, 0xea, 0x03, 0x2c, 0xa7, 0x78, 0x31, 0x77, - 0xdd, 0xf9, 0x77, 0xd3, 0x81, 0x61, 0xff, 0x56, 0x87, 0xfa, 0xcb, 0x42, 0xa0, 0x47, 0x60, 0xb2, - 0x2c, 0xcb, 0x29, 0xd7, 0x66, 0xe0, 0x3d, 0x42, 0xef, 0x41, 0x87, 0xe4, 0x01, 0xa3, 0xb1, 0x4f, - 0x33, 0xeb, 0xe4, 0xbc, 0x3e, 0xec, 0xe0, 0xdb, 0x00, 0x7a, 0x07, 0xda, 0x9b, 0xe2, 0xc7, 0xcc, - 0xcb, 0x39, 0xd3, 0x8e, 0xe0, 0x96, 0xc4, 0xaf, 0x38, 0x43, 0xef, 0x43, 0x77, 0x53, 0x08, 0x6f, - 0x4d, 0x49, 0x40, 0x79, 0x66, 0x99, 0x8a, 0x0a, 0x9b, 0x42, 0xcc, 0x74, 0x04, 0x3d, 0x01, 0x89, - 0xbc, 0x94, 0x70, 0xb2, 0xcd, 0xac, 0x96, 0x96, 0xde, 0x14, 0x62, 0xa9, 0x02, 0xc8, 0x85, 0x53, - 0xc1, 0x59, 0x18, 0x52, 0xee, 0xf1, 0x3c, 0xa2, 0x99, 0xd5, 0x39, 0xaf, 0x0f, 0xbb, 0x63, 0xa7, - 0xc2, 0x88, 0x97, 0x85, 0x70, 0x56, 0x9a, 0x87, 0xf3, 0x88, 0xe2, 0x9e, 0xb8, 0x05, 0xd9, 0xe3, - 0x3f, 0x0c, 0xe8, 0x1e, 0x64, 0xd1, 0xb7, 0xd0, 0xa7, 0x3b, 0x3f, 0xca, 0x03, 0x1a, 0x78, 0x29, - 0x11, 0x6b, 0x79, 0x0c, 0xb2, 0xca, 0xb3, 0x8a, 0x2a, 0x07, 0xb7, 0x08, 0x9f, 0x96, 0x0a, 0x4b, - 0x29, 0x20, 0x25, 0x59, 0x7c, 0x24, 0x79, 0xf2, 0xe6, 0x92, 0xa5, 0x82, 0x92, 0xb4, 0x7f, 0x35, - 0xc0, 0x5a, 0x52, 0xca, 0x2f, 0x8e, 0xa8, 0x0b, 0x2a, 0xd6, 0x49, 0x80, 0xbe, 0x84, 0xc6, 0xb6, - 0xbc, 0x3f, 0xdd, 0xf1, 0xf0, 0xa1, 0xf7, 0x64, 0x56, 0xc3, 0x8a, 0x87, 0x3e, 0x83, 0xfa, 0xa6, - 0x10, 0xea, 0x9a, 0x75, 0xc7, 0x76, 0xb5, 0xbb, 0xb3, 0x1a, 0x96, 0x84, 0x49, 0x1b, 0x4c, 0x7d, - 0x74, 0x36, 0x86, 0xc7, 0x97, 0x9c, 0x85, 0x2c, 0xfe, 0xcf, 0xfe, 0x3e, 0xd5, 0xfa, 0xc6, 0x43, - 0xf5, 0x95, 0xba, 0xfd, 0x7b, 0x1d, 0xcc, 0xa5, 0x7a, 0xd9, 0xe8, 0x05, 0xb4, 0x04, 0xe1, 0x21, - 0x15, 0xe5, 0xe1, 0x54, 0xbd, 0x85, 0x95, 0xda, 0xed, 0xd2, 0x88, 0xfa, 0x22, 0xe1, 0xb8, 0x64, - 0xa3, 0x05, 0x34, 0x53, 0x2a, 0xef, 0xa2, 0x3e, 0x90, 0xcf, 0x2b, 0x64, 0xee, 0x73, 0x1c, 0x6b, - 0x15, 0x34, 0x84, 0x81, 0x5c, 0x78, 0x2c, 0xf3, 0x92, 0x54, 0xa6, 0x49, 0xa4, 0xde, 0x40, 0x1b, - 0xf7, 0x65, 0x7c, 0x9e, 0x5d, 0xee, 0xa3, 0xc8, 0x85, 0x56, 0xa2, 0x0c, 0xca, 0xac, 0x86, 0x2a, - 0xfd, 0x45, 0x45, 0xe9, 0xfb, 0xed, 0xc4, 0xa5, 0x12, 0xfa, 0x10, 0x90, 0x5e, 0x1e, 0x35, 0xd0, - 0x54, 0x0d, 0x0c, 0x74, 0xe6, 0xa0, 0x85, 0x1f, 0xe0, 0xad, 0x94, 0xb3, 0xd8, 0x67, 0x29, 0x89, - 0xbc, 0x2b, 0x16, 0x07, 0x2c, 0x0e, 0x2d, 0x53, 0x8d, 0x96, 0x51, 0x95, 0x0f, 0x25, 0x6f, 0xa2, - 0x69, 0x78, 0x90, 0xde, 0x89, 0xd8, 0x21, 0xf4, 0x8f, 0x4d, 0x47, 0x08, 0x1a, 0x31, 0xd9, 0xd2, - 0xfd, 0x30, 0x51, 0x6b, 0x74, 0x01, 0xcd, 0x34, 0xe1, 0xa2, 0xf4, 0xff, 0x83, 0xaa, 0xba, 0x09, - 0xbf, 0x3d, 0x44, 0xcd, 0xb4, 0xbf, 0x86, 0xde, 0x61, 0x58, 0xce, 0xe3, 0x38, 0xdf, 0x5e, 0xed, - 0xa7, 0xd6, 0xa9, 0x9c, 0xc7, 0x1a, 0xa3, 0xb7, 0xf7, 0x0d, 0x94, 0x13, 0x5c, 0xa1, 0x89, 0x09, - 0x0d, 0x29, 0xf4, 0xec, 0x63, 0x18, 0xdc, 0xfd, 0x2c, 0xd4, 0x83, 0xf6, 0x2b, 0x77, 0xea, 0x2d, - 0xa7, 0x53, 0xac, 0xe7, 0xa4, 0x44, 0x97, 0x78, 0xfe, 0x62, 0xfe, 0xcd, 0xc0, 0x98, 0x8c, 0xff, - 0xbc, 0x39, 0x33, 0xfe, 0xba, 0x39, 0x33, 0xfe, 0xbe, 0x39, 0x33, 0xbe, 0x7f, 0xaa, 0x5b, 0x67, - 0xc9, 0x88, 0xa4, 0x6c, 0x74, 0xcf, 0xaf, 0xe9, 0xca, 0x54, 0x3f, 0xa5, 0x4f, 0xfe, 0x09, 0x00, - 0x00, 0xff, 0xff, 0x9e, 0x76, 0x95, 0xa9, 0xbc, 0x06, 0x00, 0x00, + // 839 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x55, 0x4f, 0x6f, 0xe3, 0x44, + 0x14, 0xaf, 0xeb, 0xc4, 0x4d, 0x5e, 0xda, 0x28, 0x8c, 0x56, 0x2b, 0x53, 0xd8, 0x52, 0x59, 0x7b, + 0x88, 0x16, 0x70, 0xd8, 0x80, 0x80, 0xe5, 0x80, 0xd4, 0xa0, 0xb0, 0xcd, 0x8a, 0xd0, 0xec, 0x24, + 0xcb, 0x01, 0x21, 0x59, 0xd3, 0x64, 0x36, 0x99, 0xec, 0xc4, 0xb6, 0x66, 0xc6, 0x9b, 0xe6, 0xc4, + 0x47, 0xe0, 0x0b, 0x70, 0xe1, 0xcc, 0x91, 0x2f, 0xc1, 0x91, 0x8f, 0x80, 0xfa, 0x1d, 0xb8, 0xa3, + 0x99, 0xb1, 0x69, 0xb2, 0xa2, 0xb8, 0xdc, 0xe6, 0xf7, 0x9e, 0x7f, 0xbf, 0xf7, 0xfc, 0x7b, 0xf3, + 0x07, 0x1e, 0x92, 0x4c, 0x2d, 0x68, 0xac, 0xd8, 0x94, 0x28, 0x96, 0xc4, 0x9d, 0xd7, 0x8f, 0x09, + 0x4f, 0x17, 0xe4, 0x71, 0x27, 0x4d, 0x38, 0x9b, 0x6e, 0xc2, 0x54, 0x24, 0x2a, 0x41, 0x0f, 0x98, + 0x54, 0x2c, 0x09, 0x77, 0xbf, 0x0d, 0x8b, 0x6f, 0x83, 0x1f, 0xa1, 0x31, 0x56, 0x82, 0xc5, 0xf3, + 0x21, 0x51, 0xd3, 0x05, 0xba, 0x0f, 0x55, 0x7a, 0x45, 0xa6, 0xca, 0x77, 0x4e, 0x9d, 0x76, 0xfd, + 0x7c, 0x0f, 0x5b, 0x88, 0x7c, 0xf0, 0x52, 0x41, 0x5f, 0xb2, 0x2b, 0x7f, 0x3f, 0x4f, 0xe4, 0x58, + 0x67, 0x64, 0xf6, 0x52, 0x67, 0xdc, 0x22, 0x63, 0xb1, 0xd6, 0x12, 0x74, 0x4e, 0xaf, 0xfc, 0x4a, + 0xa1, 0x65, 0x60, 0xef, 0x10, 0x60, 0xa5, 0x8b, 0x45, 0x6a, 0x93, 0xd2, 0xe0, 0x27, 0x07, 0xea, + 0xc3, 0x4c, 0x65, 0x84, 0x4f, 0xb8, 0x44, 0xef, 0x40, 0x9d, 0x70, 0x9e, 0xac, 0x23, 0xc5, 0xa5, + 0xe9, 0xa1, 0x86, 0x6b, 0x26, 0xa0, 0x93, 0x67, 0x50, 0x59, 0x25, 0x33, 0x6a, 0x5a, 0x68, 0x76, + 0x3f, 0x0c, 0xff, 0xf3, 0xcf, 0xc2, 0x7f, 0x44, 0xc3, 0x61, 0x32, 0xa3, 0xd8, 0x50, 0x83, 0x00, + 0x2a, 0x1a, 0x21, 0x00, 0x6f, 0x3c, 0xc1, 0x83, 0xaf, 0x26, 0xad, 0x3d, 0xd4, 0x04, 0x18, 0xf5, + 0xf1, 0x70, 0x30, 0x1e, 0x0f, 0xbe, 0xeb, 0xb7, 0x9c, 0xe0, 0x17, 0x17, 0xdc, 0x67, 0x6b, 0x85, + 0xee, 0x83, 0xc7, 0xa4, 0xcc, 0xa8, 0xb0, 0x66, 0xe0, 0x1c, 0xa1, 0x77, 0xa1, 0x4e, 0xb2, 0x19, + 0xa3, 0xf1, 0x94, 0x4a, 0x7f, 0xff, 0xd4, 0x6d, 0xd7, 0xf1, 0x4d, 0x00, 0xbd, 0x0d, 0xb5, 0xe5, + 0xfa, 0x95, 0x8c, 0x32, 0xc1, 0xac, 0x23, 0xf8, 0x40, 0xe3, 0x17, 0x82, 0xa1, 0xf7, 0xa0, 0xb1, + 0x5c, 0xab, 0x68, 0x41, 0xc9, 0x8c, 0x0a, 0xe9, 0x7b, 0x86, 0x0a, 0xcb, 0xb5, 0x3a, 0xb7, 0x11, + 0xf4, 0x00, 0x34, 0x8a, 0x52, 0x22, 0xc8, 0x4a, 0xfa, 0x07, 0x56, 0x7a, 0xb9, 0x56, 0x23, 0x13, + 0x40, 0x63, 0x38, 0x52, 0x82, 0xcd, 0xe7, 0x54, 0x44, 0x22, 0xe3, 0x54, 0xfa, 0xf5, 0x53, 0xb7, + 0xdd, 0xe8, 0x86, 0x25, 0x46, 0x3c, 0x5b, 0xab, 0x70, 0x62, 0x79, 0x38, 0xe3, 0x14, 0x1f, 0xaa, + 0x1b, 0x20, 0x8f, 0x7f, 0x73, 0xa0, 0xb1, 0x95, 0x45, 0xcf, 0xa1, 0x49, 0xaf, 0xa6, 0x3c, 0x9b, + 0xd1, 0x59, 0x94, 0x12, 0xb5, 0xd0, 0x63, 0xd0, 0x55, 0x1e, 0x95, 0x54, 0xd9, 0xda, 0x45, 0xf8, + 0xa8, 0x50, 0x18, 0x69, 0x01, 0x2d, 0xc9, 0xe2, 0x1d, 0xc9, 0xfd, 0xff, 0x2f, 0x59, 0x28, 0x18, + 0xc9, 0xe0, 0x67, 0x07, 0xfc, 0x11, 0xa5, 0xe2, 0x6c, 0x87, 0x3a, 0xa4, 0x6a, 0x91, 0xcc, 0xd0, + 0x97, 0x50, 0x59, 0x15, 0xfb, 0xa7, 0xd1, 0x6d, 0xdf, 0x75, 0x9f, 0x9c, 0xef, 0x61, 0xc3, 0x43, + 0x9f, 0x82, 0xbb, 0x5c, 0x2b, 0xb3, 0xcd, 0x1a, 0xdd, 0xa0, 0xdc, 0xdd, 0xf3, 0x3d, 0xac, 0x09, + 0xbd, 0x1a, 0x78, 0x76, 0x74, 0x01, 0x86, 0xe3, 0x0b, 0xc1, 0xe6, 0x2c, 0xfe, 0xd7, 0xfe, 0x3e, + 0xb1, 0xfa, 0xce, 0x5d, 0xf5, 0x8d, 0x7a, 0xf0, 0xab, 0x0b, 0xde, 0xc8, 0x9c, 0x6c, 0xf4, 0x14, + 0x0e, 0x14, 0x11, 0x73, 0xaa, 0x8a, 0xe1, 0x94, 0x9d, 0x85, 0x89, 0xf9, 0x7a, 0x4c, 0x39, 0x9d, + 0xaa, 0x44, 0xe0, 0x82, 0x8d, 0x86, 0x50, 0x4d, 0xa9, 0xde, 0x8b, 0x76, 0x20, 0x9f, 0x95, 0xc8, + 0xdc, 0xe6, 0x38, 0xb6, 0x2a, 0xa8, 0x0d, 0x2d, 0xbd, 0x88, 0x98, 0x8c, 0x92, 0x54, 0xa7, 0x09, + 0x37, 0x67, 0xa0, 0x86, 0x9b, 0x3a, 0x3e, 0x90, 0x17, 0x79, 0x14, 0x8d, 0xe1, 0x20, 0x31, 0x06, + 0x49, 0xbf, 0x62, 0x4a, 0x3f, 0x29, 0x29, 0x7d, 0xbb, 0x9d, 0xb8, 0x50, 0x42, 0x1f, 0x00, 0xb2, + 0xcb, 0x9d, 0x06, 0xaa, 0xa6, 0x81, 0x96, 0xcd, 0x6c, 0xb5, 0xf0, 0x03, 0xbc, 0x95, 0x0a, 0x16, + 0x4f, 0x59, 0x4a, 0x78, 0x74, 0xc9, 0xe2, 0x19, 0x8b, 0xe7, 0xbe, 0x67, 0xae, 0x96, 0x4e, 0x99, + 0x0f, 0x05, 0xaf, 0x67, 0x69, 0xb8, 0x95, 0xbe, 0x11, 0x09, 0xfe, 0x72, 0xa0, 0xb9, 0xeb, 0x3a, + 0x42, 0x50, 0x89, 0xc9, 0x8a, 0xe6, 0xb7, 0x89, 0x59, 0xa3, 0x33, 0xa8, 0xa6, 0x89, 0x50, 0xc5, + 0x00, 0xde, 0x2f, 0x2b, 0x9c, 0x88, 0x9b, 0x29, 0x5a, 0x26, 0x7a, 0x0e, 0x1e, 0x27, 0x97, 0x94, + 0x4b, 0xdf, 0xbd, 0x93, 0x93, 0xbb, 0x5d, 0x85, 0xdf, 0x18, 0x6e, 0x3f, 0x56, 0x62, 0x83, 0x73, + 0xa1, 0xe3, 0x27, 0xd0, 0xd8, 0x0a, 0xa3, 0x16, 0xb8, 0xaf, 0xe8, 0x26, 0xef, 0x5b, 0x2f, 0xd1, + 0x3d, 0xa8, 0xbe, 0x26, 0x3c, 0xb3, 0x57, 0x71, 0x1d, 0x5b, 0xf0, 0xc5, 0xfe, 0xe7, 0x4e, 0xf0, + 0x35, 0x1c, 0x6e, 0x37, 0xa9, 0x9f, 0x87, 0x38, 0x5b, 0x5d, 0xe6, 0x97, 0xe8, 0x91, 0x7e, 0x1e, + 0x2c, 0x46, 0xf7, 0x72, 0x3b, 0x8a, 0x07, 0xc5, 0xa0, 0x9e, 0x07, 0x15, 0xfd, 0x5b, 0x8f, 0x3e, + 0x82, 0xd6, 0x9b, 0x2e, 0xa3, 0x43, 0xa8, 0xbd, 0x18, 0xf7, 0xa3, 0x51, 0xbf, 0x8f, 0xed, 0xb5, + 0xad, 0xd1, 0x05, 0x1e, 0x3c, 0x1d, 0x7c, 0xdb, 0x72, 0x7a, 0xdd, 0xdf, 0xaf, 0x4f, 0x9c, 0x3f, + 0xae, 0x4f, 0x9c, 0x3f, 0xaf, 0x4f, 0x9c, 0xef, 0x1f, 0x5a, 0x13, 0x58, 0xd2, 0x21, 0x29, 0xeb, + 0xdc, 0xf2, 0x52, 0x5e, 0x7a, 0xe6, 0x8d, 0xfc, 0xf8, 0xef, 0x00, 0x00, 0x00, 0xff, 0xff, 0x46, + 0xc2, 0xaa, 0x6f, 0x4b, 0x07, 0x00, 0x00, } diff --git a/authentication/v1alpha1/policy.proto b/authentication/v1alpha1/policy.proto index 32a56ac0f5..5701835bed 100644 --- a/authentication/v1alpha1/policy.proto +++ b/authentication/v1alpha1/policy.proto @@ -360,6 +360,12 @@ message TargetSelector { // fully qualified domain name will be resolved in a platform specific manner. string name = 1; + // $hide_from_docs + // $not-implemented-hide + // Select workload by labels. + // Once implemented, this is a prefer way over using service name. + map labels = 3; + // Specifies the ports. Note that this is the port(s) exposed by the service, not workload ports. // For example, if a service is defined as below, then `8000` should be used, not `9000`. // ``` diff --git a/proto.lock b/proto.lock index 79d740c36d..67af790a4d 100644 --- a/proto.lock +++ b/proto.lock @@ -207,6 +207,16 @@ "type": "PortSelector", "is_repeated": true } + ], + "maps": [ + { + "key_type": "string", + "field": { + "id": 3, + "name": "labels", + "type": "string" + } + } ] }, { diff --git a/python/istio_api/authentication/v1alpha1/policy_pb2.py b/python/istio_api/authentication/v1alpha1/policy_pb2.py index 2ba26d5697..070cf8c75c 100644 --- a/python/istio_api/authentication/v1alpha1/policy_pb2.py +++ b/python/istio_api/authentication/v1alpha1/policy_pb2.py @@ -20,7 +20,7 @@ name='authentication/v1alpha1/policy.proto', package='istio.authentication.v1alpha1', syntax='proto3', - serialized_pb=_b('\n$authentication/v1alpha1/policy.proto\x12\x1distio.authentication.v1alpha1\"a\n\x0bStringMatch\x12\x0f\n\x05\x65xact\x18\x01 \x01(\tH\x00\x12\x10\n\x06prefix\x18\x02 \x01(\tH\x00\x12\x10\n\x06suffix\x18\x03 \x01(\tH\x00\x12\x0f\n\x05regex\x18\x04 \x01(\tH\x00\x42\x0c\n\nmatch_type\"\x7f\n\tMutualTls\x12\x11\n\tallow_tls\x18\x01 \x01(\x08\x12;\n\x04mode\x18\x02 \x01(\x0e\x32-.istio.authentication.v1alpha1.MutualTls.Mode\"\"\n\x04Mode\x12\n\n\x06STRICT\x10\x00\x12\x0e\n\nPERMISSIVE\x10\x01\"\xc2\x02\n\x03Jwt\x12\x0e\n\x06issuer\x18\x01 \x01(\t\x12\x11\n\taudiences\x18\x02 \x03(\t\x12\x10\n\x08jwks_uri\x18\x03 \x01(\t\x12\x13\n\x0bjwt_headers\x18\x06 \x03(\t\x12\x12\n\njwt_params\x18\x07 \x03(\t\x12\x45\n\rtrigger_rules\x18\t \x03(\x0b\x32..istio.authentication.v1alpha1.Jwt.TriggerRule\x1a\x95\x01\n\x0bTriggerRule\x12\x42\n\x0e\x65xcluded_paths\x18\x01 \x03(\x0b\x32*.istio.authentication.v1alpha1.StringMatch\x12\x42\n\x0eincluded_paths\x18\x02 \x03(\x0b\x32*.istio.authentication.v1alpha1.StringMatch\"\x91\x01\n\x18PeerAuthenticationMethod\x12\x38\n\x04mtls\x18\x01 \x01(\x0b\x32(.istio.authentication.v1alpha1.MutualTlsH\x00\x12\x31\n\x03jwt\x18\x02 \x01(\x0b\x32\".istio.authentication.v1alpha1.JwtH\x00\x42\x08\n\x06params\"M\n\x1aOriginAuthenticationMethod\x12/\n\x03jwt\x18\x01 \x01(\x0b\x32\".istio.authentication.v1alpha1.Jwt\"\xde\x02\n\x06Policy\x12>\n\x07targets\x18\x01 \x03(\x0b\x32-.istio.authentication.v1alpha1.TargetSelector\x12\x46\n\x05peers\x18\x02 \x03(\x0b\x32\x37.istio.authentication.v1alpha1.PeerAuthenticationMethod\x12\x18\n\x10peer_is_optional\x18\x03 \x01(\x08\x12J\n\x07origins\x18\x04 \x03(\x0b\x32\x39.istio.authentication.v1alpha1.OriginAuthenticationMethod\x12\x1a\n\x12origin_is_optional\x18\x05 \x01(\x08\x12J\n\x11principal_binding\x18\x06 \x01(\x0e\x32/.istio.authentication.v1alpha1.PrincipalBinding\"Z\n\x0eTargetSelector\x12\x0c\n\x04name\x18\x01 \x01(\t\x12:\n\x05ports\x18\x02 \x03(\x0b\x32+.istio.authentication.v1alpha1.PortSelector\"8\n\x0cPortSelector\x12\x10\n\x06number\x18\x01 \x01(\rH\x00\x12\x0e\n\x04name\x18\x02 \x01(\tH\x00\x42\x06\n\x04port*0\n\x10PrincipalBinding\x12\x0c\n\x08USE_PEER\x10\x00\x12\x0e\n\nUSE_ORIGIN\x10\x01\x42&Z$istio.io/api/authentication/v1alpha1b\x06proto3') + serialized_pb=_b('\n$authentication/v1alpha1/policy.proto\x12\x1distio.authentication.v1alpha1\"a\n\x0bStringMatch\x12\x0f\n\x05\x65xact\x18\x01 \x01(\tH\x00\x12\x10\n\x06prefix\x18\x02 \x01(\tH\x00\x12\x10\n\x06suffix\x18\x03 \x01(\tH\x00\x12\x0f\n\x05regex\x18\x04 \x01(\tH\x00\x42\x0c\n\nmatch_type\"\x7f\n\tMutualTls\x12\x11\n\tallow_tls\x18\x01 \x01(\x08\x12;\n\x04mode\x18\x02 \x01(\x0e\x32-.istio.authentication.v1alpha1.MutualTls.Mode\"\"\n\x04Mode\x12\n\n\x06STRICT\x10\x00\x12\x0e\n\nPERMISSIVE\x10\x01\"\xc2\x02\n\x03Jwt\x12\x0e\n\x06issuer\x18\x01 \x01(\t\x12\x11\n\taudiences\x18\x02 \x03(\t\x12\x10\n\x08jwks_uri\x18\x03 \x01(\t\x12\x13\n\x0bjwt_headers\x18\x06 \x03(\t\x12\x12\n\njwt_params\x18\x07 \x03(\t\x12\x45\n\rtrigger_rules\x18\t \x03(\x0b\x32..istio.authentication.v1alpha1.Jwt.TriggerRule\x1a\x95\x01\n\x0bTriggerRule\x12\x42\n\x0e\x65xcluded_paths\x18\x01 \x03(\x0b\x32*.istio.authentication.v1alpha1.StringMatch\x12\x42\n\x0eincluded_paths\x18\x02 \x03(\x0b\x32*.istio.authentication.v1alpha1.StringMatch\"\x91\x01\n\x18PeerAuthenticationMethod\x12\x38\n\x04mtls\x18\x01 \x01(\x0b\x32(.istio.authentication.v1alpha1.MutualTlsH\x00\x12\x31\n\x03jwt\x18\x02 \x01(\x0b\x32\".istio.authentication.v1alpha1.JwtH\x00\x42\x08\n\x06params\"M\n\x1aOriginAuthenticationMethod\x12/\n\x03jwt\x18\x01 \x01(\x0b\x32\".istio.authentication.v1alpha1.Jwt\"\xde\x02\n\x06Policy\x12>\n\x07targets\x18\x01 \x03(\x0b\x32-.istio.authentication.v1alpha1.TargetSelector\x12\x46\n\x05peers\x18\x02 \x03(\x0b\x32\x37.istio.authentication.v1alpha1.PeerAuthenticationMethod\x12\x18\n\x10peer_is_optional\x18\x03 \x01(\x08\x12J\n\x07origins\x18\x04 \x03(\x0b\x32\x39.istio.authentication.v1alpha1.OriginAuthenticationMethod\x12\x1a\n\x12origin_is_optional\x18\x05 \x01(\x08\x12J\n\x11principal_binding\x18\x06 \x01(\x0e\x32/.istio.authentication.v1alpha1.PrincipalBinding\"\xd4\x01\n\x0eTargetSelector\x12\x0c\n\x04name\x18\x01 \x01(\t\x12I\n\x06labels\x18\x03 \x03(\x0b\x32\x39.istio.authentication.v1alpha1.TargetSelector.LabelsEntry\x12:\n\x05ports\x18\x02 \x03(\x0b\x32+.istio.authentication.v1alpha1.PortSelector\x1a-\n\x0bLabelsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"8\n\x0cPortSelector\x12\x10\n\x06number\x18\x01 \x01(\rH\x00\x12\x0e\n\x04name\x18\x02 \x01(\tH\x00\x42\x06\n\x04port*0\n\x10PrincipalBinding\x12\x0c\n\x08USE_PEER\x10\x00\x12\x0e\n\nUSE_ORIGIN\x10\x01\x42&Z$istio.io/api/authentication/v1alpha1b\x06proto3') ) _PRINCIPALBINDING = _descriptor.EnumDescriptor( @@ -40,8 +40,8 @@ ], containing_type=None, options=None, - serialized_start=1354, - serialized_end=1402, + serialized_start=1477, + serialized_end=1525, ) _sym_db.RegisterEnumDescriptor(_PRINCIPALBINDING) @@ -408,6 +408,43 @@ ) +_TARGETSELECTOR_LABELSENTRY = _descriptor.Descriptor( + name='LabelsEntry', + full_name='istio.authentication.v1alpha1.TargetSelector.LabelsEntry', + filename=None, + file=DESCRIPTOR, + containing_type=None, + fields=[ + _descriptor.FieldDescriptor( + name='key', full_name='istio.authentication.v1alpha1.TargetSelector.LabelsEntry.key', index=0, + number=1, type=9, cpp_type=9, label=1, + has_default_value=False, default_value=_b("").decode('utf-8'), + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + options=None, file=DESCRIPTOR), + _descriptor.FieldDescriptor( + name='value', full_name='istio.authentication.v1alpha1.TargetSelector.LabelsEntry.value', index=1, + number=2, type=9, cpp_type=9, label=1, + has_default_value=False, default_value=_b("").decode('utf-8'), + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + options=None, file=DESCRIPTOR), + ], + extensions=[ + ], + nested_types=[], + enum_types=[ + ], + options=_descriptor._ParseOptions(descriptor_pb2.MessageOptions(), _b('8\001')), + is_extendable=False, + syntax='proto3', + extension_ranges=[], + oneofs=[ + ], + serialized_start=1372, + serialized_end=1417, +) + _TARGETSELECTOR = _descriptor.Descriptor( name='TargetSelector', full_name='istio.authentication.v1alpha1.TargetSelector', @@ -423,7 +460,14 @@ is_extension=False, extension_scope=None, options=None, file=DESCRIPTOR), _descriptor.FieldDescriptor( - name='ports', full_name='istio.authentication.v1alpha1.TargetSelector.ports', index=1, + name='labels', full_name='istio.authentication.v1alpha1.TargetSelector.labels', index=1, + number=3, type=11, cpp_type=10, label=3, + has_default_value=False, default_value=[], + message_type=None, enum_type=None, containing_type=None, + is_extension=False, extension_scope=None, + options=None, file=DESCRIPTOR), + _descriptor.FieldDescriptor( + name='ports', full_name='istio.authentication.v1alpha1.TargetSelector.ports', index=2, number=2, type=11, cpp_type=10, label=3, has_default_value=False, default_value=[], message_type=None, enum_type=None, containing_type=None, @@ -432,7 +476,7 @@ ], extensions=[ ], - nested_types=[], + nested_types=[_TARGETSELECTOR_LABELSENTRY, ], enum_types=[ ], options=None, @@ -441,8 +485,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=1204, - serialized_end=1294, + serialized_start=1205, + serialized_end=1417, ) @@ -482,8 +526,8 @@ name='port', full_name='istio.authentication.v1alpha1.PortSelector.port', index=0, containing_type=None, fields=[]), ], - serialized_start=1296, - serialized_end=1352, + serialized_start=1419, + serialized_end=1475, ) _STRINGMATCH.oneofs_by_name['match_type'].fields.append( @@ -517,6 +561,8 @@ _POLICY.fields_by_name['peers'].message_type = _PEERAUTHENTICATIONMETHOD _POLICY.fields_by_name['origins'].message_type = _ORIGINAUTHENTICATIONMETHOD _POLICY.fields_by_name['principal_binding'].enum_type = _PRINCIPALBINDING +_TARGETSELECTOR_LABELSENTRY.containing_type = _TARGETSELECTOR +_TARGETSELECTOR.fields_by_name['labels'].message_type = _TARGETSELECTOR_LABELSENTRY _TARGETSELECTOR.fields_by_name['ports'].message_type = _PORTSELECTOR _PORTSELECTOR.oneofs_by_name['port'].fields.append( _PORTSELECTOR.fields_by_name['number']) @@ -586,11 +632,19 @@ _sym_db.RegisterMessage(Policy) TargetSelector = _reflection.GeneratedProtocolMessageType('TargetSelector', (_message.Message,), dict( + + LabelsEntry = _reflection.GeneratedProtocolMessageType('LabelsEntry', (_message.Message,), dict( + DESCRIPTOR = _TARGETSELECTOR_LABELSENTRY, + __module__ = 'authentication.v1alpha1.policy_pb2' + # @@protoc_insertion_point(class_scope:istio.authentication.v1alpha1.TargetSelector.LabelsEntry) + )) + , DESCRIPTOR = _TARGETSELECTOR, __module__ = 'authentication.v1alpha1.policy_pb2' # @@protoc_insertion_point(class_scope:istio.authentication.v1alpha1.TargetSelector) )) _sym_db.RegisterMessage(TargetSelector) +_sym_db.RegisterMessage(TargetSelector.LabelsEntry) PortSelector = _reflection.GeneratedProtocolMessageType('PortSelector', (_message.Message,), dict( DESCRIPTOR = _PORTSELECTOR, @@ -602,4 +656,6 @@ DESCRIPTOR.has_options = True DESCRIPTOR._options = _descriptor._ParseOptions(descriptor_pb2.FileOptions(), _b('Z$istio.io/api/authentication/v1alpha1')) +_TARGETSELECTOR_LABELSENTRY.has_options = True +_TARGETSELECTOR_LABELSENTRY._options = _descriptor._ParseOptions(descriptor_pb2.MessageOptions(), _b('8\001')) # @@protoc_insertion_point(module_scope)
workloadSelectorWorkloadSelector +

Criteria used to select the specific set of pods/VMs on which this +sidecar configuration should be applied. If omitted, the sidecar +configuration will be applied to all workloads in the same config +namespace.

+ +
ingressIstioIngressListener[] +

Ingress specifies the configuration of the sidecar for processing +inbound traffic to the attached workload. If omitted, Istio will +autoconfigure the sidecar based on the information about the workload +obtained from the orchestration platform (e.g., exposed ports, services, +etc.).

+ +
egress IstioEgressListener[] labels map<string, string> -

One or more labels that indicate a specific set of pods/VMs on which -this sidecar configuration should be applied. The scope of label -search is restricted to the configuration namespace in which the the -resource is present.

+

REQUIRED: One or more labels that indicate a specific set of pods/VMs +on which this sidecar configuration should be applied. The scope of +label search is restricted to the configuration namespace in which the +the resource is present.
incrementalbool +

Request an incremental update for the specified collection. The source may choose to +honor this request or ignore and and provide a full-state update in the corresponding +Resource response.

+
incrementalbool +

This resource response is an incremental update. The source should only send +incremental updates if the sink requested them.

+