revert #1248 - sidecar inboundTls (#1330)

* revert #1248 - sidecar inboundTls

Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io>

* protos

Signed-off-by: Shriram Rajagopalan <rshriram@tetrate.io>
Shriram Rajagopalan 2020-03-17 09:45:32 -04:00 committed by GitHub
parent dc6271ee34
commit 200da86cbc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
22 changed files with 196 additions and 1814 deletions


@ -3530,74 +3530,6 @@ spec:
type: object
type: object
type: array
inboundTls:
properties:
caCertificates:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
cipherSuites:
description: 'Optional: If specified, only support the specified
cipher list.'
items:
format: string
type: string
type: array
credentialName:
format: string
type: string
httpsRedirect:
type: boolean
maxProtocolVersion:
description: 'Optional: Maximum TLS protocol version.'
enum:
- TLS_AUTO
- TLSV1_0
- TLSV1_1
- TLSV1_2
- TLSV1_3
type: string
minProtocolVersion:
description: 'Optional: Minimum TLS protocol version.'
enum:
- TLS_AUTO
- TLSV1_0
- TLSV1_1
- TLSV1_2
- TLSV1_3
type: string
mode:
enum:
- PASSTHROUGH
- SIMPLE
- MUTUAL
- AUTO_PASSTHROUGH
- ISTIO_MUTUAL
type: string
privateKey:
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
format: string
type: string
serverCertificate:
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
format: string
type: string
subjectAltNames:
items:
format: string
type: string
type: array
verifyCertificateHash:
items:
format: string
type: string
type: array
verifyCertificateSpki:
items:
format: string
type: string
type: array
type: object
ingress:
items:
properties:
@ -3614,75 +3546,6 @@ spec:
defaultEndpoint:
format: string
type: string
inboundTls:
description: Overrides Sidecar level `inboundTls` settings.
properties:
caCertificates:
description: REQUIRED if mode is `MUTUAL`.
format: string
type: string
cipherSuites:
description: 'Optional: If specified, only support the specified
cipher list.'
items:
format: string
type: string
type: array
credentialName:
format: string
type: string
httpsRedirect:
type: boolean
maxProtocolVersion:
description: 'Optional: Maximum TLS protocol version.'
enum:
- TLS_AUTO
- TLSV1_0
- TLSV1_1
- TLSV1_2
- TLSV1_3
type: string
minProtocolVersion:
description: 'Optional: Minimum TLS protocol version.'
enum:
- TLS_AUTO
- TLSV1_0
- TLSV1_1
- TLSV1_2
- TLSV1_3
type: string
mode:
enum:
- PASSTHROUGH
- SIMPLE
- MUTUAL
- AUTO_PASSTHROUGH
- ISTIO_MUTUAL
type: string
privateKey:
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
format: string
type: string
serverCertificate:
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
format: string
type: string
subjectAltNames:
items:
format: string
type: string
type: array
verifyCertificateHash:
items:
format: string
type: string
type: array
verifyCertificateSpki:
items:
format: string
type: string
type: array
type: object
port:
description: The port associated with the listener.
properties:


@ -102,7 +102,7 @@
}
},
"httpsRedirect": {
"description": "If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. Not applicable in Sidecar API.",
"description": "If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS.",
"type": "boolean"
},
"serverCertificate": {


@ -357,9 +357,7 @@ type Server_TLSOptions_TLSmode int32
const (
// The SNI string presented by the client will be used as the
// match criterion in a VirtualService TLS route to determine
// the destination service from the service registry. On a
// sidecar, TLS traffic will be forwarded as is to the default
// endpoint defined in the Ingress Listener.
// the destination service from the service registry.
Server_TLSOptions_PASSTHROUGH Server_TLSOptions_TLSmode = 0
// Secure connections with standard TLS semantics.
Server_TLSOptions_SIMPLE Server_TLSOptions_TLSmode = 1
@ -376,8 +374,7 @@ const (
// between services in disparate L3 networks that otherwise do
// not have direct connectivity between their respective
// endpoints. Use of this mode assumes that both the source and
// the destination are using Istio mTLS to secure traffic. Not
// applicable in Sidecar API.
// the destination are using Istio mTLS to secure traffic.
Server_TLSOptions_AUTO_PASSTHROUGH Server_TLSOptions_TLSmode = 3
// Secure connections from the downstream using mutual TLS by
// presenting server certificates for authentication. Compared
@ -793,8 +790,7 @@ func (m *Server) GetDefaultEndpoint() string {
type Server_TLSOptions struct {
// If set to true, the load balancer will send a 301 redirect for
// all http connections, asking the clients to use HTTPS. Not
// applicable in Sidecar API.
// all http connections, asking the clients to use HTTPS.
HttpsRedirect bool `protobuf:"varint,1,opt,name=https_redirect,json=httpsRedirect,proto3" json:"https_redirect,omitempty"`
// Optional: Indicates whether connections to this port should be
// secured using TLS. The value of this field determines how TLS is


@ -677,8 +677,7 @@ No
<td><code>bool</code></td>
<td>
<p>If set to true, the load balancer will send a 301 redirect for
all http connections, asking the clients to use HTTPS. Not
applicable in Sidecar API.</p>
all http connections, asking the clients to use HTTPS.</p>
</td>
<td>
@ -908,9 +907,7 @@ No
<td>
<p>The SNI string presented by the client will be used as the
match criterion in a VirtualService TLS route to determine
the destination service from the service registry. On a
sidecar, TLS traffic will be forwarded as is to the default
endpoint defined in the Ingress Listener.</p>
the destination service from the service registry.</p>
</td>
</tr>
@ -942,8 +939,7 @@ value. This server is typically used to provide connectivity
between services in disparate L3 networks that otherwise do
not have direct connectivity between their respective
endpoints. Use of this mode assumes that both the source and
the destination are using Istio mTLS to secure traffic. Not
applicable in Sidecar API.</p>
the destination are using Istio mTLS to secure traffic.</p>
</td>
</tr>


@ -565,17 +565,14 @@ message Server {
message TLSOptions {
// If set to true, the load balancer will send a 301 redirect for
// all http connections, asking the clients to use HTTPS. Not
// applicable in Sidecar API.
// all http connections, asking the clients to use HTTPS.
bool https_redirect = 1;
// TLS modes enforced by the proxy
enum TLSmode {
// The SNI string presented by the client will be used as the
// match criterion in a VirtualService TLS route to determine
// the destination service from the service registry. On a
// sidecar, TLS traffic will be forwarded as is to the default
// endpoint defined in the Ingress Listener.
// the destination service from the service registry.
PASSTHROUGH = 0;
// Secure connections with standard TLS semantics.
@ -595,8 +592,7 @@ message Server {
// between services in disparate L3 networks that otherwise do
// not have direct connectivity between their respective
// endpoints. Use of this mode assumes that both the source and
// the destination are using Istio mTLS to secure traffic. Not
// applicable in Sidecar API.
// the destination are using Istio mTLS to secure traffic.
AUTO_PASSTHROUGH = 3;
// Secure connections from the downstream using mutual TLS by


@ -50,98 +50,6 @@
}
}
},
"istio.networking.v1alpha3.Server.TLSOptions": {
"type": "object",
"properties": {
"mode": {
"$ref": "#/components/schemas/istio.networking.v1alpha3.Server.TLSOptions.TLSmode"
},
"privateKey": {
"description": "REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file holding the server's private key.",
"type": "string",
"format": "string"
},
"caCertificates": {
"description": "REQUIRED if mode is `MUTUAL`. The path to a file containing certificate authority certificates to use in verifying a presented client side certificate.",
"type": "string",
"format": "string"
},
"subjectAltNames": {
"description": "A list of alternate names to verify the subject identity in the certificate presented by the client.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"httpsRedirect": {
"description": "If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. Not applicable in Sidecar API.",
"type": "boolean"
},
"serverCertificate": {
"description": "REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file holding the server-side TLS certificate to use.",
"type": "string",
"format": "string"
},
"credentialName": {
"description": "The credentialName stands for a unique identifier that can be used to identify the serverCertificate and the privateKey. The credentialName appended with suffix \"-cacert\" is used to identify the CaCertificates associated with this server. Proxies capable of fetching credentials from a remote credential store such as Kubernetes secrets, will be configured to retrieve the serverCertificate and the privateKey using credentialName, instead of using the file system paths specified above. If using mutual TLS, proxy instances will retrieve the CaCertificates using credentialName-cacert. The semantics of the name are platform dependent. In Kubernetes, the default Istio supplied credential server expects the credentialName to match the name of the Kubernetes secret that holds the server certificate, the private key, and the CA certificate (if using mutual TLS). Set the `ISTIO_META_USER_SDS` metadata variable in the proxy to enable the dynamic credential fetching feature.",
"type": "string",
"format": "string"
},
"verifyCertificateSpki": {
"description": "An optional list of base64-encoded SHA-256 hashes of the SKPIs of authorized client certificates. Note: When both verify_certificate_hash and verify_certificate_spki are specified, a hash matching either value will result in the certificate being accepted.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"verifyCertificateHash": {
"description": "An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. Both simple and colon separated formats are acceptable. Note: When both verify_certificate_hash and verify_certificate_spki are specified, a hash matching either value will result in the certificate being accepted.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"minProtocolVersion": {
"$ref": "#/components/schemas/istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol"
},
"maxProtocolVersion": {
"$ref": "#/components/schemas/istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol"
},
"cipherSuites": {
"description": "Optional: If specified, only support the specified cipher list. Otherwise default to the default cipher list supported by Envoy.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
}
}
},
"istio.networking.v1alpha3.Server.TLSOptions.TLSmode": {
"description": "TLS modes enforced by the proxy",
"type": "string",
"enum": [
"PASSTHROUGH",
"SIMPLE",
"MUTUAL",
"AUTO_PASSTHROUGH",
"ISTIO_MUTUAL"
]
},
"istio.networking.v1alpha3.Server.TLSOptions.TLSProtocol": {
"description": "TLS protocol versions.",
"type": "string",
"enum": [
"TLS_AUTO",
"TLSV1_0",
"TLSV1_1",
"TLSV1_2",
"TLSV1_3"
]
},
"istio.networking.v1alpha3.Sidecar": {
"description": "`Sidecar` describes the configuration of the sidecar proxy that mediates inbound and outbound communication of the workload instance to which it is attached.",
"type": "object",
@ -165,9 +73,6 @@
},
"outboundTrafficPolicy": {
"$ref": "#/components/schemas/istio.networking.v1alpha3.OutboundTrafficPolicy"
},
"inboundTls": {
"$ref": "#/components/schemas/istio.networking.v1alpha3.Server.TLSOptions"
}
}
},
@ -188,9 +93,6 @@
"type": "string",
"format": "string"
},
"inboundTls": {
"$ref": "#/components/schemas/istio.networking.v1alpha3.Server.TLSOptions"
},
"captureMode": {
"$ref": "#/components/schemas/istio.networking.v1alpha3.CaptureMode"
}


@ -118,18 +118,11 @@
// The following example declares a `Sidecar` configuration in the
// `prod-us1` namespace for all pods with labels `app: ratings`
// belonging to the `ratings.prod-us1` service. The workload accepts
// inbound HTTP traffic on port 9080 without any authentication, and
// HTTPS traffic on port 9443 with one-way TLS termination using
// custom certificates. _To accomplish custom TLS termination on this
// workload, the `PeerAuthentication` security policy must be declared
// to disable Istio mutual TLS on these two ports. Any other
// auto-generated listener for this workload will still obey the
// mutual TLS termination requirements set forth in the
// PeerAuthentication policy_. The traffic is then forwarded to the
// attached workload instance listening on a Unix domain socket. In
// the egress direction, in addition to the `istio-system` namespace,
// the sidecar proxies only HTTP traffic bound for port 9080 for
// services in the `prod-us1` namespace.
// inbound HTTP traffic on port 9080. The traffic is then forwarded to
// the attached workload instance listening on a Unix domain
// socket. In the egress direction, in addition to the `istio-system`
// namespace, the sidecar proxies only HTTP traffic bound for port
// 9080 for services in the `prod-us1` namespace.
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
@ -149,15 +142,6 @@
// protocol: HTTP
// name: somename
// defaultEndpoint: unix:///var/run/someuds.sock
// - port:
// number: 9443
// protocol: HTTPS
// name: httpsport
// inboundTls:
// mode: SIMPLE # overrides namespace default
// serverCertificate: /etc/certs/servercert.pem
// privateKey: /etc/certs/privatekey.pem
// defaultEndpoint: unix:///var/run/someuds.sock
// egress:
// - port:
// number: 9080
@ -187,15 +171,6 @@
// protocol: HTTP
// name: somename
// defaultEndpoint: unix:///var/run/someuds.sock
// - port:
// number: 9443
// protocol: HTTPS
// name: httpsport
// inboundTls:
// mode: SIMPLE # overrides namespace default
// serverCertificate: /etc/certs/servercert.pem
// privateKey: /etc/certs/privatekey.pem
// defaultEndpoint: unix:///var/run/someuds.sock
// egress:
// - port:
// number: 9080
@ -209,80 +184,6 @@
// {{</tab>}}
// {{</tabset>}}
//
// and the associated PeerAuthentication security policy to ensure
// that mutual TLS based authentication is not configured for ports
// 9080 and 9443:
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
// name: ratings-istio-mtls-exception
// namespace: prod-us1
// spec:
// selector:
// matchLabels:
// app: ratings
// # other ports inherit the settings from namespace-wide policy.
// portLevelMtls:
// 9080:
// mode: DISABLE
// 9443:
// mode: DISABLE
// ```
//
// and the associated DestinationRule to ensure that the clients use
// the appropriate TLS settings:
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: DestinationRule
// metadata:
// name: ratings-istio-mtls-exception
// namespace: prod-us1
// spec:
// host: ratings.prod-us1.svc.cluster.local
// trafficPolicy:
// portLevelSettings:
// - port:
// number: 9080
// tls:
// mode: DISABLE
// - port:
// number: 9443
// tls:
// mode: SIMPLE
// caCertificates: /etc/certs/ca-certs.pem
// ```
//
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: DestinationRule
// metadata:
// name: ratings-istio-mtls-exception
// namespace: prod-us1
// spec:
// host: ratings.prod-us1.svc.cluster.local
// trafficPolicy:
// portLevelSettings:
// - port:
// number: 9080
// tls:
// mode: DISABLE
// - port:
// number: 9443
// tls:
// mode: SIMPLE
// caCertificates: /etc/certs/ca-certs.pem
// ```
// {{</tab>}}
// {{</tabset>}}
//
// If the workload is deployed without IPTables-based traffic capture,
// the `Sidecar` configuration is the only way to configure the ports
// on the proxy attached to the workload instance. The following
@ -612,17 +513,9 @@ type Sidecar struct {
// inherits the system detected defaults from the namespace-wide or
// the global default Sidecar.
OutboundTrafficPolicy *OutboundTrafficPolicy `protobuf:"bytes,4,opt,name=outbound_traffic_policy,json=outboundTrafficPolicy,proto3" json:"outbound_traffic_policy,omitempty"`
// Set of TLS related options that allow a listener to terminate
// SIMPLE or MUTUAL TLS connections at the
// sidecar. `PeerAuthentication` policy's settings take precedance
// over custom TLS settings for the workload. When the
// PeerAuthentication policy disables mTLS tunneling for one or more
// ports in the workload, the TLS settings specified here will be
// applied.
InboundTls *Server_TLSOptions `protobuf:"bytes,5,opt,name=inbound_tls,json=inboundTls,proto3" json:"inbound_tls,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"`
XXX_sizecache int32 `json:"-"`
XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"`
XXX_sizecache int32 `json:"-"`
}
func (m *Sidecar) Reset() { *m = Sidecar{} }
@ -686,13 +579,6 @@ func (m *Sidecar) GetOutboundTrafficPolicy() *OutboundTrafficPolicy {
return nil
}
func (m *Sidecar) GetInboundTls() *Server_TLSOptions {
if m != nil {
return m.InboundTls
}
return nil
}
// `IstioIngressListener` specifies the properties of an inbound
// traffic listener on the sidecar proxy attached to a workload instance.
type IstioIngressListener struct {
@ -713,15 +599,10 @@ type IstioIngressListener struct {
// redirect traffic arriving at the bind `IP:Port` on the sidecar to a `localhost:port`
// or Unix domain socket where the application workload instance is listening for
// connections. Format should be `127.0.0.1:PORT` or `unix:///path/to/socket`
DefaultEndpoint string `protobuf:"bytes,4,opt,name=default_endpoint,json=defaultEndpoint,proto3" json:"default_endpoint,omitempty"`
// Overrides Sidecar level `inboundTls` settings. Has same
// restrictions as the Sidecar level inboundTls,
// i.e. PeerAuthentication policy takes precedance unless explicitly
// disabled.
InboundTls *Server_TLSOptions `protobuf:"bytes,5,opt,name=inbound_tls,json=inboundTls,proto3" json:"inbound_tls,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"`
XXX_sizecache int32 `json:"-"`
DefaultEndpoint string `protobuf:"bytes,4,opt,name=default_endpoint,json=defaultEndpoint,proto3" json:"default_endpoint,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"`
XXX_sizecache int32 `json:"-"`
}
func (m *IstioIngressListener) Reset() { *m = IstioIngressListener{} }
@ -785,13 +666,6 @@ func (m *IstioIngressListener) GetDefaultEndpoint() string {
return ""
}
func (m *IstioIngressListener) GetInboundTls() *Server_TLSOptions {
if m != nil {
return m.InboundTls
}
return nil
}
// `IstioEgressListener` specifies the properties of an outbound traffic
// listener on the sidecar proxy attached to a workload instance.
type IstioEgressListener struct {
@ -1070,50 +944,48 @@ func init() {
func init() { proto.RegisterFile("networking/v1alpha3/sidecar.proto", fileDescriptor_b5c11342f04ad3d1) }
var fileDescriptor_b5c11342f04ad3d1 = []byte{
// 678 bytes of a gzipped FileDescriptorProto
// 641 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x94, 0xcf, 0x6e, 0xd3, 0x4a,
0x14, 0xc6, 0x3b, 0x49, 0xfa, 0x27, 0xc7, 0xed, 0xbd, 0xee, 0xdc, 0x56, 0xd7, 0xed, 0xa2, 0x0d,
0x59, 0xa0, 0xf0, 0x47, 0x0e, 0xa4, 0x42, 0x14, 0x76, 0x29, 0x4d, 0x51, 0x24, 0x37, 0x89, 0x9c,
0xa0, 0x52, 0x36, 0xd6, 0xc4, 0x9e, 0x24, 0xa3, 0x1a, 0x8f, 0x35, 0x33, 0x49, 0xc9, 0xf3, 0xb0,
0x87, 0x97, 0x60, 0xc1, 0x92, 0x1d, 0xdb, 0xaa, 0x4f, 0x82, 0x32, 0x76, 0xd5, 0x52, 0x99, 0xa0,
0x4a, 0x88, 0x9d, 0x3d, 0xe7, 0xfb, 0xbe, 0x39, 0xfe, 0x79, 0xce, 0xc0, 0xbd, 0x88, 0xaa, 0x73,
0x2e, 0xce, 0x58, 0x34, 0xac, 0x4e, 0x9e, 0x92, 0x30, 0x1e, 0x91, 0xbd, 0xaa, 0x64, 0x01, 0xf5,
0x89, 0xb0, 0x63, 0xc1, 0x15, 0xc7, 0x5b, 0x4c, 0x2a, 0xc6, 0xed, 0x6b, 0xa1, 0x7d, 0x25, 0xdc,
0xde, 0x1d, 0x72, 0x3e, 0x0c, 0x69, 0x95, 0xc4, 0xac, 0x3a, 0x60, 0x34, 0x0c, 0xbc, 0x3e, 0x1d,
0x91, 0x09, 0xe3, 0xa9, 0x77, 0x3b, 0x33, 0x7e, 0x48, 0x14, 0x3d, 0x27, 0xd3, 0x54, 0xf2, 0x20,
0x4b, 0x32, 0x61, 0x42, 0x8d, 0x49, 0xe8, 0x49, 0x2a, 0x26, 0xcc, 0xa7, 0x89, 0xb4, 0xfc, 0x39,
0x0f, 0xcb, 0xdd, 0xa4, 0x37, 0xfc, 0x16, 0xd6, 0x67, 0xae, 0x90, 0x93, 0xc0, 0x93, 0x34, 0xa4,
0xbe, 0xe2, 0xc2, 0x42, 0x25, 0x54, 0x31, 0x6a, 0x8f, 0xec, 0x5f, 0x76, 0x6c, 0x9f, 0xa4, 0x9e,
0x6e, 0x6a, 0x71, 0xcd, 0xf3, 0x5b, 0x2b, 0xb8, 0x09, 0xcb, 0x2c, 0x1a, 0x0a, 0x2a, 0xa5, 0x95,
0x2b, 0xe5, 0x2b, 0x46, 0xad, 0x3a, 0x27, 0xaf, 0x39, 0xab, 0x34, 0x13, 0xb9, 0xc3, 0xa4, 0xa2,
0x11, 0x15, 0xee, 0x95, 0x1f, 0x1f, 0xc1, 0x12, 0x4d, 0x92, 0xf2, 0x3a, 0xc9, 0xfe, 0x5d, 0x52,
0xe3, 0xe7, 0xa0, 0xd4, 0x8d, 0x47, 0xf0, 0x3f, 0x1f, 0xab, 0x3e, 0x1f, 0x47, 0x81, 0xa7, 0x04,
0x19, 0x0c, 0x98, 0xef, 0xc5, 0x3c, 0x64, 0xfe, 0xd4, 0x2a, 0xe8, 0x4f, 0x7e, 0x32, 0x27, 0xb8,
0x9d, 0x3a, 0x7b, 0x89, 0xb1, 0xa3, 0x7d, 0xee, 0x26, 0xcf, 0x5a, 0xc6, 0xc7, 0x60, 0xb0, 0x28,
0xdd, 0x28, 0x94, 0xd6, 0xa2, 0x4e, 0x7f, 0x3c, 0x27, 0xbd, 0x4b, 0xc5, 0x84, 0x0a, 0xbb, 0xe7,
0x74, 0xdb, 0xb1, 0x62, 0x3c, 0x92, 0x2e, 0xa4, 0x01, 0xbd, 0x50, 0x96, 0x3f, 0xe5, 0x60, 0x23,
0x0b, 0x11, 0xde, 0x87, 0x42, 0xcc, 0x85, 0x4a, 0xff, 0xd8, 0xee, 0x9c, 0x0d, 0x3a, 0x5c, 0xa8,
0x83, 0xfc, 0x45, 0x3d, 0xe7, 0x6a, 0x07, 0xc6, 0x50, 0xe8, 0xb3, 0x28, 0xb0, 0x72, 0x25, 0x54,
0x29, 0xba, 0xfa, 0x19, 0x37, 0x61, 0xd5, 0x27, 0xb1, 0x1a, 0x0b, 0xea, 0xbd, 0xe7, 0x01, 0xb5,
0xf2, 0x25, 0x54, 0xf9, 0xa7, 0x76, 0x7f, 0x4e, 0xea, 0xab, 0x44, 0x7e, 0xcc, 0x03, 0xea, 0x1a,
0xfe, 0xf5, 0x0b, 0xb6, 0xc1, 0x0c, 0xe8, 0x80, 0x8c, 0x43, 0xe5, 0xd1, 0x28, 0x88, 0x39, 0x8b,
0x94, 0x66, 0x5c, 0x4c, 0x7a, 0xf8, 0x37, 0x2d, 0x36, 0xd2, 0xda, 0x9f, 0x06, 0xf6, 0x05, 0xc1,
0x7f, 0x19, 0x27, 0x01, 0xef, 0xdd, 0x89, 0xd7, 0xdf, 0x41, 0xb5, 0x05, 0x8b, 0x23, 0x2e, 0x95,
0xb4, 0x0a, 0xa5, 0xfc, 0x15, 0x9f, 0x64, 0xa5, 0xfc, 0x11, 0x81, 0x79, 0x7b, 0xd4, 0x70, 0x0f,
0x96, 0x42, 0xd2, 0xa7, 0xa1, 0xb4, 0x90, 0x9e, 0x86, 0xe7, 0x77, 0x98, 0x53, 0xdb, 0xd1, 0xce,
0x46, 0xa4, 0xc4, 0x34, 0xd9, 0x29, 0xcd, 0xda, 0x7e, 0x01, 0xc6, 0x8d, 0x1a, 0x36, 0x21, 0x7f,
0x46, 0xa7, 0x9a, 0x53, 0xd1, 0x9d, 0x3d, 0xe2, 0x0d, 0x58, 0x9c, 0x90, 0x70, 0x4c, 0x53, 0x0c,
0xc9, 0xcb, 0xcb, 0xdc, 0x3e, 0x2a, 0x7f, 0x47, 0xb0, 0x99, 0x39, 0x1d, 0xb8, 0x09, 0x05, 0x4d,
0x07, 0x69, 0x3a, 0xcf, 0xee, 0x3a, 0x5d, 0xb6, 0x86, 0xa5, 0x23, 0x66, 0xc0, 0x93, 0x29, 0xf6,
0x62, 0xc1, 0x3f, 0x4c, 0x75, 0x17, 0xc6, 0x5c, 0xe0, 0x87, 0x54, 0x2a, 0x16, 0x91, 0xd9, 0xe1,
0x70, 0x8d, 0xc4, 0xdb, 0x99, 0x59, 0xcb, 0x15, 0x28, 0x68, 0xf0, 0xeb, 0xb0, 0xe6, 0x36, 0x5e,
0x37, 0xbb, 0x3d, 0xf7, 0xd4, 0x6b, 0xb7, 0x9c, 0x53, 0x73, 0x01, 0xaf, 0x41, 0xb1, 0xee, 0x38,
0xed, 0x13, 0xaf, 0xde, 0x3a, 0x35, 0xd1, 0xc3, 0x1a, 0x18, 0x37, 0x7e, 0x1b, 0x36, 0x60, 0xf9,
0xb0, 0x71, 0x54, 0x7f, 0xe3, 0xf4, 0xcc, 0x05, 0xbc, 0x0a, 0x2b, 0xcd, 0x4e, 0xaf, 0x7e, 0xe0,
0x34, 0xba, 0x26, 0xc2, 0x2b, 0x50, 0x68, 0xb5, 0x5b, 0x0d, 0x33, 0x77, 0x60, 0x7f, 0xbd, 0xdc,
0x41, 0xdf, 0x2e, 0x77, 0xd0, 0xc5, 0xe5, 0x0e, 0x7a, 0x57, 0x4a, 0xfa, 0x63, 0x5c, 0x5f, 0xee,
0x19, 0x77, 0x74, 0x7f, 0x49, 0x5f, 0xca, 0x7b, 0x3f, 0x02, 0x00, 0x00, 0xff, 0xff, 0xdf, 0xa9,
0x08, 0xee, 0x43, 0x06, 0x00, 0x00,
0x14, 0xc6, 0x3b, 0x89, 0xfb, 0x27, 0xc7, 0xed, 0xbd, 0xee, 0xdc, 0x56, 0xd7, 0xed, 0xa2, 0x0d,
0x59, 0xa0, 0x00, 0x92, 0x03, 0xa9, 0x10, 0x85, 0x5d, 0x4a, 0x5d, 0x64, 0xc9, 0x24, 0x91, 0x13,
0x54, 0xca, 0xc6, 0x9a, 0xd8, 0x93, 0x64, 0x54, 0xe3, 0xb1, 0xc6, 0x93, 0x94, 0x3c, 0x0f, 0xaf,
0xc2, 0x82, 0x25, 0x3b, 0x96, 0x54, 0x7d, 0x12, 0x94, 0xb1, 0xab, 0x96, 0xca, 0x04, 0x75, 0xc3,
0xce, 0x33, 0xe7, 0xfc, 0xbe, 0x39, 0xe7, 0xf3, 0x99, 0x81, 0x07, 0x31, 0x95, 0x17, 0x5c, 0x9c,
0xb3, 0x78, 0xd4, 0x98, 0x3e, 0x23, 0x51, 0x32, 0x26, 0x07, 0x8d, 0x94, 0x85, 0x34, 0x20, 0xc2,
0x4a, 0x04, 0x97, 0x1c, 0xef, 0xb0, 0x54, 0x32, 0x6e, 0xdd, 0x24, 0x5a, 0xd7, 0x89, 0xbb, 0xfb,
0x23, 0xce, 0x47, 0x11, 0x6d, 0x90, 0x84, 0x35, 0x86, 0x8c, 0x46, 0xa1, 0x3f, 0xa0, 0x63, 0x32,
0x65, 0x3c, 0x67, 0x77, 0x0b, 0xe5, 0x47, 0x44, 0xd2, 0x0b, 0x32, 0xcb, 0x53, 0x1e, 0x15, 0xa5,
0x4c, 0x99, 0x90, 0x13, 0x12, 0xf9, 0x29, 0x15, 0x53, 0x16, 0xd0, 0x2c, 0xb5, 0x76, 0x59, 0x82,
0xd5, 0x5e, 0x56, 0x1b, 0x7e, 0x0f, 0x9b, 0x73, 0x2a, 0xe2, 0x24, 0xf4, 0x53, 0x1a, 0xd1, 0x40,
0x72, 0x61, 0xa2, 0x2a, 0xaa, 0xeb, 0xcd, 0x27, 0xd6, 0x6f, 0x2b, 0xb6, 0x4e, 0x73, 0xa6, 0x97,
0x23, 0x9e, 0x71, 0x71, 0x67, 0x07, 0x3b, 0xb0, 0xca, 0xe2, 0x91, 0xa0, 0x69, 0x6a, 0x96, 0xaa,
0xe5, 0xba, 0xde, 0x6c, 0x2c, 0xd0, 0x73, 0xe6, 0x11, 0x27, 0x4b, 0x77, 0x59, 0x2a, 0x69, 0x4c,
0x85, 0x77, 0xcd, 0xe3, 0x13, 0x58, 0xa1, 0x99, 0x52, 0x59, 0x29, 0x59, 0x7f, 0x52, 0xb2, 0x7f,
0x15, 0xca, 0x69, 0x3c, 0x86, 0xff, 0xf9, 0x44, 0x0e, 0xf8, 0x24, 0x0e, 0x7d, 0x29, 0xc8, 0x70,
0xc8, 0x02, 0x3f, 0xe1, 0x11, 0x0b, 0x66, 0xa6, 0xa6, 0x5a, 0x7e, 0xba, 0x40, 0xb8, 0x93, 0x93,
0xfd, 0x0c, 0xec, 0x2a, 0xce, 0xdb, 0xe6, 0x45, 0xdb, 0xb5, 0x1f, 0x08, 0xb6, 0x8a, 0x7a, 0xc2,
0x87, 0xa0, 0x25, 0x5c, 0xc8, 0xdc, 0xe2, 0xfd, 0x05, 0xe7, 0x75, 0xb9, 0x90, 0x47, 0xe5, 0xcb,
0x56, 0xc9, 0x53, 0x04, 0xc6, 0xa0, 0x0d, 0x58, 0x1c, 0x9a, 0xa5, 0x2a, 0xaa, 0x57, 0x3c, 0xf5,
0x8d, 0x1d, 0x58, 0x0f, 0x48, 0x22, 0x27, 0x82, 0xfa, 0x1f, 0x79, 0x48, 0xcd, 0x72, 0x15, 0xd5,
0xff, 0x69, 0x3e, 0x5c, 0xa0, 0xfa, 0x3a, 0x4b, 0x7f, 0xcb, 0x43, 0xea, 0xe9, 0xc1, 0xcd, 0x02,
0x5b, 0x60, 0x84, 0x74, 0x48, 0x26, 0x91, 0xf4, 0x69, 0x1c, 0x26, 0x9c, 0xc5, 0x52, 0x99, 0x52,
0xc9, 0x6a, 0xf8, 0x37, 0x0f, 0xda, 0x79, 0xac, 0xf6, 0x05, 0xc1, 0x7f, 0x05, 0x5e, 0xe3, 0x83,
0x7b, 0x35, 0xf8, 0x77, 0x7a, 0xdb, 0x81, 0xe5, 0x31, 0x4f, 0x65, 0x6a, 0x6a, 0xd5, 0xf2, 0x75,
0x43, 0xd9, 0x4e, 0xed, 0x33, 0x02, 0xe3, 0xee, 0x30, 0xe3, 0x3e, 0xac, 0x44, 0x64, 0x40, 0xa3,
0xd4, 0x44, 0x6a, 0xde, 0x5e, 0xdc, 0xe3, 0x26, 0x58, 0xae, 0x22, 0xed, 0x58, 0x8a, 0x59, 0x76,
0x52, 0xae, 0xb5, 0xfb, 0x12, 0xf4, 0x5b, 0x31, 0x6c, 0x40, 0xf9, 0x9c, 0xce, 0x94, 0x4f, 0x15,
0x6f, 0xfe, 0x89, 0xb7, 0x60, 0x79, 0x4a, 0xa2, 0x09, 0xcd, 0x6d, 0xc8, 0x16, 0xaf, 0x4a, 0x87,
0xa8, 0xf6, 0x1d, 0xc1, 0x76, 0xe1, 0xfc, 0x61, 0x07, 0x34, 0xe5, 0x0e, 0x52, 0xee, 0x3c, 0xbf,
0xef, 0xfc, 0x5a, 0xca, 0x2c, 0x25, 0x31, 0x37, 0x3c, 0xbb, 0x27, 0x7e, 0x22, 0xf8, 0xa7, 0x99,
0xaa, 0x42, 0x5f, 0x68, 0xf8, 0x31, 0x4d, 0x25, 0x8b, 0x89, 0x64, 0x3c, 0xf6, 0xf4, 0x8c, 0xed,
0xce, 0xd1, 0x5a, 0x1d, 0x34, 0x65, 0xfc, 0x26, 0x6c, 0x78, 0xf6, 0x1b, 0xa7, 0xd7, 0xf7, 0xce,
0xfc, 0x4e, 0xdb, 0x3d, 0x33, 0x96, 0xf0, 0x06, 0x54, 0x5a, 0xae, 0xdb, 0x39, 0xf5, 0x5b, 0xed,
0x33, 0x03, 0x3d, 0x6e, 0x82, 0x7e, 0xeb, 0xb7, 0x61, 0x1d, 0x56, 0x8f, 0xed, 0x93, 0xd6, 0x3b,
0xb7, 0x6f, 0x2c, 0xe1, 0x75, 0x58, 0x73, 0xba, 0xfd, 0xd6, 0x91, 0x6b, 0xf7, 0x0c, 0x84, 0xd7,
0x40, 0x6b, 0x77, 0xda, 0xb6, 0x51, 0x3a, 0xb2, 0xbe, 0x5e, 0xed, 0xa1, 0x6f, 0x57, 0x7b, 0xe8,
0xf2, 0x6a, 0x0f, 0x7d, 0xa8, 0x66, 0xf5, 0x31, 0xae, 0x9e, 0xcf, 0x82, 0x57, 0x70, 0xb0, 0xa2,
0x9e, 0xbd, 0x83, 0x9f, 0x01, 0x00, 0x00, 0xff, 0xff, 0x97, 0x10, 0xcc, 0x28, 0xa5, 0x05, 0x00,
0x00,
}
func (m *Sidecar) Marshal() (dAtA []byte, err error) {
@ -1140,18 +1012,6 @@ func (m *Sidecar) MarshalToSizedBuffer(dAtA []byte) (int, error) {
i -= len(m.XXX_unrecognized)
copy(dAtA[i:], m.XXX_unrecognized)
}
if m.InboundTls != nil {
{
size, err := m.InboundTls.MarshalToSizedBuffer(dAtA[:i])
if err != nil {
return 0, err
}
i -= size
i = encodeVarintSidecar(dAtA, i, uint64(size))
}
i--
dAtA[i] = 0x2a
}
if m.OutboundTrafficPolicy != nil {
{
size, err := m.OutboundTrafficPolicy.MarshalToSizedBuffer(dAtA[:i])
@ -1231,18 +1091,6 @@ func (m *IstioIngressListener) MarshalToSizedBuffer(dAtA []byte) (int, error) {
i -= len(m.XXX_unrecognized)
copy(dAtA[i:], m.XXX_unrecognized)
}
if m.InboundTls != nil {
{
size, err := m.InboundTls.MarshalToSizedBuffer(dAtA[:i])
if err != nil {
return 0, err
}
i -= size
i = encodeVarintSidecar(dAtA, i, uint64(size))
}
i--
dAtA[i] = 0x2a
}
if len(m.DefaultEndpoint) > 0 {
i -= len(m.DefaultEndpoint)
copy(dAtA[i:], m.DefaultEndpoint)
@ -1464,10 +1312,6 @@ func (m *Sidecar) Size() (n int) {
l = m.OutboundTrafficPolicy.Size()
n += 1 + l + sovSidecar(uint64(l))
}
if m.InboundTls != nil {
l = m.InboundTls.Size()
n += 1 + l + sovSidecar(uint64(l))
}
if m.XXX_unrecognized != nil {
n += len(m.XXX_unrecognized)
}
@ -1495,10 +1339,6 @@ func (m *IstioIngressListener) Size() (n int) {
if l > 0 {
n += 1 + l + sovSidecar(uint64(l))
}
if m.InboundTls != nil {
l = m.InboundTls.Size()
n += 1 + l + sovSidecar(uint64(l))
}
if m.XXX_unrecognized != nil {
n += len(m.XXX_unrecognized)
}
@ -1748,42 +1588,6 @@ func (m *Sidecar) Unmarshal(dAtA []byte) error {
return err
}
iNdEx = postIndex
case 5:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field InboundTls", wireType)
}
var msglen int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowSidecar
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
msglen |= int(b&0x7F) << shift
if b < 0x80 {
break
}
}
if msglen < 0 {
return ErrInvalidLengthSidecar
}
postIndex := iNdEx + msglen
if postIndex < 0 {
return ErrInvalidLengthSidecar
}
if postIndex > l {
return io.ErrUnexpectedEOF
}
if m.InboundTls == nil {
m.InboundTls = &Server_TLSOptions{}
}
if err := m.InboundTls.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
return err
}
iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipSidecar(dAtA[iNdEx:])
@ -1957,42 +1761,6 @@ func (m *IstioIngressListener) Unmarshal(dAtA []byte) error {
}
m.DefaultEndpoint = string(dAtA[iNdEx:postIndex])
iNdEx = postIndex
case 5:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field InboundTls", wireType)
}
var msglen int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowSidecar
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
msglen |= int(b&0x7F) << shift
if b < 0x80 {
break
}
}
if msglen < 0 {
return ErrInvalidLengthSidecar
}
postIndex := iNdEx + msglen
if postIndex < 0 {
return ErrInvalidLengthSidecar
}
if postIndex > l {
return io.ErrUnexpectedEOF
}
if m.InboundTls == nil {
m.InboundTls = &Server_TLSOptions{}
}
if err := m.InboundTls.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
return err
}
iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipSidecar(dAtA[iNdEx:])
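Review bot: Field number 5 is dropped from both `Sidecar` and `IstioIngressListener` (the removed `InboundTls` struct fields tagged `bytes,5` and the removed `case 5:` branches in both `Unmarshal` functions), but nothing in view reserves that tag, so a future field assigned number 5 would silently reinterpret any already-serialized `inbound_tls` payload as the new field; the `.proto` source is outside this chunk, so confirm it now carries `reserved 5;` and `reserved "inbound_tls";` in both messages. With the `case 5:` branch gone, a resource that still sets `inboundTls` (for example `mode: MUTUAL` with custom certificates) is no longer decoded or rejected here: it falls through to the `default:` skip path and, if the generated code keeps unknown bytes in `XXX_unrecognized` as the surrounding fields suggest, the operator's custom TLS termination is silently discarded rather than surfaced as an error. Whether the CRD schema change elsewhere in this commit makes the API server reject such objects depends on the CRD's unknown-field pruning settings, which are not shown; an explicit validation error for a populated `inboundTls`, or at least a release note, would be the safer path. Both `Unmarshal` functions start and end outside the hunk, and since this file is generated the fix belongs in the proto and validation code, not here.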


@ -129,18 +129,11 @@ spec:
<p>The following example declares a <code>Sidecar</code> configuration in the
<code>prod-us1</code> namespace for all pods with labels <code>app: ratings</code>
belonging to the <code>ratings.prod-us1</code> service. The workload accepts
inbound HTTP traffic on port 9080 without any authentication, and
HTTPS traffic on port 9443 with one-way TLS termination using
custom certificates. <em>To accomplish custom TLS termination on this
workload, the <code>PeerAuthentication</code> security policy must be declared
to disable Istio mutual TLS on these two ports. Any other
auto-generated listener for this workload will still obey the
mutual TLS termination requirements set forth in the
PeerAuthentication policy</em>. The traffic is then forwarded to the
attached workload instance listening on a Unix domain socket. In
the egress direction, in addition to the <code>istio-system</code> namespace,
the sidecar proxies only HTTP traffic bound for port 9080 for
services in the <code>prod-us1</code> namespace.</p>
inbound HTTP traffic on port 9080. The traffic is then forwarded to
the attached workload instance listening on a Unix domain
socket. In the egress direction, in addition to the <code>istio-system</code>
namespace, the sidecar proxies only HTTP traffic bound for port
9080 for services in the <code>prod-us1</code> namespace.</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
@ -160,15 +153,6 @@ spec:
protocol: HTTP
name: somename
defaultEndpoint: unix:///var/run/someuds.sock
- port:
number: 9443
protocol: HTTPS
name: httpsport
inboundTls:
mode: SIMPLE # overrides namespace default
serverCertificate: /etc/certs/servercert.pem
privateKey: /etc/certs/privatekey.pem
defaultEndpoint: unix:///var/run/someuds.sock
egress:
- port:
number: 9080
@ -199,15 +183,6 @@ spec:
protocol: HTTP
name: somename
defaultEndpoint: unix:///var/run/someuds.sock
- port:
number: 9443
protocol: HTTPS
name: httpsport
inboundTls:
mode: SIMPLE # overrides namespace default
serverCertificate: /etc/certs/servercert.pem
privateKey: /etc/certs/privatekey.pem
defaultEndpoint: unix:///var/run/someuds.sock
egress:
- port:
number: 9080
@ -222,80 +197,6 @@ spec:
<p>{{</tab>}}
{{</tabset>}}</p>
<p>and the associated PeerAuthentication security policy to ensure
that mutual TLS based authentication is not configured for ports
9080 and 9443:</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: ratings-istio-mtls-exception
namespace: prod-us1
spec:
selector:
matchLabels:
app: ratings
# other ports inherit the settings from namespace-wide policy.
portLevelMtls:
9080:
mode: DISABLE
9443:
mode: DISABLE
</code></pre>
<p>and the associated DestinationRule to ensure that the clients use
the appropriate TLS settings:</p>
<p>{{<tabset category-name="example">}}
{{<tab name="v1alpha3" category-value="v1alpha3">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: ratings-istio-mtls-exception
namespace: prod-us1
spec:
host: ratings.prod-us1.svc.cluster.local
trafficPolicy:
portLevelSettings:
- port:
number: 9080
tls:
mode: DISABLE
- port:
number: 9443
tls:
mode: SIMPLE
caCertificates: /etc/certs/ca-certs.pem
</code></pre>
<p>{{</tab>}}</p>
<p>{{<tab name="v1beta1" category-value="v1beta1">}}</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
name: ratings-istio-mtls-exception
namespace: prod-us1
spec:
host: ratings.prod-us1.svc.cluster.local
trafficPolicy:
portLevelSettings:
- port:
number: 9080
tls:
mode: DISABLE
- port:
number: 9443
tls:
mode: SIMPLE
caCertificates: /etc/certs/ca-certs.pem
</code></pre>
<p>{{</tab>}}
{{</tabset>}}</p>
<p>If the workload is deployed without IPTables-based traffic capture,
the <code>Sidecar</code> configuration is the only way to configure the ports
on the proxy attached to the workload instance. The following
@ -719,20 +620,6 @@ connections. Format should be <code>127.0.0.1:PORT</code> or <code>unix:///path/
Yes
</td>
</tr>
<tr id="IstioIngressListener-inbound_tls">
<td><code>inboundTls</code></td>
<td><code><a href="https://istio.io/docs/reference/config/networking/gateway.html#Server-TLSOptions">TLSOptions</a></code></td>
<td>
<p>Overrides Sidecar level <code>inboundTls</code> settings. Has same
restrictions as the Sidecar level inboundTls,
i.e. PeerAuthentication policy takes precedance unless explicitly
disabled.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
@ -870,23 +757,6 @@ application to its requested destination. If not specified,
inherits the system detected defaults from the namespace-wide or
the global default Sidecar.</p>
</td>
<td>
No
</td>
</tr>
<tr id="Sidecar-inbound_tls">
<td><code>inboundTls</code></td>
<td><code><a href="https://istio.io/docs/reference/config/networking/gateway.html#Server-TLSOptions">TLSOptions</a></code></td>
<td>
<p>Set of TLS related options that allow a listener to terminate
SIMPLE or MUTUAL TLS connections at the
sidecar. <code>PeerAuthentication</code> policy&rsquo;s settings take precedance
over custom TLS settings for the workload. When the
PeerAuthentication policy disables mTLS tunneling for one or more
ports in the workload, the TLS settings specified here will be
applied.</p>
</td>
<td>
No


@ -141,18 +141,11 @@ import "networking/v1alpha3/virtual_service.proto";
// The following example declares a `Sidecar` configuration in the
// `prod-us1` namespace for all pods with labels `app: ratings`
// belonging to the `ratings.prod-us1` service. The workload accepts
// inbound HTTP traffic on port 9080 without any authentication, and
// HTTPS traffic on port 9443 with one-way TLS termination using
// custom certificates. _To accomplish custom TLS termination on this
// workload, the `PeerAuthentication` security policy must be declared
// to disable Istio mutual TLS on these two ports. Any other
// auto-generated listener for this workload will still obey the
// mutual TLS termination requirements set forth in the
// PeerAuthentication policy_. The traffic is then forwarded to the
// attached workload instance listening on a Unix domain socket. In
// the egress direction, in addition to the `istio-system` namespace,
// the sidecar proxies only HTTP traffic bound for port 9080 for
// services in the `prod-us1` namespace.
// inbound HTTP traffic on port 9080. The traffic is then forwarded to
// the attached workload instance listening on a Unix domain
// socket. In the egress direction, in addition to the `istio-system`
// namespace, the sidecar proxies only HTTP traffic bound for port
// 9080 for services in the `prod-us1` namespace.
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
@ -172,15 +165,6 @@ import "networking/v1alpha3/virtual_service.proto";
// protocol: HTTP
// name: somename
// defaultEndpoint: unix:///var/run/someuds.sock
// - port:
// number: 9443
// protocol: HTTPS
// name: httpsport
// inboundTls:
// mode: SIMPLE # overrides namespace default
// serverCertificate: /etc/certs/servercert.pem
// privateKey: /etc/certs/privatekey.pem
// defaultEndpoint: unix:///var/run/someuds.sock
// egress:
// - port:
// number: 9080
@ -210,15 +194,6 @@ import "networking/v1alpha3/virtual_service.proto";
// protocol: HTTP
// name: somename
// defaultEndpoint: unix:///var/run/someuds.sock
// - port:
// number: 9443
// protocol: HTTPS
// name: httpsport
// inboundTls:
// mode: SIMPLE # overrides namespace default
// serverCertificate: /etc/certs/servercert.pem
// privateKey: /etc/certs/privatekey.pem
// defaultEndpoint: unix:///var/run/someuds.sock
// egress:
// - port:
// number: 9080
@ -232,80 +207,6 @@ import "networking/v1alpha3/virtual_service.proto";
// {{</tab>}}
// {{</tabset>}}
//
// and the associated PeerAuthentication security policy to ensure
// that mutual TLS based authentication is not configured for ports
// 9080 and 9443:
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
// name: ratings-istio-mtls-exception
// namespace: prod-us1
// spec:
// selector:
// matchLabels:
// app: ratings
// # other ports inherit the settings from namespace-wide policy.
// portLevelMtls:
// 9080:
// mode: DISABLE
// 9443:
// mode: DISABLE
// ```
//
// and the associated DestinationRule to ensure that the clients use
// the appropriate TLS settings:
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: DestinationRule
// metadata:
// name: ratings-istio-mtls-exception
// namespace: prod-us1
// spec:
// host: ratings.prod-us1.svc.cluster.local
// trafficPolicy:
// portLevelSettings:
// - port:
// number: 9080
// tls:
// mode: DISABLE
// - port:
// number: 9443
// tls:
// mode: SIMPLE
// caCertificates: /etc/certs/ca-certs.pem
// ```
//
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: DestinationRule
// metadata:
// name: ratings-istio-mtls-exception
// namespace: prod-us1
// spec:
// host: ratings.prod-us1.svc.cluster.local
// trafficPolicy:
// portLevelSettings:
// - port:
// number: 9080
// tls:
// mode: DISABLE
// - port:
// number: 9443
// tls:
// mode: SIMPLE
// caCertificates: /etc/certs/ca-certs.pem
// ```
// {{</tab>}}
// {{</tabset>}}
//
// If the workload is deployed without IPTables-based traffic capture,
// the `Sidecar` configuration is the only way to configure the ports
// on the proxy attached to the workload instance. The following
@ -553,15 +454,6 @@ message Sidecar {
// inherits the system detected defaults from the namespace-wide or
// the global default Sidecar.
OutboundTrafficPolicy outbound_traffic_policy = 4;
// Set of TLS related options that allow a listener to terminate
// SIMPLE or MUTUAL TLS connections at the
// sidecar. `PeerAuthentication` policy's settings take precedance
// over custom TLS settings for the workload. When the
// PeerAuthentication policy disables mTLS tunneling for one or more
// ports in the workload, the TLS settings specified here will be
// applied.
Server.TLSOptions inbound_tls = 5;
}
// `IstioIngressListener` specifies the properties of an inbound
@ -588,12 +480,6 @@ message IstioIngressListener {
// or Unix domain socket where the application workload instance is listening for
// connections. Format should be `127.0.0.1:PORT` or `unix:///path/to/socket`
string default_endpoint = 4 [(google.api.field_behavior) = REQUIRED];
// Overrides Sidecar level `inboundTls` settings. Has same
// restrictions as the Sidecar level inboundTls,
// i.e. PeerAuthentication policy takes precedance unless explicitly
// disabled.
Server.TLSOptions inbound_tls = 5;
}
// `IstioEgressListener` specifies the properties of an outbound traffic
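Review bot: Field number 5 is dropped from `message Sidecar` (the `-553,15` hunk) and from `message IstioIngressListener` (the `-588,12` hunk) without being reserved, so a later addition in either message could silently reuse the number that stored `inbound_tls` objects and any in-flight clients still emit, and the old bytes would then be decoded as the new field's type. Each message should keep `reserved 5;` and `reserved "inbound_tls";` where the field used to be so the number and JSON name stay unusable. The `Server.TLSOptions` type is still referenced from gateway.proto, so nothing else in this file needs to change for that. Both message bodies open above their hunks, so check that no other field in the unseen part already carries number 5.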


@ -118,18 +118,11 @@
// The following example declares a `Sidecar` configuration in the
// `prod-us1` namespace for all pods with labels `app: ratings`
// belonging to the `ratings.prod-us1` service. The workload accepts
// inbound HTTP traffic on port 9080 without any authentication, and
// HTTPS traffic on port 9443 with one-way TLS termination using
// custom certificates. _To accomplish custom TLS termination on this
// workload, the `PeerAuthentication` security policy must be declared
// to disable Istio mutual TLS on these two ports. Any other
// auto-generated listener for this workload will still obey the
// mutual TLS termination requirements set forth in the
// PeerAuthentication policy_. The traffic is then forwarded to the
// attached workload instance listening on a Unix domain socket. In
// the egress direction, in addition to the `istio-system` namespace,
// the sidecar proxies only HTTP traffic bound for port 9080 for
// services in the `prod-us1` namespace.
// inbound HTTP traffic on port 9080. The traffic is then forwarded to
// the attached workload instance listening on a Unix domain
// socket. In the egress direction, in addition to the `istio-system`
// namespace, the sidecar proxies only HTTP traffic bound for port
// 9080 for services in the `prod-us1` namespace.
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
@ -149,15 +142,6 @@
// protocol: HTTP
// name: somename
// defaultEndpoint: unix:///var/run/someuds.sock
// - port:
// number: 9443
// protocol: HTTPS
// name: httpsport
// inboundTls:
// mode: SIMPLE # overrides namespace default
// serverCertificate: /etc/certs/servercert.pem
// privateKey: /etc/certs/privatekey.pem
// defaultEndpoint: unix:///var/run/someuds.sock
// egress:
// - port:
// number: 9080
@ -187,15 +171,6 @@
// protocol: HTTP
// name: somename
// defaultEndpoint: unix:///var/run/someuds.sock
// - port:
// number: 9443
// protocol: HTTPS
// name: httpsport
// inboundTls:
// mode: SIMPLE # overrides namespace default
// serverCertificate: /etc/certs/servercert.pem
// privateKey: /etc/certs/privatekey.pem
// defaultEndpoint: unix:///var/run/someuds.sock
// egress:
// - port:
// number: 9080
@ -209,80 +184,6 @@
// {{</tab>}}
// {{</tabset>}}
//
// and the associated PeerAuthentication security policy to ensure
// that mutual TLS based authentication is not configured for ports
// 9080 and 9443:
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
// name: ratings-istio-mtls-exception
// namespace: prod-us1
// spec:
// selector:
// matchLabels:
// app: ratings
// # other ports inherit the settings from namespace-wide policy.
// portLevelMtls:
// 9080:
// mode: DISABLE
// 9443:
// mode: DISABLE
// ```
//
// and the associated DestinationRule to ensure that the clients use
// the appropriate TLS settings:
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: DestinationRule
// metadata:
// name: ratings-istio-mtls-exception
// namespace: prod-us1
// spec:
// host: ratings.prod-us1.svc.cluster.local
// trafficPolicy:
// portLevelSettings:
// - port:
// number: 9080
// tls:
// mode: DISABLE
// - port:
// number: 9443
// tls:
// mode: SIMPLE
// caCertificates: /etc/certs/ca-certs.pem
// ```
//
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: DestinationRule
// metadata:
// name: ratings-istio-mtls-exception
// namespace: prod-us1
// spec:
// host: ratings.prod-us1.svc.cluster.local
// trafficPolicy:
// portLevelSettings:
// - port:
// number: 9080
// tls:
// mode: DISABLE
// - port:
// number: 9443
// tls:
// mode: SIMPLE
// caCertificates: /etc/certs/ca-certs.pem
// ```
// {{</tab>}}
// {{</tabset>}}
//
// If the workload is deployed without IPTables-based traffic capture,
// the `Sidecar` configuration is the only way to configure the ports
// on the proxy attached to the workload instance. The following


@ -118,18 +118,11 @@
// The following example declares a `Sidecar` configuration in the
// `prod-us1` namespace for all pods with labels `app: ratings`
// belonging to the `ratings.prod-us1` service. The workload accepts
// inbound HTTP traffic on port 9080 without any authentication, and
// HTTPS traffic on port 9443 with one-way TLS termination using
// custom certificates. _To accomplish custom TLS termination on this
// workload, the `PeerAuthentication` security policy must be declared
// to disable Istio mutual TLS on these two ports. Any other
// auto-generated listener for this workload will still obey the
// mutual TLS termination requirements set forth in the
// PeerAuthentication policy_. The traffic is then forwarded to the
// attached workload instance listening on a Unix domain socket. In
// the egress direction, in addition to the `istio-system` namespace,
// the sidecar proxies only HTTP traffic bound for port 9080 for
// services in the `prod-us1` namespace.
// inbound HTTP traffic on port 9080. The traffic is then forwarded to
// the attached workload instance listening on a Unix domain
// socket. In the egress direction, in addition to the `istio-system`
// namespace, the sidecar proxies only HTTP traffic bound for port
// 9080 for services in the `prod-us1` namespace.
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
@ -149,15 +142,6 @@
// protocol: HTTP
// name: somename
// defaultEndpoint: unix:///var/run/someuds.sock
// - port:
// number: 9443
// protocol: HTTPS
// name: httpsport
// inboundTls:
// mode: SIMPLE # overrides namespace default
// serverCertificate: /etc/certs/servercert.pem
// privateKey: /etc/certs/privatekey.pem
// defaultEndpoint: unix:///var/run/someuds.sock
// egress:
// - port:
// number: 9080
@ -187,15 +171,6 @@
// protocol: HTTP
// name: somename
// defaultEndpoint: unix:///var/run/someuds.sock
// - port:
// number: 9443
// protocol: HTTPS
// name: httpsport
// inboundTls:
// mode: SIMPLE # overrides namespace default
// serverCertificate: /etc/certs/servercert.pem
// privateKey: /etc/certs/privatekey.pem
// defaultEndpoint: unix:///var/run/someuds.sock
// egress:
// - port:
// number: 9080
@ -209,80 +184,6 @@
// {{</tab>}}
// {{</tabset>}}
//
// and the associated PeerAuthentication security policy to ensure
// that mutual TLS based authentication is not configured for ports
// 9080 and 9443:
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
// name: ratings-istio-mtls-exception
// namespace: prod-us1
// spec:
// selector:
// matchLabels:
// app: ratings
// # other ports inherit the settings from namespace-wide policy.
// portLevelMtls:
// 9080:
// mode: DISABLE
// 9443:
// mode: DISABLE
// ```
//
// and the associated DestinationRule to ensure that the clients use
// the appropriate TLS settings:
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: DestinationRule
// metadata:
// name: ratings-istio-mtls-exception
// namespace: prod-us1
// spec:
// host: ratings.prod-us1.svc.cluster.local
// trafficPolicy:
// portLevelSettings:
// - port:
// number: 9080
// tls:
// mode: DISABLE
// - port:
// number: 9443
// tls:
// mode: SIMPLE
// caCertificates: /etc/certs/ca-certs.pem
// ```
//
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: DestinationRule
// metadata:
// name: ratings-istio-mtls-exception
// namespace: prod-us1
// spec:
// host: ratings.prod-us1.svc.cluster.local
// trafficPolicy:
// portLevelSettings:
// - port:
// number: 9080
// tls:
// mode: DISABLE
// - port:
// number: 9443
// tls:
// mode: SIMPLE
// caCertificates: /etc/certs/ca-certs.pem
// ```
// {{</tab>}}
// {{</tabset>}}
//
// If the workload is deployed without IPTables-based traffic capture,
// the `Sidecar` configuration is the only way to configure the ports
// on the proxy attached to the workload instance. The following


@ -102,7 +102,7 @@
}
},
"httpsRedirect": {
"description": "If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. Not applicable in Sidecar API.",
"description": "If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS.",
"type": "boolean"
},
"serverCertificate": {


@ -357,9 +357,7 @@ type Server_TLSOptions_TLSmode int32
const (
// The SNI string presented by the client will be used as the
// match criterion in a VirtualService TLS route to determine
// the destination service from the service registry. On a
// sidecar, TLS traffic will be forwarded as is to the default
// endpoint defined in the Ingress Listener.
// the destination service from the service registry.
Server_TLSOptions_PASSTHROUGH Server_TLSOptions_TLSmode = 0
// Secure connections with standard TLS semantics.
Server_TLSOptions_SIMPLE Server_TLSOptions_TLSmode = 1
@ -376,8 +374,7 @@ const (
// between services in disparate L3 networks that otherwise do
// not have direct connectivity between their respective
// endpoints. Use of this mode assumes that both the source and
// the destination are using Istio mTLS to secure traffic. Not
// applicable in Sidecar API.
// the destination are using Istio mTLS to secure traffic.
Server_TLSOptions_AUTO_PASSTHROUGH Server_TLSOptions_TLSmode = 3
// Secure connections from the downstream using mutual TLS by
// presenting server certificates for authentication. Compared
@ -792,8 +789,7 @@ func (m *Server) GetDefaultEndpoint() string {
type Server_TLSOptions struct {
// If set to true, the load balancer will send a 301 redirect for
// all http connections, asking the clients to use HTTPS. Not
// applicable in Sidecar API.
// all http connections, asking the clients to use HTTPS.
HttpsRedirect bool `protobuf:"varint,1,opt,name=https_redirect,json=httpsRedirect,proto3" json:"https_redirect,omitempty"`
// Optional: Indicates whether connections to this port should be
// secured using TLS. The value of this field determines how TLS is


@ -564,17 +564,14 @@ message Server {
message TLSOptions {
// If set to true, the load balancer will send a 301 redirect for
// all http connections, asking the clients to use HTTPS. Not
// applicable in Sidecar API.
// all http connections, asking the clients to use HTTPS.
bool https_redirect = 1;
// TLS modes enforced by the proxy
enum TLSmode {
// The SNI string presented by the client will be used as the
// match criterion in a VirtualService TLS route to determine
// the destination service from the service registry. On a
// sidecar, TLS traffic will be forwarded as is to the default
// endpoint defined in the Ingress Listener.
// the destination service from the service registry.
PASSTHROUGH = 0;
// Secure connections with standard TLS semantics.
@ -594,8 +591,7 @@ message Server {
// between services in disparate L3 networks that otherwise do
// not have direct connectivity between their respective
// endpoints. Use of this mode assumes that both the source and
// the destination are using Istio mTLS to secure traffic. Not
// applicable in Sidecar API.
// the destination are using Istio mTLS to secure traffic.
AUTO_PASSTHROUGH = 3;
// Secure connections from the downstream using mutual TLS by


@ -36,98 +36,6 @@
}
}
},
"istio.networking.v1beta1.Server.TLSOptions": {
"type": "object",
"properties": {
"mode": {
"$ref": "#/components/schemas/istio.networking.v1beta1.Server.TLSOptions.TLSmode"
},
"privateKey": {
"description": "REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file holding the server's private key.",
"type": "string",
"format": "string"
},
"caCertificates": {
"description": "REQUIRED if mode is `MUTUAL`. The path to a file containing certificate authority certificates to use in verifying a presented client side certificate.",
"type": "string",
"format": "string"
},
"subjectAltNames": {
"description": "A list of alternate names to verify the subject identity in the certificate presented by the client.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"httpsRedirect": {
"description": "If set to true, the load balancer will send a 301 redirect for all http connections, asking the clients to use HTTPS. Not applicable in Sidecar API.",
"type": "boolean"
},
"serverCertificate": {
"description": "REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file holding the server-side TLS certificate to use.",
"type": "string",
"format": "string"
},
"credentialName": {
"description": "The credentialName stands for a unique identifier that can be used to identify the serverCertificate and the privateKey. The credentialName appended with suffix \"-cacert\" is used to identify the CaCertificates associated with this server. Proxies capable of fetching credentials from a remote credential store such as Kubernetes secrets, will be configured to retrieve the serverCertificate and the privateKey using credentialName, instead of using the file system paths specified above. If using mutual TLS, proxy instances will retrieve the CaCertificates using credentialName-cacert. The semantics of the name are platform dependent. In Kubernetes, the default Istio supplied credential server expects the credentialName to match the name of the Kubernetes secret that holds the server certificate, the private key, and the CA certificate (if using mutual TLS). Set the `ISTIO_META_USER_SDS` metadata variable in the proxy to enable the dynamic credential fetching feature.",
"type": "string",
"format": "string"
},
"verifyCertificateSpki": {
"description": "An optional list of base64-encoded SHA-256 hashes of the SKPIs of authorized client certificates. Note: When both verify_certificate_hash and verify_certificate_spki are specified, a hash matching either value will result in the certificate being accepted.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"verifyCertificateHash": {
"description": "An optional list of hex-encoded SHA-256 hashes of the authorized client certificates. Both simple and colon separated formats are acceptable. Note: When both verify_certificate_hash and verify_certificate_spki are specified, a hash matching either value will result in the certificate being accepted.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
},
"minProtocolVersion": {
"$ref": "#/components/schemas/istio.networking.v1beta1.Server.TLSOptions.TLSProtocol"
},
"maxProtocolVersion": {
"$ref": "#/components/schemas/istio.networking.v1beta1.Server.TLSOptions.TLSProtocol"
},
"cipherSuites": {
"description": "Optional: If specified, only support the specified cipher list. Otherwise default to the default cipher list supported by Envoy.",
"type": "array",
"items": {
"type": "string",
"format": "string"
}
}
}
},
"istio.networking.v1beta1.Server.TLSOptions.TLSmode": {
"description": "TLS modes enforced by the proxy",
"type": "string",
"enum": [
"PASSTHROUGH",
"SIMPLE",
"MUTUAL",
"AUTO_PASSTHROUGH",
"ISTIO_MUTUAL"
]
},
"istio.networking.v1beta1.Server.TLSOptions.TLSProtocol": {
"description": "TLS protocol versions.",
"type": "string",
"enum": [
"TLS_AUTO",
"TLSV1_0",
"TLSV1_1",
"TLSV1_2",
"TLSV1_3"
]
},
"istio.networking.v1beta1.Sidecar": {
"description": "`Sidecar` describes the configuration of the sidecar proxy that mediates inbound and outbound communication of the workload instance to which it is attached.",
"type": "object",
@ -151,9 +59,6 @@
},
"outboundTrafficPolicy": {
"$ref": "#/components/schemas/istio.networking.v1beta1.OutboundTrafficPolicy"
},
"inboundTls": {
"$ref": "#/components/schemas/istio.networking.v1beta1.Server.TLSOptions"
}
}
},
@ -188,9 +93,6 @@
"type": "string",
"format": "string"
},
"inboundTls": {
"$ref": "#/components/schemas/istio.networking.v1beta1.Server.TLSOptions"
},
"captureMode": {
"$ref": "#/components/schemas/istio.networking.v1beta1.CaptureMode"
}


@ -118,18 +118,11 @@
// The following example declares a `Sidecar` configuration in the
// `prod-us1` namespace for all pods with labels `app: ratings`
// belonging to the `ratings.prod-us1` service. The workload accepts
// inbound HTTP traffic on port 9080 without any authentication, and
// HTTPS traffic on port 9443 with one-way TLS termination using
// custom certificates. _To accomplish custom TLS termination on this
// workload, the `PeerAuthentication` security policy must be declared
// to disable Istio mutual TLS on these two ports. Any other
// auto-generated listener for this workload will still obey the
// mutual TLS termination requirements set forth in the
// PeerAuthentication policy_. The traffic is then forwarded to the
// attached workload instance listening on a Unix domain socket. In
// the egress direction, in addition to the `istio-system` namespace,
// the sidecar proxies only HTTP traffic bound for port 9080 for
// services in the `prod-us1` namespace.
// inbound HTTP traffic on port 9080. The traffic is then forwarded to
// the attached workload instance listening on a Unix domain
// socket. In the egress direction, in addition to the `istio-system`
// namespace, the sidecar proxies only HTTP traffic bound for port
// 9080 for services in the `prod-us1` namespace.
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
@ -149,15 +142,6 @@
// protocol: HTTP
// name: somename
// defaultEndpoint: unix:///var/run/someuds.sock
// - port:
// number: 9443
// protocol: HTTPS
// name: httpsport
// inboundTls:
// mode: SIMPLE # overrides namespace default
// serverCertificate: /etc/certs/servercert.pem
// privateKey: /etc/certs/privatekey.pem
// defaultEndpoint: unix:///var/run/someuds.sock
// egress:
// - port:
// number: 9080
@ -187,15 +171,6 @@
// protocol: HTTP
// name: somename
// defaultEndpoint: unix:///var/run/someuds.sock
// - port:
// number: 9443
// protocol: HTTPS
// name: httpsport
// inboundTls:
// mode: SIMPLE # overrides namespace default
// serverCertificate: /etc/certs/servercert.pem
// privateKey: /etc/certs/privatekey.pem
// defaultEndpoint: unix:///var/run/someuds.sock
// egress:
// - port:
// number: 9080
@ -209,80 +184,6 @@
// {{</tab>}}
// {{</tabset>}}
//
// and the associated PeerAuthentication security policy to ensure
// that mutual TLS based authentication is not configured for ports
// 9080 and 9443:
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
// name: ratings-istio-mtls-exception
// namespace: prod-us1
// spec:
// selector:
// matchLabels:
// app: ratings
// # other ports inherit the settings from namespace-wide policy.
// portLevelMtls:
// 9080:
// mode: DISABLE
// 9443:
// mode: DISABLE
// ```
//
// and the associated DestinationRule to ensure that the clients use
// the appropriate TLS settings:
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: DestinationRule
// metadata:
// name: ratings-istio-mtls-exception
// namespace: prod-us1
// spec:
// host: ratings.prod-us1.svc.cluster.local
// trafficPolicy:
// portLevelSettings:
// - port:
// number: 9080
// tls:
// mode: DISABLE
// - port:
// number: 9443
// tls:
// mode: SIMPLE
// caCertificates: /etc/certs/ca-certs.pem
// ```
//
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: DestinationRule
// metadata:
// name: ratings-istio-mtls-exception
// namespace: prod-us1
// spec:
// host: ratings.prod-us1.svc.cluster.local
// trafficPolicy:
// portLevelSettings:
// - port:
// number: 9080
// tls:
// mode: DISABLE
// - port:
// number: 9443
// tls:
// mode: SIMPLE
// caCertificates: /etc/certs/ca-certs.pem
// ```
// {{</tab>}}
// {{</tabset>}}
//
// If the workload is deployed without IPTables-based traffic capture,
// the `Sidecar` configuration is the only way to configure the ports
// on the proxy attached to the workload instance. The following
@ -611,17 +512,9 @@ type Sidecar struct {
// inherits the system detected defaults from the namespace-wide or
// the global default Sidecar.
OutboundTrafficPolicy *OutboundTrafficPolicy `protobuf:"bytes,4,opt,name=outbound_traffic_policy,json=outboundTrafficPolicy,proto3" json:"outbound_traffic_policy,omitempty"`
// Set of TLS related options that allow a listener to terminate
// SIMPLE or MUTUAL TLS connections at the
// sidecar. `PeerAuthentication` policy's settings take precedance
// over custom TLS settings for the workload. When the
// PeerAuthentication policy disables mTLS tunneling for one or more
// ports in the workload, the TLS settings specified here will be
// applied.
InboundTls *Server_TLSOptions `protobuf:"bytes,5,opt,name=inbound_tls,json=inboundTls,proto3" json:"inbound_tls,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"`
XXX_sizecache int32 `json:"-"`
XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"`
XXX_sizecache int32 `json:"-"`
}
func (m *Sidecar) Reset() { *m = Sidecar{} }
@ -685,13 +578,6 @@ func (m *Sidecar) GetOutboundTrafficPolicy() *OutboundTrafficPolicy {
return nil
}
func (m *Sidecar) GetInboundTls() *Server_TLSOptions {
if m != nil {
return m.InboundTls
}
return nil
}
// `IstioIngressListener` specifies the properties of an inbound
// traffic listener on the sidecar proxy attached to a workload instance.
type IstioIngressListener struct {
@ -712,15 +598,10 @@ type IstioIngressListener struct {
// redirect traffic arriving at the bind `IP:Port` on the sidecar to a `localhost:port`
// or Unix domain socket where the application workload instance is listening for
// connections. Format should be `127.0.0.1:PORT` or `unix:///path/to/socket`
DefaultEndpoint string `protobuf:"bytes,4,opt,name=default_endpoint,json=defaultEndpoint,proto3" json:"default_endpoint,omitempty"`
// Overrides Sidecar level `inboundTls` settings. Has same
// restrictions as the Sidecar level inboundTls,
// i.e. PeerAuthentication policy takes precedance unless explicitly
// disabled.
InboundTls *Server_TLSOptions `protobuf:"bytes,5,opt,name=inbound_tls,json=inboundTls,proto3" json:"inbound_tls,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"`
XXX_sizecache int32 `json:"-"`
DefaultEndpoint string `protobuf:"bytes,4,opt,name=default_endpoint,json=defaultEndpoint,proto3" json:"default_endpoint,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"`
XXX_sizecache int32 `json:"-"`
}
func (m *IstioIngressListener) Reset() { *m = IstioIngressListener{} }
@ -784,13 +665,6 @@ func (m *IstioIngressListener) GetDefaultEndpoint() string {
return ""
}
func (m *IstioIngressListener) GetInboundTls() *Server_TLSOptions {
if m != nil {
return m.InboundTls
}
return nil
}
// `IstioEgressListener` specifies the properties of an outbound traffic
// listener on the sidecar proxy attached to a workload instance.
type IstioEgressListener struct {
@ -1069,50 +943,48 @@ func init() {
func init() { proto.RegisterFile("networking/v1beta1/sidecar.proto", fileDescriptor_e7023408fb338e10) }
var fileDescriptor_e7023408fb338e10 = []byte{
// 675 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x94, 0xcd, 0x6e, 0xd3, 0x4e,
0x14, 0xc5, 0x3b, 0x49, 0xfa, 0x91, 0xeb, 0xf6, 0xff, 0x77, 0x87, 0x56, 0x98, 0x2e, 0xd2, 0x28,
0x12, 0x52, 0x54, 0x54, 0x47, 0x0d, 0x88, 0xaf, 0x5d, 0x4a, 0x0d, 0x8d, 0x64, 0x92, 0xc8, 0x09,
0xaa, 0xca, 0xc6, 0x72, 0xec, 0x49, 0x3a, 0xaa, 0xf1, 0x58, 0x33, 0x93, 0x94, 0xbc, 0x0e, 0x4b,
0x78, 0x0b, 0x56, 0x2c, 0xd9, 0xb0, 0xaf, 0xfa, 0x24, 0x28, 0xe3, 0xa9, 0x5a, 0x4a, 0x02, 0x54,
0x42, 0xec, 0xec, 0xb9, 0xe7, 0x1c, 0x5f, 0xff, 0x66, 0xee, 0x40, 0x39, 0x21, 0xf2, 0x8c, 0xf1,
0x53, 0x9a, 0x0c, 0x6b, 0xe3, 0xbd, 0x3e, 0x91, 0xc1, 0x5e, 0x4d, 0xd0, 0x88, 0x84, 0x01, 0xb7,
0x53, 0xce, 0x24, 0xc3, 0x16, 0x15, 0x92, 0x32, 0xfb, 0x4a, 0x67, 0x6b, 0xdd, 0xd6, 0xf6, 0x90,
0xb1, 0x61, 0x4c, 0x6a, 0x41, 0x4a, 0x6b, 0x03, 0x4a, 0xe2, 0xc8, 0xef, 0x93, 0x93, 0x60, 0x4c,
0x99, 0xb6, 0x6e, 0xcd, 0x0a, 0x1f, 0x06, 0x92, 0x9c, 0x05, 0x13, 0xad, 0xa8, 0xce, 0x50, 0x8c,
0x29, 0x97, 0xa3, 0x20, 0xf6, 0x05, 0xe1, 0x63, 0x1a, 0x92, 0x4c, 0x59, 0xf9, 0x98, 0x87, 0xe5,
0x6e, 0xd6, 0x18, 0x3e, 0x82, 0xf5, 0xa9, 0x29, 0x66, 0x41, 0xe4, 0x0b, 0x12, 0x93, 0x50, 0x32,
0x6e, 0xa1, 0x32, 0xaa, 0x1a, 0xf5, 0x1d, 0x7b, 0x5e, 0xbb, 0xf6, 0x91, 0xb6, 0x74, 0xb5, 0xc3,
0x33, 0xcf, 0x6e, 0xac, 0xe0, 0x43, 0x58, 0xa6, 0xc9, 0x90, 0x13, 0x21, 0xac, 0x5c, 0x39, 0x5f,
0x35, 0xea, 0xf6, 0xfc, 0xb8, 0xe6, 0xb4, 0xd0, 0xcc, 0xd4, 0x2e, 0x15, 0x92, 0x24, 0x84, 0x7b,
0x97, 0x76, 0xec, 0xc0, 0x12, 0xc9, 0x82, 0xf2, 0x2a, 0x68, 0xf7, 0x37, 0x41, 0xce, 0x8f, 0x39,
0xda, 0x8c, 0x87, 0x70, 0x97, 0x8d, 0x64, 0x9f, 0x8d, 0x92, 0xc8, 0x97, 0x3c, 0x18, 0x0c, 0x68,
0xe8, 0xa7, 0x2c, 0xa6, 0xe1, 0xc4, 0x2a, 0xa8, 0xff, 0xad, 0xcd, 0xcf, 0x6d, 0x6b, 0x63, 0x2f,
0xf3, 0x75, 0x94, 0xcd, 0xdb, 0x64, 0xb3, 0x96, 0xb1, 0x0b, 0x06, 0x4d, 0xf4, 0x77, 0x62, 0x61,
0x2d, 0xaa, 0xf0, 0x07, 0xf3, 0xc3, 0xbb, 0x84, 0x8f, 0x09, 0xb7, 0x7b, 0x6e, 0xb7, 0x9d, 0x4a,
0xca, 0x12, 0xe1, 0x81, 0xf6, 0xf7, 0x62, 0x51, 0xf9, 0x94, 0x83, 0x8d, 0x59, 0x7c, 0xf0, 0x13,
0x28, 0xa4, 0x8c, 0x4b, 0xbd, 0x59, 0xa5, 0xf9, 0xf9, 0x1d, 0xc6, 0xe5, 0x7e, 0xfe, 0xbc, 0x91,
0xf3, 0x94, 0x01, 0x63, 0x28, 0xf4, 0x69, 0x12, 0x59, 0xb9, 0x32, 0xaa, 0x16, 0x3d, 0xf5, 0x8c,
0x0f, 0x61, 0x35, 0x0c, 0x52, 0x39, 0xe2, 0xc4, 0x7f, 0xc7, 0x22, 0x62, 0xe5, 0xcb, 0xa8, 0xfa,
0x5f, 0xfd, 0xfe, 0xfc, 0xd0, 0x17, 0x99, 0xfa, 0x35, 0x8b, 0x88, 0x67, 0x84, 0x57, 0x2f, 0xd8,
0x06, 0x33, 0x22, 0x83, 0x60, 0x14, 0x4b, 0x9f, 0x24, 0x51, 0xca, 0x68, 0x22, 0x15, 0xdf, 0x62,
0xd6, 0xc2, 0xff, 0xba, 0xe8, 0xe8, 0xda, 0x5f, 0xa6, 0xf5, 0x19, 0xc1, 0x9d, 0x19, 0x87, 0x00,
0xd7, 0x6f, 0x03, 0xeb, 0x9f, 0x70, 0xba, 0x07, 0x8b, 0x27, 0x4c, 0x48, 0x61, 0x15, 0xca, 0xf9,
0x4b, 0x38, 0xd9, 0x4a, 0xe5, 0x03, 0x02, 0xf3, 0xe6, 0x84, 0xe1, 0x2e, 0x2c, 0xc5, 0x41, 0x9f,
0xc4, 0xc2, 0x42, 0x6a, 0x0a, 0x1e, 0xff, 0xf9, 0x74, 0xda, 0xae, 0x32, 0x3a, 0x89, 0xe4, 0x93,
0xec, 0x43, 0x3a, 0x6a, 0xeb, 0x19, 0x18, 0xd7, 0x6a, 0xd8, 0x84, 0xfc, 0x29, 0x99, 0x28, 0x48,
0x45, 0x6f, 0xfa, 0x88, 0x37, 0x60, 0x71, 0x1c, 0xc4, 0x23, 0xa2, 0x21, 0x64, 0x2f, 0xcf, 0x73,
0x4f, 0x51, 0xe5, 0x1b, 0x82, 0xcd, 0x99, 0x63, 0x81, 0x0f, 0xa1, 0xa0, 0xd8, 0x20, 0xc5, 0xe6,
0xd1, 0x2d, 0xa7, 0xca, 0x56, 0xa8, 0x54, 0xc2, 0x94, 0x76, 0x36, 0xbc, 0x7e, 0xca, 0xd9, 0xfb,
0x89, 0x6a, 0xc2, 0xf8, 0x15, 0xed, 0x03, 0x22, 0x24, 0x4d, 0x82, 0xe9, 0xb9, 0xf0, 0x8c, 0xcc,
0xda, 0x99, 0x3a, 0x2b, 0x55, 0x28, 0x28, 0xea, 0xeb, 0xb0, 0xe6, 0x39, 0xaf, 0x9a, 0xdd, 0x9e,
0x77, 0xec, 0xb7, 0x5b, 0xee, 0xb1, 0xb9, 0x80, 0xd7, 0xa0, 0xd8, 0x70, 0xdd, 0xf6, 0x91, 0xdf,
0x68, 0x1d, 0x9b, 0x68, 0xa7, 0x0e, 0xc6, 0xb5, 0x3d, 0xc3, 0x06, 0x2c, 0x1f, 0x38, 0x2f, 0x1b,
0x6f, 0xdc, 0x9e, 0xb9, 0x80, 0x57, 0x61, 0xa5, 0xd9, 0xe9, 0x35, 0xf6, 0x5d, 0xa7, 0x6b, 0x22,
0xbc, 0x02, 0x85, 0x56, 0xbb, 0xe5, 0x98, 0xb9, 0xfd, 0xdd, 0x2f, 0x17, 0x25, 0xf4, 0xf5, 0xa2,
0x84, 0xce, 0x2f, 0x4a, 0xe8, 0xed, 0x76, 0xd6, 0x1e, 0x65, 0xea, 0x36, 0xff, 0xf9, 0x56, 0xee,
0x2f, 0xa9, 0x6b, 0xf8, 0xe1, 0xf7, 0x00, 0x00, 0x00, 0xff, 0xff, 0xeb, 0x73, 0x3b, 0xe1, 0x31,
0x06, 0x00, 0x00,
// 642 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xbc, 0x94, 0xcd, 0x4e, 0xdb, 0x4a,
0x14, 0xc7, 0x99, 0xc4, 0x7c, 0xe4, 0x18, 0xee, 0x35, 0x73, 0x41, 0xd7, 0x97, 0x45, 0x88, 0x22,
0x5d, 0x29, 0x42, 0xc2, 0x11, 0x69, 0xd5, 0xaf, 0x5d, 0x28, 0x6e, 0x89, 0xe4, 0x26, 0x91, 0x93,
0x0a, 0xd1, 0x8d, 0x35, 0xb1, 0x27, 0x61, 0x84, 0xeb, 0xb1, 0xc6, 0x93, 0xd0, 0xbc, 0x4e, 0x1f,
0xa5, 0xab, 0x2e, 0xbb, 0xe9, 0xae, 0x95, 0x10, 0x4f, 0x52, 0x65, 0xc6, 0x08, 0x4a, 0x93, 0xb6,
0x6c, 0xba, 0xf3, 0xcc, 0x39, 0xbf, 0xff, 0x9c, 0xf3, 0xf7, 0x99, 0x81, 0x4a, 0x42, 0xe5, 0x05,
0x17, 0xe7, 0x2c, 0x19, 0xd5, 0x27, 0x07, 0x03, 0x2a, 0xc9, 0x41, 0x3d, 0x63, 0x11, 0x0d, 0x89,
0x70, 0x52, 0xc1, 0x25, 0xc7, 0x36, 0xcb, 0x24, 0xe3, 0xce, 0x4d, 0x9e, 0x93, 0xe7, 0xed, 0xec,
0x8e, 0x38, 0x1f, 0xc5, 0xb4, 0x4e, 0x52, 0x56, 0x1f, 0x32, 0x1a, 0x47, 0xc1, 0x80, 0x9e, 0x91,
0x09, 0xe3, 0x39, 0xba, 0x33, 0x4f, 0x7c, 0x44, 0x24, 0xbd, 0x20, 0xd3, 0x3c, 0xa3, 0x36, 0x27,
0x63, 0xc2, 0x84, 0x1c, 0x93, 0x38, 0xc8, 0xa8, 0x98, 0xb0, 0x90, 0xea, 0xcc, 0xea, 0x97, 0x02,
0xac, 0xf6, 0x74, 0x61, 0xf8, 0x04, 0x36, 0x67, 0x50, 0xcc, 0x49, 0x14, 0x64, 0x34, 0xa6, 0xa1,
0xe4, 0xc2, 0x46, 0x15, 0x54, 0x33, 0x1b, 0x7b, 0xce, 0xa2, 0x72, 0x9d, 0x93, 0x1c, 0xe9, 0xe5,
0x84, 0x6f, 0x5d, 0xdc, 0xd9, 0xc1, 0xc7, 0xb0, 0xca, 0x92, 0x91, 0xa0, 0x59, 0x66, 0x17, 0x2a,
0xc5, 0x9a, 0xd9, 0x70, 0x16, 0xcb, 0xb5, 0x66, 0x81, 0x96, 0xce, 0xf6, 0x58, 0x26, 0x69, 0x42,
0x85, 0x7f, 0x8d, 0x63, 0x17, 0x56, 0xa8, 0x16, 0x2a, 0x2a, 0xa1, 0xfd, 0x5f, 0x08, 0xb9, 0xdf,
0xeb, 0xe4, 0x30, 0x1e, 0xc1, 0xbf, 0x7c, 0x2c, 0x07, 0x7c, 0x9c, 0x44, 0x81, 0x14, 0x64, 0x38,
0x64, 0x61, 0x90, 0xf2, 0x98, 0x85, 0x53, 0xdb, 0x50, 0xfd, 0xd6, 0x17, 0xeb, 0x76, 0x72, 0xb0,
0xaf, 0xb9, 0xae, 0xc2, 0xfc, 0x6d, 0x3e, 0x6f, 0xbb, 0xfa, 0x15, 0xc1, 0xd6, 0xbc, 0x8e, 0xf0,
0x63, 0x30, 0x52, 0x2e, 0x64, 0x6e, 0x6f, 0x79, 0xf1, 0x71, 0x5d, 0x2e, 0xe4, 0x61, 0xf1, 0xb2,
0x59, 0xf0, 0x15, 0x80, 0x31, 0x18, 0x03, 0x96, 0x44, 0x76, 0xa1, 0x82, 0x6a, 0x25, 0x5f, 0x7d,
0xe3, 0x63, 0x58, 0x0f, 0x49, 0x2a, 0xc7, 0x82, 0x06, 0x6f, 0x79, 0x44, 0xed, 0x62, 0x05, 0xd5,
0xfe, 0x6a, 0xfc, 0xbf, 0x58, 0xf4, 0xb9, 0xce, 0x7e, 0xc5, 0x23, 0xea, 0x9b, 0xe1, 0xcd, 0x02,
0x3b, 0x60, 0x45, 0x74, 0x48, 0xc6, 0xb1, 0x0c, 0x68, 0x12, 0xa5, 0x9c, 0x25, 0x52, 0x39, 0x52,
0xd2, 0x25, 0xfc, 0x9d, 0x07, 0xdd, 0x3c, 0x56, 0xfd, 0x80, 0xe0, 0x9f, 0x39, 0x46, 0xe3, 0xc6,
0x7d, 0xda, 0xfb, 0x23, 0x9d, 0xfd, 0x07, 0xcb, 0x67, 0x3c, 0x93, 0x99, 0x6d, 0x54, 0x8a, 0xd7,
0xed, 0xe8, 0x9d, 0xea, 0x7b, 0x04, 0xd6, 0xdd, 0x29, 0xc6, 0x3d, 0x58, 0x89, 0xc9, 0x80, 0xc6,
0x99, 0x8d, 0xd4, 0xa4, 0x3d, 0xfa, 0xfd, 0x1b, 0xe0, 0x78, 0x0a, 0x74, 0x13, 0x29, 0xa6, 0xfa,
0xa0, 0x5c, 0x6a, 0xe7, 0x29, 0x98, 0xb7, 0x62, 0xd8, 0x82, 0xe2, 0x39, 0x9d, 0x2a, 0x93, 0x4a,
0xfe, 0xec, 0x13, 0x6f, 0xc1, 0xf2, 0x84, 0xc4, 0x63, 0x9a, 0x9b, 0xa0, 0x17, 0xcf, 0x0a, 0x4f,
0x50, 0xf5, 0x33, 0x82, 0xed, 0xb9, 0xa3, 0x87, 0x8f, 0xc1, 0x50, 0xde, 0x20, 0xe5, 0xcd, 0xc3,
0x7b, 0x4e, 0xae, 0xa3, 0xac, 0x52, 0x0a, 0x33, 0xb7, 0xf5, 0x05, 0x09, 0x52, 0xc1, 0xdf, 0x4d,
0x55, 0x11, 0xe6, 0xcf, 0xdc, 0x3e, 0xa2, 0x99, 0x64, 0x09, 0x91, 0x8c, 0x27, 0xbe, 0xa9, 0xd1,
0xee, 0x8c, 0xac, 0xd6, 0xc0, 0x50, 0xae, 0x6f, 0xc2, 0x86, 0xef, 0xbe, 0x6c, 0xf5, 0xfa, 0xfe,
0x69, 0xd0, 0x69, 0x7b, 0xa7, 0xd6, 0x12, 0xde, 0x80, 0x52, 0xd3, 0xf3, 0x3a, 0x27, 0x41, 0xb3,
0x7d, 0x6a, 0xa1, 0xbd, 0x06, 0x98, 0xb7, 0xfe, 0x19, 0x36, 0x61, 0xf5, 0xc8, 0x7d, 0xd1, 0x7c,
0xed, 0xf5, 0xad, 0x25, 0xbc, 0x0e, 0x6b, 0xad, 0x6e, 0xbf, 0x79, 0xe8, 0xb9, 0x3d, 0x0b, 0xe1,
0x35, 0x30, 0xda, 0x9d, 0xb6, 0x6b, 0x15, 0x0e, 0xf7, 0x3f, 0x5e, 0x95, 0xd1, 0xa7, 0xab, 0x32,
0xba, 0xbc, 0x2a, 0xa3, 0x37, 0xbb, 0xba, 0x3c, 0xc6, 0xd5, 0x8b, 0xf9, 0xe3, 0xcb, 0x37, 0x58,
0x51, 0x4f, 0xdd, 0x83, 0x6f, 0x01, 0x00, 0x00, 0xff, 0xff, 0x9d, 0xad, 0x0d, 0xdb, 0x95, 0x05,
0x00, 0x00,
}
func (m *Sidecar) Marshal() (dAtA []byte, err error) {
@ -1139,18 +1011,6 @@ func (m *Sidecar) MarshalToSizedBuffer(dAtA []byte) (int, error) {
i -= len(m.XXX_unrecognized)
copy(dAtA[i:], m.XXX_unrecognized)
}
if m.InboundTls != nil {
{
size, err := m.InboundTls.MarshalToSizedBuffer(dAtA[:i])
if err != nil {
return 0, err
}
i -= size
i = encodeVarintSidecar(dAtA, i, uint64(size))
}
i--
dAtA[i] = 0x2a
}
if m.OutboundTrafficPolicy != nil {
{
size, err := m.OutboundTrafficPolicy.MarshalToSizedBuffer(dAtA[:i])
@ -1230,18 +1090,6 @@ func (m *IstioIngressListener) MarshalToSizedBuffer(dAtA []byte) (int, error) {
i -= len(m.XXX_unrecognized)
copy(dAtA[i:], m.XXX_unrecognized)
}
if m.InboundTls != nil {
{
size, err := m.InboundTls.MarshalToSizedBuffer(dAtA[:i])
if err != nil {
return 0, err
}
i -= size
i = encodeVarintSidecar(dAtA, i, uint64(size))
}
i--
dAtA[i] = 0x2a
}
if len(m.DefaultEndpoint) > 0 {
i -= len(m.DefaultEndpoint)
copy(dAtA[i:], m.DefaultEndpoint)
@ -1463,10 +1311,6 @@ func (m *Sidecar) Size() (n int) {
l = m.OutboundTrafficPolicy.Size()
n += 1 + l + sovSidecar(uint64(l))
}
if m.InboundTls != nil {
l = m.InboundTls.Size()
n += 1 + l + sovSidecar(uint64(l))
}
if m.XXX_unrecognized != nil {
n += len(m.XXX_unrecognized)
}
@ -1494,10 +1338,6 @@ func (m *IstioIngressListener) Size() (n int) {
if l > 0 {
n += 1 + l + sovSidecar(uint64(l))
}
if m.InboundTls != nil {
l = m.InboundTls.Size()
n += 1 + l + sovSidecar(uint64(l))
}
if m.XXX_unrecognized != nil {
n += len(m.XXX_unrecognized)
}
@ -1747,42 +1587,6 @@ func (m *Sidecar) Unmarshal(dAtA []byte) error {
return err
}
iNdEx = postIndex
case 5:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field InboundTls", wireType)
}
var msglen int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowSidecar
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
msglen |= int(b&0x7F) << shift
if b < 0x80 {
break
}
}
if msglen < 0 {
return ErrInvalidLengthSidecar
}
postIndex := iNdEx + msglen
if postIndex < 0 {
return ErrInvalidLengthSidecar
}
if postIndex > l {
return io.ErrUnexpectedEOF
}
if m.InboundTls == nil {
m.InboundTls = &Server_TLSOptions{}
}
if err := m.InboundTls.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
return err
}
iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipSidecar(dAtA[iNdEx:])
@ -1956,42 +1760,6 @@ func (m *IstioIngressListener) Unmarshal(dAtA []byte) error {
}
m.DefaultEndpoint = string(dAtA[iNdEx:postIndex])
iNdEx = postIndex
case 5:
if wireType != 2 {
return fmt.Errorf("proto: wrong wireType = %d for field InboundTls", wireType)
}
var msglen int
for shift := uint(0); ; shift += 7 {
if shift >= 64 {
return ErrIntOverflowSidecar
}
if iNdEx >= l {
return io.ErrUnexpectedEOF
}
b := dAtA[iNdEx]
iNdEx++
msglen |= int(b&0x7F) << shift
if b < 0x80 {
break
}
}
if msglen < 0 {
return ErrInvalidLengthSidecar
}
postIndex := iNdEx + msglen
if postIndex < 0 {
return ErrInvalidLengthSidecar
}
if postIndex > l {
return io.ErrUnexpectedEOF
}
if m.InboundTls == nil {
m.InboundTls = &Server_TLSOptions{}
}
if err := m.InboundTls.Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
return err
}
iNdEx = postIndex
default:
iNdEx = preIndex
skippy, err := skipSidecar(dAtA[iNdEx:])


@ -141,18 +141,11 @@ import "networking/v1beta1/virtual_service.proto";
// The following example declares a `Sidecar` configuration in the
// `prod-us1` namespace for all pods with labels `app: ratings`
// belonging to the `ratings.prod-us1` service. The workload accepts
// inbound HTTP traffic on port 9080 without any authentication, and
// HTTPS traffic on port 9443 with one-way TLS termination using
// custom certificates. _To accomplish custom TLS termination on this
// workload, the `PeerAuthentication` security policy must be declared
// to disable Istio mutual TLS on these two ports. Any other
// auto-generated listener for this workload will still obey the
// mutual TLS termination requirements set forth in the
// PeerAuthentication policy_. The traffic is then forwarded to the
// attached workload instance listening on a Unix domain socket. In
// the egress direction, in addition to the `istio-system` namespace,
// the sidecar proxies only HTTP traffic bound for port 9080 for
// services in the `prod-us1` namespace.
// inbound HTTP traffic on port 9080. The traffic is then forwarded to
// the attached workload instance listening on a Unix domain
// socket. In the egress direction, in addition to the `istio-system`
// namespace, the sidecar proxies only HTTP traffic bound for port
// 9080 for services in the `prod-us1` namespace.
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
@ -172,15 +165,6 @@ import "networking/v1beta1/virtual_service.proto";
// protocol: HTTP
// name: somename
// defaultEndpoint: unix:///var/run/someuds.sock
// - port:
// number: 9443
// protocol: HTTPS
// name: httpsport
// inboundTls:
// mode: SIMPLE # overrides namespace default
// serverCertificate: /etc/certs/servercert.pem
// privateKey: /etc/certs/privatekey.pem
// defaultEndpoint: unix:///var/run/someuds.sock
// egress:
// - port:
// number: 9080
@ -210,15 +194,6 @@ import "networking/v1beta1/virtual_service.proto";
// protocol: HTTP
// name: somename
// defaultEndpoint: unix:///var/run/someuds.sock
// - port:
// number: 9443
// protocol: HTTPS
// name: httpsport
// inboundTls:
// mode: SIMPLE # overrides namespace default
// serverCertificate: /etc/certs/servercert.pem
// privateKey: /etc/certs/privatekey.pem
// defaultEndpoint: unix:///var/run/someuds.sock
// egress:
// - port:
// number: 9080
@ -232,80 +207,6 @@ import "networking/v1beta1/virtual_service.proto";
// {{</tab>}}
// {{</tabset>}}
//
// and the associated PeerAuthentication security policy to ensure
// that mutual TLS based authentication is not configured for ports
// 9080 and 9443:
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
// name: ratings-istio-mtls-exception
// namespace: prod-us1
// spec:
// selector:
// matchLabels:
// app: ratings
// # other ports inherit the settings from namespace-wide policy.
// portLevelMtls:
// 9080:
// mode: DISABLE
// 9443:
// mode: DISABLE
// ```
//
// and the associated DestinationRule to ensure that the clients use
// the appropriate TLS settings:
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: DestinationRule
// metadata:
// name: ratings-istio-mtls-exception
// namespace: prod-us1
// spec:
// host: ratings.prod-us1.svc.cluster.local
// trafficPolicy:
// portLevelSettings:
// - port:
// number: 9080
// tls:
// mode: DISABLE
// - port:
// number: 9443
// tls:
// mode: SIMPLE
// caCertificates: /etc/certs/ca-certs.pem
// ```
//
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: DestinationRule
// metadata:
// name: ratings-istio-mtls-exception
// namespace: prod-us1
// spec:
// host: ratings.prod-us1.svc.cluster.local
// trafficPolicy:
// portLevelSettings:
// - port:
// number: 9080
// tls:
// mode: DISABLE
// - port:
// number: 9443
// tls:
// mode: SIMPLE
// caCertificates: /etc/certs/ca-certs.pem
// ```
// {{</tab>}}
// {{</tabset>}}
//
// If the workload is deployed without IPTables-based traffic capture,
// the `Sidecar` configuration is the only way to configure the ports
// on the proxy attached to the workload instance. The following
@ -552,15 +453,6 @@ message Sidecar {
// inherits the system detected defaults from the namespace-wide or
// the global default Sidecar.
OutboundTrafficPolicy outbound_traffic_policy = 4;
// Set of TLS related options that allow a listener to terminate
// SIMPLE or MUTUAL TLS connections at the
// sidecar. `PeerAuthentication` policy's settings take precedance
// over custom TLS settings for the workload. When the
// PeerAuthentication policy disables mTLS tunneling for one or more
// ports in the workload, the TLS settings specified here will be
// applied.
Server.TLSOptions inbound_tls = 5;
}
// `IstioIngressListener` specifies the properties of an inbound
@ -587,12 +479,6 @@ message IstioIngressListener {
// or Unix domain socket where the application workload instance is listening for
// connections. Format should be `127.0.0.1:PORT` or `unix:///path/to/socket`
string default_endpoint = 4 [(google.api.field_behavior) = REQUIRED];
// Overrides Sidecar level `inboundTls` settings. Has same
// restrictions as the Sidecar level inboundTls,
// i.e. PeerAuthentication policy takes precedance unless explicitly
// disabled.
Server.TLSOptions inbound_tls = 5;
}
// `IstioEgressListener` specifies the properties of an outbound traffic
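Review bot: Dropping `Server.TLSOptions inbound_tls = 5;` from both `Sidecar` and `IstioIngressListener` leaves field number 5 unreserved; the closing brace that ends each message in the last two hunks carries no `reserved` statement. Any resource or proxy built against the API introduced by #1248 can still carry tag 5 as an embedded `Server.TLSOptions`, and if a later change assigns number 5 to a different field that stale payload would be decoded with the wrong type, which for TLS settings is a silent and hard-to-diagnose misconfiguration. Reserve both the number and the JSON/field name in each message, e.g. `reserved 5;` and `reserved "inbound_tls";` immediately before the closing brace, so protoc rejects any reuse. The same applies to the two CRD schema hunks, which should drop the `inboundTls` property but do not need a reservation.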


@ -118,18 +118,11 @@
// The following example declares a `Sidecar` configuration in the
// `prod-us1` namespace for all pods with labels `app: ratings`
// belonging to the `ratings.prod-us1` service. The workload accepts
// inbound HTTP traffic on port 9080 without any authentication, and
// HTTPS traffic on port 9443 with one-way TLS termination using
// custom certificates. _To accomplish custom TLS termination on this
// workload, the `PeerAuthentication` security policy must be declared
// to disable Istio mutual TLS on these two ports. Any other
// auto-generated listener for this workload will still obey the
// mutual TLS termination requirements set forth in the
// PeerAuthentication policy_. The traffic is then forwarded to the
// attached workload instance listening on a Unix domain socket. In
// the egress direction, in addition to the `istio-system` namespace,
// the sidecar proxies only HTTP traffic bound for port 9080 for
// services in the `prod-us1` namespace.
// inbound HTTP traffic on port 9080. The traffic is then forwarded to
// the attached workload instance listening on a Unix domain
// socket. In the egress direction, in addition to the `istio-system`
// namespace, the sidecar proxies only HTTP traffic bound for port
// 9080 for services in the `prod-us1` namespace.
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
@ -149,15 +142,6 @@
// protocol: HTTP
// name: somename
// defaultEndpoint: unix:///var/run/someuds.sock
// - port:
// number: 9443
// protocol: HTTPS
// name: httpsport
// inboundTls:
// mode: SIMPLE # overrides namespace default
// serverCertificate: /etc/certs/servercert.pem
// privateKey: /etc/certs/privatekey.pem
// defaultEndpoint: unix:///var/run/someuds.sock
// egress:
// - port:
// number: 9080
@ -187,15 +171,6 @@
// protocol: HTTP
// name: somename
// defaultEndpoint: unix:///var/run/someuds.sock
// - port:
// number: 9443
// protocol: HTTPS
// name: httpsport
// inboundTls:
// mode: SIMPLE # overrides namespace default
// serverCertificate: /etc/certs/servercert.pem
// privateKey: /etc/certs/privatekey.pem
// defaultEndpoint: unix:///var/run/someuds.sock
// egress:
// - port:
// number: 9080
@ -209,80 +184,6 @@
// {{</tab>}}
// {{</tabset>}}
//
// and the associated PeerAuthentication security policy to ensure
// that mutual TLS based authentication is not configured for ports
// 9080 and 9443:
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
// name: ratings-istio-mtls-exception
// namespace: prod-us1
// spec:
// selector:
// matchLabels:
// app: ratings
// # other ports inherit the settings from namespace-wide policy.
// portLevelMtls:
// 9080:
// mode: DISABLE
// 9443:
// mode: DISABLE
// ```
//
// and the associated DestinationRule to ensure that the clients use
// the appropriate TLS settings:
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: DestinationRule
// metadata:
// name: ratings-istio-mtls-exception
// namespace: prod-us1
// spec:
// host: ratings.prod-us1.svc.cluster.local
// trafficPolicy:
// portLevelSettings:
// - port:
// number: 9080
// tls:
// mode: DISABLE
// - port:
// number: 9443
// tls:
// mode: SIMPLE
// caCertificates: /etc/certs/ca-certs.pem
// ```
//
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: DestinationRule
// metadata:
// name: ratings-istio-mtls-exception
// namespace: prod-us1
// spec:
// host: ratings.prod-us1.svc.cluster.local
// trafficPolicy:
// portLevelSettings:
// - port:
// number: 9080
// tls:
// mode: DISABLE
// - port:
// number: 9443
// tls:
// mode: SIMPLE
// caCertificates: /etc/certs/ca-certs.pem
// ```
// {{</tab>}}
// {{</tabset>}}
//
// If the workload is deployed without IPTables-based traffic capture,
// the `Sidecar` configuration is the only way to configure the ports
// on the proxy attached to the workload instance. The following


@ -118,18 +118,11 @@
// The following example declares a `Sidecar` configuration in the
// `prod-us1` namespace for all pods with labels `app: ratings`
// belonging to the `ratings.prod-us1` service. The workload accepts
// inbound HTTP traffic on port 9080 without any authentication, and
// HTTPS traffic on port 9443 with one-way TLS termination using
// custom certificates. _To accomplish custom TLS termination on this
// workload, the `PeerAuthentication` security policy must be declared
// to disable Istio mutual TLS on these two ports. Any other
// auto-generated listener for this workload will still obey the
// mutual TLS termination requirements set forth in the
// PeerAuthentication policy_. The traffic is then forwarded to the
// attached workload instance listening on a Unix domain socket. In
// the egress direction, in addition to the `istio-system` namespace,
// the sidecar proxies only HTTP traffic bound for port 9080 for
// services in the `prod-us1` namespace.
// inbound HTTP traffic on port 9080. The traffic is then forwarded to
// the attached workload instance listening on a Unix domain
// socket. In the egress direction, in addition to the `istio-system`
// namespace, the sidecar proxies only HTTP traffic bound for port
// 9080 for services in the `prod-us1` namespace.
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
@ -149,15 +142,6 @@
// protocol: HTTP
// name: somename
// defaultEndpoint: unix:///var/run/someuds.sock
// - port:
// number: 9443
// protocol: HTTPS
// name: httpsport
// inboundTls:
// mode: SIMPLE # overrides namespace default
// serverCertificate: /etc/certs/servercert.pem
// privateKey: /etc/certs/privatekey.pem
// defaultEndpoint: unix:///var/run/someuds.sock
// egress:
// - port:
// number: 9080
@ -187,15 +171,6 @@
// protocol: HTTP
// name: somename
// defaultEndpoint: unix:///var/run/someuds.sock
// - port:
// number: 9443
// protocol: HTTPS
// name: httpsport
// inboundTls:
// mode: SIMPLE # overrides namespace default
// serverCertificate: /etc/certs/servercert.pem
// privateKey: /etc/certs/privatekey.pem
// defaultEndpoint: unix:///var/run/someuds.sock
// egress:
// - port:
// number: 9080
@ -209,80 +184,6 @@
// {{</tab>}}
// {{</tabset>}}
//
// and the associated PeerAuthentication security policy to ensure
// that mutual TLS based authentication is not configured for ports
// 9080 and 9443:
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
// name: ratings-istio-mtls-exception
// namespace: prod-us1
// spec:
// selector:
// matchLabels:
// app: ratings
// # other ports inherit the settings from namespace-wide policy.
// portLevelMtls:
// 9080:
// mode: DISABLE
// 9443:
// mode: DISABLE
// ```
//
// and the associated DestinationRule to ensure that the clients use
// the appropriate TLS settings:
//
// {{<tabset category-name="example">}}
// {{<tab name="v1alpha3" category-value="v1alpha3">}}
// ```yaml
// apiVersion: networking.istio.io/v1alpha3
// kind: DestinationRule
// metadata:
// name: ratings-istio-mtls-exception
// namespace: prod-us1
// spec:
// host: ratings.prod-us1.svc.cluster.local
// trafficPolicy:
// portLevelSettings:
// - port:
// number: 9080
// tls:
// mode: DISABLE
// - port:
// number: 9443
// tls:
// mode: SIMPLE
// caCertificates: /etc/certs/ca-certs.pem
// ```
//
// {{</tab>}}
//
// {{<tab name="v1beta1" category-value="v1beta1">}}
// ```yaml
// apiVersion: networking.istio.io/v1beta1
// kind: DestinationRule
// metadata:
// name: ratings-istio-mtls-exception
// namespace: prod-us1
// spec:
// host: ratings.prod-us1.svc.cluster.local
// trafficPolicy:
// portLevelSettings:
// - port:
// number: 9080
// tls:
// mode: DISABLE
// - port:
// number: 9443
// tls:
// mode: SIMPLE
// caCertificates: /etc/certs/ca-certs.pem
// ```
// {{</tab>}}
// {{</tabset>}}
//
// If the workload is deployed without IPTables-based traffic capture,
// the `Sidecar` configuration is the only way to configure the ports
// on the proxy attached to the workload instance. The following


@ -36595,6 +36595,11 @@
"id": 23,
"name": "envoy_metrics_service",
"type": "RemoteService"
},
{
"id": 26,
"name": "status_port",
"type": "int32"
}
],
"maps": [
@ -40157,11 +40162,6 @@
"id": 4,
"name": "outbound_traffic_policy",
"type": "OutboundTrafficPolicy"
},
{
"id": 5,
"name": "inbound_tls",
"type": "Server.TLSOptions"
}
]
},
@ -40199,11 +40199,6 @@
"value": "REQUIRED"
}
]
},
{
"id": 5,
"name": "inbound_tls",
"type": "Server.TLSOptions"
}
]
},
@ -42098,11 +42093,6 @@
"id": 4,
"name": "outbound_traffic_policy",
"type": "OutboundTrafficPolicy"
},
{
"id": 5,
"name": "inbound_tls",
"type": "Server.TLSOptions"
}
]
},
@ -42140,11 +42130,6 @@
"value": "REQUIRED"
}
]
},
{
"id": 5,
"name": "inbound_tls",
"type": "Server.TLSOptions"
}
]
},


@ -24,7 +24,7 @@ DESCRIPTOR = _descriptor.FileDescriptor(
package='istio.networking.v1alpha3',
syntax='proto3',
serialized_options=_b('Z istio.io/api/networking/v1alpha3'),
serialized_pb=_b('\n!networking/v1alpha3/sidecar.proto\x12\x19istio.networking.v1alpha3\x1a\x1fgoogle/api/field_behavior.proto\x1a!networking/v1alpha3/gateway.proto\x1a)networking/v1alpha3/virtual_service.proto\"\xe9\x02\n\x07Sidecar\x12\x46\n\x11workload_selector\x18\x01 \x01(\x0b\x32+.istio.networking.v1alpha3.WorkloadSelector\x12@\n\x07ingress\x18\x02 \x03(\x0b\x32/.istio.networking.v1alpha3.IstioIngressListener\x12>\n\x06\x65gress\x18\x03 \x03(\x0b\x32..istio.networking.v1alpha3.IstioEgressListener\x12Q\n\x17outbound_traffic_policy\x18\x04 \x01(\x0b\x32\x30.istio.networking.v1alpha3.OutboundTrafficPolicy\x12\x41\n\x0binbound_tls\x18\x05 \x01(\x0b\x32,.istio.networking.v1alpha3.Server.TLSOptions\"\xf8\x01\n\x14IstioIngressListener\x12\x32\n\x04port\x18\x01 \x01(\x0b\x32\x1f.istio.networking.v1alpha3.PortB\x03\xe0\x41\x02\x12\x0c\n\x04\x62ind\x18\x02 \x01(\t\x12<\n\x0c\x63\x61pture_mode\x18\x03 \x01(\x0e\x32&.istio.networking.v1alpha3.CaptureMode\x12\x1d\n\x10\x64\x65\x66\x61ult_endpoint\x18\x04 \x01(\tB\x03\xe0\x41\x02\x12\x41\n\x0binbound_tls\x18\x05 \x01(\x0b\x32,.istio.networking.v1alpha3.Server.TLSOptions\"\xa4\x01\n\x13IstioEgressListener\x12-\n\x04port\x18\x01 \x01(\x0b\x32\x1f.istio.networking.v1alpha3.Port\x12\x0c\n\x04\x62ind\x18\x02 \x01(\t\x12<\n\x0c\x63\x61pture_mode\x18\x03 \x01(\x0e\x32&.istio.networking.v1alpha3.CaptureMode\x12\x12\n\x05hosts\x18\x04 \x03(\tB\x03\xe0\x41\x02\"\x8f\x01\n\x10WorkloadSelector\x12L\n\x06labels\x18\x01 \x03(\x0b\x32\x37.istio.networking.v1alpha3.WorkloadSelector.LabelsEntryB\x03\xe0\x41\x02\x1a-\n\x0bLabelsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\xc4\x01\n\x15OutboundTrafficPolicy\x12\x43\n\x04mode\x18\x01 \x01(\x0e\x32\x35.istio.networking.v1alpha3.OutboundTrafficPolicy.Mode\x12<\n\x0c\x65gress_proxy\x18\x02 
\x01(\x0b\x32&.istio.networking.v1alpha3.Destination\"(\n\x04Mode\x12\x11\n\rREGISTRY_ONLY\x10\x00\x12\r\n\tALLOW_ANY\x10\x01*2\n\x0b\x43\x61ptureMode\x12\x0b\n\x07\x44\x45\x46\x41ULT\x10\x00\x12\x0c\n\x08IPTABLES\x10\x01\x12\x08\n\x04NONE\x10\x02\x42\"Z istio.io/api/networking/v1alpha3b\x06proto3')
serialized_pb=_b('\n!networking/v1alpha3/sidecar.proto\x12\x19istio.networking.v1alpha3\x1a\x1fgoogle/api/field_behavior.proto\x1a!networking/v1alpha3/gateway.proto\x1a)networking/v1alpha3/virtual_service.proto\"\xa6\x02\n\x07Sidecar\x12\x46\n\x11workload_selector\x18\x01 \x01(\x0b\x32+.istio.networking.v1alpha3.WorkloadSelector\x12@\n\x07ingress\x18\x02 \x03(\x0b\x32/.istio.networking.v1alpha3.IstioIngressListener\x12>\n\x06\x65gress\x18\x03 \x03(\x0b\x32..istio.networking.v1alpha3.IstioEgressListener\x12Q\n\x17outbound_traffic_policy\x18\x04 \x01(\x0b\x32\x30.istio.networking.v1alpha3.OutboundTrafficPolicy\"\xb5\x01\n\x14IstioIngressListener\x12\x32\n\x04port\x18\x01 \x01(\x0b\x32\x1f.istio.networking.v1alpha3.PortB\x03\xe0\x41\x02\x12\x0c\n\x04\x62ind\x18\x02 \x01(\t\x12<\n\x0c\x63\x61pture_mode\x18\x03 \x01(\x0e\x32&.istio.networking.v1alpha3.CaptureMode\x12\x1d\n\x10\x64\x65\x66\x61ult_endpoint\x18\x04 \x01(\tB\x03\xe0\x41\x02\"\xa4\x01\n\x13IstioEgressListener\x12-\n\x04port\x18\x01 \x01(\x0b\x32\x1f.istio.networking.v1alpha3.Port\x12\x0c\n\x04\x62ind\x18\x02 \x01(\t\x12<\n\x0c\x63\x61pture_mode\x18\x03 \x01(\x0e\x32&.istio.networking.v1alpha3.CaptureMode\x12\x12\n\x05hosts\x18\x04 \x03(\tB\x03\xe0\x41\x02\"\x8f\x01\n\x10WorkloadSelector\x12L\n\x06labels\x18\x01 \x03(\x0b\x32\x37.istio.networking.v1alpha3.WorkloadSelector.LabelsEntryB\x03\xe0\x41\x02\x1a-\n\x0bLabelsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\xc4\x01\n\x15OutboundTrafficPolicy\x12\x43\n\x04mode\x18\x01 \x01(\x0e\x32\x35.istio.networking.v1alpha3.OutboundTrafficPolicy.Mode\x12<\n\x0c\x65gress_proxy\x18\x02 \x01(\x0b\x32&.istio.networking.v1alpha3.Destination\"(\n\x04Mode\x12\x11\n\rREGISTRY_ONLY\x10\x00\x12\r\n\tALLOW_ANY\x10\x01*2\n\x0b\x43\x61ptureMode\x12\x0b\n\x07\x44\x45\x46\x41ULT\x10\x00\x12\x0c\n\x08IPTABLES\x10\x01\x12\x08\n\x04NONE\x10\x02\x42\"Z istio.io/api/networking/v1alpha3b\x06proto3')
,
dependencies=[google_dot_api_dot_field__behavior__pb2.DESCRIPTOR,networking_dot_v1alpha3_dot_gateway__pb2.DESCRIPTOR,networking_dot_v1alpha3_dot_virtual__service__pb2.DESCRIPTOR,])
@ -49,8 +49,8 @@ _CAPTUREMODE = _descriptor.EnumDescriptor(
],
containing_type=None,
serialized_options=None,
serialized_start=1302,
serialized_end=1352,
serialized_start=1168,
serialized_end=1218,
)
_sym_db.RegisterEnumDescriptor(_CAPTUREMODE)
@ -77,8 +77,8 @@ _OUTBOUNDTRAFFICPOLICY_MODE = _descriptor.EnumDescriptor(
],
containing_type=None,
serialized_options=None,
serialized_start=1260,
serialized_end=1300,
serialized_start=1126,
serialized_end=1166,
)
_sym_db.RegisterEnumDescriptor(_OUTBOUNDTRAFFICPOLICY_MODE)
@ -118,13 +118,6 @@ _SIDECAR = _descriptor.Descriptor(
message_type=None, enum_type=None, containing_type=None,
is_extension=False, extension_scope=None,
serialized_options=None, file=DESCRIPTOR),
_descriptor.FieldDescriptor(
name='inbound_tls', full_name='istio.networking.v1alpha3.Sidecar.inbound_tls', index=4,
number=5, type=11, cpp_type=10, label=1,
has_default_value=False, default_value=None,
message_type=None, enum_type=None, containing_type=None,
is_extension=False, extension_scope=None,
serialized_options=None, file=DESCRIPTOR),
],
extensions=[
],
@ -138,7 +131,7 @@ _SIDECAR = _descriptor.Descriptor(
oneofs=[
],
serialized_start=176,
serialized_end=537,
serialized_end=470,
)
@ -177,13 +170,6 @@ _ISTIOINGRESSLISTENER = _descriptor.Descriptor(
message_type=None, enum_type=None, containing_type=None,
is_extension=False, extension_scope=None,
serialized_options=_b('\340A\002'), file=DESCRIPTOR),
_descriptor.FieldDescriptor(
name='inbound_tls', full_name='istio.networking.v1alpha3.IstioIngressListener.inbound_tls', index=4,
number=5, type=11, cpp_type=10, label=1,
has_default_value=False, default_value=None,
message_type=None, enum_type=None, containing_type=None,
is_extension=False, extension_scope=None,
serialized_options=None, file=DESCRIPTOR),
],
extensions=[
],
@ -196,8 +182,8 @@ _ISTIOINGRESSLISTENER = _descriptor.Descriptor(
extension_ranges=[],
oneofs=[
],
serialized_start=540,
serialized_end=788,
serialized_start=473,
serialized_end=654,
)
@ -248,8 +234,8 @@ _ISTIOEGRESSLISTENER = _descriptor.Descriptor(
extension_ranges=[],
oneofs=[
],
serialized_start=791,
serialized_end=955,
serialized_start=657,
serialized_end=821,
)
@ -286,8 +272,8 @@ _WORKLOADSELECTOR_LABELSENTRY = _descriptor.Descriptor(
extension_ranges=[],
oneofs=[
],
serialized_start=1056,
serialized_end=1101,
serialized_start=922,
serialized_end=967,
)
_WORKLOADSELECTOR = _descriptor.Descriptor(
@ -316,8 +302,8 @@ _WORKLOADSELECTOR = _descriptor.Descriptor(
extension_ranges=[],
oneofs=[
],
serialized_start=958,
serialized_end=1101,
serialized_start=824,
serialized_end=967,
)
@ -355,18 +341,16 @@ _OUTBOUNDTRAFFICPOLICY = _descriptor.Descriptor(
extension_ranges=[],
oneofs=[
],
serialized_start=1104,
serialized_end=1300,
serialized_start=970,
serialized_end=1166,
)
_SIDECAR.fields_by_name['workload_selector'].message_type = _WORKLOADSELECTOR
_SIDECAR.fields_by_name['ingress'].message_type = _ISTIOINGRESSLISTENER
_SIDECAR.fields_by_name['egress'].message_type = _ISTIOEGRESSLISTENER
_SIDECAR.fields_by_name['outbound_traffic_policy'].message_type = _OUTBOUNDTRAFFICPOLICY
_SIDECAR.fields_by_name['inbound_tls'].message_type = networking_dot_v1alpha3_dot_gateway__pb2._SERVER_TLSOPTIONS
_ISTIOINGRESSLISTENER.fields_by_name['port'].message_type = networking_dot_v1alpha3_dot_gateway__pb2._PORT
_ISTIOINGRESSLISTENER.fields_by_name['capture_mode'].enum_type = _CAPTUREMODE
_ISTIOINGRESSLISTENER.fields_by_name['inbound_tls'].message_type = networking_dot_v1alpha3_dot_gateway__pb2._SERVER_TLSOPTIONS
_ISTIOEGRESSLISTENER.fields_by_name['port'].message_type = networking_dot_v1alpha3_dot_gateway__pb2._PORT
_ISTIOEGRESSLISTENER.fields_by_name['capture_mode'].enum_type = _CAPTUREMODE
_WORKLOADSELECTOR_LABELSENTRY.containing_type = _WORKLOADSELECTOR


@ -24,7 +24,7 @@ DESCRIPTOR = _descriptor.FileDescriptor(
package='istio.networking.v1beta1',
syntax='proto3',
serialized_options=_b('Z\037istio.io/api/networking/v1beta1'),
serialized_pb=_b('\n networking/v1beta1/sidecar.proto\x12\x18istio.networking.v1beta1\x1a\x1fgoogle/api/field_behavior.proto\x1a networking/v1beta1/gateway.proto\x1a(networking/v1beta1/virtual_service.proto\"\xe4\x02\n\x07Sidecar\x12\x45\n\x11workload_selector\x18\x01 \x01(\x0b\x32*.istio.networking.v1beta1.WorkloadSelector\x12?\n\x07ingress\x18\x02 \x03(\x0b\x32..istio.networking.v1beta1.IstioIngressListener\x12=\n\x06\x65gress\x18\x03 \x03(\x0b\x32-.istio.networking.v1beta1.IstioEgressListener\x12P\n\x17outbound_traffic_policy\x18\x04 \x01(\x0b\x32/.istio.networking.v1beta1.OutboundTrafficPolicy\x12@\n\x0binbound_tls\x18\x05 \x01(\x0b\x32+.istio.networking.v1beta1.Server.TLSOptions\"\xf5\x01\n\x14IstioIngressListener\x12\x31\n\x04port\x18\x01 \x01(\x0b\x32\x1e.istio.networking.v1beta1.PortB\x03\xe0\x41\x02\x12\x0c\n\x04\x62ind\x18\x02 \x01(\t\x12;\n\x0c\x63\x61pture_mode\x18\x03 \x01(\x0e\x32%.istio.networking.v1beta1.CaptureMode\x12\x1d\n\x10\x64\x65\x66\x61ult_endpoint\x18\x04 \x01(\tB\x03\xe0\x41\x02\x12@\n\x0binbound_tls\x18\x05 \x01(\x0b\x32+.istio.networking.v1beta1.Server.TLSOptions\"\xa2\x01\n\x13IstioEgressListener\x12,\n\x04port\x18\x01 \x01(\x0b\x32\x1e.istio.networking.v1beta1.Port\x12\x0c\n\x04\x62ind\x18\x02 \x01(\t\x12;\n\x0c\x63\x61pture_mode\x18\x03 \x01(\x0e\x32%.istio.networking.v1beta1.CaptureMode\x12\x12\n\x05hosts\x18\x04 \x03(\tB\x03\xe0\x41\x02\"\x8e\x01\n\x10WorkloadSelector\x12K\n\x06labels\x18\x01 \x03(\x0b\x32\x36.istio.networking.v1beta1.WorkloadSelector.LabelsEntryB\x03\xe0\x41\x02\x1a-\n\x0bLabelsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\xc2\x01\n\x15OutboundTrafficPolicy\x12\x42\n\x04mode\x18\x01 \x01(\x0e\x32\x34.istio.networking.v1beta1.OutboundTrafficPolicy.Mode\x12;\n\x0c\x65gress_proxy\x18\x02 
\x01(\x0b\x32%.istio.networking.v1beta1.Destination\"(\n\x04Mode\x12\x11\n\rREGISTRY_ONLY\x10\x00\x12\r\n\tALLOW_ANY\x10\x01*2\n\x0b\x43\x61ptureMode\x12\x0b\n\x07\x44\x45\x46\x41ULT\x10\x00\x12\x0c\n\x08IPTABLES\x10\x01\x12\x08\n\x04NONE\x10\x02\x42!Z\x1fistio.io/api/networking/v1beta1b\x06proto3')
serialized_pb=_b('\n networking/v1beta1/sidecar.proto\x12\x18istio.networking.v1beta1\x1a\x1fgoogle/api/field_behavior.proto\x1a networking/v1beta1/gateway.proto\x1a(networking/v1beta1/virtual_service.proto\"\xa2\x02\n\x07Sidecar\x12\x45\n\x11workload_selector\x18\x01 \x01(\x0b\x32*.istio.networking.v1beta1.WorkloadSelector\x12?\n\x07ingress\x18\x02 \x03(\x0b\x32..istio.networking.v1beta1.IstioIngressListener\x12=\n\x06\x65gress\x18\x03 \x03(\x0b\x32-.istio.networking.v1beta1.IstioEgressListener\x12P\n\x17outbound_traffic_policy\x18\x04 \x01(\x0b\x32/.istio.networking.v1beta1.OutboundTrafficPolicy\"\xb3\x01\n\x14IstioIngressListener\x12\x31\n\x04port\x18\x01 \x01(\x0b\x32\x1e.istio.networking.v1beta1.PortB\x03\xe0\x41\x02\x12\x0c\n\x04\x62ind\x18\x02 \x01(\t\x12;\n\x0c\x63\x61pture_mode\x18\x03 \x01(\x0e\x32%.istio.networking.v1beta1.CaptureMode\x12\x1d\n\x10\x64\x65\x66\x61ult_endpoint\x18\x04 \x01(\tB\x03\xe0\x41\x02\"\xa2\x01\n\x13IstioEgressListener\x12,\n\x04port\x18\x01 \x01(\x0b\x32\x1e.istio.networking.v1beta1.Port\x12\x0c\n\x04\x62ind\x18\x02 \x01(\t\x12;\n\x0c\x63\x61pture_mode\x18\x03 \x01(\x0e\x32%.istio.networking.v1beta1.CaptureMode\x12\x12\n\x05hosts\x18\x04 \x03(\tB\x03\xe0\x41\x02\"\x8e\x01\n\x10WorkloadSelector\x12K\n\x06labels\x18\x01 \x03(\x0b\x32\x36.istio.networking.v1beta1.WorkloadSelector.LabelsEntryB\x03\xe0\x41\x02\x1a-\n\x0bLabelsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"\xc2\x01\n\x15OutboundTrafficPolicy\x12\x42\n\x04mode\x18\x01 \x01(\x0e\x32\x34.istio.networking.v1beta1.OutboundTrafficPolicy.Mode\x12;\n\x0c\x65gress_proxy\x18\x02 \x01(\x0b\x32%.istio.networking.v1beta1.Destination\"(\n\x04Mode\x12\x11\n\rREGISTRY_ONLY\x10\x00\x12\r\n\tALLOW_ANY\x10\x01*2\n\x0b\x43\x61ptureMode\x12\x0b\n\x07\x44\x45\x46\x41ULT\x10\x00\x12\x0c\n\x08IPTABLES\x10\x01\x12\x08\n\x04NONE\x10\x02\x42!Z\x1fistio.io/api/networking/v1beta1b\x06proto3')
,
dependencies=[google_dot_api_dot_field__behavior__pb2.DESCRIPTOR,networking_dot_v1beta1_dot_gateway__pb2.DESCRIPTOR,networking_dot_v1beta1_dot_virtual__service__pb2.DESCRIPTOR,])
@ -49,8 +49,8 @@ _CAPTUREMODE = _descriptor.EnumDescriptor(
],
containing_type=None,
serialized_options=None,
serialized_start=1285,
serialized_end=1335,
serialized_start=1153,
serialized_end=1203,
)
_sym_db.RegisterEnumDescriptor(_CAPTUREMODE)
@ -77,8 +77,8 @@ _OUTBOUNDTRAFFICPOLICY_MODE = _descriptor.EnumDescriptor(
],
containing_type=None,
serialized_options=None,
serialized_start=1243,
serialized_end=1283,
serialized_start=1111,
serialized_end=1151,
)
_sym_db.RegisterEnumDescriptor(_OUTBOUNDTRAFFICPOLICY_MODE)
@ -118,13 +118,6 @@ _SIDECAR = _descriptor.Descriptor(
message_type=None, enum_type=None, containing_type=None,
is_extension=False, extension_scope=None,
serialized_options=None, file=DESCRIPTOR),
_descriptor.FieldDescriptor(
name='inbound_tls', full_name='istio.networking.v1beta1.Sidecar.inbound_tls', index=4,
number=5, type=11, cpp_type=10, label=1,
has_default_value=False, default_value=None,
message_type=None, enum_type=None, containing_type=None,
is_extension=False, extension_scope=None,
serialized_options=None, file=DESCRIPTOR),
],
extensions=[
],
@ -138,7 +131,7 @@ _SIDECAR = _descriptor.Descriptor(
oneofs=[
],
serialized_start=172,
serialized_end=528,
serialized_end=462,
)
@ -177,13 +170,6 @@ _ISTIOINGRESSLISTENER = _descriptor.Descriptor(
message_type=None, enum_type=None, containing_type=None,
is_extension=False, extension_scope=None,
serialized_options=_b('\340A\002'), file=DESCRIPTOR),
_descriptor.FieldDescriptor(
name='inbound_tls', full_name='istio.networking.v1beta1.IstioIngressListener.inbound_tls', index=4,
number=5, type=11, cpp_type=10, label=1,
has_default_value=False, default_value=None,
message_type=None, enum_type=None, containing_type=None,
is_extension=False, extension_scope=None,
serialized_options=None, file=DESCRIPTOR),
],
extensions=[
],
@ -196,8 +182,8 @@ _ISTIOINGRESSLISTENER = _descriptor.Descriptor(
extension_ranges=[],
oneofs=[
],
serialized_start=531,
serialized_end=776,
serialized_start=465,
serialized_end=644,
)
@ -248,8 +234,8 @@ _ISTIOEGRESSLISTENER = _descriptor.Descriptor(
extension_ranges=[],
oneofs=[
],
serialized_start=779,
serialized_end=941,
serialized_start=647,
serialized_end=809,
)
@ -286,8 +272,8 @@ _WORKLOADSELECTOR_LABELSENTRY = _descriptor.Descriptor(
extension_ranges=[],
oneofs=[
],
serialized_start=1041,
serialized_end=1086,
serialized_start=909,
serialized_end=954,
)
_WORKLOADSELECTOR = _descriptor.Descriptor(
@ -316,8 +302,8 @@ _WORKLOADSELECTOR = _descriptor.Descriptor(
extension_ranges=[],
oneofs=[
],
serialized_start=944,
serialized_end=1086,
serialized_start=812,
serialized_end=954,
)
@ -355,18 +341,16 @@ _OUTBOUNDTRAFFICPOLICY = _descriptor.Descriptor(
extension_ranges=[],
oneofs=[
],
serialized_start=1089,
serialized_end=1283,
serialized_start=957,
serialized_end=1151,
)
_SIDECAR.fields_by_name['workload_selector'].message_type = _WORKLOADSELECTOR
_SIDECAR.fields_by_name['ingress'].message_type = _ISTIOINGRESSLISTENER
_SIDECAR.fields_by_name['egress'].message_type = _ISTIOEGRESSLISTENER
_SIDECAR.fields_by_name['outbound_traffic_policy'].message_type = _OUTBOUNDTRAFFICPOLICY
_SIDECAR.fields_by_name['inbound_tls'].message_type = networking_dot_v1beta1_dot_gateway__pb2._SERVER_TLSOPTIONS
_ISTIOINGRESSLISTENER.fields_by_name['port'].message_type = networking_dot_v1beta1_dot_gateway__pb2._PORT
_ISTIOINGRESSLISTENER.fields_by_name['capture_mode'].enum_type = _CAPTUREMODE
_ISTIOINGRESSLISTENER.fields_by_name['inbound_tls'].message_type = networking_dot_v1beta1_dot_gateway__pb2._SERVER_TLSOPTIONS
_ISTIOEGRESSLISTENER.fields_by_name['port'].message_type = networking_dot_v1beta1_dot_gateway__pb2._PORT
_ISTIOEGRESSLISTENER.fields_by_name['capture_mode'].enum_type = _CAPTUREMODE
_WORKLOADSELECTOR_LABELSENTRY.containing_type = _WORKLOADSELECTOR