diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml
index fae0c2b7..2c37d65f 100644
--- a/kubernetes/customresourcedefinitions.gen.yaml
+++ b/kubernetes/customresourcedefinitions.gen.yaml
@@ -8056,6 +8056,79 @@ spec: singular: peerauthentication scope: Namespaced versions: + - additionalPrinterColumns: + - description: Defines the mTLS mode used for peer authentication. + jsonPath: .spec.mtls.mode + name: Mode + type: string + - description: 'CreationTimestamp is a timestamp representing the server time + when this object was created. It is not guaranteed to be set in happens-before + order across separate operations. Clients may not set this value. It is represented + in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for + lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' + jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + description: 'Peer authentication configuration for workloads. See more + details at: https://istio.io/docs/reference/config/security/peer_authentication.html' + properties: + mtls: + description: Mutual TLS settings for workload. + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + portLevelMtls: + additionalProperties: + properties: + mode: + description: |- + Defines the mTLS mode used for peer authentication. + + Valid Options: DISABLE, PERMISSIVE, STRICT + enum: + - UNSET + - DISABLE + - PERMISSIVE + - STRICT + type: string + type: object + description: Port specific mutual TLS settings. + type: object + selector: + description: The selector determines the workloads to apply the PeerAuthentication + on. + properties: + matchLabels: + additionalProperties: + type: string + description: One or more labels that indicate a specific set of + pods/VMs on which a policy should be applied. 
+ type: object + type: object + type: object + status: + type: object + x-kubernetes-preserve-unknown-fields: true + type: object + served: true + storage: false + subresources: + status: {} - additionalPrinterColumns: - description: Defines the mTLS mode used for peer authentication. jsonPath: .spec.mtls.mode diff --git a/releasenotes/notes/promote-peer-auth-v1.yaml b/releasenotes/notes/promote-peer-auth-v1.yaml new file mode 100644 index 00000000..1dc35382 --- /dev/null +++ b/releasenotes/notes/promote-peer-auth-v1.yaml @@ -0,0 +1,6 @@ +apiVersion: release-notes/v2 +kind: feature +area: security +releaseNotes: + - | + **Promoted** PeerAuthentication API to v1. \ No newline at end of file diff --git a/security/v1/peer_authentication.pb.go b/security/v1/peer_authentication.pb.go new file mode 100644 index 00000000..3be5b45c --- /dev/null +++ b/security/v1/peer_authentication.pb.go 
@@ -0,0 +1,476 @@ +// Copyright 2020 Istio Authors +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Code generated by protoc-gen-go. DO NOT EDIT. +// versions: +// protoc-gen-go v1.33.0 +// protoc (unknown) +// source: security/v1/peer_authentication.proto + +// $schema: istio.security.v1.PeerAuthentication +// $title: PeerAuthentication +// $description: Peer authentication configuration for workloads. +// $location: https://istio.io/docs/reference/config/security/peer_authentication.html +// $aliases: [/docs/reference/config/security/v1/peer_authentication] +// $mode: none + +package v1 + +import ( + protoreflect "google.golang.org/protobuf/reflect/protoreflect" + protoimpl "google.golang.org/protobuf/runtime/protoimpl" + v1beta1 "istio.io/api/type/v1beta1" + reflect "reflect" + sync "sync" +) + +const ( + // Verify that this generated code is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(20 - protoimpl.MinVersion) + // Verify that runtime/protoimpl is sufficiently up-to-date. + _ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20) +) + +type PeerAuthentication_MutualTLS_Mode int32 + +const ( + // Inherit from parent, if has one. Otherwise treated as `PERMISSIVE`. + PeerAuthentication_MutualTLS_UNSET PeerAuthentication_MutualTLS_Mode = 0 + // Connection is not tunneled. + PeerAuthentication_MutualTLS_DISABLE PeerAuthentication_MutualTLS_Mode = 1 + // Connection can be either plaintext or mTLS tunnel. 
+ PeerAuthentication_MutualTLS_PERMISSIVE PeerAuthentication_MutualTLS_Mode = 2 + // Connection is an mTLS tunnel (TLS with client cert must be presented). + PeerAuthentication_MutualTLS_STRICT PeerAuthentication_MutualTLS_Mode = 3 +) + +// Enum value maps for PeerAuthentication_MutualTLS_Mode. +var ( + PeerAuthentication_MutualTLS_Mode_name = map[int32]string{ + 0: "UNSET", + 1: "DISABLE", + 2: "PERMISSIVE", + 3: "STRICT", + } + PeerAuthentication_MutualTLS_Mode_value = map[string]int32{ + "UNSET": 0, + "DISABLE": 1, + "PERMISSIVE": 2, + "STRICT": 3, + } +) + +func (x PeerAuthentication_MutualTLS_Mode) Enum() *PeerAuthentication_MutualTLS_Mode { + p := new(PeerAuthentication_MutualTLS_Mode) + *p = x + return p +} + +func (x PeerAuthentication_MutualTLS_Mode) String() string { + return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x)) +} + +func (PeerAuthentication_MutualTLS_Mode) Descriptor() protoreflect.EnumDescriptor { + return file_security_v1_peer_authentication_proto_enumTypes[0].Descriptor() +} + +func (PeerAuthentication_MutualTLS_Mode) Type() protoreflect.EnumType { + return &file_security_v1_peer_authentication_proto_enumTypes[0] +} + +func (x PeerAuthentication_MutualTLS_Mode) Number() protoreflect.EnumNumber { + return protoreflect.EnumNumber(x) +} + +// Deprecated: Use PeerAuthentication_MutualTLS_Mode.Descriptor instead. +func (PeerAuthentication_MutualTLS_Mode) EnumDescriptor() ([]byte, []int) { + return file_security_v1_peer_authentication_proto_rawDescGZIP(), []int{0, 0, 0} +} + +// PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar. 
+// +// Examples: +// +// Policy to allow mTLS traffic for all workloads under namespace `foo`: +// ```yaml +// apiVersion: security.istio.io/v1 +// kind: PeerAuthentication +// metadata: +// +// name: default +// namespace: foo +// +// spec: +// +// mtls: +// mode: STRICT +// +// ``` +// For mesh level, put the policy in root-namespace according to your Istio installation. +// +// Policies to allow both mTLS and plaintext traffic for all workloads under namespace `foo`, but +// require mTLS for workload `finance`. +// ```yaml +// apiVersion: security.istio.io/v1 +// kind: PeerAuthentication +// metadata: +// +// name: default +// namespace: foo +// +// spec: +// +// mtls: +// mode: PERMISSIVE +// +// --- +// apiVersion: security.istio.io/v1 +// kind: PeerAuthentication +// metadata: +// +// name: finance +// namespace: foo +// +// spec: +// +// selector: +// matchLabels: +// app: finance +// mtls: +// mode: STRICT +// +// ``` +// Policy that enables strict mTLS for all workloads, but leaves the port `8080` to +// plaintext. Note the port value in the `portLevelMtls` field refers to the port +// of the workload, not the port of the Kubernetes service. +// ```yaml +// apiVersion: security.istio.io/v1 +// kind: PeerAuthentication +// metadata: +// +// name: default +// namespace: foo +// +// spec: +// +// selector: +// matchLabels: +// app: finance +// mtls: +// mode: STRICT +// portLevelMtls: +// 8080: +// mode: DISABLE +// +// ``` +// Policy that inherits mTLS mode from namespace (or mesh) settings, and disables +// mTLS for workload port `8080`. 
+// ```yaml +// apiVersion: security.istio.io/v1 +// kind: PeerAuthentication +// metadata: +// +// name: default +// namespace: foo +// +// spec: +// +// selector: +// matchLabels: +// app: finance +// mtls: +// mode: UNSET +// portLevelMtls: +// 8080: +// mode: DISABLE +// +// ``` +// +// +// +// +// +type PeerAuthentication struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // The selector determines the workloads to apply the PeerAuthentication on. The selector will match with workloads in the + // same namespace as the policy. If the policy is in the root namespace, the selector will additionally match with workloads in all namespace. + // + // If not set, the policy will be applied to all workloads in the same namespace as the policy. If it is in the root namespace, it would be applied + // to all workloads in the mesh. + Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"` + // Mutual TLS settings for workload. If not defined, inherit from parent. + Mtls *PeerAuthentication_MutualTLS `protobuf:"bytes,2,opt,name=mtls,proto3" json:"mtls,omitempty"` + // Port specific mutual TLS settings. These only apply when a workload selector + // is specified. The port refers to the port of the workload, not the port of the + // Kubernetes service. 
+ PortLevelMtls map[uint32]*PeerAuthentication_MutualTLS `protobuf:"bytes,3,rep,name=port_level_mtls,json=portLevelMtls,proto3" json:"port_level_mtls,omitempty" protobuf_key:"varint,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` +} + +func (x *PeerAuthentication) Reset() { + *x = PeerAuthentication{} + if protoimpl.UnsafeEnabled { + mi := &file_security_v1_peer_authentication_proto_msgTypes[0] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *PeerAuthentication) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*PeerAuthentication) ProtoMessage() {} + +func (x *PeerAuthentication) ProtoReflect() protoreflect.Message { + mi := &file_security_v1_peer_authentication_proto_msgTypes[0] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use PeerAuthentication.ProtoReflect.Descriptor instead. +func (*PeerAuthentication) Descriptor() ([]byte, []int) { + return file_security_v1_peer_authentication_proto_rawDescGZIP(), []int{0} +} + +func (x *PeerAuthentication) GetSelector() *v1beta1.WorkloadSelector { + if x != nil { + return x.Selector + } + return nil +} + +func (x *PeerAuthentication) GetMtls() *PeerAuthentication_MutualTLS { + if x != nil { + return x.Mtls + } + return nil +} + +func (x *PeerAuthentication) GetPortLevelMtls() map[uint32]*PeerAuthentication_MutualTLS { + if x != nil { + return x.PortLevelMtls + } + return nil +} + +// Mutual TLS settings. +type PeerAuthentication_MutualTLS struct { + state protoimpl.MessageState + sizeCache protoimpl.SizeCache + unknownFields protoimpl.UnknownFields + + // Defines the mTLS mode used for peer authentication. 
+ Mode PeerAuthentication_MutualTLS_Mode `protobuf:"varint,1,opt,name=mode,proto3,enum=istio.security.v1.PeerAuthentication_MutualTLS_Mode" json:"mode,omitempty"` +} + +func (x *PeerAuthentication_MutualTLS) Reset() { + *x = PeerAuthentication_MutualTLS{} + if protoimpl.UnsafeEnabled { + mi := &file_security_v1_peer_authentication_proto_msgTypes[1] + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + ms.StoreMessageInfo(mi) + } +} + +func (x *PeerAuthentication_MutualTLS) String() string { + return protoimpl.X.MessageStringOf(x) +} + +func (*PeerAuthentication_MutualTLS) ProtoMessage() {} + +func (x *PeerAuthentication_MutualTLS) ProtoReflect() protoreflect.Message { + mi := &file_security_v1_peer_authentication_proto_msgTypes[1] + if protoimpl.UnsafeEnabled && x != nil { + ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x)) + if ms.LoadMessageInfo() == nil { + ms.StoreMessageInfo(mi) + } + return ms + } + return mi.MessageOf(x) +} + +// Deprecated: Use PeerAuthentication_MutualTLS.ProtoReflect.Descriptor instead. 
+func (*PeerAuthentication_MutualTLS) Descriptor() ([]byte, []int) { + return file_security_v1_peer_authentication_proto_rawDescGZIP(), []int{0, 0} +} + +func (x *PeerAuthentication_MutualTLS) GetMode() PeerAuthentication_MutualTLS_Mode { + if x != nil { + return x.Mode + } + return PeerAuthentication_MutualTLS_UNSET +} + +var File_security_v1_peer_authentication_proto protoreflect.FileDescriptor + +var file_security_v1_peer_authentication_proto_rawDesc = []byte{ + 0x0a, 0x25, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x2f, 0x70, 0x65, + 0x65, 0x72, 0x5f, 0x61, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, + 0x6e, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x12, 0x11, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, + 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x1a, 0x1b, 0x74, 0x79, 0x70, 0x65, + 0x2f, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, + 0x72, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x84, 0x04, 0x0a, 0x12, 0x50, 0x65, 0x65, 0x72, + 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x40, + 0x0a, 0x08, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, + 0x32, 0x24, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x2e, 0x76, 0x31, + 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x53, 0x65, + 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x52, 0x08, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, + 0x12, 0x43, 0x0a, 0x04, 0x6d, 0x74, 0x6c, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2f, + 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, + 0x76, 0x31, 0x2e, 0x50, 0x65, 0x65, 0x72, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x4d, 0x75, 0x74, 0x75, 0x61, 0x6c, 0x54, 0x4c, 0x53, 0x52, + 0x04, 0x6d, 0x74, 0x6c, 0x73, 0x12, 0x60, 0x0a, 0x0f, 0x70, 
0x6f, 0x72, 0x74, 0x5f, 0x6c, 0x65, + 0x76, 0x65, 0x6c, 0x5f, 0x6d, 0x74, 0x6c, 0x73, 0x18, 0x03, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x38, + 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2e, + 0x76, 0x31, 0x2e, 0x50, 0x65, 0x65, 0x72, 0x41, 0x75, 0x74, 0x68, 0x65, 0x6e, 0x74, 0x69, 0x63, + 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x4d, + 0x74, 0x6c, 0x73, 0x45, 0x6e, 0x74, 0x72, 0x79, 0x52, 0x0d, 0x70, 0x6f, 0x72, 0x74, 0x4c, 0x65, + 0x76, 0x65, 0x6c, 0x4d, 0x74, 0x6c, 0x73, 0x1a, 0x91, 0x01, 0x0a, 0x09, 0x4d, 0x75, 0x74, 0x75, + 0x61, 0x6c, 0x54, 0x4c, 0x53, 0x12, 0x48, 0x0a, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x01, 0x20, + 0x01, 0x28, 0x0e, 0x32, 0x34, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, + 0x72, 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x65, 0x65, 0x72, 0x41, 0x75, 0x74, 0x68, + 0x65, 0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x4d, 0x75, 0x74, 0x75, 0x61, + 0x6c, 0x54, 0x4c, 0x53, 0x2e, 0x4d, 0x6f, 0x64, 0x65, 0x52, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x22, + 0x3a, 0x0a, 0x04, 0x4d, 0x6f, 0x64, 0x65, 0x12, 0x09, 0x0a, 0x05, 0x55, 0x4e, 0x53, 0x45, 0x54, + 0x10, 0x00, 0x12, 0x0b, 0x0a, 0x07, 0x44, 0x49, 0x53, 0x41, 0x42, 0x4c, 0x45, 0x10, 0x01, 0x12, + 0x0e, 0x0a, 0x0a, 0x50, 0x45, 0x52, 0x4d, 0x49, 0x53, 0x53, 0x49, 0x56, 0x45, 0x10, 0x02, 0x12, + 0x0a, 0x0a, 0x06, 0x53, 0x54, 0x52, 0x49, 0x43, 0x54, 0x10, 0x03, 0x1a, 0x71, 0x0a, 0x12, 0x50, + 0x6f, 0x72, 0x74, 0x4c, 0x65, 0x76, 0x65, 0x6c, 0x4d, 0x74, 0x6c, 0x73, 0x45, 0x6e, 0x74, 0x72, + 0x79, 0x12, 0x10, 0x0a, 0x03, 0x6b, 0x65, 0x79, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0d, 0x52, 0x03, + 0x6b, 0x65, 0x79, 0x12, 0x45, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, + 0x28, 0x0b, 0x32, 0x2f, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x73, 0x65, 0x63, 0x75, 0x72, + 0x69, 0x74, 0x79, 0x2e, 0x76, 0x31, 0x2e, 0x50, 0x65, 0x65, 0x72, 0x41, 0x75, 0x74, 0x68, 0x65, + 
0x6e, 0x74, 0x69, 0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x2e, 0x4d, 0x75, 0x74, 0x75, 0x61, 0x6c, + 0x54, 0x4c, 0x53, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x3a, 0x02, 0x38, 0x01, 0x42, 0x1a, + 0x5a, 0x18, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x73, + 0x65, 0x63, 0x75, 0x72, 0x69, 0x74, 0x79, 0x2f, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x33, +} + +var ( + file_security_v1_peer_authentication_proto_rawDescOnce sync.Once + file_security_v1_peer_authentication_proto_rawDescData = file_security_v1_peer_authentication_proto_rawDesc +) + +func file_security_v1_peer_authentication_proto_rawDescGZIP() []byte { + file_security_v1_peer_authentication_proto_rawDescOnce.Do(func() { + file_security_v1_peer_authentication_proto_rawDescData = protoimpl.X.CompressGZIP(file_security_v1_peer_authentication_proto_rawDescData) + }) + return file_security_v1_peer_authentication_proto_rawDescData +} + +var file_security_v1_peer_authentication_proto_enumTypes = make([]protoimpl.EnumInfo, 1) +var file_security_v1_peer_authentication_proto_msgTypes = make([]protoimpl.MessageInfo, 3) +var file_security_v1_peer_authentication_proto_goTypes = []interface{}{ + (PeerAuthentication_MutualTLS_Mode)(0), // 0: istio.security.v1.PeerAuthentication.MutualTLS.Mode + (*PeerAuthentication)(nil), // 1: istio.security.v1.PeerAuthentication + (*PeerAuthentication_MutualTLS)(nil), // 2: istio.security.v1.PeerAuthentication.MutualTLS + nil, // 3: istio.security.v1.PeerAuthentication.PortLevelMtlsEntry + (*v1beta1.WorkloadSelector)(nil), // 4: istio.type.v1beta1.WorkloadSelector +} +var file_security_v1_peer_authentication_proto_depIdxs = []int32{ + 4, // 0: istio.security.v1.PeerAuthentication.selector:type_name -> istio.type.v1beta1.WorkloadSelector + 2, // 1: istio.security.v1.PeerAuthentication.mtls:type_name -> istio.security.v1.PeerAuthentication.MutualTLS + 3, // 2: istio.security.v1.PeerAuthentication.port_level_mtls:type_name -> 
istio.security.v1.PeerAuthentication.PortLevelMtlsEntry + 0, // 3: istio.security.v1.PeerAuthentication.MutualTLS.mode:type_name -> istio.security.v1.PeerAuthentication.MutualTLS.Mode + 2, // 4: istio.security.v1.PeerAuthentication.PortLevelMtlsEntry.value:type_name -> istio.security.v1.PeerAuthentication.MutualTLS + 5, // [5:5] is the sub-list for method output_type + 5, // [5:5] is the sub-list for method input_type + 5, // [5:5] is the sub-list for extension type_name + 5, // [5:5] is the sub-list for extension extendee + 0, // [0:5] is the sub-list for field type_name +} + +func init() { file_security_v1_peer_authentication_proto_init() } +func file_security_v1_peer_authentication_proto_init() { + if File_security_v1_peer_authentication_proto != nil { + return + } + if !protoimpl.UnsafeEnabled { + file_security_v1_peer_authentication_proto_msgTypes[0].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*PeerAuthentication); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + file_security_v1_peer_authentication_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} { + switch v := v.(*PeerAuthentication_MutualTLS); i { + case 0: + return &v.state + case 1: + return &v.sizeCache + case 2: + return &v.unknownFields + default: + return nil + } + } + } + type x struct{} + out := protoimpl.TypeBuilder{ + File: protoimpl.DescBuilder{ + GoPackagePath: reflect.TypeOf(x{}).PkgPath(), + RawDescriptor: file_security_v1_peer_authentication_proto_rawDesc, + NumEnums: 1, + NumMessages: 3, + NumExtensions: 0, + NumServices: 0, + }, + GoTypes: file_security_v1_peer_authentication_proto_goTypes, + DependencyIndexes: file_security_v1_peer_authentication_proto_depIdxs, + EnumInfos: file_security_v1_peer_authentication_proto_enumTypes, + MessageInfos: file_security_v1_peer_authentication_proto_msgTypes, + }.Build() + File_security_v1_peer_authentication_proto = out.File 
+ file_security_v1_peer_authentication_proto_rawDesc = nil + file_security_v1_peer_authentication_proto_goTypes = nil + file_security_v1_peer_authentication_proto_depIdxs = nil +} diff --git a/security/v1/peer_authentication.proto b/security/v1/peer_authentication.proto new file mode 100644 index 00000000..1a6d4810 --- /dev/null +++ b/security/v1/peer_authentication.proto 
@@ -0,0 +1,168 @@
+// Copyright 2020 Istio Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+syntax = "proto3";
+
+import "type/v1beta1/selector.proto";
+
+// $schema: istio.security.v1.PeerAuthentication
+// $title: PeerAuthentication
+// $description: Peer authentication configuration for workloads.
+// $location: https://istio.io/docs/reference/config/security/peer_authentication.html
+// $aliases: [/docs/reference/config/security/v1/peer_authentication]
+// $mode: none
+
+package istio.security.v1;
+
+option go_package="istio.io/api/security/v1";
+
+// PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.
+//
+// Examples:
+//
+// Policy to allow mTLS traffic for all workloads under namespace `foo`:
+// ```yaml
+// apiVersion: security.istio.io/v1
+// kind: PeerAuthentication
+// metadata:
+// name: default
+// namespace: foo
+// spec:
+// mtls:
+// mode: STRICT
+// ```
+// For mesh level, put the policy in root-namespace according to your Istio installation.
+//
+// Policies to allow both mTLS and plaintext traffic for all workloads under namespace `foo`, but
+// require mTLS for workload `finance`.
+// ```yaml
+// apiVersion: security.istio.io/v1
+// kind: PeerAuthentication
+// metadata:
+// name: default
+// namespace: foo
+// spec:
+// mtls:
+// mode: PERMISSIVE
+// ---
+// apiVersion: security.istio.io/v1
+// kind: PeerAuthentication
+// metadata:
+// name: finance
+// namespace: foo
+// spec:
+// selector:
+// matchLabels:
+// app: finance
+// mtls:
+// mode: STRICT
+// ```
+// Policy that enables strict mTLS for all workloads, but leaves the port `8080` to
+// plaintext. Note the port value in the `portLevelMtls` field refers to the port
+// of the workload, not the port of the Kubernetes service.
+// ```yaml
+// apiVersion: security.istio.io/v1
+// kind: PeerAuthentication
+// metadata:
+// name: default
+// namespace: foo
+// spec:
+// selector:
+// matchLabels:
+// app: finance
+// mtls:
+// mode: STRICT
+// portLevelMtls:
+// 8080:
+// mode: DISABLE
+// ```
+// Policy that inherits mTLS mode from namespace (or mesh) settings, and disables
+// mTLS for workload port `8080`.
+// ```yaml
+// apiVersion: security.istio.io/v1
+// kind: PeerAuthentication
+// metadata:
+// name: default
+// namespace: foo
+// spec:
+// selector:
+// matchLabels:
+// app: finance
+// mtls:
+// mode: UNSET
+// portLevelMtls:
+// 8080:
+// mode: DISABLE
+// ```
+//
+//
+//
+//
+//
+message PeerAuthentication {
+ // The selector determines the workloads to apply the PeerAuthentication on. The selector will match with workloads in the
+ // same namespace as the policy. If the policy is in the root namespace, the selector will additionally match with workloads in all namespace.
+ //
+ // If not set, the policy will be applied to all workloads in the same namespace as the policy. If it is in the root namespace, it would be applied
+ // to all workloads in the mesh.
+ istio.type.v1beta1.WorkloadSelector selector = 1;
+
+ // Mutual TLS settings.
+ message MutualTLS {
+ enum Mode {
+ // Inherit from parent, if has one. Otherwise treated as `PERMISSIVE`.
+ UNSET = 0;
+
+ // Connection is not tunneled.
+ DISABLE = 1;
+
+ // Connection can be either plaintext or mTLS tunnel.
+ PERMISSIVE = 2;
+
+ // Connection is an mTLS tunnel (TLS with client cert must be presented).
+ STRICT = 3;
+ }
+
+ // Defines the mTLS mode used for peer authentication.
+ Mode mode = 1;
+ }
+
+ // Mutual TLS settings for workload. If not defined, inherit from parent.
+ MutualTLS mtls = 2;
+
+ // Port specific mutual TLS settings. These only apply when a workload selector
+ // is specified. The port refers to the port of the workload, not the port of the
+ // Kubernetes service.
+ map port_level_mtls = 3;
+}
diff --git a/security/v1/peer_authentication_deepcopy.gen.go b/security/v1/peer_authentication_deepcopy.gen.go
new file mode 100644
index 00000000..56fc81ce
--- /dev/null
+++ b/security/v1/peer_authentication_deepcopy.gen.go
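Review bot: The `PeerAuthentication` doc comment ends in five empty `//` lines directly before `message PeerAuthentication {`, which is the spot where the v1beta1 `.proto` (last hunk of this diff) carries its `<!-- ... +genclient / +k8s:deepcopy-gen=true ... -->` annotation block; in the v1 copy the markers are gone but the padding stayed behind. If the v1 type is meant to be processed by the same client/deepcopy generators as v1beta1, the annotation block should be carried over rather than blanked; if the omission is deliberate, the empty comment lines should be removed so the doc comment ends at the closing ` ``` ` fence. The generated `security/v1/peer_authentication.pb.go` in this diff reproduces the same trailing blank `//` lines, so the cleanup belongs in this `.proto` source rather than in the generated file.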
@@ -0,0 +1,48 @@ +// Code generated by protoc-gen-deepcopy. DO NOT EDIT. +package v1 + +import ( + proto "google.golang.org/protobuf/proto" +) + +// DeepCopyInto supports using PeerAuthentication within kubernetes types, where deepcopy-gen is used. +func (in *PeerAuthentication) DeepCopyInto(out *PeerAuthentication) { + p := proto.Clone(in).(*PeerAuthentication) + *out = *p +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthentication. Required by controller-gen. +func (in *PeerAuthentication) DeepCopy() *PeerAuthentication { + if in == nil { + return nil + } + out := new(PeerAuthentication) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthentication. Required by controller-gen. +func (in *PeerAuthentication) DeepCopyInterface() interface{} { + return in.DeepCopy() +} + +// DeepCopyInto supports using PeerAuthentication_MutualTLS within kubernetes types, where deepcopy-gen is used. +func (in *PeerAuthentication_MutualTLS) DeepCopyInto(out *PeerAuthentication_MutualTLS) { + p := proto.Clone(in).(*PeerAuthentication_MutualTLS) + *out = *p +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthentication_MutualTLS. Required by controller-gen. +func (in *PeerAuthentication_MutualTLS) DeepCopy() *PeerAuthentication_MutualTLS { + if in == nil { + return nil + } + out := new(PeerAuthentication_MutualTLS) + in.DeepCopyInto(out) + return out +} + +// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthentication_MutualTLS. Required by controller-gen. +func (in *PeerAuthentication_MutualTLS) DeepCopyInterface() interface{} { + return in.DeepCopy() +} diff --git a/security/v1/peer_authentication_json.gen.go b/security/v1/peer_authentication_json.gen.go new file mode 100644 index 00000000..e7869582 --- /dev/null 
+++ b/security/v1/peer_authentication_json.gen.go @@ -0,0 +1,34 @@ +// Code generated by protoc-gen-jsonshim. DO NOT EDIT. +package v1 + +import ( + bytes "bytes" + jsonpb "github.com/golang/protobuf/jsonpb" +) + +// MarshalJSON is a custom marshaler for PeerAuthentication +func (this *PeerAuthentication) MarshalJSON() ([]byte, error) { + str, err := PeerAuthenticationMarshaler.MarshalToString(this) + return []byte(str), err +} + +// UnmarshalJSON is a custom unmarshaler for PeerAuthentication +func (this *PeerAuthentication) UnmarshalJSON(b []byte) error { + return PeerAuthenticationUnmarshaler.Unmarshal(bytes.NewReader(b), this) +} + +// MarshalJSON is a custom marshaler for PeerAuthentication_MutualTLS +func (this *PeerAuthentication_MutualTLS) MarshalJSON() ([]byte, error) { + str, err := PeerAuthenticationMarshaler.MarshalToString(this) + return []byte(str), err +} + +// UnmarshalJSON is a custom unmarshaler for PeerAuthentication_MutualTLS +func (this *PeerAuthentication_MutualTLS) UnmarshalJSON(b []byte) error { + return PeerAuthenticationUnmarshaler.Unmarshal(bytes.NewReader(b), this) +} + +var ( + PeerAuthenticationMarshaler = &jsonpb.Marshaler{} + PeerAuthenticationUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true} +) diff --git a/security/v1beta1/peer_authentication.pb.go b/security/v1beta1/peer_authentication.pb.go index b0fbc29f..6a23e6b5 100644 --- a/security/v1beta1/peer_authentication.pb.go +++ b/security/v1beta1/peer_authentication.pb.go @@ -219,6 +219,9 @@ func (PeerAuthentication_MutualTLS_Mode) EnumDescriptor() ([]byte, []int) { // +genclient // +k8s:deepcopy-gen=true // --> +// type PeerAuthentication struct { state protoimpl.MessageState sizeCache protoimpl.SizeCache diff --git a/security/v1beta1/peer_authentication.proto b/security/v1beta1/peer_authentication.proto index 05eb7103..62f55772 100644 --- a/security/v1beta1/peer_authentication.proto +++ b/security/v1beta1/peer_authentication.proto 
@@ -127,6 +127,9 @@ option go_package="istio.io/api/security/v1beta1"; // +genclient // +k8s:deepcopy-gen=true // --> +// message PeerAuthentication { // The selector determines the workloads to apply the PeerAuthentication on. The selector will match with workloads in the // same namespace as the policy. If the policy is in the root namespace, the selector will additionally match with workloads in all namespace.