* Validation: CEL adjusted to allow PolicyTargetReference to target gtwapi GatewayClass
Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* adding releasenote
Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* remove CEL validations for PolicyTargetRef to allow vendor extensions
Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* remove centralized group/kind detail and move to where targetRef is used in resources
Signed-off-by: Ian Rudie <ian.rudie@solo.io>
---------
Signed-off-by: Ian Rudie <ian.rudie@solo.io>
* Fix CEL validation on older k8s versions
Also add testing so we can catch this (though it's tied to a single k8s
version, so it's not perfect -- but should be able to catch most cases).
CEL before k8s 1.30 did not estimate the cost correctly so it's basically
impossible
* actually keep it
* Validate wildcard label selectors
* More CEL improvements
This gives WasmPlugin and Telemetry full parity with the webhook.
Verified by fuzzing, which I will merge into istio/istio after this
(tests fail before this lands)
Previously, only a Gateway resource was defined as a supported
attachment type. This PR updates the API docs to include a Service
as a supported type and also fixes an incorrect link to Gateway API
documentation.
Signed-off-by: Daneyon Hansen <daneyon.hansen@solo.io>
The `REQUIRED` proto label currently does nothing. As a result, some of
them are misaligned with reality -- fields marked REQUIRED are actually
not required, and often even have valid behaviors and are used in the
real world.
Unfortunately, many of these are fields that *should* be required but
are not. To maintain backwards compatibility, these cannot be made
required at this point, sadly.
In a future PR, I intend to make `REQUIRED` *actually make it required*,
so this PR is a pre-requisite to doing that.
We only generate this for some resources and not others, and no one has
complained -- so there doesn't seem to be much value in maintaining
this, but it provides a lot of boilerplate.
Rather than "fixing" it to be used for all types, seems better to just
drop this. We already have the schema as proto and OpenAPI (via CRD).
* Fix indentation of jwt doc
* Update comment line of jwtrule
* Fix indentation of jwt doc
* Update comment line of jwtrule
* Rebase with latest master
---------
Co-authored-by: Sathish Swaminathan <sathish.swaminathan@ibm.com>
* Add a match scheme to WasmPlugin to select more specific traffic
* Make gen
* Move PortSelector and WorkloadMode to type/v1beta1/selector.proto
* Reflect the comments
* Catch up the missing "make gen"
* Reflect the comments
* Reflect the comments
* Reflect the comments, again
* Do "make gen"
https://docs.buf.build/
Buf is the successor to https://github.com/uber/prototool which we
already use for linting.
This dramatically simplifies our Makefiles, which are both extremely
complicated and have led to numerous bugs historically, such as
https://github.com/istio/api/issues/1678.
This will make changes to the generation much simpler as well. For
example, to migrate to gogo protobuf, we will just need to change `gogo`
-> `go` in one location, rather than trying to wrangle 500 lines of
Makefiles. Additionally, it's quite a bit faster - the whole proto stuff
is done in <1s now.
* use field_behavior option for required fields
* modify makefile to replace import path for field_behavior
* generate after image update
* changes after comments from policy and telemetry team
* regen after changes
* update networking and rebase