istio
/
api
mirror of https://github.com/istio/api.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
2,183 Commits 56 Branches 466 Tags 41 MiB
Commit Graph

160 Commits

Author SHA1 Message Date
jacob-delgado 80b6f10e34
update protos (#3478) 
* update protos

* update dependencies

* make tidy
 2025-03-31 19:10:45 -04:00
Craig Box bccd18b8af
straighten some quotes (#3451) 
* straighten some quotes

* manually make the gens

* automatically make the gens
 2025-03-04 14:26:59 -05:00
jacob-delgado 41ef999fc6
Run make gen (#3440) 2025-02-13 19:11:45 -05:00
Ian Rudie 03360c1a87
Validation: remove CEL for PolicyTargetRef to allow vendor extensions (#3414) 
* Validation: CEL adjusted to allow PolicyTargetReference to target gtwapi GatewayClass

Signed-off-by: Ian Rudie <ian.rudie@solo.io>

* adding releasenote

Signed-off-by: Ian Rudie <ian.rudie@solo.io>

* remove CEL validations for PolicyTargetRef to allow vendor extensions

Signed-off-by: Ian Rudie <ian.rudie@solo.io>

* remove centralized group/kind detail and move to where targetRef is used in resources

Signed-off-by: Ian Rudie <ian.rudie@solo.io>

---------

Signed-off-by: Ian Rudie <ian.rudie@solo.io>
 2025-01-24 17:16:00 -05:00
John Howard 0e96d7b671
AuthorizationPolicy serviceAccount: allow same namespace (#3417) 2025-01-20 21:19:57 -05:00
jacob-delgado 8a62f1e437
Run make gen (#3415) 2025-01-16 16:29:54 -05:00
Istio Automation 6516922f64
Automator: update common-files@master in istio/api@master (#3405) 2025-01-03 18:49:58 -05:00
John Howard a684e698b8
Validation: add documentation and use CEL pre-processor (#3333) 
* Move to oneof

* more oneof

* simplify SE one

* simplify expressions

* add validation readme

* lint
 2024-12-31 19:32:56 -05:00
John Howard 27d505cbdb
AuthorizationPolicy: add `serviceAccounts` field (#3340) 
* AuthorizationPolicy: add `serviceAccounts` field

This is a minor implementation complexity in favor of a dramatic
simplification to usage of Istio authorization.

Today, if a user wants to dive into zero-trust 101, they are presented
with a requirement to set `principals`: `A list of peer identities
derived from the peer certificate`, and write
`<TRUST_DOMAIN>/ns/<NAMESPACE>/sa/<SERVICE_ACCOUNT>`.

This simple sentance is a huge cognitive overload for users in my
experience working with users, and unnecesarily pushes SPIFFE, trust
domains, and other unneccesary concepts onto users. Additionally, the
requirement to set 'trust domain', which is overwhelmingly not desired
by users who just want SA auth, leads to all sorts of wonky workarounds
in Istio like `cluster.local` being a magic value.

Instead, we just add a SA field directly. This takes the format `ns/sa`,
as you cannot safely reference a SA without a namespace field as well.
Note we do this, rather than just require you to set 'service account' and 'namespace'
as individual fields, since you could have `namespace=[a,b],sa=[d,e]`
which is ambiguous.

If this is directionally approved, I will add some more documentation
and CEL validation and testing.

* Tests and validation

* add doc

* Clarify comment that this is a KSA
 2024-12-18 16:55:32 -05:00
Craig Box 5fcb020312
New HTML (#3388) 2024-12-16 10:19:15 -05:00
Craig Box 83045844df
Fix some proto descriptions (#3384) 
* fix some protos

* change comments from proto_names to yamlCase

* missed some backticks

* add make gen from prow
 2024-12-12 12:02:02 -05:00
jacob-delgado 918717d1a2
Run make gen with latest image (#3368) 2024-11-23 04:07:16 -05:00
rob salmond 76c3278753
new schema format (#3352) 2024-11-07 02:19:27 -05:00
jacob-delgado a591eba3df
Run make gen (#3337) 2024-10-15 20:10:50 -04:00
Faseela K 14aff11e9f
Run make-gen for protoc-gen-go v1.35.1 (#3330) 
Signed-off-by: Faseela K <faseela.k@est.tech>
 2024-10-10 14:46:46 -04:00
John Howard 1708641991
Improve validation for targetRefs (#3312) 
Per
https://gateway-api.sigs.k8s.io/geps/gep-2648/?h=targetrefs#multiple,
only 16 max allowed -- which is quite reasonable.

Additionally, consistently allow only workloadSelector OR targetRef; we
had this only on some types
 2024-09-26 16:04:24 -04:00
John Howard abec44418d
Pick up changes to CRD template naming and fix excessive WG validation (#3295) 
* Rename tag names

* Drop embedding address validation in WG
 2024-08-20 17:22:23 -04:00
Steven Landow 325839bcae
docs: clarify target ref to service (#3274) 2024-07-26 17:23:39 -04:00
Craig Box b04c2565ff
Update PeerAuthentication docs (#3184) 
* Update PeerAuthentication docs for mTLS

* update

* update text

* made gen

* make gen

* fix gencheck
 2024-07-01 20:40:49 -04:00
jacob-delgado 74890bf7da
run make gen (#3248) 2024-06-27 20:22:26 -04:00
John Howard 0dbacc0160
CEL Validations for ProxyConfig, RequestAuthentication, and PeerAuthentication (#3223) 
* Add CEL validation for ProxyConfig

* add PA

* Add RequestAuthentication

* allow empty validation

* validate groups

* oops

* gen

* fix
 2024-06-04 17:16:07 -04:00
jacob-delgado fd44b55c2a
Make gen with latest tools image (#3220) 
* Use with latest tools image

* update grpc-go dependency
 2024-05-30 20:33:10 -04:00
Istio Automation e4a1b46d09
Automator: update common-files@master in istio/api@master (#3212) 2024-05-22 10:12:02 -04:00
Kim Sondrup c8f65e2f8b
Fix typo in closing tag for some code blocks (#3196) 2024-05-21 09:42:29 -04:00
Whitney Griffith db01f1058c
update docs to show latest API version examples (#3192) 
Signed-off-by: Whitney Griffith <whitney.griffith16@gmail.com>
 2024-05-20 13:50:35 -04:00
John Howard b9c26acf91
Generate alias for types instead of copies (#3188) 2024-05-20 11:48:31 -04:00
zirain 9d5445e3a9
update comment (#3204) 2024-05-20 09:25:31 -04:00
Daneyon Hansen 2b5bf4c8a0
Adds Service Type to PolicyTargetReference API Docs (#3199) 
Previously, only a Gateway resource was defined as a supported
attachment type. This PR updates the API docs to include a Service
as a supported type and also fixes an incorrect link to Gateway API
documentation.

Signed-off-by: Daneyon Hansen <daneyon.hansen@solo.io>
 2024-05-15 22:29:11 -04:00
John Howard 9ed092e1a0
Allow defining CRDs from a single version (#3186) 
* Allow defining CRDs from a single version

Part of https://github.com/istio/api/issues/3127. Goes with a
corresponding tools change; this will fail until that merges.

This just shows DR. The tool will support both the new and old way (we
can remove the old way if we want), so we don't have to move everything
at once. We will, though. I kept it to one so its easy to review first.

* Move all APIs over
 2024-05-14 15:09:49 -07:00
John Howard 7dfab5580f
Place JWTRule under RequestAuthentication like every other API (#3187) 
There is no reason for this to be split, it just makes the docs more
confusing.

I am fairly sure this change only impacts the HTML, merging two pages
into one. I tested with istio.io/istio still builds fine.
 2024-05-13 08:22:20 -07:00
Craig Box 768c994129
sort JWTRule after RequestAuthentication in the Istio docs. (#3179) 
* sort JWTRule after RequestAuthentication in the Istio docs.

* add make gen'd files
 2024-05-08 20:42:51 -07:00
Jackie Elliott 5b08a315cb
Add docs and examples for path templating (#3162) 
* Add docs and examples for path templating

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Clarify path segment vs glob

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* rebase

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Update docs to reflect more restrictive path templating support

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Clarify an invalid path template will result in a invalid auth
policy.

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

---------

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
 2024-04-22 07:09:57 -07:00
John Howard fe48267f86
policy attachment: allow `targetRefs` (#3159) 
* policy attachment: allow `targetRefs`

Based on https://github.com/kubernetes-sigs/gateway-api/pull/2966. Note
that we do not HAVE to follow the GatewayAPI here; we can make our own
decision. There is, however, a general desire to allow multiple for
ergonomics.

In this proposal, I hide `targetRef`, but the API will remain + be
implemented forever. Implementation cost here is near zero, as we can
easily translate it to a single `targetRefs`; we just hide from docs to
push users toward the new ones.

* codegen

* Align documentation

* consistency
 2024-04-12 13:44:31 -07:00
Sridhar Gaddam 13544404d3
Fix description of PeerAuthentication example (#3139) 2024-03-25 10:22:17 -07:00
Whitney Griffith 94d8c5322f
Resolves #3125 (#3128) 
Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>
 2024-03-21 09:52:07 -07:00
Whitney Griffith 339eb52daa
PeerAuthentication Graduation to v1 (#3112) 
* bump peer auth to v1

Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>

* update sync

Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>

* Add release notes

Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>

* run make gen

Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>

* Fix release notes

Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>

* Update release notes

Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>

* Update release notes

Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>

* make gen

Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>

* fix gen-check

Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>

---------

Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>
 2024-03-13 16:19:34 -07:00
jacob-delgado 3d9a233170
Run make gen (#3120) 2024-03-11 17:59:56 -07:00
John Howard 76d8e65ae7
docs: remove per-version API tabs (#3100) 
Fixes https://github.com/istio/api/issues/2994
 2024-03-05 07:22:21 -08:00
John Howard 8c93bf5085
authz: add column for actions (#3094) 
```
$ kag authorizationpolicies.security.istio.io
NAMESPACE   NAME      ACTION   AGE
foo         httpbin   ALLOW    11m
```

Just a nice helper
 2024-02-23 08:41:22 -08:00
Leonardo Sarra bfa7ba498e
Add timeout field to JWTRule (#3018) 
* Add timeout field to JWTRule

* Change timeout comment

* Sync gen files

* Sync gen files 2

* Adjust comment

* minor changes to comment
 2024-02-20 12:30:40 -08:00
Peter Jausovec 1b6aded783
docs: add notes for ports used in AuthPolicy/PeerAuth (#3075) 
Signed-off-by: Peter Jausovec <peter.jausovec@solo.io>
 2024-01-31 12:47:37 -08:00
zirain 62e5dd9150
add shortname for authz (#3069) 
* add shortname for authz

* rename to ap

* release notes
 2024-01-29 12:55:32 -08:00
Peter Jausovec 796ac64a96
docs: field name and minor formatting fixes (#3057) 
Signed-off-by: Peter Jausovec <peter.jausovec@solo.io>
 2024-01-19 10:39:48 -08:00
jacob-delgado 06018d723c
Run make gen with new protoc (#3051) 
* Run make gen with new protoc

* Update dependencies
 2024-01-17 09:03:58 -08:00
Yao Zengzeng b92f58bb0b
align `selector` comments of PeerAuthentication with `RequestAuthentication` and `AuthorizationPolicy` (#3031) 
* align `selector` comments of PeerAuthentication with `RequestAuthentication` and `AuthorizationPolicy`

* make gen
 2024-01-03 06:38:01 -08:00
Keith Mattix II bb3cb9c034
Add note on targetRef + authorization policy in multi-revision environment (#3021) 
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
 2023-12-08 11:57:07 -08:00
Zhonghu Xu 7aaf411469
Added retrieve JWT from cookies support (#2997) 
* Add retrieve jwt from cookies support

* Add retrieve jwt from cookies support

* make gen
 2023-11-28 10:29:12 -08:00
Zhonghu Xu 2c49e44609
Update authz document (#2954) 
* update authorizationPolicy CUSTOM action feature status

* update authorizationPolicy CUSTOM action feature status
 2023-10-12 09:43:42 -07:00
John Howard 685ef7d06b
Migrate to protoc-gen-crd (#2941) 2023-10-05 16:16:01 -07:00
Jackie Elliott 283cc40b07
Define targetRef proto (#2888) 
* Define protobuf for PolicyTargetReference

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Add targetRef to AuthorizationPolicy, Telemetry, WasmPlugin,
ProxyConfig, and RequestAuthentication.

Need more examples.

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Add examples

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Moved targetRef def to selector.proto. Removed kubebuilder
comments. Added release note for targetRef.

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Add oneof to CRD protos. Add clarifying comments about intended
use of taretRef.

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Remove targetRef from ProxyConfig

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Removed root namespace references and ingress gateway targetRef
examples.

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Hide API changes from docs and remove examples until impl is
complete

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Remove telemtry example until impl complete

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* add clarification resource must be in same ns as policy and add
oneof to wasm plugin.

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Remove oneof in to avoid go changes.

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* update release note to clarify scope is limited to waypoints

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Update authorizationPolicy selector comment

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* clarify in targetRef description only waypoint is supported as a
targeted resource

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* add k8s gateway references

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Respond to PR feedback and add selector example.

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Address nits

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

---------

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
 2023-09-05 15:45:52 -07:00