John Howard
638ceb91b1
Improvements to CEL validations ( #3218 )
...
* Validate wildcard label selectors
* More CEL improvements
This gives WasmPlugin and Telemetry full parity with the webhook.
Verified by fuzzing, which I will merge into istio/istio after this
(tests fail before this lands)
2024-05-29 22:58:03 -04:00
John Howard
9ed092e1a0
Allow defining CRDs from a single version ( #3186 )
...
* Allow defining CRDs from a single version
Part of https://github.com/istio/api/issues/3127 . Goes with a
corresponding tools change; this will fail until that merges.
This just shows DR. The tool will support both the new and old way (we
can remove the old way if we want), so we don't have to move everything
at once. We will, though. I kept it to one so it's easy to review first.
* Move all APIs over
2024-05-14 15:09:49 -07:00
zirain
188722e5ed
cors: add unmatched_preflights ( #3171 )
...
* cors: add forward_not_matching_preflights
* rename
* update with rama's comment
* use Enum instead of bool
* address john's suggestion
2024-05-09 13:59:52 -07:00
Jackie Elliott
5b08a315cb
Add docs and examples for path templating ( #3162 )
...
* Add docs and examples for path templating
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
* Clarify path segment vs glob
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
* rebase
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
* Update docs to reflect more restrictive path templating support
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
* Clarify an invalid path template will result in an invalid auth
policy.
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
---------
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
2024-04-22 07:09:57 -07:00
John Howard
fe48267f86
policy attachment: allow `targetRefs` ( #3159 )
...
* policy attachment: allow `targetRefs`
Based on https://github.com/kubernetes-sigs/gateway-api/pull/2966 . Note
that we do not HAVE to follow the GatewayAPI here; we can make our own
decision. There is, however, a general desire to allow multiple for
ergonomics.
In this proposal, I hide `targetRef`, but the API will remain + be
implemented forever. Implementation cost here is near zero, as we can
easily translate it to a single `targetRefs`; we just hide from docs to
push users toward the new ones.
* codegen
* Align documentation
* consistency
2024-04-12 13:44:31 -07:00
John Howard
2410bbc01d
EnvoyFilter: implement `targetRefs` ( #3160 )
...
This is the only API we have a `selector` without `targetRef`.
The motivation at the time was that waypoints don't officially support
EnvoyFilter, and targetRef was primarily for waypoints.
However, targetRef can be used with all Kubernetes Gateway, including
for ingress, where EnvoyFilter is supported. Also, long term it will
support waypoint as well I assume; the earlier we add the field the less
migration pain there is.
This PR goes directly to `targetRefs` in line with
https://github.com/istio/api/pull/3159 .
2024-04-12 13:01:31 -07:00
zirain
cf602b958d
Revert "add new phase to WasmPlugin ( #3143 )" ( #3157 )
...
This reverts commit 21eb08855c .
2024-04-11 13:07:31 -07:00
zirain
21eb08855c
add new phase to WasmPlugin ( #3143 )
...
* add new phase to WasmPlugin
* fix build
* rename to INITIAL
2024-04-05 09:20:22 -07:00
Whitney Griffith
d7ab31abb3
Promote Telemetry API to v1 ( #3133 )
...
* create v1 Telemetry API
Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>
* add tracing.match example
Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>
* update metrics.match example
Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>
---------
Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>
2024-04-04 10:59:08 -07:00
Whitney Griffith
2b0bfde445
Networking APIs graduation to v1 ( #3111 )
...
* bump networking apis to v1
Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>
* set storageVersion as v1beta1
Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>
* Add release notes
Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>
* Update release notes
Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>
* make gen
Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>
* Remove ProxyConfig v1
Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>
* update release notes
Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>
* Remove update notes
Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>
---------
Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>
2024-03-15 10:52:50 -07:00
Whitney Griffith
339eb52daa
PeerAuthentication Graduation to v1 ( #3112 )
...
* bump peer auth to v1
Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>
* update sync
Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>
* Add release notes
Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>
* run make gen
Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>
* Fix release notes
Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>
* Update release notes
Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>
* Update release notes
Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>
* make gen
Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>
* fix gen-check
Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>
---------
Signed-off-by: whitneygriffith <whitney.griffith16@gmail.com>
2024-03-13 16:19:34 -07:00
John Howard
cb6950bf63
Document all CRD enum options in CRD description ( #3113 )
2024-03-11 08:44:24 -07:00
John Howard
8c93bf5085
authz: add column for actions ( #3094 )
...
```
$ kag authorizationpolicies.security.istio.io
NAMESPACE NAME ACTION AGE
foo httpbin ALLOW 11m
```
Just a nice helper
2024-02-23 08:41:22 -08:00
Leonardo Sarra
bfa7ba498e
Add timeout field to JWTRule ( #3018 )
...
* Add timeout field to JWTRule
* Change timeout comment
* Sync gen files
* Sync gen files 2
* Adjust comment
* minor changes to comment
2024-02-20 12:30:40 -08:00
Faseela K
e73088544b
Support file mounted CRL ( #3052 )
...
* support file mounted CRL
Signed-off-by: Faseela K <faseela.k@est.tech>
* review comments
Signed-off-by: Faseela K <faseela.k@est.tech>
* enhance description of the field based on Lin's comments
Signed-off-by: Faseela K <faseela.k@est.tech>
---------
Signed-off-by: Faseela K <faseela.k@est.tech>
2024-02-09 00:43:25 -08:00
zirain
62e5dd9150
add shortname for authz ( #3069 )
...
* add shortname for authz
* rename to ap
* release notes
2024-01-29 12:55:32 -08:00
Peter Jausovec
7b21c4ba4e
docs: formatting fixes in WasmPlugin ( #3070 )
...
Signed-off-by: Peter Jausovec <peter.jausovec@solo.io>
2024-01-29 11:46:34 -08:00
Peter Jausovec
3f25d08b9c
docs: fix formatting issues, typo, add links ( #3065 )
...
Signed-off-by: Peter Jausovec <peter.jausovec@solo.io>
2024-01-24 16:17:02 -08:00
Jackie Elliott
c1312a840e
Add docs for max_concurrent_streams ( #3059 )
...
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
2024-01-22 12:29:52 -08:00
Yao Zengzeng
b92f58bb0b
align `selector` comments of PeerAuthentication with `RequestAuthentication` and `AuthorizationPolicy` ( #3031 )
...
* align `selector` comments of PeerAuthentication with `RequestAuthentication` and `AuthorizationPolicy`
* make gen
2024-01-03 06:38:01 -08:00
Jacek Ewertowski
258dcfe4fd
Add idle_timeout to DestinationRule.TcpSettings ( #2999 )
...
* Add idle_timeout to DestinationRule.TcpSettings
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Add release note
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Clarify that idle_timeout does not work for weighted clusters
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Describe idle_timeout in more detail
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
* Add suggested change
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
---------
Signed-off-by: Jacek Ewertowski <jewertow@redhat.com>
2023-12-15 17:26:37 -08:00
Keith Mattix II
bb3cb9c034
Add note on targetRef + authorization policy in multi-revision environment ( #3021 )
...
Signed-off-by: Keith Mattix II <keithmattix@microsoft.com>
2023-12-08 11:57:07 -08:00
Faseela K
515df8dbc3
Fix env variable name for VerifyCertAtClient ( #3012 )
...
Signed-off-by: Faseela K <faseela.k@est.tech>
2023-12-05 08:34:53 -08:00
Jeremy L. Morris
68d86fae7d
Unhide the targetRef docs ( #2983 )
...
* Unhide the targetRef docs
* run make gen
2023-11-30 12:21:26 -08:00
Zhonghu Xu
7aeccb2eee
Added upstream ProxyProtocol settings ( #3007 )
...
* Add upstream proxy protocol support
* make gen
* update
* update
2023-11-29 15:32:24 -08:00
Zhonghu Xu
7aaf411469
Added retrieve JWT from cookies support ( #2997 )
...
* Add retrieve jwt from cookies support
* Add retrieve jwt from cookies support
* make gen
2023-11-28 10:29:12 -08:00
John Howard
7616d8fa4f
telemetry: add native CRD validation ( #2971 )
2023-10-23 18:03:02 -07:00
Jackie Elliott
61be6001a3
Add max_concurrent_streams definition to DestinationRule ( #2952 )
...
* Add max_concurrent_streams definition to DestinationRule.
Part of https://github.com/istio/istio/issues/47166
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
* Hide from docs
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
* move misplaced field from tcp settings to http settings
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
* Rebase and update crd gen yaml
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
---------
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
2023-10-17 12:23:37 -07:00
John Howard
60a1b113da
Revert making gateway.spec.servers required ( #2962 )
2023-10-16 14:23:38 -07:00
John Howard
a53bf82349
Adopt CRD native validation ( #2951 )
...
* Adopt CRD native validation: WasmPlugin
* fix banner
* Hide confusing errors
2023-10-16 12:49:37 -07:00
Zack Butcher
6d61c896cb
Mirror DestinationRule connection pool configuration on Sidecar ( #2961 )
...
* Add support for default and per-port connection pool settings for inbound connections to Envoy sidecars
* flesh out comments on connection pool and describe how they relate to destinationrule. Add a release note for the new field.
* missed comments in v1beta1 that should've been in v1alpha1
2023-10-15 18:53:35 -07:00
John Howard
685ef7d06b
Migrate to protoc-gen-crd ( #2941 )
2023-10-05 16:16:01 -07:00
Eric Van Norman
1c3997104b
Run 'make gen' with new build-tools image ( #2944 )
2023-10-03 14:43:48 -07:00
Jackie Elliott
283cc40b07
Define targetRef proto ( #2888 )
...
* Define protobuf for PolicyTargetReference
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
* Add targetRef to AuthorizationPolicy, Telemetry, WasmPlugin,
ProxyConfig, and RequestAuthentication.
Need more examples.
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
* Add examples
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
* Moved targetRef def to selector.proto. Removed kubebuilder
comments. Added release note for targetRef.
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
* Add oneof to CRD protos. Add clarifying comments about intended
use of targetRef.
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
* Remove targetRef from ProxyConfig
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
* Removed root namespace references and ingress gateway targetRef
examples.
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
* Hide API changes from docs and remove examples until impl is
complete
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
* Remove telemetry example until impl complete
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
* add clarification resource must be in same ns as policy and add
oneof to wasm plugin.
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
* Remove oneof in to avoid go changes.
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
* update release note to clarify scope is limited to waypoints
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
* Update authorizationPolicy selector comment
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
* clarify in targetRef description only waypoint is supported as a
targeted resource
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
* add k8s gateway references
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
* Respond to PR feedback and add selector example.
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
* Address nits
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
---------
Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
2023-09-05 15:45:52 -07:00
Rama Chavali
3cfacc6007
add support for network wasm filters ( #2904 )
...
* add support for network wasm filters
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
* add undefined
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
* move to top level enum
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
* move to caps
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
* add more docs
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
* fix comments
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
---------
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
2023-08-22 02:38:49 -07:00
fatedier
95b5260a18
remove hide_from_docs for http route mirrors ( #2893 )
2023-08-10 06:37:04 -07:00
fatedier
f3753ed9ee
feature: virtual service supports traffic mirroring to multiple destinations ( #2805 )
2023-07-31 20:17:15 -07:00
Rama Chavali
7e4fb1598d
add a new TLS mode for validating client cert if presented ( #2820 )
...
* add support for validating client cert if presented
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
* fix tab
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
* fix comments
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
* make gen
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
* add more comments
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
* fix comments
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
* change wording
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
---------
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
2023-07-06 20:03:32 -07:00
Kuat
9242317ada
wasm: add fail_open for telemetry plugins ( #2799 )
...
* wasm: add fail_open for telemetry plugins
Signed-off-by: Kuat Yessenov <kuat@google.com>
* wasm: add fail_open for telemetry plugins
Signed-off-by: Kuat Yessenov <kuat@google.com>
* review
Signed-off-by: Kuat Yessenov <kuat@google.com>
---------
Signed-off-by: Kuat Yessenov <kuat@google.com>
2023-06-02 10:53:02 -07:00
Rama Chavali
ba799b973e
add regex rewrite support for uris ( #2753 )
...
* add regex rewrite support for uris
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
* rename
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
* add examples
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
* add gen files
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
---------
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
2023-05-24 12:24:41 -07:00
Zhonghu Xu
336f5919b4
Deprecate Port.TargetPort ( #2634 )
...
* Mark targetPort as deprecated
* auto gen
2023-01-17 08:06:34 -08:00
Zhonghu Xu
06179ffd0b
Separate ServiceEntry port from Gateway Server and Sidecar ingress listener ( #2626 )
...
* Separate serviceentry port from gateway and sidecar, because only service entry port needs target port
* make gen
* remove target port from port struct
* remove unused import
* remove unused import
2023-01-12 08:06:14 -08:00
Daniel Hawton
a39e7047c3
remove hide_from_docs for traffic selector ( #2575 )
2022-11-24 05:58:06 -08:00
Aryan Gupta
bd9c37f95e
security policy graduation to v1 ( #2553 )
2022-11-22 12:03:23 -08:00
Aryan Gupta
9c7e8716fa
copy jwt claim to header ( #2570 )
2022-11-17 14:44:03 -08:00
zirain
8461c8ae2e
telemetry: add support for reporting_interval ( #2556 )
...
* telemetry: add support for tcp_reporting_duration
* update with kuat's suggestion
* update comments
2022-11-14 11:47:33 -08:00
Antoine Cotten
3017a057f7
Remove remnants of old example in ServiceEntry docs ( #2554 )
...
* doc(serviceentry): remove remnants of old example
This part was copied verbatim from workload_entry.proto and is not
relevant here.
* Run gen
2022-11-08 07:27:12 -08:00
Zhonghu Xu
1179712aec
Added listener filter patching ( #2514 )
...
* Added listener filter patch api
* make gen
* update comment
* make gen
2022-10-28 03:50:55 -07:00
Ingwon Song
d5358d93ef
Add a match scheme to WasmPlugin for passing more specific traffic to Wasm module ( #2412 )
...
* Add a match scheme to WasmPlugin to select more specific traffic
* Make gen
* Move PortSelector and WorkloadMode to type/v1beta1/selector.proto
* Reflect the comments
* Catch up the missing "make gen"
* Reflect the comments
* Reflect the comments
* Reflect the comments, again
* Do "make gen"
2022-09-06 08:37:31 -07:00
Faseela K
ef38878bf5
Update sidecar bind description to include IPv6 ( #2454 )
...
* Update sidecar bind description to include IPv6
The bind attribute already works with IPv6, but somehow
the documentation seems to be not updated.
Signed-off-by: Faseela K <faseela.k@est.tech>
* Re-add fullstop
Signed-off-by: Faseela K <faseela.k@est.tech>
Signed-off-by: Faseela K <faseela.k@est.tech>
2022-08-11 00:35:02 -07:00