Compare commits


41 Commits

Author SHA1 Message Date
Istio Automation dc36c0a88d
Automator: update common-files@master in istio/api@master (#3548) 2025-08-07 08:16:26 -04:00
Istio Automation 963bdaaf28
Automator: update common-files@master in istio/api@master (#3546) 2025-08-01 07:10:05 -04:00
Sergei Nikolaev 35764fa2f6
feat: add tls.caCertCredentialName (#3544)
* feat: add tls.caCertCredentialName

Signed-off-by: Sergei Nikolaev <kinolaev@gmail.com>

* chore: add release note

Signed-off-by: Sergei Nikolaev <kinolaev@gmail.com>

---------

Signed-off-by: Sergei Nikolaev <kinolaev@gmail.com>
2025-07-31 17:27:05 -04:00
Micah Nagel c7b3cb6027
unhide ambient.istio.io/bypass-inbound-capture annotation (#3543)
* unhide ambient.istio.io/bypass-inbound-capture annotation

* fix: autogen

* fix: autogen
2025-07-23 04:14:48 -04:00
Rama Chavali e716877a15
add x-forwarded-host and x-forwarded-port in proxy headers (#3532)
* add x-forwarded-host and x-forwarded-port in proxy headers

Signed-off-by: Rama Chavali <rama.rao@salesforce.com>

* comments

Signed-off-by: Rama Chavali <rama.rao@salesforce.com>

* make gen

Signed-off-by: Rama Chavali <rama.rao@salesforce.com>

---------

Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
2025-07-20 21:18:44 -04:00
Istio Automation 4f1ba257a2
Automator: update common-files@master in istio/api@master (#3542) 2025-07-17 12:51:43 -04:00
jacob-delgado d9ba074fd3
update go.mod dependencies (#3541)
* update deps

* use go 1.23, not go 1.24

* make gen

* fix: non-constant format string in call to fmt.Errorf
2025-07-17 12:38:43 -04:00
Istio Automation 7c1a7c9441
Automator: update common-files@master in istio/api@master (#3540) 2025-07-15 11:20:38 -04:00
Istio Automation 59dcadc040
Automator: update common-files@master in istio/api@master (#3539) 2025-07-15 05:58:38 -04:00
Istio Automation 638d39554f
Automator: update common-files@master in istio/api@master (#3538) 2025-07-10 07:06:33 -04:00
Istio Automation ea38f1ceff
Automator: update common-files@master in istio/api@master (#3536) 2025-07-08 05:37:30 -04:00
Istio Automation 5abba36528
Automator: update common-files@master in istio/api@master (#3533) 2025-06-30 16:45:23 -04:00
Istio Automation 2aeaef9384
Automator: update common-files@master in istio/api@master (#3530) 2025-06-26 08:13:19 -04:00
zirain 09a4d534f2
add RetryBudget in DestinationRule (#3512)
* add RetryBudget in DestinationRule

* address comment

* gen

Signed-off-by: zirain <zirain2009@gmail.com>

---------

Signed-off-by: zirain <zirain2009@gmail.com>
2025-06-25 12:53:18 -04:00
Rama Chavali 54c00a1820
add gateway sds extension provider (#3529)
* add gateway sds extension provider

Signed-off-by: Rama Chavali <rama.rao@salesforce.com>

* address comments

Signed-off-by: Rama Chavali <rama.rao@salesforce.com>

* revert change

Signed-off-by: Rama Chavali <rama.rao@salesforce.com>

---------

Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
2025-06-25 11:14:18 -04:00
Istio Automation 3203c6c2b2
Automator: update common-files@master in istio/api@master (#3527) 2025-06-19 09:49:10 -04:00
Istio Automation 32aef48833
Automator: update common-files@master in istio/api@master (#3526) 2025-06-18 14:25:10 -04:00
zirain 65babd3c01
format protobuf files (#3522) 2025-06-16 11:17:16 -04:00
Craig Box 2d8537b42d
update sourceLabels and sourceNamespace docs (#3516)
* update sourceLabels and sourceNamespace docs

* made gen
2025-06-09 16:52:23 -04:00
Istio Automation 525552ff77
Automator: update common-files@master in istio/api@master (#3515) 2025-06-08 03:56:13 -04:00
Rama Chavali 5ce14890be
fix retry example in virtual service (#3514)
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
2025-06-07 10:13:53 -04:00
Istio Automation 840d4bf8e3
Automator: update common-files@master in istio/api@master (#3513) 2025-06-06 10:17:52 -04:00
zirain 59d36095c4
fix doc (#3511) 2025-06-05 07:24:52 -04:00
Istio Automation 2420d6915d
Automator: update common-files@master in istio/api@master (#3510) 2025-06-04 12:36:51 -04:00
Tyler Schade 47c8bc9152
remove required validation for JWTRule issuer field (#3504)
Signed-off-by: tjons <tylerschade99@gmail.com>
2025-05-22 10:13:22 -04:00
Istio Automation ba07c2c455
Automator: update common-files@master in istio/api@master (#3508) 2025-05-22 09:17:33 -04:00
Istio Automation 31de7139c7
Automator: update common-files@master in istio/api@master (#3507) 2025-05-22 04:26:32 -04:00
Istio Automation 1854e1991c
Automator: update common-files@master in istio/api@master (#3506) 2025-05-15 14:21:15 -04:00
Jackie Maertens (Elliott) 6c028fec98
Define ServiceScopeConfig in ServiceSettings (#3464)
* Define ServiceScopeConfig in ServiceSettings

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Add release note

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* remove suffix

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* add back missing scope from example

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Remove nested list

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* make gen

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Update example

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* make gen

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Update gen

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Clarify example

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Clarify behavior of servicescopeconfig

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Respond to PR feedback about docs

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Move ServiceScopeConfigs to its own message. Define relationship
between ServiceSettings and ServiceScopeConfigs.

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Clarify declarative intent

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Clarify API intent for mesh admin

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

* Fix example

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>

---------

Signed-off-by: Jackie Elliott <jaellio@microsoft.com>
2025-05-15 13:12:15 -04:00
Istio Automation a630cf092d
Automator: update common-files@master in istio/api@master (#3505) 2025-05-13 17:58:13 -04:00
Rama Chavali 8c42862123
remove unnecessary comments (#3503)
Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
2025-05-10 10:51:46 -04:00
Istio Automation 6e80709806
Automator: update common-files@master in istio/api@master (#3501) 2025-05-09 09:55:45 -04:00
Istio Automation fc3334008b
Automator: update common-files@master in istio/api@master (#3500) 2025-05-09 06:04:48 -04:00
Istio Automation 278f26ce2e
Automator: update common-files@master in istio/api@master (#3499) 2025-05-07 14:19:44 -04:00
Rama Chavali 11442f3c76
hide ca cert from tls certificates (#3495)
* hide ca cert from tls certificates

Signed-off-by: Rama Chavali <rama.rao@salesforce.com>

* fix hide

Signed-off-by: Rama Chavali <rama.rao@salesforce.com>

---------

Signed-off-by: Rama Chavali <rama.rao@salesforce.com>
2025-05-05 09:52:43 -04:00
Faseela K 6944c75efc
Migrate storage version of networking APIs to v1 (#3498)
* Migrate storage version of networking APIs to v1

Signed-off-by: Faseela K <faseela.k@est.tech>

* add release notes

Signed-off-by: Faseela K <faseela.k@est.tech>

* fix release notes

Signed-off-by: Faseela K <faseela.k@est.tech>

* generate crds

Signed-off-by: Faseela K <faseela.k@est.tech>

---------

Signed-off-by: Faseela K <faseela.k@est.tech>
2025-05-02 05:35:47 -04:00
Adesh Ghadage d4002d7d0b
Update refdocs to use markdown links and standardize HTTP/2 notation in master (#3430)
* update-refdocs-master-brokenUrl

* update-refdocs-release-1.24-brokenUrl

* updatedoc

* Regenerate API docs after changes

* Update networking/v1alpha3/destination_rule.proto

Co-authored-by: Craig Box <craig.box@gmail.com>

* Update networking/v1alpha3/destination_rule.proto

Co-authored-by: Craig Box <craig.box@gmail.com>

* Update networking/v1alpha3/destination_rule.proto

Co-authored-by: Craig Box <craig.box@gmail.com>

* Updated refdoc

---------

Co-authored-by: Craig Box <craig.box@gmail.com>
2025-05-02 05:35:39 -04:00
Sridhar Gaddam d98ae9c845
Add note for reroute-virtual-interfaces usage with dind (#3494)
* Add note for reroute-virtual-interfaces usage with dind

Signed-off-by: Sridhar Gaddam <sgaddam@redhat.com>

* Update the note to include docker-compose

Signed-off-by: Sridhar Gaddam <sgaddam@redhat.com>

---------

Signed-off-by: Sridhar Gaddam <sgaddam@redhat.com>
2025-05-01 22:17:39 -04:00
Adam Cattermole 5e743e9aad
Add wasm plugin fail strategy reload (#3471) 2025-05-01 22:08:39 -04:00
Istio Automation 43c425818c
Automator: update common-files@master in istio/api@master (#3497) 2025-04-25 03:57:02 -04:00
Istio Automation 5b92b045e6
Automator: update common-files@master in istio/api@master (#3496) 2025-04-24 16:21:02 -04:00
83 changed files with 2533 additions and 1366 deletions


@ -1,6 +1,6 @@
{
"name": "istio build-tools",
"image": "gcr.io/istio-testing/build-tools:master-fcd42145fc132acd1e8f607e9e7aca15058e9fb9",
"image": "gcr.io/istio-testing/build-tools:master-672e6089ff843019a2b28cf9e87754c7b74358ea",
"privileged": true,
"remoteEnv": {
"USE_GKE_GCLOUD_AUTH_PLUGIN": "True",


@ -24,7 +24,7 @@ package istio.analysis.v1alpha1;
import "google/protobuf/struct.proto";
option go_package="istio.io/api/analysis/v1alpha1";
option go_package = "istio.io/api/analysis/v1alpha1";
// There are four messages described in this file. One of them is a struct
// common to the other three: AnalysisMessageBase. Using this, we can construct
@ -78,7 +78,6 @@ message AnalysisMessageBase {
// `^http(s)?://(preliminary\.)?istio.io/docs/reference/config/analysis/`
// Required.
string documentation_url = 3;
}
// AnalysisMessageWeakSchema is the set of information that's needed to define a


@ -118,7 +118,7 @@ var (
This is intended to be used when enrolling a workload that only receives traffic from out-of-the-mesh clients, such as third party ingress controllers.
`,
FeatureStatus: Alpha,
Hidden: true,
Hidden: false,
Deprecated: false,
Resources: []ResourceTypes{
Pod,
@ -288,6 +288,7 @@ This takes the format: "<protocol>" or "<protocol>/<port>".
IoIstioRerouteVirtualInterfaces = Instance {
Name: "istio.io/reroute-virtual-interfaces",
Description: `A comma separated list of virtual interfaces whose inbound traffic will be unconditionally treated as outbound. This allows workloads using virtualized networking (kubeVirt, VMs, docker-in-docker, etc) to function correctly with mesh traffic capture.
Note: When using docker-in-docker container, the default bridge interface name is typically "docker0". However, custom networks (often used with docker compose) are assigned a randomized interface name. To have a predictable name, you can configure the Docker option "com.docker.network.bridge.name" with a fixed value and use that name in the annotation.
`,
FeatureStatus: Alpha,
Hidden: false,


@ -9,6 +9,29 @@ weight: 60
This page presents the various resource <a href="https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/">annotations</a> that
Istio supports to control its behavior.
</p>
<h2 id="AmbientBypassInboundCapture">ambient.istio.io/bypass-inbound-capture</h2>
<table class="annotations">
<tbody>
<tr>
<th>Name</th>
<td><code>ambient.istio.io/bypass-inbound-capture</code></td>
</tr>
<tr>
<th>Feature Status</th>
<td>Alpha</td>
</tr>
<tr>
<th>Resource Types</th>
<td>[Pod]</td>
</tr>
<tr>
<th>Description</th>
<td><p>When specified on a <code>Pod</code> enrolled in ambient mesh, only outbound traffic will be captured.
This is intended to be used when enrolling a workload that only receives traffic from out-of-the-mesh clients, such as third party ingress controllers.</p>
</td>
</tr>
</tbody>
</table>
<h2 id="AmbientRedirection">ambient.istio.io/redirection</h2>
<table class="annotations">
<tbody>
@ -116,7 +139,8 @@ User should not manually modify this annotation.</p>
</tr>
<tr>
<th>Description</th>
<td><p>A comma separated list of virtual interfaces whose inbound traffic will be unconditionally treated as outbound. This allows workloads using virtualized networking (kubeVirt, VMs, docker-in-docker, etc) to function correctly with mesh traffic capture.</p>
<td><p>A comma separated list of virtual interfaces whose inbound traffic will be unconditionally treated as outbound. This allows workloads using virtualized networking (kubeVirt, VMs, docker-in-docker, etc) to function correctly with mesh traffic capture.
Note: When using docker-in-docker container, the default bridge interface name is typically <code>docker0</code>. However, custom networks (often used with docker compose) are assigned a randomized interface name. To have a predictable name, you can configure the Docker option <code>com.docker.network.bridge.name</code> with a fixed value and use that name in the annotation.</p>
</td>
</tr>
</tbody>


@ -570,7 +570,7 @@ annotations:
When specified on a `Pod` enrolled in ambient mesh, only outbound traffic will be captured.
This is intended to be used when enrolling a workload that only receives traffic from out-of-the-mesh clients, such as third party ingress controllers.
deprecated: false
hidden: true
hidden: false
resources:
- Pod
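Review bot: Flipping `hidden: true` to `hidden: false` publishes this annotation in the reference docs, but the description only says that "only outbound traffic will be captured" and who the annotation is intended for, not what inbound connections lose once they are no longer captured. Before exposing it, extend the description to state whether mesh policy enforcement and telemetry still apply to inbound traffic on an annotated `Pod`, so operators know what to audit for when they find it set.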
@ -578,6 +578,7 @@ annotations:
featureStatus: Alpha
description: |
A comma separated list of virtual interfaces whose inbound traffic will be unconditionally treated as outbound. This allows workloads using virtualized networking (kubeVirt, VMs, docker-in-docker, etc) to function correctly with mesh traffic capture.
Note: When using docker-in-docker container, the default bridge interface name is typically `docker0`. However, custom networks (often used with docker compose) are assigned a randomized interface name. To have a predictable name, you can configure the Docker option `com.docker.network.bridge.name` with a fixed value and use that name in the annotation.
deprecated: false
hidden: false
resources:
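Review bot: In the added `Note:` line, "When using docker-in-docker container" is missing an article ("a docker-in-docker container"), and the advice ends at "use that name in the annotation" without saying what happens when a listed interface does not exist. Because traffic on the listed interfaces is "unconditionally treated as outbound", the description should say whether an unknown or misspelled interface name is ignored or rejected.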


@ -1 +1 @@
a1d5c4198ab79a14c09c034f2d95245efa3e2bcb
d235bc9f4a20f3c78c5aacbfa3f24d08a884a82e


@ -184,6 +184,10 @@ linters:
- linters:
- staticcheck
text: 'S1007'
# TODO: remove once we have updated package names
- linters:
- revive
text: "var-naming: avoid meaningless package names"
paths:
- .*\.pb\.go
- .*\.gen\.go
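Review bot: The new `revive` exclusion for "var-naming: avoid meaningless package names" is introduced with a bare `# TODO: remove once we have updated package names` and no issue reference, so nothing tracks its removal. Link a tracking issue in the comment, and since the rule as written carries no path restriction of its own, consider scoping it to the packages that actually trip the check rather than suppressing the message everywhere.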


@ -32,7 +32,7 @@ set -x
####################################################################
# DEFAULT_KIND_IMAGE is used to set the Kubernetes version for KinD unless overridden in params to setup_kind_cluster(s)
DEFAULT_KIND_IMAGE="gcr.io/istio-testing/kind-node:v1.32.0"
DEFAULT_KIND_IMAGE="gcr.io/istio-testing/kind-node:v1.33.1"
# the default kind cluster should be ipv4 if not otherwise specified
KIND_IP_FAMILY="${KIND_IP_FAMILY:-ipv4}"


@ -75,7 +75,7 @@ fi
TOOLS_REGISTRY_PROVIDER=${TOOLS_REGISTRY_PROVIDER:-gcr.io}
PROJECT_ID=${PROJECT_ID:-istio-testing}
if [[ "${IMAGE_VERSION:-}" == "" ]]; then
IMAGE_VERSION=master-fcd42145fc132acd1e8f607e9e7aca15058e9fb9
IMAGE_VERSION=master-672e6089ff843019a2b28cf9e87754c7b74358ea
fi
if [[ "${IMAGE_NAME:-}" == "" ]]; then
IMAGE_NAME=build-tools
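Review bot: The default `IMAGE_VERSION=master-672e6089ff843019a2b28cf9e87754c7b74358ea` is a tag, not a digest, so the build runs whatever the registry currently serves under that name. Consider pinning the image by digest in addition to the tag. The same tag string is also hard-coded in the devcontainer `"image"` entry changed in this comparison, which runs with `"privileged": true`, so the two values have to be bumped together and would benefit from the same pinning.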


@ -14,10 +14,10 @@
syntax = "proto3";
import "google/protobuf/duration.proto";
package istio.envoy.config.filter.http.jwt_auth.v2alpha1;
import "google/protobuf/duration.proto";
option go_package = "istio.io/api/envoy/config/filter/http/jwt_auth/v2alpha1";
// Copied from @envoy/api/envoy/api/v2/core/http_uri.proto


@ -17,10 +17,10 @@ syntax = "proto3";
package envoy.tcp.metadataexchange.config;
option java_outer_classname = "MetadataExchangeProto";
option java_multiple_files = true;
option java_package = "io.envoyproxy.envoy.tcp.metadataexchange.config";
option go_package = "istio.io/api/envoy/config/filter/network/metadata_exchange";
option java_multiple_files = true;
option java_outer_classname = "MetadataExchangeProto";
option java_package = "io.envoyproxy.envoy.tcp.metadataexchange.config";
// [#protodoc-title: MetadataExchange protocol match and data transfer]
// MetadataExchange protocol match and data transfer


@ -24,11 +24,11 @@ syntax = "proto3";
package stackdriver.config.v1alpha1;
option go_package = "istio.io/api/envoy/extensions/stackdriver/config/v1alpha1";
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
option go_package = "istio.io/api/envoy/extensions/stackdriver/config/v1alpha1";
// Custom instance configuration overrides.
// Provides a way to customize logs.
message CustomConfig {
@ -55,11 +55,11 @@ message PluginConfig {
// logs. A request is classified as error when `status>=400 or
// response_flag != "-"`
ERRORS_ONLY = 2;
};
}
// Optional. Controls whether to export server access log.
// This is deprecated in favor of AccessLogging enum.
bool disable_server_access_logging = 1 [ deprecated = true ];
bool disable_server_access_logging = 1 [deprecated = true];
// Optional. Allows configuration of the size of the LogWrite request. The
// size is in bytes, so that it allows for better performance. Default is 4MB.
@ -84,7 +84,7 @@ message PluginConfig {
// service. This is disabled by default.
// Deprecated -- Mesh edge reporting is no longer supported and this setting
// is no-op.
bool enable_mesh_edges_reporting = 3 [ deprecated = true ];
bool enable_mesh_edges_reporting = 3 [deprecated = true];
// Optional. Allows configuration of the time between calls out to the mesh
// edges service to report *NEW* edges. The minimum configurable duration is
@ -95,8 +95,7 @@ message PluginConfig {
// reporting every `10m`.
// Deprecated -- Mesh edge reporting is no longer supported and this setting
// is no-op.
google.protobuf.Duration mesh_edges_reporting_duration = 4
[ deprecated = true ];
google.protobuf.Duration mesh_edges_reporting_duration = 4 [deprecated = true];
// maximum size of the peer metadata cache.
// A long lived proxy that connects with many transient peers can build up a
@ -117,7 +116,7 @@ message PluginConfig {
// metrics are enabled).
// Deprecated -- use `metrics_overrides` instead.
// if `metrics_overrides` is used, this value will be ignored.
bool disable_http_size_metrics = 8 [ deprecated = true ];
bool disable_http_size_metrics = 8 [deprecated = true];
// Optional. Allows enabling log compression for stackdriver access logs.
google.protobuf.BoolValue enable_log_compression = 9;
@ -128,18 +127,18 @@ message PluginConfig {
// CEL expression for filtering access logging. If the expression evaluates
// to true, an access log entry will be generated. Otherwise, no access log
// entry will be generated. If there are any type errors, the CEL expression
// is evaluated as false. More details on type checking can be found
// is evaluated as false. More details on type checking can be found
// at https://kubernetes.io/docs/reference/using-api/cel/#type-checking.
// A common error is referring to a non-existent field in the log entry.
// It's crucial to note that in Envoy, the fields that appear in access log
// entries can vary. This variation is influenced by several factors,
// including the protocol in use (such as HTTP or TCP), the applied filters,
// and the specific configuration of the Envoy instance. Therefore, when
// and the specific configuration of the Envoy instance. Therefore, when
// using CEL expressions for filtering access logs, it's essential to ensure
// that the expressions accurately refer to existing fields in the log entry.
// The has() macro in CEL may be used in CEL expressions to check if a field
// is accessible before attempting to access the field's value.
// You can also quickly test CEL expressions at the CEL Playground
// The has() macro in CEL may be used in CEL expressions to check if a field
// is accessible before attempting to access the field's value.
// You can also quickly test CEL expressions at the CEL Playground
// at https://playcel.undistro.io/.
// NOTE: Audit logs ignore configured filters.
string access_logging_filter_expression = 17;


@ -22,10 +22,10 @@ syntax = "proto3";
package stats;
option go_package = "istio.io/api/envoy/extensions/stats";
import "google/protobuf/duration.proto";
option go_package = "istio.io/api/envoy/extensions/stats";
// Metric instance configuration overrides.
// The metric value and the metric type are optional and permit changing the
// reported value for an existing metric.
@ -95,14 +95,14 @@ message PluginConfig {
// prefix to add to stats emitted by the plugin.
// DEPRECATED.
string stat_prefix = 3; // default: "istio_"
string stat_prefix = 3; // default: "istio_"
// Stats api squashes dimensions in a single string.
// The squashed string is parsed at prometheus scrape time to recover
// dimensions. The following 2 fields set the field and value separators {key:
// value} --> key{value_separator}value{field_separator}
string field_separator = 4; // default: ";;"
string value_separator = 5; // default: "=="
string field_separator = 4; // default: ";;"
string value_separator = 5; // default: "=="
// Optional: Disable using host header as a fallback if destination service is
// not available from the controlplane. Disable the fallback if the host


@ -472,6 +472,10 @@ const (
// binary, an exception, or abort() on the VM. This flag is not recommended
// for the authentication or the authorization plugins.
FailStrategy_FAIL_OPEN FailStrategy = 1
// New plugin instance will be created for the new request if the Wasm plugin
// has failed. This only applies for “proxy_wasm::FailState::RuntimeError“.
// For all other error types this will fallback to “FAIL_CLOSED“.
FailStrategy_FAIL_RELOAD FailStrategy = 2
)
// Enum value maps for FailStrategy.
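Review bot: The comment on `FailStrategy_FAIL_RELOAD` says a new plugin instance is created "for the new request" but does not say what happens to the request that was in flight when the plugin failed, and unlike `FAIL_OPEN` just above it carries no guidance for authentication or authorization plugins. Since this file is generated, the source `.proto` comment should state whether the failing request is rejected or allowed through, and whether the option is suitable for plugins that make access decisions.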
@ -479,10 +483,12 @@ var (
FailStrategy_name = map[int32]string{
0: "FAIL_CLOSE",
1: "FAIL_OPEN",
2: "FAIL_RELOAD",
}
FailStrategy_value = map[string]int32{
"FAIL_CLOSE": 0,
"FAIL_OPEN": 1,
"FAIL_CLOSE": 0,
"FAIL_OPEN": 1,
"FAIL_RELOAD": 2,
}
)
@ -994,7 +1000,7 @@ var File_extensions_v1alpha1_wasm_proto protoreflect.FileDescriptor
const file_extensions_v1alpha1_wasm_proto_rawDesc = "" +
"\n" +
"\x1eextensions/v1alpha1/wasm.proto\x12\x19istio.extensions.v1alpha1\x1a\x1egoogle/protobuf/wrappers.proto\x1a\x1cgoogle/protobuf/struct.proto\x1a\x1btype/v1beta1/selector.proto\x1a\x1fgoogle/api/field_behavior.proto\"\xab\b\n" +
"\x1eextensions/v1alpha1/wasm.proto\x12\x19istio.extensions.v1alpha1\x1a\x1fgoogle/api/field_behavior.proto\x1a\x1cgoogle/protobuf/struct.proto\x1a\x1egoogle/protobuf/wrappers.proto\x1a\x1btype/v1beta1/selector.proto\"\xab\b\n" +
"\n" +
"WasmPlugin\x12@\n" +
"\bselector\x18\x01 \x01(\v2$.istio.type.v1beta1.WorkloadSelectorR\bselector\x12G\n" +
@ -1046,11 +1052,12 @@ const file_extensions_v1alpha1_wasm_proto_rawDesc = "" +
"\x0eEnvValueSource\x12\n" +
"\n" +
"\x06INLINE\x10\x00\x12\b\n" +
"\x04HOST\x10\x01*-\n" +
"\x04HOST\x10\x01*>\n" +
"\fFailStrategy\x12\x0e\n" +
"\n" +
"FAIL_CLOSE\x10\x00\x12\r\n" +
"\tFAIL_OPEN\x10\x01B\"Z istio.io/api/extensions/v1alpha1b\x06proto3"
"\tFAIL_OPEN\x10\x01\x12\x0f\n" +
"\vFAIL_RELOAD\x10\x02B\"Z istio.io/api/extensions/v1alpha1b\x06proto3"
var (
file_extensions_v1alpha1_wasm_proto_rawDescOnce sync.Once


@ -663,6 +663,15 @@ the plugin execution. A fatal error can be a failure to fetch the remote
binary, an exception, or abort() on the VM. This flag is not recommended
for the authentication or the authorization plugins.</p>
</td>
</tr>
<tr id="FailStrategy-FAIL_RELOAD">
<td><code><a href="#FailStrategy-FAIL_RELOAD">FAIL_RELOAD</a></code></td>
<td>
<p>New plugin instance will be created for the new request if the Wasm plugin
has failed. This only applies for <code>proxy_wasm::FailState::RuntimeError</code>.
For all other error types this will fallback to <code>FAIL_CLOSED</code>.</p>
</td>
</tr>
</tbody>


@ -14,11 +14,6 @@
syntax = "proto3";
import "google/protobuf/wrappers.proto";
import "google/protobuf/struct.proto";
import "type/v1beta1/selector.proto";
import "google/api/field_behavior.proto";
// $schema: istio.extensions.v1alpha1.WasmPlugin
// $title: Wasm Plugin
// $description: Extend the functionality provided by the Istio proxy through WebAssembly filters.
@ -207,7 +202,12 @@ import "google/api/field_behavior.proto";
//
package istio.extensions.v1alpha1;
option go_package="istio.io/api/extensions/v1alpha1";
import "google/api/field_behavior.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto";
import "type/v1beta1/selector.proto";
option go_package = "istio.io/api/extensions/v1alpha1";
// WasmPlugin provides a mechanism to extend the functionality provided by
// the Istio proxy through WebAssembly filters.
@ -389,7 +389,6 @@ message WasmPlugin {
PluginType type = 14;
}
// PluginType indicates the type of Wasm extension to be used.
// There are two types of extensions: `HTTP` and `NETWORK`.
//
@ -410,7 +409,7 @@ enum PluginType {
// Use HTTP Wasm Extension.
HTTP = 1;
// Use Network Wasm Extension.
NETWORK = 2;
}
@ -500,4 +499,9 @@ enum FailStrategy {
// binary, an exception, or abort() on the VM. This flag is not recommended
// for the authentication or the authorization plugins.
FAIL_OPEN = 1;
// New plugin instance will be created for the new request if the Wasm plugin
// has failed. This only applies for ``proxy_wasm::FailState::RuntimeError``.
// For all other error types this will fallback to ``FAIL_CLOSED``.
FAIL_RELOAD = 2;
}
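Review bot: The new comment on `FAIL_RELOAD` says other error types "fallback to ``FAIL_CLOSED``", but the enum value in this file is `FAIL_CLOSE` (the generated name map lists "FAIL_CLOSE", "FAIL_OPEN", "FAIL_RELOAD"), so the documented name does not match anything a user can set. Change it to `FAIL_CLOSE`. The comment also uses double backticks where the rest of the file uses single backticks (for example "`HTTP` and `NETWORK`"), and "fallback" should be the verb "fall back".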

3
gen.sh

@ -36,3 +36,6 @@ buf generate --template buf.gen-noncrd.yaml \
# These plugins are sent to Envoy, which uses golang/protobuf, so do not use gogo
buf generate --template buf.gen-golang.yaml \
--path envoy
# Format Protobuf files
buf format -w
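Review bot: `buf format -w` is invoked with no path argument, so it rewrites every Protobuf file it finds in place, including files that this repository marks as copied from upstream (one file in this comparison carries the comment "Copied from @envoy/api/envoy/api/v2/core/http_uri.proto"). Reformatting copied files makes later syncs with upstream noisier to review. Consider restricting the format step to the project's own directories, and having CI fail when running the generation script leaves a diff so unformatted files are caught at review time.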

12
go.mod

@ -6,14 +6,14 @@ toolchain go1.23.7
require (
github.com/golang/protobuf v1.5.4
google.golang.org/genproto/googleapis/api v0.0.0-20250324211829-b45e905df463
google.golang.org/grpc v1.71.0
google.golang.org/genproto/googleapis/api v0.0.0-20250715232539-7130f93afb79
google.golang.org/grpc v1.74.0
google.golang.org/protobuf v1.36.6
)
require (
golang.org/x/net v0.38.0 // indirect
golang.org/x/sys v0.31.0 // indirect
golang.org/x/text v0.23.0 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463 // indirect
golang.org/x/net v0.42.0 // indirect
golang.org/x/sys v0.34.0 // indirect
golang.org/x/text v0.27.0 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20250715232539-7130f93afb79 // indirect
)

52
go.sum

@ -1,36 +1,36 @@
github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
go.opentelemetry.io/otel v1.34.0 h1:zRLXxLCgL1WyKsPVrgbSdMN4c0FMkDAskSTQP+0hdUY=
go.opentelemetry.io/otel v1.34.0/go.mod h1:OWFPOQ+h4G8xpyjgqo4SxJYdDQ/qmRH+wivy7zzx9oI=
go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ=
go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE=
go.opentelemetry.io/otel/sdk v1.34.0 h1:95zS4k/2GOy069d321O8jWgYsW3MzVV+KuSPKp7Wr1A=
go.opentelemetry.io/otel/sdk v1.34.0/go.mod h1:0e/pNiaMAqaykJGKbi+tSjWfNNHMTxoC9qANsCzbyxU=
go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k=
go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE=
golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8=
golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
google.golang.org/genproto/googleapis/api v0.0.0-20250324211829-b45e905df463 h1:hE3bRWtU6uceqlh4fhrSnUyjKHMKB9KrTLLG+bc0ddM=
google.golang.org/genproto/googleapis/api v0.0.0-20250324211829-b45e905df463/go.mod h1:U90ffi8eUL9MwPcrJylN5+Mk2v3vuPDptd5yyNUiRR8=
google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463 h1:e0AIkUUhxyBKh6ssZNrAMeqhA7RKUj42346d1y02i2g=
google.golang.org/genproto/googleapis/rpc v0.0.0-20250324211829-b45e905df463/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
google.golang.org/grpc v1.71.0 h1:kF77BGdPTQ4/JZWMlb9VpJ5pa25aqvVqogsxNHHdeBg=
google.golang.org/grpc v1.71.0/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFwHX4dThiPis=
go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4=
golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU=
google.golang.org/genproto/googleapis/api v0.0.0-20250715232539-7130f93afb79 h1:iOye66xuaAK0WnkPuhQPUFy8eJcmwUXqGGP3om6IxX8=
google.golang.org/genproto/googleapis/api v0.0.0-20250715232539-7130f93afb79/go.mod h1:HKJDgKsFUnv5VAGeQjz8kxcgDP0HoE0iZNp0OdZNlhE=
google.golang.org/genproto/googleapis/rpc v0.0.0-20250715232539-7130f93afb79 h1:1ZwqphdOdWYXsUHgMpU/101nCtf/kSp9hOrcvFsnl10=
google.golang.org/genproto/googleapis/rpc v0.0.0-20250715232539-7130f93afb79/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
google.golang.org/grpc v1.74.0 h1:sxRSkyLxlceWQiqDofxDot3d4u7DyoHPc7SBXMj8gGY=
google.golang.org/grpc v1.74.0/go.mod h1:NZUaK8dAMUfzhK6uxZ+9511LtOrk73UGWOFoNvz7z+s=
google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=


@ -43,10 +43,11 @@ spec:
description: |-
Specifies the failure behavior for the plugin due to fatal errors.
Valid Options: FAIL_CLOSE, FAIL_OPEN
Valid Options: FAIL_CLOSE, FAIL_OPEN, FAIL_RELOAD
enum:
- FAIL_CLOSE
- FAIL_OPEN
- FAIL_RELOAD
type: string
imagePullPolicy:
description: |-
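Review bot: The `failStrategy` description adds `FAIL_RELOAD` to the "Valid Options" line and to the enum without saying what it does. `FAIL_CLOSE` and `FAIL_OPEN` are self-describing, but for `FAIL_RELOAD` the text should state whether requests are rejected or passed through while the plugin is being reloaded, and what happens if the reload itself fails. Operators picking a value here are making a fail-open versus fail-closed decision.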
@ -389,11 +390,11 @@ spec:
jsonPath: .spec.host
name: Host
type: string
- description: 'CreationTimestamp is a timestamp representing the server time
when this object was created. It is not guaranteed to be set in happens-before
- description: CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before
order across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
lists. For more information, see [Kubernetes API Conventions](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
jsonPath: .metadata.creationTimestamp
name: Age
type: date
@ -1238,6 +1239,26 @@ spec:
- V2
type: string
type: object
retryBudget:
description: Specifies a limit on concurrent retries in
relation to the number of active requests.
properties:
minRetryConcurrency:
description: Specifies the minimum retry concurrency
allowed for the retry budget.
maximum: 4294967295
minimum: 0
type: integer
percent:
description: Specifies the limit on concurrent retries
as a percentage of the sum of active requests and
active pending requests.
format: double
maximum: 100
minimum: 0
nullable: true
type: number
type: object
tls:
description: TLS related settings for connections to the
upstream service.
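Review bot: Both `minRetryConcurrency` and `percent` in the new `retryBudget` block accept 0, and `percent` is `nullable`, but neither description gives a default or says what the budget is when a field is left unset. Document the defaults and the effect of `percent: 0` together with `minRetryConcurrency: 0`, so that an operator can tell whether that disables retries or removes the limit. The same text is repeated in the other `retryBudget` hunks of this file.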
@ -2104,6 +2125,26 @@ spec:
- V2
type: string
type: object
retryBudget:
description: Specifies a limit on concurrent retries in relation
to the number of active requests.
properties:
minRetryConcurrency:
description: Specifies the minimum retry concurrency allowed
for the retry budget.
maximum: 4294967295
minimum: 0
type: integer
percent:
description: Specifies the limit on concurrent retries as
a percentage of the sum of active requests and active pending
requests.
format: double
maximum: 100
minimum: 0
nullable: true
type: number
type: object
tls:
description: TLS related settings for connections to the upstream
service.
@ -2280,7 +2321,7 @@ spec:
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: false
storage: true
subresources:
status: {}
- additionalPrinterColumns:
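Review bot: The `storage: false` to `storage: true` flip on this version, paired with the opposite flip on the last version of the same CRD further down, moves the storage version, and nothing in the hunk explains why. Objects already persisted under the previous storage version stay that way until they are rewritten, so the change needs a release note and a stated migration step. If this is only a reordering artifact of the generator, that should be confirmed before merging.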
@ -2288,11 +2329,11 @@ spec:
jsonPath: .spec.host
name: Host
type: string
- description: 'CreationTimestamp is a timestamp representing the server time
when this object was created. It is not guaranteed to be set in happens-before
- description: CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before
order across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
lists. For more information, see [Kubernetes API Conventions](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
jsonPath: .metadata.creationTimestamp
name: Age
type: date
@ -3137,6 +3178,26 @@ spec:
- V2
type: string
type: object
retryBudget:
description: Specifies a limit on concurrent retries in
relation to the number of active requests.
properties:
minRetryConcurrency:
description: Specifies the minimum retry concurrency
allowed for the retry budget.
maximum: 4294967295
minimum: 0
type: integer
percent:
description: Specifies the limit on concurrent retries
as a percentage of the sum of active requests and
active pending requests.
format: double
maximum: 100
minimum: 0
nullable: true
type: number
type: object
tls:
description: TLS related settings for connections to the
upstream service.
@ -4003,6 +4064,26 @@ spec:
- V2
type: string
type: object
retryBudget:
description: Specifies a limit on concurrent retries in relation
to the number of active requests.
properties:
minRetryConcurrency:
description: Specifies the minimum retry concurrency allowed
for the retry budget.
maximum: 4294967295
minimum: 0
type: integer
percent:
description: Specifies the limit on concurrent retries as
a percentage of the sum of active requests and active pending
requests.
format: double
maximum: 100
minimum: 0
nullable: true
type: number
type: object
tls:
description: TLS related settings for connections to the upstream
service.
@ -4187,11 +4268,11 @@ spec:
jsonPath: .spec.host
name: Host
type: string
- description: 'CreationTimestamp is a timestamp representing the server time
when this object was created. It is not guaranteed to be set in happens-before
- description: CreationTimestamp is a timestamp representing the server time when
this object was created. It is not guaranteed to be set in happens-before
order across separate operations. Clients may not set this value. It is represented
in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
lists. For more information, see [Kubernetes API Conventions](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)
jsonPath: .metadata.creationTimestamp
name: Age
type: date
@ -5036,6 +5117,26 @@ spec:
- V2
type: string
type: object
retryBudget:
description: Specifies a limit on concurrent retries in
relation to the number of active requests.
properties:
minRetryConcurrency:
description: Specifies the minimum retry concurrency
allowed for the retry budget.
maximum: 4294967295
minimum: 0
type: integer
percent:
description: Specifies the limit on concurrent retries
as a percentage of the sum of active requests and
active pending requests.
format: double
maximum: 100
minimum: 0
nullable: true
type: number
type: object
tls:
description: TLS related settings for connections to the
upstream service.
@ -5902,6 +6003,26 @@ spec:
- V2
type: string
type: object
retryBudget:
description: Specifies a limit on concurrent retries in relation
to the number of active requests.
properties:
minRetryConcurrency:
description: Specifies the minimum retry concurrency allowed
for the retry budget.
maximum: 4294967295
minimum: 0
type: integer
percent:
description: Specifies the limit on concurrent retries as
a percentage of the sum of active requests and active pending
requests.
format: double
maximum: 100
minimum: 0
nullable: true
type: number
type: object
tls:
description: TLS related settings for connections to the upstream
service.
@ -6078,7 +6199,7 @@ spec:
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true
storage: false
subresources:
status: {}
---
@ -6575,6 +6696,10 @@ spec:
description: Set of TLS related options that govern the server's
behavior.
properties:
caCertCredentialName:
description: For mutual TLS, the name of the secret or the
configmap that holds CA certificates.
type: string
caCertificates:
description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
type: string
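Review bot: `caCertCredentialName` is added as a bare `type: string` with no validation and no statement of how it combines with the `caCertificates` field right below it or with the credential-name fields. Since the referenced object becomes the trust anchor for client certificates, the description should say which source wins when more than one is set, which namespace the secret or configmap is read from, and what happens when the named object is missing. A validation rule that rejects ambiguous combinations would be better than prose alone.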
@ -6656,13 +6781,12 @@ spec:
type: string
type: array
tlsCertificates:
description: Only one of `server_certificate`, `private_key`,
`ca_certificates` or `credential_name` or `credential_names`
or `tls_certificates` should be specified.
description: Only one of `server_certificate`, `private_key`
or `credential_name` or `credential_names` or `tls_certificates`
should be specified.
items:
properties:
caCertificates:
description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
type: string
privateKey:
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
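Review bot: The reworded `tlsCertificates` description still reads as if `server_certificate` and `private_key` were alternatives to each other, and with `ca_certificates` dropped from the list it no longer says whether `caCertificates` can be set together with `tlsCertificates`. Spell out the mutually exclusive groups (inline certificate and key, `credential_name`, `credential_names`, `tls_certificates`) and state where the CA bundle is expected to come from in each case.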
@ -6783,7 +6907,7 @@ spec:
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: false
storage: true
subresources:
status: {}
- name: v1alpha3
@ -6847,6 +6971,10 @@ spec:
description: Set of TLS related options that govern the server's
behavior.
properties:
caCertCredentialName:
description: For mutual TLS, the name of the secret or the
configmap that holds CA certificates.
type: string
caCertificates:
description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
type: string
@ -6928,13 +7056,12 @@ spec:
type: string
type: array
tlsCertificates:
description: Only one of `server_certificate`, `private_key`,
`ca_certificates` or `credential_name` or `credential_names`
or `tls_certificates` should be specified.
description: Only one of `server_certificate`, `private_key`
or `credential_name` or `credential_names` or `tls_certificates`
should be specified.
items:
properties:
caCertificates:
description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
type: string
privateKey:
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
@ -7119,6 +7246,10 @@ spec:
description: Set of TLS related options that govern the server's
behavior.
properties:
caCertCredentialName:
description: For mutual TLS, the name of the secret or the
configmap that holds CA certificates.
type: string
caCertificates:
description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
type: string
@ -7200,13 +7331,12 @@ spec:
type: string
type: array
tlsCertificates:
description: Only one of `server_certificate`, `private_key`,
`ca_certificates` or `credential_name` or `credential_names`
or `tls_certificates` should be specified.
description: Only one of `server_certificate`, `private_key`
or `credential_name` or `credential_names` or `tls_certificates`
should be specified.
items:
properties:
caCertificates:
description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
type: string
privateKey:
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
@ -7327,7 +7457,7 @@ spec:
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true
storage: false
subresources:
status: {}
---
@ -7803,7 +7933,7 @@ spec:
- spec
type: object
served: true
storage: false
storage: true
subresources:
status: {}
- additionalPrinterColumns:
@ -8399,7 +8529,7 @@ spec:
- spec
type: object
served: true
storage: true
storage: false
subresources:
status: {}
---
@ -8741,6 +8871,10 @@ spec:
termination on the sidecar for requests originating from outside
the mesh.
properties:
caCertCredentialName:
description: For mutual TLS, the name of the secret or the
configmap that holds CA certificates.
type: string
caCertificates:
description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
type: string
@ -8822,13 +8956,12 @@ spec:
type: string
type: array
tlsCertificates:
description: Only one of `server_certificate`, `private_key`,
`ca_certificates` or `credential_name` or `credential_names`
or `tls_certificates` should be specified.
description: Only one of `server_certificate`, `private_key`
or `credential_name` or `credential_names` or `tls_certificates`
should be specified.
items:
properties:
caCertificates:
description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
type: string
privateKey:
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
@ -8998,7 +9131,7 @@ spec:
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: false
storage: true
subresources:
status: {}
- name: v1alpha3
@ -9316,6 +9449,10 @@ spec:
termination on the sidecar for requests originating from outside
the mesh.
properties:
caCertCredentialName:
description: For mutual TLS, the name of the secret or the
configmap that holds CA certificates.
type: string
caCertificates:
description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
type: string
@ -9397,13 +9534,12 @@ spec:
type: string
type: array
tlsCertificates:
description: Only one of `server_certificate`, `private_key`,
`ca_certificates` or `credential_name` or `credential_names`
or `tls_certificates` should be specified.
description: Only one of `server_certificate`, `private_key`
or `credential_name` or `credential_names` or `tls_certificates`
should be specified.
items:
properties:
caCertificates:
description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
type: string
privateKey:
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
@ -9891,6 +10027,10 @@ spec:
termination on the sidecar for requests originating from outside
the mesh.
properties:
caCertCredentialName:
description: For mutual TLS, the name of the secret or the
configmap that holds CA certificates.
type: string
caCertificates:
description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
type: string
@ -9972,13 +10112,12 @@ spec:
type: string
type: array
tlsCertificates:
description: Only one of `server_certificate`, `private_key`,
`ca_certificates` or `credential_name` or `credential_names`
or `tls_certificates` should be specified.
description: Only one of `server_certificate`, `private_key`
or `credential_name` or `credential_names` or `tls_certificates`
should be specified.
items:
properties:
caCertificates:
description: REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`.
type: string
privateKey:
description: REQUIRED if mode is `SIMPLE` or `MUTUAL`.
@ -10148,7 +10287,7 @@ spec:
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true
storage: false
subresources:
status: {}
---
@ -11226,7 +11365,7 @@ spec:
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: false
storage: true
subresources:
status: {}
- additionalPrinterColumns:
@ -13330,7 +13469,7 @@ spec:
x-kubernetes-preserve-unknown-fields: true
type: object
served: true
storage: true
storage: false
subresources:
status: {}
---
@ -13516,7 +13655,7 @@ spec:
- spec
type: object
served: true
storage: false
storage: true
subresources:
status: {}
- additionalPrinterColumns:
@ -13836,7 +13975,7 @@ spec:
- spec
type: object
served: true
storage: true
storage: false
subresources:
status: {}
---
@ -14168,7 +14307,7 @@ spec:
- spec
type: object
served: true
storage: false
storage: true
subresources:
status: {}
- additionalPrinterColumns:
@ -14784,7 +14923,7 @@ spec:
- spec
type: object
served: true
storage: true
storage: false
subresources:
status: {}
---
@ -16043,8 +16182,6 @@ spec:
x-kubernetes-validations:
- message: must be a valid duration greater than 1ms
rule: duration(self) >= duration('1ms')
required:
- issuer
type: object
x-kubernetes-validations:
- message: only one of jwks or jwksUri can be set
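Review bot: Dropping `issuer` from `required` in this JWT rule schema relaxes admission without any accompanying description of what a rule with no issuer means. Please document whether the `iss` claim is checked when the field is omitted, and consider a validation rule that ties the omission to an explicit alternative, so that a rule cannot end up accepting tokens from any issuer by accident. The same removal is repeated in the next hunk.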
@ -16326,8 +16463,6 @@ spec:
x-kubernetes-validations:
- message: must be a valid duration greater than 1ms
rule: duration(self) >= duration('1ms')
required:
- issuer
type: object
x-kubernetes-validations:
- message: only one of jwks or jwksUri can be set


@ -20,7 +20,7 @@ package istio.mcp.v1alpha1;
import "google/protobuf/timestamp.proto";
option go_package="istio.io/api/mcp/v1alpha1";
option go_package = "istio.io/api/mcp/v1alpha1";
// Metadata information that all resources within the Mesh Configuration Protocol must have.
message Metadata {
@ -67,9 +67,9 @@ message Metadata {
// Map of string keys and values that can be used to organize and categorize
// resources within a collection.
map<string,string> labels = 4;
map<string, string> labels = 4;
// Map of string keys and values that can be used by source and sink to communicate
// arbitrary metadata about this resource.
map<string,string> annotations = 5;
map<string, string> annotations = 5;
}


@ -22,14 +22,14 @@ package istio.mcp.v1alpha1;
import "google/protobuf/any.proto";
import "mcp/v1alpha1/metadata.proto";
option go_package="istio.io/api/mcp/v1alpha1";
option go_package = "istio.io/api/mcp/v1alpha1";
// Resource as transferred via the Mesh Configuration Protocol. Each
// resource is made up of common metadata, and a type-specific resource payload.
message Resource {
// Common metadata describing the resource.
istio.mcp.v1alpha1.Metadata metadata = 1;
// Common metadata describing the resource.
istio.mcp.v1alpha1.Metadata metadata = 1;
// The primary payload for the resource.
google.protobuf.Any body = 2;
// The primary payload for the resource.
google.protobuf.Any body = 2;
}

File diff suppressed because it is too large

mesh/v1alpha1/config.proto Normal file → Executable file

@ -14,13 +14,6 @@
syntax = "proto3";
import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto";
import "mesh/v1alpha1/proxy.proto";
import "networking/v1alpha3/destination_rule.proto";
import "networking/v1alpha3/virtual_service.proto";
// $title: Global Mesh Options
// $description: Configuration affecting the service mesh as a whole.
// $location: https://istio.io/docs/reference/config/istio.mesh.v1alpha1.html
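Review bot: The file header for `mesh/v1alpha1/config.proto` shows the mode changing from "Normal file" to "Executable file", which is unrelated to the import reordering in this hunk. A `.proto` source has no reason to carry the executable bit, so this looks like an accidental mode change. Please restore the original mode.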
@ -30,7 +23,14 @@ import "networking/v1alpha3/virtual_service.proto";
// Configuration affecting the service mesh as a whole.
package istio.mesh.v1alpha1;
option go_package="istio.io/api/mesh/v1alpha1";
import "google/protobuf/duration.proto";
import "google/protobuf/struct.proto";
import "google/protobuf/wrappers.proto";
import "mesh/v1alpha1/proxy.proto";
import "networking/v1alpha3/destination_rule.proto";
import "networking/v1alpha3/virtual_service.proto";
option go_package = "istio.io/api/mesh/v1alpha1";
// MeshConfig defines mesh-wide settings for the Istio service mesh.
message MeshConfig {
@ -394,7 +394,7 @@ message MeshConfig {
// Configure the provision of certificates.
//
// Note: Deprecated, please refer to Cert-Manager or other cert provisioning solutions to sign DNS certificates.
repeated Certificate certificates = 47 [deprecated=true];
repeated Certificate certificates = 47 [deprecated = true];
reserved 49;
reserved "thrift_config";
@ -413,6 +413,14 @@ message MeshConfig {
// - "*.foo.svc.cluster.local"
// - "bar.baz.svc.cluster.local"
// ```
//
// When in ambient mode, if ServiceSettings are defined they will be considered in addition to the
// ServiceScopeConfigs. If a service is defined by ServiceSetting to be cluster local and matches a
// global service scope selector, the service will be considered cluster local. If a service is
// considered global by ServiceSettings and does not match a global service scope selector
// the serive will be considered local. Local scope takes precedence over global scope. Since
// ServiceScopeConfigs is local by default, all services are considered local unless it is considered
// global by ServiceSettings AND ServiceScopeConfigs.
message ServiceSettings {
// Settings for the selected services.
message Settings {
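Review bot: The added precedence paragraph on `ServiceSettings` has a typo in "the serive will be considered local" and is hard to follow. The two example cases and the closing sentence all state the same rule, that a service is global only when both `ServiceSettings` and `ServiceScopeConfigs` say so. Lead with that rule, fix "serive", and make the last sentence agree in number ("all services are considered local unless they are ...").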
@ -450,6 +458,54 @@ message MeshConfig {
// Settings to be applied to select services.
repeated ServiceSettings service_settings = 50;
// Configuration for ambient mode multicluster service scope. This setting allows mesh administrators
// to define the criteria by which the cluster's control plane determines which services in other
// clusters in the mesh are treated as global (accessible across multiple clusters) versus local
// (restricted to a single cluster). The configuration can be applied to services based on namespace
// and/or other matching criteria. This is particularly useful in multicluster service mesh deployments
// to control service visibility and access across clusters. This API is not intended to enforce
// security policies. Resources like DestinationRules should be used to enforce authorization policies.
// If a service matches a global service scope selector, the service's endpoints will be globally
// exposed. If a service is locally scoped, its endpoints will only be exposed to local cluster
// services.
//
// For example, the following configures the scope of all services with the "istio.io/global" label
// in matching namespaces to be available globally:
//
// ```yaml
// serviceScopeConfigs:
// - namespacesSelector:
// matchExpressions:
// - key: istio.io/global
// operator: In
// values: [true]
// servicesSelector:
// matchExpressions:
// - key: istio.io/global
// operator: Exists
// scope: GLOBAL
// ```
message ServiceScopeConfigs {
// The scope of the matching service. Used to determine if the service is available locally
// (cluster local) or globally (mesh-wide).
enum Scope {
LOCAL = 0;
GLOBAL = 1;
}
// Match expression for namespaces.
LabelSelector namespace_selector = 1;
// Match expression for serivces.
LabelSelector services_selector = 2;
// Specifics the available scope for matching services.
Scope scope = 3;
}
// Scope to be applied to select services.
repeated ServiceScopeConfigs service_scope_configs = 67;
// If enabled, Istio agent will merge metrics exposed by the application with metrics from Envoy
// and Istio agent. The sidecar injection will replace `prometheus.io` annotations present on the pod
// and redirect them towards Istio agent, which will then merge metrics of from the application with Istio metrics.
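Review bot: The YAML example in the `ServiceScopeConfigs` comment uses `namespacesSelector`, but the field is declared as `namespace_selector`, so the documented key will not match the message. The example also gives `values: [true]`, which YAML reads as a boolean rather than the string a label value has to be; quote it. In the same comment, "Resources like DestinationRules should be used to enforce authorization policies" names a resource that does not enforce authorization. Please also fix the typos "serivces" and "Specifics".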
@ -482,7 +538,7 @@ message MeshConfig {
// For wildcard host name in DestinationRule, client-side proxy will do a suffix match. For example,
// if host is `*.x.y.com`, client-side proxy will verify the presented server certificate SAN matches
// `.x.y.com` suffix.
google.protobuf.BoolValue verify_certificate_at_client = 54 [deprecated=true];
google.protobuf.BoolValue verify_certificate_at_client = 54 [deprecated = true];
message CA {
// REQUIRED. Address of the CA server implementing the Istio CA gRPC API.
@ -524,7 +580,7 @@ message MeshConfig {
// $hide_from_docs
// Configures a Lightstep tracing provider.
// Deprecated: For Istio 1.15+, please use an OpenTelemetryTracingProvider instead, more details can be found at https://github.com/istio/istio/issues/40027
LightstepTracingProvider lightstep = 5 [deprecated=true];
LightstepTracingProvider lightstep = 5 [deprecated = true];
// Configures a Datadog tracing provider.
DatadogTracingProvider datadog = 6;
// $hide_from_docs
@ -533,7 +589,7 @@ message MeshConfig {
// $hide_from_docs
// Configures an OpenCensusAgent tracing provider.
// Deprecated: OpenCensus is deprecated, more details can be found at https://opentelemetry.io/blog/2023/sunsetting-opencensus/
OpenCensusAgentTracingProvider opencensus = 8 [deprecated=true];
OpenCensusAgentTracingProvider opencensus = 8 [deprecated = true];
// Configures a Apache SkyWalking provider.
SkyWalkingTracingProvider skywalking = 9;
// Configures an OpenTelemetry tracing provider.
@ -548,9 +604,14 @@ message MeshConfig {
EnvoyTcpGrpcV3LogProvider envoy_tcp_als = 13;
// Configures an Envoy Open Telemetry Access Logging Service provider.
EnvoyOpenTelemetryLogProvider envoy_otel_als = 14;
// Configures an Extension Provider for SDS. This can be used to
// configure an external SDS service to supply secrets for certain Gateways for example.
// This is useful for scenarios where the secrets are stored in an external secret store like Vault.
// The secret should be configured with sds://provider-name format.
SDSProvider sds = 16;
// $hide_from_docs
// next id: 16
// next id: 17
}
message EnvoyExternalAuthorizationRequestBody {
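Review bot: The comment on `sds = 16` says the secret "should be configured with sds://provider-name format" without naming the field that takes this value or where the secret's own name goes in the URI. Name the field and give one full example value, and say what happens when the referenced provider is not defined.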
@ -611,7 +672,7 @@ message MeshConfig {
string status_on_error = 5;
// DEPRECATED. Use includeRequestHeadersInCheck instead.
repeated string include_headers_in_check = 6 [deprecated=true];
repeated string include_headers_in_check = 6 [deprecated = true];
// List of client request headers that should be included in the authorization request sent to the authorization service.
// Note that in addition to the headers specified here following headers are included by default:
@ -812,19 +873,19 @@ message MeshConfig {
message StackdriverProvider {
// debug enables trace output to stdout.
// $hide_from_docs
bool debug = 1 [deprecated=true];
bool debug = 1 [deprecated = true];
// The global default max number of attributes per span.
// default is 200.
// $hide_from_docs
google.protobuf.Int64Value max_number_of_attributes = 2 [deprecated=true];
google.protobuf.Int64Value max_number_of_attributes = 2 [deprecated = true];
// The global default max number of annotation events per span.
// default is 200.
// $hide_from_docs
google.protobuf.Int64Value max_number_of_annotations = 3 [deprecated=true];
google.protobuf.Int64Value max_number_of_annotations = 3 [deprecated = true];
// The global default max number of message events per span.
// default is 200.
// $hide_from_docs
google.protobuf.Int64Value max_number_of_message_events = 4 [deprecated=true];
google.protobuf.Int64Value max_number_of_message_events = 4 [deprecated = true];
// Optional. Controls the overall path length allowed in a reported span.
// NOTE: currently only controls max length of the path tag.
@ -1029,28 +1090,28 @@ message MeshConfig {
LogFormat log_format = 4;
message LogFormat {
// Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be
// used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings)
// provides more information.
// Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)
// Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"`
string text = 1;
// Textual format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators) may be
// used in the format. The [format string documentation](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-strings)
// provides more information.
// Alias to `body` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)
// Example: `text: "%LOCAL_REPLY_BODY%:%RESPONSE_CODE%:path=%REQ(:path)%"`
string text = 1;
// Optional. Additional attributes that describe the specific event occurrence.
// Structured format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)
// can be used as values for fields within the Struct. Values are rendered
// as strings, numbers, or boolean values, as appropriate
// (see: [format dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is
// supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).
// Alias to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)
//
// Example:
// ```
// labels:
// status: "%RESPONSE_CODE%"
// message: "%LOCAL_REPLY_BODY%"
// ```
google.protobuf.Struct labels = 2;
// Optional. Additional attributes that describe the specific event occurrence.
// Structured format for the envoy access logs. Envoy [command operators](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators)
// can be used as values for fields within the Struct. Values are rendered
// as strings, numbers, or boolean values, as appropriate
// (see: [format dictionaries](https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#config-access-log-format-dictionaries)). Nested JSON is
// supported for some command operators (e.g. FILTER_STATE or DYNAMIC_METADATA).
// Alias to `attributes` field in [Open Telemetry](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/access_loggers/open_telemetry/v3/logs_service.proto)
//
// Example:
// ```
// labels:
// status: "%RESPONSE_CODE%"
// message: "%LOCAL_REPLY_BODY%"
// ```
google.protobuf.Struct labels = 2;
}
}
@ -1178,7 +1239,6 @@ message MeshConfig {
// Optional. Configure a [Sampler](https://opentelemetry.io/docs/specs/otel/trace/sdk/#sampler)
// to be used by the OpenTelemetry Tracer.
oneof sampling {
// The Dynatrace adaptive traffic management (ATM) sampler.
//
// Example configuration:
@ -1246,6 +1306,23 @@ message MeshConfig {
}
}
// Defines configuration for an Gateway SDS provider.
message SDSProvider {
// REQUIRED. Specifies the name of the provider. This should be used to configure the Gateway SDS.
string name = 1;
// REQUIRED. Specifies the service that implements the SDS service.
// The format is `[<Namespace>/]<Hostname>`. The specification of `<Namespace>` is required only when it is insufficient
// to unambiguously resolve a service in the service registry. The `<Hostname>` is a fully qualified host name of a
// service defined by the Kubernetes service or ServiceEntry.
//
// Example: "gateway-sds.foo.svc.cluster.local" or "bar/gateway-sds.example.com".
string service = 2;
// REQUIRED. Specifies the port of the service.
uint32 port = 3;
}
// Defines configuration for an HTTP service that can be used by an Extension Provider.
// that does communication via HTTP.
message HttpService {
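Review bot: `SDSProvider` carries only `name`, `service` and `port`, so nothing in the message says how the connection to a service that hands out secrets is authenticated or encrypted. Either add TLS settings or document the transport security that is assumed. Also state the valid range for `port`, since `uint32` admits values above 65535, and fix "an Gateway SDS provider" in the leading comment.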
@ -1287,14 +1364,14 @@ message MeshConfig {
// and adds them to the OpenTelemetry resource.
//
// See: [Resource specification](https://opentelemetry.io/docs/specs/otel/resource/sdk/#specifying-resource-information-via-an-environment-variable)
message EnvironmentResourceDetector { }
message EnvironmentResourceDetector {}
// Dynatrace Resource Detector.
// The resource detector reads from the Dynatrace enrichment files
// and adds host/process related attributes to the OpenTelemetry resource.
//
// See: [Enrich ingested data with Dynatrace-specific dimensions](https://docs.dynatrace.com/docs/shortlink/enrichment-files)
message DynatraceResourceDetector { }
message DynatraceResourceDetector {}
}
// Defines configuration for an GRPC service that can be used by an Extension Provider.
@ -1503,13 +1580,12 @@ message MeshConfig {
}
// Resource describes the source of configuration
enum Resource {
// Set to only receive service entries that are generated by the platform.
// These auto generated service entries are combination of services and endpoints
// that are generated by a specific platform e.g. k8
SERVICE_REGISTRY = 0;
}
enum Resource {
// Set to only receive service entries that are generated by the platform.
// These auto generated service entries are combination of services and endpoints
// that are generated by a specific platform e.g. k8
SERVICE_REGISTRY = 0;
}
// A label selector requirement is a selector that contains values, a key, and an operator that
// relates the key and values.
@ -1551,21 +1627,19 @@ message LabelSelectorRequirement {
// mesh. A single control plane instance can interact with one or more data
// sources.
message ConfigSource {
// Address of the server implementing the Istio Mesh Configuration
// protocol (MCP). Can be IP address or a fully qualified DNS name.
// Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or
// fs:/// to specify a file-based backend with absolute path to the directory.
string address = 1;
// Use the tlsSettings to specify the tls mode to use. If the MCP server
// uses Istio mutual TLS and shares the root CA with istiod, specify the TLS
// mode as `ISTIO_MUTUAL`.
istio.networking.v1alpha3.ClientTLSSettings tls_settings = 2;
// Describes the source of configuration, if nothing is specified default is MCP
repeated Resource subscribed_resources = 3;
// Address of the server implementing the Istio Mesh Configuration
// protocol (MCP). Can be IP address or a fully qualified DNS name.
// Use xds:// to specify a grpc-based xds backend, k8s:// to specify a k8s controller or
// fs:/// to specify a file-based backend with absolute path to the directory.
string address = 1;
// Use the tlsSettings to specify the tls mode to use. If the MCP server
// uses Istio mutual TLS and shares the root CA with istiod, specify the TLS
// mode as `ISTIO_MUTUAL`.
istio.networking.v1alpha3.ClientTLSSettings tls_settings = 2;
// Describes the source of configuration, if nothing is specified default is MCP
repeated Resource subscribed_resources = 3;
}
// $hide_from_docs
// Certificate configures the provision of a certificate and its key.
// Example 1: key and cert stored in a secret
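Review bot: The `tls_settings` comment in `ConfigSource` only describes the MCP server case, while the `address` comment directly above it also allows `xds://`, `k8s://` and `fs:///` backends. Since these lines are being touched anyway, state whether `tls_settings` applies to an `xds://` source and what transport security is used when the field is left unset. The `subscribed_resources` comment also says the default is MCP, but the `Resource` enum shown above has only `SERVICE_REGISTRY = 0`, so the documented default does not correspond to any enum value a reader can see.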

View File

@ -72,6 +72,17 @@ func (this *MeshConfig_ServiceSettings_Settings) UnmarshalJSON(b []byte) error {
return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
}
// MarshalJSON is a custom marshaler for MeshConfig_ServiceScopeConfigs
func (this *MeshConfig_ServiceScopeConfigs) MarshalJSON() ([]byte, error) {
str, err := ConfigMarshaler.MarshalToString(this)
return []byte(str), err
}
// UnmarshalJSON is a custom unmarshaler for MeshConfig_ServiceScopeConfigs
func (this *MeshConfig_ServiceScopeConfigs) UnmarshalJSON(b []byte) error {
return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
}
// MarshalJSON is a custom marshaler for MeshConfig_CA
func (this *MeshConfig_CA) MarshalJSON() ([]byte, error) {
str, err := ConfigMarshaler.MarshalToString(this)
@ -314,6 +325,17 @@ func (this *MeshConfig_ExtensionProvider_OpenTelemetryTracingProvider_DynatraceS
return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
}
// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_SDSProvider
func (this *MeshConfig_ExtensionProvider_SDSProvider) MarshalJSON() ([]byte, error) {
str, err := ConfigMarshaler.MarshalToString(this)
return []byte(str), err
}
// UnmarshalJSON is a custom unmarshaler for MeshConfig_ExtensionProvider_SDSProvider
func (this *MeshConfig_ExtensionProvider_SDSProvider) UnmarshalJSON(b []byte) error {
return ConfigUnmarshaler.Unmarshal(bytes.NewReader(b), this)
}
// MarshalJSON is a custom marshaler for MeshConfig_ExtensionProvider_HttpService
func (this *MeshConfig_ExtensionProvider_HttpService) MarshalJSON() ([]byte, error) {
str, err := ConfigMarshaler.MarshalToString(this)

View File

@ -5,7 +5,7 @@ location: https://istio.io/docs/reference/config/istio.mesh.v1alpha1.html
layout: protoc-gen-docs
generator: protoc-gen-docs
weight: 20
number_of_entries: 78
number_of_entries: 83
---
<p>Configuration affecting the service mesh as a whole.</p>
@ -433,6 +433,15 @@ For example <code>outbound|8080|v2|reviews.prod.svc.cluster.local</code>. This c
<li><code>%SERVICE%</code> will use reviews.prod as the stats name.</li>
</ul>
</td>
</tr>
<tr id="MeshConfig-service_scope_configs">
<td><div class="field"><div class="name"><code><a href="#MeshConfig-service_scope_configs">serviceScopeConfigs</a></code></div>
<div class="type"><a href="#MeshConfig-ServiceScopeConfigs">ServiceScopeConfigs[]</a></div>
</div></td>
<td>
<p>Scope to be applied to select services.</p>
</td>
</tr>
<tr id="MeshConfig-enable_prometheus_merge">
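Review bot: The description of `serviceScopeConfigs`, "Scope to be applied to select services.", does not say what scope a service gets when no entry matches it, or which entry wins when more than one matches. Because the result decides whether endpoints are exposed to other clusters, the field description should state the default and the evaluation order explicitly.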
@ -732,6 +741,97 @@ If only trustDomains is set, this trustAnchor is used for these trustDomains and
If only certSigners is set, this trustAnchor is used for these certSigners and all trust domains.
If both certSigners and trustDomains is set, this trustAnchor is only used for these signers and trust domains.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h3 id="MeshConfig-ServiceScopeConfigs">ServiceScopeConfigs</h3>
<section>
<p>Configuration for ambient mode multicluster service scope. This setting allows mesh administrators
to define the criteria by which the cluster&rsquo;s control plane determines which services in other
clusters in the mesh are treated as global (accessible across multiple clusters) versus local
(restricted to a single cluster). The configuration can be applied to services based on namespace
and/or other matching criteria. This is particularly useful in multicluster service mesh deployments
to control service visibility and access across clusters. This API is not intended to enforce
security policies. Resources like DestinationRules should be used to enforce authorization policies.
If a service matches a global service scope selector, the service&rsquo;s endpoints will be globally
exposed. If a service is locally scoped, its endpoints will only be exposed to local cluster
services.</p>
<p>For example, the following configures the scope of all services with the &ldquo;istio.io/global&rdquo; label
in matching namespaces to be available globally:</p>
<pre><code class="language-yaml">serviceScopeConfigs:
- namespacesSelector:
matchExpressions:
- key: istio.io/global
operator: In
values: [true]
servicesSelector:
matchExpressions:
- key: istio.io/global
operator: Exists
scope: GLOBAL
</code></pre>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-ServiceScopeConfigs-namespace_selector">
<td><div class="field"><div class="name"><code><a href="#MeshConfig-ServiceScopeConfigs-namespace_selector">namespaceSelector</a></code></div>
<div class="type"><a href="#LabelSelector">LabelSelector</a></div>
</div></td>
<td>
<p>Match expression for namespaces.</p>
</td>
</tr>
<tr id="MeshConfig-ServiceScopeConfigs-services_selector">
<td><div class="field"><div class="name"><code><a href="#MeshConfig-ServiceScopeConfigs-services_selector">servicesSelector</a></code></div>
<div class="type"><a href="#LabelSelector">LabelSelector</a></div>
</div></td>
<td>
<p>Match expression for serivces.</p>
</td>
</tr>
<tr id="MeshConfig-ServiceScopeConfigs-scope">
<td><div class="field"><div class="name"><code><a href="#MeshConfig-ServiceScopeConfigs-scope">scope</a></code></div>
<div class="type"><a href="#MeshConfig-ServiceScopeConfigs-Scope">Scope</a></div>
</div></td>
<td>
<p>Specifics the available scope for matching services.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h4 id="MeshConfig-ServiceScopeConfigs-Scope">Scope</h4>
<section>
<p>The scope of the matching service. Used to determine if the service is available locally
(cluster local) or globally (mesh-wide).</p>
<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-ServiceScopeConfigs-Scope-LOCAL">
<td><code><a href="#MeshConfig-ServiceScopeConfigs-Scope-LOCAL">LOCAL</a></code></td>
<td>
</td>
</tr>
<tr id="MeshConfig-ServiceScopeConfigs-Scope-GLOBAL">
<td><code><a href="#MeshConfig-ServiceScopeConfigs-Scope-GLOBAL">GLOBAL</a></code></td>
<td>
</td>
</tr>
</tbody>
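Review bot: The YAML example sets `namespacesSelector`, but the field table below it documents the key as `namespaceSelector`, so a configuration copied from the example would not set the documented field; the two need to agree. In the same example `values: [true]` is an unquoted YAML boolean where label values are strings, so it should read `values: ["true"]`. The sentence "Resources like DestinationRules should be used to enforce authorization policies" names a traffic-policy resource; authorization in Istio is expressed with AuthorizationPolicy, and since this paragraph is the one telling readers the API is not a security control, it should point at the right resource. Smaller points: "serivces" and "Specifics" are typos in the field descriptions, and the `LOCAL` and `GLOBAL` enum values have empty descriptions.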
@ -914,6 +1014,18 @@ Default: true</p>
<td>
<p>Configures an Envoy Open Telemetry Access Logging Service provider.</p>
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-sds" class="oneof">
<td><div class="field"><div class="name"><code><a href="#MeshConfig-ExtensionProvider-sds">sds</a></code></div>
<div class="type"><a href="#MeshConfig-ExtensionProvider-SDSProvider">SDSProvider (oneof)</a></div>
</div></td>
<td>
<p>Configures an Extension Provider for SDS. This can be used to
configure an external SDS service to supply secrets for certain Gateways for example.
This is useful for scenarios where the secrets are stored in an external secret store like Vault.
The secret should be configured with sds://provider-name format.</p>
</td>
</tr>
</tbody>
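Review bot: The `sds` description ends with "The secret should be configured with sds://provider-name format." without saying which field of which resource takes that value, or how a specific secret inside the provider is addressed after the provider name. Please name the field and give one complete example value, since a reader cannot tell from this text how to reference a secret served by the provider.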
@ -2298,6 +2410,52 @@ host name defined in the ServiceEntry.</p>
<td>
<p>REQUIRED. Specifies sampling configuration URI.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h4 id="MeshConfig-ExtensionProvider-SDSProvider">SDSProvider</h4>
<section>
<p>Defines configuration for an Gateway SDS provider.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="MeshConfig-ExtensionProvider-SDSProvider-name">
<td><div class="field"><div class="name"><code><a href="#MeshConfig-ExtensionProvider-SDSProvider-name">name</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>REQUIRED. Specifies the name of the provider. This should be used to configure the Gateway SDS.</p>
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-SDSProvider-service">
<td><div class="field"><div class="name"><code><a href="#MeshConfig-ExtensionProvider-SDSProvider-service">service</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>REQUIRED. Specifies the service that implements the SDS service.
The format is <code>[&lt;Namespace&gt;/]&lt;Hostname&gt;</code>. The specification of <code>&lt;Namespace&gt;</code> is required only when it is insufficient
to unambiguously resolve a service in the service registry. The <code>&lt;Hostname&gt;</code> is a fully qualified host name of a
service defined by the Kubernetes service or ServiceEntry.</p>
<p>Example: &ldquo;gateway-sds.foo.svc.cluster.local&rdquo; or &ldquo;bar/gateway-sds.example.com&rdquo;.</p>
</td>
</tr>
<tr id="MeshConfig-ExtensionProvider-SDSProvider-port">
<td><div class="field"><div class="name"><code><a href="#MeshConfig-ExtensionProvider-SDSProvider-port">port</a></code></div>
<div class="type">uint32</div>
</div></td>
<td>
<p>REQUIRED. Specifies the port of the service.</p>
</td>
</tr>
</tbody>
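Review bot: `SDSProvider` documents only `name`, `service` and `port`, so nothing here says how the connection to the external SDS service is authenticated or encrypted, even though that service hands out Gateway secrets. Document the transport security that applies to this connection, or add a TLS setting to the message if none is implied. Also "Defines configuration for an Gateway SDS provider." should read "a Gateway".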
@ -3755,7 +3913,7 @@ Note: currently all headers are enabled by default.</p>
</code></pre>
<p>Below shows an example of preserving the header case for HTTP 1.x requests</p>
<pre><code class="language-yaml">proxyHeaders:
perserveHttp1HeaderCase: true
preserveHttp1HeaderCase: true
</code></pre>
<p>Some headers are enabled by default, and require explicitly disabling. See below for an example of disabling all default-enabled headers:</p>
<pre><code class="language-yaml">proxyHeaders:
@ -3937,6 +4095,29 @@ to be lowercase per the protocol specification. Envoy will ignore this field for
requests and automatically normalize headers to lowercase, ensuring compliance with HTTP/2
standards.</p>
</td>
</tr>
<tr id="ProxyConfig-ProxyHeaders-x_forwarded_host">
<td><div class="field"><div class="name"><code><a href="#ProxyConfig-ProxyHeaders-x_forwarded_host">xForwardedHost</a></code></div>
<div class="type"><a href="#ProxyConfig-ProxyHeaders-XForwardedHost">XForwardedHost</a></div>
</div></td>
<td>
<p>Controls the <code>X-Forwarded-Host</code> header. If enabled, the <code>X-Forwarded-Host</code> header is appended
with the original host when it is rewritten.
This header is disabled by default.</p>
</td>
</tr>
<tr id="ProxyConfig-ProxyHeaders-x_forwarded_port">
<td><div class="field"><div class="name"><code><a href="#ProxyConfig-ProxyHeaders-x_forwarded_port">xForwardedPort</a></code></div>
<div class="type"><a href="#ProxyConfig-ProxyHeaders-XForwardedPort">XForwardedPort</a></div>
</div></td>
<td>
<p>Controls the <code>X-Forwarded-Port</code> header. If enabled, the <code>X-Forwarded-Port</code> header is header with the port value
client used to connect to Envoy. It will be ignored if the <code>x-forwarded-port</code> header has been set by any
trusted proxy in front of Envoy.
This header is disabled by default.</p>
</td>
</tr>
</tbody>
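Review bot: The `xForwardedPort` description reads "the `X-Forwarded-Port` header is header with the port value client used to connect to Envoy", which is garbled; something like "is set to the port the client used to connect to Envoy" is what seems intended. The same paragraph says the header is ignored when set by "any trusted proxy in front of Envoy" without saying how a proxy comes to be treated as trusted. The `xForwardedHost` text has the matching gap: it should state what happens to an `X-Forwarded-Host` value already present on the incoming request, because backends that build URLs from this header need to know whether a client-supplied value can reach them.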
@ -4011,6 +4192,46 @@ standards.</p>
</tbody>
</table>
</section>
<h4 id="ProxyConfig-ProxyHeaders-XForwardedHost">XForwardedHost</h4>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="ProxyConfig-ProxyHeaders-XForwardedHost-enabled">
<td><div class="field"><div class="name"><code><a href="#ProxyConfig-ProxyHeaders-XForwardedHost-enabled">enabled</a></code></div>
<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue">BoolValue</a></div>
</div></td>
<td>
</td>
</tr>
</tbody>
</table>
</section>
<h4 id="ProxyConfig-ProxyHeaders-XForwardedPort">XForwardedPort</h4>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="ProxyConfig-ProxyHeaders-XForwardedPort-enabled">
<td><div class="field"><div class="name"><code><a href="#ProxyConfig-ProxyHeaders-XForwardedPort-enabled">enabled</a></code></div>
<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#boolvalue">BoolValue</a></div>
</div></td>
<td>
</td>
</tr>
</tbody>
</table>
</section>
<h4 id="ProxyConfig-ProxyHeaders-EnvoyDebugHeaders">EnvoyDebugHeaders</h4>
<section>
<table class="message-fields">
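Review bot: Both new messages, `XForwardedHost` and `XForwardedPort`, render with no message description and an empty description cell for `enabled`. Since `enabled` is a `BoolValue`, the docs should say what an unset value means as opposed to an explicit `false`, and repeat that the header is off by default.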

View File

@ -18,7 +18,7 @@ package istio.mesh.v1alpha1;
import "google/api/field_behavior.proto";
option go_package="istio.io/api/mesh/v1alpha1";
option go_package = "istio.io/api/mesh/v1alpha1";
// Network provides information about the endpoints in a routable L3
// network. A single routable L3 network can have one or more service
@ -48,15 +48,15 @@ message Network {
// (2) will override (1) if both are present.
message NetworkEndpoints {
oneof ne {
// A CIDR range for the set of endpoints in this network. The CIDR
// ranges for endpoints from different networks must not overlap.
string from_cidr = 1;
// A CIDR range for the set of endpoints in this network. The CIDR
// ranges for endpoints from different networks must not overlap.
string from_cidr = 1;
// Add all endpoints from the specified registry into this network.
// The names of the registries should correspond to the kubeconfig file name
// inside the secret that was used to configure the registry (Kubernetes
// multicluster) or supplied by MCP server.
string from_registry = 2;
// Add all endpoints from the specified registry into this network.
// The names of the registries should correspond to the kubeconfig file name
// inside the secret that was used to configure the registry (Kubernetes
// multicluster) or supplied by MCP server.
string from_registry = 2;
}
}

View File

@ -1044,7 +1044,7 @@ type ProxyConfig struct {
// ```yaml
// proxyHeaders:
//
// perserveHttp1HeaderCase: true
// preserveHttp1HeaderCase: true
//
// ```
//
@ -2304,8 +2304,17 @@ type ProxyConfig_ProxyHeaders struct {
// requests and automatically normalize headers to lowercase, ensuring compliance with HTTP/2
// standards.
PreserveHttp1HeaderCase *wrappers.BoolValue `protobuf:"bytes,40,opt,name=preserve_http1_header_case,json=preserveHttp1HeaderCase,proto3" json:"preserve_http1_header_case,omitempty"`
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
// Controls the `X-Forwarded-Host` header. If enabled, the `X-Forwarded-Host` header is appended
// with the original host when it is rewritten.
// This header is disabled by default.
XForwardedHost *ProxyConfig_ProxyHeaders_XForwardedHost `protobuf:"bytes,41,opt,name=x_forwarded_host,json=xForwardedHost,proto3" json:"x_forwarded_host,omitempty"`
// Controls the `X-Forwarded-Port` header. If enabled, the `X-Forwarded-Port` header is header with the port value
// client used to connect to Envoy. It will be ignored if the “x-forwarded-port“ header has been set by any
// trusted proxy in front of Envoy.
// This header is disabled by default.
XForwardedPort *ProxyConfig_ProxyHeaders_XForwardedPort `protobuf:"bytes,42,opt,name=x_forwarded_port,json=xForwardedPort,proto3" json:"x_forwarded_port,omitempty"`
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}
func (x *ProxyConfig_ProxyHeaders) Reset() {
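Review bot: The generated comment on `XForwardedPort` contains “x-forwarded-port“ in typographic quotes, while every other header name in these comments is in single backticks. That usually means the .proto comment used doubled backticks; fix it in the proto source and regenerate rather than editing this file. The "is header with the port value client used" wording in the same comment comes from the proto as well and should be corrected there.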
@ -2394,6 +2403,20 @@ func (x *ProxyConfig_ProxyHeaders) GetPreserveHttp1HeaderCase() *wrappers.BoolVa
return nil
}
func (x *ProxyConfig_ProxyHeaders) GetXForwardedHost() *ProxyConfig_ProxyHeaders_XForwardedHost {
if x != nil {
return x.XForwardedHost
}
return nil
}
func (x *ProxyConfig_ProxyHeaders) GetXForwardedPort() *ProxyConfig_ProxyHeaders_XForwardedPort {
if x != nil {
return x.XForwardedPort
}
return nil
}
type ProxyConfig_ProxyHeaders_Server struct {
state protoimpl.MessageState `protogen:"open.v1"`
Disabled *wrappers.BoolValue `protobuf:"bytes,1,opt,name=disabled,proto3" json:"disabled,omitempty"`
@ -2535,6 +2558,94 @@ func (x *ProxyConfig_ProxyHeaders_AttemptCount) GetDisabled() *wrappers.BoolValu
return nil
}
type ProxyConfig_ProxyHeaders_XForwardedHost struct {
state protoimpl.MessageState `protogen:"open.v1"`
Enabled *wrappers.BoolValue `protobuf:"bytes,1,opt,name=enabled,proto3" json:"enabled,omitempty"`
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}
func (x *ProxyConfig_ProxyHeaders_XForwardedHost) Reset() {
*x = ProxyConfig_ProxyHeaders_XForwardedHost{}
mi := &file_mesh_v1alpha1_proxy_proto_msgTypes[26]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
func (x *ProxyConfig_ProxyHeaders_XForwardedHost) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*ProxyConfig_ProxyHeaders_XForwardedHost) ProtoMessage() {}
func (x *ProxyConfig_ProxyHeaders_XForwardedHost) ProtoReflect() protoreflect.Message {
mi := &file_mesh_v1alpha1_proxy_proto_msgTypes[26]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use ProxyConfig_ProxyHeaders_XForwardedHost.ProtoReflect.Descriptor instead.
func (*ProxyConfig_ProxyHeaders_XForwardedHost) Descriptor() ([]byte, []int) {
return file_mesh_v1alpha1_proxy_proto_rawDescGZIP(), []int{4, 3, 3}
}
func (x *ProxyConfig_ProxyHeaders_XForwardedHost) GetEnabled() *wrappers.BoolValue {
if x != nil {
return x.Enabled
}
return nil
}
type ProxyConfig_ProxyHeaders_XForwardedPort struct {
state protoimpl.MessageState `protogen:"open.v1"`
Enabled *wrappers.BoolValue `protobuf:"bytes,1,opt,name=enabled,proto3" json:"enabled,omitempty"`
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}
func (x *ProxyConfig_ProxyHeaders_XForwardedPort) Reset() {
*x = ProxyConfig_ProxyHeaders_XForwardedPort{}
mi := &file_mesh_v1alpha1_proxy_proto_msgTypes[27]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
func (x *ProxyConfig_ProxyHeaders_XForwardedPort) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*ProxyConfig_ProxyHeaders_XForwardedPort) ProtoMessage() {}
func (x *ProxyConfig_ProxyHeaders_XForwardedPort) ProtoReflect() protoreflect.Message {
mi := &file_mesh_v1alpha1_proxy_proto_msgTypes[27]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use ProxyConfig_ProxyHeaders_XForwardedPort.ProtoReflect.Descriptor instead.
func (*ProxyConfig_ProxyHeaders_XForwardedPort) Descriptor() ([]byte, []int) {
return file_mesh_v1alpha1_proxy_proto_rawDescGZIP(), []int{4, 3, 4}
}
func (x *ProxyConfig_ProxyHeaders_XForwardedPort) GetEnabled() *wrappers.BoolValue {
if x != nil {
return x.Enabled
}
return nil
}
type ProxyConfig_ProxyHeaders_EnvoyDebugHeaders struct {
state protoimpl.MessageState `protogen:"open.v1"`
Disabled *wrappers.BoolValue `protobuf:"bytes,1,opt,name=disabled,proto3" json:"disabled,omitempty"`
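Review bot: The new `XForwardedHost` and `XForwardedPort` messages expose an `Enabled` field, while the neighbouring header messages in this file (`Server`, `EnvoyDebugHeaders`) expose `Disabled`. The opposite polarity follows from these headers being off by default, but it is easy to misread in a config that sets several headers at once; a one-line comment on each new message in the proto saying so would carry through to this generated code and to the reference docs.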
@ -2544,7 +2655,7 @@ type ProxyConfig_ProxyHeaders_EnvoyDebugHeaders struct {
func (x *ProxyConfig_ProxyHeaders_EnvoyDebugHeaders) Reset() {
*x = ProxyConfig_ProxyHeaders_EnvoyDebugHeaders{}
mi := &file_mesh_v1alpha1_proxy_proto_msgTypes[26]
mi := &file_mesh_v1alpha1_proxy_proto_msgTypes[28]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -2556,7 +2667,7 @@ func (x *ProxyConfig_ProxyHeaders_EnvoyDebugHeaders) String() string {
func (*ProxyConfig_ProxyHeaders_EnvoyDebugHeaders) ProtoMessage() {}
func (x *ProxyConfig_ProxyHeaders_EnvoyDebugHeaders) ProtoReflect() protoreflect.Message {
mi := &file_mesh_v1alpha1_proxy_proto_msgTypes[26]
mi := &file_mesh_v1alpha1_proxy_proto_msgTypes[28]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -2569,7 +2680,7 @@ func (x *ProxyConfig_ProxyHeaders_EnvoyDebugHeaders) ProtoReflect() protoreflect
// Deprecated: Use ProxyConfig_ProxyHeaders_EnvoyDebugHeaders.ProtoReflect.Descriptor instead.
func (*ProxyConfig_ProxyHeaders_EnvoyDebugHeaders) Descriptor() ([]byte, []int) {
return file_mesh_v1alpha1_proxy_proto_rawDescGZIP(), []int{4, 3, 3}
return file_mesh_v1alpha1_proxy_proto_rawDescGZIP(), []int{4, 3, 5}
}
func (x *ProxyConfig_ProxyHeaders_EnvoyDebugHeaders) GetDisabled() *wrappers.BoolValue {
@ -2588,7 +2699,7 @@ type ProxyConfig_ProxyHeaders_MetadataExchangeHeaders struct {
func (x *ProxyConfig_ProxyHeaders_MetadataExchangeHeaders) Reset() {
*x = ProxyConfig_ProxyHeaders_MetadataExchangeHeaders{}
mi := &file_mesh_v1alpha1_proxy_proto_msgTypes[27]
mi := &file_mesh_v1alpha1_proxy_proto_msgTypes[29]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -2600,7 +2711,7 @@ func (x *ProxyConfig_ProxyHeaders_MetadataExchangeHeaders) String() string {
func (*ProxyConfig_ProxyHeaders_MetadataExchangeHeaders) ProtoMessage() {}
func (x *ProxyConfig_ProxyHeaders_MetadataExchangeHeaders) ProtoReflect() protoreflect.Message {
mi := &file_mesh_v1alpha1_proxy_proto_msgTypes[27]
mi := &file_mesh_v1alpha1_proxy_proto_msgTypes[29]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -2613,7 +2724,7 @@ func (x *ProxyConfig_ProxyHeaders_MetadataExchangeHeaders) ProtoReflect() protor
// Deprecated: Use ProxyConfig_ProxyHeaders_MetadataExchangeHeaders.ProtoReflect.Descriptor instead.
func (*ProxyConfig_ProxyHeaders_MetadataExchangeHeaders) Descriptor() ([]byte, []int) {
return file_mesh_v1alpha1_proxy_proto_rawDescGZIP(), []int{4, 3, 4}
return file_mesh_v1alpha1_proxy_proto_rawDescGZIP(), []int{4, 3, 6}
}
func (x *ProxyConfig_ProxyHeaders_MetadataExchangeHeaders) GetMode() ProxyConfig_ProxyHeaders_MetadataExchangeMode {
@ -2648,7 +2759,7 @@ type ProxyConfig_ProxyHeaders_SetCurrentClientCertDetails struct {
func (x *ProxyConfig_ProxyHeaders_SetCurrentClientCertDetails) Reset() {
*x = ProxyConfig_ProxyHeaders_SetCurrentClientCertDetails{}
mi := &file_mesh_v1alpha1_proxy_proto_msgTypes[28]
mi := &file_mesh_v1alpha1_proxy_proto_msgTypes[30]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -2660,7 +2771,7 @@ func (x *ProxyConfig_ProxyHeaders_SetCurrentClientCertDetails) String() string {
func (*ProxyConfig_ProxyHeaders_SetCurrentClientCertDetails) ProtoMessage() {}
func (x *ProxyConfig_ProxyHeaders_SetCurrentClientCertDetails) ProtoReflect() protoreflect.Message {
mi := &file_mesh_v1alpha1_proxy_proto_msgTypes[28]
mi := &file_mesh_v1alpha1_proxy_proto_msgTypes[30]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -2673,7 +2784,7 @@ func (x *ProxyConfig_ProxyHeaders_SetCurrentClientCertDetails) ProtoReflect() pr
// Deprecated: Use ProxyConfig_ProxyHeaders_SetCurrentClientCertDetails.ProtoReflect.Descriptor instead.
func (*ProxyConfig_ProxyHeaders_SetCurrentClientCertDetails) Descriptor() ([]byte, []int) {
return file_mesh_v1alpha1_proxy_proto_rawDescGZIP(), []int{4, 3, 5}
return file_mesh_v1alpha1_proxy_proto_rawDescGZIP(), []int{4, 3, 7}
}
func (x *ProxyConfig_ProxyHeaders_SetCurrentClientCertDetails) GetSubject() *wrappers.BoolValue {
@ -2787,7 +2898,7 @@ const file_mesh_v1alpha1_proxy_proto_rawDesc = "" +
"poll_delay\x18\x01 \x01(\v2\x19.google.protobuf.DurationR\tpollDelay\x126\n" +
"\bfallback\x18\x02 \x01(\v2\x1a.google.protobuf.BoolValueR\bfallbackB\n" +
"\n" +
"\bprovider\"\xc3#\n" +
"\bprovider\"\xa3&\n" +
"\vProxyConfig\x12\x1f\n" +
"\vconfig_path\x18\x01 \x01(\tR\n" +
"configPath\x12\x1f\n" +
@ -2838,7 +2949,7 @@ const file_mesh_v1alpha1_proxy_proto_rawDesc = "" +
"\x11ProxyStatsMatcher\x12-\n" +
"\x12inclusion_prefixes\x18\x01 \x03(\tR\x11inclusionPrefixes\x12-\n" +
"\x12inclusion_suffixes\x18\x02 \x03(\tR\x11inclusionSuffixes\x12+\n" +
"\x11inclusion_regexps\x18\x03 \x03(\tR\x10inclusionRegexps\x1a\xc5\f\n" +
"\x11inclusion_regexps\x18\x03 \x03(\tR\x10inclusionRegexps\x1a\xa5\x0f\n" +
"\fProxyHeaders\x12a\n" +
"\x15forwarded_client_cert\x18\x01 \x01(\x0e2-.istio.mesh.v1alpha1.ForwardClientCertDetailsR\x13forwardedClientCert\x12\x8f\x01\n" +
"\x1fset_current_client_cert_details\x18\a \x01(\v2I.istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetailsR\x1bsetCurrentClientCertDetails\x12V\n" +
@ -2848,14 +2959,20 @@ const file_mesh_v1alpha1_proxy_proto_rawDesc = "" +
"\rattempt_count\x18\x04 \x01(\v2:.istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.AttemptCountR\fattemptCount\x12o\n" +
"\x13envoy_debug_headers\x18\x05 \x01(\v2?.istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.EnvoyDebugHeadersR\x11envoyDebugHeaders\x12\x81\x01\n" +
"\x19metadata_exchange_headers\x18\x06 \x01(\v2E.istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.MetadataExchangeHeadersR\x17metadataExchangeHeaders\x12W\n" +
"\x1apreserve_http1_header_case\x18( \x01(\v2\x1a.google.protobuf.BoolValueR\x17preserveHttp1HeaderCase\x1aV\n" +
"\x1apreserve_http1_header_case\x18( \x01(\v2\x1a.google.protobuf.BoolValueR\x17preserveHttp1HeaderCase\x12f\n" +
"\x10x_forwarded_host\x18) \x01(\v2<.istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.XForwardedHostR\x0exForwardedHost\x12f\n" +
"\x10x_forwarded_port\x18* \x01(\v2<.istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.XForwardedPortR\x0exForwardedPort\x1aV\n" +
"\x06Server\x126\n" +
"\bdisabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\bdisabled\x12\x14\n" +
"\x05value\x18\x02 \x01(\tR\x05value\x1aC\n" +
"\tRequestId\x126\n" +
"\bdisabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\bdisabled\x1aF\n" +
"\fAttemptCount\x126\n" +
"\bdisabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\bdisabled\x1aK\n" +
"\bdisabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\bdisabled\x1aF\n" +
"\x0eXForwardedHost\x124\n" +
"\aenabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\aenabled\x1aF\n" +
"\x0eXForwardedPort\x124\n" +
"\aenabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\aenabled\x1aK\n" +
"\x11EnvoyDebugHeaders\x126\n" +
"\bdisabled\x18\x01 \x01(\v2\x1a.google.protobuf.BoolValueR\bdisabled\x1aq\n" +
"\x17MetadataExchangeHeaders\x12V\n" +
@ -2910,51 +3027,53 @@ func file_mesh_v1alpha1_proxy_proto_rawDescGZIP() []byte {
}
var file_mesh_v1alpha1_proxy_proto_enumTypes = make([]protoimpl.EnumInfo, 6)
var file_mesh_v1alpha1_proxy_proto_msgTypes = make([]protoimpl.MessageInfo, 29)
var file_mesh_v1alpha1_proxy_proto_msgTypes = make([]protoimpl.MessageInfo, 31)
var file_mesh_v1alpha1_proxy_proto_goTypes = []any{
(AuthenticationPolicy)(0), // 0: istio.mesh.v1alpha1.AuthenticationPolicy
(ForwardClientCertDetails)(0), // 1: istio.mesh.v1alpha1.ForwardClientCertDetails
(Tracing_OpenCensusAgent_TraceContext)(0), // 2: istio.mesh.v1alpha1.Tracing.OpenCensusAgent.TraceContext
(ProxyConfig_TracingServiceName)(0), // 3: istio.mesh.v1alpha1.ProxyConfig.TracingServiceName
(ProxyConfig_InboundInterceptionMode)(0), // 4: istio.mesh.v1alpha1.ProxyConfig.InboundInterceptionMode
(ProxyConfig_ProxyHeaders_MetadataExchangeMode)(0), // 5: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.MetadataExchangeMode
(*Tracing)(nil), // 6: istio.mesh.v1alpha1.Tracing
(*SDS)(nil), // 7: istio.mesh.v1alpha1.SDS
(*Topology)(nil), // 8: istio.mesh.v1alpha1.Topology
(*PrivateKeyProvider)(nil), // 9: istio.mesh.v1alpha1.PrivateKeyProvider
(*ProxyConfig)(nil), // 10: istio.mesh.v1alpha1.ProxyConfig
(*RemoteService)(nil), // 11: istio.mesh.v1alpha1.RemoteService
(*Tracing_Zipkin)(nil), // 12: istio.mesh.v1alpha1.Tracing.Zipkin
(*Tracing_Lightstep)(nil), // 13: istio.mesh.v1alpha1.Tracing.Lightstep
(*Tracing_Datadog)(nil), // 14: istio.mesh.v1alpha1.Tracing.Datadog
(*Tracing_Stackdriver)(nil), // 15: istio.mesh.v1alpha1.Tracing.Stackdriver
(*Tracing_OpenCensusAgent)(nil), // 16: istio.mesh.v1alpha1.Tracing.OpenCensusAgent
(*Tracing_CustomTag)(nil), // 17: istio.mesh.v1alpha1.Tracing.CustomTag
(*Tracing_Literal)(nil), // 18: istio.mesh.v1alpha1.Tracing.Literal
(*Tracing_Environment)(nil), // 19: istio.mesh.v1alpha1.Tracing.Environment
(*Tracing_RequestHeader)(nil), // 20: istio.mesh.v1alpha1.Tracing.RequestHeader
nil, // 21: istio.mesh.v1alpha1.Tracing.CustomTagsEntry
(*Topology_ProxyProtocolConfiguration)(nil), // 22: istio.mesh.v1alpha1.Topology.ProxyProtocolConfiguration
(*PrivateKeyProvider_CryptoMb)(nil), // 23: istio.mesh.v1alpha1.PrivateKeyProvider.CryptoMb
(*PrivateKeyProvider_QAT)(nil), // 24: istio.mesh.v1alpha1.PrivateKeyProvider.QAT
nil, // 25: istio.mesh.v1alpha1.ProxyConfig.ProxyMetadataEntry
nil, // 26: istio.mesh.v1alpha1.ProxyConfig.RuntimeValuesEntry
(*ProxyConfig_ProxyStatsMatcher)(nil), // 27: istio.mesh.v1alpha1.ProxyConfig.ProxyStatsMatcher
(*ProxyConfig_ProxyHeaders)(nil), // 28: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders
(*ProxyConfig_ProxyHeaders_Server)(nil), // 29: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.Server
(*ProxyConfig_ProxyHeaders_RequestId)(nil), // 30: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.RequestId
(*ProxyConfig_ProxyHeaders_AttemptCount)(nil), // 31: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.AttemptCount
(*ProxyConfig_ProxyHeaders_EnvoyDebugHeaders)(nil), // 32: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.EnvoyDebugHeaders
(*ProxyConfig_ProxyHeaders_MetadataExchangeHeaders)(nil), // 33: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.MetadataExchangeHeaders
(*ProxyConfig_ProxyHeaders_SetCurrentClientCertDetails)(nil), // 34: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails
(*v1alpha3.ClientTLSSettings)(nil), // 35: istio.networking.v1alpha3.ClientTLSSettings
(*wrappers.BoolValue)(nil), // 36: google.protobuf.BoolValue
(*duration.Duration)(nil), // 37: google.protobuf.Duration
(*wrappers.Int32Value)(nil), // 38: google.protobuf.Int32Value
(*v1alpha3.ReadinessProbe)(nil), // 39: istio.networking.v1alpha3.ReadinessProbe
(*v1beta1.ProxyImage)(nil), // 40: istio.networking.v1beta1.ProxyImage
(*v1alpha3.ConnectionPoolSettings_TCPSettings_TcpKeepalive)(nil), // 41: istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive
(*wrappers.Int64Value)(nil), // 42: google.protobuf.Int64Value
(AuthenticationPolicy)(0), // 0: istio.mesh.v1alpha1.AuthenticationPolicy
(ForwardClientCertDetails)(0), // 1: istio.mesh.v1alpha1.ForwardClientCertDetails
(Tracing_OpenCensusAgent_TraceContext)(0), // 2: istio.mesh.v1alpha1.Tracing.OpenCensusAgent.TraceContext
(ProxyConfig_TracingServiceName)(0), // 3: istio.mesh.v1alpha1.ProxyConfig.TracingServiceName
(ProxyConfig_InboundInterceptionMode)(0), // 4: istio.mesh.v1alpha1.ProxyConfig.InboundInterceptionMode
(ProxyConfig_ProxyHeaders_MetadataExchangeMode)(0), // 5: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.MetadataExchangeMode
(*Tracing)(nil), // 6: istio.mesh.v1alpha1.Tracing
(*SDS)(nil), // 7: istio.mesh.v1alpha1.SDS
(*Topology)(nil), // 8: istio.mesh.v1alpha1.Topology
(*PrivateKeyProvider)(nil), // 9: istio.mesh.v1alpha1.PrivateKeyProvider
(*ProxyConfig)(nil), // 10: istio.mesh.v1alpha1.ProxyConfig
(*RemoteService)(nil), // 11: istio.mesh.v1alpha1.RemoteService
(*Tracing_Zipkin)(nil), // 12: istio.mesh.v1alpha1.Tracing.Zipkin
(*Tracing_Lightstep)(nil), // 13: istio.mesh.v1alpha1.Tracing.Lightstep
(*Tracing_Datadog)(nil), // 14: istio.mesh.v1alpha1.Tracing.Datadog
(*Tracing_Stackdriver)(nil), // 15: istio.mesh.v1alpha1.Tracing.Stackdriver
(*Tracing_OpenCensusAgent)(nil), // 16: istio.mesh.v1alpha1.Tracing.OpenCensusAgent
(*Tracing_CustomTag)(nil), // 17: istio.mesh.v1alpha1.Tracing.CustomTag
(*Tracing_Literal)(nil), // 18: istio.mesh.v1alpha1.Tracing.Literal
(*Tracing_Environment)(nil), // 19: istio.mesh.v1alpha1.Tracing.Environment
(*Tracing_RequestHeader)(nil), // 20: istio.mesh.v1alpha1.Tracing.RequestHeader
nil, // 21: istio.mesh.v1alpha1.Tracing.CustomTagsEntry
(*Topology_ProxyProtocolConfiguration)(nil), // 22: istio.mesh.v1alpha1.Topology.ProxyProtocolConfiguration
(*PrivateKeyProvider_CryptoMb)(nil), // 23: istio.mesh.v1alpha1.PrivateKeyProvider.CryptoMb
(*PrivateKeyProvider_QAT)(nil), // 24: istio.mesh.v1alpha1.PrivateKeyProvider.QAT
nil, // 25: istio.mesh.v1alpha1.ProxyConfig.ProxyMetadataEntry
nil, // 26: istio.mesh.v1alpha1.ProxyConfig.RuntimeValuesEntry
(*ProxyConfig_ProxyStatsMatcher)(nil), // 27: istio.mesh.v1alpha1.ProxyConfig.ProxyStatsMatcher
(*ProxyConfig_ProxyHeaders)(nil), // 28: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders
(*ProxyConfig_ProxyHeaders_Server)(nil), // 29: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.Server
(*ProxyConfig_ProxyHeaders_RequestId)(nil), // 30: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.RequestId
(*ProxyConfig_ProxyHeaders_AttemptCount)(nil), // 31: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.AttemptCount
(*ProxyConfig_ProxyHeaders_XForwardedHost)(nil), // 32: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.XForwardedHost
(*ProxyConfig_ProxyHeaders_XForwardedPort)(nil), // 33: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.XForwardedPort
(*ProxyConfig_ProxyHeaders_EnvoyDebugHeaders)(nil), // 34: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.EnvoyDebugHeaders
(*ProxyConfig_ProxyHeaders_MetadataExchangeHeaders)(nil), // 35: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.MetadataExchangeHeaders
(*ProxyConfig_ProxyHeaders_SetCurrentClientCertDetails)(nil), // 36: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails
(*v1alpha3.ClientTLSSettings)(nil), // 37: istio.networking.v1alpha3.ClientTLSSettings
(*wrappers.BoolValue)(nil), // 38: google.protobuf.BoolValue
(*duration.Duration)(nil), // 39: google.protobuf.Duration
(*wrappers.Int32Value)(nil), // 40: google.protobuf.Int32Value
(*v1alpha3.ReadinessProbe)(nil), // 41: istio.networking.v1alpha3.ReadinessProbe
(*v1beta1.ProxyImage)(nil), // 42: istio.networking.v1beta1.ProxyImage
(*v1alpha3.ConnectionPoolSettings_TCPSettings_TcpKeepalive)(nil), // 43: istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive
(*wrappers.Int64Value)(nil), // 44: google.protobuf.Int64Value
}
var file_mesh_v1alpha1_proxy_proto_depIdxs = []int32{
12, // 0: istio.mesh.v1alpha1.Tracing.zipkin:type_name -> istio.mesh.v1alpha1.Tracing.Zipkin
@ -2963,17 +3082,17 @@ var file_mesh_v1alpha1_proxy_proto_depIdxs = []int32{
15, // 3: istio.mesh.v1alpha1.Tracing.stackdriver:type_name -> istio.mesh.v1alpha1.Tracing.Stackdriver
16, // 4: istio.mesh.v1alpha1.Tracing.open_census_agent:type_name -> istio.mesh.v1alpha1.Tracing.OpenCensusAgent
21, // 5: istio.mesh.v1alpha1.Tracing.custom_tags:type_name -> istio.mesh.v1alpha1.Tracing.CustomTagsEntry
35, // 6: istio.mesh.v1alpha1.Tracing.tls_settings:type_name -> istio.networking.v1alpha3.ClientTLSSettings
36, // 7: istio.mesh.v1alpha1.Tracing.enable_istio_tags:type_name -> google.protobuf.BoolValue
37, // 6: istio.mesh.v1alpha1.Tracing.tls_settings:type_name -> istio.networking.v1alpha3.ClientTLSSettings
38, // 7: istio.mesh.v1alpha1.Tracing.enable_istio_tags:type_name -> google.protobuf.BoolValue
1, // 8: istio.mesh.v1alpha1.Topology.forward_client_cert_details:type_name -> istio.mesh.v1alpha1.ForwardClientCertDetails
22, // 9: istio.mesh.v1alpha1.Topology.proxy_protocol:type_name -> istio.mesh.v1alpha1.Topology.ProxyProtocolConfiguration
23, // 10: istio.mesh.v1alpha1.PrivateKeyProvider.cryptomb:type_name -> istio.mesh.v1alpha1.PrivateKeyProvider.CryptoMb
24, // 11: istio.mesh.v1alpha1.PrivateKeyProvider.qat:type_name -> istio.mesh.v1alpha1.PrivateKeyProvider.QAT
3, // 12: istio.mesh.v1alpha1.ProxyConfig.tracing_service_name:type_name -> istio.mesh.v1alpha1.ProxyConfig.TracingServiceName
37, // 13: istio.mesh.v1alpha1.ProxyConfig.drain_duration:type_name -> google.protobuf.Duration
37, // 14: istio.mesh.v1alpha1.ProxyConfig.discovery_refresh_delay:type_name -> google.protobuf.Duration
39, // 13: istio.mesh.v1alpha1.ProxyConfig.drain_duration:type_name -> google.protobuf.Duration
39, // 14: istio.mesh.v1alpha1.ProxyConfig.discovery_refresh_delay:type_name -> google.protobuf.Duration
0, // 15: istio.mesh.v1alpha1.ProxyConfig.control_plane_auth_policy:type_name -> istio.mesh.v1alpha1.AuthenticationPolicy
38, // 16: istio.mesh.v1alpha1.ProxyConfig.concurrency:type_name -> google.protobuf.Int32Value
40, // 16: istio.mesh.v1alpha1.ProxyConfig.concurrency:type_name -> google.protobuf.Int32Value
4, // 17: istio.mesh.v1alpha1.ProxyConfig.interception_mode:type_name -> istio.mesh.v1alpha1.ProxyConfig.InboundInterceptionMode
6, // 18: istio.mesh.v1alpha1.ProxyConfig.tracing:type_name -> istio.mesh.v1alpha1.Tracing
7, // 19: istio.mesh.v1alpha1.ProxyConfig.sds:type_name -> istio.mesh.v1alpha1.SDS
@ -2982,50 +3101,54 @@ var file_mesh_v1alpha1_proxy_proto_depIdxs = []int32{
25, // 22: istio.mesh.v1alpha1.ProxyConfig.proxy_metadata:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyMetadataEntry
26, // 23: istio.mesh.v1alpha1.ProxyConfig.runtime_values:type_name -> istio.mesh.v1alpha1.ProxyConfig.RuntimeValuesEntry
8, // 24: istio.mesh.v1alpha1.ProxyConfig.gateway_topology:type_name -> istio.mesh.v1alpha1.Topology
37, // 25: istio.mesh.v1alpha1.ProxyConfig.termination_drain_duration:type_name -> google.protobuf.Duration
39, // 26: istio.mesh.v1alpha1.ProxyConfig.readiness_probe:type_name -> istio.networking.v1alpha3.ReadinessProbe
39, // 25: istio.mesh.v1alpha1.ProxyConfig.termination_drain_duration:type_name -> google.protobuf.Duration
41, // 26: istio.mesh.v1alpha1.ProxyConfig.readiness_probe:type_name -> istio.networking.v1alpha3.ReadinessProbe
27, // 27: istio.mesh.v1alpha1.ProxyConfig.proxy_stats_matcher:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyStatsMatcher
36, // 28: istio.mesh.v1alpha1.ProxyConfig.hold_application_until_proxy_starts:type_name -> google.protobuf.BoolValue
40, // 29: istio.mesh.v1alpha1.ProxyConfig.image:type_name -> istio.networking.v1beta1.ProxyImage
38, // 28: istio.mesh.v1alpha1.ProxyConfig.hold_application_until_proxy_starts:type_name -> google.protobuf.BoolValue
42, // 29: istio.mesh.v1alpha1.ProxyConfig.image:type_name -> istio.networking.v1beta1.ProxyImage
9, // 30: istio.mesh.v1alpha1.ProxyConfig.private_key_provider:type_name -> istio.mesh.v1alpha1.PrivateKeyProvider
28, // 31: istio.mesh.v1alpha1.ProxyConfig.proxy_headers:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders
35, // 32: istio.mesh.v1alpha1.RemoteService.tls_settings:type_name -> istio.networking.v1alpha3.ClientTLSSettings
41, // 33: istio.mesh.v1alpha1.RemoteService.tcp_keepalive:type_name -> istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive
42, // 34: istio.mesh.v1alpha1.Tracing.Stackdriver.max_number_of_attributes:type_name -> google.protobuf.Int64Value
42, // 35: istio.mesh.v1alpha1.Tracing.Stackdriver.max_number_of_annotations:type_name -> google.protobuf.Int64Value
42, // 36: istio.mesh.v1alpha1.Tracing.Stackdriver.max_number_of_message_events:type_name -> google.protobuf.Int64Value
37, // 32: istio.mesh.v1alpha1.RemoteService.tls_settings:type_name -> istio.networking.v1alpha3.ClientTLSSettings
43, // 33: istio.mesh.v1alpha1.RemoteService.tcp_keepalive:type_name -> istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive
44, // 34: istio.mesh.v1alpha1.Tracing.Stackdriver.max_number_of_attributes:type_name -> google.protobuf.Int64Value
44, // 35: istio.mesh.v1alpha1.Tracing.Stackdriver.max_number_of_annotations:type_name -> google.protobuf.Int64Value
44, // 36: istio.mesh.v1alpha1.Tracing.Stackdriver.max_number_of_message_events:type_name -> google.protobuf.Int64Value
2, // 37: istio.mesh.v1alpha1.Tracing.OpenCensusAgent.context:type_name -> istio.mesh.v1alpha1.Tracing.OpenCensusAgent.TraceContext
18, // 38: istio.mesh.v1alpha1.Tracing.CustomTag.literal:type_name -> istio.mesh.v1alpha1.Tracing.Literal
19, // 39: istio.mesh.v1alpha1.Tracing.CustomTag.environment:type_name -> istio.mesh.v1alpha1.Tracing.Environment
20, // 40: istio.mesh.v1alpha1.Tracing.CustomTag.header:type_name -> istio.mesh.v1alpha1.Tracing.RequestHeader
17, // 41: istio.mesh.v1alpha1.Tracing.CustomTagsEntry.value:type_name -> istio.mesh.v1alpha1.Tracing.CustomTag
37, // 42: istio.mesh.v1alpha1.PrivateKeyProvider.CryptoMb.poll_delay:type_name -> google.protobuf.Duration
36, // 43: istio.mesh.v1alpha1.PrivateKeyProvider.CryptoMb.fallback:type_name -> google.protobuf.BoolValue
37, // 44: istio.mesh.v1alpha1.PrivateKeyProvider.QAT.poll_delay:type_name -> google.protobuf.Duration
36, // 45: istio.mesh.v1alpha1.PrivateKeyProvider.QAT.fallback:type_name -> google.protobuf.BoolValue
39, // 42: istio.mesh.v1alpha1.PrivateKeyProvider.CryptoMb.poll_delay:type_name -> google.protobuf.Duration
38, // 43: istio.mesh.v1alpha1.PrivateKeyProvider.CryptoMb.fallback:type_name -> google.protobuf.BoolValue
39, // 44: istio.mesh.v1alpha1.PrivateKeyProvider.QAT.poll_delay:type_name -> google.protobuf.Duration
38, // 45: istio.mesh.v1alpha1.PrivateKeyProvider.QAT.fallback:type_name -> google.protobuf.BoolValue
1, // 46: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.forwarded_client_cert:type_name -> istio.mesh.v1alpha1.ForwardClientCertDetails
34, // 47: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.set_current_client_cert_details:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails
36, // 47: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.set_current_client_cert_details:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails
30, // 48: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.request_id:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.RequestId
29, // 49: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.server:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.Server
31, // 50: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.attempt_count:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.AttemptCount
32, // 51: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.envoy_debug_headers:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.EnvoyDebugHeaders
33, // 52: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.metadata_exchange_headers:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.MetadataExchangeHeaders
36, // 53: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.preserve_http1_header_case:type_name -> google.protobuf.BoolValue
36, // 54: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.Server.disabled:type_name -> google.protobuf.BoolValue
36, // 55: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.RequestId.disabled:type_name -> google.protobuf.BoolValue
36, // 56: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.AttemptCount.disabled:type_name -> google.protobuf.BoolValue
36, // 57: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.EnvoyDebugHeaders.disabled:type_name -> google.protobuf.BoolValue
5, // 58: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.MetadataExchangeHeaders.mode:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.MetadataExchangeMode
36, // 59: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails.subject:type_name -> google.protobuf.BoolValue
36, // 60: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails.cert:type_name -> google.protobuf.BoolValue
36, // 61: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails.chain:type_name -> google.protobuf.BoolValue
36, // 62: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails.dns:type_name -> google.protobuf.BoolValue
36, // 63: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails.uri:type_name -> google.protobuf.BoolValue
64, // [64:64] is the sub-list for method output_type
64, // [64:64] is the sub-list for method input_type
64, // [64:64] is the sub-list for extension type_name
64, // [64:64] is the sub-list for extension extendee
0, // [0:64] is the sub-list for field type_name
34, // 51: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.envoy_debug_headers:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.EnvoyDebugHeaders
35, // 52: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.metadata_exchange_headers:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.MetadataExchangeHeaders
38, // 53: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.preserve_http1_header_case:type_name -> google.protobuf.BoolValue
32, // 54: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.x_forwarded_host:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.XForwardedHost
33, // 55: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.x_forwarded_port:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.XForwardedPort
38, // 56: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.Server.disabled:type_name -> google.protobuf.BoolValue
38, // 57: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.RequestId.disabled:type_name -> google.protobuf.BoolValue
38, // 58: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.AttemptCount.disabled:type_name -> google.protobuf.BoolValue
38, // 59: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.XForwardedHost.enabled:type_name -> google.protobuf.BoolValue
38, // 60: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.XForwardedPort.enabled:type_name -> google.protobuf.BoolValue
38, // 61: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.EnvoyDebugHeaders.disabled:type_name -> google.protobuf.BoolValue
5, // 62: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.MetadataExchangeHeaders.mode:type_name -> istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.MetadataExchangeMode
38, // 63: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails.subject:type_name -> google.protobuf.BoolValue
38, // 64: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails.cert:type_name -> google.protobuf.BoolValue
38, // 65: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails.chain:type_name -> google.protobuf.BoolValue
38, // 66: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails.dns:type_name -> google.protobuf.BoolValue
38, // 67: istio.mesh.v1alpha1.ProxyConfig.ProxyHeaders.SetCurrentClientCertDetails.uri:type_name -> google.protobuf.BoolValue
68, // [68:68] is the sub-list for method output_type
68, // [68:68] is the sub-list for method input_type
68, // [68:68] is the sub-list for extension type_name
68, // [68:68] is the sub-list for extension extendee
0, // [0:68] is the sub-list for field type_name
}
func init() { file_mesh_v1alpha1_proxy_proto_init() }
@ -3059,7 +3182,7 @@ func file_mesh_v1alpha1_proxy_proto_init() {
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: unsafe.Slice(unsafe.StringData(file_mesh_v1alpha1_proxy_proto_rawDesc), len(file_mesh_v1alpha1_proxy_proto_rawDesc)),
NumEnums: 6,
NumMessages: 29,
NumMessages: 31,
NumExtensions: 0,
NumServices: 0,
},

@ -14,15 +14,15 @@
syntax = "proto3";
package istio.mesh.v1alpha1;
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
import "networking/v1alpha3/destination_rule.proto";
import "networking/v1alpha3/workload_group.proto";
import "networking/v1beta1/proxy_config.proto";
package istio.mesh.v1alpha1;
option go_package="istio.io/api/mesh/v1alpha1";
option go_package = "istio.io/api/mesh/v1alpha1";
// AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.
// It can be set for two different scopes, mesh-wide or set on a per-pod basis using the ProxyConfig annotation.
@ -41,7 +41,6 @@ enum AuthenticationPolicy {
// Tracing defines configuration for the tracing performed by Envoy instances.
message Tracing {
// Zipkin defines configuration for a Zipkin tracer.
message Zipkin {
// Address of the Zipkin service (e.g. _zipkin:9411_).
@ -230,7 +229,6 @@ message Tracing {
// $hide_from_docs
// Next available field number: 11
}
// SDS defines secret discovery service(SDS) configuration to be used by the proxy.
@ -271,8 +269,7 @@ message Topology {
ForwardClientCertDetails forward_client_cert_details = 2;
// PROXY protocol configuration.
message ProxyProtocolConfiguration {
}
message ProxyProtocolConfiguration {}
// Enables [PROXY protocol](http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt) for
// downstream connections on a gateway.
@ -426,11 +423,11 @@ message ProxyConfig {
string discovery_address = 6;
// $hide_from_docs
google.protobuf.Duration discovery_refresh_delay = 7 [deprecated=true];
google.protobuf.Duration discovery_refresh_delay = 7 [deprecated = true];
// Address of the Zipkin service (e.g. _zipkin:9411_).
// DEPRECATED: Use [tracing][istio.mesh.v1alpha1.ProxyConfig.tracing] instead.
string zipkin_address = 8 [deprecated=true];
string zipkin_address = 8 [deprecated = true];
reserved "connect_timeout";
reserved 9;
@ -439,14 +436,14 @@ message ProxyConfig {
string statsd_udp_address = 10;
// $hide_from_docs
string envoy_metrics_service_address = 20 [deprecated=true];
string envoy_metrics_service_address = 20 [deprecated = true];
// Port on which Envoy should listen for administrative commands.
// Default port is `15000`.
int32 proxy_admin_port = 11;
// $hide_from_docs
string availability_zone = 12 [deprecated=true];
string availability_zone = 12 [deprecated = true];
// AuthenticationPolicy defines how the proxy is authenticated when it connects to the control plane.
// Default is set to `MUTUAL_TLS`.
@ -496,7 +493,7 @@ message ProxyConfig {
// Secret Discovery Service(SDS) configuration to be used by the proxy.
// $hide_from_docs
SDS sds = 21 [deprecated=true];
SDS sds = 21 [deprecated = true];
// Address of the service to which access logs from Envoys should be
// sent. (e.g. `accesslog-service:15000`). See [Access Log
@ -511,11 +508,11 @@ message ProxyConfig {
// Additional environment variables for the proxy.
// Names starting with `ISTIO_META_` will be included in the generated bootstrap and sent to the XDS server.
map<string,string> proxy_metadata = 24;
map<string, string> proxy_metadata = 24;
// Envoy [runtime configuration](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/operations/runtime) to set during bootstrapping.
// This enables setting experimental, unsafe, unsupported, and deprecated features that should be used with extreme caution.
map<string,string> runtime_values = 37;
map<string, string> runtime_values = 37;
// Port on which the agent should listen for administrative commands such as readiness probe.
// Default is set to port `15020`.
@ -536,11 +533,11 @@ message ProxyConfig {
Topology gateway_topology = 28;
// The amount of time allowed for connections to complete on proxy shutdown.
// On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining,
// discouraging any new connections and allowing existing connections to complete. It then
// On receiving `SIGTERM` or `SIGINT`, `istio-agent` tells the active Envoy to start gracefully draining,
// discouraging any new connections and allowing existing connections to complete. It then
// sleeps for the `terminationDrainDuration` and then kills any remaining active Envoy processes.
// If not set, a default of `5s` will be applied.
google.protobuf.Duration termination_drain_duration = 29;
google.protobuf.Duration termination_drain_duration = 29;
// The unique identifier for the [service mesh](https://istio.io/docs/reference/glossary/#service-mesh)
// All control planes running in the same service mesh should specify the same mesh ID.
@ -590,7 +587,6 @@ message ProxyConfig {
// resource provision and configuration to reduce cardinality.
ProxyStatsMatcher proxy_stats_matcher = 32;
// Boolean flag for enabling/disabling the holdApplicationUntilProxyStarts behavior.
// This feature adds hooks to delay application startup until the pod proxy
// is ready to accept traffic, mitigating some startup race conditions.
@ -631,7 +627,7 @@ message ProxyConfig {
//
// ```yaml
// proxyHeaders:
// perserveHttp1HeaderCase: true
// preserveHttp1HeaderCase: true
// ```
//
// Some headers are enabled by default, and require explicitly disabling. See below for an example of disabling all default-enabled headers:
@ -664,6 +660,12 @@ message ProxyConfig {
message AttemptCount {
google.protobuf.BoolValue disabled = 1;
}
message XForwardedHost {
google.protobuf.BoolValue enabled = 1;
}
message XForwardedPort {
google.protobuf.BoolValue enabled = 1;
}
message EnvoyDebugHeaders {
google.protobuf.BoolValue disabled = 1;
}
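Review bot: The new `XForwardedHost` and `XForwardedPort` messages have no doc comment, and their only field is `enabled` while the neighbouring `AttemptCount` and `EnvoyDebugHeaders` messages in this hunk use `disabled`. Please add a comment on each message stating that an unset `enabled` means the header is not emitted, so a reader scanning the `ProxyHeaders` sub-messages does not assume the same polarity as the siblings.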
@ -681,22 +683,22 @@ message ProxyConfig {
message SetCurrentClientCertDetails {
// Whether to forward the subject of the client cert. Defaults to true.
google.protobuf.BoolValue subject = 1;
// Whether to forward the entire client cert in URL encoded PEM format. This will appear in the
// XFCC header comma separated from other values with the value Cert="PEM".
// Defaults to false.
google.protobuf.BoolValue cert = 2;
// Whether to forward the entire client cert chain (including the leaf cert) in URL encoded PEM
// format. This will appear in the XFCC header comma separated from other values with the value
// Chain="PEM".
// Defaults to false.
google.protobuf.BoolValue chain = 3;
// Whether to forward the DNS type Subject Alternative Names of the client cert.
// Defaults to true.
google.protobuf.BoolValue dns = 4;
// Whether to forward the URI type Subject Alternative Name of the client cert. Defaults to
// true.
google.protobuf.BoolValue uri = 5;
@ -705,7 +707,7 @@ message ProxyConfig {
// To disable the header, configure either `SANITIZE` (to always remove the header, if present) or `FORWARD_ONLY` (to leave the header as-is).
// By default, `APPEND_FORWARD` will be used.
ForwardClientCertDetails forwarded_client_cert = 1;
// This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET
// This field is valid only when forward_client_cert_details is APPEND_FORWARD or SANITIZE_SET
// and the client connection is mTLS. It specifies the fields in
// the client certificate to be forwarded. Note that `Hash` is always set, and
// `By` is always set when the client certificate presents the URI type Subject Alternative Name value.
@ -736,15 +738,23 @@ message ProxyConfig {
MetadataExchangeHeaders metadata_exchange_headers = 6;
// When true, the original case of HTTP/1.x headers will be preserved
// as they pass through the proxy, rather than normalizing them to lowercase.
// This field is particularly useful for applications that require case-sensitive
// headers for interoperability with downstream systems or APIs that expect specific
// This field is particularly useful for applications that require case-sensitive
// headers for interoperability with downstream systems or APIs that expect specific
// casing.
// The preserve_http1_header_case option only applies to HTTP/1.x traffic, as HTTP/2 requires all headers
// to be lowercase per the protocol specification. Envoy will ignore this field for HTTP/2
// requests and automatically normalize headers to lowercase, ensuring compliance with HTTP/2
// standards.
// The preserve_http1_header_case option only applies to HTTP/1.x traffic, as HTTP/2 requires all headers
// to be lowercase per the protocol specification. Envoy will ignore this field for HTTP/2
// requests and automatically normalize headers to lowercase, ensuring compliance with HTTP/2
// standards.
google.protobuf.BoolValue preserve_http1_header_case = 40;
// Controls the `X-Forwarded-Host` header. If enabled, the `X-Forwarded-Host` header is appended
// with the original host when it is rewritten.
// This header is disabled by default.
XForwardedHost x_forwarded_host = 41;
// Controls the `X-Forwarded-Port` header. If enabled, the `X-Forwarded-Port` header is header with the port value
// client used to connect to Envoy. It will be ignored if the ``x-forwarded-port`` header has been set by any
// trusted proxy in front of Envoy.
// This header is disabled by default.
XForwardedPort x_forwarded_port = 42;
}
}
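Review bot: In the comment on `x_forwarded_port`, the phrase "the `X-Forwarded-Port` header is header with the port value client used to connect to Envoy" is garbled, and the header name is later quoted with double backticks where the rest of the comment uses single ones; something like "is set to the port the client used to connect to Envoy" would read correctly. Both new comments also leave the trust boundary unstated: the `x_forwarded_host` text does not say what happens to an `X-Forwarded-Host` value already supplied by the client, and the `x_forwarded_port` text refers to "any trusted proxy in front of Envoy" without naming the setting that decides which proxies count as trusted. Backends commonly build URLs and redirects from these headers, so the comments should say whether untrusted inbound values are stripped, overwritten or appended to.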

@ -248,6 +248,28 @@ func (this *ProxyConfig_ProxyHeaders_AttemptCount) UnmarshalJSON(b []byte) error
return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
}
// MarshalJSON is a custom marshaler for ProxyConfig_ProxyHeaders_XForwardedHost
func (this *ProxyConfig_ProxyHeaders_XForwardedHost) MarshalJSON() ([]byte, error) {
str, err := ProxyMarshaler.MarshalToString(this)
return []byte(str), err
}
// UnmarshalJSON is a custom unmarshaler for ProxyConfig_ProxyHeaders_XForwardedHost
func (this *ProxyConfig_ProxyHeaders_XForwardedHost) UnmarshalJSON(b []byte) error {
return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
}
// MarshalJSON is a custom marshaler for ProxyConfig_ProxyHeaders_XForwardedPort
func (this *ProxyConfig_ProxyHeaders_XForwardedPort) MarshalJSON() ([]byte, error) {
str, err := ProxyMarshaler.MarshalToString(this)
return []byte(str), err
}
// UnmarshalJSON is a custom unmarshaler for ProxyConfig_ProxyHeaders_XForwardedPort
func (this *ProxyConfig_ProxyHeaders_XForwardedPort) UnmarshalJSON(b []byte) error {
return ProxyUnmarshaler.Unmarshal(bytes.NewReader(b), this)
}
// MarshalJSON is a custom marshaler for ProxyConfig_ProxyHeaders_EnvoyDebugHeaders
func (this *ProxyConfig_ProxyHeaders_EnvoyDebugHeaders) MarshalJSON() ([]byte, error) {
str, err := ProxyMarshaler.MarshalToString(this)

@ -13,17 +13,16 @@
// limitations under the License.
syntax = "proto3";
import "analysis/v1alpha1/message.proto";
import "google/protobuf/timestamp.proto";
// $title: Istio Status
// $description: Common status field for all istio collections.
// $location: https://istio.io/docs/reference/config/meta/v1beta1/istio-status.html
package istio.meta.v1alpha1;
option go_package="istio.io/api/meta/v1alpha1";
import "analysis/v1alpha1/message.proto";
import "google/protobuf/timestamp.proto";
option go_package = "istio.io/api/meta/v1alpha1";
message IstioStatus {
// Current service state of the resource.

@ -8,7 +8,7 @@ import "istio.io/api/networking/v1alpha3"
//
// <!-- crd generation tags
// +cue-gen:DestinationRule:groupName:networking.istio.io
// +cue-gen:DestinationRule:versions:v1beta1,v1alpha3,v1
// +cue-gen:DestinationRule:versions:v1,v1beta1,v1alpha3
// +cue-gen:DestinationRule:annotations:helm.sh/resource-policy=keep
// +cue-gen:DestinationRule:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:DestinationRule:subresource:status
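Review bot: The two `+cue-gen:DestinationRule:versions` lines differ only in the order of the list (`v1beta1,v1alpha3,v1` against `v1,v1beta1,v1alpha3`), and nothing in the hunk says whether the generator treats that order as significant. If the first entry influences the storage or preferred version of the generated CRD, this is a behaviour change and belongs in a release note; if it does not, a line in the commit message saying so would settle it. The same reorder appears in the Gateway, ServiceEntry, Sidecar, VirtualService, WorkloadEntry and WorkloadGroup hunks that follow.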
@ -18,7 +18,7 @@ import "istio.io/api/networking/v1alpha3"
// +cue-gen:DestinationRule:printerColumn:name=Age,type=date,JSONPath=.metadata.creationTimestamp,description="CreationTimestamp is a timestamp
// representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations.
// Clients may not set this value. It is represented in RFC3339 form and is in UTC.
// Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
// Populated by the system. Read-only. Null for lists. For more information, see [Kubernetes API Conventions](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)"
// +cue-gen:DestinationRule:preserveUnknownFields:false
// -->
//
@ -46,6 +46,8 @@ const TrafficPolicy_ProxyProtocol_V1 TrafficPolicy_ProxyProtocol_VERSION = v1alp
// PROXY protocol version 2. Binary format.
const TrafficPolicy_ProxyProtocol_V2 TrafficPolicy_ProxyProtocol_VERSION = v1alpha3.TrafficPolicy_ProxyProtocol_V2
type TrafficPolicy_RetryBudget = v1alpha3.TrafficPolicy_RetryBudget
// A subset of endpoints of a service. Subsets can be used for scenarios
// like A/B testing, or routing to a specific version of a service. Refer
// to [VirtualService](https://istio.io/docs/reference/config/networking/virtual-service/#VirtualService) documentation for examples of using
@ -284,7 +286,7 @@ const ConnectionPoolSettings_HTTPSettings_UPGRADE ConnectionPoolSettings_HTTPSet
//
// The following rule sets a connection pool size of 100 HTTP1 connections
// with no more than 10 req/connection to the "reviews" service. In addition,
// it sets a limit of 1000 concurrent HTTP2 requests and configures upstream
// it sets a limit of 1000 concurrent HTTP/2 requests and configures upstream
// hosts to be scanned every 5 mins so that any host that fails 7 consecutive
// times with a 502, 503, or 504 error code will be ejected for 15 minutes.
//

@ -8,7 +8,7 @@ import "istio.io/api/networking/v1alpha3"
//
// <!-- crd generation tags
// +cue-gen:Gateway:groupName:networking.istio.io
// +cue-gen:Gateway:versions:v1beta1,v1alpha3,v1
// +cue-gen:Gateway:versions:v1,v1beta1,v1alpha3
// +cue-gen:Gateway:annotations:helm.sh/resource-policy=keep
// +cue-gen:Gateway:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:Gateway:subresource:status

@ -8,7 +8,7 @@ import "istio.io/api/networking/v1alpha3"
//
// <!-- crd generation tags
// +cue-gen:ServiceEntry:groupName:networking.istio.io
// +cue-gen:ServiceEntry:versions:v1beta1,v1alpha3,v1
// +cue-gen:ServiceEntry:versions:v1,v1beta1,v1alpha3
// +cue-gen:ServiceEntry:annotations:helm.sh/resource-policy=keep
// +cue-gen:ServiceEntry:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:ServiceEntry:subresource:status

@ -9,7 +9,7 @@ import "istio.io/api/networking/v1alpha3"
//
// <!-- crd generation tags
// +cue-gen:Sidecar:groupName:networking.istio.io
// +cue-gen:Sidecar:versions:v1beta1,v1alpha3,v1
// +cue-gen:Sidecar:versions:v1,v1beta1,v1alpha3
// +cue-gen:Sidecar:annotations:helm.sh/resource-policy=keep
// +cue-gen:Sidecar:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:Sidecar:subresource:status

@ -7,7 +7,7 @@ import "istio.io/api/networking/v1alpha3"
//
// <!-- crd generation tags
// +cue-gen:VirtualService:groupName:networking.istio.io
// +cue-gen:VirtualService:versions:v1beta1,v1alpha3,v1
// +cue-gen:VirtualService:versions:v1,v1beta1,v1alpha3
// +cue-gen:VirtualService:annotations:helm.sh/resource-policy=keep
// +cue-gen:VirtualService:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:VirtualService:subresource:status

@ -7,7 +7,7 @@ import "istio.io/api/networking/v1alpha3"
//
// <!-- crd generation tags
// +cue-gen:WorkloadEntry:groupName:networking.istio.io
// +cue-gen:WorkloadEntry:versions:v1beta1,v1alpha3,v1
// +cue-gen:WorkloadEntry:versions:v1,v1beta1,v1alpha3
// +cue-gen:WorkloadEntry:annotations:helm.sh/resource-policy=keep
// +cue-gen:WorkloadEntry:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:WorkloadEntry:subresource:status

@ -11,7 +11,7 @@ import "istio.io/api/networking/v1alpha3"
//
// <!-- crd generation tags
// +cue-gen:WorkloadGroup:groupName:networking.istio.io
// +cue-gen:WorkloadGroup:versions:v1beta1,v1alpha3,v1
// +cue-gen:WorkloadGroup:versions:v1,v1beta1,v1alpha3
// +cue-gen:WorkloadGroup:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:WorkloadGroup:subresource:status
// +cue-gen:WorkloadGroup:scope:Namespaced

@ -392,7 +392,7 @@ func (ClientTLSSettings_TLSmode) EnumDescriptor() ([]byte, []int) {
//
// <!-- crd generation tags
// +cue-gen:DestinationRule:groupName:networking.istio.io
// +cue-gen:DestinationRule:versions:v1beta1,v1alpha3,v1
// +cue-gen:DestinationRule:versions:v1,v1beta1,v1alpha3
// +cue-gen:DestinationRule:annotations:helm.sh/resource-policy=keep
// +cue-gen:DestinationRule:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:DestinationRule:subresource:status
@ -402,7 +402,7 @@ func (ClientTLSSettings_TLSmode) EnumDescriptor() ([]byte, []int) {
// +cue-gen:DestinationRule:printerColumn:name=Age,type=date,JSONPath=.metadata.creationTimestamp,description="CreationTimestamp is a timestamp
// representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations.
// Clients may not set this value. It is represented in RFC3339 form and is in UTC.
// Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
// Populated by the system. Read-only. Null for lists. For more information, see [Kubernetes API Conventions](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)"
// +cue-gen:DestinationRule:preserveUnknownFields:false
// -->
//
@ -555,6 +555,8 @@ type TrafficPolicy struct {
Tunnel *TrafficPolicy_TunnelSettings `protobuf:"bytes,6,opt,name=tunnel,proto3" json:"tunnel,omitempty"`
// The upstream PROXY protocol settings.
ProxyProtocol *TrafficPolicy_ProxyProtocol `protobuf:"bytes,7,opt,name=proxy_protocol,json=proxyProtocol,proto3" json:"proxy_protocol,omitempty"`
// Specifies a limit on concurrent retries in relation to the number of active requests.
RetryBudget *TrafficPolicy_RetryBudget `protobuf:"bytes,8,opt,name=retry_budget,json=retryBudget,proto3" json:"retry_budget,omitempty"`
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}
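Review bot: The comment on the new `RetryBudget` field does not say what an unset value means. The message type documents defaults of 20% and 3, but from this field alone a reader cannot tell whether a nil `retry_budget` applies those defaults or leaves retries without a budget. That distinction matters to anyone relying on this setting to cap retry amplification against an already struggling upstream. Suggest adding one sentence on the unset behaviour.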
@ -638,6 +640,13 @@ func (x *TrafficPolicy) GetProxyProtocol() *TrafficPolicy_ProxyProtocol {
return nil
}
func (x *TrafficPolicy) GetRetryBudget() *TrafficPolicy_RetryBudget {
if x != nil {
return x.RetryBudget
}
return nil
}
// A subset of endpoints of a service. Subsets can be used for scenarios
// like A/B testing, or routing to a specific version of a service. Refer
// to [VirtualService](https://istio.io/docs/reference/config/networking/virtual-service/#VirtualService) documentation for examples of using
@ -1075,7 +1084,7 @@ func (x *ConnectionPoolSettings) GetHttp() *ConnectionPoolSettings_HTTPSettings
//
// The following rule sets a connection pool size of 100 HTTP1 connections
// with no more than 10 req/connection to the "reviews" service. In addition,
// it sets a limit of 1000 concurrent HTTP2 requests and configures upstream
// it sets a limit of 1000 concurrent HTTP/2 requests and configures upstream
// hosts to be scanned every 5 mins so that any host that fails 7 consecutive
// times with a 502, 503, or 504 error code will be ejected for 15 minutes.
//
@ -1838,7 +1847,7 @@ func (x *TrafficPolicy_TunnelSettings) GetTargetPort() uint32 {
type TrafficPolicy_ProxyProtocol struct {
state protoimpl.MessageState `protogen:"open.v1"`
// The PROXY protocol version to use. See https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt for details.
// The PROXY protocol version to use. See [the protocol spec](https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt) for details.
// By default it is `V1`.
Version TrafficPolicy_ProxyProtocol_VERSION `protobuf:"varint,1,opt,name=version,proto3,enum=istio.networking.v1alpha3.TrafficPolicy_ProxyProtocol_VERSION" json:"version,omitempty"`
unknownFields protoimpl.UnknownFields
@ -1882,6 +1891,71 @@ func (x *TrafficPolicy_ProxyProtocol) GetVersion() TrafficPolicy_ProxyProtocol_V
return TrafficPolicy_ProxyProtocol_V1
}
type TrafficPolicy_RetryBudget struct {
state protoimpl.MessageState `protogen:"open.v1"`
// Specifies the limit on concurrent retries as a percentage of
// the sum of active requests and active pending requests.
// Defaults to 20%.
//
// +kubebuilder:validation:Maximum=100
// +kubebuilder:validation:Minimum=0
Percent *wrappers.DoubleValue `protobuf:"bytes,1,opt,name=percent,proto3" json:"percent,omitempty"`
// Specifies the minimum retry concurrency allowed for the retry budget.
// For example, a budget of 20% with a minimum retry concurrency of 3
// will allow 5 active retries while there are 25 active requests.
// If there are 2 active requests, there are still 3 active retries
// allowed because of the minimum retry concurrency.
//
// Defaults to 3.
MinRetryConcurrency uint32 `protobuf:"varint,2,opt,name=min_retry_concurrency,json=minRetryConcurrency,proto3" json:"min_retry_concurrency,omitempty"`
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
}
func (x *TrafficPolicy_RetryBudget) Reset() {
*x = TrafficPolicy_RetryBudget{}
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[12]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
func (x *TrafficPolicy_RetryBudget) String() string {
return protoimpl.X.MessageStringOf(x)
}
func (*TrafficPolicy_RetryBudget) ProtoMessage() {}
func (x *TrafficPolicy_RetryBudget) ProtoReflect() protoreflect.Message {
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[12]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
ms.StoreMessageInfo(mi)
}
return ms
}
return mi.MessageOf(x)
}
// Deprecated: Use TrafficPolicy_RetryBudget.ProtoReflect.Descriptor instead.
func (*TrafficPolicy_RetryBudget) Descriptor() ([]byte, []int) {
return file_networking_v1alpha3_destination_rule_proto_rawDescGZIP(), []int{1, 3}
}
func (x *TrafficPolicy_RetryBudget) GetPercent() *wrappers.DoubleValue {
if x != nil {
return x.Percent
}
return nil
}
func (x *TrafficPolicy_RetryBudget) GetMinRetryConcurrency() uint32 {
if x != nil {
return x.MinRetryConcurrency
}
return 0
}
// Consistent Hash-based load balancing can be used to provide soft
// session affinity based on HTTP headers, cookies or other
// properties. The affinity to a particular destination host may be
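Review bot: `MinRetryConcurrency` is a plain `uint32` documented as "Defaults to 3", yet `GetMinRetryConcurrency()` returns 0 both when the field is unset and when it is explicitly set to 0. A consumer cannot tell those two cases apart, so either 0 can never be configured or the documented default silently does not apply. `Percent` avoids the problem by using `wrappers.DoubleValue`. Consider `google.protobuf.UInt32Value` for this field in the `.proto` source as well, or document that 0 means "use the default". Two smaller points: `Percent` carries `+kubebuilder:validation` bounds while `MinRetryConcurrency` has none, and the `TrafficPolicy_RetryBudget` type itself has no leading doc comment, unlike the neighbouring message types.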
@ -1910,8 +1984,8 @@ type LoadBalancerSettings_ConsistentHashLB struct {
// *LoadBalancerSettings_ConsistentHashLB_HttpQueryParameterName
HashKey isLoadBalancerSettings_ConsistentHashLB_HashKey `protobuf_oneof:"hash_key"`
// The hash algorithm to use.
// Please refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#ring-hash
// and https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#maglev for
// Please refer to Envoy's [Ring Hash Load Balancer](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#ring-hash)
// and [Maglev Load Balancer](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#maglev) docs for
// considerations on choosing an algorithm.
// Defaults to RingHash if not specified.
//
@ -1930,7 +2004,7 @@ type LoadBalancerSettings_ConsistentHashLB struct {
func (x *LoadBalancerSettings_ConsistentHashLB) Reset() {
*x = LoadBalancerSettings_ConsistentHashLB{}
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[13]
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[14]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -1942,7 +2016,7 @@ func (x *LoadBalancerSettings_ConsistentHashLB) String() string {
func (*LoadBalancerSettings_ConsistentHashLB) ProtoMessage() {}
func (x *LoadBalancerSettings_ConsistentHashLB) ProtoReflect() protoreflect.Message {
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[13]
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[14]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -2105,7 +2179,7 @@ type LoadBalancerSettings_ConsistentHashLB_RingHash struct {
func (x *LoadBalancerSettings_ConsistentHashLB_RingHash) Reset() {
*x = LoadBalancerSettings_ConsistentHashLB_RingHash{}
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[14]
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[15]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -2117,7 +2191,7 @@ func (x *LoadBalancerSettings_ConsistentHashLB_RingHash) String() string {
func (*LoadBalancerSettings_ConsistentHashLB_RingHash) ProtoMessage() {}
func (x *LoadBalancerSettings_ConsistentHashLB_RingHash) ProtoReflect() protoreflect.Message {
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[14]
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[15]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -2154,7 +2228,7 @@ type LoadBalancerSettings_ConsistentHashLB_MagLev struct {
func (x *LoadBalancerSettings_ConsistentHashLB_MagLev) Reset() {
*x = LoadBalancerSettings_ConsistentHashLB_MagLev{}
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[15]
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[16]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -2166,7 +2240,7 @@ func (x *LoadBalancerSettings_ConsistentHashLB_MagLev) String() string {
func (*LoadBalancerSettings_ConsistentHashLB_MagLev) ProtoMessage() {}
func (x *LoadBalancerSettings_ConsistentHashLB_MagLev) ProtoReflect() protoreflect.Message {
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[15]
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[16]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -2208,7 +2282,7 @@ type LoadBalancerSettings_ConsistentHashLB_HTTPCookie struct {
func (x *LoadBalancerSettings_ConsistentHashLB_HTTPCookie) Reset() {
*x = LoadBalancerSettings_ConsistentHashLB_HTTPCookie{}
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[16]
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[17]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -2220,7 +2294,7 @@ func (x *LoadBalancerSettings_ConsistentHashLB_HTTPCookie) String() string {
func (*LoadBalancerSettings_ConsistentHashLB_HTTPCookie) ProtoMessage() {}
func (x *LoadBalancerSettings_ConsistentHashLB_HTTPCookie) ProtoReflect() protoreflect.Message {
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[16]
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[17]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -2287,7 +2361,7 @@ type ConnectionPoolSettings_TCPSettings struct {
func (x *ConnectionPoolSettings_TCPSettings) Reset() {
*x = ConnectionPoolSettings_TCPSettings{}
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[17]
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[18]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -2299,7 +2373,7 @@ func (x *ConnectionPoolSettings_TCPSettings) String() string {
func (*ConnectionPoolSettings_TCPSettings) ProtoMessage() {}
func (x *ConnectionPoolSettings_TCPSettings) ProtoReflect() protoreflect.Message {
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[17]
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[18]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -2355,12 +2429,12 @@ type ConnectionPoolSettings_HTTPSettings struct {
state protoimpl.MessageState `protogen:"open.v1"`
// Maximum number of requests that will be queued while waiting for
// a ready connection pool connection. Default 2^32-1.
// Refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking
// under which conditions a new connection is created for HTTP2.
// Please note that this is applicable to both HTTP/1.1 and HTTP2.
// Refer to [Envoy Circuit Breaking](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking)
// under which conditions a new connection is created for HTTP/2.
// Please note that this is applicable to both HTTP/1.1 and HTTP/2.
Http1MaxPendingRequests int32 `protobuf:"varint,1,opt,name=http1_max_pending_requests,json=http1MaxPendingRequests,proto3" json:"http1_max_pending_requests,omitempty"`
// Maximum number of active requests to a destination. Default 2^32-1.
// Please note that this is applicable to both HTTP/1.1 and HTTP2.
// Please note that this is applicable to both HTTP/1.1 and HTTP/2.
Http2MaxRequests int32 `protobuf:"varint,2,opt,name=http2_max_requests,json=http2MaxRequests,proto3" json:"http2_max_requests,omitempty"`
// Maximum number of requests per connection to a backend. Setting this
// parameter to 1 disables keep alive. Default 0, meaning "unlimited",
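Review bot: The reworded sentence "Refer to [Envoy Circuit Breaking](...) under which conditions a new connection is created for HTTP/2" is still ungrammatical after the edit. Since the line is being touched anyway, "for the conditions under which" would read correctly. It would also help to say why a field named `http1_max_pending_requests` applies to HTTP/2 as well, because the name suggests otherwise and operators sizing this limit may skip it for HTTP/2 upstreams.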
@ -2375,7 +2449,7 @@ type ConnectionPoolSettings_HTTPSettings struct {
// the connection will be closed. If the connection is an HTTP/2
// connection a drain sequence will occur prior to closing the connection.
// Note that request based timeouts mean that HTTP/2 PINGs will not
// keep the connection alive. Applies to both HTTP1.1 and HTTP2 connections.
// keep the connection alive. Applies to both HTTP/1.1 and HTTP/2 connections.
IdleTimeout *duration.Duration `protobuf:"bytes,5,opt,name=idle_timeout,json=idleTimeout,proto3" json:"idle_timeout,omitempty"`
// Specify if http1.1 connection should be upgraded to http2 for the associated destination.
H2UpgradePolicy ConnectionPoolSettings_HTTPSettings_H2UpgradePolicy `protobuf:"varint,6,opt,name=h2_upgrade_policy,json=h2UpgradePolicy,proto3,enum=istio.networking.v1alpha3.ConnectionPoolSettings_HTTPSettings_H2UpgradePolicy" json:"h2_upgrade_policy,omitempty"`
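Review bot: The hunk normalizes "HTTP1.1 and HTTP2" to "HTTP/1.1 and HTTP/2" in the `IdleTimeout` comment, but the `H2UpgradePolicy` comment directly below still reads "http1.1 connection should be upgraded to http2". Worth fixing in the same pass so the generated reference docs use one spelling.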
@ -2392,7 +2466,7 @@ type ConnectionPoolSettings_HTTPSettings struct {
func (x *ConnectionPoolSettings_HTTPSettings) Reset() {
*x = ConnectionPoolSettings_HTTPSettings{}
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[18]
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[19]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -2404,7 +2478,7 @@ func (x *ConnectionPoolSettings_HTTPSettings) String() string {
func (*ConnectionPoolSettings_HTTPSettings) ProtoMessage() {}
func (x *ConnectionPoolSettings_HTTPSettings) ProtoReflect() protoreflect.Message {
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[18]
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[19]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -2497,7 +2571,7 @@ type ConnectionPoolSettings_TCPSettings_TcpKeepalive struct {
func (x *ConnectionPoolSettings_TCPSettings_TcpKeepalive) Reset() {
*x = ConnectionPoolSettings_TCPSettings_TcpKeepalive{}
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[19]
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[20]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -2509,7 +2583,7 @@ func (x *ConnectionPoolSettings_TCPSettings_TcpKeepalive) String() string {
func (*ConnectionPoolSettings_TCPSettings_TcpKeepalive) ProtoMessage() {}
func (x *ConnectionPoolSettings_TCPSettings_TcpKeepalive) ProtoReflect() protoreflect.Message {
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[19]
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[20]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -2570,7 +2644,7 @@ type LocalityLoadBalancerSetting_Distribute struct {
func (x *LocalityLoadBalancerSetting_Distribute) Reset() {
*x = LocalityLoadBalancerSetting_Distribute{}
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[20]
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[21]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -2582,7 +2656,7 @@ func (x *LocalityLoadBalancerSetting_Distribute) String() string {
func (*LocalityLoadBalancerSetting_Distribute) ProtoMessage() {}
func (x *LocalityLoadBalancerSetting_Distribute) ProtoReflect() protoreflect.Message {
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[20]
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[21]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -2632,7 +2706,7 @@ type LocalityLoadBalancerSetting_Failover struct {
func (x *LocalityLoadBalancerSetting_Failover) Reset() {
*x = LocalityLoadBalancerSetting_Failover{}
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[21]
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[22]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@ -2644,7 +2718,7 @@ func (x *LocalityLoadBalancerSetting_Failover) String() string {
func (*LocalityLoadBalancerSetting_Failover) ProtoMessage() {}
func (x *LocalityLoadBalancerSetting_Failover) ProtoReflect() protoreflect.Message {
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[21]
mi := &file_networking_v1alpha3_destination_rule_proto_msgTypes[22]
if x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@ -2684,8 +2758,7 @@ const file_networking_v1alpha3_destination_rule_proto_rawDesc = "" +
"\x0etraffic_policy\x18\x02 \x01(\v2(.istio.networking.v1alpha3.TrafficPolicyR\rtrafficPolicy\x12;\n" +
"\asubsets\x18\x03 \x03(\v2!.istio.networking.v1alpha3.SubsetR\asubsets\x12\x1b\n" +
"\texport_to\x18\x04 \x03(\tR\bexportTo\x12Q\n" +
"\x11workload_selector\x18\x05 \x01(\v2$.istio.type.v1beta1.WorkloadSelectorR\x10workloadSelector\"\x99\n" +
"\n" +
"\x11workload_selector\x18\x05 \x01(\v2$.istio.type.v1beta1.WorkloadSelectorR\x10workloadSelector\"\xed\v\n" +
"\rTrafficPolicy\x12T\n" +
"\rload_balancer\x18\x01 \x01(\v2/.istio.networking.v1alpha3.LoadBalancerSettingsR\floadBalancer\x12Z\n" +
"\x0fconnection_pool\x18\x02 \x01(\v21.istio.networking.v1alpha3.ConnectionPoolSettingsR\x0econnectionPool\x12X\n" +
@ -2693,7 +2766,8 @@ const file_networking_v1alpha3_destination_rule_proto_rawDesc = "" +
"\x03tls\x18\x04 \x01(\v2,.istio.networking.v1alpha3.ClientTLSSettingsR\x03tls\x12j\n" +
"\x13port_level_settings\x18\x05 \x03(\v2:.istio.networking.v1alpha3.TrafficPolicy.PortTrafficPolicyR\x11portLevelSettings\x12O\n" +
"\x06tunnel\x18\x06 \x01(\v27.istio.networking.v1alpha3.TrafficPolicy.TunnelSettingsR\x06tunnel\x12]\n" +
"\x0eproxy_protocol\x18\a \x01(\v26.istio.networking.v1alpha3.TrafficPolicy.ProxyProtocolR\rproxyProtocol\x1a\x9c\x03\n" +
"\x0eproxy_protocol\x18\a \x01(\v26.istio.networking.v1alpha3.TrafficPolicy.ProxyProtocolR\rproxyProtocol\x12W\n" +
"\fretry_budget\x18\b \x01(\v24.istio.networking.v1alpha3.TrafficPolicy.RetryBudgetR\vretryBudget\x1a\x9c\x03\n" +
"\x11PortTrafficPolicy\x12;\n" +
"\x04port\x18\x01 \x01(\v2'.istio.networking.v1alpha3.PortSelectorR\x04port\x12T\n" +
"\rload_balancer\x18\x02 \x01(\v2/.istio.networking.v1alpha3.LoadBalancerSettingsR\floadBalancer\x12Z\n" +
@ -2710,7 +2784,10 @@ const file_networking_v1alpha3_destination_rule_proto_rawDesc = "" +
"\aversion\x18\x01 \x01(\x0e2>.istio.networking.v1alpha3.TrafficPolicy.ProxyProtocol.VERSIONR\aversion\"\x19\n" +
"\aVERSION\x12\x06\n" +
"\x02V1\x10\x00\x12\x06\n" +
"\x02V2\x10\x01\"\xf5\x01\n" +
"\x02V2\x10\x01\x1ay\n" +
"\vRetryBudget\x126\n" +
"\apercent\x18\x01 \x01(\v2\x1c.google.protobuf.DoubleValueR\apercent\x122\n" +
"\x15min_retry_concurrency\x18\x02 \x01(\rR\x13minRetryConcurrency\"\xf5\x01\n" +
"\x06Subset\x12\x18\n" +
"\x04name\x18\x01 \x01(\tB\x04\xe2A\x01\x02R\x04name\x12E\n" +
"\x06labels\x18\x02 \x03(\v2-.istio.networking.v1alpha3.Subset.LabelsEntryR\x06labels\x12O\n" +
@ -2850,7 +2927,7 @@ func file_networking_v1alpha3_destination_rule_proto_rawDescGZIP() []byte {
}
var file_networking_v1alpha3_destination_rule_proto_enumTypes = make([]protoimpl.EnumInfo, 4)
var file_networking_v1alpha3_destination_rule_proto_msgTypes = make([]protoimpl.MessageInfo, 23)
var file_networking_v1alpha3_destination_rule_proto_msgTypes = make([]protoimpl.MessageInfo, 24)
var file_networking_v1alpha3_destination_rule_proto_goTypes = []any{
(TrafficPolicy_ProxyProtocol_VERSION)(0), // 0: istio.networking.v1alpha3.TrafficPolicy.ProxyProtocol.VERSION
(LoadBalancerSettings_SimpleLB)(0), // 1: istio.networking.v1alpha3.LoadBalancerSettings.SimpleLB
@ -2868,28 +2945,29 @@ var file_networking_v1alpha3_destination_rule_proto_goTypes = []any{
(*TrafficPolicy_PortTrafficPolicy)(nil), // 13: istio.networking.v1alpha3.TrafficPolicy.PortTrafficPolicy
(*TrafficPolicy_TunnelSettings)(nil), // 14: istio.networking.v1alpha3.TrafficPolicy.TunnelSettings
(*TrafficPolicy_ProxyProtocol)(nil), // 15: istio.networking.v1alpha3.TrafficPolicy.ProxyProtocol
nil, // 16: istio.networking.v1alpha3.Subset.LabelsEntry
(*LoadBalancerSettings_ConsistentHashLB)(nil), // 17: istio.networking.v1alpha3.LoadBalancerSettings.ConsistentHashLB
(*LoadBalancerSettings_ConsistentHashLB_RingHash)(nil), // 18: istio.networking.v1alpha3.LoadBalancerSettings.ConsistentHashLB.RingHash
(*LoadBalancerSettings_ConsistentHashLB_MagLev)(nil), // 19: istio.networking.v1alpha3.LoadBalancerSettings.ConsistentHashLB.MagLev
(*LoadBalancerSettings_ConsistentHashLB_HTTPCookie)(nil), // 20: istio.networking.v1alpha3.LoadBalancerSettings.ConsistentHashLB.HTTPCookie
(*ConnectionPoolSettings_TCPSettings)(nil), // 21: istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings
(*ConnectionPoolSettings_HTTPSettings)(nil), // 22: istio.networking.v1alpha3.ConnectionPoolSettings.HTTPSettings
(*ConnectionPoolSettings_TCPSettings_TcpKeepalive)(nil), // 23: istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive
(*LocalityLoadBalancerSetting_Distribute)(nil), // 24: istio.networking.v1alpha3.LocalityLoadBalancerSetting.Distribute
(*LocalityLoadBalancerSetting_Failover)(nil), // 25: istio.networking.v1alpha3.LocalityLoadBalancerSetting.Failover
nil, // 26: istio.networking.v1alpha3.LocalityLoadBalancerSetting.Distribute.ToEntry
(*v1beta1.WorkloadSelector)(nil), // 27: istio.type.v1beta1.WorkloadSelector
(*duration.Duration)(nil), // 28: google.protobuf.Duration
(*wrappers.DoubleValue)(nil), // 29: google.protobuf.DoubleValue
(*wrappers.UInt32Value)(nil), // 30: google.protobuf.UInt32Value
(*wrappers.BoolValue)(nil), // 31: google.protobuf.BoolValue
(*PortSelector)(nil), // 32: istio.networking.v1alpha3.PortSelector
(*TrafficPolicy_RetryBudget)(nil), // 16: istio.networking.v1alpha3.TrafficPolicy.RetryBudget
nil, // 17: istio.networking.v1alpha3.Subset.LabelsEntry
(*LoadBalancerSettings_ConsistentHashLB)(nil), // 18: istio.networking.v1alpha3.LoadBalancerSettings.ConsistentHashLB
(*LoadBalancerSettings_ConsistentHashLB_RingHash)(nil), // 19: istio.networking.v1alpha3.LoadBalancerSettings.ConsistentHashLB.RingHash
(*LoadBalancerSettings_ConsistentHashLB_MagLev)(nil), // 20: istio.networking.v1alpha3.LoadBalancerSettings.ConsistentHashLB.MagLev
(*LoadBalancerSettings_ConsistentHashLB_HTTPCookie)(nil), // 21: istio.networking.v1alpha3.LoadBalancerSettings.ConsistentHashLB.HTTPCookie
(*ConnectionPoolSettings_TCPSettings)(nil), // 22: istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings
(*ConnectionPoolSettings_HTTPSettings)(nil), // 23: istio.networking.v1alpha3.ConnectionPoolSettings.HTTPSettings
(*ConnectionPoolSettings_TCPSettings_TcpKeepalive)(nil), // 24: istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive
(*LocalityLoadBalancerSetting_Distribute)(nil), // 25: istio.networking.v1alpha3.LocalityLoadBalancerSetting.Distribute
(*LocalityLoadBalancerSetting_Failover)(nil), // 26: istio.networking.v1alpha3.LocalityLoadBalancerSetting.Failover
nil, // 27: istio.networking.v1alpha3.LocalityLoadBalancerSetting.Distribute.ToEntry
(*v1beta1.WorkloadSelector)(nil), // 28: istio.type.v1beta1.WorkloadSelector
(*duration.Duration)(nil), // 29: google.protobuf.Duration
(*wrappers.DoubleValue)(nil), // 30: google.protobuf.DoubleValue
(*wrappers.UInt32Value)(nil), // 31: google.protobuf.UInt32Value
(*wrappers.BoolValue)(nil), // 32: google.protobuf.BoolValue
(*PortSelector)(nil), // 33: istio.networking.v1alpha3.PortSelector
}
var file_networking_v1alpha3_destination_rule_proto_depIdxs = []int32{
5, // 0: istio.networking.v1alpha3.DestinationRule.traffic_policy:type_name -> istio.networking.v1alpha3.TrafficPolicy
6, // 1: istio.networking.v1alpha3.DestinationRule.subsets:type_name -> istio.networking.v1alpha3.Subset
27, // 2: istio.networking.v1alpha3.DestinationRule.workload_selector:type_name -> istio.type.v1beta1.WorkloadSelector
28, // 2: istio.networking.v1alpha3.DestinationRule.workload_selector:type_name -> istio.type.v1beta1.WorkloadSelector
7, // 3: istio.networking.v1alpha3.TrafficPolicy.load_balancer:type_name -> istio.networking.v1alpha3.LoadBalancerSettings
9, // 4: istio.networking.v1alpha3.TrafficPolicy.connection_pool:type_name -> istio.networking.v1alpha3.ConnectionPoolSettings
10, // 5: istio.networking.v1alpha3.TrafficPolicy.outlier_detection:type_name -> istio.networking.v1alpha3.OutlierDetection
@ -2897,52 +2975,54 @@ var file_networking_v1alpha3_destination_rule_proto_depIdxs = []int32{
13, // 7: istio.networking.v1alpha3.TrafficPolicy.port_level_settings:type_name -> istio.networking.v1alpha3.TrafficPolicy.PortTrafficPolicy
14, // 8: istio.networking.v1alpha3.TrafficPolicy.tunnel:type_name -> istio.networking.v1alpha3.TrafficPolicy.TunnelSettings
15, // 9: istio.networking.v1alpha3.TrafficPolicy.proxy_protocol:type_name -> istio.networking.v1alpha3.TrafficPolicy.ProxyProtocol
16, // 10: istio.networking.v1alpha3.Subset.labels:type_name -> istio.networking.v1alpha3.Subset.LabelsEntry
5, // 11: istio.networking.v1alpha3.Subset.traffic_policy:type_name -> istio.networking.v1alpha3.TrafficPolicy
1, // 12: istio.networking.v1alpha3.LoadBalancerSettings.simple:type_name -> istio.networking.v1alpha3.LoadBalancerSettings.SimpleLB
17, // 13: istio.networking.v1alpha3.LoadBalancerSettings.consistent_hash:type_name -> istio.networking.v1alpha3.LoadBalancerSettings.ConsistentHashLB
12, // 14: istio.networking.v1alpha3.LoadBalancerSettings.locality_lb_setting:type_name -> istio.networking.v1alpha3.LocalityLoadBalancerSetting
28, // 15: istio.networking.v1alpha3.LoadBalancerSettings.warmup_duration_secs:type_name -> google.protobuf.Duration
8, // 16: istio.networking.v1alpha3.LoadBalancerSettings.warmup:type_name -> istio.networking.v1alpha3.WarmupConfiguration
28, // 17: istio.networking.v1alpha3.WarmupConfiguration.duration:type_name -> google.protobuf.Duration
29, // 18: istio.networking.v1alpha3.WarmupConfiguration.minimum_percent:type_name -> google.protobuf.DoubleValue
29, // 19: istio.networking.v1alpha3.WarmupConfiguration.aggression:type_name -> google.protobuf.DoubleValue
21, // 20: istio.networking.v1alpha3.ConnectionPoolSettings.tcp:type_name -> istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings
22, // 21: istio.networking.v1alpha3.ConnectionPoolSettings.http:type_name -> istio.networking.v1alpha3.ConnectionPoolSettings.HTTPSettings
30, // 22: istio.networking.v1alpha3.OutlierDetection.consecutive_local_origin_failures:type_name -> google.protobuf.UInt32Value
30, // 23: istio.networking.v1alpha3.OutlierDetection.consecutive_gateway_errors:type_name -> google.protobuf.UInt32Value
30, // 24: istio.networking.v1alpha3.OutlierDetection.consecutive_5xx_errors:type_name -> google.protobuf.UInt32Value
28, // 25: istio.networking.v1alpha3.OutlierDetection.interval:type_name -> google.protobuf.Duration
28, // 26: istio.networking.v1alpha3.OutlierDetection.base_ejection_time:type_name -> google.protobuf.Duration
3, // 27: istio.networking.v1alpha3.ClientTLSSettings.mode:type_name -> istio.networking.v1alpha3.ClientTLSSettings.TLSmode
31, // 28: istio.networking.v1alpha3.ClientTLSSettings.insecure_skip_verify:type_name -> google.protobuf.BoolValue
24, // 29: istio.networking.v1alpha3.LocalityLoadBalancerSetting.distribute:type_name -> istio.networking.v1alpha3.LocalityLoadBalancerSetting.Distribute
25, // 30: istio.networking.v1alpha3.LocalityLoadBalancerSetting.failover:type_name -> istio.networking.v1alpha3.LocalityLoadBalancerSetting.Failover
31, // 31: istio.networking.v1alpha3.LocalityLoadBalancerSetting.enabled:type_name -> google.protobuf.BoolValue
32, // 32: istio.networking.v1alpha3.TrafficPolicy.PortTrafficPolicy.port:type_name -> istio.networking.v1alpha3.PortSelector
7, // 33: istio.networking.v1alpha3.TrafficPolicy.PortTrafficPolicy.load_balancer:type_name -> istio.networking.v1alpha3.LoadBalancerSettings
9, // 34: istio.networking.v1alpha3.TrafficPolicy.PortTrafficPolicy.connection_pool:type_name -> istio.networking.v1alpha3.ConnectionPoolSettings
10, // 35: istio.networking.v1alpha3.TrafficPolicy.PortTrafficPolicy.outlier_detection:type_name -> istio.networking.v1alpha3.OutlierDetection
11, // 36: istio.networking.v1alpha3.TrafficPolicy.PortTrafficPolicy.tls:type_name -> istio.networking.v1alpha3.ClientTLSSettings
0, // 37: istio.networking.v1alpha3.TrafficPolicy.ProxyProtocol.version:type_name -> istio.networking.v1alpha3.TrafficPolicy.ProxyProtocol.VERSION
20, // 38: istio.networking.v1alpha3.LoadBalancerSettings.ConsistentHashLB.http_cookie:type_name -> istio.networking.v1alpha3.LoadBalancerSettings.ConsistentHashLB.HTTPCookie
18, // 39: istio.networking.v1alpha3.LoadBalancerSettings.ConsistentHashLB.ring_hash:type_name -> istio.networking.v1alpha3.LoadBalancerSettings.ConsistentHashLB.RingHash
19, // 40: istio.networking.v1alpha3.LoadBalancerSettings.ConsistentHashLB.maglev:type_name -> istio.networking.v1alpha3.LoadBalancerSettings.ConsistentHashLB.MagLev
28, // 41: istio.networking.v1alpha3.LoadBalancerSettings.ConsistentHashLB.HTTPCookie.ttl:type_name -> google.protobuf.Duration
28, // 42: istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.connect_timeout:type_name -> google.protobuf.Duration
23, // 43: istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.tcp_keepalive:type_name -> istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive
28, // 44: istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.max_connection_duration:type_name -> google.protobuf.Duration
28, // 45: istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.idle_timeout:type_name -> google.protobuf.Duration
28, // 46: istio.networking.v1alpha3.ConnectionPoolSettings.HTTPSettings.idle_timeout:type_name -> google.protobuf.Duration
2, // 47: istio.networking.v1alpha3.ConnectionPoolSettings.HTTPSettings.h2_upgrade_policy:type_name -> istio.networking.v1alpha3.ConnectionPoolSettings.HTTPSettings.H2UpgradePolicy
28, // 48: istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive.time:type_name -> google.protobuf.Duration
28, // 49: istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive.interval:type_name -> google.protobuf.Duration
26, // 50: istio.networking.v1alpha3.LocalityLoadBalancerSetting.Distribute.to:type_name -> istio.networking.v1alpha3.LocalityLoadBalancerSetting.Distribute.ToEntry
51, // [51:51] is the sub-list for method output_type
51, // [51:51] is the sub-list for method input_type
51, // [51:51] is the sub-list for extension type_name
51, // [51:51] is the sub-list for extension extendee
0, // [0:51] is the sub-list for field type_name
16, // 10: istio.networking.v1alpha3.TrafficPolicy.retry_budget:type_name -> istio.networking.v1alpha3.TrafficPolicy.RetryBudget
17, // 11: istio.networking.v1alpha3.Subset.labels:type_name -> istio.networking.v1alpha3.Subset.LabelsEntry
5, // 12: istio.networking.v1alpha3.Subset.traffic_policy:type_name -> istio.networking.v1alpha3.TrafficPolicy
1, // 13: istio.networking.v1alpha3.LoadBalancerSettings.simple:type_name -> istio.networking.v1alpha3.LoadBalancerSettings.SimpleLB
18, // 14: istio.networking.v1alpha3.LoadBalancerSettings.consistent_hash:type_name -> istio.networking.v1alpha3.LoadBalancerSettings.ConsistentHashLB
12, // 15: istio.networking.v1alpha3.LoadBalancerSettings.locality_lb_setting:type_name -> istio.networking.v1alpha3.LocalityLoadBalancerSetting
29, // 16: istio.networking.v1alpha3.LoadBalancerSettings.warmup_duration_secs:type_name -> google.protobuf.Duration
8, // 17: istio.networking.v1alpha3.LoadBalancerSettings.warmup:type_name -> istio.networking.v1alpha3.WarmupConfiguration
29, // 18: istio.networking.v1alpha3.WarmupConfiguration.duration:type_name -> google.protobuf.Duration
30, // 19: istio.networking.v1alpha3.WarmupConfiguration.minimum_percent:type_name -> google.protobuf.DoubleValue
30, // 20: istio.networking.v1alpha3.WarmupConfiguration.aggression:type_name -> google.protobuf.DoubleValue
22, // 21: istio.networking.v1alpha3.ConnectionPoolSettings.tcp:type_name -> istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings
23, // 22: istio.networking.v1alpha3.ConnectionPoolSettings.http:type_name -> istio.networking.v1alpha3.ConnectionPoolSettings.HTTPSettings
31, // 23: istio.networking.v1alpha3.OutlierDetection.consecutive_local_origin_failures:type_name -> google.protobuf.UInt32Value
31, // 24: istio.networking.v1alpha3.OutlierDetection.consecutive_gateway_errors:type_name -> google.protobuf.UInt32Value
31, // 25: istio.networking.v1alpha3.OutlierDetection.consecutive_5xx_errors:type_name -> google.protobuf.UInt32Value
29, // 26: istio.networking.v1alpha3.OutlierDetection.interval:type_name -> google.protobuf.Duration
29, // 27: istio.networking.v1alpha3.OutlierDetection.base_ejection_time:type_name -> google.protobuf.Duration
3, // 28: istio.networking.v1alpha3.ClientTLSSettings.mode:type_name -> istio.networking.v1alpha3.ClientTLSSettings.TLSmode
32, // 29: istio.networking.v1alpha3.ClientTLSSettings.insecure_skip_verify:type_name -> google.protobuf.BoolValue
25, // 30: istio.networking.v1alpha3.LocalityLoadBalancerSetting.distribute:type_name -> istio.networking.v1alpha3.LocalityLoadBalancerSetting.Distribute
26, // 31: istio.networking.v1alpha3.LocalityLoadBalancerSetting.failover:type_name -> istio.networking.v1alpha3.LocalityLoadBalancerSetting.Failover
32, // 32: istio.networking.v1alpha3.LocalityLoadBalancerSetting.enabled:type_name -> google.protobuf.BoolValue
33, // 33: istio.networking.v1alpha3.TrafficPolicy.PortTrafficPolicy.port:type_name -> istio.networking.v1alpha3.PortSelector
7, // 34: istio.networking.v1alpha3.TrafficPolicy.PortTrafficPolicy.load_balancer:type_name -> istio.networking.v1alpha3.LoadBalancerSettings
9, // 35: istio.networking.v1alpha3.TrafficPolicy.PortTrafficPolicy.connection_pool:type_name -> istio.networking.v1alpha3.ConnectionPoolSettings
10, // 36: istio.networking.v1alpha3.TrafficPolicy.PortTrafficPolicy.outlier_detection:type_name -> istio.networking.v1alpha3.OutlierDetection
11, // 37: istio.networking.v1alpha3.TrafficPolicy.PortTrafficPolicy.tls:type_name -> istio.networking.v1alpha3.ClientTLSSettings
0, // 38: istio.networking.v1alpha3.TrafficPolicy.ProxyProtocol.version:type_name -> istio.networking.v1alpha3.TrafficPolicy.ProxyProtocol.VERSION
30, // 39: istio.networking.v1alpha3.TrafficPolicy.RetryBudget.percent:type_name -> google.protobuf.DoubleValue
21, // 40: istio.networking.v1alpha3.LoadBalancerSettings.ConsistentHashLB.http_cookie:type_name -> istio.networking.v1alpha3.LoadBalancerSettings.ConsistentHashLB.HTTPCookie
19, // 41: istio.networking.v1alpha3.LoadBalancerSettings.ConsistentHashLB.ring_hash:type_name -> istio.networking.v1alpha3.LoadBalancerSettings.ConsistentHashLB.RingHash
20, // 42: istio.networking.v1alpha3.LoadBalancerSettings.ConsistentHashLB.maglev:type_name -> istio.networking.v1alpha3.LoadBalancerSettings.ConsistentHashLB.MagLev
29, // 43: istio.networking.v1alpha3.LoadBalancerSettings.ConsistentHashLB.HTTPCookie.ttl:type_name -> google.protobuf.Duration
29, // 44: istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.connect_timeout:type_name -> google.protobuf.Duration
24, // 45: istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.tcp_keepalive:type_name -> istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive
29, // 46: istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.max_connection_duration:type_name -> google.protobuf.Duration
29, // 47: istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.idle_timeout:type_name -> google.protobuf.Duration
29, // 48: istio.networking.v1alpha3.ConnectionPoolSettings.HTTPSettings.idle_timeout:type_name -> google.protobuf.Duration
2, // 49: istio.networking.v1alpha3.ConnectionPoolSettings.HTTPSettings.h2_upgrade_policy:type_name -> istio.networking.v1alpha3.ConnectionPoolSettings.HTTPSettings.H2UpgradePolicy
29, // 50: istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive.time:type_name -> google.protobuf.Duration
29, // 51: istio.networking.v1alpha3.ConnectionPoolSettings.TCPSettings.TcpKeepalive.interval:type_name -> google.protobuf.Duration
27, // 52: istio.networking.v1alpha3.LocalityLoadBalancerSetting.Distribute.to:type_name -> istio.networking.v1alpha3.LocalityLoadBalancerSetting.Distribute.ToEntry
53, // [53:53] is the sub-list for method output_type
53, // [53:53] is the sub-list for method input_type
53, // [53:53] is the sub-list for extension type_name
53, // [53:53] is the sub-list for extension extendee
0, // [0:53] is the sub-list for field type_name
}
func init() { file_networking_v1alpha3_destination_rule_proto_init() }
@ -2955,7 +3035,7 @@ func file_networking_v1alpha3_destination_rule_proto_init() {
(*LoadBalancerSettings_Simple)(nil),
(*LoadBalancerSettings_ConsistentHash)(nil),
}
file_networking_v1alpha3_destination_rule_proto_msgTypes[13].OneofWrappers = []any{
file_networking_v1alpha3_destination_rule_proto_msgTypes[14].OneofWrappers = []any{
(*LoadBalancerSettings_ConsistentHashLB_HttpHeaderName)(nil),
(*LoadBalancerSettings_ConsistentHashLB_HttpCookie)(nil),
(*LoadBalancerSettings_ConsistentHashLB_UseSourceIp)(nil),
@ -2969,7 +3049,7 @@ func file_networking_v1alpha3_destination_rule_proto_init() {
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: unsafe.Slice(unsafe.StringData(file_networking_v1alpha3_destination_rule_proto_rawDesc), len(file_networking_v1alpha3_destination_rule_proto_rawDesc)),
NumEnums: 4,
NumMessages: 23,
NumMessages: 24,
NumExtensions: 0,
NumServices: 0,
},

View File

@ -6,7 +6,7 @@ layout: protoc-gen-docs
generator: protoc-gen-docs
schema: istio.networking.v1alpha3.DestinationRule
aliases: [/docs/reference/config/networking/v1alpha3/destination-rule]
number_of_entries: 26
number_of_entries: 27
---
<p><code>DestinationRule</code> defines policies that apply to traffic intended for a
service after routing has occurred. These rules specify configuration
@ -267,6 +267,15 @@ Tunnel settings can be applied to TCP or TLS routes and can&rsquo;t be applied t
<td>
<p>The upstream PROXY protocol settings.</p>
</td>
</tr>
<tr id="TrafficPolicy-retry_budget">
<td><div class="field"><div class="name"><code><a href="#TrafficPolicy-retry_budget">retryBudget</a></code></div>
<div class="type"><a href="#TrafficPolicy-RetryBudget">RetryBudget</a></div>
</div></td>
<td>
<p>Specifies a limit on concurrent retries in relation to the number of active requests.</p>
</td>
</tr>
</tbody>
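Review bot: the new `retryBudget` row does not say what happens when the field is omitted. `RetryBudget` documents defaults for its own fields (20% and 3), but "Specifies a limit on concurrent retries in relation to the number of active requests." does not tell a reader whether leaving `retryBudget` unset applies those defaults or applies no budget at all. This page is generated, so please state the unset behaviour in the proto comment on `retry_budget` and regenerate.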
@ -398,7 +407,7 @@ Target host must be an FQDN or IP address.</p>
<div class="type"><a href="#TrafficPolicy-ProxyProtocol-VERSION">VERSION</a></div>
</div></td>
<td>
<p>The PROXY protocol version to use. See <a href="https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt">https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt</a> for details.
<p>The PROXY protocol version to use. See <a href="https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt">the protocol spec</a> for details.
By default it is <code>V1</code>.</p>
</td>
@ -428,6 +437,44 @@ By default it is <code>V1</code>.</p>
<td>
<p>PROXY protocol version 2. Binary format.</p>
</td>
</tr>
</tbody>
</table>
</section>
<h3 id="TrafficPolicy-RetryBudget">RetryBudget</h3>
<section>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="TrafficPolicy-RetryBudget-percent">
<td><div class="field"><div class="name"><code><a href="#TrafficPolicy-RetryBudget-percent">percent</a></code></div>
<div class="type"><a href="https://developers.google.com/protocol-buffers/docs/reference/google.protobuf#doublevalue">DoubleValue</a></div>
</div></td>
<td>
<p>Specifies the limit on concurrent retries as a percentage of
the sum of active requests and active pending requests.
Defaults to 20%.</p>
</td>
</tr>
<tr id="TrafficPolicy-RetryBudget-min_retry_concurrency">
<td><div class="field"><div class="name"><code><a href="#TrafficPolicy-RetryBudget-min_retry_concurrency">minRetryConcurrency</a></code></div>
<div class="type">uint32</div>
</div></td>
<td>
<p>Specifies the minimum retry concurrency allowed for the retry budget.
For example, a budget of 20% with a minimum retry concurrency of 3
will allow 5 active retries while there are 25 active requests.
If there are 2 active requests, there are still 3 active retries
allowed because of the minimum retry concurrency.</p>
<p>Defaults to 3.</p>
</td>
</tr>
</tbody>
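Review bot: the `percent` row gives only "Defaults to 20%." and never states the accepted range, although the proto in this same change bounds the field with `+kubebuilder:validation:Minimum=0` and `+kubebuilder:validation:Maximum=100`. Those markers do not reach the reference page, so a reader cannot tell from the docs whether 20% is written as `20` or `0.2`. Suggest adding the range and unit to the comment text in the proto (for example "a value between 0 and 100") and regenerating.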
@ -1102,9 +1149,9 @@ Default is to use the OS level configuration
<td>
<p>Maximum number of requests that will be queued while waiting for
a ready connection pool connection. Default 2^32-1.
Refer to <a href="https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking">https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking</a>
under which conditions a new connection is created for HTTP2.
Please note that this is applicable to both HTTP/1.1 and HTTP2.</p>
Refer to <a href="https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking">Envoy Circuit Breaking</a>
under which conditions a new connection is created for HTTP/2.
Please note that this is applicable to both HTTP/1.1 and HTTP/2.</p>
</td>
</tr>
@ -1114,7 +1161,7 @@ Please note that this is applicable to both HTTP/1.1 and HTTP2.</p>
</div></td>
<td>
<p>Maximum number of active requests to a destination. Default 2^32-1.
Please note that this is applicable to both HTTP/1.1 and HTTP2.</p>
Please note that this is applicable to both HTTP/1.1 and HTTP/2.</p>
</td>
</tr>
@ -1150,7 +1197,7 @@ If not set, the default is 1 hour. When the idle timeout is reached,
the connection will be closed. If the connection is an HTTP/2
connection a drain sequence will occur prior to closing the connection.
Note that request based timeouts mean that HTTP/2 PINGs will not
keep the connection alive. Applies to both HTTP1.1 and HTTP2 connections.</p>
keep the connection alive. Applies to both HTTP/1.1 and HTTP/2 connections.</p>
</td>
</tr>
@ -1238,7 +1285,7 @@ detection</a>
for more details.</p>
<p>The following rule sets a connection pool size of 100 HTTP1 connections
with no more than 10 req/connection to the &ldquo;reviews&rdquo; service. In addition,
it sets a limit of 1000 concurrent HTTP2 requests and configures upstream
it sets a limit of 1000 concurrent HTTP/2 requests and configures upstream
hosts to be scanned every 5 mins so that any host that fails 7 consecutive
times with a 502, 503, or 504 error code will be ejected for 15 minutes.</p>
<pre><code class="language-yaml">apiVersion: networking.istio.io/v1

View File

@ -13,12 +13,6 @@
// limitations under the License.
syntax = "proto3";
import "google/api/field_behavior.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
import "networking/v1alpha3/virtual_service.proto";
import "type/v1beta1/selector.proto";
// $schema: istio.networking.v1alpha3.DestinationRule
// $title: Destination Rule
// $description: Configuration affecting load balancing, outlier detection, etc.
@ -122,6 +116,12 @@ import "type/v1beta1/selector.proto";
// ```
package istio.networking.v1alpha3;
import "google/api/field_behavior.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
import "networking/v1alpha3/virtual_service.proto";
import "type/v1beta1/selector.proto";
option go_package = "istio.io/api/networking/v1alpha3";
// DestinationRule defines policies that apply to traffic intended for a service
@ -129,7 +129,7 @@ option go_package = "istio.io/api/networking/v1alpha3";
//
// <!-- crd generation tags
// +cue-gen:DestinationRule:groupName:networking.istio.io
// +cue-gen:DestinationRule:versions:v1beta1,v1alpha3,v1
// +cue-gen:DestinationRule:versions:v1,v1beta1,v1alpha3
// +cue-gen:DestinationRule:annotations:helm.sh/resource-policy=keep
// +cue-gen:DestinationRule:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:DestinationRule:subresource:status
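Review bot: the `+cue-gen:DestinationRule:versions` list is reordered from `v1beta1,v1alpha3,v1` to `v1,v1beta1,v1alpha3` with nothing in the surrounding comment explaining why. If the generator derives anything from position in this list, the generated CRD changes with it. Please confirm the regenerated CRD differs only in ordering, or note in the commit message what the reorder is meant to achieve.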
@ -139,7 +139,7 @@ option go_package = "istio.io/api/networking/v1alpha3";
// +cue-gen:DestinationRule:printerColumn:name=Age,type=date,JSONPath=.metadata.creationTimestamp,description="CreationTimestamp is a timestamp
// representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations.
// Clients may not set this value. It is represented in RFC3339 form and is in UTC.
// Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
// Populated by the system. Read-only. Null for lists. For more information, see [Kubernetes API Conventions](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)"
// +cue-gen:DestinationRule:preserveUnknownFields:false
// -->
//
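Review bot: the rewritten last line of the `printerColumn` description puts a Markdown link and a comma inside the quoted `description="..."` value. This text is a CRD printer column description rather than a docs page, so `[Kubernetes API Conventions](...)` will not be rendered as a link there. In addition, "For more information, see" introduces the first comma inside a value on a tag line whose attributes (`name=Age,type=date,JSONPath=...`) are comma-separated. Suggest keeping the plain form ("More info: " followed by the updated URL) here, or checking the generated CRD to confirm the description comes through intact.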
@ -277,14 +277,36 @@ message TrafficPolicy {
// PROXY protocol version 2. Binary format.
V2 = 1;
};
// The PROXY protocol version to use. See https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt for details.
}
// The PROXY protocol version to use. See [the protocol spec](https://www.haproxy.org/download/2.1/doc/proxy-protocol.txt) for details.
// By default it is `V1`.
VERSION version = 1;
}
// The upstream PROXY protocol settings.
ProxyProtocol proxy_protocol = 7;
message RetryBudget {
// Specifies the limit on concurrent retries as a percentage of
// the sum of active requests and active pending requests.
// Defaults to 20%.
//
// +kubebuilder:validation:Maximum=100
// +kubebuilder:validation:Minimum=0
google.protobuf.DoubleValue percent = 1;
// Specifies the minimum retry concurrency allowed for the retry budget.
// For example, a budget of 20% with a minimum retry concurrency of 3
// will allow 5 active retries while there are 25 active requests.
// If there are 2 active requests, there are still 3 active retries
// allowed because of the minimum retry concurrency.
//
// Defaults to 3.
//
uint32 min_retry_concurrency = 2;
}
// Specifies a limit on concurrent retries in relation to the number of active requests.
RetryBudget retry_budget = 8;
}
// A subset of endpoints of a service. Subsets can be used for scenarios
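Review bot: `min_retry_concurrency` is declared as a plain `uint32` in a `proto3` file and documented as "Defaults to 3.", so an explicit 0 cannot be told apart from unset and a user has no way to request a budget without a concurrency floor. `percent` avoids this by using `google.protobuf.DoubleValue`. Either switch this field to `google.protobuf.UInt32Value` (wrappers.proto is already imported) or document that 0 means "use the default". The field also carries none of the `+kubebuilder:validation` markers that `percent` has, and its comment ends with a stray empty `//` line after "Defaults to 3.".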
@ -387,7 +409,7 @@ message LoadBalancerSettings {
UNSPECIFIED = 0;
// Deprecated. Use LEAST_REQUEST instead.
LEAST_CONN = 1 [deprecated=true];
LEAST_CONN = 1 [deprecated = true];
// The random load balancer selects a random healthy host. The random
// load balancer generally performs better than round robin if no health
@ -412,7 +434,7 @@ message LoadBalancerSettings {
// and outperforms ROUND_ROBIN in nearly all cases. Prefer to use
// LEAST_REQUEST as a drop-in replacement for ROUND_ROBIN.
LEAST_REQUEST = 5;
};
}
// Consistent Hash-based load balancing can be used to provide soft
// session affinity based on HTTP headers, cookies or other
@ -431,7 +453,6 @@ message LoadBalancerSettings {
// and consistent hash will only work together when all proxies are in the same locality,
// or a high level load balancer handles locality affinity.
message ConsistentHashLB {
message RingHash {
// The minimum number of virtual nodes to use for the hash
// ring. Defaults to 1024. Larger ring sizes result in more granular
@ -439,7 +460,7 @@ message LoadBalancerSettings {
// pool is larger than the ring size, each host will be assigned a
// single virtual node.
uint64 minimum_ring_size = 1;
};
}
message MagLev {
// The table size for Maglev hashing. This helps in controlling the
@ -448,7 +469,7 @@ message LoadBalancerSettings {
// The table size must be prime number less than 5000011.
// If it is not specified, the default is 65537.
uint64 table_size = 1;
};
}
// Describes a HTTP cookie that will be used as the hash key for the
// Consistent Hash load balancer.
message HTTPCookie {
@ -457,11 +478,11 @@ message LoadBalancerSettings {
// Path to set for the cookie.
string path = 2;
// Lifetime of the cookie. If specified, a cookie with the TTL will be
// generated if the cookie is not present. If the TTL is present and zero,
// generated if the cookie is not present. If the TTL is present and zero,
// the generated cookie will be a session cookie.
// +protoc-gen-crd:duration-validation:none
google.protobuf.Duration ttl = 3;
};
}
// The hash key to use.
oneof hash_key {
@ -477,27 +498,23 @@ message LoadBalancerSettings {
// Hash based on a specific HTTP query parameter.
string http_query_parameter_name = 5;
};
}
// The hash algorithm to use.
// Please refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#ring-hash
// and https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#maglev for
// considerations on choosing an algorithm.
// Defaults to RingHash if not specified.
oneof hash_algorithm {
// The ring/modulo hash load balancer implements consistent hashing to backend hosts.
RingHash ring_hash = 6;
// The Maglev load balancer implements consistent hashing to backend hosts.
MagLev maglev = 7;
};
// The hash algorithm to use.
// Please refer to Envoy's [Ring Hash Load Balancer](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#ring-hash)
// and [Maglev Load Balancer](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/load_balancers#maglev) docs for
// considerations on choosing an algorithm.
// Defaults to RingHash if not specified.
oneof hash_algorithm {
// The ring/modulo hash load balancer implements consistent hashing to backend hosts.
RingHash ring_hash = 6;
// The Maglev load balancer implements consistent hashing to backend hosts.
MagLev maglev = 7;
}
// Deprecated. Use RingHash instead.
uint64 minimum_ring_size = 4 [deprecated=true];
};
// (-- TODO: Enable Subset load balancing after moving to v2 API Also
// look into enabling Priotity based load balancing for spilling over
// from one priority pool to another. --)
uint64 minimum_ring_size = 4 [deprecated = true];
}
// Upstream load balancing policy.
oneof lb_policy {
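Review bot: besides re-indenting `oneof hash_algorithm` and normalising `[deprecated = true]`, this hunk deletes the `(-- TODO: Enable Subset load balancing ... --)` comment that sat above `oneof lb_policy`. That is a content change inside what otherwise reads as a formatting hunk. If the TODO is obsolete, say so in the commit message; otherwise keep it.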
@ -539,6 +556,7 @@ message WarmupConfiguration {
// +kubebuilder:validation:Minimum=1
google.protobuf.DoubleValue aggression = 3;
}
// Connection pool settings for an upstream host. The settings apply to
// each individual host in the upstream service. See Envoy's [circuit
// breaker](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking)
@ -584,7 +602,7 @@ message ConnectionPoolSettings {
// Default is to use the OS level configuration
// (unless overridden, Linux defaults to 75s.)
google.protobuf.Duration interval = 3;
};
}
// Maximum number of HTTP1 /TCP connections to a destination host. Default 2^32-1.
int32 max_connections = 1;
@ -611,19 +629,19 @@ message ConnectionPoolSettings {
// which means also for all weighted routes.
// +protoc-gen-crd:duration-validation:none
google.protobuf.Duration idle_timeout = 5;
};
}
// Settings applicable to HTTP1.1/HTTP2/GRPC connections.
message HTTPSettings {
// Maximum number of requests that will be queued while waiting for
// a ready connection pool connection. Default 2^32-1.
// Refer to https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking
// under which conditions a new connection is created for HTTP2.
// Please note that this is applicable to both HTTP/1.1 and HTTP2.
// Refer to [Envoy Circuit Breaking](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/circuit_breaking)
// under which conditions a new connection is created for HTTP/2.
// Please note that this is applicable to both HTTP/1.1 and HTTP/2.
int32 http1_max_pending_requests = 1;
// Maximum number of active requests to a destination. Default 2^32-1.
// Please note that this is applicable to both HTTP/1.1 and HTTP2.
// Please note that this is applicable to both HTTP/1.1 and HTTP/2.
int32 http2_max_requests = 2;
// Maximum number of requests per connection to a backend. Setting this
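Review bot: the HTTP/1.1 and HTTP/2 spelling cleanup stops short of the message comment at the top of this hunk, which still reads "Settings applicable to HTTP1.1/HTTP2/GRPC connections." The adjacent hunks leave "Maximum number of HTTP1 /TCP connections" and "Policy for upgrading http1.1 connections to http2." in the old style as well. Since the generated reference page is built from these comments, finish the normalisation in the same change so the docs do not mix both spellings.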
@ -641,7 +659,7 @@ message ConnectionPoolSettings {
// the connection will be closed. If the connection is an HTTP/2
// connection a drain sequence will occur prior to closing the connection.
// Note that request based timeouts mean that HTTP/2 PINGs will not
// keep the connection alive. Applies to both HTTP1.1 and HTTP2 connections.
// keep the connection alive. Applies to both HTTP/1.1 and HTTP/2 connections.
google.protobuf.Duration idle_timeout = 5;
// Policy for upgrading http1.1 connections to http2.
@ -654,7 +672,7 @@ message ConnectionPoolSettings {
// Upgrade the connection to http2.
// This opt-in option overrides the default.
UPGRADE = 2;
};
}
// Specify if http1.1 connection should be upgraded to http2 for the associated destination.
H2UpgradePolicy h2_upgrade_policy = 6;
@ -664,9 +682,9 @@ message ConnectionPoolSettings {
bool use_client_protocol = 7;
// The maximum number of concurrent streams allowed for a peer on one HTTP/2 connection.
// Defaults to 2^31-1.
// Defaults to 2^31-1.
int32 max_concurrent_streams = 8;
};
}
// Settings common to both HTTP and TCP upstream connections.
TCPSettings tcp = 1;
@ -686,7 +704,7 @@ message ConnectionPoolSettings {
//
// The following rule sets a connection pool size of 100 HTTP1 connections
// with no more than 10 req/connection to the "reviews" service. In addition,
// it sets a limit of 1000 concurrent HTTP2 requests and configures upstream
// it sets a limit of 1000 concurrent HTTP/2 requests and configures upstream
// hosts to be scanned every 5 mins so that any host that fails 7 consecutive
// times with a 502, 503, or 504 error code will be ejected for 15 minutes.
//
@ -717,7 +735,7 @@ message OutlierDetection {
// is accessed over an opaque TCP connection, connect timeouts and
// connection error/failure events qualify as an error.
// $hide_from_docs
int32 consecutive_errors = 1 [deprecated=true];
int32 consecutive_errors = 1 [deprecated = true];
// Determines whether to distinguish local origin failures from external errors. If set to true
// `consecutiveLocalOriginFailures` is taken into account for outlier detection calculations.
@ -859,7 +877,7 @@ message ClientTLSSettings {
// automatically by Istio for mTLS authentication. When this mode is
// used, all other fields in `ClientTLSSettings` should be empty.
ISTIO_MUTUAL = 3;
};
}
// Indicates whether connections to this port should be secured
// using TLS. The value of this field determines how TLS is enforced.
@ -977,118 +995,118 @@ message ClientTLSSettings {
// - from: us-west
// to: us-east
// ```
message LocalityLoadBalancerSetting{
// Describes how traffic originating in the 'from' zone or sub-zone is
// distributed over a set of 'to' zones. Syntax for specifying a zone is
// {region}/{zone}/{sub-zone} and terminal wildcards are allowed on any
// segment of the specification. Examples:
//
// `*` - matches all localities
//
// `us-west/*` - all zones and sub-zones within the us-west region
//
// `us-west/zone-1/*` - all sub-zones within us-west/zone-1
message Distribute{
// Originating locality, '/' separated, e.g. 'region/zone/sub_zone'.
string from = 1;
message LocalityLoadBalancerSetting {
// Describes how traffic originating in the 'from' zone or sub-zone is
// distributed over a set of 'to' zones. Syntax for specifying a zone is
// {region}/{zone}/{sub-zone} and terminal wildcards are allowed on any
// segment of the specification. Examples:
//
// `*` - matches all localities
//
// `us-west/*` - all zones and sub-zones within the us-west region
//
// `us-west/zone-1/*` - all sub-zones within us-west/zone-1
message Distribute {
// Originating locality, '/' separated, e.g. 'region/zone/sub_zone'.
string from = 1;
// Map of upstream localities to traffic distribution weights. The sum of
// all weights should be 100. Any locality not present will
// receive no traffic.
map<string, uint32> to = 2;
};
// Map of upstream localities to traffic distribution weights. The sum of
// all weights should be 100. Any locality not present will
// receive no traffic.
map<string, uint32> to = 2;
}
// Specify the traffic failover policy across regions. Since zone and sub-zone
// failover is supported by default this only needs to be specified for
// regions when the operator needs to constrain traffic failover so that
// the default behavior of failing over to any endpoint globally does not
// apply. This is useful when failing over traffic across regions would not
// improve service health or may need to be restricted for other reasons
// like regulatory controls.
message Failover{
// Originating region.
string from = 1;
// Specify the traffic failover policy across regions. Since zone and sub-zone
// failover is supported by default this only needs to be specified for
// regions when the operator needs to constrain traffic failover so that
// the default behavior of failing over to any endpoint globally does not
// apply. This is useful when failing over traffic across regions would not
// improve service health or may need to be restricted for other reasons
// like regulatory controls.
message Failover {
// Originating region.
string from = 1;
// Destination region the traffic will fail over to when endpoints in
// the 'from' region becomes unhealthy.
string to = 2;
};
// Destination region the traffic will fail over to when endpoints in
// the 'from' region becomes unhealthy.
string to = 2;
}
// Optional: only one of distribute, failover or failoverPriority can be set.
// Explicitly specify loadbalancing weight across different zones and geographical locations.
// Refer to [Locality weighted load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight)
// If empty, the locality weight is set according to the endpoints number within it.
repeated Distribute distribute = 1;
// Optional: only one of distribute, failover or failoverPriority can be set.
// Explicitly specify loadbalancing weight across different zones and geographical locations.
// Refer to [Locality weighted load balancing](https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/locality_weight)
// If empty, the locality weight is set according to the endpoints number within it.
repeated Distribute distribute = 1;
// Optional: only one of distribute, failover or failoverPriority can be set.
// Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy.
// Should be used together with OutlierDetection to detect unhealthy endpoints.
// Note: if no OutlierDetection specified, this will not take effect.
repeated Failover failover = 2;
// Optional: only one of distribute, failover or failoverPriority can be set.
// Explicitly specify the region traffic will land on when endpoints in local region becomes unhealthy.
// Should be used together with OutlierDetection to detect unhealthy endpoints.
// Note: if no OutlierDetection specified, this will not take effect.
repeated Failover failover = 2;
// failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing.
// This is to support traffic failover across different groups of endpoints.
// Two kinds of labels can be specified:
// - Specify only label keys `[key1, key2, key3]`, istio would compare the label values of client with endpoints.
// Suppose there are total N label keys `[key1, key2, key3, ...keyN]` specified:
//
// 1. Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority.
// 2. Endpoints matching the first N-1 labels with the client proxy have priority P(1) i.e. second highest priority.
// 3. By extension of this logic, endpoints matching only the first label with the client proxy has priority P(N-1) i.e. second lowest priority.
// 4. All the other endpoints have priority P(N) i.e. lowest priority.
//
// - Specify labels with key and value `[key1=value1, key2=value2, key3=value3]`, istio would compare the labels with endpoints.
// Suppose there are total N labels `[key1=value1, key2=value2, key3=value3, ...keyN=valueN]` specified:
//
// 1. Endpoints matching all N labels have priority P(0) i.e. the highest priority.
// 2. Endpoints matching the first N-1 labels have priority P(1) i.e. second highest priority.
// 3. By extension of this logic, endpoints matching only the first label has priority P(N-1) i.e. second lowest priority.
// 4. All the other endpoints have priority P(N) i.e. lowest priority.
//
// Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match.
//
// It can be any label specified on both client and server workloads.
// The following labels which have special semantic meaning are also supported:
//
// - `topology.istio.io/network` is used to match the network metadata of an endpoint, which can be specified by pod/namespace label `topology.istio.io/network`, sidecar env `ISTIO_META_NETWORK` or MeshNetworks.
// - `topology.istio.io/cluster` is used to match the clusterID of an endpoint, which can be specified by pod label `topology.istio.io/cluster` or pod env `ISTIO_META_CLUSTER_ID`.
// - `topology.kubernetes.io/region` is used to match the region metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/region` or the deprecated label `failure-domain.beta.kubernetes.io/region`.
// - `topology.kubernetes.io/zone` is used to match the zone metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/zone` or the deprecated label `failure-domain.beta.kubernetes.io/zone`.
// - `topology.istio.io/subzone` is used to match the subzone metadata of an endpoint, which maps to Istio node label `topology.istio.io/subzone`.
// - `kubernetes.io/hostname` is used to match the current node of an endpoint, which maps to Kubernetes node label `kubernetes.io/hostname`.
//
// The below topology config indicates the following priority levels:
//
// ```yaml
// failoverPriority:
// - "topology.istio.io/network"
// - "topology.kubernetes.io/region"
// - "topology.kubernetes.io/zone"
// - "topology.istio.io/subzone"
// ```
//
// 1. endpoints match same [network, region, zone, subzone] label with the client proxy have the highest priority.
// 2. endpoints have same [network, region, zone] label but different [subzone] label with the client proxy have the second highest priority.
// 3. endpoints have same [network, region] label but different [zone] label with the client proxy have the third highest priority.
// 4. endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority.
// 5. all the other endpoints have the same lowest priority.
//
// Suppose a service associated endpoints reside in multi clusters, the below example represents:
// 1. endpoints in `clusterA` and has `version=v1` label have P(0) priority.
// 2. endpoints not in `clusterA` but has `version=v1` label have P(1) priority.
// 2. all the other endpoints have P(2) priority.
//
// ```yaml
// failoverPriority:
// - "version=v1"
// - "topology.istio.io/cluster=clusterA"
// ```
//
// Optional: only one of distribute, failover or failoverPriority can be set.
// And it should be used together with `OutlierDetection` to detect unhealthy endpoints, otherwise has no effect.
repeated string failover_priority = 4;
// failoverPriority is an ordered list of labels used to sort endpoints to do priority based load balancing.
// This is to support traffic failover across different groups of endpoints.
// Two kinds of labels can be specified:
// - Specify only label keys `[key1, key2, key3]`, istio would compare the label values of client with endpoints.
// Suppose there are total N label keys `[key1, key2, key3, ...keyN]` specified:
//
// 1. Endpoints matching all N labels with the client proxy have priority P(0) i.e. the highest priority.
// 2. Endpoints matching the first N-1 labels with the client proxy have priority P(1) i.e. second highest priority.
// 3. By extension of this logic, endpoints matching only the first label with the client proxy has priority P(N-1) i.e. second lowest priority.
// 4. All the other endpoints have priority P(N) i.e. lowest priority.
//
// - Specify labels with key and value `[key1=value1, key2=value2, key3=value3]`, istio would compare the labels with endpoints.
// Suppose there are total N labels `[key1=value1, key2=value2, key3=value3, ...keyN=valueN]` specified:
//
// 1. Endpoints matching all N labels have priority P(0) i.e. the highest priority.
// 2. Endpoints matching the first N-1 labels have priority P(1) i.e. second highest priority.
// 3. By extension of this logic, endpoints matching only the first label has priority P(N-1) i.e. second lowest priority.
// 4. All the other endpoints have priority P(N) i.e. lowest priority.
//
// Note: For a label to be considered for match, the previous labels must match, i.e. nth label would be considered matched only if first n-1 labels match.
//
// It can be any label specified on both client and server workloads.
// The following labels which have special semantic meaning are also supported:
//
// - `topology.istio.io/network` is used to match the network metadata of an endpoint, which can be specified by pod/namespace label `topology.istio.io/network`, sidecar env `ISTIO_META_NETWORK` or MeshNetworks.
// - `topology.istio.io/cluster` is used to match the clusterID of an endpoint, which can be specified by pod label `topology.istio.io/cluster` or pod env `ISTIO_META_CLUSTER_ID`.
// - `topology.kubernetes.io/region` is used to match the region metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/region` or the deprecated label `failure-domain.beta.kubernetes.io/region`.
// - `topology.kubernetes.io/zone` is used to match the zone metadata of an endpoint, which maps to Kubernetes node label `topology.kubernetes.io/zone` or the deprecated label `failure-domain.beta.kubernetes.io/zone`.
// - `topology.istio.io/subzone` is used to match the subzone metadata of an endpoint, which maps to Istio node label `topology.istio.io/subzone`.
// - `kubernetes.io/hostname` is used to match the current node of an endpoint, which maps to Kubernetes node label `kubernetes.io/hostname`.
//
// The below topology config indicates the following priority levels:
//
// ```yaml
// failoverPriority:
// - "topology.istio.io/network"
// - "topology.kubernetes.io/region"
// - "topology.kubernetes.io/zone"
// - "topology.istio.io/subzone"
// ```
//
// 1. endpoints match same [network, region, zone, subzone] label with the client proxy have the highest priority.
// 2. endpoints have same [network, region, zone] label but different [subzone] label with the client proxy have the second highest priority.
// 3. endpoints have same [network, region] label but different [zone] label with the client proxy have the third highest priority.
// 4. endpoints have same [network] but different [region] labels with the client proxy have the fourth highest priority.
// 5. all the other endpoints have the same lowest priority.
//
// Suppose a service associated endpoints reside in multi clusters, the below example represents:
// 1. endpoints in `clusterA` and has `version=v1` label have P(0) priority.
// 2. endpoints not in `clusterA` but has `version=v1` label have P(1) priority.
// 2. all the other endpoints have P(2) priority.
//
// ```yaml
// failoverPriority:
// - "version=v1"
// - "topology.istio.io/cluster=clusterA"
// ```
//
// Optional: only one of distribute, failover or failoverPriority can be set.
// And it should be used together with `OutlierDetection` to detect unhealthy endpoints, otherwise has no effect.
repeated string failover_priority = 4;
// Enable locality load balancing. This is DestinationRule-level and will override mesh-wide settings in entirety.
// e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh-wide settings is.
google.protobuf.BoolValue enabled = 3;
// Enable locality load balancing. This is DestinationRule-level and will override mesh-wide settings in entirety.
// e.g. true means that turn on locality load balancing for this DestinationRule no matter what mesh-wide settings is.
google.protobuf.BoolValue enabled = 3;
}
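Review bot: in the `failover_priority` comment, the multi-cluster example numbers its items 1, 2, 2, so "all the other endpoints have P(2) priority" should be item 3. The lead sentence would also read better as "Suppose a service's associated endpoints reside in multiple clusters"; both can be fixed while this comment block is being rewritten.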

View File

@ -110,6 +110,27 @@ func (in *TrafficPolicy_ProxyProtocol) DeepCopyInterface() interface{} {
return in.DeepCopy()
}
// DeepCopyInto supports using TrafficPolicy_RetryBudget within kubernetes types, where deepcopy-gen is used.
func (in *TrafficPolicy_RetryBudget) DeepCopyInto(out *TrafficPolicy_RetryBudget) {
p := proto.Clone(in).(*TrafficPolicy_RetryBudget)
*out = *p
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrafficPolicy_RetryBudget. Required by controller-gen.
func (in *TrafficPolicy_RetryBudget) DeepCopy() *TrafficPolicy_RetryBudget {
if in == nil {
return nil
}
out := new(TrafficPolicy_RetryBudget)
in.DeepCopyInto(out)
return out
}
// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new TrafficPolicy_RetryBudget. Required by controller-gen.
func (in *TrafficPolicy_RetryBudget) DeepCopyInterface() interface{} {
return in.DeepCopy()
}
// DeepCopyInto supports using Subset within kubernetes types, where deepcopy-gen is used.
func (in *Subset) DeepCopyInto(out *Subset) {
p := proto.Clone(in).(*Subset)
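Review bot: `TrafficPolicy_RetryBudget.DeepCopyInto` dereferences the result of `proto.Clone(in)` with no nil check on `in`, while `DeepCopy` directly below guards `in == nil`; a direct caller with a nil receiver gets a panic instead of a no-op. The `Subset` function that follows has the same shape, so if this is worth changing, change it in the generator template and not in this generated file.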

View File

@ -61,6 +61,17 @@ func (this *TrafficPolicy_ProxyProtocol) UnmarshalJSON(b []byte) error {
return DestinationRuleUnmarshaler.Unmarshal(bytes.NewReader(b), this)
}
// MarshalJSON is a custom marshaler for TrafficPolicy_RetryBudget
func (this *TrafficPolicy_RetryBudget) MarshalJSON() ([]byte, error) {
str, err := DestinationRuleMarshaler.MarshalToString(this)
return []byte(str), err
}
// UnmarshalJSON is a custom unmarshaler for TrafficPolicy_RetryBudget
func (this *TrafficPolicy_RetryBudget) UnmarshalJSON(b []byte) error {
return DestinationRuleUnmarshaler.Unmarshal(bytes.NewReader(b), this)
}
// MarshalJSON is a custom marshaler for Subset
func (this *Subset) MarshalJSON() ([]byte, error) {
str, err := DestinationRuleMarshaler.MarshalToString(this)

View File

@ -371,7 +371,7 @@ spec:
value:
rate_limits:
actions:
- request_headers:
- request_headers:
header_name: &quot;authorization&quot;
descriptor_key: &quot;jwt&quot;
- request_headers:

View File

@ -14,10 +14,6 @@
syntax = "proto3";
import "google/protobuf/struct.proto";
import "networking/v1alpha3/sidecar.proto";
import "type/v1beta1/selector.proto";
// $schema: istio.networking.v1alpha3.EnvoyFilter
// $title: Envoy Filter
// $description: Customizing Envoy configuration generated by Istio.
@ -418,7 +414,7 @@ import "type/v1beta1/selector.proto";
// value:
// rate_limits:
// actions:
// - request_headers:
// - request_headers:
// header_name: "authorization"
// descriptor_key: "jwt"
// - request_headers:
@ -426,6 +422,10 @@ import "type/v1beta1/selector.proto";
// descriptor_key: "path"
package istio.networking.v1alpha3;
import "google/protobuf/struct.proto";
import "networking/v1alpha3/sidecar.proto";
import "type/v1beta1/selector.proto";
option go_package = "istio.io/api/networking/v1alpha3";
// EnvoyFilter provides a mechanism to customize the Envoy configuration
@ -454,7 +454,6 @@ option go_package = "istio.io/api/networking/v1alpha3";
message EnvoyFilter {
// `ApplyTo` specifies where in the Envoy configuration, the given patch should be applied.
enum ApplyTo {
INVALID = 0;
// Applies the patch to the listener.
@ -497,7 +496,7 @@ message EnvoyFilter {
// Applies the patch to the listener filter.
LISTENER_FILTER = 11;
};
}
// PatchContext selects a class of configurations based on the
// traffic flow direction and workload type.
@ -513,7 +512,7 @@ message EnvoyFilter {
// Gateway listener/route/cluster.
GATEWAY = 3;
};
}
// One or more properties of the proxy to match on.
message ProxyMatch {
@ -534,7 +533,7 @@ message EnvoyFilter {
// values. The match will fail if any of the specified keys are
// absent or the values fail to match.
map<string, string> metadata = 2;
};
}
// Conditions specified in `ClusterMatch` must be met for the patch
// to be applied to a cluster.
@ -560,7 +559,7 @@ message EnvoyFilter {
// cluster, leave all fields in clusterMatch empty, except the
// name.
string name = 4;
};
}
// Conditions specified in RouteConfigurationMatch must be met for
// the patch to be applied to a route configuration object or a
@ -576,15 +575,15 @@ message EnvoyFilter {
// Action refers to the route action taken by Envoy when a http route matches.
enum Action {
// All three route actions
ANY = 0;
// Route traffic to a cluster / weighted clusters.
ROUTE = 1;
// Redirect request.
REDIRECT = 2;
// directly respond to a request with specific payload.
DIRECT_RESPONSE = 3;
};
// All three route actions
ANY = 0;
// Route traffic to a cluster / weighted clusters.
ROUTE = 1;
// Redirect request.
REDIRECT = 2;
// directly respond to a request with specific payload.
DIRECT_RESPONSE = 3;
}
// Match a route with specific action type.
Action action = 2;
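Review bot: style nit in the re-indented `Action` enum: the comment on `DIRECT_RESPONSE` starts in lower case ("directly respond to a request with specific payload.") while its siblings are capitalised, and "All three route actions" on `ANY` has no full stop. These lines are already being rewritten for formatting, so both can be fixed in the same pass.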
@ -601,7 +600,7 @@ message EnvoyFilter {
// Match a domain name in a virtual host. If this domain name is part of
// the list of domains that the virtual host serves, the patch will be
// applied.
string domain_name=3;
string domain_name = 3;
// Match a specific route within the virtual host.
RouteMatch route = 2;
@ -632,7 +631,7 @@ message EnvoyFilter {
// specific route configuration by name, such as the internally
// generated `http_proxy` route configuration for all sidecars.
string name = 5;
};
}
// Conditions specified in a listener match must be met for the
// patch to be applied to a specific listener across all filter
@ -677,10 +676,10 @@ message EnvoyFilter {
// patch to the HTTP connection manager.
FilterMatch filter = 5;
// The destination_port value used by a filter chain's match condition.
// This condition will evaluate to false if the filter chain has no destination_port match.
uint32 destination_port = 6;
};
// The destination_port value used by a filter chain's match condition.
// This condition will evaluate to false if the filter chain has no destination_port match.
uint32 destination_port = 6;
}
// Conditions to match a specific filter within a filter chain.
message FilterMatch {
@ -692,7 +691,7 @@ message EnvoyFilter {
// upon. Typically used for HTTP Connection Manager filters and
// Thrift filters.
SubFilterMatch sub_filter = 2;
};
}
// Conditions to match a specific filter within another
// filter. This field is typically useful to match a HTTP filter
@ -701,7 +700,7 @@ message EnvoyFilter {
message SubFilterMatch {
// The filter name to match on.
string name = 1;
};
}
// The service port/gateway port to which traffic is being
// sent/received. If not specified, matches all listeners. Even though
@ -729,11 +728,10 @@ message EnvoyFilter {
// Match a specific listener by its name. The listeners generated
// by istiod are typically named as IP:Port.
string name = 4;
};
}
// Patch specifies how the selected object should be modified.
message Patch {
// Operation denotes how the patch should be applied to the selected
// configuration.
enum Operation {
@ -826,11 +824,11 @@ message EnvoyFilter {
// Insert filter before Istio stats filters.
STATS = 3;
};
}
// Determines the filter insertion order.
FilterClass filter_class = 3;
};
}
// One or more match conditions to be met before a patch is applied
// to the generated configuration for a given proxy.
@ -851,7 +849,7 @@ message EnvoyFilter {
// Match on envoy cluster attributes.
ClusterMatch cluster = 5;
}
};
}
// Changes to be made to various envoy config objects.
message EnvoyConfigObjectPatch {

View File

@ -370,7 +370,7 @@ func (ServerTLSSettings_TLSProtocol) EnumDescriptor() ([]byte, []int) {
//
// <!-- crd generation tags
// +cue-gen:Gateway:groupName:networking.istio.io
// +cue-gen:Gateway:versions:v1beta1,v1alpha3,v1
// +cue-gen:Gateway:versions:v1,v1beta1,v1alpha3
// +cue-gen:Gateway:annotations:helm.sh/resource-policy=keep
// +cue-gen:Gateway:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:Gateway:subresource:status
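Review bot: the `+cue-gen:Gateway:versions` tag changes order from `v1beta1,v1alpha3,v1` to `v1,v1beta1,v1alpha3` with nothing in the hunk explaining why. Please confirm that the generated CRD keeps the same served and storage versions, and state in the PR description whether the order is significant to the generator. The same reordering appears for ServiceEntry, Sidecar and VirtualService, so one sentence covers all of them.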
@ -783,7 +783,10 @@ type ServerTLSSettings struct {
// +kubebuilder:validation:MaxItems=2
// +kubebuilder:validation:MinItems=1
CredentialNames []string `protobuf:"bytes,14,rep,name=credential_names,json=credentialNames,proto3" json:"credential_names,omitempty"`
// Only one of `server_certificate`, `private_key`, `ca_certificates` or `credential_name`
// For mutual TLS, the name of the secret or the configmap that holds CA certificates.
// Takes precedence over CA certificates in the Secret referenced with `credentialName(s)`.
CaCertCredentialName string `protobuf:"bytes,16,opt,name=ca_cert_credential_name,json=caCertCredentialName,proto3" json:"ca_cert_credential_name,omitempty"`
// Only one of `server_certificate`, `private_key` or `credential_name`
// or `credential_names` or `tls_certificates` should be specified.
// This is mainly used for specifying RSA and ECDSA certificates for the same server.
// +kubebuilder:validation:MaxItems=2
@ -926,6 +929,13 @@ func (x *ServerTLSSettings) GetCredentialNames() []string {
return nil
}
func (x *ServerTLSSettings) GetCaCertCredentialName() string {
if x != nil {
return x.CaCertCredentialName
}
return ""
}
func (x *ServerTLSSettings) GetTlsCertificates() []*ServerTLSSettings_TLSCertificate {
if x != nil {
return x.TlsCertificates
@ -984,9 +994,11 @@ type ServerTLSSettings_TLSCertificate struct {
// REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file
// holding the server's private key.
PrivateKey string `protobuf:"bytes,2,opt,name=private_key,json=privateKey,proto3" json:"private_key,omitempty"`
// $hide_from_docs
// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. The path to a file
// containing certificate authority certificates to use in verifying a presented
// client side certificate.
// $hide_from_docs
CaCertificates string `protobuf:"bytes,3,opt,name=ca_certificates,json=caCertificates,proto3" json:"ca_certificates,omitempty"`
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
@ -1066,7 +1078,7 @@ const file_networking_v1alpha3_gateway_proto_rawDesc = "" +
"\bprotocol\x18\x02 \x01(\tB\x04\xe2A\x01\x02R\bprotocol\x12\x18\n" +
"\x04name\x18\x03 \x01(\tB\x04\xe2A\x01\x02R\x04name\x12#\n" +
"\vtarget_port\x18\x04 \x01(\rB\x02\x18\x01R\n" +
"targetPort\"\xb7\t\n" +
"targetPort\"\xee\t\n" +
"\x11ServerTLSSettings\x12%\n" +
"\x0ehttps_redirect\x18\x01 \x01(\bR\rhttpsRedirect\x12H\n" +
"\x04mode\x18\x02 \x01(\x0e24.istio.networking.v1alpha3.ServerTLSSettings.TLSmodeR\x04mode\x12-\n" +
@ -1077,7 +1089,8 @@ const file_networking_v1alpha3_gateway_proto_rawDesc = "" +
"\x06ca_crl\x18\r \x01(\tR\x05caCrl\x12'\n" +
"\x0fcredential_name\x18\n" +
" \x01(\tR\x0ecredentialName\x12)\n" +
"\x10credential_names\x18\x0e \x03(\tR\x0fcredentialNames\x12f\n" +
"\x10credential_names\x18\x0e \x03(\tR\x0fcredentialNames\x125\n" +
"\x17ca_cert_credential_name\x18\x10 \x01(\tR\x14caCertCredentialName\x12f\n" +
"\x10tls_certificates\x18\x0f \x03(\v2;.istio.networking.v1alpha3.ServerTLSSettings.TLSCertificateR\x0ftlsCertificates\x12*\n" +
"\x11subject_alt_names\x18\x06 \x03(\tR\x0fsubjectAltNames\x126\n" +
"\x17verify_certificate_spki\x18\v \x03(\tR\x15verifyCertificateSpki\x126\n" +

View File

@ -511,6 +511,16 @@ or credentialName can be specified.</p>
<p>Same as CredentialName but for multiple certificates. Mainly used for specifying
RSA and ECDSA certificates for the same server.</p>
</td>
</tr>
<tr id="ServerTLSSettings-ca_cert_credential_name">
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-ca_cert_credential_name">caCertCredentialName</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>For mutual TLS, the name of the secret or the configmap that holds CA certificates.
Takes precedence over CA certificates in the Secret referenced with <code>credentialName(s)</code>.</p>
</td>
</tr>
<tr id="ServerTLSSettings-tls_certificates">
@ -518,7 +528,7 @@ RSA and ECDSA certificates for the same server.</p>
<div class="type"><a href="#ServerTLSSettings-TLSCertificate">TLSCertificate[]</a></div>
</div></td>
<td>
<p>Only one of <code>server_certificate</code>, <code>private_key</code>, <code>ca_certificates</code> or <code>credential_name</code>
<p>Only one of <code>server_certificate</code>, <code>private_key</code> or <code>credential_name</code>
or <code>credential_names</code> or <code>tls_certificates</code> should be specified.
This is mainly used for specifying RSA and ECDSA certificates for the same server.</p>
@ -647,17 +657,6 @@ holding the server-side TLS certificate to use.</p>
<p>REQUIRED if mode is <code>SIMPLE</code> or <code>MUTUAL</code>. The path to the file
holding the server&rsquo;s private key.</p>
</td>
</tr>
<tr id="ServerTLSSettings-TLSCertificate-ca_certificates">
<td><div class="field"><div class="name"><code><a href="#ServerTLSSettings-TLSCertificate-ca_certificates">caCertificates</a></code></div>
<div class="type">string</div>
</div></td>
<td>
<p>REQUIRED if mode is <code>MUTUAL</code> or <code>OPTIONAL_MUTUAL</code>. The path to a file
containing certificate authority certificates to use in verifying a presented
client side certificate.</p>
</td>
</tr>
</tbody>

View File

@ -14,8 +14,6 @@
syntax = "proto3";
import "google/api/field_behavior.proto";
// $schema: istio.networking.v1alpha3.Gateway
// $title: Gateway
// $description: Configuration affecting edge load balancer.
@ -194,6 +192,8 @@ import "google/api/field_behavior.proto";
//
package istio.networking.v1alpha3;
import "google/api/field_behavior.proto";
option go_package = "istio.io/api/networking/v1alpha3";
// Gateway describes a load balancer operating at the edge of the mesh
@ -201,7 +201,7 @@ option go_package = "istio.io/api/networking/v1alpha3";
//
// <!-- crd generation tags
// +cue-gen:Gateway:groupName:networking.istio.io
// +cue-gen:Gateway:versions:v1beta1,v1alpha3,v1
// +cue-gen:Gateway:versions:v1,v1beta1,v1alpha3
// +cue-gen:Gateway:annotations:helm.sh/resource-policy=keep
// +cue-gen:Gateway:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:Gateway:subresource:status
@ -377,7 +377,7 @@ message Port {
// The port number on the endpoint where the traffic will be
// received. Applicable only when used with ServiceEntries.
// $hide_from_docs
uint32 target_port = 4 [deprecated=true];
uint32 target_port = 4 [deprecated = true];
}
// +kubebuilder:validation:XValidation:message="only one of credentialNames or tlsCertificates can be set",rule="oneof(self.tlsCertificates, self.credentialNames)"
@ -433,7 +433,7 @@ message ServerTLSSettings {
// is presented, it will be validated. ca_certificates should
// be specified for validating client certificates.
OPTIONAL_MUTUAL = 5;
};
}
// Optional: Indicates whether connections to this port should be
// secured using TLS. The value of this field determines how TLS is
@ -480,6 +480,10 @@ message ServerTLSSettings {
// +kubebuilder:validation:MinItems=1
repeated string credential_names = 14;
// For mutual TLS, the name of the secret or the configmap that holds CA certificates.
// Takes precedence over CA certificates in the Secret referenced with `credentialName(s)`.
string ca_cert_credential_name = 16;
// TLSCertificate describes the server's TLS certificate.
message TLSCertificate {
// REQUIRED if mode is `SIMPLE` or `MUTUAL`. The path to the file
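Review bot: the comment on the new `ca_cert_credential_name` field leaves the contract underspecified: it does not say which TLS modes honour it, which key of the Secret or ConfigMap the CA bundle is read from, or what happens when the field is set while `mode` is neither `MUTUAL` nor `OPTIONAL_MUTUAL`. Because the field "takes precedence over CA certificates in the Secret referenced with `credentialName(s)`", it changes which client certificates the gateway trusts, so those points should be spelled out, and a validation rule next to the existing `oneof(self.tlsCertificates, self.credentialNames)` one is worth considering. The `OPTIONAL_MUTUAL` comment earlier in this message still says only that `ca_certificates` should be specified and could mention the new field.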
@ -490,13 +494,15 @@ message ServerTLSSettings {
// holding the server's private key.
string private_key = 2;
// $hide_from_docs
// REQUIRED if mode is `MUTUAL` or `OPTIONAL_MUTUAL`. The path to a file
// containing certificate authority certificates to use in verifying a presented
// client side certificate.
// $hide_from_docs
string ca_certificates = 3;
}
// Only one of `server_certificate`, `private_key`, `ca_certificates` or `credential_name`
// Only one of `server_certificate`, `private_key` or `credential_name`
// or `credential_names` or `tls_certificates` should be specified.
// This is mainly used for specifying RSA and ECDSA certificates for the same server.
// +kubebuilder:validation:MaxItems=2
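Review bot: moving `$hide_from_docs` from the top of the `ca_certificates` comment to its last line coincides with the `caCertificates` row disappearing from the generated `TLSCertificate` reference table, yet the comment still marks the field REQUIRED for `MUTUAL` and `OPTIONAL_MUTUAL`. If hiding it is intended, the `tls_certificates` comment should say how a CA bundle is supplied for mutual TLS (for example via `ca_cert_credential_name`, if that applies here); if it is not intended, keep the field documented.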

View File

@ -567,7 +567,7 @@ func (ServiceEntry_Resolution) EnumDescriptor() ([]byte, []int) {
//
// <!-- crd generation tags
// +cue-gen:ServiceEntry:groupName:networking.istio.io
// +cue-gen:ServiceEntry:versions:v1beta1,v1alpha3,v1
// +cue-gen:ServiceEntry:versions:v1,v1beta1,v1alpha3
// +cue-gen:ServiceEntry:annotations:helm.sh/resource-policy=keep
// +cue-gen:ServiceEntry:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:ServiceEntry:subresource:status
@ -1016,7 +1016,7 @@ var File_networking_v1alpha3_service_entry_proto protoreflect.FileDescriptor
const file_networking_v1alpha3_service_entry_proto_rawDesc = "" +
"\n" +
"'networking/v1alpha3/service_entry.proto\x12\x19istio.networking.v1alpha3\x1a\x1fgoogle/api/field_behavior.proto\x1a!networking/v1alpha3/sidecar.proto\x1a(networking/v1alpha3/workload_entry.proto\x1a\x1fanalysis/v1alpha1/message.proto\x1a\x1ameta/v1alpha1/status.proto\"\x87\x05\n" +
"'networking/v1alpha3/service_entry.proto\x12\x19istio.networking.v1alpha3\x1a\x1fanalysis/v1alpha1/message.proto\x1a\x1fgoogle/api/field_behavior.proto\x1a\x1ameta/v1alpha1/status.proto\x1a!networking/v1alpha3/sidecar.proto\x1a(networking/v1alpha3/workload_entry.proto\"\x87\x05\n" +
"\fServiceEntry\x12\x1a\n" +
"\x05hosts\x18\x01 \x03(\tB\x04\xe2A\x01\x02R\x05hosts\x12\x1c\n" +
"\taddresses\x18\x02 \x03(\tR\taddresses\x12<\n" +

View File

@ -14,12 +14,6 @@
syntax = "proto3";
import "google/api/field_behavior.proto";
import "networking/v1alpha3/sidecar.proto";
import "networking/v1alpha3/workload_entry.proto";
import "analysis/v1alpha1/message.proto";
import "meta/v1alpha1/status.proto";
// $schema: istio.networking.v1alpha3.ServiceEntry
// $title: Service Entry
// $description: Configuration affecting service registry.
@ -403,15 +397,20 @@ import "meta/v1alpha1/status.proto";
// ```
package istio.networking.v1alpha3;
option go_package = "istio.io/api/networking/v1alpha3";
import "analysis/v1alpha1/message.proto";
import "google/api/field_behavior.proto";
import "meta/v1alpha1/status.proto";
import "networking/v1alpha3/sidecar.proto";
import "networking/v1alpha3/workload_entry.proto";
option go_package = "istio.io/api/networking/v1alpha3";
// ServiceEntry enables adding additional entries into Istio's internal
// service registry.
//
// <!-- crd generation tags
// +cue-gen:ServiceEntry:groupName:networking.istio.io
// +cue-gen:ServiceEntry:versions:v1beta1,v1alpha3,v1
// +cue-gen:ServiceEntry:versions:v1,v1beta1,v1alpha3
// +cue-gen:ServiceEntry:annotations:helm.sh/resource-policy=keep
// +cue-gen:ServiceEntry:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:ServiceEntry:subresource:status
@ -511,7 +510,7 @@ message ServiceEntry {
// mesh to include unmanaged infrastructure (e.g., VMs added to a
// Kubernetes based service mesh).
MESH_INTERNAL = 1;
};
}
// Specify whether the service should be considered external to the mesh
// or part of the mesh.
@ -559,7 +558,7 @@ message ServiceEntry {
// specified in the hosts field, if wildcards are not used. DNS resolution
// cannot be used with Unix domain socket endpoints.
DNS_ROUND_ROBIN = 3;
};
}
// Service resolution mode for the hosts. Care must be taken
// when setting the resolution mode to NONE for a TCP port without
@ -659,11 +658,10 @@ message ServiceEntryStatus {
}
// A minor abstraction to allow for adding hostnames if relevant.
message ServiceEntryAddress{
message ServiceEntryAddress {
// The address (e.g. 192.168.0.2)
string value = 1;
// The host name associated with this address
string host = 2;
}

View File

@ -488,7 +488,7 @@ func (OutboundTrafficPolicy_Mode) EnumDescriptor() ([]byte, []int) {
//
// <!-- crd generation tags
// +cue-gen:Sidecar:groupName:networking.istio.io
// +cue-gen:Sidecar:versions:v1beta1,v1alpha3,v1
// +cue-gen:Sidecar:versions:v1,v1beta1,v1alpha3
// +cue-gen:Sidecar:annotations:helm.sh/resource-policy=keep
// +cue-gen:Sidecar:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:Sidecar:subresource:status

View File

@ -14,11 +14,6 @@
syntax = "proto3";
import "google/api/field_behavior.proto";
import "networking/v1alpha3/destination_rule.proto";
import "networking/v1alpha3/gateway.proto";
import "networking/v1alpha3/virtual_service.proto";
// $schema: istio.networking.v1alpha3.Sidecar
// $title: Sidecar
// $description: Configuration affecting network reachability of a sidecar.
@ -352,6 +347,11 @@ import "networking/v1alpha3/virtual_service.proto";
// ```
package istio.networking.v1alpha3;
import "google/api/field_behavior.proto";
import "networking/v1alpha3/destination_rule.proto";
import "networking/v1alpha3/gateway.proto";
import "networking/v1alpha3/virtual_service.proto";
option go_package = "istio.io/api/networking/v1alpha3";
// `Sidecar` describes the configuration of the sidecar proxy that mediates
@ -360,7 +360,7 @@ option go_package = "istio.io/api/networking/v1alpha3";
//
// <!-- crd generation tags
// +cue-gen:Sidecar:groupName:networking.istio.io
// +cue-gen:Sidecar:versions:v1beta1,v1alpha3,v1
// +cue-gen:Sidecar:versions:v1,v1beta1,v1alpha3
// +cue-gen:Sidecar:annotations:helm.sh/resource-policy=keep
// +cue-gen:Sidecar:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:Sidecar:subresource:status
@ -599,7 +599,6 @@ message OutboundTrafficPolicy {
Destination egress_proxy = 2;
}
// `CaptureMode` describes how traffic to a listener is expected to be
// captured. Applicable only when the listener is bound to an IP.
enum CaptureMode {
@ -634,5 +633,5 @@ message SidecarPort {
// Has no effect, only for backwards compatibility
// received. Applicable only when used with ServiceEntries.
// $hide_from_docs
uint32 target_port = 4 [deprecated=true];
uint32 target_port = 4 [deprecated = true];
}
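Review bot: the comment above `target_port` in `SidecarPort` reads "Has no effect, only for backwards compatibility" followed by the orphaned fragment "received. Applicable only when used with ServiceEntries.", which looks like a leftover from the `Port` message comment. This hunk already touches the field, so the fragment can be dropped here.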

View File

@ -240,7 +240,7 @@ func (CorsPolicy_UnmatchedPreflights) EnumDescriptor() ([]byte, []int) {
//
// <!-- crd generation tags
// +cue-gen:VirtualService:groupName:networking.istio.io
// +cue-gen:VirtualService:versions:v1beta1,v1alpha3,v1
// +cue-gen:VirtualService:versions:v1,v1beta1,v1alpha3
// +cue-gen:VirtualService:annotations:helm.sh/resource-policy=keep
// +cue-gen:VirtualService:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:VirtualService:subresource:status
@ -698,7 +698,7 @@ type HTTPRoute struct {
//
// ```yaml
// attempts: 2
// retryOn: "connect-failure,refused-stream,unavailable,cancelled,503"
// retryOn: "connect-failure,refused-stream,unavailable,cancelled"
// ```
//
// This can be customized in [`Mesh Config` `defaultHttpRetryPolicy`](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig).
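Review bot: the documented default `retryOn` drops `503`, which is a statement about behaviour and not a formatting fix. Please confirm that the comment matches the default the control plane actually applies, and add a release note, because readers who relied on the documented `503` retry otherwise get no signal that the default differs. The generated HTML reference carries the same change.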
@ -1392,6 +1392,9 @@ type HTTPMatchRequest struct {
// with the given labels. If the VirtualService has a list of gateways specified
// in the top-level `gateways` field, it must include the reserved gateway
// `mesh` for this field to be applicable.
//
// **Note:** This is not a runtime match, but is a selector; it filters which workloads the
// VirtualService applies to.
SourceLabels map[string]string `protobuf:"bytes,7,rep,name=source_labels,json=sourceLabels,proto3" json:"source_labels,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
// Names of gateways where the rule should be applied. Gateway names
// in the top-level `gateways` field of the VirtualService (if any) are overridden. The gateway
@ -1425,6 +1428,9 @@ type HTTPMatchRequest struct {
// Source namespace constraining the applicability of a rule to workloads in that namespace.
// If the VirtualService has a list of gateways specified in the top-level `gateways` field,
// it must include the reserved gateway `mesh` for this field to be applicable.
//
// **Note:** This is not a runtime match, but is a selector; it filters which workloads the
// VirtualService applies to.
SourceNamespace string `protobuf:"bytes,13,opt,name=source_namespace,json=sourceNamespace,proto3" json:"source_namespace,omitempty"`
// The human readable prefix to use when emitting statistics for this route.
// The statistics are generated with prefix route.<stat_prefix>.
@ -1786,6 +1792,9 @@ type L4MatchAttributes struct {
// workloads with the given labels. If the VirtualService has a list of
// gateways specified in the top-level `gateways` field, it should include the reserved gateway
// `mesh` in order for this field to be applicable.
//
// **Note:** This is not a runtime match, but is a selector; it filters which workloads the
// VirtualService applies to.
SourceLabels map[string]string `protobuf:"bytes,4,rep,name=source_labels,json=sourceLabels,proto3" json:"source_labels,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
// Names of gateways where the rule should be applied. Gateway names
// in the top-level `gateways` field of the VirtualService (if any) are overridden. The gateway
@ -1794,6 +1803,9 @@ type L4MatchAttributes struct {
// Source namespace constraining the applicability of a rule to workloads in that namespace.
// If the VirtualService has a list of gateways specified in the top-level `gateways` field,
// it must include the reserved gateway `mesh` for this field to be applicable.
//
// **Note:** This is not a runtime match, but is a selector; it filters which workloads the
// VirtualService applies to.
SourceNamespace string `protobuf:"bytes,6,opt,name=source_namespace,json=sourceNamespace,proto3" json:"source_namespace,omitempty"`
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache
@ -1891,6 +1903,9 @@ type TLSMatchAttributes struct {
// workloads with the given labels. If the VirtualService has a list of
// gateways specified in the top-level `gateways` field, it should include the reserved gateway
// `mesh` in order for this field to be applicable.
//
// **Note:** This is not a runtime match, but is a selector; it filters which workloads the
// VirtualService applies to.
SourceLabels map[string]string `protobuf:"bytes,5,rep,name=source_labels,json=sourceLabels,proto3" json:"source_labels,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"`
// Names of gateways where the rule should be applied. Gateway names
// in the top-level `gateways` field of the VirtualService (if any) are overridden. The gateway
@ -1899,6 +1914,9 @@ type TLSMatchAttributes struct {
// Source namespace constraining the applicability of a rule to workloads in that namespace.
// If the VirtualService has a list of gateways specified in the top-level `gateways` field,
// it must include the reserved gateway `mesh` for this field to be applicable.
//
// **Note:** This is not a runtime match, but is a selector; it filters which workloads the
// VirtualService applies to.
SourceNamespace string `protobuf:"bytes,7,opt,name=source_namespace,json=sourceNamespace,proto3" json:"source_namespace,omitempty"`
unknownFields protoimpl.UnknownFields
sizeCache protoimpl.SizeCache

View File

@ -504,7 +504,7 @@ Redirect primitive. Rewrite will be performed before forwarding.</p>
<p>Retry policy for HTTP requests.</p>
<p>Note: the default cluster-wide retry policy, if not specified, is:</p>
<pre><code class="language-yaml">attempts: 2
retryOn: &quot;connect-failure,refused-stream,unavailable,cancelled,503&quot;
retryOn: &quot;connect-failure,refused-stream,unavailable,cancelled&quot;
</code></pre>
<p>This can be customized in <a href="https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig"><code>Mesh Config</code> <code>defaultHttpRetryPolicy</code></a>.</p>
@ -1086,6 +1086,8 @@ in these cases it is not required to explicitly select the port.</p>
with the given labels. If the VirtualService has a list of gateways specified
in the top-level <code>gateways</code> field, it must include the reserved gateway
<code>mesh</code> for this field to be applicable.</p>
<p><strong>Note:</strong> This is not a runtime match, but is a selector; it filters which workloads the
VirtualService applies to.</p>
</td>
</tr>
@ -1158,6 +1160,8 @@ If a header is matched with a matching rule among withoutHeader, the traffic bec
<p>Source namespace constraining the applicability of a rule to workloads in that namespace.
If the VirtualService has a list of gateways specified in the top-level <code>gateways</code> field,
it must include the reserved gateway <code>mesh</code> for this field to be applicable.</p>
<p><strong>Note:</strong> This is not a runtime match, but is a selector; it filters which workloads the
VirtualService applies to.</p>
</td>
</tr>
@ -1361,6 +1365,8 @@ in these cases it is not required to explicitly select the port.</p>
workloads with the given labels. If the VirtualService has a list of
gateways specified in the top-level <code>gateways</code> field, it should include the reserved gateway
<code>mesh</code> in order for this field to be applicable.</p>
<p><strong>Note:</strong> This is not a runtime match, but is a selector; it filters which workloads the
VirtualService applies to.</p>
</td>
</tr>
@ -1383,6 +1389,8 @@ match is independent of sourceLabels.</p>
<p>Source namespace constraining the applicability of a rule to workloads in that namespace.
If the VirtualService has a list of gateways specified in the top-level <code>gateways</code> field,
it must include the reserved gateway <code>mesh</code> for this field to be applicable.</p>
<p><strong>Note:</strong> This is not a runtime match, but is a selector; it filters which workloads the
VirtualService applies to.</p>
</td>
</tr>
@ -1445,6 +1453,8 @@ port.</p>
workloads with the given labels. If the VirtualService has a list of
gateways specified in the top-level <code>gateways</code> field, it should include the reserved gateway
<code>mesh</code> in order for this field to be applicable.</p>
<p><strong>Note:</strong> This is not a runtime match, but is a selector; it filters which workloads the
VirtualService applies to.</p>
</td>
</tr>
@ -1467,6 +1477,8 @@ match is independent of sourceLabels.</p>
<p>Source namespace constraining the applicability of a rule to workloads in that namespace.
If the VirtualService has a list of gateways specified in the top-level <code>gateways</code> field,
it must include the reserved gateway <code>mesh</code> for this field to be applicable.</p>
<p><strong>Note:</strong> This is not a runtime match, but is a selector; it filters which workloads the
VirtualService applies to.</p>
</td>
</tr>

View File

@ -14,10 +14,6 @@
syntax = "proto3";
import "google/api/field_behavior.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
// $schema: istio.networking.v1alpha3.VirtualService
// $title: Virtual Service
// $description: Configuration affecting label/content routing, sni routing, etc.
@ -117,13 +113,17 @@ import "google/protobuf/wrappers.proto";
//
package istio.networking.v1alpha3;
import "google/api/field_behavior.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
option go_package = "istio.io/api/networking/v1alpha3";
// Configuration affecting traffic routing.
//
// <!-- crd generation tags
// +cue-gen:VirtualService:groupName:networking.istio.io
// +cue-gen:VirtualService:versions:v1beta1,v1alpha3,v1
// +cue-gen:VirtualService:versions:v1,v1beta1,v1alpha3
// +cue-gen:VirtualService:annotations:helm.sh/resource-policy=keep
// +cue-gen:VirtualService:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:VirtualService:subresource:status
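Review bot: the reordering of `+cue-gen:VirtualService:versions` to `v1,v1beta1,v1alpha3` has no comment explaining that the order is significant. If the first entry is what selects the CRD storage version, which the "storageVersion for networking APIs to v1" release note in this compare suggests, say so in a comment next to the tag so a later alphabetical or cosmetic reorder does not silently change it. The release note should also tell operators what to expect on downgrade to a release that stores a different version.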
@ -450,7 +450,7 @@ message HTTPRoute {
//
// ```yaml
// attempts: 2
// retryOn: "connect-failure,refused-stream,unavailable,cancelled,503"
// retryOn: "connect-failure,refused-stream,unavailable,cancelled"
// ```
//
// This can be customized in [`Mesh Config` `defaultHttpRetryPolicy`](https://istio.io/latest/docs/reference/config/istio.mesh.v1alpha1/#MeshConfig).
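Review bot: the documented default `retryOn` loses `503` in this comment block, and nothing in the hunk says whether the proxy default itself changed or the documentation was simply wrong before. If behaviour changed, workloads that relied on the implicit retry of 503 responses will see more failures surface to callers, so it deserves its own release note. If only the documentation is being corrected, say that in the commit message.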
@ -482,7 +482,7 @@ message HTTPRoute {
// double `mirror_percentage` field instead
// $hide_from_docs
// +kubebuilder:altName=mirror_percent
google.protobuf.UInt32Value mirror_percent = 18 [deprecated=true];
google.protobuf.UInt32Value mirror_percent = 18 [deprecated = true];
// Percentage of the traffic to be mirrored by the `mirror` field.
// If this field is absent, all the traffic (100%) will be mirrored.
@ -495,7 +495,7 @@ message HTTPRoute {
CorsPolicy cors_policy = 10;
reserved 11 to 15;
reserved "append_headers", "remove_response_headers", "append_response_headers","remove_request_headers", "append_request_headers";
reserved "append_headers", "remove_response_headers", "append_response_headers", "remove_request_headers", "append_request_headers";
// Header manipulation rules
Headers headers = 16;
@ -504,7 +504,6 @@ message HTTPRoute {
// Next available field number: 23
}
// Describes the delegate VirtualService.
// The following routing rules forward the traffic to `/productpage` by a delegate VirtualService named `productpage`,
// forward the traffic to `/reviews` by a delegate VirtualService named `reviews`.
@ -573,7 +572,6 @@ message Delegate {
string namespace = 2;
}
// Message headers can be manipulated when Envoy forwards requests to,
// or responses from, a destination service. Header manipulation rules can
// be specified for a specific route destination or for all destinations.
@ -817,6 +815,9 @@ message HTTPMatchRequest {
// with the given labels. If the VirtualService has a list of gateways specified
// in the top-level `gateways` field, it must include the reserved gateway
// `mesh` for this field to be applicable.
//
// **Note:** This is not a runtime match, but is a selector; it filters which workloads the
// VirtualService applies to.
map<string, string> source_labels = 7;
// Names of gateways where the rule should be applied. Gateway names
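Review bot: the added note on `source_labels` says what the field is not ("not a runtime match") but leaves "selector" for the reader to interpret. One more sentence stating that the rule is placed in the configuration of the matching source workloads, rather than evaluated against each request's caller, would make it concrete. Without it, readers may still treat `source_labels` and `source_namespace` as a per-request check on the client.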
@ -855,6 +856,9 @@ message HTTPMatchRequest {
// Source namespace constraining the applicability of a rule to workloads in that namespace.
// If the VirtualService has a list of gateways specified in the top-level `gateways` field,
// it must include the reserved gateway `mesh` for this field to be applicable.
//
// **Note:** This is not a runtime match, but is a selector; it filters which workloads the
// VirtualService applies to.
string source_namespace = 13;
// The human readable prefix to use when emitting statistics for this route.
@ -983,6 +987,9 @@ message L4MatchAttributes {
// workloads with the given labels. If the VirtualService has a list of
// gateways specified in the top-level `gateways` field, it should include the reserved gateway
// `mesh` in order for this field to be applicable.
//
// **Note:** This is not a runtime match, but is a selector; it filters which workloads the
// VirtualService applies to.
map<string, string> source_labels = 4;
// Names of gateways where the rule should be applied. Gateway names
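Review bot: in `L4MatchAttributes.source_labels` the context reads "it should include the reserved gateway `mesh` in order for this field to be applicable", while the `HTTPMatchRequest` and `source_namespace` comments touched in the same change say "it must include". Since these comments are being edited anyway, pick one wording for all of them (the same applies to `TLSMatchAttributes.source_labels`); "must" matches the behaviour the other comments describe.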
@ -993,6 +1000,9 @@ message L4MatchAttributes {
// Source namespace constraining the applicability of a rule to workloads in that namespace.
// If the VirtualService has a list of gateways specified in the top-level `gateways` field,
// it must include the reserved gateway `mesh` for this field to be applicable.
//
// **Note:** This is not a runtime match, but is a selector; it filters which workloads the
// VirtualService applies to.
string source_namespace = 6;
}
@ -1021,6 +1031,9 @@ message TLSMatchAttributes {
// workloads with the given labels. If the VirtualService has a list of
// gateways specified in the top-level `gateways` field, it should include the reserved gateway
// `mesh` in order for this field to be applicable.
//
// **Note:** This is not a runtime match, but is a selector; it filters which workloads the
// VirtualService applies to.
map<string, string> source_labels = 5;
// Names of gateways where the rule should be applied. Gateway names
@ -1031,6 +1044,9 @@ message TLSMatchAttributes {
// Source namespace constraining the applicability of a rule to workloads in that namespace.
// If the VirtualService has a list of gateways specified in the top-level `gateways` field,
// it must include the reserved gateway `mesh` for this field to be applicable.
//
// **Note:** This is not a runtime match, but is a selector; it filters which workloads the
// VirtualService applies to.
string source_namespace = 7;
}
@ -1244,7 +1260,6 @@ message RegexRewrite {
// case-sensitive. `regex` matching supports case-insensitive matches.
message StringMatch {
oneof match_type {
// exact string match
string exact = 1;
@ -1321,7 +1336,7 @@ message HTTPRetry {
// Specifies the minimum duration between retry attempts.
// If unset, default minimum duration of 25ms is used as base interval for exponetial backoff.
// This has an impact on the total number of retries that will be attempted based on the `attempts` field
// and route timeout. For example, with attempts is set to 3, backoff to 2s and timeout to 3s, the request will
// and route timeout. For example, with attempts is set to 3, backoff to 2s and timeout to 3s, the request will
// be retried only once.
google.protobuf.Duration backoff = 6;
}
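Review bot: the `backoff` comment line touched here still reads "with attempts is set to 3", and the line above it has "exponetial". As this hunk already rewrites the line for whitespace, fix both: "with attempts set to 3" and "exponential backoff".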
@ -1364,7 +1379,7 @@ message CorsPolicy {
// content will be serialized into the Access-Control-Allow-Origin
// header. Wildcard * will allow all origins.
// $hide_from_docs
repeated string allow_origin = 1 [deprecated=true];
repeated string allow_origin = 1 [deprecated = true];
// String patterns that match allowed origins.
// An origin is allowed if any of the string matchers match.
@ -1392,8 +1407,8 @@ message CorsPolicy {
// `Access-Control-Allow-Credentials` header.
google.protobuf.BoolValue allow_credentials = 6;
// Indicates whether preflight requests not matching the configured
// allowed origin shouldn't be forwarded to the upstream.
// Indicates whether preflight requests not matching the configured
// allowed origin shouldn't be forwarded to the upstream.
// Default is forward to upstream.
UnmatchedPreflights unmatched_preflights = 8;
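Review bot: the `unmatched_preflights` comment is only re-spaced here, but its wording is a double negative ("Indicates whether preflight requests not matching the configured allowed origin shouldn't be forwarded") followed by "Default is forward to upstream". For a CORS control, state it positively, for example "Controls whether preflight requests whose origin does not match are forwarded to the upstream or ignored. Defaults to forwarding.", so the default is unambiguous.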
@ -1461,7 +1476,7 @@ message HTTPFaultInjection {
// Percentage of requests on which the delay will be injected (0-100).
// Use of integer `percent` value is deprecated. Use the double `percentage`
// field instead.
int32 percent = 1 [deprecated=true];
int32 percent = 1 [deprecated = true];
oneof http_delay_type {
// Add a fixed delay before forwarding the request. Format:
@ -1469,7 +1484,7 @@ message HTTPFaultInjection {
google.protobuf.Duration fixed_delay = 2;
// $hide_from_docs
google.protobuf.Duration exponential_delay = 3 ;
google.protobuf.Duration exponential_delay = 3;
}
// Percentage of requests on which the delay will be injected.

View File

@ -172,7 +172,7 @@ const (
//
// <!-- crd generation tags
// +cue-gen:WorkloadEntry:groupName:networking.istio.io
// +cue-gen:WorkloadEntry:versions:v1beta1,v1alpha3,v1
// +cue-gen:WorkloadEntry:versions:v1,v1beta1,v1alpha3
// +cue-gen:WorkloadEntry:annotations:helm.sh/resource-policy=keep
// +cue-gen:WorkloadEntry:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:WorkloadEntry:subresource:status

View File

@ -129,9 +129,9 @@ syntax = "proto3";
// ```
//
// The following example declares a VM workload without an address.
// An alternative to having istiod read from remote API servers is
// to write a `WorkloadEntry` in the local cluster that represents
// the Workload(s) in the remote network with the given labels. A
// An alternative to having istiod read from remote API servers is
// to write a `WorkloadEntry` in the local cluster that represents
// the Workload(s) in the remote network with the given labels. A
// single `WorkloadEntry` with weights represent the aggregate of all
// the actual workloads in a given remote network.
//
@ -154,7 +154,7 @@ option go_package = "istio.io/api/networking/v1alpha3";
//
// <!-- crd generation tags
// +cue-gen:WorkloadEntry:groupName:networking.istio.io
// +cue-gen:WorkloadEntry:versions:v1beta1,v1alpha3,v1
// +cue-gen:WorkloadEntry:versions:v1,v1beta1,v1alpha3
// +cue-gen:WorkloadEntry:annotations:helm.sh/resource-policy=keep
// +cue-gen:WorkloadEntry:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:WorkloadEntry:subresource:status
@ -252,5 +252,4 @@ message WorkloadEntry {
// ServiceEntry)
// +kubebuilder:validation:MaxLength=253
string service_account = 7;
};
}

View File

@ -97,7 +97,7 @@ const (
//
// <!-- crd generation tags
// +cue-gen:WorkloadGroup:groupName:networking.istio.io
// +cue-gen:WorkloadGroup:versions:v1beta1,v1alpha3,v1
// +cue-gen:WorkloadGroup:versions:v1,v1beta1,v1alpha3
// +cue-gen:WorkloadGroup:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:WorkloadGroup:subresource:status
// +cue-gen:WorkloadGroup:scope:Namespaced

View File

@ -14,9 +14,6 @@
syntax = "proto3";
import "google/api/field_behavior.proto";
import "networking/v1alpha3/workload_entry.proto";
// $schema: istio.networking.v1alpha3.WorkloadGroup
// $title: Workload Group
// $description: Describes a collection of workload instances.
@ -24,15 +21,15 @@ import "networking/v1alpha3/workload_entry.proto";
// $aliases: [/docs/reference/config/networking/v1alpha3/workload-group]
// `WorkloadGroup` describes a collection of workload instances.
// It provides a specification that the workload instances can use to bootstrap
// their proxies, including the metadata and identity. It is only intended to
// be used with non-k8s workloads like Virtual Machines, and is meant to mimic
// the existing sidecar injection and deployment specification model used for
// It provides a specification that the workload instances can use to bootstrap
// their proxies, including the metadata and identity. It is only intended to
// be used with non-k8s workloads like Virtual Machines, and is meant to mimic
// the existing sidecar injection and deployment specification model used for
// Kubernetes workloads to bootstrap Istio proxies.
//
// The following example declares a workload group representing a collection
// The following example declares a workload group representing a collection
// of workloads that will be registered under `reviews` in namespace
// `bookinfo`. The set of labels will be associated with each workload
// `bookinfo`. The set of labels will be associated with each workload
// instance during the bootstrap process, and the ports 3550 and 8080
// will be associated with the workload group and use service account `default`.
// `app.kubernetes.io/version` is just an arbitrary example of a label.
@ -71,17 +68,20 @@ import "networking/v1alpha3/workload_entry.proto";
//
package istio.networking.v1alpha3;
import "google/api/field_behavior.proto";
import "networking/v1alpha3/workload_entry.proto";
option go_package = "istio.io/api/networking/v1alpha3";
// `WorkloadGroup` enables specifying the properties of a single workload for bootstrap and
// provides a template for `WorkloadEntry`, similar to how `Deployment` specifies properties
// of workloads via `Pod` templates. A `WorkloadGroup` can have more than one `WorkloadEntry`.
// `WorkloadGroup` has no relationship to resources which control service registry like `ServiceEntry`
// `WorkloadGroup` has no relationship to resources which control service registry like `ServiceEntry`
// and as such doesn't configure host name for these workloads.
//
// <!-- crd generation tags
// +cue-gen:WorkloadGroup:groupName:networking.istio.io
// +cue-gen:WorkloadGroup:versions:v1beta1,v1alpha3,v1
// +cue-gen:WorkloadGroup:versions:v1,v1beta1,v1alpha3
// +cue-gen:WorkloadGroup:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:WorkloadGroup:subresource:status
// +cue-gen:WorkloadGroup:scope:Namespaced
@ -116,13 +116,13 @@ message WorkloadGroup {
// `ObjectMeta` describes metadata that will be attached to a `WorkloadEntry`.
// It is a subset of the supported Kubernetes metadata.
message ObjectMeta {
// Labels to attach
// +kubebuilder:validation:MaxProperties=256
map<string, string> labels = 1;
// Labels to attach
// +kubebuilder:validation:MaxProperties=256
map<string, string> labels = 1;
// Annotations to attach
// +kubebuilder:validation:MaxProperties=256
map<string, string> annotations = 2;
// Annotations to attach
// +kubebuilder:validation:MaxProperties=256
map<string, string> annotations = 2;
}
// `ReadinessProbe` describes the configuration the user must provide for healthchecking on their workload.
@ -131,96 +131,95 @@ message WorkloadGroup {
}
message ReadinessProbe {
// Number of seconds after the container has started before readiness probes are initiated.
// +kubebuilder:validation:Minimum=0
int32 initial_delay_seconds = 2;
// Number of seconds after the container has started before readiness probes are initiated.
// +kubebuilder:validation:Minimum=0
int32 initial_delay_seconds = 2;
// Number of seconds after which the probe times out.
// Defaults to 1 second. Minimum value is 1 second.
// +kubebuilder:validation:Minimum=0
int32 timeout_seconds = 3;
// Number of seconds after which the probe times out.
// Defaults to 1 second. Minimum value is 1 second.
// +kubebuilder:validation:Minimum=0
int32 timeout_seconds = 3;
// How often (in seconds) to perform the probe.
// Default to 10 seconds. Minimum value is 1 second.
// +kubebuilder:validation:Minimum=0
int32 period_seconds = 4;
// How often (in seconds) to perform the probe.
// Default to 10 seconds. Minimum value is 1 second.
// +kubebuilder:validation:Minimum=0
int32 period_seconds = 4;
// Minimum consecutive successes for the probe to be considered successful after having failed.
// Defaults to 1 second.
// +kubebuilder:validation:Minimum=0
int32 success_threshold = 5;
// Minimum consecutive successes for the probe to be considered successful after having failed.
// Defaults to 1 second.
// +kubebuilder:validation:Minimum=0
int32 success_threshold = 5;
// Minimum consecutive failures for the probe to be considered failed after having succeeded.
// Defaults to 3 seconds.
// +kubebuilder:validation:Minimum=0
int32 failure_threshold = 6;
// Minimum consecutive failures for the probe to be considered failed after having succeeded.
// Defaults to 3 seconds.
// +kubebuilder:validation:Minimum=0
int32 failure_threshold = 6;
// Users can only provide one configuration for healthchecks (tcp, http, exec),
// and this is expressed as a oneof. All of the other configuration values
// hold true for any of the healthcheck methods.
oneof health_check_method {
// `httpGet` is performed to a given endpoint
// and the status/able to connect determines health.
HTTPHealthCheckConfig http_get = 7;
// Health is determined by if the proxy is able to connect.
TCPHealthCheckConfig tcp_socket = 8;
// Health is determined by how the command that is executed exited.
ExecHealthCheckConfig exec = 9;
// GRPC call is made and response/error is used to determine health.
GrpcHealthCheckConfig grpc = 10;
}
// Users can only provide one configuration for healthchecks (tcp, http, exec),
// and this is expressed as a oneof. All of the other configuration values
// hold true for any of the healthcheck methods.
oneof health_check_method {
// `httpGet` is performed to a given endpoint
// and the status/able to connect determines health.
HTTPHealthCheckConfig http_get = 7;
// Health is determined by if the proxy is able to connect.
TCPHealthCheckConfig tcp_socket = 8;
// Health is determined by how the command that is executed exited.
ExecHealthCheckConfig exec = 9;
// GRPC call is made and response/error is used to determine health.
GrpcHealthCheckConfig grpc = 10;
}
}
message HTTPHealthCheckConfig {
// Path to access on the HTTP server.
string path = 1;
// Path to access on the HTTP server.
string path = 1;
// Port on which the endpoint lives.
// +kubebuilder:validation:XValidation:message="port must be between 1-65535",rule="0 < self && self <= 65535"
uint32 port = 2 [(google.api.field_behavior) = REQUIRED];
// Port on which the endpoint lives.
// +kubebuilder:validation:XValidation:message="port must be between 1-65535",rule="0 < self && self <= 65535"
uint32 port = 2 [(google.api.field_behavior) = REQUIRED];
// Host name to connect to, defaults to the pod IP. You probably want to set
// "Host" in httpHeaders instead.
string host = 3;
// Host name to connect to, defaults to the pod IP. You probably want to set
// "Host" in httpHeaders instead.
string host = 3;
// HTTP or HTTPS, defaults to HTTP
// +kubebuilder:validation:XValidation:message="scheme must be one of [HTTP, HTTPS]",rule="self in ['', 'HTTP', 'HTTPS']"
string scheme = 4;
// HTTP or HTTPS, defaults to HTTP
// +kubebuilder:validation:XValidation:message="scheme must be one of [HTTP, HTTPS]",rule="self in ['', 'HTTP', 'HTTPS']"
string scheme = 4;
// Headers the proxy will pass on to make the request.
// Allows repeated headers.
repeated HTTPHeader http_headers = 5;
// Headers the proxy will pass on to make the request.
// Allows repeated headers.
repeated HTTPHeader http_headers = 5;
}
message GrpcHealthCheckConfig {
// Port on which the endpoint lives.
// +kubebuilder:validation:XValidation:message="port must be between 1-65535",rule="0 < self && self <= 65535"
uint32 port = 1;
// Port on which the endpoint lives.
// +kubebuilder:validation:XValidation:message="port must be between 1-65535",rule="0 < self && self <= 65535"
uint32 port = 1;
// Service is the fully qualified name of the service to send the grpc health check request
string service = 2;
// Service is the fully qualified name of the service to send the grpc health check request
string service = 2;
}
message HTTPHeader {
// The header field name
// +kubebuilder:validation:Pattern=^[-_A-Za-z0-9]+$
string name = 1;
// The header field name
// +kubebuilder:validation:Pattern=^[-_A-Za-z0-9]+$
string name = 1;
// The header field value
string value = 2;
// The header field value
string value = 2;
}
message TCPHealthCheckConfig {
// Host to connect to, defaults to localhost
string host = 1;
// Port of host
// +kubebuilder:validation:XValidation:message="port must be between 1-65535",rule="0 < self && self <= 65535"
uint32 port = 2 [(google.api.field_behavior) = REQUIRED];
// Host to connect to, defaults to localhost
string host = 1;
// Port of host
// +kubebuilder:validation:XValidation:message="port must be between 1-65535",rule="0 < self && self <= 65535"
uint32 port = 2 [(google.api.field_behavior) = REQUIRED];
}
message ExecHealthCheckConfig {
// Command to run. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
// +protoc-gen-crd:list-value-validation:MinLength=1
repeated string command = 1 [(google.api.field_behavior) = REQUIRED];
// Command to run. Exit status of 0 is treated as live/healthy and non-zero is unhealthy.
// +protoc-gen-crd:list-value-validation:MinLength=1
repeated string command = 1 [(google.api.field_behavior) = REQUIRED];
}
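Review bot: in `ReadinessProbe`, the comments on `timeout_seconds` and `period_seconds` say "Minimum value is 1 second" while the validation marker on both is `+kubebuilder:validation:Minimum=0`, so a value of 0 passes schema validation against the documented contract. Either raise the marker to 1 or correct the comment. Two smaller points in the same hunk: `success_threshold` and `failure_threshold` are counts, yet their comments say "Defaults to 1 second" and "Defaults to 3 seconds"; and `GrpcHealthCheckConfig.port` carries the same 1-65535 rule as the HTTP and TCP ports but lacks `[(google.api.field_behavior) = REQUIRED]`. A re-indent-only change is a reasonable place to leave these, but they should be tracked.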

View File

@ -8,7 +8,7 @@ import "istio.io/api/networking/v1alpha3"
//
// <!-- crd generation tags
// +cue-gen:DestinationRule:groupName:networking.istio.io
// +cue-gen:DestinationRule:versions:v1beta1,v1alpha3,v1
// +cue-gen:DestinationRule:versions:v1,v1beta1,v1alpha3
// +cue-gen:DestinationRule:annotations:helm.sh/resource-policy=keep
// +cue-gen:DestinationRule:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:DestinationRule:subresource:status
@ -18,7 +18,7 @@ import "istio.io/api/networking/v1alpha3"
// +cue-gen:DestinationRule:printerColumn:name=Age,type=date,JSONPath=.metadata.creationTimestamp,description="CreationTimestamp is a timestamp
// representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations.
// Clients may not set this value. It is represented in RFC3339 form and is in UTC.
// Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
// Populated by the system. Read-only. Null for lists. For more information, see [Kubernetes API Conventions](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md#metadata)"
// +cue-gen:DestinationRule:preserveUnknownFields:false
// -->
//
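Review bot: the new text inside the `printerColumn` `description="..."` string uses a Markdown link, `[Kubernetes API Conventions](https://github.com/...)`. That description is emitted into the CRD and shown as plain text, so the brackets and parentheses will appear literally. Keep a bare URL in this string, as the line it replaces did, and use the Markdown form only in comments that feed the rendered docs.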
@ -46,6 +46,8 @@ const TrafficPolicy_ProxyProtocol_V1 TrafficPolicy_ProxyProtocol_VERSION = v1alp
// PROXY protocol version 2. Binary format.
const TrafficPolicy_ProxyProtocol_V2 TrafficPolicy_ProxyProtocol_VERSION = v1alpha3.TrafficPolicy_ProxyProtocol_V2
type TrafficPolicy_RetryBudget = v1alpha3.TrafficPolicy_RetryBudget
// A subset of endpoints of a service. Subsets can be used for scenarios
// like A/B testing, or routing to a specific version of a service. Refer
// to [VirtualService](https://istio.io/docs/reference/config/networking/virtual-service/#VirtualService) documentation for examples of using
@ -284,7 +286,7 @@ const ConnectionPoolSettings_HTTPSettings_UPGRADE ConnectionPoolSettings_HTTPSet
//
// The following rule sets a connection pool size of 100 HTTP1 connections
// with no more than 10 req/connection to the "reviews" service. In addition,
// it sets a limit of 1000 concurrent HTTP2 requests and configures upstream
// it sets a limit of 1000 concurrent HTTP/2 requests and configures upstream
// hosts to be scanned every 5 mins so that any host that fails 7 consecutive
// times with a 502, 503, or 504 error code will be ejected for 15 minutes.
//

View File

@ -8,7 +8,7 @@ import "istio.io/api/networking/v1alpha3"
//
// <!-- crd generation tags
// +cue-gen:Gateway:groupName:networking.istio.io
// +cue-gen:Gateway:versions:v1beta1,v1alpha3,v1
// +cue-gen:Gateway:versions:v1,v1beta1,v1alpha3
// +cue-gen:Gateway:annotations:helm.sh/resource-policy=keep
// +cue-gen:Gateway:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:Gateway:subresource:status

View File

@ -14,9 +14,6 @@
syntax = "proto3";
import "google/protobuf/wrappers.proto";
import "type/v1beta1/selector.proto";
// $schema: istio.networking.v1beta1.ProxyConfig
// $title: ProxyConfig
// $description: Provides configuration for individual workloads.
@ -86,7 +83,10 @@ import "type/v1beta1/selector.proto";
//
package istio.networking.v1beta1;
option go_package= "istio.io/api/networking/v1beta1";
import "google/protobuf/wrappers.proto";
import "type/v1beta1/selector.proto";
option go_package = "istio.io/api/networking/v1beta1";
// `ProxyConfig` exposes proxy level configuration options.
//
@ -139,4 +139,4 @@ message ProxyImage {
// Other values are allowed if those image types (example: centos) are published to the specified hub.
// supported values: default, debug, distroless.
string image_type = 1;
}
}

View File

@ -8,7 +8,7 @@ import "istio.io/api/networking/v1alpha3"
//
// <!-- crd generation tags
// +cue-gen:ServiceEntry:groupName:networking.istio.io
// +cue-gen:ServiceEntry:versions:v1beta1,v1alpha3,v1
// +cue-gen:ServiceEntry:versions:v1,v1beta1,v1alpha3
// +cue-gen:ServiceEntry:annotations:helm.sh/resource-policy=keep
// +cue-gen:ServiceEntry:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:ServiceEntry:subresource:status

View File

@ -9,7 +9,7 @@ import "istio.io/api/networking/v1alpha3"
//
// <!-- crd generation tags
// +cue-gen:Sidecar:groupName:networking.istio.io
// +cue-gen:Sidecar:versions:v1beta1,v1alpha3,v1
// +cue-gen:Sidecar:versions:v1,v1beta1,v1alpha3
// +cue-gen:Sidecar:annotations:helm.sh/resource-policy=keep
// +cue-gen:Sidecar:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:Sidecar:subresource:status

View File

@ -7,7 +7,7 @@ import "istio.io/api/networking/v1alpha3"
//
// <!-- crd generation tags
// +cue-gen:VirtualService:groupName:networking.istio.io
// +cue-gen:VirtualService:versions:v1beta1,v1alpha3,v1
// +cue-gen:VirtualService:versions:v1,v1beta1,v1alpha3
// +cue-gen:VirtualService:annotations:helm.sh/resource-policy=keep
// +cue-gen:VirtualService:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:VirtualService:subresource:status

View File

@ -7,7 +7,7 @@ import "istio.io/api/networking/v1alpha3"
//
// <!-- crd generation tags
// +cue-gen:WorkloadEntry:groupName:networking.istio.io
// +cue-gen:WorkloadEntry:versions:v1beta1,v1alpha3,v1
// +cue-gen:WorkloadEntry:versions:v1,v1beta1,v1alpha3
// +cue-gen:WorkloadEntry:annotations:helm.sh/resource-policy=keep
// +cue-gen:WorkloadEntry:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:WorkloadEntry:subresource:status

View File

@ -11,7 +11,7 @@ import "istio.io/api/networking/v1alpha3"
//
// <!-- crd generation tags
// +cue-gen:WorkloadGroup:groupName:networking.istio.io
// +cue-gen:WorkloadGroup:versions:v1beta1,v1alpha3,v1
// +cue-gen:WorkloadGroup:versions:v1,v1beta1,v1alpha3
// +cue-gen:WorkloadGroup:labels:app=istio-pilot,chart=istio,heritage=Tiller,release=istio
// +cue-gen:WorkloadGroup:subresource:status
// +cue-gen:WorkloadGroup:scope:Namespaced

View File

@ -0,0 +1,8 @@
apiVersion: release-notes/v2
kind: feature
area: security
issue:
- https://github.com/istio/istio/issues/43966
releaseNotes:
- |
**Added** `caCertCredentialName` field in `ServerTLSSettings` to reference a Secret/ConfigMap that holds CA certificates for mTLS
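Review bot: the release note describes `caCertCredentialName` as referencing "a Secret/ConfigMap that holds CA certificates for mTLS" without saying which of the two is consulted when both exist under that name, or which TLS modes use the field. Because this field decides which client CAs a gateway trusts, spell out the lookup order and the applicable modes here or link to the field documentation that does.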

View File

@ -0,0 +1,9 @@
apiVersion: release-notes/v2
kind: feature
area: traffic-management
issue:
- https://github.com/istio/istio/issues/54245
releaseNotes:
- |
**Added** API to configure service scopes in the MeshConfig.

View File

@ -0,0 +1,9 @@
apiVersion: release-notes/v2
kind: feature
area: traffic-management
issue:
- 55302
releaseNotes:
- |
**Updated** storageVersion for networking APIs to v1.
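Review bot: `issue:` is given as a bare `55302` here, while the other release notes added in this compare use full URLs (`https://github.com/istio/istio/issues/...`). Use the full URL so the reference is unambiguous about which repository it points to. The note text should also mention any action needed from operators, since a storage version change affects objects already persisted.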

View File

@ -14,12 +14,12 @@
syntax = "proto3";
import "google/protobuf/struct.proto";
// Keep this package for backward compatibility.
package istio.v1.auth;
option go_package="istio.io/api/security/v1alpha1";
import "google/protobuf/struct.proto";
option go_package = "istio.io/api/security/v1alpha1";
// Certificate request message. The authentication should be based on:
// 1. Bearer tokens carried in the side channel;
@ -51,7 +51,5 @@ message IstioCertificateResponse {
// Service for managing certificates issued by the CA.
service IstioCertificateService {
// Using provided CSR, returns a signed certificate.
rpc CreateCertificate(IstioCertificateRequest)
returns (IstioCertificateResponse) {
}
rpc CreateCertificate(IstioCertificateRequest) returns (IstioCertificateResponse) {}
}

View File

@ -13,9 +13,6 @@
// limitations under the License.
syntax = "proto3";
import "google/api/field_behavior.proto";
import "type/v1beta1/selector.proto";
// $schema: istio.security.v1beta1.AuthorizationPolicy
// $title: Authorization Policy
// $description: Configuration for access control on workloads.
@ -243,7 +240,10 @@ import "type/v1beta1/selector.proto";
// ```
package istio.security.v1beta1;
option go_package="istio.io/api/security/v1beta1";
import "google/api/field_behavior.proto";
import "type/v1beta1/selector.proto";
option go_package = "istio.io/api/security/v1beta1";
// AuthorizationPolicy enables access control on workloads.
//

View File

@ -13,8 +13,6 @@
// limitations under the License.
syntax = "proto3";
import "type/v1beta1/selector.proto";
// $schema: istio.security.v1beta1.PeerAuthentication
// $title: PeerAuthentication
// $description: Peer authentication configuration for workloads.
@ -109,7 +107,9 @@ import "type/v1beta1/selector.proto";
// ```
package istio.security.v1beta1;
option go_package="istio.io/api/security/v1beta1";
import "type/v1beta1/selector.proto";
option go_package = "istio.io/api/security/v1beta1";
// <!-- crd generation tags
// +cue-gen:PeerAuthentication:groupName:security.istio.io

View File

@ -745,16 +745,16 @@ var File_security_v1beta1_request_authentication_proto protoreflect.FileDescript
const file_security_v1beta1_request_authentication_proto_rawDesc = "" +
"\n" +
"-security/v1beta1/request_authentication.proto\x12\x16istio.security.v1beta1\x1a\x1egoogle/protobuf/duration.proto\x1a\x1fgoogle/api/field_behavior.proto\x1a\x1btype/v1beta1/selector.proto\"\xab\x02\n" +
"-security/v1beta1/request_authentication.proto\x12\x16istio.security.v1beta1\x1a\x1fgoogle/api/field_behavior.proto\x1a\x1egoogle/protobuf/duration.proto\x1a\x1btype/v1beta1/selector.proto\"\xab\x02\n" +
"\x15RequestAuthentication\x12@\n" +
"\bselector\x18\x01 \x01(\v2$.istio.type.v1beta1.WorkloadSelectorR\bselector\x12G\n" +
"\ttargetRef\x18\x03 \x01(\v2).istio.type.v1beta1.PolicyTargetReferenceR\ttargetRef\x12I\n" +
"\n" +
"targetRefs\x18\x04 \x03(\v2).istio.type.v1beta1.PolicyTargetReferenceR\n" +
"targetRefs\x12<\n" +
"\tjwt_rules\x18\x02 \x03(\v2\x1f.istio.security.v1beta1.JWTRuleR\bjwtRules\"\x80\x04\n" +
"\aJWTRule\x12\x1c\n" +
"\x06issuer\x18\x01 \x01(\tB\x04\xe2A\x01\x02R\x06issuer\x12\x1c\n" +
"\tjwt_rules\x18\x02 \x03(\v2\x1f.istio.security.v1beta1.JWTRuleR\bjwtRules\"\xfa\x03\n" +
"\aJWTRule\x12\x16\n" +
"\x06issuer\x18\x01 \x01(\tR\x06issuer\x12\x1c\n" +
"\taudiences\x18\x02 \x03(\tR\taudiences\x12\x19\n" +
"\bjwks_uri\x18\x03 \x01(\tR\ajwksUri\x12\x12\n" +
"\x04jwks\x18\n" +

View File

@ -295,7 +295,6 @@ fromHeaders:
<tr id="JWTRule-issuer">
<td><div class="field"><div class="name"><code><a href="#JWTRule-issuer">issuer</a></code></div>
<div class="type">string</div>
<div class="required">Required</div>
</div></td>
<td>
<p>Identifies the issuer that issued the JWT. See

View File

@ -13,10 +13,6 @@
// limitations under the License.
syntax = "proto3";
import "google/protobuf/duration.proto";
import "google/api/field_behavior.proto";
import "type/v1beta1/selector.proto";
// $schema: istio.security.v1beta1.RequestAuthentication
// $title: RequestAuthentication
// $description: Request authentication configuration for workloads.
@ -223,8 +219,11 @@ import "type/v1beta1/selector.proto";
// ```
package istio.security.v1beta1;
option go_package="istio.io/api/security/v1beta1";
import "google/api/field_behavior.proto";
import "google/protobuf/duration.proto";
import "type/v1beta1/selector.proto";
option go_package = "istio.io/api/security/v1beta1";
// <!-- crd generation tags
// +cue-gen:RequestAuthentication:groupName:security.istio.io
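Review bot: `import "google/api/field_behavior.proto";` is kept in the relocated import block, but the `JWTRule` hunk further down removes the `(google.api.field_behavior) = REQUIRED` option from `issuer`, which is the only use of that extension visible in this diff. If no other field in security/v1beta1/request_authentication.proto still carries a `field_behavior` option, drop the import so protoc does not warn about an unused import and the regenerated descriptor stops listing it as a dependency.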
@ -290,6 +289,7 @@ message RequestAuthentication {
// +kubebuilder:validation:MaxItems=4096
repeated JWTRule jwt_rules = 2;
}
// JSON Web Token (JWT) token format for authentication as defined by
// [RFC 7519](https://tools.ietf.org/html/rfc7519). See [OAuth 2.0](https://tools.ietf.org/html/rfc6749) and
// [OIDC 1.0](http://openid.net/connect) for how this is used in the whole
@ -327,7 +327,7 @@ message JWTRule {
// Example: `https://foobar.auth0.com`
// Example: `1234567-compute@developer.gserviceaccount.com`
// +kubebuilder:validation:MinLength=1
string issuer = 1 [(google.api.field_behavior) = REQUIRED];
string issuer = 1;
// The list of JWT
// [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
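Review bot: On `string issuer = 1;` the `REQUIRED` field behavior is dropped while `+kubebuilder:validation:MinLength=1` stays. In a generated OpenAPI schema a length constraint is only evaluated when the field is present, so nothing visible here rejects a `JWTRule` that omits `issuer` altogether. Since this field decides which token issuer a rule trusts, please state in the field comment how a rule without an issuer is treated, or keep the `REQUIRED` marking if omitting it is not meant to be valid.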
@ -431,7 +431,6 @@ message JWTRule {
// If set to true, the original token will be kept for the upstream request. Default is false.
bool forward_original_token = 9;
// This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.
// This differs from the `output_payload_to_header` by allowing outputting individual claims instead of the whole payload.
// The header specified in each operation in the list must be unique. Nested claims of type string/int/bool is supported as well.

View File

@ -16,12 +16,12 @@ syntax = "proto3";
package istio.stability;
option go_package="istio.io/api/stability";
option go_package = "istio.io/api/stability";
// Level defines the stability levels Istio uses.
enum Level {
EXPERIMENTAL = 0;
ALPHA = 1;
BETA = 2;
STABLE = 3;
EXPERIMENTAL = 0;
ALPHA = 1;
BETA = 2;
STABLE = 3;
}

View File

@ -1686,7 +1686,7 @@ var File_telemetry_v1alpha1_telemetry_proto protoreflect.FileDescriptor
const file_telemetry_v1alpha1_telemetry_proto_rawDesc = "" +
"\n" +
"\"telemetry/v1alpha1/telemetry.proto\x12\x18istio.telemetry.v1alpha1\x1a\x1btype/v1beta1/selector.proto\x1a\x1fgoogle/api/field_behavior.proto\x1a\x1egoogle/protobuf/duration.proto\x1a\x1egoogle/protobuf/wrappers.proto\"\xab\x03\n" +
"\"telemetry/v1alpha1/telemetry.proto\x12\x18istio.telemetry.v1alpha1\x1a\x1fgoogle/api/field_behavior.proto\x1a\x1egoogle/protobuf/duration.proto\x1a\x1egoogle/protobuf/wrappers.proto\x1a\x1btype/v1beta1/selector.proto\"\xab\x03\n" +
"\tTelemetry\x12@\n" +
"\bselector\x18\x01 \x01(\v2$.istio.type.v1beta1.WorkloadSelectorR\bselector\x12G\n" +
"\ttargetRef\x18\x05 \x01(\v2).istio.type.v1beta1.PolicyTargetReferenceR\ttargetRef\x12I\n" +

View File

@ -14,11 +14,6 @@
syntax = "proto3";
import "type/v1beta1/selector.proto";
import "google/api/field_behavior.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
// $schema: istio.telemetry.v1alpha1.Telemetry
// $title: Telemetry
// $description: Telemetry configuration for workloads.
@ -26,7 +21,7 @@ import "google/protobuf/wrappers.proto";
// $aliases: [/docs/reference/config/telemetry/v1alpha1/telemetry]
// $weight: 45
// `Telemetry` defines how telemetry (metrics, logs and traces)
// `Telemetry` defines how telemetry (metrics, logs and traces)
// is generated for workloads within a mesh.
//
// The hierarchy of Telemetry configuration is as follows:
@ -238,6 +233,11 @@ import "google/protobuf/wrappers.proto";
//
package istio.telemetry.v1alpha1;
import "google/api/field_behavior.proto";
import "google/protobuf/duration.proto";
import "google/protobuf/wrappers.proto";
import "type/v1beta1/selector.proto";
option go_package = "istio.io/api/telemetry/v1alpha1";
// <!-- crd generation tags
@ -321,7 +321,6 @@ message Telemetry {
// from parent resources. However, when specified, `custom_tags` will
// fully replace any values provided by parent configuration.
message Tracing {
// TracingSelector provides a coarse-grained ability to configure tracing
// behavior based on certain traffic metadata (such as traffic direction).
message TracingSelector {
@ -459,7 +458,7 @@ message Metrics {
// a best practice to list any universal overrides first, with tailored
// overrides following them.
repeated MetricsOverrides overrides = 2;
// Optional. Reporting interval allows configuration of the time between calls out to for metrics reporting.
// This currently only supports TCP metrics but we may use this for long duration HTTP streams in the future.
// The default duration is `5s`.
@ -619,7 +618,6 @@ message MetricSelector {
// MetricsOverrides defines custom metric generation behavior for an individual
// metric or the set of all standard metrics.
message MetricsOverrides {
// Match allows providing the scope of the override. It can be used to select
// individual metrics, as well as the workload modes (server, client, or both)
// in which the metrics will be generated.
@ -677,7 +675,6 @@ message MetricsOverrides {
// generation. It can be used to select provider or enable/disable access log
// generation for a workload.
message AccessLogging {
// LogSelector provides a coarse-grained ability to configure logging behavior
// based on certain traffic metadata (such as traffic direction). LogSelector
// applies to traffic metadata which is not represented in the attribute set

View File

@ -1,90 +1,88 @@
module istio.io/api/tests
go 1.21.0
go 1.24.0
toolchain go1.24.5
require (
k8s.io/apiextensions-apiserver v0.29.0
k8s.io/apimachinery v0.29.0
k8s.io/apiserver v0.29.0
sigs.k8s.io/yaml v1.4.0
k8s.io/apiextensions-apiserver v0.33.3
k8s.io/apimachinery v0.33.3
k8s.io/apiserver v0.33.3
sigs.k8s.io/yaml v1.5.0
)
require (
github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
cel.dev/expr v0.24.0 // indirect
github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/blang/semver/v4 v4.0.0 // indirect
github.com/cenkalti/backoff/v4 v4.2.1 // indirect
github.com/cespare/xxhash/v2 v2.2.0 // indirect
github.com/cenkalti/backoff/v5 v5.0.2 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
github.com/emicklei/go-restful/v3 v3.11.0 // indirect
github.com/emicklei/go-restful/v3 v3.12.2 // indirect
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/go-logr/logr v1.3.0 // indirect
github.com/fxamacker/cbor/v2 v2.9.0 // indirect
github.com/go-logr/logr v1.4.3 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-openapi/jsonpointer v0.20.0 // indirect
github.com/go-openapi/jsonreference v0.20.2 // indirect
github.com/go-openapi/swag v0.22.4 // indirect
github.com/go-openapi/jsonpointer v0.21.1 // indirect
github.com/go-openapi/jsonreference v0.21.0 // indirect
github.com/go-openapi/swag v0.23.1 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang/protobuf v1.5.3 // indirect
github.com/google/cel-go v0.17.7 // indirect
github.com/google/gnostic-models v0.6.8 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/pprof v0.0.0-20230705174524-200ffdc848b8 // indirect
github.com/google/uuid v1.5.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.1 // indirect
github.com/imdario/mergo v0.3.6 // indirect
github.com/google/cel-go v0.26.0 // indirect
github.com/google/gnostic-models v0.7.0 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
github.com/josharian/intern v1.0.0 // indirect
github.com/json-iterator/go v1.1.12 // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
github.com/mailru/easyjson v0.9.0 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/prometheus/client_golang v1.17.0 // indirect
github.com/prometheus/client_model v0.5.0 // indirect
github.com/prometheus/common v0.45.0 // indirect
github.com/prometheus/procfs v0.12.0 // indirect
github.com/spf13/pflag v1.0.5 // indirect
github.com/stoewer/go-strcase v1.3.0 // indirect
go.etcd.io/etcd/client/pkg/v3 v3.5.11 // indirect
go.etcd.io/etcd/client/v3 v3.5.11 // indirect
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 // indirect
go.opentelemetry.io/otel v1.21.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0 // indirect
go.opentelemetry.io/otel/metric v1.21.0 // indirect
go.opentelemetry.io/otel/sdk v1.21.0 // indirect
go.opentelemetry.io/otel/trace v1.21.0 // indirect
go.opentelemetry.io/proto/otlp v1.0.0 // indirect
go.uber.org/zap v1.26.0 // indirect
golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 // indirect
golang.org/x/net v0.23.0 // indirect
golang.org/x/oauth2 v0.15.0 // indirect
golang.org/x/sync v0.5.0 // indirect
golang.org/x/sys v0.18.0 // indirect
golang.org/x/term v0.18.0 // indirect
golang.org/x/text v0.14.0 // indirect
golang.org/x/time v0.5.0 // indirect
google.golang.org/appengine v1.6.8 // indirect
google.golang.org/genproto v0.0.0-20231212172506-995d672761c0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20231212172506-995d672761c0 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20231212172506-995d672761c0 // indirect
google.golang.org/grpc v1.60.0 // indirect
google.golang.org/protobuf v1.33.0 // indirect
github.com/prometheus/client_golang v1.22.0 // indirect
github.com/prometheus/client_model v0.6.2 // indirect
github.com/prometheus/common v0.65.0 // indirect
github.com/prometheus/procfs v0.17.0 // indirect
github.com/spf13/cobra v1.9.1 // indirect
github.com/spf13/pflag v1.0.6 // indirect
github.com/stoewer/go-strcase v1.3.1 // indirect
github.com/x448/float16 v0.8.4 // indirect
go.opentelemetry.io/auto/sdk v1.1.0 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 // indirect
go.opentelemetry.io/otel v1.37.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 // indirect
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0 // indirect
go.opentelemetry.io/otel/metric v1.37.0 // indirect
go.opentelemetry.io/otel/sdk v1.37.0 // indirect
go.opentelemetry.io/otel/trace v1.37.0 // indirect
go.opentelemetry.io/proto/otlp v1.7.0 // indirect
go.yaml.in/yaml/v2 v2.4.2 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/exp v0.0.0-20250711185948-6ae5c78190dc // indirect
golang.org/x/net v0.42.0 // indirect
golang.org/x/oauth2 v0.30.0 // indirect
golang.org/x/sync v0.16.0 // indirect
golang.org/x/sys v0.34.0 // indirect
golang.org/x/term v0.33.0 // indirect
golang.org/x/text v0.27.0 // indirect
golang.org/x/time v0.12.0 // indirect
google.golang.org/genproto/googleapis/api v0.0.0-20250715232539-7130f93afb79 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20250715232539-7130f93afb79 // indirect
google.golang.org/grpc v1.74.0 // indirect
google.golang.org/protobuf v1.36.6 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
k8s.io/api v0.29.0 // indirect
k8s.io/client-go v0.29.0 // indirect
k8s.io/component-base v0.29.0 // indirect
k8s.io/klog/v2 v2.110.1 // indirect
k8s.io/kube-openapi v0.0.0-20231214164306-ab13479f8bf8 // indirect
k8s.io/utils v0.0.0-20231127182322-b307cd553661 // indirect
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.3 // indirect
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
k8s.io/api v0.33.3 // indirect
k8s.io/client-go v0.33.3 // indirect
k8s.io/component-base v0.33.3 // indirect
k8s.io/klog/v2 v2.130.1 // indirect
k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b // indirect
k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 // indirect
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.33.0 // indirect
sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect
sigs.k8s.io/randfill v1.0.0 // indirect
sigs.k8s.io/structured-merge-diff/v4 v4.7.0 // indirect
)
replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.5
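Review bot: The trailing `replace github.com/imdario/mergo => github.com/imdario/mergo v0.3.5` looks stale. The only `require` entry for that module in this hunk is `github.com/imdario/mergo v0.3.6 // indirect`, which sits among the old-version lines and has no counterpart next to the updated ones, so if the directive is still present after this change it should be removed. Separately, `go 1.24.0` with `toolchain go1.24.5` raises the minimum Go version for the tests module from `go 1.21.0`; please confirm this matches the version the root module and CI build with.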

View File

@ -1,87 +1,79 @@
github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df h1:7RFfzj4SSt6nnvCPbCqijJi1nWCd+TqAT3bYCStRC18=
github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM=
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 h1:DklsrG3dyBCFEj5IhUbnKptjxatkF07cF2ak3yi77so=
github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
cel.dev/expr v0.24.0 h1:56OvJKSH3hDGL0ml5uSxZmz3/3Pq4tJ+fb1unVLAFcY=
cel.dev/expr v0.24.0/go.mod h1:hLPLo1W4QUmuYdA72RBX06QTs6MXw941piREPl3Yfiw=
github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ=
github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw=
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=
github.com/blang/semver/v4 v4.0.0/go.mod h1:IbckMUScFkM3pff0VJDNKRiT6TG/YpiHIM2yvyW5YoQ=
github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
github.com/cenkalti/backoff/v5 v5.0.2 h1:rIfFVxEf1QsI7E1ZHfp/B4DF/6QBAUhmgkxc0H7Zss8=
github.com/cenkalti/backoff/v5 v5.0.2/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
github.com/coreos/go-semver v0.3.1 h1:yi21YpKnrx1gt5R+la8n5WgS0kCrsPp33dmEyHReZr4=
github.com/coreos/go-semver v0.3.1/go.mod h1:irMmmIw/7yzSRPWryHsK7EYSg09caPQL03VsM8rvUec=
github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g=
github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
github.com/emicklei/go-restful/v3 v3.12.2 h1:DhwDP0vY3k8ZzE0RunuJy8GhNpPL6zqLkDf9B/a0/xU=
github.com/emicklei/go-restful/v3 v3.12.2/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc=
github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
github.com/fxamacker/cbor/v2 v2.9.0 h1:NpKPmjDBgUfBms6tr6JZkTHtfFGcMKsw3eGcmD/sapM=
github.com/fxamacker/cbor/v2 v2.9.0/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
github.com/go-openapi/jsonpointer v0.20.0 h1:ESKJdU9ASRfaPNOPRx12IUyA1vn3R9GiE3KYD14BXdQ=
github.com/go-openapi/jsonpointer v0.20.0/go.mod h1:6PGzBjjIIumbLYysB73Klnms1mwnU4G3YHOECG3CedA=
github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE=
github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En5Ap4rVB5KVcIDZG2k=
github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
github.com/go-openapi/swag v0.22.4 h1:QLMzNJnMGPRNDCbySlcj1x01tzU8/9LTTL9hZZZogBU=
github.com/go-openapi/swag v0.22.4/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14=
github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
github.com/go-openapi/jsonpointer v0.21.1 h1:whnzv/pNXtK2FbX/W9yJfRmE2gsmkfahjMKB0fZvcic=
github.com/go-openapi/jsonpointer v0.21.1/go.mod h1:50I1STOfbY1ycR8jGz8DaMeLCdXiI6aDteEdRNNzpdk=
github.com/go-openapi/jsonreference v0.21.0 h1:Rs+Y7hSXT83Jacb7kFyjn4ijOuVGSvOdF2+tg1TRrwQ=
github.com/go-openapi/jsonreference v0.21.0/go.mod h1:LmZmgsrTkVg9LG4EaHeY8cBDslNPMo06cago5JNLkm4=
github.com/go-openapi/swag v0.23.1 h1:lpsStH0n2ittzTnbaSloVZLuB5+fvSY/+hnagBjSNZU=
github.com/go-openapi/swag v0.23.1/go.mod h1:STZs8TbRvEQQKUA+JZNAm3EWlgaOBGpyFDqQnDHMef0=
github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
github.com/google/cel-go v0.17.7 h1:6ebJFzu1xO2n7TLtN+UBqShGBhlD85bhvglh5DpcfqQ=
github.com/google/cel-go v0.17.7/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulNQzhwhY=
github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvRgGre9I=
github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U=
github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
github.com/google/btree v1.1.3 h1:CVpQJjYgC4VbzxeGVHfvZrv1ctoYCAI8vbl07Fcxlyg=
github.com/google/btree v1.1.3/go.mod h1:qOPhT0dTNdNzV6Z/lhRX0YXUafgPLFUh+gZMl761Gm4=
github.com/google/cel-go v0.26.0 h1:DPGjXackMpJWH680oGY4lZhYjIameYmR+/6RBdDGmaI=
github.com/google/cel-go v0.26.0/go.mod h1:A9O8OU9rdvrK5MQyrqfIxo1a0u4g3sF8KB6PUIaryMM=
github.com/google/gnostic-models v0.7.0 h1:qwTtogB15McXDaNqTZdzPJRHvaVJlAl+HVQnLmJEJxo=
github.com/google/gnostic-models v0.7.0/go.mod h1:whL5G0m6dmc5cPxKc5bdKdEN3UjI7OUGxBlw57miDrQ=
github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
github.com/google/pprof v0.0.0-20230705174524-200ffdc848b8 h1:n6vlPhxsA+BW/XsS5+uqi7GyzaLa5MH7qlSLBZtRdiA=
github.com/google/pprof v0.0.0-20230705174524-200ffdc848b8/go.mod h1:Jh3hGz2jkYak8qXPD19ryItVnUgpgeqzdkY/D0EaeuA=
github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU=
github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 h1:Ovs26xHkKqVztRpIrF/92BcuyuQ/YW4NSIpoGtfXNho=
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0/go.mod h1:8NvIoxWQoOIhqOTXgfV/d3M/q6VIi02HzZEHgUlZvzk=
github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.1 h1:6UKoz5ujsI55KNpsJH3UwCq3T8kKbZwNZBNPuTTje8U=
github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.1/go.mod h1:YvJ2f6MplWDhfxiUC3KpyTy76kYUZA4W3pTv/wdKQ9Y=
github.com/imdario/mergo v0.3.5 h1:JboBksRwiiAJWvIYJVo46AfV+IAIKZpfrSzVKj42R4Q=
github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1 h1:X5VWvz21y3gzm9Nw/kaUeku/1+uBhcekkmy4IkffJww=
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.1/go.mod h1:Zanoh4+gvIgluNqcfMVTJueD4wSS5hT7zTt4Mrutd90=
github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY=
github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y=
github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI=
github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc=
github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg=
github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k=
github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
github.com/mailru/easyjson v0.9.0 h1:PrnmzHw7262yW8sTBwxi1PdJA3Iw/EKBa8psRf7d9a4=
github.com/mailru/easyjson v0.9.0/go.mod h1:1+xMtQp2MRNVL/V1bOzuP3aP8VNwRW55fQUto+XFtTU=
github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
@ -89,174 +81,169 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4=
github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg=
github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/prometheus/client_golang v1.17.0 h1:rl2sfwZMtSthVU752MqfjQozy7blglC+1SOtjMAMh+Q=
github.com/prometheus/client_golang v1.17.0/go.mod h1:VeL+gMmOAxkS2IqfCq0ZmHSL+LjWfWDUmp1mBz9JgUY=
github.com/prometheus/client_model v0.5.0 h1:VQw1hfvPvk3Uv6Qf29VrPF32JB6rtbgI6cYPYQjL0Qw=
github.com/prometheus/client_model v0.5.0/go.mod h1:dTiFglRmd66nLR9Pv9f0mZi7B7fk5Pm3gvsjB5tr+kI=
github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM=
github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY=
github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k6Bo=
github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo=
github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ=
github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog=
github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=
github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
github.com/prometheus/client_golang v1.22.0 h1:rb93p9lokFEsctTys46VnV1kLCDpVZ0a/Y92Vm0Zc6Q=
github.com/prometheus/client_golang v1.22.0/go.mod h1:R7ljNsLXhuQXYZYtw6GAE9AZg8Y7vEW5scdCXrWRXC0=
github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
github.com/prometheus/common v0.65.0 h1:QDwzd+G1twt//Kwj/Ww6E9FQq1iVMmODnILtW1t2VzE=
github.com/prometheus/common v0.65.0/go.mod h1:0gZns+BLRQ3V6NdaerOhMbwwRbNh9hkGINtQAsP5GS8=
github.com/prometheus/procfs v0.17.0 h1:FuLQ+05u4ZI+SS/w9+BWEM2TXiHKsUQ9TADiRH7DuK0=
github.com/prometheus/procfs v0.17.0/go.mod h1:oPQLaDAMRbA+u8H5Pbfq+dl3VDAvHxMUOVhe0wYB2zw=
github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII=
github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o=
github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
github.com/stoewer/go-strcase v1.3.1 h1:iS0MdW+kVTxgMoE1LAZyMiYJFKlOzLooE4MxjirtkAs=
github.com/stoewer/go-strcase v1.3.1/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
go.etcd.io/etcd/api/v3 v3.5.11 h1:B54KwXbWDHyD3XYAwprxNzTe7vlhR69LuBgZnMVvS7E=
go.etcd.io/etcd/api/v3 v3.5.11/go.mod h1:Ot+o0SWSyT6uHhA56al1oCED0JImsRiU9Dc26+C2a+4=
go.etcd.io/etcd/client/pkg/v3 v3.5.11 h1:bT2xVspdiCj2910T0V+/KHcVKjkUrCZVtk8J2JF2z1A=
go.etcd.io/etcd/client/pkg/v3 v3.5.11/go.mod h1:seTzl2d9APP8R5Y2hFL3NVlD6qC/dOT+3kvrqPyTas4=
go.etcd.io/etcd/client/v3 v3.5.11 h1:ajWtgoNSZJ1gmS8k+icvPtqsqEav+iUorF7b0qozgUU=
go.etcd.io/etcd/client/v3 v3.5.11/go.mod h1:a6xQUEqFJ8vztO1agJh/KQKOMfFI8og52ZconzcDJwE=
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1 h1:SpGay3w+nEwMpfVnbqOLH5gY52/foP8RE8UzTZ1pdSE=
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.46.1/go.mod h1:4UoMYEZOC0yN/sPGH76KPkkU7zgiEWYWL9vwmbnTJPE=
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 h1:aFJWCqJMNjENlcleuuOkGAPH82y0yULBScfXcIEdS24=
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1/go.mod h1:sEGXWArGqc3tVa+ekntsN65DmVbVeW+7lTKTjZF3/Fo=
go.opentelemetry.io/otel v1.21.0 h1:hzLeKBZEL7Okw2mGzZ0cc4k/A7Fta0uoPgaJCr8fsFc=
go.opentelemetry.io/otel v1.21.0/go.mod h1:QZzNPQPm1zLX4gZK4cMi+71eaorMSGT3A4znnUvNNEo=
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0 h1:cl5P5/GIfFh4t6xyruOgJP5QiA1pw4fYYdv6nc6CBWw=
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.21.0/go.mod h1:zgBdWWAu7oEEMC06MMKc5NLbA/1YDXV1sMpSqEeLQLg=
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0 h1:tIqheXEFWAZ7O8A7m+J0aPTmpJN3YQ7qetUAdkkkKpk=
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.21.0/go.mod h1:nUeKExfxAQVbiVFn32YXpXZZHZ61Cc3s3Rn1pDBGAb0=
go.opentelemetry.io/otel/metric v1.21.0 h1:tlYWfeo+Bocx5kLEloTjbcDwBuELRrIFxwdQ36PlJu4=
go.opentelemetry.io/otel/metric v1.21.0/go.mod h1:o1p3CA8nNHW8j5yuQLdc1eeqEaPfzug24uvsyIEJRWM=
go.opentelemetry.io/otel/sdk v1.21.0 h1:FTt8qirL1EysG6sTQRZ5TokkU8d0ugCj8htOgThZXQ8=
go.opentelemetry.io/otel/sdk v1.21.0/go.mod h1:Nna6Yv7PWTdgJHVRD9hIYywQBRx7pbox6nwBnZIxl/E=
go.opentelemetry.io/otel/trace v1.21.0 h1:WD9i5gzvoUPuXIXH24ZNBudiarZDKuekPqi/E8fpfLc=
go.opentelemetry.io/otel/trace v1.21.0/go.mod h1:LGbsEB0f9LGjN+OZaQQ26sohbOmiMR+BaslueVtS/qQ=
go.opentelemetry.io/proto/otlp v1.0.0 h1:T0TX0tmXU8a3CbNXzEKGeU5mIVOdf0oykP+u2lIVU/I=
go.opentelemetry.io/proto/otlp v1.0.0/go.mod h1:Sy6pihPLfYHkr3NkUbEhGHFhINUSI/v80hjKIs5JXpM=
go.etcd.io/etcd/api/v3 v3.5.21 h1:A6O2/JDb3tvHhiIz3xf9nJ7REHvtEFJJ3veW3FbCnS8=
go.etcd.io/etcd/api/v3 v3.5.21/go.mod h1:c3aH5wcvXv/9dqIw2Y810LDXJfhSYdHQ0vxmP3CCHVY=
go.etcd.io/etcd/client/pkg/v3 v3.5.21 h1:lPBu71Y7osQmzlflM9OfeIV2JlmpBjqBNlLtcoBqUTc=
go.etcd.io/etcd/client/pkg/v3 v3.5.21/go.mod h1:BgqT/IXPjK9NkeSDjbzwsHySX3yIle2+ndz28nVsjUs=
go.etcd.io/etcd/client/v3 v3.5.21 h1:T6b1Ow6fNjOLOtM0xSoKNQt1ASPCLWrF9XMHcH9pEyY=
go.etcd.io/etcd/client/v3 v3.5.21/go.mod h1:mFYy67IOqmbRf/kRUvsHixzo3iG+1OF2W2+jVIQRAnU=
go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.58.0 h1:PS8wXpbyaDJQ2VDHHncMe9Vct0Zn1fEjpsjrLxGJoSc=
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.58.0/go.mod h1:HDBUsEjOuRC0EzKZ1bSaRGZWUBAzo+MhAcUUORSr4D0=
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0 h1:Hf9xI/XLML9ElpiHVDNwvqI0hIFlzV8dgIr35kV1kRU=
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.62.0/go.mod h1:NfchwuyNoMcZ5MLHwPrODwUF1HWCXWrL31s8gSAdIKY=
go.opentelemetry.io/otel v1.37.0 h1:9zhNfelUvx0KBfu/gb+ZgeAfAgtWrfHJZcAqFC228wQ=
go.opentelemetry.io/otel v1.37.0/go.mod h1:ehE/umFRLnuLa/vSccNq9oS1ErUlkkK71gMcN34UG8I=
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0 h1:Ahq7pZmv87yiyn3jeFz/LekZmPLLdKejuO3NcK9MssM=
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.37.0/go.mod h1:MJTqhM0im3mRLw1i8uGHnCvUEeS7VwRyxlLC78PA18M=
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0 h1:EtFWSnwW9hGObjkIdmlnWSydO+Qs8OwzfzXLUPg4xOc=
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.37.0/go.mod h1:QjUEoiGCPkvFZ/MjK6ZZfNOS6mfVEVKYE99dFhuN2LI=
go.opentelemetry.io/otel/metric v1.37.0 h1:mvwbQS5m0tbmqML4NqK+e3aDiO02vsf/WgbsdpcPoZE=
go.opentelemetry.io/otel/metric v1.37.0/go.mod h1:04wGrZurHYKOc+RKeye86GwKiTb9FKm1WHtO+4EVr2E=
go.opentelemetry.io/otel/sdk v1.37.0 h1:ItB0QUqnjesGRvNcmAcU0LyvkVyGJ2xftD29bWdDvKI=
go.opentelemetry.io/otel/sdk v1.37.0/go.mod h1:VredYzxUvuo2q3WRcDnKDjbdvmO0sCzOvVAiY+yUkAg=
go.opentelemetry.io/otel/sdk/metric v1.37.0 h1:90lI228XrB9jCMuSdA0673aubgRobVZFhbjxHHspCPc=
go.opentelemetry.io/otel/sdk/metric v1.37.0/go.mod h1:cNen4ZWfiD37l5NhS+Keb5RXVWZWpRE+9WyVCpbo5ps=
go.opentelemetry.io/otel/trace v1.37.0 h1:HLdcFNbRQBE2imdSEgm/kwqmQj1Or1l/7bW6mxVK7z4=
go.opentelemetry.io/otel/trace v1.37.0/go.mod h1:TlgrlQ+PtQO5XFerSPUYG0JSgGyryXewPGyayAWSBS0=
go.opentelemetry.io/proto/otlp v1.7.0 h1:jX1VolD6nHuFzOYso2E73H85i92Mv8JQYk0K9vz09os=
go.opentelemetry.io/proto/otlp v1.7.0/go.mod h1:fSKjH6YJ7HDlwzltzyMj036AJ3ejJLCgCSHGj4efDDo=
go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo=
go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so=
go.uber.org/zap v1.27.0 h1:aJMhYGrd5QSmlpLMr2MftRKl7t8J8PTZPA732ud/XR8=
go.uber.org/zap v1.27.0/go.mod h1:GB2qFLM7cTU87MWRP2mPIjqfIDnGu+VIO4V/SdhGo2E=
go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611 h1:qCEDpW1G+vcj3Y7Fy52pEM1AWm3abj8WimGYejI3SC4=
golang.org/x/exp v0.0.0-20231214170342-aacd6d4b4611/go.mod h1:iRJReGqOEeBhDZGkGbynYwcHlctCvnjTYIamk7uXpHI=
golang.org/x/exp v0.0.0-20250711185948-6ae5c78190dc h1:TS73t7x3KarrNd5qAipmspBDS1rkMcgVG/fS1aRb4Rc=
golang.org/x/exp v0.0.0-20250711185948-6ae5c78190dc/go.mod h1:A+z0yzpGtvnG90cToK5n2tu8UJVP2XUATh+r+sfOOOc=
golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
golang.org/x/net v0.23.0 h1:7EYJ93RZ9vYSZAIb2x3lnuvqO5zneoD6IvWjuhfxjTs=
golang.org/x/net v0.23.0/go.mod h1:JKghWKKOSdJwpW2GEx0Ja7fmaKnMsbu+MWVZTokSYmg=
golang.org/x/oauth2 v0.15.0 h1:s8pnnxNVzjWyrvYdFUQq5llS1PX2zhPXmccZv99h7uQ=
golang.org/x/oauth2 v0.15.0/go.mod h1:q48ptWNTY5XWf+JNten23lcvHpLJ0ZSxF5ttTHKVCAM=
golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.18.0 h1:DBdB3niSjOA/O0blCZBqDefyWNYveAYMNF1Wum0DYQ4=
golang.org/x/sys v0.18.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.18.0 h1:FcHjZXDMxI8mM3nwhX9HlKop4C0YQvCVCdwYl2wOtE8=
golang.org/x/term v0.18.0/go.mod h1:ILwASektA3OnRv7amZ1xhE/KTR+u50pbXfZ03+6Nx58=
golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg=
golang.org/x/term v0.33.0/go.mod h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
golang.org/x/text v0.3.8/go.mod h1:E6s5w1FMmriuDzIBO73fBruAKo1PCIq6d2Q6DHfQ8WQ=
golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ=
golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4=
golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU=
golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
golang.org/x/tools v0.16.0 h1:GO788SKMRunPIBCXiQyo2AaexLstOrVhuAL5YwsckQM=
golang.org/x/tools v0.16.0/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
google.golang.org/appengine v1.6.8 h1:IhEN5q69dyKagZPYMSdIjS2HqprW324FRQZJcGqPAsM=
google.golang.org/appengine v1.6.8/go.mod h1:1jJ3jBArFh5pcgW8gCtRJnepW8FzD1V44FJffLiz/Ds=
google.golang.org/genproto v0.0.0-20231212172506-995d672761c0 h1:YJ5pD9rF8o9Qtta0Cmy9rdBwkSjrTCT6XTiUQVOtIos=
google.golang.org/genproto v0.0.0-20231212172506-995d672761c0/go.mod h1:l/k7rMz0vFTBPy+tFSGvXEd3z+BcoG1k7EHbqm+YBsY=
google.golang.org/genproto/googleapis/api v0.0.0-20231212172506-995d672761c0 h1:s1w3X6gQxwrLEpxnLd/qXTVLgQE2yXwaOaoa6IlY/+o=
google.golang.org/genproto/googleapis/api v0.0.0-20231212172506-995d672761c0/go.mod h1:CAny0tYF+0/9rmDB9fahA9YLzX3+AEVl1qXbv5hhj6c=
google.golang.org/genproto/googleapis/rpc v0.0.0-20231212172506-995d672761c0 h1:/jFB8jK5R3Sq3i/lmeZO0cATSzFfZaJq1J2Euan3XKU=
google.golang.org/genproto/googleapis/rpc v0.0.0-20231212172506-995d672761c0/go.mod h1:FUoWkonphQm3RhTS+kOEhF8h0iDpm4tdXolVCeZ9KKA=
google.golang.org/grpc v1.60.0 h1:6FQAR0kM31P6MRdeluor2w2gPaS4SVNrD/DNTxrQ15k=
google.golang.org/grpc v1.60.0/go.mod h1:OlCHIeLYqSSsLi6i49B5QGdzaMZK9+M7LXN2FKz4eGM=
google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
google.golang.org/protobuf v1.33.0 h1:uNO2rsAINq/JlFpSdYEKIZ0uKD/R9cpdv0T+yoGwGmI=
google.golang.org/protobuf v1.33.0/go.mod h1:c6P6GXX6sHbq/GpV6MGZEdwhWPcYBgnhAHhKbcUYpos=
google.golang.org/genproto/googleapis/api v0.0.0-20250715232539-7130f93afb79 h1:iOye66xuaAK0WnkPuhQPUFy8eJcmwUXqGGP3om6IxX8=
google.golang.org/genproto/googleapis/api v0.0.0-20250715232539-7130f93afb79/go.mod h1:HKJDgKsFUnv5VAGeQjz8kxcgDP0HoE0iZNp0OdZNlhE=
google.golang.org/genproto/googleapis/rpc v0.0.0-20250715232539-7130f93afb79 h1:1ZwqphdOdWYXsUHgMpU/101nCtf/kSp9hOrcvFsnl10=
google.golang.org/genproto/googleapis/rpc v0.0.0-20250715232539-7130f93afb79/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
google.golang.org/grpc v1.74.0 h1:sxRSkyLxlceWQiqDofxDot3d4u7DyoHPc7SBXMj8gGY=
google.golang.org/grpc v1.74.0/go.mod h1:NZUaK8dAMUfzhK6uxZ+9511LtOrk73UGWOFoNvz7z+s=
google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
gopkg.in/evanphx/json-patch.v4 v4.12.0 h1:n6jtcsulIzXPJaxegRbvFNNrZDjbij7ny3gmSPG+6V4=
gopkg.in/evanphx/json-patch.v4 v4.12.0/go.mod h1:p8EYWUEYMpynmqDbY58zCKCFZw8pRWMG4EsWvDvM72M=
gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc=
gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw=
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
k8s.io/api v0.29.0 h1:NiCdQMY1QOp1H8lfRyeEf8eOwV6+0xA6XEE44ohDX2A=
k8s.io/api v0.29.0/go.mod h1:sdVmXoz2Bo/cb77Pxi71IPTSErEW32xa4aXwKH7gfBA=
k8s.io/apiextensions-apiserver v0.29.0 h1:0VuspFG7Hj+SxyF/Z/2T0uFbI5gb5LRgEyUVE3Q4lV0=
k8s.io/apiextensions-apiserver v0.29.0/go.mod h1:TKmpy3bTS0mr9pylH0nOt/QzQRrW7/h7yLdRForMZwc=
k8s.io/apimachinery v0.29.0 h1:+ACVktwyicPz0oc6MTMLwa2Pw3ouLAfAon1wPLtG48o=
k8s.io/apimachinery v0.29.0/go.mod h1:eVBxQ/cwiJxH58eK/jd/vAk4mrxmVlnpBH5J2GbMeis=
k8s.io/apiserver v0.29.0 h1:Y1xEMjJkP+BIi0GSEv1BBrf1jLU9UPfAnnGGbbDdp7o=
k8s.io/apiserver v0.29.0/go.mod h1:31n78PsRKPmfpee7/l9NYEv67u6hOL6AfcE761HapDM=
k8s.io/client-go v0.29.0 h1:KmlDtFcrdUzOYrBhXHgKw5ycWzc3ryPX5mQe0SkG3y8=
k8s.io/client-go v0.29.0/go.mod h1:yLkXH4HKMAywcrD82KMSmfYg2DlE8mepPR4JGSo5n38=
k8s.io/component-base v0.29.0 h1:T7rjd5wvLnPBV1vC4zWd/iWRbV8Mdxs+nGaoaFzGw3s=
k8s.io/component-base v0.29.0/go.mod h1:sADonFTQ9Zc9yFLghpDpmNXEdHyQmFIGbiuZbqAXQ1M=
k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0=
k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo=
k8s.io/kube-openapi v0.0.0-20231214164306-ab13479f8bf8 h1:yHNkNuLjht7iq95pO9QmbjOWCguvn8mDe3lT78nqPkw=
k8s.io/kube-openapi v0.0.0-20231214164306-ab13479f8bf8/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA=
k8s.io/utils v0.0.0-20231127182322-b307cd553661 h1:FepOBzJ0GXm8t0su67ln2wAZjbQ6RxQGZDnzuLcrUTI=
k8s.io/utils v0.0.0-20231127182322-b307cd553661/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.3 h1:IYXtJZpv6oAlx8Als8uIkxq2P3BlvqQfS8dt65obcco=
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.28.3/go.mod h1:z7+wmGM2dfIiLRfrC6jb5kV2Mq/sK1ZP303cxzkV5Y4=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4=
sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
k8s.io/api v0.33.3 h1:SRd5t//hhkI1buzxb288fy2xvjubstenEKL9K51KBI8=
k8s.io/api v0.33.3/go.mod h1:01Y/iLUjNBM3TAvypct7DIj0M0NIZc+PzAHCIo0CYGE=
k8s.io/apiextensions-apiserver v0.33.3 h1:qmOcAHN6DjfD0v9kxL5udB27SRP6SG/MTopmge3MwEs=
k8s.io/apiextensions-apiserver v0.33.3/go.mod h1:oROuctgo27mUsyp9+Obahos6CWcMISSAPzQ77CAQGz8=
k8s.io/apimachinery v0.33.3 h1:4ZSrmNa0c/ZpZJhAgRdcsFcZOw1PQU1bALVQ0B3I5LA=
k8s.io/apimachinery v0.33.3/go.mod h1:BHW0YOu7n22fFv/JkYOEfkUYNRN0fj0BlvMFWA7b+SM=
k8s.io/apiserver v0.33.3 h1:Wv0hGc+QFdMJB4ZSiHrCgN3zL3QRatu56+rpccKC3J4=
k8s.io/apiserver v0.33.3/go.mod h1:05632ifFEe6TxwjdAIrwINHWE2hLwyADFk5mBsQa15E=
k8s.io/client-go v0.33.3 h1:M5AfDnKfYmVJif92ngN532gFqakcGi6RvaOF16efrpA=
k8s.io/client-go v0.33.3/go.mod h1:luqKBQggEf3shbxHY4uVENAxrDISLOarxpTKMiUuujg=
k8s.io/component-base v0.33.3 h1:mlAuyJqyPlKZM7FyaoM/LcunZaaY353RXiOd2+B5tGA=
k8s.io/component-base v0.33.3/go.mod h1:ktBVsBzkI3imDuxYXmVxZ2zxJnYTZ4HAsVj9iF09qp4=
k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOPolHyvO06MXG5TUIj2mNAA=
k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts=
k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y=
k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.33.0 h1:qPrZsv1cwQiFeieFlRqT627fVZ+tyfou/+S5S0H5ua0=
sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.33.0/go.mod h1:Ve9uj1L+deCXFrPOk1LpFXqTg7LCFzFso6PA48q/XZw=
sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 h1:gBQPwqORJ8d8/YNZWEjoZs7npUVDpVXUUOFfW6CgAqE=
sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8/go.mod h1:mdzfpAEoE6DHQEN0uh9ZbOCuHbLK5wOm7dK4ctXE9Tg=
sigs.k8s.io/randfill v0.0.0-20250304075658-069ef1bbf016/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
sigs.k8s.io/randfill v1.0.0 h1:JfjMILfT8A6RbawdsK2JXGBR5AQVfd+9TbzrlneTyrU=
sigs.k8s.io/randfill v1.0.0/go.mod h1:XeLlZ/jmk4i1HRopwe7/aU3H5n1zNUcX6TM94b3QxOY=
sigs.k8s.io/structured-merge-diff/v4 v4.7.0 h1:qPeWmscJcXP0snki5IYF79Z8xrl8ETFxgMd7wez1XkI=
sigs.k8s.io/structured-merge-diff/v4 v4.7.0/go.mod h1:dDy58f92j70zLsuZVuUX5Wp9vtxXpaZnkPGWeqDfCps=
sigs.k8s.io/structured-merge-diff/v6 v6.2.0 h1:msyqjP8Nyd5sF3QSmJouFSzcBIdwq4ct8d1/7VSBHIQ=
sigs.k8s.io/structured-merge-diff/v6 v6.2.0/go.mod h1:M3W8sfWvn2HhQDIbGWj3S099YozAsymCo/wrT5ohRUE=
sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=
sigs.k8s.io/yaml v1.5.0 h1:M10b2U7aEUY6hRtU870n2VTPgR5RZiL/I6Lcc2F4NUQ=
sigs.k8s.io/yaml v1.5.0/go.mod h1:wZs27Rbxoai4C0f8/9urLZtZtF3avA3gKvGyPdDqTO4=
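Review bot: The checksum list cannot be reviewed by eye at this size, so the change should show that CI ran `go mod tidy` and `go mod verify` and that the result matches what is committed. Old and new entries sit side by side for several modules (for example `k8s.io/api` v0.29.0 and v0.33.3, `google.golang.org/grpc` v1.60.0 and v1.74.0, `golang.org/x/net` v0.23.0 and v0.42.0), which is a wide jump to take in one step. The module paths `go.yaml.in/yaml/v2` and `go.yaml.in/yaml/v3` are listed next to the `gopkg.in/yaml.v2` and `gopkg.in/yaml.v3` entries; please state in the description which dependency pulls them in so the new paths are a known, expected addition.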

View File

@ -16,6 +16,7 @@ package crd
import (
"context"
"errors"
"fmt"
"io"
"os"
@ -230,7 +231,7 @@ func formatError(errs field.ErrorList) error {
for _, e := range errs.ToAggregate().Errors() {
s.WriteString(fmt.Sprintf("- %v\n", strings.TrimPrefix(e.Error(), "spec.validation.openAPIV3Schema")))
}
return fmt.Errorf(s.String())
return errors.New(s.String())
}
func NewIstioValidator(t *testing.T) *Validator {
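Review bot: In formatError, the string passed to `errors.New(s.String())` still ends with the newline written by the last `"- %v\n"` entry, so the returned error carries a trailing newline into logs and test output; trim it before constructing the error. Moving from `fmt.Errorf` to `errors.New` is the right call, because validation text containing a `%` would otherwise be interpreted as a format verb. The loop also dereferences `errs.ToAggregate().Errors()` without a guard, and `ToAggregate` returns nil for an empty list, so either check `len(errs)` first or document that callers never pass an empty list.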

View File

@ -21,7 +21,7 @@ package istio.type.v1beta1;
import "google/api/field_behavior.proto";
option go_package="istio.io/api/type/v1beta1";
option go_package = "istio.io/api/type/v1beta1";
// WorkloadSelector specifies the criteria used to determine if a policy can be applied
// to a proxy. The matching criteria includes the metadata associated with a proxy,
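Review bot: The paired lines in this file differ only in whitespace (`option go_package="istio.io/api/type/v1beta1";` versus `option go_package = "istio.io/api/type/v1beta1";`, and the later pairs read identically here, which points at trailing-space removal), so please confirm the regenerated Go and documentation output is unchanged. Formatting-only edits to a .proto that defines `WorkloadSelector`, `PortSelector` and `PolicyTargetReference` are easier to trust when they land separately from a dependency bump, so that a real field or validation change cannot hide among them.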
@ -41,13 +41,13 @@ message WorkloadSelector {
map<string, string> match_labels = 1;
}
// PortSelector is the criteria for specifying if a policy can be applied to
// PortSelector is the criteria for specifying if a policy can be applied to
// a listener having a specific port.
message PortSelector {
// Port number
// +kubebuilder:validation:Minimum=1
// +kubebuilder:validation:Maximum=65535
uint32 number = 1 [(google.api.field_behavior) = REQUIRED];
uint32 number = 1 [(google.api.field_behavior) = REQUIRED];
}
// WorkloadMode allows selection of the role of the underlying workload in
@ -61,7 +61,7 @@ enum WorkloadMode {
UNDEFINED = 0;
// Selects for scenarios when the workload is the
// source of the network traffic. In addition,
// source of the network traffic. In addition,
// if the workload is a gateway, selects this.
CLIENT = 1;
@ -83,7 +83,7 @@ enum WorkloadMode {
// a WorkloadSelector in the RequestAuthentication, AuthorizationPolicy,
// Telemetry, and WasmPlugin CRDs to target a Kubernetes Gateway.
//
// The following is an example of an AuthorizationPolicy bound to a waypoint proxy using
// The following is an example of an AuthorizationPolicy bound to a waypoint proxy using
// a PolicyTargetReference. The example sets `action` to `DENY` to create a deny policy.
// It denies all the requests with `POST` method on port `8080` directed through the
// `waypoint` Gateway in the `foo` namespace.
@ -106,7 +106,7 @@ enum WorkloadMode {
// methods: ["POST"]
// ports: ["8080"]
// ```
//
//
// When binding to a GatewayClass resource using PolicyTargetReference, your policy must be in the root namespace.
message PolicyTargetReference {
// group is the group of the target resource.