Automator: update istio/api@release-1.24 dependency in istio/client-go@release-1.24 (#2421)

* codegen: fix DeepCopy races

Fixes https://github.com/istio/api/issues/3019

The deepcopygen we use is from Kubernetes. Its not quite suitable for
our types due to our usage of protobuf, which has limitations on
dereferencing pointer types. This causes race conditions in concurrent
usage of the DeepCopy function.

This is possible to trigger with real Istio (found by running Istio in a
live cluster with `-race`, though our current tests happen to not
trigger things I guess), as well as other usage of istio/client-go (as
the reporter found).

I ran istio/istio with this change and found all tests continue to pass,
and running in a live cluster no longer fails

* clarify comments

---------

Co-authored-by: John Howard <john.howard@solo.io>

.devcontainer/devcontainer.json

@@ -1,6 +1,6 @@
 {
   "name": "istio build-tools",
-  "image": "gcr.io/istio-testing/build-tools:master-4759bf88d40172234fc6a0b9e11a4c5f1ea58a90",
+  "image": "gcr.io/istio-testing/build-tools:release-1.24-bccd228953b7abf90170da1419699d38e95329fb",
   "privileged": true,
   "remoteEnv": {
     "USE_GKE_GCLOUD_AUTH_PLUGIN": "True",

CODEOWNERS

@@ -1 +1 @@
-* @istio/wg-user-experience-maintainers
+* @istio/release-managers-1-24

Makefile.core.mk

@@ -100,6 +100,12 @@ rename_generated_files=\
 	find $(subst istio.io/client-go/, $(empty), $(subst $(comma), $(space), $(kube_api_packages)) $(kube_clientset_package) $(kube_listers_package) $(kube_informers_package)) \
 	-name '*.go' -and -not -name 'doc.go' -and -not -name '*.gen.go' -type f -exec sh -c 'mv "$$1" "$${1%.go}".gen.go' - '{}' \;
 
+# Kubernetes deepcopy gen directly sets values of our types. Our types are protos; it is illegal to do this for protos.
+# However, we don't even need this anyways -- each individual field is explicitly copied already.
+# Remove the line doing this illegal operation.
+fixup_generated_files=\
+	find . -name "*.deepcopy.gen.go" -type f | xargs sed -i -e '/\*out = \*in/d'
+
 .PHONY: generate-k8s-client
 generate-k8s-client:
 	# generate kube api type wrappers for istio types
@@ -117,6 +123,7 @@ generate-k8s-client:
 	@$(informer_gen) --input-dirs $(kube_api_packages) --versioned-clientset-package $(kube_clientset_package)/$(kube_clientset_name) --listers-package $(kube_listers_package) --output-package $(kube_informers_package) -h $(kube_go_header_text)
 	@$(move_generated)
 	@$(rename_generated_files)
+	@$(fixup_generated_files)
 
 .PHONY: build-k8s-client verify-k8s-client
 build-k8s-client:

common/.commonfiles.sha

@@ -1 +1 @@
-82dc68a737b72d394c344d4fd71ff9e9ebf01852
+2a57949e8949678850564daef685829ceb137ed5

common/Makefile.common.mk

@@ -92,7 +92,7 @@ mirror-licenses: mod-download-go
 	@license-lint --mirror
 
 TMP := $(shell mktemp -d -u)
-UPDATE_BRANCH ?= "master"
+UPDATE_BRANCH ?= "release-1.24"
 
 BUILD_TOOLS_ORG ?= "istio"
 

common/scripts/setup_env.sh

@@ -75,7 +75,7 @@ fi
 TOOLS_REGISTRY_PROVIDER=${TOOLS_REGISTRY_PROVIDER:-gcr.io}
 PROJECT_ID=${PROJECT_ID:-istio-testing}
 if [[ "${IMAGE_VERSION:-}" == "" ]]; then
-  IMAGE_VERSION=master-4759bf88d40172234fc6a0b9e11a4c5f1ea58a90
+  IMAGE_VERSION=release-1.24-bccd228953b7abf90170da1419699d38e95329fb
 fi
 if [[ "${IMAGE_NAME:-}" == "" ]]; then
   IMAGE_NAME=build-tools

go.mod

@@ -5,7 +5,7 @@ go 1.22.0
 toolchain go1.22.3
 
 require (
-	istio.io/api v1.24.0-alpha.0.0.20241018201654-7c8ec5b5ab72
+	istio.io/api v1.24.5-0.20250409200717-4933c1da972e
 	k8s.io/apimachinery v0.30.0
 	k8s.io/client-go v0.29.0
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1

go.sum

@@ -138,8 +138,8 @@ gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-istio.io/api v1.24.0-alpha.0.0.20241018201654-7c8ec5b5ab72 h1:AVg/4p5sVhZT6JwBczgvAy9idbVYiCqZFE/QVXNKy/k=
-istio.io/api v1.24.0-alpha.0.0.20241018201654-7c8ec5b5ab72/go.mod h1:MQnRok7RZ20/PE56v0LxmoWH0xVxnCQPNuf9O7PAN1I=
+istio.io/api v1.24.5-0.20250409200717-4933c1da972e h1:5LzLnhNQtSAfK/rsW5h+hlJtUM0LCFJwQwqwtR3UiD4=
+istio.io/api v1.24.5-0.20250409200717-4933c1da972e/go.mod h1:MQnRok7RZ20/PE56v0LxmoWH0xVxnCQPNuf9O7PAN1I=
 k8s.io/api v0.30.0 h1:siWhRq7cNjy2iHssOB9SCGNCl2spiF1dO3dABqZ8niA=
 k8s.io/api v0.30.0/go.mod h1:OPlaYhoHs8EQ1ql0R/TsUgaRPhpKNxIMrKQfWUp8QSE=
 k8s.io/apimachinery v0.30.0 h1:qxVPsyDM5XS96NIh9Oj6LavoVFYff/Pon9cZeDIkHHA=

pkg/apis/extensions/v1alpha1/types.gen.go

@@ -25,7 +25,7 @@ import (
 //
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
-// WasmPlugins provides a mechanism to extend the functionality provided by
+// WasmPlugin provides a mechanism to extend the functionality provided by
 // the Istio proxy through WebAssembly filters.
 //
 // <!-- crd generation tags

pkg/apis/extensions/v1alpha1/zz_generated.deepcopy.gen.go

@@ -25,7 +25,6 @@ import (
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WasmPlugin) DeepCopyInto(out *WasmPlugin) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -53,7 +52,6 @@ func (in *WasmPlugin) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WasmPluginList) DeepCopyInto(out *WasmPluginList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {

pkg/apis/networking/v1/zz_generated.deepcopy.gen.go

@@ -25,7 +25,6 @@ import (
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DestinationRule) DeepCopyInto(out *DestinationRule) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -53,7 +52,6 @@ func (in *DestinationRule) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DestinationRuleList) DeepCopyInto(out *DestinationRuleList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
@@ -90,7 +88,6 @@ func (in *DestinationRuleList) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Gateway) DeepCopyInto(out *Gateway) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -118,7 +115,6 @@ func (in *Gateway) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GatewayList) DeepCopyInto(out *GatewayList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
@@ -155,7 +151,6 @@ func (in *GatewayList) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServiceEntry) DeepCopyInto(out *ServiceEntry) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -183,7 +178,6 @@ func (in *ServiceEntry) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServiceEntryList) DeepCopyInto(out *ServiceEntryList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
@@ -220,7 +214,6 @@ func (in *ServiceEntryList) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Sidecar) DeepCopyInto(out *Sidecar) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -248,7 +241,6 @@ func (in *Sidecar) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SidecarList) DeepCopyInto(out *SidecarList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
@@ -285,7 +277,6 @@ func (in *SidecarList) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VirtualService) DeepCopyInto(out *VirtualService) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -313,7 +304,6 @@ func (in *VirtualService) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VirtualServiceList) DeepCopyInto(out *VirtualServiceList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
@@ -350,7 +340,6 @@ func (in *VirtualServiceList) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkloadEntry) DeepCopyInto(out *WorkloadEntry) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -378,7 +367,6 @@ func (in *WorkloadEntry) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkloadEntryList) DeepCopyInto(out *WorkloadEntryList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
@@ -415,7 +403,6 @@ func (in *WorkloadEntryList) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkloadGroup) DeepCopyInto(out *WorkloadGroup) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -443,7 +430,6 @@ func (in *WorkloadGroup) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkloadGroupList) DeepCopyInto(out *WorkloadGroupList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {

pkg/apis/networking/v1alpha3/types.gen.go

@@ -76,7 +76,7 @@ type DestinationRuleList struct {
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // EnvoyFilter provides a mechanism to customize the Envoy configuration
-// generated by Istio Pilot.
+// generated by istiod.
 //
 // <!-- crd generation tags
 // +cue-gen:EnvoyFilter:groupName:networking.istio.io

pkg/apis/networking/v1alpha3/zz_generated.deepcopy.gen.go

@@ -25,7 +25,6 @@ import (
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DestinationRule) DeepCopyInto(out *DestinationRule) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -53,7 +52,6 @@ func (in *DestinationRule) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DestinationRuleList) DeepCopyInto(out *DestinationRuleList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
@@ -90,7 +88,6 @@ func (in *DestinationRuleList) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EnvoyFilter) DeepCopyInto(out *EnvoyFilter) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -118,7 +115,6 @@ func (in *EnvoyFilter) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EnvoyFilterList) DeepCopyInto(out *EnvoyFilterList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
@@ -155,7 +151,6 @@ func (in *EnvoyFilterList) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Gateway) DeepCopyInto(out *Gateway) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -183,7 +178,6 @@ func (in *Gateway) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GatewayList) DeepCopyInto(out *GatewayList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
@@ -220,7 +214,6 @@ func (in *GatewayList) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServiceEntry) DeepCopyInto(out *ServiceEntry) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -248,7 +241,6 @@ func (in *ServiceEntry) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServiceEntryList) DeepCopyInto(out *ServiceEntryList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
@@ -285,7 +277,6 @@ func (in *ServiceEntryList) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Sidecar) DeepCopyInto(out *Sidecar) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -313,7 +304,6 @@ func (in *Sidecar) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SidecarList) DeepCopyInto(out *SidecarList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
@@ -350,7 +340,6 @@ func (in *SidecarList) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VirtualService) DeepCopyInto(out *VirtualService) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -378,7 +367,6 @@ func (in *VirtualService) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VirtualServiceList) DeepCopyInto(out *VirtualServiceList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
@@ -415,7 +403,6 @@ func (in *VirtualServiceList) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkloadEntry) DeepCopyInto(out *WorkloadEntry) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -443,7 +430,6 @@ func (in *WorkloadEntry) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkloadEntryList) DeepCopyInto(out *WorkloadEntryList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
@@ -480,7 +466,6 @@ func (in *WorkloadEntryList) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkloadGroup) DeepCopyInto(out *WorkloadGroup) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -508,7 +493,6 @@ func (in *WorkloadGroup) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkloadGroupList) DeepCopyInto(out *WorkloadGroupList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {

pkg/apis/networking/v1beta1/zz_generated.deepcopy.gen.go

@@ -25,7 +25,6 @@ import (
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DestinationRule) DeepCopyInto(out *DestinationRule) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -53,7 +52,6 @@ func (in *DestinationRule) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DestinationRuleList) DeepCopyInto(out *DestinationRuleList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
@@ -90,7 +88,6 @@ func (in *DestinationRuleList) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Gateway) DeepCopyInto(out *Gateway) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -118,7 +115,6 @@ func (in *Gateway) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GatewayList) DeepCopyInto(out *GatewayList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
@@ -155,7 +151,6 @@ func (in *GatewayList) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProxyConfig) DeepCopyInto(out *ProxyConfig) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -183,7 +178,6 @@ func (in *ProxyConfig) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProxyConfigList) DeepCopyInto(out *ProxyConfigList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
@@ -220,7 +214,6 @@ func (in *ProxyConfigList) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServiceEntry) DeepCopyInto(out *ServiceEntry) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -248,7 +241,6 @@ func (in *ServiceEntry) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServiceEntryList) DeepCopyInto(out *ServiceEntryList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
@@ -285,7 +277,6 @@ func (in *ServiceEntryList) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Sidecar) DeepCopyInto(out *Sidecar) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -313,7 +304,6 @@ func (in *Sidecar) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SidecarList) DeepCopyInto(out *SidecarList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
@@ -350,7 +340,6 @@ func (in *SidecarList) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VirtualService) DeepCopyInto(out *VirtualService) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -378,7 +367,6 @@ func (in *VirtualService) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VirtualServiceList) DeepCopyInto(out *VirtualServiceList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
@@ -415,7 +403,6 @@ func (in *VirtualServiceList) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkloadEntry) DeepCopyInto(out *WorkloadEntry) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -443,7 +430,6 @@ func (in *WorkloadEntry) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkloadEntryList) DeepCopyInto(out *WorkloadEntryList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
@@ -480,7 +466,6 @@ func (in *WorkloadEntryList) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkloadGroup) DeepCopyInto(out *WorkloadGroup) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -508,7 +493,6 @@ func (in *WorkloadGroup) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkloadGroupList) DeepCopyInto(out *WorkloadGroupList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {

pkg/apis/security/v1/types.gen.go

@@ -76,113 +76,6 @@ type AuthorizationPolicyList struct {
 //
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
-// PeerAuthentication defines mutual TLS (mTLS) requirements for incoming connections.
-//
-// In sidecar mode, PeerAuthentication determines whether or not mTLS is allowed or required
-// for connections to an Envoy proxy sidecar.
-//
-// In ambient mode, security is transparently enabled for a pod by the ztunnel node agent.
-// (Traffic between proxies uses the HBONE protocol, which includes encryption with mTLS.)
-// Because of this, `DISABLE` mode is not supported.
-// `STRICT` mode is useful to ensure that connections that bypass the mesh are not possible.
-//
-// Examples:
-//
-// Policy to require mTLS traffic for all workloads under namespace `foo`:
-// ```yaml
-// apiVersion: security.istio.io/v1
-// kind: PeerAuthentication
-// metadata:
-//
-//	name: default
-//	namespace: foo
-//
-// spec:
-//
-//	mtls:
-//	  mode: STRICT
-//
-// ```
-// For mesh level, put the policy in root-namespace according to your Istio installation.
-//
-// Policies to allow both mTLS and plaintext traffic for all workloads under namespace `foo`, but
-// require mTLS for workload `finance`.
-// ```yaml
-// apiVersion: security.istio.io/v1
-// kind: PeerAuthentication
-// metadata:
-//
-//	name: default
-//	namespace: foo
-//
-// spec:
-//
-//	mtls:
-//	  mode: PERMISSIVE
-//
-// ---
-// apiVersion: security.istio.io/v1
-// kind: PeerAuthentication
-// metadata:
-//
-//	name: finance
-//	namespace: foo
-//
-// spec:
-//
-//	selector:
-//	  matchLabels:
-//	    app: finance
-//	mtls:
-//	  mode: STRICT
-//
-// ```
-// Policy that enables strict mTLS for all `finance` workloads, but leaves the port `8080` to
-// plaintext. Note the port value in the `portLevelMtls` field refers to the port
-// of the workload, not the port of the Kubernetes service.
-// ```yaml
-// apiVersion: security.istio.io/v1
-// kind: PeerAuthentication
-// metadata:
-//
-//	name: default
-//	namespace: foo
-//
-// spec:
-//
-//	selector:
-//	  matchLabels:
-//	    app: finance
-//	mtls:
-//	  mode: STRICT
-//	portLevelMtls:
-//	  8080:
-//	    mode: DISABLE
-//
-// ```
-// Policy that inherits mTLS mode from namespace (or mesh) settings, and disables
-// mTLS for workload port `8080`.
-// ```yaml
-// apiVersion: security.istio.io/v1
-// kind: PeerAuthentication
-// metadata:
-//
-//	name: default
-//	namespace: foo
-//
-// spec:
-//
-//	selector:
-//	  matchLabels:
-//	    app: finance
-//	mtls:
-//	  mode: UNSET
-//	portLevelMtls:
-//	  8080:
-//	    mode: DISABLE
-//
-// ```
-//
 // <!-- crd generation tags
 // +cue-gen:PeerAuthentication:groupName:security.istio.io
 // +cue-gen:PeerAuthentication:versions:v1beta1,v1
@@ -232,245 +125,6 @@ type PeerAuthenticationList struct {
 //
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
-// RequestAuthentication defines what request authentication methods are supported by a workload.
-// It will reject a request if the request contains invalid authentication information, based on the
-// configured authentication rules. A request that does not contain any authentication credentials
-// will be accepted but will not have any authenticated identity. To restrict access to authenticated
-// requests only, this should be accompanied by an authorization rule.
-// Examples:
-//
-// - Require JWT for all request for workloads that have label `app:httpbin`
-//
-// ```yaml
-// apiVersion: security.istio.io/v1
-// kind: RequestAuthentication
-// metadata:
-//
-//	name: httpbin
-//	namespace: foo
-//
-// spec:
-//
-//	selector:
-//	  matchLabels:
-//	    app: httpbin
-//	jwtRules:
-//	- issuer: "issuer-foo"
-//	  jwksUri: https://example.com/.well-known/jwks.json
-//
-// ---
-// apiVersion: security.istio.io/v1
-// kind: AuthorizationPolicy
-// metadata:
-//
-//	name: httpbin
-//	namespace: foo
-//
-// spec:
-//
-//	selector:
-//	  matchLabels:
-//	    app: httpbin
-//	rules:
-//	- from:
-//	  - source:
-//	      requestPrincipals: ["*"]
-//
-// ```
-//
-// - A policy in the root namespace ("istio-system" by default) applies to workloads in all namespaces
-// in a mesh. The following policy makes all workloads only accept requests that contain a
-// valid JWT token.
-//
-// ```yaml
-// apiVersion: security.istio.io/v1
-// kind: RequestAuthentication
-// metadata:
-//
-//	name: req-authn-for-all
-//	namespace: istio-system
-//
-// spec:
-//
-//	jwtRules:
-//	- issuer: "issuer-foo"
-//	  jwksUri: https://example.com/.well-known/jwks.json
-//
-// ---
-// apiVersion: security.istio.io/v1
-// kind: AuthorizationPolicy
-// metadata:
-//
-//	name: require-jwt-for-all
-//	namespace: istio-system
-//
-// spec:
-//
-//	rules:
-//	- from:
-//	  - source:
-//	      requestPrincipals: ["*"]
-//
-// ```
-//
-// - The next example shows how to set a different JWT requirement for a different `host`. The `RequestAuthentication`
-// declares it can accept JWTs issued by either `issuer-foo` or `issuer-bar` (the public key set is implicitly
-// set from the OpenID Connect spec).
-//
-// ```yaml
-// apiVersion: security.istio.io/v1
-// kind: RequestAuthentication
-// metadata:
-//
-//	name: httpbin
-//	namespace: foo
-//
-// spec:
-//
-//	selector:
-//	  matchLabels:
-//	    app: httpbin
-//	jwtRules:
-//	- issuer: "issuer-foo"
-//	- issuer: "issuer-bar"
-//
-// ---
-// apiVersion: security.istio.io/v1
-// kind: AuthorizationPolicy
-// metadata:
-//
-//	name: httpbin
-//	namespace: foo
-//
-// spec:
-//
-//	selector:
-//	  matchLabels:
-//	    app: httpbin
-//	rules:
-//	- from:
-//	  - source:
-//	      requestPrincipals: ["issuer-foo/*"]
-//	  to:
-//	  - operation:
-//	      hosts: ["example.com"]
-//	- from:
-//	  - source:
-//	      requestPrincipals: ["issuer-bar/*"]
-//	  to:
-//	  - operation:
-//	      hosts: ["another-host.com"]
-//
-// ```
-//
-// - You can fine tune the authorization policy to set different requirement per path. For example,
-// to require JWT on all paths, except /healthz, the same `RequestAuthentication` can be used, but the
-// authorization policy could be:
-//
-// ```yaml
-// apiVersion: security.istio.io/v1
-// kind: AuthorizationPolicy
-// metadata:
-//
-//	name: httpbin
-//	namespace: foo
-//
-// spec:
-//
-//	selector:
-//	  matchLabels:
-//	    app: httpbin
-//	rules:
-//	- from:
-//	  - source:
-//	      requestPrincipals: ["*"]
-//	- to:
-//	  - operation:
-//	      paths: ["/healthz"]
-//
-// ```
-//
-// [Experimental] Routing based on derived [metadata](https://istio.io/latest/docs/reference/config/security/conditions/)
-// is now supported. A prefix '@' is used to denote a match against internal metadata instead of the headers in the request.
-// Currently this feature is only supported for the following metadata:
-//
-// - `request.auth.claims.{claim-name}[.{nested-claim}]*` which are extracted from validated JWT tokens.
-// Use the `.` or `[]` as a separator for nested claim names.
-// Examples: `request.auth.claims.sub`, `request.auth.claims.name.givenName` and `request.auth.claims[foo.com/name]`.
-// For more information, see [JWT claim based routing](https://istio.io/latest/docs/tasks/security/authentication/jwt-route/).
-//
-// The use of matches against JWT claim metadata is only supported in Gateways. The following example shows:
-//
-// - RequestAuthentication to decode and validate a JWT. This also makes the `@request.auth.claims` available for use in the VirtualService.
-// - AuthorizationPolicy to check for valid principals in the request. This makes the JWT required for the request.
-// - VirtualService to route the request based on the "sub" claim.
-//
-// ```yaml
-// apiVersion: security.istio.io/v1
-// kind: RequestAuthentication
-// metadata:
-//
-//	name: jwt-on-ingress
-//	namespace: istio-system
-//
-// spec:
-//
-//	selector:
-//	  matchLabels:
-//	    app: istio-ingressgateway
-//	jwtRules:
-//	- issuer: "example.com"
-//	  jwksUri: https://example.com/.well-known/jwks.json
-//
-// ---
-// apiVersion: security.istio.io/v1
-// kind: AuthorizationPolicy
-// metadata:
-//
-//	name: require-jwt
-//	namespace: istio-system
-//
-// spec:
-//
-//	selector:
-//	  matchLabels:
-//	    app: istio-ingressgateway
-//	rules:
-//	- from:
-//	  - source:
-//	      requestPrincipals: ["*"]
-//
-// ---
-// apiVersion: networking.istio.io/v1
-// kind: VirtualService
-// metadata:
-//
-//	name: route-jwt
-//
-// spec:
-//
-//	hosts:
-//	- foo.prod.svc.cluster.local
-//	gateways:
-//	- istio-ingressgateway
-//	http:
-//	- name: "v2"
-//	  match:
-//	  - headers:
-//	      "@request.auth.claims.sub":
-//	        exact: "dev"
-//	  route:
-//	  - destination:
-//	      host: foo.prod.svc.cluster.local
-//	      subset: v2
-//	- name: "default"
-//	  route:
-//	  - destination:
-//	      host: foo.prod.svc.cluster.local
-//	      subset: v1
-//
-// ```
-//
 // <!-- crd generation tags
 // +cue-gen:RequestAuthentication:groupName:security.istio.io
 // +cue-gen:RequestAuthentication:versions:v1beta1,v1

pkg/apis/security/v1/zz_generated.deepcopy.gen.go

@@ -25,7 +25,6 @@ import (
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AuthorizationPolicy) DeepCopyInto(out *AuthorizationPolicy) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -53,7 +52,6 @@ func (in *AuthorizationPolicy) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AuthorizationPolicyList) DeepCopyInto(out *AuthorizationPolicyList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
@@ -90,7 +88,6 @@ func (in *AuthorizationPolicyList) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PeerAuthentication) DeepCopyInto(out *PeerAuthentication) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -118,7 +115,6 @@ func (in *PeerAuthentication) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PeerAuthenticationList) DeepCopyInto(out *PeerAuthenticationList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
@@ -155,7 +151,6 @@ func (in *PeerAuthenticationList) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RequestAuthentication) DeepCopyInto(out *RequestAuthentication) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -183,7 +178,6 @@ func (in *RequestAuthentication) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RequestAuthenticationList) DeepCopyInto(out *RequestAuthenticationList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {

pkg/apis/security/v1beta1/types.gen.go

@@ -76,113 +76,6 @@ type AuthorizationPolicyList struct {
 //
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
-// PeerAuthentication defines mutual TLS (mTLS) requirements for incoming connections.
-//
-// In sidecar mode, PeerAuthentication determines whether or not mTLS is allowed or required
-// for connections to an Envoy proxy sidecar.
-//
-// In ambient mode, security is transparently enabled for a pod by the ztunnel node agent.
-// (Traffic between proxies uses the HBONE protocol, which includes encryption with mTLS.)
-// Because of this, `DISABLE` mode is not supported.
-// `STRICT` mode is useful to ensure that connections that bypass the mesh are not possible.
-//
-// Examples:
-//
-// Policy to require mTLS traffic for all workloads under namespace `foo`:
-// ```yaml
-// apiVersion: security.istio.io/v1
-// kind: PeerAuthentication
-// metadata:
-//
-//	name: default
-//	namespace: foo
-//
-// spec:
-//
-//	mtls:
-//	  mode: STRICT
-//
-// ```
-// For mesh level, put the policy in root-namespace according to your Istio installation.
-//
-// Policies to allow both mTLS and plaintext traffic for all workloads under namespace `foo`, but
-// require mTLS for workload `finance`.
-// ```yaml
-// apiVersion: security.istio.io/v1
-// kind: PeerAuthentication
-// metadata:
-//
-//	name: default
-//	namespace: foo
-//
-// spec:
-//
-//	mtls:
-//	  mode: PERMISSIVE
-//
-// ---
-// apiVersion: security.istio.io/v1
-// kind: PeerAuthentication
-// metadata:
-//
-//	name: finance
-//	namespace: foo
-//
-// spec:
-//
-//	selector:
-//	  matchLabels:
-//	    app: finance
-//	mtls:
-//	  mode: STRICT
-//
-// ```
-// Policy that enables strict mTLS for all `finance` workloads, but leaves the port `8080` to
-// plaintext. Note the port value in the `portLevelMtls` field refers to the port
-// of the workload, not the port of the Kubernetes service.
-// ```yaml
-// apiVersion: security.istio.io/v1
-// kind: PeerAuthentication
-// metadata:
-//
-//	name: default
-//	namespace: foo
-//
-// spec:
-//
-//	selector:
-//	  matchLabels:
-//	    app: finance
-//	mtls:
-//	  mode: STRICT
-//	portLevelMtls:
-//	  8080:
-//	    mode: DISABLE
-//
-// ```
-// Policy that inherits mTLS mode from namespace (or mesh) settings, and disables
-// mTLS for workload port `8080`.
-// ```yaml
-// apiVersion: security.istio.io/v1
-// kind: PeerAuthentication
-// metadata:
-//
-//	name: default
-//	namespace: foo
-//
-// spec:
-//
-//	selector:
-//	  matchLabels:
-//	    app: finance
-//	mtls:
-//	  mode: UNSET
-//	portLevelMtls:
-//	  8080:
-//	    mode: DISABLE
-//
-// ```
-//
 // <!-- crd generation tags
 // +cue-gen:PeerAuthentication:groupName:security.istio.io
 // +cue-gen:PeerAuthentication:versions:v1beta1,v1
@@ -232,245 +125,6 @@ type PeerAuthenticationList struct {
 //
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
-// RequestAuthentication defines what request authentication methods are supported by a workload.
-// It will reject a request if the request contains invalid authentication information, based on the
-// configured authentication rules. A request that does not contain any authentication credentials
-// will be accepted but will not have any authenticated identity. To restrict access to authenticated
-// requests only, this should be accompanied by an authorization rule.
-// Examples:
-//
-// - Require JWT for all request for workloads that have label `app:httpbin`
-//
-// ```yaml
-// apiVersion: security.istio.io/v1
-// kind: RequestAuthentication
-// metadata:
-//
-//	name: httpbin
-//	namespace: foo
-//
-// spec:
-//
-//	selector:
-//	  matchLabels:
-//	    app: httpbin
-//	jwtRules:
-//	- issuer: "issuer-foo"
-//	  jwksUri: https://example.com/.well-known/jwks.json
-//
-// ---
-// apiVersion: security.istio.io/v1
-// kind: AuthorizationPolicy
-// metadata:
-//
-//	name: httpbin
-//	namespace: foo
-//
-// spec:
-//
-//	selector:
-//	  matchLabels:
-//	    app: httpbin
-//	rules:
-//	- from:
-//	  - source:
-//	      requestPrincipals: ["*"]
-//
-// ```
-//
-// - A policy in the root namespace ("istio-system" by default) applies to workloads in all namespaces
-// in a mesh. The following policy makes all workloads only accept requests that contain a
-// valid JWT token.
-//
-// ```yaml
-// apiVersion: security.istio.io/v1
-// kind: RequestAuthentication
-// metadata:
-//
-//	name: req-authn-for-all
-//	namespace: istio-system
-//
-// spec:
-//
-//	jwtRules:
-//	- issuer: "issuer-foo"
-//	  jwksUri: https://example.com/.well-known/jwks.json
-//
-// ---
-// apiVersion: security.istio.io/v1
-// kind: AuthorizationPolicy
-// metadata:
-//
-//	name: require-jwt-for-all
-//	namespace: istio-system
-//
-// spec:
-//
-//	rules:
-//	- from:
-//	  - source:
-//	      requestPrincipals: ["*"]
-//
-// ```
-//
-// - The next example shows how to set a different JWT requirement for a different `host`. The `RequestAuthentication`
-// declares it can accept JWTs issued by either `issuer-foo` or `issuer-bar` (the public key set is implicitly
-// set from the OpenID Connect spec).
-//
-// ```yaml
-// apiVersion: security.istio.io/v1
-// kind: RequestAuthentication
-// metadata:
-//
-//	name: httpbin
-//	namespace: foo
-//
-// spec:
-//
-//	selector:
-//	  matchLabels:
-//	    app: httpbin
-//	jwtRules:
-//	- issuer: "issuer-foo"
-//	- issuer: "issuer-bar"
-//
-// ---
-// apiVersion: security.istio.io/v1
-// kind: AuthorizationPolicy
-// metadata:
-//
-//	name: httpbin
-//	namespace: foo
-//
-// spec:
-//
-//	selector:
-//	  matchLabels:
-//	    app: httpbin
-//	rules:
-//	- from:
-//	  - source:
-//	      requestPrincipals: ["issuer-foo/*"]
-//	  to:
-//	  - operation:
-//	      hosts: ["example.com"]
-//	- from:
-//	  - source:
-//	      requestPrincipals: ["issuer-bar/*"]
-//	  to:
-//	  - operation:
-//	      hosts: ["another-host.com"]
-//
-// ```
-//
-// - You can fine tune the authorization policy to set different requirement per path. For example,
-// to require JWT on all paths, except /healthz, the same `RequestAuthentication` can be used, but the
-// authorization policy could be:
-//
-// ```yaml
-// apiVersion: security.istio.io/v1
-// kind: AuthorizationPolicy
-// metadata:
-//
-//	name: httpbin
-//	namespace: foo
-//
-// spec:
-//
-//	selector:
-//	  matchLabels:
-//	    app: httpbin
-//	rules:
-//	- from:
-//	  - source:
-//	      requestPrincipals: ["*"]
-//	- to:
-//	  - operation:
-//	      paths: ["/healthz"]
-//
-// ```
-//
-// [Experimental] Routing based on derived [metadata](https://istio.io/latest/docs/reference/config/security/conditions/)
-// is now supported. A prefix '@' is used to denote a match against internal metadata instead of the headers in the request.
-// Currently this feature is only supported for the following metadata:
-//
-// - `request.auth.claims.{claim-name}[.{nested-claim}]*` which are extracted from validated JWT tokens.
-// Use the `.` or `[]` as a separator for nested claim names.
-// Examples: `request.auth.claims.sub`, `request.auth.claims.name.givenName` and `request.auth.claims[foo.com/name]`.
-// For more information, see [JWT claim based routing](https://istio.io/latest/docs/tasks/security/authentication/jwt-route/).
-//
-// The use of matches against JWT claim metadata is only supported in Gateways. The following example shows:
-//
-// - RequestAuthentication to decode and validate a JWT. This also makes the `@request.auth.claims` available for use in the VirtualService.
-// - AuthorizationPolicy to check for valid principals in the request. This makes the JWT required for the request.
-// - VirtualService to route the request based on the "sub" claim.
-//
-// ```yaml
-// apiVersion: security.istio.io/v1
-// kind: RequestAuthentication
-// metadata:
-//
-//	name: jwt-on-ingress
-//	namespace: istio-system
-//
-// spec:
-//
-//	selector:
-//	  matchLabels:
-//	    app: istio-ingressgateway
-//	jwtRules:
-//	- issuer: "example.com"
-//	  jwksUri: https://example.com/.well-known/jwks.json
-//
-// ---
-// apiVersion: security.istio.io/v1
-// kind: AuthorizationPolicy
-// metadata:
-//
-//	name: require-jwt
-//	namespace: istio-system
-//
-// spec:
-//
-//	selector:
-//	  matchLabels:
-//	    app: istio-ingressgateway
-//	rules:
-//	- from:
-//	  - source:
-//	      requestPrincipals: ["*"]
-//
-// ---
-// apiVersion: networking.istio.io/v1
-// kind: VirtualService
-// metadata:
-//
-//	name: route-jwt
-//
-// spec:
-//
-//	hosts:
-//	- foo.prod.svc.cluster.local
-//	gateways:
-//	- istio-ingressgateway
-//	http:
-//	- name: "v2"
-//	  match:
-//	  - headers:
-//	      "@request.auth.claims.sub":
-//	        exact: "dev"
-//	  route:
-//	  - destination:
-//	      host: foo.prod.svc.cluster.local
-//	      subset: v2
-//	- name: "default"
-//	  route:
-//	  - destination:
-//	      host: foo.prod.svc.cluster.local
-//	      subset: v1
-//
-// ```
-//
 // <!-- crd generation tags
 // +cue-gen:RequestAuthentication:groupName:security.istio.io
 // +cue-gen:RequestAuthentication:versions:v1beta1,v1

pkg/apis/security/v1beta1/zz_generated.deepcopy.gen.go

@@ -25,7 +25,6 @@ import (
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AuthorizationPolicy) DeepCopyInto(out *AuthorizationPolicy) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -53,7 +52,6 @@ func (in *AuthorizationPolicy) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AuthorizationPolicyList) DeepCopyInto(out *AuthorizationPolicyList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
@@ -90,7 +88,6 @@ func (in *AuthorizationPolicyList) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PeerAuthentication) DeepCopyInto(out *PeerAuthentication) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -118,7 +115,6 @@ func (in *PeerAuthentication) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PeerAuthenticationList) DeepCopyInto(out *PeerAuthenticationList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {
@@ -155,7 +151,6 @@ func (in *PeerAuthenticationList) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RequestAuthentication) DeepCopyInto(out *RequestAuthentication) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -183,7 +178,6 @@ func (in *RequestAuthentication) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RequestAuthenticationList) DeepCopyInto(out *RequestAuthenticationList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {

pkg/apis/telemetry/v1/zz_generated.deepcopy.gen.go

@@ -25,7 +25,6 @@ import (
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Telemetry) DeepCopyInto(out *Telemetry) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -53,7 +52,6 @@ func (in *Telemetry) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TelemetryList) DeepCopyInto(out *TelemetryList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {

pkg/apis/telemetry/v1alpha1/zz_generated.deepcopy.gen.go

@@ -25,7 +25,6 @@ import (
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Telemetry) DeepCopyInto(out *Telemetry) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
 	in.Spec.DeepCopyInto(&out.Spec)
@@ -53,7 +52,6 @@ func (in *Telemetry) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TelemetryList) DeepCopyInto(out *TelemetryList) {
-	*out = *in
 	out.TypeMeta = in.TypeMeta
 	in.ListMeta.DeepCopyInto(&out.ListMeta)
 	if in.Items != nil {