Add example for authn policy proto.

diemtvu · diemtvu · commit 2261e34cbf2a · 2018-01-31T16:48:11.000-08:00
diff --git a/authentication/v1alpha1/istio.authentication.v1alpha1.pb.html b/authentication/v1alpha1/istio.authentication.v1alpha1.pb.html
@@ -79,6 +79,44 @@ <h2 id="Policy">Policy</h2>
 For each part, if it&rsquo;s not empty, at least one of those listed credential
 must be provided and  (successfully) verified for the authentication to pass.</p>
 
+<p>Examples:
+Policy to enable mTLS for all services in namespace frod</p>
+
+<pre><code>apiVersion: config.istio.io/v1alpha2
+kind: RouteRule
+metadata:
+  name: mTLS-enable
+  namespace: frod
+spec:
+  match:
+  peer:
+  - mtls: {}
+</code></pre>
+
+<p>Policy to enable mTLS, and use JWT for productpage:9000</p>
+
+<pre><code>apiVersion: config.istio.io/v1alpha2
+kind: RouteRule
+metadata:
+  name: mTLS-enable
+  namespace: frod
+spec:
+  match:
+  - name: productpage
+    ports:
+    - 9000
+  peer:
+  - mtls:
+  end_user:
+  - jwt:
+      issuer: &quot;https://securetoken.google.com&quot;
+      audiences:
+      - &quot;productpage&quot;
+      jwks_uri: &quot;https://www.googleapis.com/oauth2/v1/certs&quot;
+      locations:
+      - header: x-goog-iap-jwt-assertion
+</code></pre>
+
 <table>
 <tr>
 <th>Field</th>
@@ -178,8 +216,7 @@ <h2 id="istio.mixer.v1.config.client.JWT">istio.mixer.v1.config.client.JWT</h2>
 <td><code>string</code></td>
 <td>
 <p>URL of the provider&rsquo;s public key set to validate signature of the
-JWT. See <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata">OpenID
-Discovery</a>.</p>
+JWT. See <a href="https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata">OpenID Discovery</a>.</p>
 
 <p>Optional if the key set document can either (a) be retrieved from
 <a href="https://openid.net/specs/openid-connect-discovery-1_0.html">OpenID Discovery</a>
@@ -195,8 +232,7 @@ <h2 id="istio.mixer.v1.config.client.JWT">istio.mixer.v1.config.client.JWT</h2>
 <td><code>bool</code></td>
 <td>
 <p>If true, forward the entire base64 encoded JWT in the HTTP request.
-If false, remove the JWT from the HTTP request and do not forward to the
-application.</p>
+If false, remove the JWT from the HTTP request and do not forward to the application.</p>
 
 </td>
 </tr>
diff --git a/authentication/v1alpha1/policy.pb.go b/authentication/v1alpha1/policy.pb.go
diff --git a/authentication/v1alpha1/policy.proto b/authentication/v1alpha1/policy.proto
@@ -59,6 +59,42 @@ message Destination {
 // - end_user: verify end-user credentials.
 // For each part, if it's not empty, at least one of those listed credential
 // must be provided and  (successfully) verified for the authentication to pass.
+//
+// Examples:
+// Policy to enable mTLS for all services in namespace frod
+//
+//     apiVersion: config.istio.io/v1alpha2
+//     kind: RouteRule
+//     metadata:
+//       name: mTLS-enable
+//       namespace: frod
+//     spec:
+//       match:
+//       peer:
+//       - mtls: {}
+//
+// Policy to enable mTLS, and use JWT for productpage:9000
+//
+//     apiVersion: config.istio.io/v1alpha2
+//     kind: RouteRule
+//     metadata:
+//       name: mTLS-enable
+//       namespace: frod
+//     spec:
+//       match:
+//       - name: productpage
+//         ports:
+//         - 9000
+//       peer:
+//       - mtls:
+//       end_user:
+//       - jwt:
+//           issuer: "https://securetoken.google.com"
+//           audiences:
+//           - "productpage"
+//           jwks_uri: "https://www.googleapis.com/oauth2/v1/certs"
+//           locations:
+//           - header: x-goog-iap-jwt-assertion
 message Policy {
   // List of destinations (workloads) that the policy should be applied on.
   // If empty, policy will be used on all destinations in the same namespace.
